Technical Guide
alliedtelesis.com xC613-22005-00 REV A
FEATURE OVERVIEW AND CONFIGURATION GUIDE
Introduction
802.1x is an IEEE standard providing a mechanism for authenticating devices attached to a
LAN port or a wireless device. Devices wishing to access services behind a port must
authenticate themselves before any Ethernet packets are allowed to pass through. The
protocol is referred to as 802.1x because it was initially defined in the IEEE standard 802.1x,
published in 2001 and revised in 2004 and again as the current 802.1x-2010 standard.
Networks have two important requirements:
• Security: authentication and authorization
• Flexibility: the ability for users to roam
Networks need a device authentication method that is highly secure, but not tied to a port's
physical location. Network resources presented to a given user need to be determined from
their authentication credentials.
802.1x user authentication satisfies these requirements. It is relatively uncomplicated and has
little impact on network performance. It is a protocol that is medium-independent, being
equally effective on wireless connections (802.11i) and wired connections. 802.1x user
authentication is rapidly becoming an expected component on networks.
Products and software version that apply to this guide
This guide applies to all AlliedWare Plus products running version 5.4.4 or later.
Feature support may change in later software versions. For the latest information, see the
following documents:
• The product's Datasheet
• The AlliedWare Plus Datasheet
• The product's Command Reference
These documents are available from our website at alliedtelesis.com.
Contents
Introduction ..... 1
Products and software version that apply to this guide ..... 2
802.1x System Components ..... 3
  802.1x component protocols ..... 3
  Example message sequence ..... 5
Basic Steps in 802.1x Configuration ..... 6
  Multi-supplicant modes ..... 6
  Single supplicant ..... 7
  Multi-host ..... 7
802.1x VLAN Assignment ..... 8
  Dynamic VLAN assignment ..... 8
802.1x Configuration Example ..... 9
  Dynamic VLAN assignment with multiple supplicants ..... 11
  Using a guest VLAN ..... 13
Verify the operation of 802.1x ..... 14
  Names of commands used ..... 15
802.1x System Components
There are three main components to a system using 802.1x port authentication control:
• Authenticator: the device that wishes to enforce authentication before allowing access to
services that are accessible behind it. An example of this is a switch that has 802.1x port
authentication control enabled.
• Supplicant: the client that wishes to access services offered by the authenticator's system.
An example of this is a Windows XP Professional PC with an 802.1x client.
• Authentication server: the device that uses the authentication credentials supplied by the
supplicant to determine whether the authenticator should grant access to its services. The
AlliedWare Plus implementation of 802.1x supports the use of a RADIUS authentication
server, using Extensible Authentication Protocol (EAP) in conjunction with RADIUS.
Figure 1: 802.1x system components (diagram: supplicants connect to the switch, which is the
authenticator; the switch talks to the RADIUS server, which is the authentication server)
802.1x component protocols
There are two protocols involved in the authentication conversation:
1. EAPoL, exchanged between the supplicant and authenticator.
   EAPoL (Extensible Authentication Protocol over LAN) is the protocol defined in
   IEEE 802.1x.
2. RADIUS, exchanged between the authenticator and authentication server.
   RADIUS has received specific extensions to interoperate with EAPoL.
The diagram below illustrates where the EAPoL and RADIUS protocols are used in the
authentication conversation:
Figure 2: 802.1x component protocols (diagram: EAPoL runs between the supplicants and the
switch; RADIUS runs between the switch and the RADIUS server)
Table 1: Basic steps in an 802.1x conversation
Step 1: The supplicant informs the authenticator that it wants to initiate the conversation.
Step 2: The authenticator requests the supplicant's credentials.
Step 3: The supplicant sends a username/password or X.509 certificate.
Step 4: The authenticator wraps the supplicant's reply into a RADIUS packet and sends it to the RADIUS server.
Step 5: The RADIUS server chooses an authentication method, and sends an appropriate request to the supplicant as a 'challenge'.
Step 6: The RADIUS server and supplicant exchange some messages, ferried by the authenticator.
Step 7: The RADIUS server eventually decides if the supplicant is allowed access and sends an Access-Accept or Access-Reject message to the authenticator.
Step 8: The authenticator sends an EAPoL-Success or EAPoL-Fail to the supplicant.
Step 9: The supplicant has a session using the network (if accepted).
Step 10: When the session is over, the supplicant sends a log-off message.
Example message sequence
The diagram below illustrates an exchange using the EAP-MD5 authentication method,
which is the simplest authentication method supported by 802.1x.
The EAPoL log-off message, of course, is not sent immediately after the other messages in
the diagram, but is sent later on, at the end of the supplicant's data session, when it wishes to
disconnect from the network.
Figure 3: EAPoL message sequence (EAP-MD5). The numbers are the steps of Table 1; the
EAPOL conversation runs between the supplicant and the switch, the RADIUS conversation
between the switch and the RADIUS server.
1. Supplicant -> Authenticator: EAPOL-Start
2. Authenticator -> Supplicant: EAP-Request/Identity
3. Supplicant -> Authenticator: EAP-Response/Identity (MyID)
4. Authenticator -> Authentication Server: Radius-Access-Request
5. Authentication Server -> Authenticator: Radius-Access-Challenge, relayed to the supplicant
   as EAP-Request-Challenge (MD5)
6. Supplicant -> Authenticator: EAP-Response-Challenge (MD5), relayed to the authentication
   server in a Radius-Access-Request
7. Authentication Server -> Authenticator: Radius-Access-Accept (authentication success) or
   Radius-Access-Reject (authentication fail)
8. Authenticator -> Supplicant: EAP-Success (port authorized) or EAP-Fail (port unauthorized)
9. Data session
10. Supplicant -> Authenticator: EAPOL-Logoff (authentication terminated, port unauthorized)
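The EAP-MD5 exchange of Figure 3, played out in Python between a supplicant, an authenticator that only relays, and a stand-in for the RADIUS server, as an added example (not code from this guide or from AlliedWare Plus). The identity and password are constructed sample values, and the RADIUS leg is represented by verdict strings rather than real RADIUS packets.

```python
import hashlib
import hmac
import os
import struct

# EAPOL packet types (IEEE 802.1X) and EAP codes/types (RFC 3748) as they appear in Figure 3.
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4

def eapol(packet_type, body=b""):
    """EAPOL frame body: protocol version 2, packet type, body length, then the EAP packet."""
    return struct.pack("!BBH", 2, packet_type, len(body)) + body

def eap(code, identifier, payload=b""):
    """EAP packet: code, identifier, total length (4-byte header included), then type and data."""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload

def parse_eap(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    return code, identifier, packet[4:length]

def md5_response(identifier, password, challenge):
    """EAP-MD5 response value (RFC 3748 section 5.4): MD5(identifier || password || challenge).
    Only the supplicant proves anything here; EAP-MD5 gives it no way to verify the server."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

class Supplicant:
    """The 802.1x client: sends Start and Logoff, answers Identity and MD5-Challenge requests."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def start(self):
        return eapol(EAPOL_START)                        # step 1: EAPOL-Start

    def logoff(self):
        return eapol(EAPOL_LOGOFF)                       # step 10: EAPOL-Logoff

    def handle(self, request):
        code, ident, data = parse_eap(request)
        if code != EAP_REQUEST:
            return None
        if data[0] == EAP_TYPE_IDENTITY:                 # step 3: EAP-Response/Identity
            payload = bytes([EAP_TYPE_IDENTITY]) + self.identity
        elif data[0] == EAP_TYPE_MD5_CHALLENGE:          # step 6: EAP-Response/MD5-Challenge
            challenge = data[2:2 + data[1]]              # data[1] is the Value-Size octet
            value = md5_response(ident, self.password, challenge)
            payload = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + self.identity
        else:
            return None
        return eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, payload))

class AuthServer:
    """Stand-in for the RADIUS server: owns the user database, issues and checks challenges."""
    def __init__(self, users):
        self.users = users        # identity -> password; constructed sample data
        self.pending = {}         # EAP identifier -> (identity, challenge) awaiting a reply

    def handle(self, response):
        """Takes the EAP-Message from a Radius-Access-Request; returns (RADIUS verdict, EAP reply)."""
        code, ident, data = parse_eap(response)
        if code == EAP_RESPONSE and data[0] == EAP_TYPE_IDENTITY:
            identity, challenge = data[1:], os.urandom(16)
            new_id = (ident + 1) & 0xFF
            self.pending[new_id] = (identity, challenge)
            payload = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
            return "Access-Challenge", eap(EAP_REQUEST, new_id, payload)    # step 5
        if code == EAP_RESPONSE and data[0] == EAP_TYPE_MD5_CHALLENGE and ident in self.pending:
            identity, challenge = self.pending.pop(ident)
            expected = md5_response(ident, self.users.get(identity, b""), challenge)
            if identity in self.users and hmac.compare_digest(data[2:2 + data[1]], expected):
                return "Access-Accept", eap(EAP_SUCCESS, ident)              # step 7: success
        return "Access-Reject", eap(EAP_FAILURE, ident)                      # step 7: fail

def authenticate(supplicant, server):
    """The authenticator's part of Figure 3: relay EAP between supplicant and server and
    authorize the port only on Access-Accept. Returns (port_authorized, list of messages)."""
    supplicant.start()
    trace = ["EAPOL-Start", "EAP-Request/Identity"]
    request = eap(EAP_REQUEST, 0, bytes([EAP_TYPE_IDENTITY]))             # step 2
    while True:
        frame = supplicant.handle(request)
        if frame is None:
            return False, trace
        trace.append("Radius-Access-Request")                              # steps 4 and 6
        verdict, reply = server.handle(frame[4:])                          # strip the EAPOL header
        trace.append("Radius-" + verdict)
        if verdict == "Access-Challenge":
            request = reply                                                # relay challenge to supplicant
            continue
        authorized = verdict == "Access-Accept"
        trace.append("EAP-Success" if authorized else "EAP-Fail")          # step 8
        return authorized, trace

def port_after_frame(authorized, frame):
    """Step 10: an EAPOL-Logoff from the supplicant returns the port to unauthorized."""
    return False if frame[1] == EAPOL_LOGOFF else authorized
```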
Basic Steps in 802.1x Configuration
To configure the switch operating as authenticator, follow the instructions below:
Figure 4: Configuring 802.1x basic steps (diagram: the supplicant at 192.168.1.45 attaches to
port1.0.5 of the switch, which is the authenticator; the RADIUS server at 192.168.1.250 is the
authentication server)
Step 1: Configure a RADIUS server for the switch to send requests to
awplus(config)# radius-server host 192.168.1.250 key <secret-key>
Step 2: Instruct 802.1x to use the configured RADIUS server
awplus(config)# aaa authentication dot1x default group radius
Step 3: Configure port1.0.5 for 802.1x authentication
awplus(config)# interface port1.0.5
awplus(config-if)# dot1x port-control auto
awplus(config-if)# spanning-tree portfast
Multi-supplicant modes
AlliedWare Plus can be configured to accept one or more supplicants downstream of a port.
Three authentication host-modes are available:
• single-supplicant: the default state; only one supplicant is allowed per port.
• multi-host: once the first host on a port is authenticated, all other downstream hosts are
allowed without being authenticated (piggy-back mode).
• multi-supplicant: multiple separate supplicants are individually authenticated on one port.
The command (entered in interface configuration mode for a physical port interface) is:
awplus(config-if)# auth host-mode {single-supplicant|multihost|multi-supplicant}
This command controls how the switch deals with the situation where multiple
authentication supplicants are downstream of a single port. This is possible if EAP traffic
passes through a Layer 2 switch that has been connected to the port, and the supplicants are
attached to that Layer 2 switch.
Single supplicant
The first option that the command can set is single-host. With this option, only one
supplicant may be authenticated on the port. Once that host has been authenticated, no
other supplicants may be authenticated until the first supplicant's session has closed. This
means, of course, that none of the other hosts downstream of the port will be able to send
or receive traffic on that port.
This option is recommended when you know that there should only be one host connected
to a port. By limiting the port to a single authenticated host, you guard against the
consequences of someone accidentally or maliciously connecting a downstream switch to the
port.
Multi-host
The next available host-mode option is multiple host mode (chosen by the parameter value
multi-host). With this mode, once the first host has been authenticated on the port, all other
downstream hosts are allowed without being authenticated. This is sometimes known as
piggy-back mode. It is useful when the downstream switch attached to the authenticating
port is an intelligent switch that can act as an authentication supplicant.
If you trust that malicious users cannot be connected to that switch, but you do not know the
identity of those users, then you can simply authenticate the switch and then allow its
attached users to have network access. If the valid switch is disconnected and an invalid one
is connected which is not configured with the correct authentication credentials, then the
devices connected to the invalid switch will be blocked from accessing the network.
Figure 5: Configuring 802.1x multi-host (diagram: hosts sit behind a switch or router that can
act as an 802.1x supplicant, which connects to the x900 switch acting as authenticator; the
RADIUS server is the authentication server. Once the supplicant switch/router is
authenticated, all traffic from these hosts is allowed)
802.1x VLAN Assignment
Dynamic VLAN assignment
Whilst the authentication of devices attaching to the network is primarily driven by security
considerations, it has significant spin-off benefits.
Once a device has been authenticated, the network knows the identity of the device and/or
its user. Decisions can be made based on this identity. In particular, it is possible to decide
what network environment, and level of access, to present to this device and its user.
The standard mechanism via which a user's network environment is controlled is VLAN
membership. Once a user's packets are classified into a particular VLAN, the user's access to
the network will be controlled by the constraints that have been put on that VLAN
throughout the network.
For this reason, it is now common for LAN switches to have the ability to dynamically assign
the VLAN into which a device's traffic will be classified, once that device has been
authenticated.
Dynamic VLAN assignment is achieved by a collaboration between the authenticator (the
LAN switch) and the authentication server (the RADIUS server). When the RADIUS server
sends back a RADIUS Access-Accept message to the authenticator, it can also include other
attributes in that message that identify a VLAN to which the authenticated device should be
assigned.
Dynamic VLAN assignment is a powerful extension to 802.1x, as it enables:
• Identity-based networking: the user gets the same environment no matter where they
connect.
• Guest access: guest users are allowed access to very limited parts of the network.
• NAC: the level of access is based on a workstation's security status.
Figure 6: Dynamic VLAN assignment (diagram: supplicants attach to the x900 switch, the
authenticator; the RADIUS Access-Accept message from the RADIUS server says "supplicant
is accepted, put them into VLAN X")
802.1x Configuration Example
Authenticator configuration
In addition to the basic 802.1x configuration, some further configuration is required to
enable dynamic VLAN creation on the switch. The VLANs that can be dynamically assigned
must be present in the VLAN database:
awplus(config)# vlan database
awplus(config-vlan)# vlan x
awplus(config-vlan)# vlan y
awplus(config-vlan)# vlan z
awplus(config-vlan)# exit
Ports that accept VLAN membership dynamically have to be enabled for dynamic VLAN
creation:
awplus(config)# interface port1.0.5
awplus(config-if)# auth dynamic-vlan-creation
802.1x Configuration Example
The following example explains how to configure 802.1x. In this example, the RADIUS
server keeps the client information, validating the identity of the client and updating the
switch about the authentication status of the client. The switch sits physically between
the two clients and the server. It requests information from the client, relays information to
the server and then back to the client.
To configure 802.1x authentication, first enable authentication on port1.0.1 and port1.0.2
and then specify the RADIUS server IP address and port.
Figure 7: 802.1x configuration example (diagram: Client A and Client B attach to the
switch's authenticating ports, labelled port1.1.1 and port1.1.2 in the figure; the RADIUS
server at 192.126.12.1 is reached over vlan 4)
Table 2: 802.1x configuration on the switch
awplus# configure terminal
    Enter the Global Configuration mode.
awplus(config)# aaa authentication dot1x default group radius
    Enable authentication globally.
awplus(config)# interface port1.0.1
    Specify the interface (port1.0.1) to be configured and enter the Interface mode.
awplus(config-if)# dot1x port-control auto
    Enable authentication (via RADIUS) on port1.0.1.
awplus(config-if)# dot1x control-direction both
    Block traffic in both directions, other than authentication packets, until authentication is complete.
awplus(config-if)# exit
    Exit the Interface Configuration mode and enter the Global Configuration mode.
awplus(config)# interface port1.0.2
    Specify the interface (port1.0.2) you are configuring and enter the Interface mode.
awplus(config-if)# dot1x port-control auto
    Enable authentication (via RADIUS) on port1.0.2.
awplus(config-if)# exit
    Exit the Interface Configuration mode and enter the Global Configuration mode.
awplus(config)# radius-server host 192.126.12.1 auth-port 1812
    Specify the RADIUS server address (192.126.12.1) and authentication port.
awplus(config)# radius-server key secret
    Specify the shared key (here "secret") between the RADIUS server and the client.
awplus(config)# interface vlan4
    Specify the VLAN (vlan4) to be configured and enter the Interface mode.
awplus(config-if)# ip address 192.126.12.2/24
    Set the IP address on vlan4.
Dynamic VLAN assignment with multiple supplicants
In multi-supplicant mode, what happens if two supplicants downstream of the same port are
assigned to different VLANs? The auth dynamic-vlan-creation command has two
parameters that govern the operation in this situation: rule and type.
The rule parameter
The first parameter is the rule parameter.
For SBx8100, SBx908 and x900 Series switches (the situation is different for the x210, x230,
x310, x510, x600, x610 and x930 Series, as we will see below) it is not possible to assign
different VLANs to untagged traffic from different supplicants. On the SBx8100, SBx908 and
x900, dynamic VLAN assignment effectively says 'the one untagged VLAN to be used on the
authenticating port is VLAN x'. So, if the first supplicant is authenticated and assigned VLAN
45, then the authenticating port will classify all untagged traffic arriving on the port into
VLAN 45. But if a second supplicant downstream of the same port then authenticates, and
the RADIUS server assigns VLAN 56 to that supplicant, the switch then faces a dilemma. It is
already using VLAN 45 as the untagged VLAN on that port; it cannot use VLAN 56 as well.
There are two ways that the switch can resolve this situation. It can:
1. Allow the second supplicant to access the network, but assign its data to VLAN 45.
2. Block the second supplicant from having network access.
The rule parameter configures which of these choices the switch will opt for. If rule is set to
permit, then option (1) above is chosen. If rule is set to deny, then option (2) above is
chosen.
The type parameter
The second parameter is the type parameter.
The type parameter applies only to the x210, x230, x310, x510, x600, x610 and x930 Series
switches. This is because these switches support MAC-based VLANs, whereas the SBx8100,
x900 Series and SBx908 do not.
The effect of the type parameter is to make use of the x210, x230, x310, x510, x600, x610
and x930 MAC-based VLAN support to provide a better solution to the case where
different supplicants downstream of a single port are dynamically allocated to different
VLANs.
If type is set to the value single, then the MAC-based VLAN capability is not used, and the
port's behavior in the different-dynamic-VLANs situation will be controlled by the rule
parameter.
However, if type is set to multi, the switch brings the MAC-based VLAN capability into play.
This capability enables it to support multiple different untagged VLANs on the same port.
This is achieved by associating VLAN membership with the source MAC address of the
incoming packets.
So, when different supplicants downstream of a single port are dynamically assigned different
VLANs, the switch simply builds a table that maps supplicants' MAC addresses to their
dynamically assigned VLANs.
The combination of these parameters results in three options for handling the case where
different VLANs are assigned to supplicants on the same port.
Option 1: Deny access to a supplicant assigned a different VLAN
If the first supplicant authenticated on the port is assigned VLAN X, then any supplicants
subsequently assigned a different VLAN are denied access. This is the default state when
dynamic VLAN creation is enabled.
This is configured with:
awplus(config-if)# auth dynamic-vlan-creation rule deny
Figure 8: Deny access to supplicant assigned to a different VLAN
Option 2: Force all supplicants into the same VLAN
If the first supplicant authenticated on the port is assigned VLAN X, then any supplicants
subsequently assigned a different VLAN are allowed access, but forced into VLAN X.
This is configured with:
awplus(config-if)# auth dynamic-vlan-creation rule permit
Figure 9: Force all supplicants into the same VLAN (diagram, x900 switch as authenticator:
1. supplicant accepted and assigned VLAN 10; 2. supplicant accepted by the RADIUS server
and assigned VLAN 11, the authenticator allows access but puts the supplicant into VLAN 10)
Option 3: Dynamically assign multiple VLANs to one port
On the x210, x230, x310, x510, x600, x610 and x930 switches, it is actually possible to
assign different VLANs to different supplicants downstream of the same port.
This is configured with:
awplus(config-if)# auth dynamic-vlan-creation rule permit type multi
Figure 10: Dynamically assign multiple VLANs to one port (diagram, x600 switch as
authenticator: 1. supplicant accepted and assigned VLAN 10; 2. supplicant accepted and
assigned VLAN 11, the authenticator allows access and allocates this supplicant's data to
VLAN 11)
The switch can assign VLAN membership to packets based on source MAC:
• Packets from the MAC of supplicant 1 are assigned to VLAN 10
• Packets from the MAC of supplicant 2 are assigned to VLAN 11
This feature is not supported on SBx8100, x900 and SwitchBlade x908 switches.
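The rule and type behaviour of the three options above, as an added Python model (not AlliedWare Plus code and not from this guide): it reads the VLAN out of the Access-Accept attributes and applies the port's policy to successive supplicants on one port. The RADIUS attribute numbers are taken from RFC 3580; how a VLAN missing from the VLAN database, or an Access-Accept carrying no VLAN attribute, is handled is this example's assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# RADIUS attributes that carry a VLAN in an Access-Accept (RFC 3580 section 3.31):
# Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6),
# Tunnel-Private-Group-ID (81) = the VLAN ID. These numbers come from the RFC, not the guide.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def vlan_from_access_accept(attributes: List[Tuple[int, object]]) -> Optional[int]:
    """Extract the assigned VLAN from already-decoded (attribute, value) pairs of an Access-Accept.
    The tag octet and wire encoding of the tunnel attributes are assumed to be stripped already."""
    avps = dict(attributes)
    if avps.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or avps.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802:
        return None
    group = str(avps.get(TUNNEL_PRIVATE_GROUP_ID, ""))
    return int(group) if group.isdigit() else None   # a VLAN name instead of an ID is not handled here


@dataclass
class AuthPort:
    """Dynamic VLAN state of one authenticating port with 'auth dynamic-vlan-creation' enabled."""
    rule: str = "deny"                                        # rule {deny|permit}; deny is the default
    vlan_type: str = "single"                                 # type {single|multi}
    vlan_database: Set[int] = field(default_factory=set)      # VLANs created in the VLAN database
    untagged_vlan: Optional[int] = None                       # the one untagged VLAN (type single)
    mac_vlan: Dict[str, int] = field(default_factory=dict)    # MAC -> VLAN table (type multi)

    def authorize(self, mac: str, assigned_vlan: int) -> Tuple[str, Optional[int]]:
        """Apply the guide's three options when an Access-Accept assigns assigned_vlan to mac.
        Returns ("allow", VLAN the traffic is classified into) or ("deny", None)."""
        if assigned_vlan not in self.vlan_database:
            # The guide requires dynamically assigned VLANs to exist in the VLAN database;
            # treating a missing VLAN as a failed assignment is this example's assumption.
            return "deny", None
        if self.vlan_type == "multi":
            # Option 3: MAC-based VLANs, so each supplicant keeps the VLAN it was assigned.
            self.mac_vlan[mac] = assigned_vlan
            return "allow", assigned_vlan
        if self.untagged_vlan is None or self.untagged_vlan == assigned_vlan:
            # First supplicant (or the same VLAN as the first): it sets the port's untagged VLAN.
            self.untagged_vlan = assigned_vlan
            self.mac_vlan[mac] = assigned_vlan
            return "allow", assigned_vlan
        if self.rule == "permit":
            # Option 2: allowed, but forced into the VLAN the first supplicant was given.
            self.mac_vlan[mac] = self.untagged_vlan
            return "allow", self.untagged_vlan
        # Option 1 (rule deny, the default): a different VLAN means no access.
        return "deny", None


def handle_access_accept(port: AuthPort, mac: str, attributes) -> Tuple[str, Optional[int]]:
    """Read the VLAN out of the Access-Accept, then apply the port's policy. An Access-Accept
    without any VLAN attributes is treated here (an assumption) as access with no dynamic VLAN."""
    vlan = vlan_from_access_accept(attributes)
    if vlan is None:
        return "allow", None
    return port.authorize(mac, vlan)
```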
Using a guest VLAN
Whilst you need to authenticate the users who will have access to the important services
within your network, you might also want to provide some basic level of access to users who
fail to authenticate.
For example, visitors to an enterprise will often need to have Internet access. It would be
desirable to have a secure, convenient way to provide this Internet access via the corporate
LAN.
By default, 802.1x denies access to users who fail authentication.
Guests are not known to the RADIUS server, so they fail authentication. The solution is to
provide a guest VLAN, which is configured with:
awplus(config)# interface port1.0.5
awplus(config-if)# auth guest-vlan <vlan id>
Figure 11: Using a guest VLAN (diagram: an x900 stack and an x600, client devices including
a supplicant assigned to the guest VLAN, a Windows 2008 server and an Enterprise CA server
in the private zone, an AR770, an 8000GS and the Internet in the public/private zone, with
10/100, 1 Gigabit and link aggregation links; ACLs are used to ensure guest VLAN traffic goes
to the Internet and nowhere else)
If a supplicant attempts authentication and fails, or does not even attempt authentication (no
802.1x client in the PC), then it is dynamically assigned to the guest VLAN.
Verify the operation of 802.1x
When a supplicant has been authenticated on a port the details of the authentication can be
seen with:
show dot1x supplicant int port1.0.5
Interface port1.0.5
  authenticationMethod: dot1x
  totalSupplicantNum: 1
  authorizedSupplicantNum: 1
  macBasedAuthenticationSupplicantNum: 0
  dot1xAuthenticationSupplicantNum: 1
  WebBasedAuthenticationSupplicantNum:
  otherAuthenticationSupplicantNum: 0
  Supplicant name: Engineer01                    <--- Supplicant name
  Supplicant address: 0002.b363.319f             <--- MAC of authenticated device
    authenticationMethod: 802.1x                 <--- Authenticated by 802.1x
    portStatus: Authorized - currentId: 9
    abort:F fail:F start:F timeout:F success:T
    PAE: state: Authenticated - portMode: Auto
    PAE: reAuthCount: 0 - rxRespId: 0
    PAE: quietPeriod: 60 - maxReauthReq: 2
    BE: state: Idle - reqCount: 0 - idFromServer: 8
    CD: adminControlledDirections: both - operControlledDirections: both
    CD: bridgeDetected: false
    KR: rxKey: false
    KT: keyAvailable: false - keyTxEnabled: false
    dynamicVlanId: 20                            <--- VLAN assigned, if dynamic VLAN assignment enabled
When a supplicant has been authenticated and assigned to a VLAN, the port it
authenticated on will then be seen to be a member of that VLAN.
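A parser for the show dot1x supplicant output above, with the check a practitioner might script after enabling dynamic VLAN assignment, as an added Python example (not from this guide or from AlliedWare Plus). The sample output is constructed from the fields shown above, and the parser assumes the line layout the guide shows.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the 'show dot1x supplicant int port1.0.5' output in the guide.
SAMPLE_OUTPUT = """\
Interface port1.0.5
  authenticationMethod: dot1x
  totalSupplicantNum: 1
  authorizedSupplicantNum: 1
  Supplicant name: Engineer01
  Supplicant address: 0002.b363.319f
    authenticationMethod: 802.1x
    portStatus: Authorized - currentId: 9
    abort:F fail:F start:F timeout:F success:T
    PAE: state: Authenticated - portMode: Auto
    PAE: reAuthCount: 0 - rxRespId: 0
    BE: state: Idle - reqCount: 0 - idFromServer: 8
    CD: adminControlledDirections: both - operControlledDirections: both
    dynamicVlanId: 20
"""

# State-machine groups that prefix a line (PAE, backend, controlled directions, key rx/tx).
GROUP_RE = re.compile(r"^(PAE|BE|CD|KR|KT): (.*)$")


def _pairs(segment: str):
    """Yield (key, value) pairs from one ' - '-delimited segment of a line."""
    if ": " in segment:
        key, value = segment.split(": ", 1)
        yield key.strip(), value.strip()
    else:  # flag tokens such as 'abort:F fail:F success:T'
        for token in segment.split():
            if ":" in token:
                key, value = token.split(":", 1)
                yield key, value


def parse_show_dot1x_supplicant(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (interface-level fields, one dict per supplicant); grouped keys become 'PAE.state' etc."""
    interface: Dict[str, str] = {}
    supplicants: List[Dict[str, str]] = []
    current = interface
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface "):
            interface["interface"] = line.split(None, 1)[1]
            continue
        if line.startswith("Supplicant name:"):   # each supplicant block starts with its name
            current = {}
            supplicants.append(current)
        m = GROUP_RE.match(line)
        prefix, body = (m.group(1) + ".", m.group(2)) if m else ("", line)
        for segment in body.split(" - "):
            for key, value in _pairs(segment):
                current[prefix + key] = value
    return interface, supplicants


def check_supplicant(supplicant: Dict[str, str], expected_vlan=None) -> List[str]:
    """Verification to script after configuration: port authorized, PAE state Authenticated,
    and (when dynamic VLAN assignment is expected) the VLAN the RADIUS server handed out."""
    problems = []
    if supplicant.get("portStatus") != "Authorized":
        problems.append("portStatus is %s" % supplicant.get("portStatus"))
    if supplicant.get("PAE.state") != "Authenticated":
        problems.append("PAE state is %s" % supplicant.get("PAE.state"))
    if expected_vlan is not None and supplicant.get("dynamicVlanId") != str(expected_vlan):
        problems.append("dynamicVlanId is %s, expected %s" % (supplicant.get("dynamicVlanId"), expected_vlan))
    return problems
```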
Names of commands used
dot1x port-control
radius-server host
radius-server key
Validation commands
show dot1x
show dot1x interface
show vlan 20
VLAN ID Name Type State Member ports
(u)-Untagged, (t)-Tagged
======= ================ ======= ======= ======================
20 Engineering STATIC ACTIVE port1.0.5(u)
show vlan 30
VLAN ID Name Type State Member ports
(u)-Untagged, (t)-Tagged
======= ================ ======= ======= ======================
30 Marketing STATIC ACTIVE port1.0.5(u)

More Related Content

PDF
Eyeball Server Management User and Administration Guide
DOCX
Install offline Root CA Server 2003
PDF
ESM Installation Guide (ESM v6.9.1c)
PDF
Cisco ccna-security note
PDF
Logger Forwarding Connector for OM 7.3.0.7838.0 Configuration Guide
PDF
Logger Forwarding Connector for OMi 7.3.0.7839.0 Configuration Guide
PDF
ArcSight Management Center 2.5 Administrator's Guide
Eyeball Server Management User and Administration Guide
Install offline Root CA Server 2003
ESM Installation Guide (ESM v6.9.1c)
Cisco ccna-security note
Logger Forwarding Connector for OM 7.3.0.7838.0 Configuration Guide
Logger Forwarding Connector for OMi 7.3.0.7839.0 Configuration Guide
ArcSight Management Center 2.5 Administrator's Guide

What's hot (20)

PDF
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
PDF
ArcSight Management Center 2.2 Administrator's Guide.pdf
PDF
Aruba VIA 2.0.1 User Guide Linux Edition
PDF
ArcSight Model Import Connector for RepSM 7.1.7.7607.0 Configuration guide
PDF
ARPMiner Manual
PDF
ArcSight Connector Appliance v6.1 Release Notes
PDF
ArcSight Management Center 2.0 Administrator's Guide
PDF
A lte 2011
PDF
Installation Guide for ESM 6.8c
PDF
Ieee 802.1 x
PDF
RepSM Model Import Connector v5.2.7.6581.0 Configuration Guide for ArcSight E...
PDF
PDF
Onboard Deployment Guide 3.9.6
PDF
ArcSight Management Center 1.0 Administrator's Guide
PDF
Rsa archer 6.9 platform installation and upgrade guide (3)
PDF
ESM_Express_InstallGuide_6.9.0.pdf
PDF
Step 02 ciac-se -3_0_1_configuration_guide
PDF
Dell sonicwall aventail_connect_tunnel_client_windows_user_guide
PDF
Poodle sha2 open mic
PDF
ArcMC 2.6 Release Notes
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
ArcSight Management Center 2.2 Administrator's Guide.pdf
Aruba VIA 2.0.1 User Guide Linux Edition
ArcSight Model Import Connector for RepSM 7.1.7.7607.0 Configuration guide
ARPMiner Manual
ArcSight Connector Appliance v6.1 Release Notes
ArcSight Management Center 2.0 Administrator's Guide
A lte 2011
Installation Guide for ESM 6.8c
Ieee 802.1 x
RepSM Model Import Connector v5.2.7.6581.0 Configuration Guide for ArcSight E...
Onboard Deployment Guide 3.9.6
ArcSight Management Center 1.0 Administrator's Guide
Rsa archer 6.9 platform installation and upgrade guide (3)
ESM_Express_InstallGuide_6.9.0.pdf
Step 02 ciac-se -3_0_1_configuration_guide
Dell sonicwall aventail_connect_tunnel_client_windows_user_guide
Poodle sha2 open mic
ArcMC 2.6 Release Notes
Ad

Viewers also liked (16)

DOCX
Techniques For Quitting Smoking
PPT
Carl rogers ppt
PDF
Rock The Red Program Book
PPTX
D side introduction for mitx shoes 1.28.14
PDF
5th Annual Rock the RED Fashion Show
PPT
Vietnam Presentation Revised M
DOCX
Techniques For Quitting Smoking
PPT
C:\Users\Jones\Nikki\Vietnam Presentation Revised
PDF
41731326 configuration
PDF
Tomato anna f1_growers_handbook
PPT
Red Pump Year In Impact
PPT
Proposal
PPS
Catch The Moment 2 ~ ~
PPT
Introduction Of Sez
PDF
Why Banks Are Failing the Innovation Test - The Disruption House Research Report
PPT
Hazing Powerpoint
Techniques For Quitting Smoking
Carl rogers ppt
Rock The Red Program Book
D side introduction for mitx shoes 1.28.14
5th Annual Rock the RED Fashion Show
Vietnam Presentation Revised M
Techniques For Quitting Smoking
C:\Users\Jones\Nikki\Vietnam Presentation Revised
41731326 configuration
Tomato anna f1_growers_handbook
Red Pump Year In Impact
Proposal
Catch The Moment 2 ~ ~
Introduction Of Sez
Why Banks Are Failing the Innovation Test - The Disruption House Research Report
Hazing Powerpoint
Ad

Similar to 8021x feature config_guide (20)

PDF
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
PDF
Ieee 802.1 x
PPT
Implementing 802.1x Authentication
PPTX
802.1x Authentication Standard
PPT
802.1x
PDF
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
PDF
IEEE 802.1X and Axis’ Implementation
PPTX
IEEE 802.1 x
PDF
At8000 s configurando_8021x
PDF
Westermo WeOS port security
PDF
Ieee 802.1 x
PPT
Ali shahbazi khojasteh dot1X
PDF
PPT
Introdutction – 802.1x Port-Based Authentication
PPT
Introdutction – 802.1x Port-Based Authentication
PDF
cudbardbell-freetheradius
PPT
Security threats in the LAN
PDF
radius dhcp dot1.x (802.1x)
PDF
Xb30330.xb30350 management guide
Configuring Wired 802.1x Authentication on Windows Server 2012.pdf
Ieee 802.1 x
Implementing 802.1x Authentication
802.1x Authentication Standard
802.1x
Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
IEEE 802.1X and Axis’ Implementation
IEEE 802.1 x
At8000 s configurando_8021x
Westermo WeOS port security
Ieee 802.1 x
Ali shahbazi khojasteh dot1X
Introdutction – 802.1x Port-Based Authentication
Introdutction – 802.1x Port-Based Authentication
cudbardbell-freetheradius
Security threats in the LAN
radius dhcp dot1.x (802.1x)
Xb30330.xb30350 management guide

Recently uploaded (20)

PPTX
CLASS_11_BUSINESS_STUDIES_PPT_CHAPTER_1_Business_Trade_Commerce.pptx
PPT
UNIT I- Yarn, types, explanation, process
PDF
Trusted Executive Protection Services in Ontario — Discreet & Professional.pdf
PPTX
YV PROFILE PROJECTS PROFILE PRES. DESIGN
PDF
Interior Structure and Construction A1 NGYANQI
PPTX
AC-Unit1.pptx CRYPTOGRAPHIC NNNNFOR ALL
PDF
GREEN BUILDING MATERIALS FOR SUISTAINABLE ARCHITECTURE AND BUILDING STUDY
PDF
UNIT 1 Introduction fnfbbfhfhfbdhdbdto Java.pptx.pdf
PPTX
building Planning Overview for step wise design.pptx
PPTX
Tenders & Contracts Works _ Services Afzal.pptx
PDF
YOW2022-BNE-MinimalViableArchitecture.pdf
PPTX
Wisp Textiles: Where Comfort Meets Everyday Style
PPT
EGWHermeneuticsffgggggggggggggggggggggggggggggggg.ppt
PDF
The Advantages of Working With a Design-Build Studio
PDF
Chalkpiece Annual Report from 2019 To 2025
PPTX
DOC-20250430-WA0014._20250714_235747_0000.pptx
PDF
Key Trends in Website Development 2025 | B3AITS - Bow & 3 Arrows IT Solutions
PPT
Machine printing techniques and plangi dyeing
PPTX
CLASSIFICATION OF YARN- process, explanation
PPTX
Causes of Flooding by Slidesgo sdnl;asnjdl;asj.pptx
CLASS_11_BUSINESS_STUDIES_PPT_CHAPTER_1_Business_Trade_Commerce.pptx
UNIT I- Yarn, types, explanation, process
Trusted Executive Protection Services in Ontario — Discreet & Professional.pdf
YV PROFILE PROJECTS PROFILE PRES. DESIGN
Interior Structure and Construction A1 NGYANQI
AC-Unit1.pptx CRYPTOGRAPHIC NNNNFOR ALL
GREEN BUILDING MATERIALS FOR SUISTAINABLE ARCHITECTURE AND BUILDING STUDY
UNIT 1 Introduction fnfbbfhfhfbdhdbdto Java.pptx.pdf
building Planning Overview for step wise design.pptx
Tenders & Contracts Works _ Services Afzal.pptx
YOW2022-BNE-MinimalViableArchitecture.pdf
Wisp Textiles: Where Comfort Meets Everyday Style
EGWHermeneuticsffgggggggggggggggggggggggggggggggg.ppt
The Advantages of Working With a Design-Build Studio
Chalkpiece Annual Report from 2019 To 2025
DOC-20250430-WA0014._20250714_235747_0000.pptx
Key Trends in Website Development 2025 | B3AITS - Bow & 3 Arrows IT Solutions
Machine printing techniques and plangi dyeing
CLASSIFICATION OF YARN- process, explanation
Causes of Flooding by Slidesgo sdnl;asnjdl;asj.pptx

8021x feature config_guide

  • 2. Products and software version that apply to this guide
    This Guide applies to all AlliedWare Plus products, running version 5.4.4 or later.
    Feature support may change in later software versions. For the latest information, see the following documents:
      - The product’s Datasheet
      - The AlliedWare Plus Datasheet
      - The product’s Command Reference
    These documents are available from the above links on our website at alliedtelesis.com.

    Content
      Introduction ........................................................ 1
      Products and software version that apply to this guide ............. 2
      802.1x System Components ............................................ 3
        802.1x component protocols ........................................ 3
        Example message sequence .......................................... 5
      Basic Steps in 802.1x Configuration ................................. 6
        Multi-supplicant modes ............................................ 6
        Single supplicant ................................................. 7
        Multi-host ........................................................ 7
      802.1x VLAN Assignment .............................................. 8
        Dynamic VLAN assignment ........................................... 8
      802.1x Configuration Example ........................................ 9
        Dynamic VLAN assignment with multiple supplicants ................ 11
        Using a guest VLAN ............................................... 13
      Verify the operation of 802.1x ..................................... 14
      Names of commands used ............................................. 15
  • 3. 802.1x System Components
    There are three main components to a system using 802.1x port authentication control:
      - Authenticator: the device that wishes to enforce authentication before allowing access to services that are accessible behind it. An example of this is a switch that has 802.1x port authentication control enabled.
      - Supplicant: the client that wishes to access services offered by the authenticator’s system. An example of this is a Windows XP Professional PC with an 802.1x client.
      - Authentication server: the device that uses the authentication credentials supplied by the supplicant to determine if the authenticator should grant access to its services. The AlliedWare Plus implementation of 802.1x supports the use of a RADIUS authentication server, using Extensible Authentication Protocol (EAP) in conjunction with RADIUS.
    [Figure 1: 802.1x system components. Labels: Supplicants; Switch (Authenticator); RADIUS Server (Authentication Server)]

    802.1x component protocols
    There are two protocols involved in the authentication conversation:
      1. EAPoL, exchanged between the supplicant and authenticator. EAPoL (Extensible Authentication Protocol over LAN) is the protocol defined in IEEE 802.1x.
      2. RADIUS, exchanged between the authenticator and authentication server. RADIUS has received specific extensions to interoperate with EAPoL.
  • 4. The diagram below illustrates where the EAPoL and RADIUS protocols are used in the authentication conversation:
    [Figure 2: 802.1x component protocols. EAPoL runs between the Supplicants and the Switch (Authenticator); RADIUS runs between the Switch and the RADIUS Server (Authentication Server)]

    Table 1: Basic steps in an 802.1x conversation
      STEP  ACTION
      1     The supplicant informs the authenticator that it wants to initiate the conversation.
      2     The authenticator requests the supplicant's credentials.
      3     The supplicant sends username/password or X.509 certificate.
      4     The authenticator wraps the supplicant's reply into a RADIUS packet and sends it to the RADIUS server.
      5     The RADIUS server chooses an authentication method, and sends an appropriate request to the supplicant as a ‘challenge’.
      6     The RADIUS server and supplicant exchange some messages, ferried by the authenticator.
      7     The RADIUS server eventually decides if the supplicant is allowed access, and sends an Access-Accept or Access-Reject message to the authenticator.
      8     The authenticator sends an EAPoL-Success or EAPoL-Fail to the supplicant.
      9     The supplicant has a session using the network (if accepted).
      10    When the session is over, the supplicant sends a log-off message.
  • 5. Example message sequence
    The diagram below illustrates an exchange using the EAP-MD5 authentication method, which is the simplest authentication method supported by 802.1x. The EAPoL log-off message, of course, is not sent immediately after the other messages in the diagram, but is sent later on, at the end of the supplicant’s data session, when it wishes to disconnect from the network.
    [Figure 3: EAPoL message sequence. The EAPoL conversation is between supplicant and switch; the RADIUS conversation is between switch and RADIUS server. Numbered as in Table 1:
      1. Supplicant -> Authenticator: EAPOL-Start
      2. Authenticator -> Supplicant: EAP-Request/Identity
      3. Supplicant -> Authenticator: EAP-Response/Identity (MyID)
      4. Authenticator -> Authentication Server: Radius-Access-Request
      5. Authentication Server -> Authenticator: Radius-Access-Challenge; Authenticator -> Supplicant: EAP-Request-Challenge (MD5)
      6. Supplicant -> Authenticator: EAP-Response-Challenge (MD5); Authenticator -> Authentication Server: Radius-Access-Request
      7. Authentication Server -> Authenticator: Radius-Access-Accept (authentication success) or Radius-Access-Reject (authentication fail)
      8. Authenticator -> Supplicant: EAP-Success (port authorized) or EAP-Fail (port unauthorized)
      9. Data session
      10. Supplicant -> Authenticator: EAPOL-Logoff (authentication terminated, port unauthorized)]
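    The EAP-MD5 exchange of Figure 3, modelled end to end in Python, is added here as an example; it is not code from the guide or from Allied Telesis. It assumes the EAPoL header layout of IEEE 802.1X (version, packet type, length) and the EAP packet and MD5-Challenge formats of RFC 3748 section 5.4; the RADIUS leg between authenticator and server (steps 4 to 7) is modelled as a direct call, since the EAP payload is carried unchanged, and the user name and password are constructed sample values.

```python
"""EAP-MD5 over EAPoL, modelled end to end (added example, not the guide's code).

Assumptions: EAPoL header per IEEE 802.1X; EAP header and MD5-Challenge per
RFC 3748 section 5.4; the RADIUS relay is modelled as a direct function call.
"""
import hashlib
import hmac
import os
import struct

# EAPoL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes and method types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eapol(ptype, body=b""):
    """EAPoL frame body: protocol version 1, packet type, body length, body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


def eap(code, ident, data=b""):
    """EAP packet: code, identifier, total length (header included), data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:length]


def md5_response(ident, password, challenge):
    """RFC 3748 5.4: response value = MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def run_exchange(user_db, identity, password, challenge=None):
    """Drive one conversation (Table 1 steps 1-8); return 'success' or 'fail'.

    user_db maps identity -> password as stored on the authentication server;
    identity and password are what the supplicant presents.
    """
    challenge = challenge or os.urandom(16)
    # Step 1: supplicant -> authenticator, EAPOL-Start (no EAP body).
    ptype, _ = parse_eapol(eapol(EAPOL_START))
    assert ptype == EAPOL_START
    # Step 2: authenticator -> supplicant, EAP-Request/Identity.
    req_identity = eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))
    # Step 3: supplicant answers with its identity, reusing the request's identifier.
    _, ident, _ = parse_eap(parse_eapol(req_identity)[1])
    resp_identity = eap(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + identity.encode())
    # Steps 4-5: the server picks EAP-MD5 and issues a challenge
    # (Type 4 data: value-size, value, optional name).
    claimed = parse_eap(resp_identity)[2][1:].decode()
    req_md5 = eap(EAP_REQUEST, ident + 1,
                  bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + b"radius")
    # Step 6: supplicant hashes its password with the identifier and the challenge.
    _, md5_ident, data = parse_eap(req_md5)
    value = data[2:2 + data[1]]
    resp_value = md5_response(md5_ident, password.encode(), value)
    resp_md5 = eap(EAP_RESPONSE, md5_ident,
                   bytes([EAP_TYPE_MD5_CHALLENGE, len(resp_value)]) + resp_value + identity.encode())
    # Step 7: server recomputes with its stored password; constant-time compare.
    _, got_ident, data = parse_eap(resp_md5)
    got_value = data[2:2 + data[1]]
    stored = user_db.get(claimed)
    accepted = stored is not None and hmac.compare_digest(
        got_value, md5_response(got_ident, stored.encode(), challenge))
    # Step 8: authenticator forwards EAP-Success or EAP-Failure to the supplicant.
    final_code = parse_eap(eap(EAP_SUCCESS if accepted else EAP_FAILURE, got_ident))[0]
    return "success" if final_code == EAP_SUCCESS else "fail"


if __name__ == "__main__":
    users = {"Engineer01": "correct horse"}       # constructed sample credentials
    print(run_exchange(users, "Engineer01", "correct horse"))
    print(run_exchange(users, "Engineer01", "wrong"))
```

    Note that EAP-MD5 authenticates only the supplicant and derives no keying material, which is why it serves as the simplest illustration of the message flow here; the X.509 certificate option in step 3 of Table 1 is what an authenticator relies on when the link itself needs protecting.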
  • 6. Basic Steps in 802.1x Configuration
    To configure the switch operating as authenticator, follow the instructions below:
    [Figure 4: Configuring 802.1x basic steps. Supplicant 192.168.1.45 -- port1.0.5 on the Switch (Authenticator) -- RADIUS Server 192.168.1.250 (Authentication Server)]

    Step 1: Configure a RADIUS server for the switch to send requests to
      awplus(config)# radius-server host 192.168.1.250 key <secret-key>
    Step 2: Instruct 802.1x to use the configured RADIUS server
      awplus(config)# aaa authentication dot1x default group radius
    Step 3: Configure port1.0.5 for 802.1x authentication
      awplus(config)# interface port1.0.5
      awplus(config-if)# dot1x port-control auto
      awplus(config-if)# spanning-tree portfast

    Multi-supplicant modes
    AlliedWare Plus can be configured to accept one or more supplicants downstream of a port. Three authentication host-modes are available:
      - single-supplicant: the default state; only one supplicant allowed per port.
      - multi-host: once the first host on a port is authenticated, all other downstream hosts are allowed without being authenticated (piggy-back mode).
      - multi-supplicant: multiple separate supplicants are individually authenticated on one port.
    The command (entered in interface configuration mode for a physical port interface) is:
      awplus(config-if)# auth host-mode {single-supplicant|multi-host|multi-supplicant}
  • 7. This command controls how the switch deals with the situation where multiple authentication supplicants are downstream of a single port. This is possible if EAP traffic passes through a Layer 2 switch which has been connected to the port, and the supplicants are attached to that Layer 2 switch.

    Single supplicant
    The first option that the command can set is single-host. With this option, only one supplicant may be authenticated on the port. Once that host has been authenticated, no other supplicants may be authenticated until the first supplicant’s session has closed. This means, of course, that none of the other hosts downstream of the port will be able to send or receive traffic on that port.
    This option is recommended when you know that there should only be one host connected to a port. By limiting the port to a single authenticated host, you guard against the consequences of someone accidentally or maliciously connecting a downstream switch to the port.

    Multi-host
    The next available host-mode option is multiple host mode (chosen by the parameter value multi-host). With this mode, once the first host has been authenticated on the port, all other downstream hosts are allowed without being authenticated. This is sometimes known as piggy-back mode.
    It is useful when the downstream switch attached to the authenticating port is an intelligent switch that can act as an authentication supplicant. If you trust that malicious users cannot be connected to that switch but you do not know the identity of those users, then you can simply authenticate the switch and then allow its attached users to have network access. If the valid switch is disconnected and an invalid one is connected which is not configured with the correct authentication credentials, then the devices connected to the invalid switch will be blocked from accessing the network.
    [Figure 5: Configuring 802.1x multi-host. Hosts behind a switch or router that can act as 802.1x supplicant -- x900 Switch (Authenticator) -- RADIUS Server (Authentication Server). Once the supplicant switch/router is authenticated, all traffic from these hosts is allowed]
  • 8. 802.1x VLAN Assignment
    Dynamic VLAN assignment
    Whilst the authentication of devices attaching to the network is primarily driven by security considerations, it has significant spin-off benefits. Once a device has been authenticated, the network knows the identity of the device and/or its user. Decisions can be made, based on this identity. In particular, it is possible to decide what network environment, and level of access, to present to this device and its user.
    The standard mechanism via which a user’s network environment is controlled is VLAN membership. Once a user’s packets are classified into a particular VLAN, the user’s access to the network will be controlled by the constraints that have been put on that VLAN throughout the network. For this reason, it is now common for LAN switches to have the ability to dynamically assign the VLAN into which a device’s traffic will be classified, once that device has been authenticated.
    Dynamic VLAN assignment is achieved by a collaboration between the authenticator (the LAN switch) and the authentication server (the RADIUS server). When the RADIUS server sends back a RADIUS accept message to the authenticator, it can also include other attributes in that message that identify a VLAN to which the authenticated device should be assigned.
    Dynamic VLAN assignment is a powerful extension to 802.1x, as it enables:
      - Identity-based networking: the user gets the same environment no matter where they connect.
      - Guest Access: guest users are allowed access to very limited parts of the network.
      - NAC: level of access is based on a workstation’s security status.
    [Figure 6: Dynamic VLAN assignment. Supplicants -- x900 Switch (Authenticator) -- RADIUS Server (Authentication Server). The RADIUS access-accept message says “supplicant is accepted, put them into VLAN X”]
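    What the access-accept message of Figure 6 carries, and how an authenticator should treat it, is shown below in Python as an added example; it is not code from the guide or from AlliedWare Plus. The VLAN is carried in the tunnel attributes that RFC 3580 defines for this purpose (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = IEEE-802 6, Tunnel-Private-Group-ID 81 = the VLAN ID as text, each with an RFC 2868 tag byte), and the reply is sealed with the RFC 2865 Response Authenticator under the shared secret from radius-server key; the guide names none of these, and the packet identifier, request authenticator and secret used here are constructed sample values.

```python
"""RADIUS Access-Accept carrying a VLAN, built and checked (added example).

Assumptions: RFC 3580 tunnel attributes with an RFC 2868 tag byte; RFC 2865
Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def attr(atype, value):
    """One RADIUS attribute TLV: type, length (header included), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept(ident, request_auth, secret, vlan_id, tag=1):
    """Server side: Access-Accept that assigns vlan_id, sealed for the authenticator."""
    attrs = (attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
             + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
             + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def response_authenticator_ok(packet, request_auth, secret):
    """Authenticator side: only a reply sealed with the shared secret may open the port."""
    header, got, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, got)


def parse_attrs(attrs):
    """Walk the TLVs; a length below 2 would never advance, so it is treated as malformed."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        out.append((atype, attrs[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(packet, request_auth, secret):
    """VLAN ID the server assigned, or None if the accept carries no usable VLAN triple.
    Raises ValueError when the reply does not verify or is not an Access-Accept."""
    if not response_authenticator_ok(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply not from the configured server")
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    by_tag = {}
    for atype, value in parse_attrs(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading byte of 0x1F or less is a tag (0 = untagged); anything larger is text.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[atype] = text
    for entry in by_tag.values():
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in entry):
            group = entry[TUNNEL_PRIVATE_GROUP_ID].decode(errors="replace")
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


if __name__ == "__main__":
    req_auth, key = bytes(range(16)), b"secret"      # constructed sample values
    reply = build_access_accept(9, req_auth, key, 20)
    print(assigned_vlan(reply, req_auth, key))      # 20
```

    The three attributes are matched by tag so that a reply mixing several tunnel descriptions cannot pair a VLAN type with someone else's group ID, and the Response Authenticator is checked before anything in the reply is trusted; the VLAN must also already exist in the VLAN database (next page) before the port can be moved into it.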
  • 9. Authenticator configuration
    In addition to the basic 802.1x configuration, some further configuration is required to enable dynamic VLAN creation on the switch. The VLANs that can be dynamically assigned must be present in the VLAN database:
      awplus(config)# vlan database
      awplus(config-vlan)# vlan x
      awplus(config-vlan)# vlan y
      awplus(config-vlan)# vlan z
      awplus(config-vlan)# exit
    Ports that accept VLAN membership dynamically have to be enabled for dynamic VLAN creation:
      awplus(config)# interface port1.0.5
      awplus(config-if)# auth dynamic-vlan-creation

    802.1x Configuration Example
    The following example explains how to configure 802.1x. In this example, the RADIUS Server keeps the Client information, validating the identity of the Client and updating the switch about the authentication status of the client. The switch is the physical access between the two clients and the server. It requests information from the client, relays information to the server and then back to the client.
    To configure 802.1x authentication, first enable authentication on port1.0.1 and port1.0.2 and then specify the RADIUS Server IP address and port.
    [Figure 7: 802.1x configuration example (802-1x_1.1). Client A on port1.1.1 and Client B on port1.1.2; Radius Server 192.126.12.1 reached via vlan 4]
  • 10. Table 2: 802.1x configuration on the switch
      awplus# configure terminal
        Enter the Global Configuration mode.
      awplus(config)# aaa authentication dot1x default group radius
        Enable authentication globally.
      awplus(config)# interface port1.0.1
        Specify the interface (port1.0.1) to be configured and enter the Interface mode.
      awplus(config-if)# dot1x port-control auto
        Enable authentication (via RADIUS) on port1.0.1.
      awplus(config-if)# dot1x control-direction both
        Block traffic in both directions, other than authentication packets, until authentication is complete.
      awplus(config-if)# exit
        Exit the Interface Configuration mode and enter the Global Configuration mode.
      awplus(config)# interface port1.0.2
        Specify the interface (port1.0.2) you are configuring and enter the Interface mode.
      awplus(config-if)# dot1x port-control auto
        Enable authentication (via RADIUS) on port1.0.2.
      awplus(config-if)# exit
        Exit the Interface Configuration mode and enter the Global Configuration mode.
      awplus(config)# radius-server host 192.126.12.1 auth-port 1812
        Specify the RADIUS Server address (192.126.12.1) and authentication port.
      awplus(config)# radius-server key secret
        Specify the shared key secret between the RADIUS server and the client.
      awplus(config)# interface vlan4
        Specify the vlan (vlan4) to be configured and enter the Interface mode.
      awplus(config-if)# ip address 192.126.12.2/24
        Set the IP address on vlan4.
  • 11. Dynamic VLAN assignment with multiple supplicants
    In multi-supplicant mode, what happens if two supplicants downstream of the same port are assigned to different VLANs? The auth dynamic-vlan-creation command has two parameters that govern the operation in this situation: rule and type.

    The rule parameter
    The first parameter is the rule parameter. For SBx8100, SBx908 and x900 Series switches (the situation is different for the x210, x230, x310, x510, x600, x610 and x930 Series, as we will see below) it is not possible to assign different VLANs to untagged traffic from different supplicants. On the SBx8100, SBx908 and x900, dynamic VLAN assignment effectively says ‘the one untagged VLAN to be used on the authenticating port is VLAN x’. So, if the first supplicant is authenticated and assigned VLAN 45, then the authenticating port will classify all untagged traffic arriving on the port into VLAN 45. But if a second supplicant downstream of the same port then authenticates, and the RADIUS server assigns VLAN 56 to that supplicant, the switch then faces a dilemma. It is already using VLAN 45 as the untagged VLAN on that port; it cannot use VLAN 56 as well.
    There are two ways that the switch can resolve this situation. It can:
      1. Allow the second supplicant to access the network, but assign its data to VLAN 45.
      2. Block the second supplicant from having network access.
    The rule parameter configures which of these choices the switch will opt for. If rule is set to permit, then option (1) above is chosen. If rule is set to deny, then option (2) above is chosen.

    The type parameter
    The second parameter is the type parameter. The type parameter applies only to the x210, x230, x310, x510, x600, x610 and x930 Series switches. This is because these switches support MAC-based VLANs, whereas the x8100, x900 Series and SBx908 do not.
    The effect of the type parameter is to make use of the x210, x230, x310, x510, x600, x610 and x930 MAC-based VLAN support to provide a better solution to the case where different supplicants downstream of a single port are dynamically allocated to different VLANs.
    If type is set to the value single, then the MAC-based VLAN capability is not used, and the port’s behavior in the different-dynamic-VLANs situation will be controlled by the rule parameter.
    However, if type is set to multi, the switch brings the MAC-based VLAN capability into play. This capability enables it to support multiple different untagged VLANs on the same port. This is achieved by associating VLAN membership with the source MAC address of the incoming packets. So, when different supplicants downstream of a single port are dynamically assigned different VLANs, the switch simply builds a table that maps supplicants’ MAC addresses to their dynamically assigned VLANs.
  • 12. The combination of these parameters results in three options for handling the case where different VLANs are assigned to supplicants on the same port.

    Option 1: Deny access to supplicant assigned a different VLAN
    If the first supplicant authenticated on the port is assigned VLAN X, then any supplicants subsequently assigned a different VLAN are denied access. This is the default state when dynamic VLAN creation is enabled. This is configured with:
      awplus(config-if)# auth dynamic-vlan-creation rule deny
    [Figure 8: Deny access to supplicant assigned to a different VLAN. x900 Switch (Authenticator). Labels: 1. Supplicant accepted and assigned VLAN 10; 2. Supplicant accepted and assigned to VLAN 11. Authenticator allows access.]

    Option 2: Force all supplicants into the same VLAN
    If the first supplicant authenticated on the port is assigned VLAN X, then any supplicants subsequently assigned a different VLAN are allowed access, but forced into VLAN X. This is configured with:
      awplus(config-if)# auth dynamic-vlan-creation rule permit
    [Figure 9: Force all supplicants into the same VLAN. x900 Switch (Authenticator). Labels: 1. Supplicant accepted and assigned VLAN 10; 2. Supplicant accepted by RADIUS server and assigned VLAN 11. Authenticator allows access, but puts supplicant into VLAN 10.]
  • 13. Option 3: Dynamically assign multiple VLANs to one port
    On the x210, x230, x310, x510, x600, x610 and x930 switches, it is actually possible to assign different VLANs to different supplicants downstream of the same port. This is configured with:
      awplus(config-if)# auth dynamic-vlan-creation rule permit type multi
    [Figure 10: Dynamically assign multiple VLANs to one port. x600 Switch (Authenticator). Labels: 1. Supplicant accepted and assigned VLAN 10; 2. Supplicant accepted and assigned to VLAN 11. Authenticator allows access and allocates this supplicant’s data to VLAN 11.]
    The switch can assign VLAN membership to packets based on source MAC:
      - Packets from MAC of supplicant 1 are assigned to VLAN 10
      - Packets from MAC of supplicant 2 are assigned to VLAN 11
    This feature is not supported on SBx8100, x900 and SwitchBlade x908 switches.

    Using a guest VLAN
    Whilst you need to authenticate the users who will have access to the important services within your network, you might also want to provide some basic level of access to users who fail to authenticate. For example, visitors to an enterprise will often need to have Internet access. It would be desirable to have a secure, convenient way to provide this Internet access via the corporate LAN.
    By default, 802.1x denies access to users who fail authentication. Guests are not known to the RADIUS server, so fail authentication. The solution is to provide a Guest VLAN, which is configured with:
      awplus(config)# interface port1.0.5
      awplus(config-if)# auth guest-vlan <vlan id>
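    The admission decisions the guide describes under Multi-supplicant modes, the rule and type parameters, Options 1 to 3 and Using a guest VLAN are collected in the following Python model, added here as an example; it is not the switch's code and the class, method and parameter names are this example's own. It models one port with the configured auth host-mode, auth dynamic-vlan-creation rule and type, and auth guest-vlan values, and reports for each supplicant whether it is admitted and which VLAN its untagged frames land in. Where the guide is silent (what the port does once every supplicant has logged off), the model clears the port's untagged VLAN, which is an assumption.

```python
"""Model of 802.1x port admission under host-mode, dynamic VLAN rule/type and guest VLAN
(added example, not the switch's own code; names are this example's own)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AuthPort:
    host_mode: str = "single-supplicant"   # single-supplicant | multi-host | multi-supplicant
    rule: str = "deny"                     # auth dynamic-vlan-creation rule {deny|permit}
    vlan_type: str = "single"              # auth dynamic-vlan-creation type {single|multi}
    guest_vlan: Optional[int] = None       # auth guest-vlan <vlan id>, if configured
    untagged_vlan: Optional[int] = None    # the one untagged VLAN in use (type single)
    sessions: Dict[str, int] = field(default_factory=dict)  # MAC -> VLAN its frames go into

    def access_accept(self, mac: str, assigned_vlan: int) -> Tuple[bool, Optional[int]]:
        """RADIUS accepted `mac` and assigned `assigned_vlan`; returns (admitted, VLAN used)."""
        if self.host_mode == "single-supplicant" and self.sessions and mac not in self.sessions:
            return False, None                      # one supplicant at a time until it logs off
        if self.host_mode == "multi-supplicant" and self.vlan_type == "multi":
            self.sessions[mac] = assigned_vlan      # Option 3: MAC-based VLAN per supplicant
            return True, assigned_vlan
        if self.untagged_vlan in (None, assigned_vlan):
            self.untagged_vlan = assigned_vlan      # first supplicant fixes the port's untagged VLAN
            self.sessions[mac] = assigned_vlan
            return True, assigned_vlan
        if self.rule == "permit":                   # Option 2: admitted, but forced into VLAN X
            self.sessions[mac] = self.untagged_vlan
            return True, self.untagged_vlan
        return False, None                          # Option 1 (default): denied

    def access_reject(self, mac: str) -> Optional[int]:
        """Authentication failed or was never attempted: guest VLAN if configured, else blocked."""
        if self.guest_vlan is not None:
            self.sessions[mac] = self.guest_vlan
        return self.guest_vlan

    def logoff(self, mac: str) -> None:
        """EAPOL-Logoff from `mac`; its session ends and its access is withdrawn."""
        self.sessions.pop(mac, None)
        if not self.sessions:
            self.untagged_vlan = None               # assumption: port reverts once it is empty

    def forwarding_vlan(self, mac: str) -> Optional[int]:
        """VLAN that untagged frames from `mac` are classified into, or None if blocked."""
        if mac in self.sessions:
            return self.sessions[mac]
        if self.host_mode == "multi-host" and self.sessions:
            return self.untagged_vlan               # piggy-back on the authenticated device
        return None


if __name__ == "__main__":
    port = AuthPort(host_mode="multi-supplicant")   # rule deny, type single (defaults)
    print(port.access_accept("0002.b363.319f", 45))   # (True, 45)
    print(port.access_accept("0002.b363.31a0", 56))   # (False, None): Option 1
```

    Running the same two supplicants through a port configured with rule permit gives (True, 45) for the second one, and with type multi it gives (True, 56); the multi-host case shows why the guide recommends single-supplicant mode for known single-host ports, since any MAC behind an authenticated device is forwarded until that device logs off.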
  • 14. [Figure 11: Using a guest VLAN. Labels: Client devices; Supplicant assigned to guest vlan; x600; x900 stack; AR770; 8000GS; Windows 2008 server; Enterprise CA server; Internet; Private Zone; Public/Private Zone; 10/100 Link; 1 Gigabit Link; Link aggregation; ACLs used to ensure GUEST VLAN traffic goes to the Internet and nowhere else]
    If a supplicant attempts authentication and fails, or does not even attempt authentication (no 802.1x client in the PC), then they are dynamically assigned to the guest VLAN.

    Verify the operation of 802.1x
    When a supplicant has been authenticated on a port the details of the authentication can be seen with:
      show dot1x supplicant int port1.0.5
      Interface port1.0.5
        authenticationMethod: dot1x
        totalSupplicantNum: 1
        authorizedSupplicantNum: 1
        macBasedAuthenticationSupplicantNum: 0
        dot1xAuthenticationSupplicantNum: 1
        WebBasedAuthenticationSupplicantNum:
        otherAuthenticationSupplicantNum: 0
        Supplicant name: Engineer01                      <--- Supplicant name
        Supplicant address: 0002.b363.319f               <--- MAC of authenticated device
          authenticationMethod: 802.1x                   <--- Authenticated by 802.1x
          portStatus: Authorized - currentId: 9
          abort:F fail:F start:F timeout:F success:T
          PAE: state: Authenticated - portMode: Auto
          PAE: reAuthCount: 0 - rxRespId: 0
          PAE: quietPeriod: 60 - maxReauthReq: 2
          BE: state: Idle - reqCount: 0 - idFromServer: 8
          CD: adminControlledDirections: both - operControlledDirections: both
          CD: bridgeDetected: false
          KR: rxKey: false
          KT: keyAvailable: false - keyTxEnabled: false
          dynamicVlanId: 20                              <--- VLAN assigned, if dynamic VLAN assignment enabled
  • 15. C613-22005-00 REV A
    North America Headquarters | 19800 North Creek Parkway | Suite 100 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895
    Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830
    EMEA & CSA Operations | Incheonweg 7 | 1437 EK Rozenburg | The Netherlands | T: +31 20 7950020 | F: +31 20 7950021
    alliedtelesis.com
    © 2015 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.

    When a supplicant has been authenticated, and assigned to a VLAN, the port they authenticated on will then be seen to be a member of that VLAN:
      show vlan 20
      VLAN ID  Name              Type     State    Member ports (u)-Untagged, (t)-Tagged
      =======  ================  =======  =======  ======================
      20       Engineering       STATIC   ACTIVE   port1.0.5(u)

      show vlan 30
      VLAN ID  Name              Type     State    Member ports (u)-Untagged, (t)-Tagged
      =======  ================  =======  =======  ======================
      30       Marketing         STATIC   ACTIVE   port1.0.5(u)

    Names of commands used
      dot1x port-control
      radius-server host
      radius-server key
    Validation commands
      show dot1x
      show dot1x interface
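    The check the last two pages describe by hand, that an authorized supplicant's dynamicVlanId is matched by untagged membership of its port in show vlan, is scripted below in Python as an added example; it is not code from the guide or from AlliedWare Plus. The two sample outputs are constructed from the guide's own show dot1x supplicant and show vlan samples (trimmed, and with VLAN 30 placed on a different port so the check has something to compare), and the field names and the (u)/(t) membership notation come from those samples.

```python
"""Cross-check 'show dot1x supplicant' against 'show vlan' (added example).
The sample outputs are constructed from the guide's samples, not captured live."""
import re
from typing import Dict, List

SHOW_DOT1X = """\
Interface port1.0.5
  authenticationMethod: dot1x
  totalSupplicantNum: 1
  authorizedSupplicantNum: 1
  Supplicant name: Engineer01
  Supplicant address: 0002.b363.319f
    authenticationMethod: 802.1x
    portStatus: Authorized - currentId: 9
    PAE: state: Authenticated - portMode: Auto
    CD: adminControlledDirections: both - operControlledDirections: both
    dynamicVlanId: 20
"""

SHOW_VLAN = """\
VLAN ID  Name              Type     State    Member ports (u)-Untagged, (t)-Tagged
=======  ================  =======  =======  ======================
20       Engineering       STATIC   ACTIVE   port1.0.5(u)
30       Marketing         STATIC   ACTIVE   port1.0.6(u)
"""


def parse_show_dot1x(text: str) -> List[Dict[str, str]]:
    """One dict per supplicant: its interface, name, and the 'key: value' pairs that
    follow its 'Supplicant name' line ('a - b' lines carry several pairs)."""
    supplicants, current, interface = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface "):
            interface = line.split()[1]
        elif line.startswith("Supplicant name:"):
            current = {"interface": interface, "name": line.split(":", 1)[1].strip()}
            supplicants.append(current)
        elif current is not None and ":" in line:
            for part in line.split(" - "):
                key, _, value = part.rpartition(":")   # keeps 'PAE: state' as the key
                current[key.strip()] = value.strip()
    return supplicants


def parse_show_vlan(text: str) -> Dict[int, Dict[str, str]]:
    """VLAN ID -> {port: 'u' | 't'} taken from the member-ports column."""
    members = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+\S+\s+\S+\s+(.*)$", line)
        if not m:
            continue                                  # header, separator or blank line
        ports = {p: kind for p, kind in re.findall(r"(port\S+?)\(([ut])\)", m.group(2))}
        members[int(m.group(1))] = ports
    return members


def check_vlan_assignment(dot1x_text: str, vlan_text: str) -> List[str]:
    """Authorized supplicants whose dynamicVlanId is not reflected as untagged membership
    of their port. An empty list means the two views agree."""
    problems = []
    vlans = parse_show_vlan(vlan_text)
    for s in parse_show_dot1x(dot1x_text):
        if s.get("portStatus") != "Authorized":
            continue                                  # nothing has been granted yet
        vlan = s.get("dynamicVlanId")
        if vlan is None:
            continue                                  # no dynamic assignment to verify
        port = s["interface"]
        if vlans.get(int(vlan), {}).get(port) != "u":
            problems.append(f"{s['name']} on {port}: dynamicVlanId {vlan} "
                            f"but {port} is not an untagged member of VLAN {vlan}")
    return problems


if __name__ == "__main__":
    print(check_vlan_assignment(SHOW_DOT1X, SHOW_VLAN) or "consistent")
```

    Feeding the script the two command outputs collected from a switch (for example through the command reference's show commands over SSH) turns the manual comparison into a check that can run after every RADIUS policy change, and the problems list is the place to alert on.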