Cisco Port Auth

Port-Based Authentication
This feature is based on the IEEE 802.1x standard.
Both the switch and the end user's PC must support it, and an authentication server that supports 802.1x is required.
ps:
Only RADIUS is supported as the 802.1x authentication server on Cisco switches.
ps:
802.1x EAPOL (Extensible Authentication Protocol over LANs) is a Layer 2 protocol.
ps:
Only EAPOL, STP, and CDP are allowed through the switch port before authentication takes place.

Unauthorized condition
1. An 802.1x switch port begins in the unauthorized state (dot1x port-control auto).
2. The authorized state of the port ends when the user logs out.
3. The switch can also time out the user's authorized session.
If this happens, the client must reauthenticate to continue using the switch port.

…………………


1. Enable AAA on the switch.
Switch(config)# aaa new-model
The "new model" is much more scalable than the "old model," in which the authentication source
was explicitly configured.
It globally enables AAA on the switch, with default lists applied to the VTYs.

2. Define external RADIUS servers.
Switch(config)# radius-server host < hostname | ip-address > [key string]
host specifies the RADIUS server's location.
key specifies the shared secret defined on the RADIUS server.
This command can be repeated to define additional RADIUS servers.

3. Define the authentication method for 802.1x.
Switch(config)# aaa authentication < dot1x > default group radius
Parameters:
< dot1x > specifies that this method list applies to 802.1x authentication.

4. Enable 802.1x on the switch.
Switch(config)# dot1x system-auth-control

5. Configure each switch port that will use 802.1x.
Switch(config)# interface < interface >
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control < auto | force-authorized | force-unauthorized >
Parameters:
auto
The port uses an 802.1x exchange to move from the unauthorized to the authorized state.
Each port must be configured in the auto state so that connected PCs are forced to authenticate through the 802.1x exchange.
force-authorized (default)
The port is forced to always authorize any connected client. No authentication is necessary.
The port stays in the authorized state, so traffic passes without any authentication.
force-unauthorized
The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.
The port stays in the unauthorized state.
ps:
If the client PC is configured to use 802.1x but the switch does not support it, the PC abandons the protocol and communicates normally.
ps:
Not supported on EtherChannel, trunk ports, or SPAN ports (sniffer ports).

6. (optional) Allow multiple hosts on a switch port.
Switch(config-if)# dot1x host-mode multi-host


ex:
The RADIUS server is 10.1.1.1 and uses BigSecret as the shared secret key.
Ports fa0/1-40 require clients to authenticate with 802.1x.
Switch configuration:
Switch(config)# aaa new-model
Switch(config)# radius-server host 10.1.1.1 key BigSecret
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range FastEthernet0/1 - 40
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Client PC configuration:
Configure the 802.1x settings on the client PC (supplicant).
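As an added example (not part of these notes), a small Python audit that checks a saved running-config against steps 1-5 above: it reports any missing global command and every access port whose port-control is not auto, treating a port with no port-control line as the force-authorized default. The running-config text is constructed for the example and the parser assumes IOS's convention of indenting interface sub-commands by one space.

```python
import re
# Constructed sample running-config (not from the page): Fa0/1 is correct,
# Fa0/2 is explicitly force-authorized, Fa0/3 never had port-control set.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 10.1.1.1 key BigSecret
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control force-authorized
!
interface FastEthernet0/3
 switchport mode access
"""
GLOBAL_REQUIRED = [r"^aaa new-model$", r"^radius-server host \S+ key \S+",
                   r"^aaa authentication dot1x default group radius$",
                   r"^dot1x system-auth-control$"]
def parse_interfaces(config):
    # Map each 'interface <name>' stanza to its indented sub-commands.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit_dot1x(config):
    # Returns (missing global commands, {access port: effective port-control mode})
    # for every access port not in 'auto'; no port-control line means the default.
    lines = [l.strip() for l in config.splitlines()]
    missing = [p for p in GLOBAL_REQUIRED if not any(re.match(p, l) for l in lines)]
    findings = {}
    for name, stanza in parse_interfaces(config).items():
        if "switchport mode access" not in stanza:
            continue  # only access ports are candidates for 802.1x here
        ctrl = [l for l in stanza if l.startswith("dot1x port-control")]
        mode = ctrl[-1].split()[-1] if ctrl else "force-authorized (default)"
        if mode != "auto":
            findings[name] = mode
    return missing, findings
```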

…………………

Switch# show dot1x all
Verifies 802.1x operation on each switch port that is configured to use port-based authentication.