Port-Based Authentication
this feature is based on the IEEE 802.1x standard
both the switch and the end user’s PC must support, and a authentication server for support 802.1x
ps:
only RADIUS is supported for 802.1x in cisco
ps:
802.1x EAPOL(Extensible Authentication Protocol over LANs) is a Layer 2 protocol
ps:
EAPOL,STP,CDP protocols are allowed through the switch port before authentication takes place<\/p>\n\n\n\n
unauthorized condition
1.An 802.1x switch port begins in the unauthorized state (#dot1x port-control auto)
2.The authorized state of the port ends when the user logs out
3.The switch can also time out the user’s authorized session
If this happens, the client must reauthenticate to continue using the switch port<\/p>\n\n\n\n
…………………<\/p>\n\n\n\n
2 3 4 5 6(optional) ………………..<\/p>\n\n\n\n #show dot1x all<\/strong> Port-Based Authenticationthis …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[31],"tags":[],"class_list":["post-882","post","type-post","status-publish","format-standard","hentry","category-cisco-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/882","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=882"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/882\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=882"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=882"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=882"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
1
Enable AAA on the switch.
Switch(config)# aaa new-model<\/strong>
The “new model” is much more scalable than the “old model,” in which the authentication source
was explicitly configured.
It globally enables AAA on the switch, with default lists applied to the VTYs<\/p>\n\n\n\n
Define external RADIUS servers
Switch(config)# radius-server host < hostname | ip-address > [key ]<\/strong>
host\u6307\u5b9aradius\u4f4d\u7f6e
key\u6307\u5b9araidus\u5b9a\u7fa9\u7684secret shared
This command can be repeated to define additional RADIUS servers<\/p>\n\n\n\n
Define the authentication method for 802.1x
Switch(config)# aaa authentication < dot1x > default group radius<\/strong>
\u5404\u53c3\u6578\u8aaa\u660e\u5982\u4e0b
< dot1x > \u6307\u5b9a802.1x\u7684\u8a8d\u8b49\u65b9\u5f0f<\/p>\n\n\n\n
Enable 802.1x on the switch:
Switch(config)# dot1x system-auth-control<\/strong><\/p>\n\n\n\n
Configure each switch port that will use 802.1x:
Switch(config)# interface < interface >
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control < auto | force-authorized | force-unauthorized><\/strong>
\u53c3\u6578\u8aaa\u660e\u5982\u4e0b
auto<\/strong>
The port uses an 802.1x exchange to move from the unauthorized to the authorized state,
each port must be configured the auto state so that connected PCs are forced to authenticate through the 802.1x exchange
force-authorized(default)<\/strong>
The port is forced to always authorize any connected client. No authentication is necessary
\u4fdd\u6301\u8a8d\u8b49\u7684\u72c0\u614b,\u56e0\u6b64\u4e0d\u9700\u8a8d\u8b49\u5373\u53ef\u50b3\u8f38\u8cc7\u6599
force-unauthorized<\/strong>
The port is forced to never authorize any connected client,As a result, the port cannot move to the authorized state to pass traffic to a connected client.
\u4fdd\u6301\u672a\u8a8d\u8b49\u7684\u72c0\u614b
ps:
If the client PC is configured to use 802.lx but the switch does not support it, the PC abandons the protocol and communicates normally.
ps:
\u4e0d\u652f\u63f4Etherchannel,Tunmk port,Span port(Sniffer port)<\/p>\n\n\n\n
Allow multiple hosts on a switch port.
Switch(config-if)# dot1x host-mode multi-host<\/strong><\/p>\n\n\n\n
ex:
radius\u4e3b\u6a5f\u70ba10.1.1.1\u4e26\u4f7f\u7528BigSecret\u505a\u70basecret key
fa0\/1-40\u8981\u6c42client\u4f7f\u7528802.1x\u8a8d\u8b49
switch\u8a2d\u5b9a\u90e8\u4efd<\/strong>
Switch(config)# aaa new-model
Switch(config)# radius-server host 10.1.1.1 key BigSecret
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface range FastEthernet0\/1 – 40
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
client_pc\u8a2d\u5b9a\u90e8\u4efd<\/strong>
\u8a2d\u5b9a802.1x\u76f8\u95dc\u8a2d\u5b9a<\/p>\n\n\n\n
to verify the 802.1x operation on each switch port that is configured to use port-based authentication<\/p>\n","protected":false},"excerpt":{"rendered":"