802.1X Deployment Guide: Interface configuration

In a previous post, I explained how to configure dot1x in a switch global configuration. In this article, I’ll explain the best practice about dot1x interface configurations.

If you do not know what are the benefits that dot1x framework gives, I suggest you to read this article.

Let’s start :)

First of all, define a basic interface configuration:

Ciscozine-SW(config-if)#description DOT1X + PHONE
Ciscozine-SW(config-if)#switchport mode access
Ciscozine-SW(config-if)#switchport voice vlan 150
Ciscozine-SW(config-if)#spanning-tree portfast

Remember: if you don’t set the interface as ‘mode access’, none of the authentication-related commands will be accepted.

802.1x mandatory commands

dot1x pae authenticator

Enable dot1x on the switch port.

no authentication open
authentication control-direction in

This is the suggested configuration if you want enable WOL on your devices. The port changes to the spanning-tree forwarding state and it can send packets to the host but cannot receive packets from the host until the authentication process has been completed.

When you use the authentication control-direction both command the port is controlled in both directions. In this state, the port does not receive or send packets until the authentication process has been completed. WOL will not work.

authentication port-control auto

Start authentication when the link state changes from down to up state.

authentication order dot1x mab
authentication priority dot1x mab

802.1X & MAB ordering/priority is more subjective than the other settings, but in general leaving the default order of 802.1X and MAB is recommended. If you are interested to understand when changing order can be useful, check this discussion: https://community.cisco.com/…/dot1x-mab-priority-and-order/

authentication host-mode multi-auth

Allows multiple hosts and a voice device, such as an IP phone (Cisco or non-Cisco), to be authenticated on an IEEE 802.1x-authorized port. This is very useful when you connect an unmanaged switch.

authentication violation restrict

Configure the violation modes that occur when a new device connects to a port; four mode are available:

  • Shutdown: Disable the port
  • Restrict: Generate a syslog error and drop packet of the unauthenticated device.
  • Protect: Drop packets from any new device that sends traffic to the port.
  • Replace: Removes the current session and authenticates with the new host.

My suggestion is to use “restrict mode”.

Mab

Enable mac address authentication. This is mandatory when your network must authenticate not only via EAP protocol (TLS, PEAP, TEAP, …). MAB enables port-based access control using the MAC address of the endpoint. This method is used to authenticate printer, scanner, camera and other “dumb” devices.

802.1x optional commands

Authentication event settings

authentication event fail action authorize vlan <vlan_id>

If the authentication process fails (e.g. wrong password, expired certificate, …), the device is assigned to the vlan <vlan_id>.

Note: The same result can be done with a Cisco ISE policy.

authentication event server dead action authorize vlan <vlan_id>

If the radius servers aren’t responding (e.g. server dead), the device is placed to the vlan <vlan_id>; it is a fallback vlan, named “critical vlan”.

authentication event server dead action authorize voice

If the radius server is dead, the voice vlan is authorized. This is an optional command but I suggest to use it.

Note: The voice vlan is defined by the command “switchport voice vlan <vlan_id>”.

authentication event server alive action reinitialize

If the radius servers comes back up, the command will automatically re-authorize the session, removing the client from the critical auth vlan (defined with the command authentication event server dead action authorize vlan <vlan_id>) and assigning the correct vlan/dacl. Even though optional, I recommend to use it.

authentication event no-response action authorize vlan <vlan_id>

If the client does not send any EAP packet, the switch places the client to the vlan after a timeout period. The vlan is named “guest vlan”.

Note: The command can be replaced by a Cisco ISE policy.

Timer settings

authentication periodic

Enable the reauthentication and inactivity timer for the port. Use the command to enable automatic reauthentication on a port whether the values are statically assigned on the port or are derived from the RADIUS server.

authentication timer reauthenticate server

To specify the period of time to reauthenticate the authorized port and to allow the reauthentication timer interval (session timer) to be downloaded to the switch from the RADIUS server.

authentication timer inactivity server dynamic

Allow the inactivity timer interval to be downloaded to the switch from the RADIUS server. The dynamic keyword instructs the switch to send out an ARP probe before removing the session to make sure the device is indeed disconnected.

dot1x timeout tx-period 7
dot1x max-reauth-req 3

At link-up, the switch sends an EAP Request-Identity frame. It waits for a period of time defined by the dot1x timeout tx-period timer and then sends another Request-Identity frame.

The number of times it resends the Request-Identity frames is defined by dot1x max-reauth-req variable.

The combination of tx-period and max-reauth-req is especially important to non-IEEE-802.1X-capable endpoints. Endpoints without a supplicant must wait until 802.1X times out before getting network access via a fallback mechanism. The total time it takes for 802.1X to time out is determined by the following formula:

Timeout = (max-reauth-req +1) * tx-period

The best practice configuration for the 802.1X timeout period that works for most environments is about 30 seconds.

Note: The Request-Identity frames are sent only in the session initiation phase. During the subsequent authentication process, the retransmission of EAP Request frames are handled by max-req, not max-reauth-req.

Note: Supp-timeout and max-req are similar to tx-period and max-reauth-req except that they apply only after the supplicant has responded to the initial Request-Identity message. They are not commonly invoked, because they take effect only during rare events such as a supplicant that stops functioning mid-authentication or a transmission failure on the wire.

Dot1x interface configuration:

  description DOT1X + PHONE
  switchport mode access
  switchport voice vlan 2070
  authentication control-direction in
  authentication event fail action authorize vlan 666
  authentication event server dead action authorize vlan 666
  authentication event server dead action authorize voice
  authentication event no-response action authorize vlan 666
  authentication event server alive action reinitialize 
  authentication host-mode multi-auth
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication timer inactivity server dynamic
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 7
  dot1x max-reauth-req 3
  spanning-tree portfast edge

References:

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.