In a previous post, I explained how to configure dot1x in a switch global configuration. In this article, I’ll explain the best practice about dot1x interface configurations.
If you do not know the benefits that the dot1x framework provides, I suggest reading this article.
Let’s start :)
First of all, define a basic interface configuration:
Ciscozine-SW(config-if)#description DOT1X + PHONE
Ciscozine-SW(config-if)#switchport mode access
Ciscozine-SW(config-if)#switchport voice vlan 150
Ciscozine-SW(config-if)#spanning-tree portfast
Remember: if you don’t set the interface as ‘mode access’, none of the authentication-related commands will be accepted.
802.1x mandatory commands
dot1x pae authenticator
Enable dot1x on the switch port.
no authentication open
authentication control-direction in
This is the suggested configuration if you want to enable WOL (Wake-on-LAN) on your devices. “no authentication open” keeps the port in the default closed mode, so no data traffic from the host is forwarded before authentication. With “control-direction in”, the port changes to the spanning-tree forwarding state and can send packets to the host, but cannot receive packets from the host until the authentication process has been completed.
When you use the “authentication control-direction both” command, the port is controlled in both directions. In this state, the port neither receives nor sends packets until the authentication process has been completed, so WOL will not work.
authentication port-control auto
Starts authentication when the link state changes from down to up.
authentication order dot1x mab
authentication priority dot1x mab
802.1X & MAB ordering/priority is more subjective than the other settings, but in general keeping the default order (802.1X first, then MAB) is recommended. If you are interested in understanding when changing the order can be useful, check this discussion: https://community.cisco.com/…/dot1x-mab-priority-and-order/
authentication host-mode multi-auth
Allows multiple hosts and a voice device, such as an IP phone (Cisco or non-Cisco), to be authenticated on an IEEE 802.1x-authorized port. This is very useful when an unmanaged switch is connected to the port.
authentication violation restrict
Configures the violation mode applied when a new device connects to a port; four modes are available:
- Shutdown: Disables the port (err-disabled).
- Restrict: Generates a syslog error and drops the packets of the unauthenticated device.
- Protect: Drops packets from any new device that sends traffic to the port, without logging.
- Replace: Removes the current session and authenticates with the new host.
My suggestion is to use “restrict mode”.
mab
Enables MAC address authentication (MAC Authentication Bypass). This is mandatory when your network must authenticate devices not only via EAP methods (TLS, PEAP, TEAP, …). MAB enables port-based access control using the MAC address of the endpoint, and is used to authenticate printers, scanners, cameras and other “dumb” devices that have no 802.1X supplicant.
802.1x optional commands
Authentication event settings
authentication event fail action authorize vlan <vlan_id>
If the authentication process fails (e.g. wrong password, expired certificate, …), the device is assigned to the vlan <vlan_id>.
Note: The same result can be achieved with a Cisco ISE policy.
authentication event server dead action authorize vlan <vlan_id>
If the RADIUS servers aren’t responding (server dead), the device is placed in the vlan <vlan_id>; this fallback vlan is called the “critical vlan”.
authentication event server dead action authorize voice
If the RADIUS server is dead, the voice vlan is authorized. This command is optional, but I suggest using it.
Note: The voice vlan is defined by the command “switchport voice vlan <vlan_id>”.
authentication event server alive action reinitialize
If the RADIUS server comes back up, this command automatically re-authorizes the session, removing the client from the critical auth vlan (defined with the command “authentication event server dead action authorize vlan <vlan_id>”) and assigning the correct vlan/dACL. Even though optional, I recommend using it.
authentication event no-response action authorize vlan <vlan_id>
If the client does not send any EAP packets, the switch places it in the vlan <vlan_id> after the 802.1X timeout period (see the tx-period/max-reauth-req section below). This vlan is called the “guest vlan”.
Note: This command can be replaced by a Cisco ISE policy.
authentication periodic
Enables the reauthentication and inactivity timers for the port. Use this command to enable automatic reauthentication on a port, whether the timer values are statically assigned on the port or are derived from the RADIUS server.
authentication timer reauthenticate server
Specifies the period of time after which the authorized port is reauthenticated, and allows the reauthentication timer interval (session timer) to be downloaded to the switch from the RADIUS server.
authentication timer inactivity server dynamic
Allows the inactivity timer interval to be downloaded to the switch from the RADIUS server. The dynamic keyword instructs the switch to send an ARP probe before removing the session, to make sure the device is really disconnected.
dot1x timeout tx-period 7
dot1x max-reauth-req 3
At link-up, the switch sends an EAP Request-Identity frame. It waits for the period defined by the “dot1x timeout tx-period” timer and then sends another Request-Identity frame.
The number of times it resends the Request-Identity frame is defined by the “dot1x max-reauth-req” value.
The combination of tx-period and max-reauth-req is especially important for endpoints that are not IEEE 802.1X-capable. Endpoints without a supplicant must wait until 802.1X times out before getting network access via a fallback mechanism (MAB or the guest vlan). The total time it takes for 802.1X to time out is given by the following formula:
Timeout = (max-reauth-req + 1) * tx-period
The best-practice 802.1X timeout that works for most environments is about 30 seconds; with the values above, (3 + 1) * 7 = 28 seconds.
Note: The Request-Identity frames are sent only in the session initiation phase. During the subsequent authentication process, the retransmission of EAP Request frames is handled by max-req, not max-reauth-req.
Note: Supp-timeout and max-req are similar to tx-period and max-reauth-req except that they apply only after the supplicant has responded to the initial Request-Identity message. They are not commonly invoked, because they take effect only during rare events such as a supplicant that stops functioning mid-authentication or a transmission failure on the wire.
Dot1x interface configuration:
description DOT1X + PHONE
switchport mode access
switchport voice vlan 2070
authentication control-direction in
authentication event fail action authorize vlan 666
authentication event server dead action authorize vlan 666
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 666
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast edge
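As an added example (not part of the original article), a small Python audit that parses an IOS-style running-config, reports which of the mandatory commands listed above are missing on each access port, and computes the 802.1X timeout with the formula from the timer section. The sample config is constructed for this example; the fallback values tx-period 30 s and max-reauth-req 2 are the IOS defaults assumed when the commands are absent.

```python
import re
# Constructed sample input (not from a real device): the first port follows the
# article's recommendations, the second has only the basic commands.
SAMPLE_CONFIG = """interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
interface GigabitEthernet1/0/2
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
"""

# Commands the article lists as mandatory on an 802.1X access port.
MANDATORY = ("switchport mode access", "dot1x pae authenticator",
             "authentication port-control auto", "authentication host-mode multi-auth",
             "authentication violation restrict", "mab")

def parse_interfaces(config):
    """Return {interface_name: [command, ...]} from IOS running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def dot1x_timeout(commands):
    """Timeout = (max-reauth-req + 1) * tx-period; IOS defaults: tx-period 30 s, max-reauth-req 2."""
    tx, reauth = 30, 2
    for cmd in commands:
        if m := re.fullmatch(r"dot1x timeout tx-period (\d+)", cmd):
            tx = int(m.group(1))
        elif m := re.fullmatch(r"dot1x max-reauth-req (\d+)", cmd):
            reauth = int(m.group(1))
    return (reauth + 1) * tx

def audit_config(config):
    """Per interface: missing mandatory commands and seconds a non-supplicant waits before MAB/guest fallback."""
    return {name: {"missing": [c for c in MANDATORY if c not in cmds],
                   "timeout": dot1x_timeout(cmds)}
            for name, cmds in parse_interfaces(config).items()}
```

Run against a saved “show running-config” to spot ports still using the 90-second default timeout or missing the violation/MAB settings.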