Microsoft IAS and Cisco switch 802.1x configuration HOWTO
Written by dstubked   
Monday, 22 September 2008 23:27

802.1x is an IEEE standard for port-based network access control. It provides an authentication mechanism for devices wishing to attach to a LAN port, either establishing a point-to-point connection or preventing access from that port if authentication fails. It is used by most wireless 802.11 access points and is based on the Extensible Authentication Protocol (EAP). Of course, this does not mean it cannot work on a wired network.

Introduction

This article was written because I found very little documentation available online on using 802.1x with a wired switched network. I hope you readers find it useful. Please feel free to email me at admin at root dot sg if you wish to add anything.

In 802.1x, there are a few components that we must understand before we can do an actual setup.

  1. Supplicant - This is usually software running on a client device such as a PC.
  2. Authenticator - This sits between the client device asking for access and the authentication server. In most cases, this is either a switch or a wireless access point.
  3. Authentication server - Most of the time, this is simply a RADIUS database.

Background Information

The flow will be something like this:

  1. The client connects a laptop to the 802.1x-enabled switched network.
  2. The switch, acting as the authenticator, sends a request to the supplicant software running on the laptop asking for network access credentials.
  3. The supplicant sends the network access credentials back to the authenticator (switch).
  4. The authenticator takes the network access credentials and forwards them to the authentication server.
  5. If there is a match and the configured policy on the authentication server allows it, a success message is sent back to the authenticator (switch), allowing the client into the protected part of the network.
  6. A diagram illustrating the technical parts of this can be found here.


Lab Setup and Topology

For the purpose of this HOWTO, we will be doing the setup based on the network diagram below.

 

Setup Information

Some key points to note here:

  1. The user database is stored in Active Directory. This HOWTO does not cover how to set up an IAS server; it assumes that you have a working IAS server that is able to read the Active Directory user database.
  2. To keep things simple for the newcomer, there are 3 networks here:
    • VLAN 10 is the trusted network. This is where clients are placed if they are successfully authenticated by the authentication server.
    • VLAN 20 is the guest network. This is where clients are placed if they are authenticated as a client or if the 802.1x supplicant on the client is not enabled.
    • VLAN 50 is the quarantine network. This is where clients who fail the authentication process are placed.
  3. The access switches are configured to contact the IAS server at IP 192.168.10.60 in order to validate user credentials.
  4. The VLAN to which an authenticated user belongs is configured on the IAS. This means users are assigned to the designated VLAN based on their Active Directory user name.
  5. For this HOWTO, a Cisco Catalyst 3650 switch was used as the access switch. However, it should work on just about any switch running IOS 12.2.x.



Global Configuration in Switch

In order for 802.1x to work on your network switches, each switch needs the following global configuration:

#Defines a new AAA model in the switch

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common

#Turn on system auth control for dot1x

dot1x system-auth-control

#Radius parameters

radius-server cache expiry 1
radius-server host 192.168.10.60 auth-port 1812 acct-port 1813 key password
radius-server retry method reorder
radius-server transaction max-tries 10
radius-server timeout 4
radius-server deadtime 2
radius-server vsa send authentication

In the above configuration, we defined a new AAA model using the RADIUS protocol. The "radius-server host" command tells the switch that the RADIUS server (our IAS) can be reached at IP 192.168.10.60, with UDP port 1812 as the authentication port and UDP port 1813 as the accounting port, and that the shared secret is "password". The same secret must be entered in your RADIUS server configuration when you define the switch as a new client.

Now that the above is done, we need to identify the ports on the switch that should be used for 802.1x authentication. In our example, we will use f0/3 for 802.1x port authentication.

The configuration for f0/3 is as follows:

interface FastEthernet0/3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 10
 dot1x max-reauth-req 1
 dot1x guest-vlan 20
 dot1x auth-fail vlan 50
 dot1x auth-fail max-attempts 1
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root

The commands above put interface FastEthernet0/3 into dot1x-enabled mode. An authenticated user is allowed into the trusted internal network, VLAN 1. A guest is placed into VLAN 20, while a user who has failed authentication is placed into VLAN 50 without any network access.
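As an added check (example code written for this article, not part of the original HOWTO or of any Cisco tool), the following Python script parses a saved IOS running-config and reports which of the global and per-port commands above are missing on every interface that carries a dot1x command. The sample config embedded in it is constructed; it deliberately omits "aaa authorization network default group radius", without which the switch will not apply the VLAN the RADIUS server returns.

```python
# Constructed sample config (not from a real switch): "aaa authorization network" is absent and f0/4 is incomplete.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.168.10.60 auth-port 1812 acct-port 1813 key password
!
interface FastEthernet0/3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 20
 dot1x auth-fail vlan 50
!
interface FastEthernet0/4
 switchport mode access
 dot1x port-control auto
!
"""
REQUIRED_GLOBAL = ["aaa new-model", "dot1x system-auth-control", "radius-server host",
                   "aaa authentication dot1x default group radius", "aaa authorization network default group radius"]
REQUIRED_PORT = ["switchport mode access", "dot1x pae authenticator",
                 "dot1x port-control auto", "dot1x guest-vlan", "dot1x auth-fail vlan"]

def parse_config(text):
    """Split IOS config text into global commands and {interface: [sub-commands]}."""
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:  # a '!' separator or a global command ends the interface stanza
            cur = None
            if line and not line.startswith("!"):
                glob.append(line.strip())
    return glob, ifaces

def has(cmds, prefix):  # exact command or one that extends it, e.g. 'dot1x guest-vlan 20'
    return any(c == prefix or c.startswith(prefix + " ") for c in cmds)

def audit_dot1x(text):
    """Return (missing_global, {port: missing_port_cmds}) for every interface that
    carries at least one dot1x command, i.e. is meant to be an 802.1x port."""
    glob, ifaces = parse_config(text)
    missing_global = [c for c in REQUIRED_GLOBAL if not has(glob, c)]
    ports = {name: [c for c in REQUIRED_PORT if not has(cmds, c)]
             for name, cmds in ifaces.items() if has(cmds, "dot1x")}
    return missing_global, ports
```

Feed it the output of "show running-config" saved to a file; an empty list for a port means it carries everything the interface template above requires.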

 


Microsoft IAS Configuration - Adding New RADIUS Client

While the previous page covered the switch configuration, this page shows step by step how the IAS server can be configured to authenticate and authorize users onto the network.

If you do not know how to install an IAS server, step by step instructions can be found here:

http://www.bla.com

The first step will be to add a new RADIUS client into your IAS.

Log into your IAS server and open up the IAS management console by going to "Administrative Tools", "Internet Authentication Service".

Right click on "RADIUS Client" and select "New RADIUS Client".

Enter a friendly name to identify the switch you will be using as a RADIUS client, as well as the switch IP, and click Next.

In the "Client-Vendor" field, it is fine to leave it as "RADIUS Standard". The shared secret, however, must be the key we configured on our switch on the previous page. This allows the RADIUS server and the switch to authenticate each other. Click "Finish" when done.

You should see the new RADIUS client profile you defined once you finish.




Microsoft IAS Configuration - Adding New Remote Access Policy

Adding a RADIUS client to your IAS serves no purpose if there are no access policies controlling the authentication requests coming into the IAS from the 802.1x-enabled switch.

This page will show you how a remote access policy can be added and used to authenticate and authorize your users.

Right click on "Remote Access Policies" and select "New Remote Access Policy".

Click Next.

Give the policy a name.

Select "Ethernet" for Access Method.

Add a new group that will match this policy. In this case, we will authenticate all domain users: as long as you have a valid domain account, you will be granted access. Select "Group" and click "Add".

Add in "Domain Users".

In this case, we will be using PEAP (Protected EAP). You can read more about it here. Under "Type", select "Protected EAP (PEAP)" and click on "Configure".

Ensure that the EAP type is set to "Secured Password (EAP-MSCHAP v2)". You may also select a certificate here; this allows the clients (connecting PCs) to validate the identity of your server. However, it can be left blank.

Click "Finish" to end the wizard.

You should see the new remote access policy added. Note that policies really work like a firewall rule set: if a match is found in rule 1, rule 2 is not evaluated.



Microsoft IAS Configuration - Dynamic VLAN assignment

The final design is much more flexible if we can assign users to their respective VLANs based on their identity. In this example, we assume that any user belonging to the "Engineer VPN" security group in your Active Directory will be assigned to VLAN 10. Remember to create VLAN 10 on your switches first before going through this!

Go to "Remote Access Policies" and create a new policy named "Engineers". This should be no problem for you now if you followed the previous example. Once this is done, right click on the "Engineers" policy and select "Properties".

Click on "Edit Profile".

Click on "Advanced".

Click on "Add" and add a new attribute "Tunnel-Medium-Type" with a value of "802".

Repeat the above process and add 2 more attributes: "Tunnel-Pvt-Group-ID" with a string value of "10" and "Tunnel-Type" with a value of "Virtual LANs (VLAN)". This means users matching this policy will be placed in VLAN 10. If added correctly, you should see the following result:

There you go, easy does it eh?
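Under the hood, the three attributes added above are the RFC 2868 tunnel attributes carried in the RADIUS Access-Accept: Tunnel-Type (attribute 64, value 13 for VLAN), Tunnel-Medium-Type (attribute 65, value 6 for IEEE 802) and Tunnel-Private-Group-ID (attribute 81, the VLAN id as a string). The Python below is an added example, not IAS or Cisco code: it encodes those three attributes as the server would send them and derives the VLAN the way an authenticator must, applying it only when all three agree. It covers the attribute area of the packet only, not the RADIUS header or Message-Authenticator.

```python
import struct

# RFC 2868 attribute types and the enumerated values IAS sends for a VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type "Virtual LANs (VLAN)"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type "802"

def encode_tunnel_attrs(vlan_id, tag=1):
    """Build the three tunnel AVPs an Access-Accept carries for VLAN vlan_id.
    Tunnel-Type / Tunnel-Medium-Type: type, length=6, tag, 3-byte value.
    Tunnel-Private-Group-ID: type, length, tag, VLAN id as an ASCII string."""
    tt = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    tm = struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_802.to_bytes(3, "big")
    gid = str(vlan_id).encode("ascii")
    tp = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(gid), tag) + gid
    return tt + tm + tp

def parse_avps(data):
    """Walk the attribute area of a RADIUS packet, yielding (type, value_bytes)."""
    pos = 0
    while pos < len(data):
        alen = data[pos + 1] if pos + 1 < len(data) else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield data[pos], data[pos + 2:pos + alen]
        pos += alen

def vlan_from_access_accept(data):
    """Return the VLAN id an authenticator would apply, or None when the tunnel
    attributes are absent or inconsistent (wrong type/medium, non-numeric or
    out-of-range group id)."""
    found = {}
    for atype, val in parse_avps(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(val[1:4], "big")  # skip the tag byte
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string
            s = val[1:] if val and val[0] <= 0x1F else val
            found[atype] = s.decode("ascii", "replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802):
        return None
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(gid) if gid.isdigit() and 1 <= int(gid) <= 4094 else None
```

If you capture the RADIUS exchange on the IAS server, the hex of the attribute area for an "Engineers" user should match what encode_tunnel_attrs(10) produces, apart from the tag byte.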



Client Configuration

This is the final task we have on hand before we can proclaim victory! The following screenshots are based on a Vista machine, but they are still applicable to a Windows XP machine.

Go to your network properties, right click on your "Local Area Connection" and select "Properties".

Click on the "Authentication" tab.

Enable the setting "Enable IEEE 802.1X authentication" and select "Protected EAP" as the authentication method. Selecting the option to cache user information allows the credentials to be reused for subsequent connections to this network. Click on "Settings" once you are done.

The selected authentication method should be set to "Secured password (EAP-MSCHAP v2)". Click on "Configure" next.

Tick the option to automatically use your Windows username and password. This prevents users from being prompted every time they connect to the network.

Now, you may be wondering how guests will be able to connect to your network. The answer is simple: make sure the option "Enable IEEE 802.1X authentication" is unchecked and they will be placed into the guest network configured on your switch!

Last Updated (Sunday, 05 October 2008 02:01)