Transcription of IEEE 802 - PacketLife.net
Jeremy

Header

Field         Version  Type  Length  EAP
Size (bytes)  1        1     2

Packet Types

0  EAP Packet
1  EAPOL-Start
2  EAPOL-Logoff
3  EAPOL-Key
4  EAPOL-Encap-ASF-Alert

EAP Header

Field         Code  Identifier  Length  Data
Size (bytes)  1     1           2

EAP Codes

1  Request
2  Response
3  Success
4  Failure

EAP Req/Resp Types

1    Identity
2    Notification
3    Nak
4    MD5 Challenge
5    One Time Password
6    Generic Token Card
254  Expanded Types
255  Experimental

EAP Flow Chart

[Figure: message flow between Supplicant, Authenticator and Authentication Server.
EAP (Supplicant and Authenticator): Identity Request, Identity Response, Challenge Request, Challenge Response, Success.
RADIUS (Authenticator and Authentication Server): Access Request, Access Challenge, Access Request, Access Accept.]

Terminology

EAP Over LANs (EAPOL): EAP encapsulated for transport across LANs
Extensible Authentication Protocol (EAP): A flexible authentication framework defined in RFC 3748
Supplicant: The device (client) attached to an access link that requests authentication by the authenticator
Authenticator: The device that controls the status of a link; typically a wired switch or wireless access point
Authentication Server: A backend server which authenticates the credentials provided by supplicants (for example, a RADIUS server)
Guest VLAN: Fallback VLAN for clients not
Restricted VLAN: Fallback VLAN for clients which fail authentication

Configuration

Global Configuration

! Define a RADIUS server
radius-server host <ip-address> key MyRadiusKey
! Configure authentication via AAA
aaa new-model
aaa authentication dot1x default group radius
! Enable authentication globally
dot1x system-auth-control

Interface Configuration

! Static access mode
switchport mode access
! Enable authentication per port
dot1x port-control auto
! Configure host mode (single or multi)
dot1x host-mode single-host
! Configure maximum authentication attempts
dot1x max-reauth-req <count>
! Enable periodic reauthentication
dot1x reauthentication
! Configure a guest VLAN
dot1x guest-vlan 123
! Configure a restricted VLAN
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3

Interface Defaults

Max Auth Requests   2
Reauthentication    Off
Quiet Period        60s
Reauth Period       1hr
Server Timeout      30s
Supplicant Timeout  30s
Tx Period           30s

Port-Control Options

force-unauthorized: Always unauthorized. Authentication attempts are ignored
force-authorized: Port will always remain in authorized state (default)
auto: Supplicants must authenticate to gain access

Troubleshooting

show dot1x [statistics] [interface <interface>]
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>
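
The header layouts and the Packet Types, EAP Codes and EAP Req/Resp Types tables on this sheet, applied as a decoder for captured frames. This is an added example, not part of the original sheet. It assumes the header sizes are bytes in network byte order and, per RFC 3748, that only Request and Response packets carry a Type byte; the function name `parse_eapol` and the sample frames are constructed for illustration.

```python
import struct

# Tables transcribed from this sheet.
EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encap-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5 Challenge",
             5: "One Time Password", 6: "Generic Token Card",
             254: "Expanded Types", 255: "Experimental"}


def parse_eapol(frame: bytes) -> dict:
    """Decode Version/Type/Length, then Code/Identifier/Length/Data if EAP."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]      # anything past Length is link-layer padding
    if len(body) < length:
        raise ValueError("EAPOL length exceeds captured bytes")
    out = {"version": version,
           "packet_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:                  # Start/Logoff/Key/ASF-Alert carry no EAP
        return out
    if length < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > length:
        raise ValueError("EAP length inconsistent with EAPOL length")
    out.update(code=EAP_CODES.get(code, f"unknown({code})"), identifier=ident)
    data = body[4:eap_len]
    if code in (1, 2):              # only Request/Response carry a Type byte
        if not data:
            raise ValueError("Request/Response without a Type byte")
        out["eap_type"] = EAP_TYPES.get(data[0], f"unknown({data[0]})")
        out["type_data"] = data[1:]
    return out


# Constructed sample frames (Ethernet header already stripped).
SAMPLES = {
    "start": bytes.fromhex("01010000"),
    "identity_request": bytes.fromhex("010000050101000501"),
    "identity_response": bytes.fromhex("0100000a0201000a01") + b"alice",
    "success": bytes.fromhex("0100000403010004"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, parse_eapol(frame))
```

A length mismatch raises `ValueError` instead of being decoded, which makes malformed or truncated frames stand out when reviewing a capture.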