Configuring IEEE 802.1x Port-Based Authentication

thomasbst
Level 1

Hello,

As part of a project, I need to implement 802.1X within my company. Therefore, I have set up a physical lab consisting of 2 switches and two PCs:

- Two Cisco Catalyst 2960 Series switches with Cisco IOS® Software, Release 15.0(2)SE5
- PC with Microsoft Windows 11
- PC with Microsoft Windows Server which acts as a RADIUS server (ADCS, ADDS, NPS).

I have successfully configured both switches and the RADIUS server to enable supplicant authentication (Windows 11 PC) using the PEAP-MS-CHAPv2 protocol. Now, I am looking to implement authentication for the switches themselves. Here is the topology of the lab:

Capture d'écran 2024-02-26 162328.png

I configured port G0/1 of SW1 as the authenticator and port G0/0 as the supplicant. The authentication of switch SW2 is working correctly. Below are the configurations made:


SW1:

interface GigabitEthernet0/1
 switchport mode access
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable


SW2:

eap profile auth_switch
 method md5

dot1x credentials auth_switch
 username switch
 password 0 **********

interface GigabitEthernet0/1
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials auth_switch
 dot1x supplicant eap profile auth_switch


Here is my question: How should I configure the ports of the switches (as authenticator or supplicant) in the context of a topology with loops? For example, with the following topology:

Capture d'écran 2024-02-26 163009.png

If I configure the ports as follows (red = port as authenticator, green = port as supplicant):

Capture d'écran 2024-02-26 163338.png

The loss of the link between SW1 and SW2 exposes the network because port G0/1 of SW3 is not initially configured as an authenticator. Therefore, any device can connect to the network.

How to overcome this issue?

Thanks in advance
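The `method md5` line in SW2's eap profile selects EAP MD5-Challenge (RFC 3748 section 5.4) for the switch-to-switch authentication. As an added example that is not from this thread, the following Python builds the authenticator's request, the supplicant's response, and the server-side check, using a constructed username `switch` and a constructed password.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4  # MD5-Challenge, RFC 3748 section 5.4


def build_md5_request(identifier, challenge):
    """Authenticator -> supplicant: EAP-Request/MD5-Challenge (Code 1)."""
    body = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge
    return struct.pack("!BBH", EAP_REQUEST, identifier, 4 + len(body)) + body


def md5_challenge_value(identifier, password, challenge):
    """Value = MD5(Identifier || password || Challenge). No server-side secret is
    mixed in, so a captured exchange can be tested offline against password guesses."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_response(request, username, password):
    """Supplicant -> authenticator: Value plus Name (the dot1x credentials username)."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != EAP_REQUEST or len(request) != length or request[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    challenge = request[6:6 + request[5]]
    value = md5_challenge_value(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + username
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def verify_md5_response(request, response, credentials):
    """RADIUS server side: recompute Value from the stored password for Name."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if (code != EAP_RESPONSE or identifier != request[1]
            or len(response) != length or response[4] != EAP_TYPE_MD5):
        return False
    value = response[6:6 + response[5]]
    name = response[6 + response[5]:]
    password = credentials.get(name)
    if password is None:
        return False
    challenge = request[6:6 + request[5]]
    return hmac.compare_digest(value, md5_challenge_value(identifier, password, challenge))


def demo(password=b"constructed-switch-password"):
    """One full exchange; the server database holds the constructed credentials."""
    server_db = {b"switch": b"constructed-switch-password"}
    request = build_md5_request(identifier=7, challenge=os.urandom(16))
    response = build_md5_response(request, b"switch", password)
    return verify_md5_response(request, response, server_db)
```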


4 Replies

Hello, thank you for your response.

I have reviewed the documentation you sent, it states: "Before CISP is enabled, the 802.1X authentication must be completed as both supplicant and authenticator."

My question pertains to 802.1X authentication between switches in a network topology with loops. The CISP protocol does not seem to assist me in resolving my issue, unless I am mistaken.

Thomas

balaji.bandi
Hall of Fame

Hope most of the use-case ports are under administrative control. Best practice is always that on end-device-connected ports we run 802.1X, expected to identify the device to allow it to access resources.

If you are connecting switches to the port, they should not be part of 802.1X; they should be trunk ports (as per my view).

If you properly configure STP and priority, when the switch 1 to switch 2 connection is lost, the other path automatically unlocks via STP.


BB


Hello, thank you for your response.

Indeed, the ports to which end devices are connected are configured with 802.1X to authenticate the identity and allow the device to access resources.

I also agree with you regarding the inter-switch link, the port should be in trunk mode.

Regarding STP, yes, it is correctly configured to choose another path if necessary.

My question precisely concerns the scenario where another path is used due to the loss of a link. How do you configure ports as supplicant or authenticator in a network topology with loops?

Because, as illustrated in the latest diagram related to my initial message, if the link between SW1 and SW2 is lost, STP allows taking the path between SW3 and SW2. However, the G0/1 port of SW3 is initially configured as a supplicant and not as an authenticator. This has the consequence that any device can connect to the switch via the port:

Capture d'écran 2024-02-26 190815.png

Thomas