Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
6414
Views
3
Helpful
0
Comments

DOT1X IOS commands overview

Meddane
VIP
VIP
‎05-21-2022 03:14 PM

Radius server configuration for 802.1X

 

Server radius test1

Address ipv4 10.1.1.1

Key 1234

!

Server radius test2

Address ipv4 10.1.1.2

Key 1234

!

aaa group server radius TEST-gr

 server name test1

 server name test2

!         

aaa authentication dot1x default group TEST-gr

aaa authorization network default group TEST-gr      

aaa accounting dot1x default start-stop group TEST-gr

 

Enable Change of Authorization (CoA)

 

aaa server radius dynamic-author

client 10.1.1.1 server-key shared_secret

 

Enable dot1x globally and per port

 

SW(config)#dot1x system-auth-control

SW(config-if)#authentication port-control auto

SW(config-if)#dot1x pae authenticator

SW(config-if)#mab

 

802.1X Host Modes

 

Single-Host Mode 


Only one client can be connected to an 802.1X-enabled port. 


 

SW(config-if)# authentication host-mode single-host


 

Multiple-Host Mode

Multiple clients are connected to the 802.1X-enabled port, through a hub for example. Only one client must be authenticated and all clients have access to Network.

 

SW(config-if)# authentication host-mode multi-host


 

Multidomain Authentication Mode

This mode is also called Multidomain Authentication (MDA) mode, an IP Phone and a single host behind an 802.1X-enabled port, the IP Phone are authenticated independently. Multidomain refers to two domains:

Data domain

Voice domain

 

SW(config-if)# authentication host-mode multi-domain

 

Multiauthentication Mode

This mode allows one 802.1X client on a voice VLAN and multiple authenticated 802.1X clients on a data VLAN. In this mode, each client connected needs to be authenticated individually.

 


SW(config-if)# authentication host-mode multi-auth

 

If you want the interface to change to the guest VLAN state for a non-802.1X-capable client, regardless of the EAPOL packet history, use the following global configuration command: 

SW(config-if)# authentication event no-response action authorize vlan 10

To configure a restricted VLAN, the new command on a Cisco IOS switch is as follows:

SW(config-if)# authentication event fail [retryretries] action authorize vlan 10

Useful show command for verification

Switch#sh authentication sessions interface gigabitEthernet 1/0/24 


Quiet Period 


When the switch cannot authenticate the client for some reason (for example, failed authentication), the switch remains idle for a set period of time and then tries again. The idle time is determined by the quiet-period value. The default is 60 seconds. This timer can be tweaked to provide a faster response. 
To configure this timer on a Cisco IOS switch, enter the following command: 


SW(config-if)# dot1x timeout quiet-period seconds



Switch-to-Client Retransmission Time (tx-period)

The client responds to the EAP-request/identity frame from the switch with an EAP- response/identity frame. If the switch does not receive this response, it waits a set period of time, which is known as the retransmission time, and then retransmits the frame. You can tweak the amount of time that the switch waits for notification from 1 to 65535 sec- onds. The default is 30 seconds.

To configure this timer on a Cisco IOS switch, enter the following command:

SW(config)# dot1x timeout tx-period seconds

Switch-to-Client Retransmission Time for EAP-Request Frames (supp-timeout)

The client notifies the switch that it received the EAP-request frame. If the switch does not receive this notification, the switch waits a set period of time and then retransmits the frame. This timer can be tweaked to set the amount of time that the switch waits for notification from 1 to 65535 seconds. The default is 30 seconds.

To configure this timer on a Cisco IOS switch, enter the following command:

SW(config-if)# dot1x timeout supp-timeout seconds

Switch-to-Authentication-Server Retransmission Time for Layer 4 Packets (server-timeout)

The authentication server notifies the switch each time it receives a transport layer packet (Layer 4). When the switch does not receive a notification after sending a packet, it waits a set period of time and then retransmits the packet. This can be tweaked to set the amount of time that the switch waits for notification from 1 to 65535 seconds. The default is 30 seconds.

To configure this timer on a Cisco IOS switch, enter the following command:

SW(config-if)# dot1x timeout server-timeout seconds

Switch-to-Client Frame Retransmission Number (max-reauth-req)

The client notifies the switch that it received the EAP-request frame. If the switch does not receive this notification, the switch waits a set period of time, and then retransmits the frame. Apart from tweaking supp-timeout, we can tweak the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process from 1 to 10. The default is 2.

To configure this timer on a Cisco IOS switch, enter the following command:

SW(config-if)# dot1x max-reauth-req count

The best practice is to always prefer the stronger authentication method (dot1x). The dot1x method is also the default of all Cisco Switches.

SW(config-if)#authentication priority dot1x mab

There are certain deployment methods where MAC-Authentication Bypass (MAB) should occur before 802.1X authentication. For those corner cases, Cisco switches do allow for a network administrator to set a user-definable authentication order. However, the best practice is to maintain the order of dot1x and then MAB.

SW(config-if)#authentication order dot1x mab

DOT1X deployment mode

 

Monitor mode

Called also audit mode, the client has full access to the network, regardless if the authentication is successful or failed, often used for initial deployment to see if your policis in the Cisco ISE works as expected, Cisco ISE provides visibility through the radius live logs, which device is authenticated successfully or not. You can achieve this by using the authentication open command.

 

SW(config)#int g0/1

SW(config-if)#Authentication open

SW(config-if)#authentication port-control auto

SW(config-if)#dot1x pae authenticator

SW(config-if)#mab

 

Low-impact mode

This mode is similar to the monitor mode, except that a port-ACL is applied to limit access to clients, after a successful authentication, a dACL is applied to grant full access to the network, the dACL overrides the port-ACL.

 

SW(config)#int g0/1

SW(config-if)#Authentication open

SW(config-if)#authentication port-control auto

SW(config-if)#dot1x pae authenticator

SW(config-if)#mab

SW(config-if)#Ip access-group pre-acl in

 

Closed mode

This is the default mode of 802.1X, only EAP packets are allowed on the port before a successful authentication.

 

SW(config)#int g0/1

SW(config-if)#authentication port-control auto

SW(config-if)#dot1x pae authenticator

SW(config-if)#mab

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents