at8000 s configurando_8021x

Marvell Confidential

IEEE 802.1XPort Based Authentication

AT - 8000S


Agenda• 802.1x Overview

System rolesWhat is EAPAuthentication InitiationMessage ExchangePort statesEnhanced featuresOperating system support

• AT - 8000S implementationFunctional descriptionUser controlsUser guidelinesEnhanced featuresControl and status parameters

• CLI Configuration• 802.1x - Configuration Example


IEEE 802.1x

Feature Overview


802.1x Overview

• Standard set by the IEEE 802.1 working group—approved in December 2001

• Designed to address and provide port-based access control using authentication.

• Describes a standard link layer protocol used for transporting higher-level authentication protocols (i.e. EAP)

• The authentication server authenticates the clients connected to a switch port before making available any services offered by the switch or the LAN.


802.1x Overview (Cont.)

• Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected.

• After authentication is successful, regular traffic can pass through the port.


System Roles

Workstations(clients)

AuthenticationServer

(RADIUS)

•Devices that are attach to a LAN, are referred to as systems.

•A device or a device port is able to adopt one of the roles within an access control interaction:

•Switch (Authenticator Or back-end authenticator)

•Client (Supplicant)

•Authentication Server

Switch/Router(AT - 8000S)


• Controls the physical access to the network based on the authentication status of the client.

• The switch acts as intermediary between the client and the authentication server, requesting identity information from the client, verifying the information with the authentication server, and relaying the server’s response to the client.

• The switch acts as a RADIUS client, which is responsible for encapsulating/de-encapsulating the EAP (Extensible Authentication Protocol) frames and interacting with the authentication server.

• When the switch receives EAP Over LAN (EAPOL) frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format.

The Switch - Authenticator


The Switch – Authenticator (Cont.)• The EAP frames are not modified or examined during

encapsulation, and the authentication server must support EAP within the native frame format.

• When the switch receives frames from the authentication server, the server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.

• The devices that can act intermediaries must run software that supports both the RADIUS client and 802.1X.


The Client (Supplicant)

• The device that requests access to the LAN/switch services and responds to requests from the switch.

• It must be running 802.1x client software.


• Performs the actual authentication of the client.

• The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services.

• Because the switch acts as the intermediate, the authentication service is transparent to the client.

• RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

The Authentication Server


A closer look at the process

Login Req.

Accept

Send Credentials Forward Credentials to the server

Authentication Successful

Policy Instructions

Actual Authentication is between Client and the Server using EAP; The switch is just the middleman, but is aware of what’s going on

802.1x RADIUS


What Is EAP ?

• EAP—The Extensible Authentication Protocol

• A flexible protocol used to carry arbitrary authentication information

• Typically rides on top of another protocol Such as 802.1x or RADIUS (could be TACACS+, etc.)

• Specified in RFC 2284


802.1x EAP

• Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads.

• The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information

• Three forms of EAP:– EAP-MD5—MD5 Hashed Username/Password– EAP-OTP—One-Time Passwords– EAP-TLS—Strong PKI Authenticated Transport Layer

Security (SSL)

Ethernet Header 802.1x Header EAP Payload


EAPOL (EAP over 802.1x) Frame Format

Authenticator to Supplicant

Destination MAC: 01-80-C2-00-00-03

Source MAC: Unicast Authenticator MAC

Supplicant to Authenticator

Destination MAC: 01-80-C2-00-00-03

Source MAC: Unicast Supplicant MAC

Destination MAC Source MAC Ether Type Version Type

Length Body …

0 6 12 14 15 16

18 n


EAPOL Frame Types

• EAPOL-Start: The frame is an EAPOL-start frame.

• EAPOL-Logoff: The frame is an explicit EAPOL-logoff request frame.

• EAP-Packet: The frame carries an EAP packet – see 4 code types in previous slide.

• EAPOL-Key: The frame is an EAPOL-Key frame.

• EAPOL-Encapsulated-ASF-Alert: The frame carries an EAPOL-Encapsulated ASF Alert.


EAP Header Format

• Initially developed for PPP Authentication

• Code: Request, Response, Success, or Failure

• Identifier is used to match responses with requests

• Format of the data field depends on the code field


Authentication Initiation

• The switch or the client can initiate authentication.

• If you enable authentication on a port, the switch must initiate authentication when it determines that the port link state transitions from down to up.

• The switch then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information).

• Upon receipt of the frame, the client responds with an EAP-response/identity frame.


Authentication Initiation (Cont.)

• If during client boot-up, the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client’s identity.

• If 802.1X is not enabled or supported on the network access device, EAPOL frames from the client are dropped.

• If the client does not receive an EAP-request/identity frame after three attempts, the client sends traffic as if the port is in the authorized state.

• A port in the authorized state effectively means that the client has been successfully authenticated.


Message Exchange

• When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client and the authentication server until authentication succeeds or fails.

• If the authentication succeeds, the switch port becomes authorized.

• The specific exchange of EAP frames depends on the authentication method being used.


Message Exchange ( Cont.)• Generally the message exchange look like this:

EAPOL-Start

EAP-Request/Identity

EAP-Response/Identity

EAP-Request/challenge

EAP-Response/challenge(password)

EAP-Success/failure

Port authorized/not authorizedEAPOL-Logoff

Port not authorized


Port States

• The switch port state determines whether or not the client is granted access to the network.

• The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.

• When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic to/from the client to pass normally.

• If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.


Port States (Cont.)

• If the authentication server cannot be reached, the switch can resend the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.

• When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.

• If the link state of a port transitions from up to down, the port returns to the unauthorized state.


802.1X Un-supported

• If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the switch requests the client’s identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.

• When an 802.1X- enabled client connects to a port that is not running the 802.1X protocol, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request for a fixed number of times. When no response is received, the client begins sending frames as if the port is in the authorized state.


Enhanced Features

• Single-host/Multiple-hosts

• Guest VLAN

• Unauthenticated VLANs

• User based VLAN


Single-host / Multiple-hostsSingle host • Enables only the first host that has been authorized to get access

to the port.

• Filtering is based on the source MAC address.

Multiple hosts• This is the per standard mode

• Enables multiple hosts to be attached to a single 802.1x port.

• Only one of the attached hosts must be authorized for all the hosts to be granted network access.

• If the port Transits to unauthorized, all the attached client are denied access to the network.


Guest VLAN• An option to provide limited network access to an

unauthorized port

• Typical applications:– Management traffic to an unauthorized stations.– Provide guest access to the Internet.

• One of the VLANs in the switch would be the “guest VLAN“.

• The “guest VLAN“ would be the “untagged” VLAN of ports in the unauthorized state.

• Guest VLAN is defined dynamically on an unauthenticated port


Unauthenticated VLANs

• VLANs in the switch which are always available to the users, even if the port is unauthorized, for the use of some applications like IP telephony.

• Those VLANs are defined as “Unauthenticated” VLANs.


802.1x un-authenticated VLAN/ Guest VLAN differences

Port mode un-authenticated VLAN Guest VLANForced / Auto Authorized

Whenever port mode changes to authorized, the port remainson the un-authenticated VLANand behaves according to dot1Q settings

Whenever port mode changes to authorized, the port is removed from the guest VLANand behaves according to dot1Q settings

Auto/Forced Unauthorized

Whenever port mode changesto unauthorized, the port remains on the un-authenticated VLAN and will forward only tagged traffic towards the unauthenticated VLAN

Whenever port mode changedto unauthorized, its VLAN membership and PVID will be overridden by the the guestVLAN settings, which will take affect instead..


User based VLAN

• 802.1x ports are assigned to a VLAN based on the username of the client connected to that port.

• The Authentication server database maintains the username-to-VLAN mappings.

• After successful authentication of the port, the Authentication server sends the VLAN assignment to the Authenticator.


Operating System Support

• Windows XP— shipped with support.

• Windows 2000— available with SP3 + Hotfix or SP4.

• Windows NT/98/Me—limited availability or 3rd party (MeetingHouse).

• Linux—open source http://www.open1x.org

• Solaris—3rd party via MeetingHouse Communications http://www.mtghouse.com

http://www.open1x.org/�

http://www.mtghouse.com/�


IEEE 802.1xImplementation

AT - 8000S


Functional Description

• The system implements 802.1x Port Based Authentication as per the standard, In addition to enhanced features described on the next slides

• The authentication server authenticates each client connected to a switch port before any communication (except EAPOL traffic) can take place.

• Authentication is performed using AAA services – such as RADIUS

• The status of the controlled port is a function of the communication between the authentication server and the supplicant.


Functional Description (Cont.)

• The port status can be modified by the user.

• Any access to the LAN is subject to the status of the port.

• An uncontrolled port (always authorized) is used to communicate with the authentication (RADIUS) server using EAP.


AT - 8000S– 802.1X User Controls • Enable 802.1x on the system.

• Specify how often client authentication occurs.

• Control the port authorization state, or allow it to be set automatically (force-authorized, force-unauthorized, auto).

• View 802.1x statistics.

• Trigger manual re-authentication.

• Adjust quiet period.

• Reset each value to the default.


AT - 8000S – 802.1X User Controls Enhanced Features

• Enable Single-host / Multiple-hosts on an interface

• Un-authenticated VLANs– Define a VLAN as an as “Unauthenticated” VLAN

• Guest VLAN– Define a VLAN as a “guest VLAN”

– Enable guest VLAN on an interface– Guest VLAN cannot be an un-authenticated VLAN and cannot

be the default VLAN


AT - 8000S 802.1x - User Guidelines

• AAA services must be enabled in order for 802.1x to work.

• In a shared medium environment, a designated host will be the authenticated device. As long as it is authorized, all hosts will be granted access to the network. When it becomes unauthorized, all hosts will be denied access.

• 802.1x cannot be defined on:– a LAG. – a port which is a member of a LAG. – A port that is configured with 802.1x cannot be added to a

LAG.

• If 802.1x is not enabled or supported on the device, the host will send frames as if the port is in the authorized state, meaning that the host has effectively been authenticated.


Control and Status parameters

Port status:

• Authorized - The client has full access to the port.

• Unauthorized - The client has limited access to the port.


Control and Status parameters (Cont.)

Port administrative control:

• ForceAuthorized - The port is Authorized unconditionally. In this state clients are not required to be authenticated. This state is the default.

• ForceUnauthorized - The port is Unauthorized. clients can’t log on.

• Auto - clients are required to authenticate. After successful authentication, the port will be authorized, otherwise the port would be Unauthorized.


IEEE 802.1xCLI Configuration

AT - 8000S


Enable 802.1x on the Device

• Use The following Global Configuration command to enable Port-Based Network Access Control on the device:

dot1x system-auth-control

• To disable the Port-Based Network Access Control on the device, use:

no dot1x system-auth-control

console(config)# dot1x system-auth-control


Configuring the AAA methods

• Use the following Global Configuration command to specify one or more AAA methods for use when running IEEE 802.1x :

aaa authentication dot1x default method1 [method2]

method:Radius –radius server for authentication.None – no authentication needed.

• To remove use: no aaa authentication dot1x default command.

console (config)# aaa authentication dot1x default none


Unauthorized VLAN• Use the following VLAN interface configuration command to

enable unauthorized users access to that VLAN:dot1x auth-not-req

• To disable the access use:no dot1x auth-not-req

console(config)# interface vlan 10console (config-if)# dot1x auth-not-req


Manual Authorization State

• Use the following Interface Configuration command to define the authorization state of the port: Use the “no” form of this command to return to the default setting (force authorized):

dot1x port-control {auto | force-authorized | force-unauthorized}

console(config)# interface ethernet 1/e1console (config-if)# dot1x port-control auto


Allowing Multiple Hosts

• Use the following Interface Configuration command to allow multiple hosts (clients) on an 802.1X (auto) authorized port:

dot1x multiple-hosts

• To return to the default Use the no form of this command.• By default multiple hosts are disabled.• If Multiple-host is enabled, and a certain host is authorized

– all other host on interface are also authorized

console(config)# interface ethernet 1/e1console (config-if)# dot1x multiple-hosts


Violation Action

• Use the following Interface Configuration to configure the action to be taken, when a station whose MAC address is not the supplicant MAC address, attempts to access the interface:

dot1x single-host-violation {forward | discard | discard-shutdown} [trap seconds]

• The default is discarding with source address not the supplicant address. No traps sent.


Violation Action (Cont.)

• To return to default use: no port dot1x single-host-violation

• Example:

console(config)# interface ethernet 1/e1console (config-if)# dot1x single-host-violation forward trap 100


802.1x - Guest VLAN Commands

• Use the following Interface VLAN mode command to define a dot1x guest VLAN. Use the “no” form of command to return to default configuration:

dot1x guest-vlanNo dot1x guest-vlan

• Use the following Interface Ethernet mode command to enable dot1x guest VLAN on a port. Use the “no” form of command to disable guest VLAN (default):

dot1x guest-vlan enableNo dot1x guest-vlan enable


802.1x - Guest VLAN Example

console(config)# interface vlan 11console(config-if)# dot1x guest-vlanconsole(config-if)# exitconsole(config)# interface ethernet 1/e10console(config-if)# dot1x guest-vlan enableconsole(config-if)# dot1x port-control auto


802.1x - Guest VLAN Exampleconsole# show dot1x advanced ethernet 1/e10

Guest VLAN: 10

Unauthenticated VLANs:

Interface Multiple Hosts Guest VLAN--------- -------------- ----------1/g10 Disabled Enabled

Single host parameters

Violation action: Discard

Trap: Disabled

Trap frequency: 10

Status: Not in auto mode

Violations since last trap: 0


802.1x - Guest VLAN Example

console# show vlan

Vlan Name Ports Type Authorization---- ----------------- --------------------------- ------------ -------------1 1 e(2-9,11-48),g(1-4),ch(1-8) other Required

10 10 permanent Not Required11 11 e10 permanent Guest


Quiet State Time

• Use the following Interface Configuration command to set the number of seconds that the switch remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password).

dot1x timeout quiet-period seconds

• quiet state – no authentication is granted during this period.

• To return to the default use:no dot1x timeout quiet-period


Quiet State Time (Cont.)

• During the quiet period, the switch does not accept or initiate any authentication requests.

• The default value of this command should only be changed to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

• If it is necessary to provide a faster response time to the user, a smaller number than the default should be entered.

console (config-if)# dot1x timeout quiet-period 3600


EAP Response Time

• Use the following Interface Configuration command to set the number of seconds that the switch waits for a response to an EAP - request/identity frame, from the client, before resending the request for the first time:

dot1x timeout tx-period seconds

• To return to the default use:

no dot1x timeout tx-period

console (config-if)# dot1x timeout tx-period 3600


EAP Retransmission Time

• Use the following Interface Configuration command to set the time for the retransmission of an Extensible Authentication Protocol (EAP)-request frame to the client:

dot1x timeout supp-timeout seconds

• To return to the default setting use:

no dot1x timeout supp-timeout

console (config)# dot1x timeout supp-timeout 3600


Maximum Requests

• Use The following Interface Configuration command to set the maximum number of times that the switch sends an EAP - request/identity frame to the client, before restarting the authentication process:

dot1x max-req count

• To return to the default setting use:no dot1x max-req

• Count – Range: 1 - 10 The default count is 2.

• This mechanism acts as a verification that port should stay in authorized state. If no responses are received port goes into an unauthorized state

console (config-if)# dot1x max-req 6


Periodic re-authentication

• Use the following Interface Configuration command to enable periodic re-authentication of the client.

dot1x re-authentication

• To return to the default setting use

no dot1x re-authentication.

console (config-if)# dot1x re-authentication


Re-Authentication Period

• Use the following Interface Configuration commands to set the number of seconds between re-authentication attempts:

dot1x timeout re-authperiod seconds

• To return to the default setting use :no dot1x timeout re-authperiod

console (config-if)# dot1x timeout re-authperiod 3600


Initiating Re-authentication

• Use the following privileged EXEC command to manually initiate an instant re-authentication of all 802.1X-enabled ports or the specified 802.1X-enabled port.

dot1x re-authenticate [ethernet interface]

console# dot1x re-authenticate ethernet 1/e8


Server Timeout

• Use the following Interface Configuration command to set the time for the retransmission of packet to the authentication server:

dot1x timeout server-timeout seconds

• To return to the default use: no dot1x timeout server-timeout

console (config-if)# dot1x timeout server-timeout 300


Dot1x - Show Commands• show dot1x [ethernet interface] - displays 802.1X status for

the switch or for the specified interface.

• show dot1x advanced [ethernet interface] - displays 802.1X advanced features for the switch or for the specified interface.

• show dot1x users [username username] - displays the 802.1X users for the switch.

• show dot1x statistics ethernet interface - displays 802.1X statistics for the specified interface.


IEEE 802.1x

Configuration Example


AT - 8000S Configuration

console(config)# interface ethernet g2console(config-if)# ip address 15.1.1.1 /24console(config-if)# exitconsole(config)# dot1x system-auth-controlconsole(config)# aaa authentication dot1x default radiusconsole(config)# radius-server host 15.1.1.2 key mafteach usage dot1.xconsole(config)# interface ethernet g1console(config-if)# dot1x port-control auto01-Jan-2000 01:09:58 %SEC-W-PORTUNAUTHORIZED: Port g1 is unAuthorized01-Jan-2000 01:09:58 %LINK-W-Down: Vlan 1console(config-if)#

Note: “usage dot1x” parameter must be used when defining Radius server for dot1x configuration


Radius Server Configuration –Connecting


Radius Server – RAS Client


Radius – Authentication Key


Radius Server – Adding a User


Radius Server - Password


Radius Server – Saving Configuration


Client PC - 802.1x Configuration• Make sure that the 802.1x service is started on the

computer:


PC - Client Authentication


PC - Enable 802.1X On The Client


PC - Result Of Client Configuration

• After configuring the client, you can see that it is trying to authenticate:


Client – Entering Username and PW


AT - 8000S - Authentication Completed!

01-Jan-2000 02:00:56 %SEC-I-PORTAUTHORIZED: Port g1 is Authorized01-Jan-2000 02:00:56 %LINK-I-Up: Vlan 101-Jan-2000 02:00:56 %STP-W-PORTSTATUS: g1: STP status Blocking01-Jan-2000 02:01:26 %STP-W-PORTSTATUS: g1: STP status Forwarding

at8000 s configurando_8021x

Technology

eapol eap

switch port

eapthe authentication

switch authenticator

authenticator switch

switch acts

xradius marvell confidential

authentication protocols