Wednesday, September 10, 2008

802.1x, Guest VLAN and Auth-Fail VLAN

Another security topic from the IPExpert videos: 802.1x. Nice, not too long, and easy to understand.

Dot1x is a specification for port-based authentication. Most of the time we hear about 802.1x is when somebody is talking about wireless (hi Shiraishi). It uses basically the same concept there, but it was originally created as a switch-based authentication mechanism.

By default, 802.1x uses RADIUS. This is where RADIUS, TACACS and AAA come into the lab, and that's why they're on the blueprint.

Also, keep in mind that there's no RADIUS server on the CCIE R&S Lab Exam. So take a look at your diagram, check where the RADIUS server is "pretended" to be connected, and at the details they're giving us, before stressing too much over it!

So, until the device is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication succeeds, normal traffic can pass through the port.

If the switch receives EAPOL packets on a port that is not configured for 802.1x authentication, or if the switch does not support 802.1x authentication at all, the EAPOL packets are dropped and are not forwarded to any upstream device.
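As an added illustration (not from the post), here is a small Python model of the port behaviour just described: it parses an Ethernet frame (optionally 802.1Q-tagged), recognises EAPOL by EtherType 0x888E, and decides whether a port forwards the frame, drops it, or hands it to the switch's authenticator. The function names and the sample frames are my own.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # EAP over LAN
ETHERTYPE_VLAN = 0x8100    # 802.1Q tag
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # destination MAC used by EAPOL supplicants
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def parse_frame(frame):
    """Parse the Ethernet header (skipping one 802.1Q tag) and the EAPOL header if present."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload, vlan = frame[14:], None
    if ethertype == ETHERTYPE_VLAN:  # tagged frame: TCI, then the real EtherType
        tci, ethertype = struct.unpack("!HH", payload[:4])
        vlan, payload = tci & 0x0FFF, payload[4:]
    info = {"src": frame[6:12].hex(":"), "ethertype": ethertype, "vlan": vlan, "eapol": None}
    if ethertype == ETHERTYPE_EAPOL and len(payload) >= 4:
        version, ptype, length = struct.unpack("!BBH", payload[:4])
        info["eapol"] = {"version": version, "type": EAPOL_TYPES.get(ptype, "unknown"), "length": length}
    return info

def port_decision(frame, dot1x_enabled, authorized):
    """Model the rules in the post: only EAPOL gets past an unauthorized dot1x port,
    and EAPOL arriving on a port without dot1x is dropped rather than forwarded."""
    is_eapol = parse_frame(frame)["eapol"] is not None
    if not dot1x_enabled:
        return "drop" if is_eapol else "forward"
    if is_eapol:
        return "to-authenticator"  # consumed by the switch's dot1x process, never sent upstream
    return "forward" if authorized else "drop"

def build_eapol_start(src):
    """Constructed EAPOL-Start frame (version 1, type 1, body length 0) from MAC `src`."""
    return PAE_GROUP_MAC + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, 1, 0)
```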

802.1x needs to be turned on globally and then configured on each interface where you actually want it:

To turn dot1x on:

(config)#dot1x system-auth-control

And at the interface:

(config-if)#dot1x port-control <type>

The type can be:

  • Auto - The port sends out EAPOL packets (Extensible Authentication Protocol over LAN) that are basically saying: "Hey! Who are you?!", and hopefully the switch gets a response! If this particular interface doesn't get a response from the host, by default the port stays disabled (unauthorized). Users will not be able to access the network without authentication;
  • Force-authorized - No authentication is performed; the switch just pretends that the authentication already happened. It's normally used for ports facing routers;
  • Force-unauthorized - Similar to a shutdown. The switch pretends that this port was never authorized.

802.1x, RADIUS and AAA work very closely together! 802.1x sends the EAPOL packets and controls access to the port, AAA tells the router/switch HOW to authenticate, and RADIUS authenticates the requesting host if configured to do so.

Be careful when doing AAA, otherwise you may get locked out of your switch, and that will force you to take your lab again, with better luck (or better preparation) next time!

Fortunately there are some techniques to avoid locking yourself out of the switch! I've talked about that in a previous post, but I consider it so important that I'll copy the contents here:

-> Turning 802.1x on in your system (also enabling RADIUS):

dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
radius-server host <ip-address> key ipexpert

-> To avoid further complications with any line (console or VTY) using "login", you'll want to create a workaround. The proctor will NOT do password recovery to grade you! So we need a workaround for this:

aaa authentication login MyVTY line
aaa authentication login MyCon none
line con 0
login authentication MyCon
line vty 0 4
login authentication MyVTY

-> That way, the console will have no password, and the VTY lines will use the configured line password.

-> The bottom line is that while it is very irritating to lock yourself out of a switch, it is MUCH better than locking the proctor out!

-> Another thing you can do is "reload in 10" on the switch. If you haven't validated your config and cancelled the reload, then at least the reload will undo the damage and you can fix things yourself!

-> (Do NOT save unvalidated configurations!!!)

As we go through, we're only going to do AAA authentication login; that's the only type of authentication we're going to use here.

But now, what if someone responds to the EAPOL packets with incorrect credentials or, even worse, someone's computer doesn't support 802.1x and doesn't know how to respond at all?! What happens to those guys?! By default, the switch will keep sending EAPOL packets until it receives the correct credentials.

And that's it?! Those guys will never be able to access the network?! Well, if we want, yes, they'll stay out, but we're not that mean, right?! We can configure a "guest" VLAN with limited access to the network, and those guys will be placed there!

With the guest-vlan (or auth-fail vlan) commands we have ways to set this up. The port needs to be in access mode (it can't be dynamic with dot1x):

int fa0/10
switchport mode access
dot1x port-control auto
dot1x guest-vlan 100
dot1x auth-fail vlan 100
dot1x host-mode multi-host

That way, if the client doesn't support 802.1x authentication (or isn't configured to do so), it'll be allowed to use the configured guest VLAN (in our case, VLAN 100).

Also, if the client uses incorrect credentials (like a wrong username/password), it'll be allowed to use the auth-fail VLAN (in this particular case, also VLAN 100).

But what about that dot1x host-mode multi-host command, what's that?! That will do 802.1x authentication for EVERY MAC address using this link.

On the other hand, if we use the command dot1x host-mode single-host, as long as one MAC address is validated, every MAC address on this single link is allowed to go through!
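The checks this section implies, as an added Python example that is neither from the post nor from Cisco: it parses a constructed IOS running-config and flags dot1x ports that are not in access mode, ports set to force-authorized (no authentication at all), and a console line that, with aaa new-model on, has no login method list containing none, which is exactly the lockout situation the workaround above avoids. The names parse_sections and audit are my own.

```python
# Constructed sample IOS running-config (not from the post), covering each check below.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login MyCon none
interface FastEthernet0/10
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 100
interface FastEthernet0/11
 switchport mode dynamic desirable
 dot1x port-control auto
interface FastEthernet0/12
 switchport mode access
 dot1x port-control force-authorized
line con 0
 login authentication MyCon
"""

def parse_sections(config):
    """Return (global lines, {stanza header: [its indented child lines]})."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            sections[current] = []
        elif raw.strip():
            current = None
            globals_.append(raw.strip())
    return globals_, sections

def audit(config):
    """Apply the post's rules; return a list of findings (empty list = clean)."""
    globals_, sections = parse_sections(config)
    findings = []
    # Login method lists by name, e.g. {"MyCon": ["none"]}
    lists = {g.split()[3]: g.split()[4:] for g in globals_ if g.startswith("aaa authentication login ")}
    for name, children in sections.items():
        if name.startswith("interface "):
            pc = next((c.split()[-1] for c in children if c.startswith("dot1x port-control")), None)
            if pc == "force-authorized":
                findings.append(f"{name}: force-authorized, authentication is bypassed")
            if pc and "switchport mode access" not in children:
                findings.append(f"{name}: dot1x port is not in access mode")
        elif name == "line con 0" and "aaa new-model" in globals_:
            used = next((c.split()[-1] for c in children if c.startswith("login authentication")), None)
            if "none" not in lists.get(used, []):
                findings.append("line con 0: no 'none' method, console lockout risk")
    return findings
```

Feed it the output of show running-config instead of SAMPLE_CONFIG to check a real switch before you save.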


Anonymous said...

Can you please explain more on SingleHost/MultiHost? I thought that on SingleHost, only one MAC is permitted (when the switch sees multiple it will shut down the interface) and that on MultiHost, once one is authenticated, the port on the switch is open and others are allowed to pass without being authenticated.

Anonymous said...

I think you've gotten the Single mode and Multi mode information backwards. Per Cisco "In multiple-hosts mode, you can attach multiple hosts to a single IEEE 802.1x-enabled port. In this mode, only one of the attached clients must be authorized for all clients to be granted network access." and obviously Single mode allows one user / MAC only.

Anonymous said...

Do you know if it is correct for an EAPOL re-authentication packet to be sent VLAN-untagged?