
729

Chapter 14

802.1X Port Security

This section explains the basic concepts behind 802.1X port security, including switch roles, how the switches communicate, and the procedure used for authenticating clients.

• Section 14.1: 802.1X Port Security Introduction

• Section 14.2: 802.1X Port Security Description

• Section 14.3: Configuring 802.1X Port Security

• Section 14.4: Displaying 802.1X information

• Section 14.5: 802.1X Configuration Commands

14.1 802.1X Port Security Introduction

802.1X is an IEEE standard protocol that prevents unauthorized devices from gaining access to the network.

802.1X defines three device roles:

• Supplicant (client)

• Authenticator (switch)

• Authentication server (RADIUS)

Until authentication succeeds, the switchport is in the unauthorized state and blocks all traffic except the EAPOL frames used for authentication; after authentication has succeeded, normal data can flow through the switchport.

Port security controls who can send or receive traffic through an individual switch port. An end node is not allowed to send or receive traffic through a port until the node has been authenticated by a RADIUS server.

This prevents unauthorized individuals from connecting to a switch port to access your network. Only users designated as valid on the RADIUS server are allowed to use the switch to access the network.


14.2 802.1X Port Security Description

802.1X port security controls who can send traffic through and receive traffic from the individual switch ports. A supplicant must authenticate itself to the switch using EAPOL packets before it can gain full access to the port. Arista switches act as the authenticator, passing messages from 802.1X supplicants through to the RADIUS server and vice versa. 802.1X can operate in two different modes:

Single Host Mode: Once the 802.1X supplicant is authenticated on the port, only traffic coming from the supplicant's MAC address is allowed through the port.

Multi-Host Mode: Once the 802.1X supplicant is authenticated on the port, traffic coming from any source MAC address is allowed through the port.

Both modes allow only one 802.1X supplicant to be authenticated per port. Once it is successfully authenticated, no other 802.1X supplicant can be authenticated unless the current one logs off.

Apart from 802.1X authentication, Arista switches also support MAC-Based Authentication (MBA), which allows devices that do not speak 802.1X to access the network. The authenticator uses the MAC address of such a device as both the username and the password in its RADIUS request packets, and the RADIUS server decides, based on its MAC-based authentication configuration, whether to accept the supplicant. Because a MAC address is sent in the clear and is trivial to spoof, MBA identifies a device but does not prove who is using it; reserve it for devices that cannot run a supplicant. Unlike 802.1X supplicants, multiple MBA supplicants are allowed on a single port. The MBA configuration is independent of the 802.1X host modes: an authenticated MBA supplicant does not count as the port's 802.1X supplicant when the host mode decides whether unauthenticated traffic is allowed or rejected.

Arista switches also support Dynamic VLAN assignment, which allows the RADIUS server to indicate the desired VLAN for the supplicant using the tunnel attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, as profiled in RFC 3580) in the Access-Accept message. Both 802.1X and MBA supplicants can be assigned a VLAN via the RADIUS server. Note that only one VLAN per port is supported: when the first host authenticates, the authenticator port is put in the assigned VLAN, and all hosts that subsequently authenticate on that port must belong to the same VLAN.
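Validating the dynamic VLAN carried in an Access-Accept, as an added example that is not Arista's code: a minimal RADIUS attribute walker plus the tag handling of RFC 2868, accepting a VLAN only when Tunnel-Type is VLAN (13), Tunnel-Medium-Type is IEEE-802 (6) and Tunnel-Private-Group-ID is an integer in 1..4094. The packet bytes are constructed for this example, with the Response Authenticator left as zeros; a real RADIUS client must verify that authenticator against the request and the shared secret before trusting any attribute.

```python
import struct

RADIUS_ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
TUNNEL_TYPE_VLAN = 13           # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6       # RFC 3580: Tunnel-Medium-Type = IEEE-802


def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute area of a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20                    # after code, id, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def split_tag(value, integer):
    """RFC 2868 tag handling: tagged integers are tag(1) + 3-byte value; for strings
    the first byte is a tag only when it is <= 0x1F (0x00 meaning 'tag unused')."""
    if integer:
        return value[0], int.from_bytes(value[1:4], "big")
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def dynamic_vlan(packet):
    """Return the VLAN ID the server assigned, or None when the packet is not an
    Access-Accept or the tunnel attributes are absent, inconsistent or out of range."""
    if packet[0] != RADIUS_ACCESS_ACCEPT:
        return None
    groups = {}                 # tag -> {"type", "medium", "group"}
    for atype, value in parse_attributes(packet):
        if atype == TUNNEL_TYPE:
            tag, v = split_tag(value, True)
            groups.setdefault(tag, {})["type"] = v
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = split_tag(value, True)
            groups.setdefault(tag, {})["medium"] = v
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, v = split_tag(value, False)
            groups.setdefault(tag, {})["group"] = v
    for _tag, g in sorted(groups.items()):
        if g.get("type") != TUNNEL_TYPE_VLAN or g.get("medium") != TUNNEL_MEDIUM_IEEE802:
            continue            # not a VLAN assignment: do not guess
        group = g.get("group", b"").decode("ascii", "replace").strip()
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
    return None


def build_accept(attrs, ident=1):
    """Assemble a constructed Access-Accept (authenticator left as zeros)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample: the server assigns VLAN 300 to the supplicant.
SAMPLE_ACCEPT = build_accept([
    (TUNNEL_TYPE, bytes([0, 0, 0, TUNNEL_TYPE_VLAN])),
    (TUNNEL_MEDIUM_TYPE, bytes([0, 0, 0, TUNNEL_MEDIUM_IEEE802])),
    (TUNNEL_PRIVATE_GROUP_ID, b"300"),
])
```

The point of checking all three attributes is that Tunnel-Private-Group-ID alone is just a string; without Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802 it may describe some other tunnel, and a port should not be moved into a VLAN on that basis.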

802.1X features are now supported on 802.1Q trunk ports, allowing the user to have Port-Based Network Access Control (PNAC) on such a port. With this feature, traffic arriving at an 802.1X-enabled port with a VLAN tag can also be authenticated via either 802.1X or MBA.

By default, traffic from any unauthenticated device on an 802.1X-enabled port is dropped. By configuring an Authentication Failure VLAN on the authenticator switch, the traffic of 802.1X or MBA supplicants that fail to authenticate via the RADIUS server can be put into a specific VLAN instead.

Note: Only one authentication failure VLAN can be configured, and it is used for every failure cause: server timeout, server unreachable, server AUTH-FAIL, or Quarantine. Because a device lands in this VLAN whenever the RADIUS server is unreachable, treat the failure VLAN as untrusted and limit what it can reach.

14.2.1 Switch Roles for 802.1X Configurations

The 802.1X standard specifies the roles of Supplicant (client), Authenticator, and Authentication Server in a network. Figure 14-1 illustrates these roles.

Authentication server – The server that validates the client and specifies whether or not the client may access services on the switch. The switch supports Authentication Servers running RADIUS.

Authenticator – The switch that controls access to the network. In an 802.1X configuration, the switch serves as the Authenticator. As the Authenticator, it relays messages between the client and the Authentication Server. The Authenticator either grants or denies network access to the client based on the identity data provided by the client and the authentication result provided by the Authentication Server.


Supplicant/Client – The client provides username and password (or other credential) data to the Authenticator. The Authenticator sends this data to the Authentication Server. Based on the supplicant's information, the Authentication Server determines whether the supplicant can use the services provided by the Authenticator. The Authentication Server returns this decision to the Authenticator, which then provides services to the client based on the authentication result.

14.2.2 Authentication Process

The authentication that occurs between a supplicant, authenticator, and authentication server includes the following steps.

• Either the authenticator (a switch port) or the supplicant starts an authentication message exchange. The switch starts an exchange when it detects a change in the status of a port, or if it receives a packet on the port with a source MAC address that is not in the MAC address table.

• An authenticator starts the negotiation by sending an EAP-Request/Identity packet. A supplicant starts the negotiation with an EAPOL-Start packet, to which the authenticator answers with an EAP-Request/Identity packet.

• The supplicant answers with an EAP-Response/Identity packet, which the authenticator forwards to the authentication server.

• The authentication server responds with an EAP-Request packet (for example, an MD5-Challenge) to the supplicant via the authenticator.

• The supplicant responds with an EAP-Response.

• The authentication server decides, and the authenticator transmits either an EAP-Success or an EAP-Failure packet to the supplicant.

• If the authentication server rejects the supplicant, the supplicant receives an EAP-Failure message and its traffic is not forwarded.
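The exchange described in these steps (and drawn in Figure 14-4 below), carried through in code as an added example that is not Arista's code: both PAEs build and parse EAPOL and EAP frames, the EAP-MD5 response is computed as RFC 3748 section 5.4 specifies (MD5 over identifier, secret and challenge), and the authenticator's controlled port becomes authorized only on EAP-Success and drops back to unauthorized on EAPOL-Logoff. The RADIUS leg is stood in for by an in-process lookup (radius_verify); the user database, identities and secrets are constructed values.

```python
import hashlib
import os
import struct

EAPOL_VERSION = 2                                    # IEEE 802.1X-2004 EAPOL version
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # RFC 3748 codes
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

def eapol(ptype, body=b""):
    """EAPOL frame: version(1) type(1) length(2) body; Start/Logoff carry no body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body

def eap(code, ident, etype=None, data=b""):
    """EAP packet: code(1) id(1) length(2) [type(1) data]; Success/Failure have no type."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("truncated EAPOL body")
    return ptype, frame[4:4 + length]

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):           # no type byte on these codes
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]

def md5_response(ident, secret, challenge):
    """EAP-MD5 Response value (RFC 3748 5.4 / RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def radius_verify(users, identity, ident, challenge, response):
    """Stand-in for the RADIUS server's Access-Accept / Access-Reject decision."""
    secret = users.get(identity)
    return secret is not None and response == md5_response(ident, secret, challenge)

class Authenticator:
    """Authenticator PAE for one port: relays EAP to the server and owns the port state."""
    def __init__(self, users):
        self.users, self.ident = users, 0            # users stands in for the RADIUS server
        self.port_authorized = False                 # controlled port starts unauthorized
        self.identity = self.challenge = None

    def receive(self, frame):
        """Handle one EAPOL frame from the supplicant; return the reply frame or None."""
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_LOGOFF:                    # Logoff: controlled port back to unauthorized
            self.port_authorized = False
            return None
        if ptype == EAPOL_START:                     # Start: ask for the identity
            self.ident += 1
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.ident, EAP_TYPE_IDENTITY))
        code, ident, etype, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.ident:   # stale or unexpected: ignore
            return None
        if etype == EAP_TYPE_IDENTITY:               # Access-Request -> Access-Challenge
            self.identity, self.challenge = data.decode(), os.urandom(16)
            self.ident += 1
            return eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.ident, EAP_TYPE_MD5,
                                                bytes([16]) + self.challenge))
        if etype == EAP_TYPE_MD5:                    # Access-Request -> Accept or Reject
            ok = len(data) >= 17 and data[0] == 16 and radius_verify(
                self.users, self.identity, ident, self.challenge, data[1:17])
            self.port_authorized = ok
            return eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS if ok else EAP_FAILURE, ident))
        return None

class Supplicant:
    """Supplicant PAE: answers Identity and MD5-Challenge requests, records the verdict."""
    def __init__(self, identity, secret):
        self.identity, self.secret, self.result = identity, secret, None

    def receive(self, frame):
        _ptype, body = parse_eapol(frame)
        code, ident, etype, data = parse_eap(body)
        if code in (EAP_SUCCESS, EAP_FAILURE):
            self.result = code
            return None
        if etype == EAP_TYPE_IDENTITY:
            return eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY,
                                                self.identity.encode()))
        if etype == EAP_TYPE_MD5:
            resp = md5_response(ident, self.secret, data[1:1 + data[0]])
            return eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + resp))
        return None

def run_exchange(supplicant, authenticator):
    """Send EAPOL-Start and shuttle frames until one side stops; return the port state."""
    frame = eapol(EAPOL_START)
    while frame is not None:
        reply = authenticator.receive(frame)
        frame = None if reply is None else supplicant.receive(reply)
    return authenticator.port_authorized
```

Two details matter for the security point: the authenticator never opens the controlled port on anything but a positive verdict from the server, and it ignores responses whose identifier does not match its outstanding request, so a replayed or injected EAP-Response cannot be matched to a live challenge.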

Figure 14-1: Authenticator, Supplicant, and Authentication Server in an 802.1X configuration (figure not reproduced; it shows the Client/Supplicant, the Arista Switch as Authenticator, and the RADIUS Server as Authentication Server)


14.2.3 Communication Between the Switches

For communication between the devices in an 802.1X exchange, 802.1X port security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284 (since superseded by RFC 3748), together with the RADIUS authentication protocol.

The 802.1X standard defines a method for encapsulating EAP messages so they can be sent over a LAN. This encapsulated form of EAP is known as EAP over LAN (EAPOL). EAPOL is used between the client (Supplicant) and the Authenticator; between the Authenticator and the Authentication Server, the EAP messages are carried inside RADIUS packets.

EAPOL messages are passed between the Supplicant's and Authenticator's Port Access Entity (PAE). Figure 14-2 shows the relationship between the Authenticator PAE and the Supplicant PAE.

Authenticator PAE: The Authenticator PAE communicates with the Supplicant PAE to receive the Supplicant's identifying information. Behaving as a RADIUS client, the Authenticator PAE passes the Supplicant's information to the Authentication Server, which decides whether to grant the Supplicant access. If the Supplicant passes authentication, the Authenticator PAE allows it access to the port.

Supplicant PAE – The Supplicant PAE provides information about the client to the Authenticator PAE and replies to requests from the Authenticator PAE. The Supplicant PAE may initiate the authentication procedure with the Authenticator PAE, as well as send logoff messages.

14.2.4 Enable 802.1X Port Control

To enable 802.1X port authentication on the switch, the following global configuration command is required:

switch(config)#dot1x system-auth-control

Figure 14-2: Authenticator PAE and Supplicant PAE (figure not reproduced; it shows EAPOL messages between the 802.1X-enabled Supplicant's PAE and the Authenticator PAE on the Arista switch, and RADIUS messages between the Authenticator PAE and the Authentication Server)


The port mode is set to access or trunk and the 802.1X port access entity is set to authenticator:

switch(config-if-Et1)#switchport mode access
switch(config-if-Et1)#dot1x pae authenticator

14.2.5 Controlled and Uncontrolled Ports

A physical port on the switch used with 802.1X has two virtual access points, a controlled port and an uncontrolled port. The controlled port grants full access to the network. The uncontrolled port passes only the EAPOL traffic used to authenticate the client, which the Authenticator relays to the Authentication Server. When a client is authenticated successfully, the controlled port is opened to the client.

14.2.5.1 Control Port State

Before the port is authenticated, the port is in the unauthorized state. In this state, only EAPOL packets are processed by the 802.1X agent and all other packets are dropped. After the port is successfully authenticated, the port is in the authorized state and all packets are allowed to pass. The state transition is controlled by the authentication exchange between supplicant and authentication server. However, the user can control the state with any one of the following commands:

switch(config-if-Et1)#dot1x port-control force-authorized
switch(config-if-Et1)#dot1x port-control force-unauthorized
switch(config-if-Et1)#dot1x port-control auto

Figure 14-3: Ports before and after client authentication (figure not reproduced; in both panels the 802.1X-enabled Supplicant's PAE talks to the Authenticator PAE on the Arista switch, which talks to the Authentication Server. Before authentication, the physical port exposes only the uncontrolled port and the controlled port is unauthorized; after authentication, the controlled port is authorized and the services behind it become reachable)


• force-authorized disables 802.1X authentication and puts the port directly into the authorized state. This is the default setting, so a port configured with dot1x pae authenticator but without dot1x port-control auto forwards traffic without any authentication.

• force-unauthorized also disables 802.1X authentication and puts the port directly into the unauthorized state, ignoring all attempts by the client to authenticate.

• auto enables 802.1X authentication and puts the port into the unauthorized state first. The port then remains unauthorized or transitions to the authorized state according to the authentication result and configuration.

14.2.5.2 Uncontrolled Port State

The uncontrolled port on the Authenticator is the only one open before a client is authenticated. The uncontrolled port permits only EAPOL frames to be exchanged between the client and the Authenticator, which relays them to the Authentication Server over RADIUS. No traffic is allowed to pass through the controlled port in the unauthorized state.

During authentication, EAPOL messages are exchanged between the Supplicant PAE and the Authenticator PAE, and RADIUS messages are exchanged between the Authenticator PAE and the Authentication Server. If the client is successfully authenticated, the controlled port becomes authorized, and traffic from the client can flow through the port normally.

By default, all controlled ports on the switch are in the authorized state and allow all traffic. When authentication is enabled on an interface, its controlled port is initially set to the unauthorized state. If a client connected to the port is authenticated successfully, the controlled port is set to the authorized state.

14.2.6 Message Exchange During Authentication

Figure 14-4 illustrates an exchange of messages between an 802.1X-enabled client, a switch operating as Authenticator, and a RADIUS server operating as Authentication Server.

Arista switches support MD5-Challenge, TLS, and any other EAP-encapsulated authentication type in EAP Request or Response messages. In other words, the switches are transparent to the authentication scheme used. The strength of the authentication is therefore set entirely by the EAP method negotiated between supplicant and RADIUS server: EAP-MD5 provides only a one-way challenge-response with no server authentication, whereas TLS-based methods authenticate the server and protect the credential exchange.

14.2.7 Authenticating Multiple Clients Connected to the Same Port

Arista switches support 802.1X authentication for ports with more than one client connected to them. Figure 14-5 illustrates a sample configuration where multiple clients are connected to a single 802.1X port. 802.1X authentication may use multi-host mode, or (on selected switches) single-host mode. In both modes, the port authenticates one client; until the RADIUS server has authenticated that client, packets received from all clients on the port are dropped.

14.2.7.1 Multi-host Mode

In multi-host mode, once one 802.1X client has been authenticated by the RADIUS server, the port is open to accept all packets from any connected client, and these packets do not require any authentication. Any device that shares the segment (for example, behind the hub in Figure 14-5) therefore rides on the authenticated client's session.

14.2.7.2 Single-host Mode

In single-host mode, once the 802.1X client has been authenticated by the RADIUS server, further authentication is not required, but the port accepts packets only from the MAC address of the authenticated client.


14.2.8 802.1X MAC-Based Authentication

802.1X MAC-based authentication allows a set of MAC addresses to be programmed into the RADIUS server. Devices with these MAC addresses (MAC-based authentication supplicants) do not run an 802.1X supplicant but are still allowed access to the network. The authenticator identifies devices that do not support 802.1X and uses the MAC address of these devices as username and password in its RADIUS request packets.

In MAC-based authentication, every supplicant trying to gain access through the authenticator port is individually authenticated, as opposed to authenticating just one supplicant on a given VLAN or port with 802.1X. The treatment of MAC-based authentication supplicants differs depending on whether an 802.1X supplicant has been authenticated on the port in single-host or multi-host mode.

To enable Mac-based authentication, use the following command:

switch(config-if-Et1/1)#dot1x mac based authentication

Note: This command is added to the existing 802.1X configuration on the port, so a typical 802.1X interface configuration with MAC-Based Authentication enabled may look like this:

switch(config-if-Et1/1)#show active
   speed forced 1000full
   dot1x pae authenticator
   dot1x port-control auto
   dot1x mac based authentication
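The MBA request described in this section (and in 14.3, step 2), as an added example that is not Arista's code: the MAC address becomes both User-Name and User-Password, the password is hidden with the shared secret as RFC 2865 section 5.2 specifies, and a Message-Authenticator (RFC 3579) lets the server detect a forged or altered request. check_request shows the server's side of the same computation. The shared secret, the request authenticator and the MAC string format (12 lower-case hex digits, no separators) are assumptions for this example; the format must match what the RADIUS server expects.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 2, 31, 61, 80
NAS_PORT_TYPE_ETHERNET = 15


def attr(atype, value):
    """RADIUS attribute TLV: type(1) length(1) value (length counts the two header bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([atype, 2 + len(value)]) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    where the 'previous block' of the first block is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password length out of range")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password (the server's side); strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def mba_access_request(mac, secret, ident=1, request_auth=None):
    """Access-Request whose User-Name and User-Password are both the MAC address.
    Assumption: the MAC is rendered as 12 lower-case hex digits without separators."""
    if request_auth is None:
        request_auth = os.urandom(16)
    mac_str = mac.replace(":", "").replace(".", "").replace("-", "").lower().encode()
    attrs = (attr(USER_NAME, mac_str)
             + attr(USER_PASSWORD, hide_password(mac_str, secret, request_auth))
             + attr(CALLING_STATION_ID, mac_str)
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))          # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # RFC 3579 3.2: HMAC-MD5 over the whole packet with the Message-Authenticator zeroed
    digest = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + digest


def attributes(pkt):
    """Return the attribute list of a RADIUS packet in wire order."""
    pos, out = 20, []
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        out.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def check_request(pkt, secret):
    """Server-side checks: Message-Authenticator valid, and the revealed password equals the
    User-Name (the MBA convention). Returns the MAC string or None."""
    attrs = attributes(pkt)
    fields = dict(attrs)
    given = fields.get(MESSAGE_AUTHENTICATOR)
    if given is None or len(given) != 16:
        return None
    zeroed = pkt[:20] + b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v)
                                 for t, v in attrs)
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), given):
        return None
    name, hidden = fields.get(USER_NAME), fields.get(USER_PASSWORD)
    if name is None or hidden is None or len(hidden) % 16:
        return None
    return name.decode() if reveal_password(hidden, secret, pkt[4:20]) == name else None
```

Note what the Message-Authenticator does and does not buy: it binds the request to the shared secret so a third party cannot forge or modify it, but the MAC itself is still whatever the endpoint chose to send, which is why MBA remains a device-identification mechanism rather than a proof of identity.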

Figure 14-4: Message exchange during authentication (figure not reproduced). Particip the figure: Client/Supplicant, Arista Device (Authenticator), RADIUS Server (Authentication Server). Supplicant-side labels: EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5-Challenge, EAP-Response/Identity, EAP-Success, EAP-Logoff. Server-side labels: RADIUS Access-Request, RADIUS Access-Challenge, RADIUS Access-Request, RADIUS Access-Accept. Port state: Unauthorized before the exchange, Authorized after EAP-Success, Unauthorized again after EAP-Logoff.


Figure 14-5: Multiple clients connected to a 802.1X-enabled port (figure not reproduced; clients/supplicants running 802.1X-compliant client software connect through a hub to one port of the Arista Switch (Authenticator), which talks to the RADIUS Server (Authentication Server))


14.3 Configuring 802.1X Port Security

Basic steps to implement 802.1X Port-based Network Access Control and RADIUS accounting on the switch:

Step 1 A RADIUS server is required on one or more of your network servers or management stations.

802.1X is not supported with the TACACS+ authentication protocol.

Step 2 You must create supplicant accounts on the RADIUS server:

• The account for a supplicant connected to an authenticator port set to the 802.1X authentication mode must have a username and password combination.

• The account for a supplicant connected to an authenticator port set to the MAC address-based authentication mode must use the MAC address of the node as both the username and the password.

• Clients connected to an 802.1X authenticator port require 802.1X client software.

Step 3 The RADIUS client must be configured by entering the IP addresses and shared secrets (keys) of the authentication servers on your network.

Step 4 The port access control settings must be configured on the switch. This includes the following:

• Specifying the port roles.

• Configuring 802.1X port parameters.

• Enabling 802.1X Port-based Network Access Control.

Guidelines

• Do not set a port that is connected to a RADIUS authentication server to the authenticator role, as an authentication server cannot authenticate itself.

• A supplicant connected to an authenticator port set to the 802.1X username and password authentication method must have 802.1X client software.

• To prevent unauthorized individuals from accessing the network through unattended network workstations, end users of 802.1X port-based network access control should always log off when they are finished with a work session.

• The RADIUS client should be configured on the switch before activating port-based access control.

14.3.1 Configuring 802.1X Authentication Methods

IEEE 802.1X port security relies on external client-authentication methods, which must be configured for use. The method currently supported on Arista switches is RADIUS authentication. To configure the switch to use a RADIUS server for client authentication, use the aaa authentication dot1x command.

Example

• This command configures the switch to use RADIUS authentication.

switch(config)# aaa authentication dot1x default group radius
switch(config)#

14.3.2 Globally Enable IEEE 802.1X

To enable IEEE 802.1X port authentication globally on the switch, use the dot1x system-auth-control command.


• This command enables IEEE 802.1X globally on the switch.

switch(config)#dot1x system-auth-control
switch(config)#

14.3.3 Designating Authenticator Ports

To set the port access entity (PAE) type of an Ethernet or management interface to the authenticator,use the dot1x pae authenticator command.

Example

• These commands configure the PAE type to authenticator on Ethernet interface 1 to enable IEEE 802.1X on the port.

switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x pae authenticator
switch(config-if-Et1)#

For ports to act as authenticator ports to connected supplicants, those ports must be designated using the dot1x port-control command.

The auto option of the dot1x port-control command designates an authenticator port for immediate use, blocking all traffic that is not authenticated by the AAA server.

Example

• This command configures Ethernet 1 to immediately begin functioning as an authenticator port.

switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x port-control auto
switch(config-if-Et1)#

The force-authorized option of the dot1x port-control command sets the state of the port to authorized without authentication, allowing traffic to continue uninterrupted.

Example

• These commands designate Ethernet 1 as an authenticator port that will forward packets without authentication.

switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x port-control force-authorized
switch(config-if-Et1)#

To designate a port as an authenticator but prevent it from authorizing any traffic, use the force-unauthorized option of the dot1x port-control command.

Example

• The force-unauthorized option of the dot1x port-control command places the specified port in the unauthorized state, which denies any access requests from users of the port.

switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x port-control force-unauthorized
switch(config-if-Et1)#
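An audit of the defaults this chapter warns about (port-control defaults to force-authorized, host-mode to multi-host, and nothing authenticates until dot1x system-auth-control is set globally), as an added example that is not Arista tooling: it walks a running-config and flags authenticator ports that would forward traffic without authentication, the missing global enable, and the settings a reviewer should consciously accept. The configuration text is constructed for this example.

```python
import re

# Constructed running-config excerpt: one port per situation the audit flags.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
!
interface Ethernet1
   switchport mode access
   dot1x pae authenticator
!
interface Ethernet2
   dot1x pae authenticator
   dot1x port-control auto
   dot1x host-mode single-host
   dot1x reauthentication
!
interface Ethernet3
   dot1x pae authenticator
   dot1x port-control force-authorized
   dot1x mac based authentication
!
interface Ethernet4
   dot1x pae authenticator
   dot1x port-control auto
   dot1x authentication failure action traffic allow vlan 10
!
"""


def parse_config(text):
    """Return (global_lines, {interface: [stanza lines]}); indented lines belong to the
    preceding 'interface' stanza and '!' closes a stanza."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
        else:
            match = re.match(r"interface (\S+)$", line)
            current = match.group(1) if match else None
            if current is not None:
                interfaces[current] = []
            else:
                global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return (scope, severity, message) findings; scope is an interface name or 'global'."""
    global_lines, interfaces = parse_config(text)
    findings = []
    auth_ports = {i: c for i, c in interfaces.items() if "dot1x pae authenticator" in c}
    if auth_ports and "dot1x system-auth-control" not in global_lines:
        findings.append(("global", "high", "dot1x system-auth-control missing: no port authenticates"))
    if auth_ports and not any(g.startswith("aaa authentication dot1x") for g in global_lines):
        findings.append(("global", "high", "no aaa authentication dot1x method: RADIUS not selected"))
    for intf, cfg in sorted(auth_ports.items()):
        # port-control defaults to force-authorized when the line is absent
        control = next((c.split()[-1] for c in cfg if c.startswith("dot1x port-control")),
                       "force-authorized")
        if control == "force-authorized":
            findings.append((intf, "high", "port-control is force-authorized (the default): "
                                           "traffic forwarded without authentication"))
        if not any(c.startswith("dot1x host-mode") for c in cfg):
            findings.append((intf, "medium", "host-mode left at multi-host: any MAC passes "
                                             "once one supplicant authenticates"))
        if control == "auto" and "dot1x reauthentication" not in cfg:
            findings.append((intf, "low", "re-authentication off: an authorized session "
                                          "is never re-validated"))
        if "dot1x mac based authentication" in cfg:
            findings.append((intf, "info", "MAC-based authentication on: access is granted "
                                           "on a spoofable MAC address"))
        if any(c.startswith("dot1x authentication failure action traffic allow vlan") for c in cfg):
            findings.append((intf, "info", "failure VLAN set: failed and server-unreachable "
                                           "supplicants land in it"))
    return findings
```

Run against the sample, Ethernet1 is the case that bites in practice: dot1x pae authenticator is present, so the port looks enrolled, but with port-control unset it forwards everything. Ethernet2 is the only port that produces no finding.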

14.3.4 Specifying the Authentication Mode for Multiple Clients

By default, Arista switches authenticate in multi-host mode, allowing packets from any source MAC address once 802.1X authentication has taken place. To configure the switch for single-host mode (allowing traffic only from the authenticated client's MAC address), use the dot1x host-mode command.


Example

• These commands configure Ethernet interface 1 to use single-host mode for 802.1X authentication.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x host-mode single-host
switch(config-if-Et1)#

14.3.5 Configuring Re-authentication

The dot1x reauthentication command enables re-authentication of authenticator ports with the default values.

The dot1x timeout reauth-period command customizes the re-authentication period of authenticator ports.

Example

• These commands configure the configuration mode interface to require re-authentication from clients at regular intervals.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x reauthentication

• These commands configure the Ethernet interface 1 authenticator to require re-authentication from clients every 6 hours (21600 seconds).

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#dot1x timeout reauth-period 21600
switch(config-if-Et1)#

• These commands deactivate re-authentication on Ethernet interface 1.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#no dot1x reauthentication
switch(config-if-Et1)#

14.3.6 Setting the EAP Request Maximum

The dot1x reauthorization request limit command configures the number of times the switch retransmits an 802.1X Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.

Example

• These commands set the number of times the authenticator sends an EAP request packet to the client before restarting authentication.

switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x reauthorization request limit 4
switch(config-if-Et1)#

The default value is 2.

14.3.7 Disabling Authentication on a Port

To disable authentication on an authenticator port, use the no dot1x port-control command.


Example

• These commands disable authentication on Ethernet interface 1.

switch(config)#interface ethernet 1
switch(config-if-Et1)#no dot1x port-control
switch(config-if-Et1)#

14.3.8 Setting the Quiet Period

If the switch fails to immediately authenticate the client, the time the switch waits before trying again is specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that failed authentication is blocked.

Example

• These commands set the 802.1X quiet period for Ethernet interface 1 to 30 seconds.

switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x timeout quiet-period 30

The default value is 60 seconds.

14.3.9 Setting the Dot1x Timeout Reauth-period

The dot1x timeout reauth-period command specifies the time period in seconds that the configuration mode interface waits before requiring re-authentication from clients.

• These commands configure the timeout reauth-period to 21600 seconds.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#dot1x timeout reauth-period 21600

The default value is 3600 seconds.

14.3.10 Setting the Transmission Timeout

Authentication and re-authentication are accomplished by the authenticator sending an Extensible Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply, which the authenticator forwards to an authentication server. If the authenticator does not receive a reply to the EAP request, it waits a specified period of time before retransmitting. To configure that wait time, use the dot1x timeout tx-period command.

Example

• These commands configure Ethernet interface 1 to wait 30 seconds before retransmitting EAP requests to the supplicant.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x timeout tx-period 30
switch(config-if-Et1)#

The default value is 5 seconds.

14.3.11 Enable Authentication Failure VLAN

Configure an Authentication Failure VLAN on a dot1x-enabled port using the following CLI command in interface configuration mode. The command to set VLAN 10 as the authentication failure VLAN is as follows:

switch(config-if-Et1/1)#dot1x authentication failure action traffic allow vlan 10


When no authentication failure VLAN is configured on a dot1x-enabled port, the default action is to drop any unauthorized traffic on the port. This behavior can also be specified explicitly using the following command:

Example

switch(config-if-Et1/1)#dot1x authentication failure action traffic drop

14.3.12 Clearing 802.1X Statistics

The clear dot1x statistics command resets the 802.1X counters.

Example

• This command clears the 802.1X counters on all interfaces.

switch#clear dot1x statistics all
switch#

• This command clears the 802.1X counters on Ethernet interface 1.

switch#clear dot1x statistics interface ethernet 1
switch#

14.4 Displaying 802.1X information

You can display information about 802.1X on the switch and on individual ports.

14.4.1 Displaying Port Security Configuration Information

The show dot1x command shows information about the 802.1X configuration on the specified port or ports.

Example

• This command displays IEEE 802.1X configuration information for Ethernet interface 5.

switch#show dot1x interface ethernet 5
Dot1X Information for Ethernet5
--------------------------------------------
PortControl   : auto
QuietPeriod   : 60 seconds
TxPeriod      : 5 seconds
ReauthPeriod  : 3600 seconds
MaxReauthReq  : 2
switch#

14.4.2 Displaying 802.1X information

Use the show dot1x all brief command to display IEEE 802.1X status for all ports.

Example

• This command displays a summary of IEEE 802.1X status.

switch#show dot1x all brief
Interface    Client    Status
-------------------------------------------------------------
Ethernet5    None      Unauthorized
switch#


14.4.3 Displaying 802.1X statistics

Use the show dot1x statistics command to display 802.1X statistics for the specified port or ports.

Example

• This command displays IEEE 802.1X statistics for Ethernet interface 5.

switch#show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 0      RxLogoff = 0     RxRespId = 0
RxResp = 0       RxInvalid = 0    RxTotal = 0
TxReqId = 0      TxReq = 0        TxTotal = 0
RxVersion = 0    LastRxSrcMAC = 0000.0000.0000
switch#

14.4.4 Displaying 802.1X supplicant information

Use the show dot1x hosts command to display information for all the supplicants.

Example

• This command displays 802.1X supplicant information.

switch#show dot1x hosts
Interface: Ethernet1/1
Supplicant MAC       Auth Method       State     VLAN Id
-----------------    ---------------   -------   -------
e2:29:cb:11:2f:4a    EAPOL             SUCCESS   300
e2:29:cb:11:2f:4b    MAC-BASED-AUTH    SUCCESS   300

14.4.5 Displaying VLANS

Use the show vlan command to display if a VLAN has been dynamically assigned to the port.

Example

switch#show vlan
VLAN   Name        Status   Ports
-----  ----------  -------  ----------------------------------
1      default     active
2      VLAN0002    active   Et7, Et17, Et18, Et41
300*   VLAN0300    active   Et1/1, Et6, Et19, Et20, Et29
                            Et30, Et31, Et32, Et42, Et43, Et44

* indicates a Dynamic VLAN

14.4.6 Displaying Mac-address Tables

Use the show mac address-table command to display the MAC addresses of the supplicants allowed to pass traffic through the port.


Example

switch#show mac address-table
          Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type        Ports      Moves   Last Move
----    -----------       ----        -----      -----   ---------
 300    e229.cb11.2f4a    STATIC      Et1/1
 300    e229.cb11.2f4b    STATIC      Et1/1
Total Mac Addresses for this criterion: 2

14.4.7 Displaying the Status of the 802.1X Attributes for each Port.

Use the show dot1x interface interface-id command to display the status of the 802.1X attributes for each port.

Example

switch(config-if-Et1/1)#show dot1x interface ethernet1/1
Dot1X Information for Ethernet1
--------------------------------------------
PortControl          : force-authorized
HostMode             : multi-host
QuietPeriod          : 60 seconds
TxPeriod             : 5 seconds
ReauthPeriod         : 0 seconds
MaxReauthReq         : 2
ReauthTimeoutIgnore  : No
AuthFailVlan         : 10


14.5 802.1X Configuration Commands

Global Configuration Commands
• dot1x system-auth-control

Interface Configuration Commands – Ethernet Interface
• dot1x host-mode
• dot1x mac based authentication
• dot1x pae authenticator
• dot1x port-control
• dot1x reauthentication
• dot1x reauthorization request limit
• dot1x timeout quiet-period
• dot1x timeout reauth-period
• dot1x timeout tx-period

Privileged EXEC Commands
• clear dot1x statistics
• show dot1x
• show dot1x all brief
• show dot1x hosts
• show dot1x statistics


clear dot1x statistics

The clear dot1x statistics command resets the 802.1X counters on the specified interface or on all interfaces.

Command Mode
Privileged EXEC

Command Syntax
clear dot1x statistics INTERFACE_NAME

Parameters
• INTERFACE_NAME Interface type and number. Options include:

• all All interfaces.

• interface ethernet e_num Ethernet interface specified by e_num.

• interface loopback l_num Loopback interface specified by l_num.

• interface management m_num Management interface specified by m_num.

• interface port-channel p_num Port-Channel Interface specified by p_num.

• interface vlan v_num VLAN interface specified by v_num.

Example
• This command resets the 802.1X counters on all interfaces.

switch#clear dot1x statistics all
switch#


dot1x host-mode

When multiple clients are connected to an Ethernet interface providing 802.1X authentication, the portcan either accept packets from all MAC addresses once the supplicant has been authenticated(multi-host mode), or it can accept only those packets originating from the MAC address of theauthenticated client (single-host mode). The dot1x host-mode command specifies the host mode forauthentication of multiple clients on the configuration mode interface.

The no dot1x host-mode and default dot1x host-mode commands restore the switch default (multi-host mode) by removing the corresponding dot1x host-mode command for the configuration mode interface.

Command Mode
Interface-Ethernet Configuration

Command Syntax
dot1x host-mode [multi-host | single-host]
no dot1x host-mode
default dot1x host-mode

Parameters
• multi-host configures the interface to use multi-host mode (the default)

• single-host configures the interface to use single-host mode

Example
• These commands configure Ethernet interface 1 to use single-host mode for 802.1X authentication.

switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x host-mode single-host
switch(config-if-Et1)#


dot1x mac based authentication

The dot1x mac based authentication command enables MAC-based authentication on the existing 802.1X authenticator port.

The no dot1x mac based authentication and the default dot1x mac based authentication commands restore the switch default by disabling the corresponding dot1x mac based authentication command for the specific 802.1X authenticator port.

Command Mode
Interface-Ethernet Configuration

Command Syntax
dot1x mac based authentication
no dot1x mac based authentication
default dot1x mac based authentication

Related Commands
• show dot1x hosts

Example
• These commands configure MAC-based authentication on Ethernet interface 1.

switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x mac based authentication
switch(config-if-Et1)#


dot1x system-auth-control

The dot1x system-auth-control command enables 802.1X authentication on the switch.

The no dot1x system-auth-control and default dot1x system-auth-control commands disable 802.1X authentication by removing the dot1x system-auth-control command from running-config.

Command Mode
Global Configuration

Command Syntax
dot1x system-auth-control
no dot1x system-auth-control
default dot1x system-auth-control

Example
• This command enables 802.1X authentication on the switch.

switch(config)#dot1x system-auth-control
switch(config)#

• This command disables 802.1X authentication on the switch.

switch(config)#no dot1x system-auth-control
switch(config)#


dot1x pae authenticator

The dot1x pae authenticator command sets the port access entity (PAE) type of the configuration mode interface to authenticator, which enables IEEE 802.1X on the port. IEEE 802.1X is disabled on all ports by default.

The no dot1x pae authenticator and default dot1x pae authenticator commands restore the switch default by deleting the corresponding dot1x pae authenticator command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
dot1x pae authenticator
no dot1x pae authenticator
default dot1x pae authenticator

Example
• These commands configure Ethernet interface 2 as a port access entity (PAE) authenticator, enabling IEEE 802.1X on the port.

switch(config-if-Et1)#interface ethernet 2
switch(config-if-Et1)#dot1x pae authenticator
switch(config-if-Et1)#

• These commands disable IEEE 802.1X authentication on Ethernet interface 2.

switch(config-if-Et1)#interface ethernet 2
switch(config-if-Et1)#no dot1x pae authenticator
switch(config-if-Et1)#


dot1x port-control

The dot1x port-control command configures the configuration mode interface as an authenticator port and specifies whether it will authenticate traffic.

The no dot1x port-control and default dot1x port-control commands configure the port to pass traffic without authorization by removing the corresponding dot1x port-control command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
dot1x port-control STATE
no dot1x port-control
default dot1x port-control

Parameters
• STATE specifies whether the interface will authenticate traffic. The default value is force-authorized. Options include:

• auto configures the port to authenticate traffic using Extensible Authentication Protocol messages.

• force-authorized configures the port to pass traffic without authentication.

• force-unauthorized configures the port to block all traffic regardless of authentication.

Examples
• These commands configure Ethernet interface 1 to pass traffic without authentication. This is the default setting.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x port-control force-authorized
switch(config-if-Et1)#

• These commands configure Ethernet interface 1 to block all traffic.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x port-control force-unauthorized
switch(config-if-Et1)#

• These commands configure Ethernet interface 1 to authenticate traffic using EAP messages.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x port-control auto
switch(config-if-Et1)#
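Because port-control defaults to force-authorized, a port that has dot1x pae authenticator but no dot1x port-control auto still passes traffic unauthenticated, and switch-wide 802.1X is off until dot1x system-auth-control is set. The following audit over an EOS-style running-config text is an added example, not Arista code; the configuration excerpt is constructed for the example.

```python
# Constructed EOS-style running-config excerpt (not a capture from a real switch).
# Ethernet1 is fully enabled, Ethernet2 has the PAE set but is left at the
# default port-control (force-authorized), Ethernet3 never re-authenticates.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface Ethernet1
   dot1x pae authenticator
   dot1x port-control auto
   dot1x reauthentication
!
interface Ethernet2
   dot1x pae authenticator
!
interface Ethernet3
   dot1x pae authenticator
   dot1x port-control auto
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped sub-commands]} for each interface block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        elif line.strip() == "!":
            current = None          # "!" closes the current block
    return interfaces

def audit_dot1x(config):
    """Return (scope, finding) tuples for ports that will not actually
    authenticate, plus a global finding if 802.1X is disabled switch-wide."""
    findings = []
    if "dot1x system-auth-control" not in config.splitlines():
        findings.append(("global", "dot1x system-auth-control missing: 802.1X is off"))
    for name, lines in parse_interfaces(config).items():
        pae = "dot1x pae authenticator" in lines
        # Default STATE per the manual is force-authorized when no port-control is set
        control = next((l.split()[-1] for l in lines
                        if l.startswith("dot1x port-control")), "force-authorized")
        if pae and control == "force-authorized":
            findings.append((name, "PAE authenticator set but port-control is "
                                   "force-authorized (default): traffic passes unauthenticated"))
        if pae and control == "auto" and "dot1x reauthentication" not in lines:
            findings.append((name, "no periodic re-authentication (dot1x reauthentication)"))
    return findings
```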


dot1x reauthentication

The dot1x reauthentication command configures the configuration mode interface to require re-authentication from clients at regular intervals. The interval is set by the dot1x timeout reauth-period command.

The no dot1x reauthentication and default dot1x reauthentication commands restore the default setting by deleting the corresponding dot1x reauthentication command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
dot1x reauthentication
no dot1x reauthentication
default dot1x reauthentication

Example
• These commands configure the Ethernet interface 1 authenticator to require periodic re-authentication from clients.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#


dot1x reauthorization request limit

The dot1x reauthorization request limit command configures how many times the switch retransmits an 802.1X Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.

The no dot1x reauthorization request limit and default dot1x reauthorization request limit commands restore the default value of 2 by deleting the corresponding dot1x reauthorization request limit command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
dot1x reauthorization request limit attempts
no dot1x reauthorization request limit
default dot1x reauthorization request limit

Parameters
• attempts maximum number of attempts. Values range from 1 to 10; default value is 2.

Examples
• This command sets the 802.1X EAP-request retransmit limit to 6.

switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x reauthorization request limit 6
switch(config-if-Et1)#

• This command restores the default request repetition value of 2.

switch(config)#interface ethernet 1
switch(config-if-Et1)#no dot1x reauthorization request limit
switch(config-if-Et1)#


dot1x timeout quiet-period

If the switch fails to immediately authenticate the client, the time the switch waits before trying again is specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that failed authentication is blocked.

The no dot1x timeout quiet-period and default dot1x timeout quiet-period commands restore the default quiet period of 60 seconds by removing the corresponding dot1x timeout quiet-period command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
dot1x timeout quiet-period quiet_time
no dot1x timeout quiet-period
default dot1x timeout quiet-period

Parameters
• quiet_time interval in seconds. Values range from 1 to 65535. Default value is 60.

Example
• These commands set the 802.1X quiet period for Ethernet interface 1 to 30 seconds.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x timeout quiet-period 30
switch(config-if-Et1)#


dot1x timeout reauth-period

The dot1x timeout reauth-period command specifies the time period that the configuration mode interface waits before requiring re-authentication from clients.

The no dot1x timeout reauth-period and default dot1x timeout reauth-period commands restore the default period of 60 minutes by removing the corresponding dot1x timeout reauth-period command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
dot1x timeout reauth-period reauth_time
no dot1x timeout reauth-period
default dot1x timeout reauth-period

Parameters
• reauth_time the number of seconds the interface passes traffic before requiring re-authentication. Values range from 1 to 65535. Default value is 3600.

Example
• These commands configure the Ethernet interface 1 authenticator to require re-authentication from clients every 6 hours (21600 seconds).

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#dot1x timeout reauth-period 21600
switch(config-if-Et1)#


dot1x timeout tx-period

Authentication and re-authentication are accomplished by the authenticator sending an Extensible Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply which the authenticator forwards to an authentication server. If the authenticator does not get a reply to the EAP request, it waits a specified period of time before retransmitting. The dot1x timeout tx-period command configures that wait time.

The no dot1x timeout tx-period and default dot1x timeout tx-period commands restore the default wait time by removing the corresponding dot1x timeout tx-period command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
dot1x timeout tx-period tx_time
no dot1x timeout tx-period
default dot1x timeout tx-period

Parameters
• tx_time wait time in seconds. Values range from 1 to 65535. Default value is 5.

Example
• These commands configure Ethernet interface 1 to wait 30 seconds before retransmitting EAP requests to the supplicant.

switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x timeout tx-period 30
switch(config-if-Et1)#


show dot1x

The show dot1x command displays 802.1X information for the specified interface.

Command Mode
EXEC

Command Syntax
show dot1x INTERFACE_NAME INFO

Parameters
• INTERFACE_NAME Interface type and number. Options include:

• all Display information for all interfaces.

• ethernet e_num Ethernet interface specified by e_num.

• loopback l_num Loopback interface specified by l_num.

• management m_num Management interface specified by m_num.

• port-channel p_num Port-Channel Interface specified by p_num.

• vlan v_num VLAN interface specified by v_num.

• INFO Type of information the command displays. Values include:

• <no parameter> displays summary of the specified interface.

• detail displays all 802.1X information for the specified interface.

Example
• This command displays 802.1X summary information for Ethernet interface 5.

switch#show dot1x interface ethernet 5
Dot1X Information for Ethernet5
--------------------------------------------
PortControl  : auto
QuietPeriod  : 60 seconds
TxPeriod     : 5 seconds
ReauthPeriod : 3600 seconds
MaxReauthReq : 2
switch#

• This command displays detailed 802.1X information for Ethernet interface 5.

switch#show dot1x interface ethernet 5 detail
Dot1X Information for Ethernet5
--------------------------------------------
PortControl  : auto
QuietPeriod  : 60 seconds
TxPeriod     : 5 seconds
ReauthPeriod : 3600 seconds
MaxReauthReq : 2

Dot1X Authenticator Client
Port Status : Unauthorized
switch#


show dot1x all brief

The show dot1x all brief command displays the IEEE 802.1X status for all ports.

Command Mode
EXEC

Command Syntax
show dot1x all brief

Example
• This command displays the IEEE 802.1X status.

switch#show dot1x all brief
Interface    Client    Status
-------------------------------------------------------------
Ethernet5    None      Unauthorized
switch#


show dot1x hosts

The show dot1x hosts command displays 802.1X information for all the supplicants.

Command Mode
EXEC

Command Syntax
show dot1x hosts [ethernet]

Parameters
• ethernet e_num Ethernet interface specified by e_num.

Related Commands
• dot1x mac based authentication

Example
• This command displays 802.1X information for all the supplicants.

switch#show dot1x hosts
Interface: Ethernet1/1
Supplicant MAC     Auth Method     State     VLAN Id
-----------------  --------------  --------  -------
e2:29:cb:11:2f:4a  MAC-BASED-AUTH  SUCCESS   300


show dot1x statistics

The show dot1x statistics command displays 802.1X statistics for the specified port or ports.

Command Mode
EXEC

Command Syntax
show dot1x INTERFACE_NAME statistics

Parameters
• INTERFACE_NAME Interface type and number. Options include:

• all Display information for all interfaces.

• ethernet e_num Ethernet interface specified by e_num.

• loopback l_num Loopback interface specified by l_num.

• management m_num Management interface specified by m_num.

• port-channel p_num Port-Channel Interface specified by p_num.

• vlan v_num VLAN interface specified by v_num.

Output Fields
• RxStart Number of EAPOL-Start frames received on the port.

• TxReqId Number of EAP-Request/Identity frames transmitted on the port.

• RxVersion Version number of the last EAPOL frame received on the port.

• RxLogoff Number of EAPOL-Logoff frames received on the port.

• RxInvalid Number of invalid EAPOL frames received on the port.

• TxReq Number of transmitted EAP-Request frames that were not EAP-Request/Identity.

• LastRxSrcMAC The source MAC address in the last EAPOL frame received on the port.

• RxRespId The number of EAP-Response/Identity frames received on the port.

• RxTotal The total number of EAPOL frames received on the port.

• TxTotal The total number of EAPOL frames transmitted on the port.

Example
• This command displays the 802.1X statistics for Ethernet interface 5.

switch#show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 0     RxLogoff = 0      RxRespId = 0
RxStart= 0      RxInvalid = 0     RxTotal = 0
TxReqId = 0     TxReq = 0         TxTotal = 0
RxVersion = 0   LastRxSrcMAC = 0000.0000.0000
switch#
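The counters above are the raw material for monitoring: malformed EAPOL frames (RxInvalid) and repeated EAPOL-Start with no EAP-Response/Identity are the cases a port-security operator wants surfaced. The following parser for the show dot1x statistics output format is an added example, not Arista code; the two-port sample output is constructed for the example and is not a capture from a real switch.

```python
import re

# Constructed sample in the documented output format (not from a real switch):
# Ethernet5 is idle, Ethernet6 shows invalid EAPOL frames and EAPOL-Starts
# from a supplicant that never sent an EAP-Response/Identity.
SAMPLE_STATS = """\
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 0     RxLogoff = 0      RxRespId = 0
RxStart= 0      RxInvalid = 0     RxTotal = 0
TxReqId = 0     TxReq = 0         TxTotal = 0
RxVersion = 0   LastRxSrcMAC = 0000.0000.0000
Dot1X Authenticator Port Statistics for Ethernet6
-------------------------------------------------
RxStart = 14    RxLogoff = 9      RxRespId = 0
RxStart= 14     RxInvalid = 7     RxTotal = 30
TxReqId = 14    TxReq = 0         TxTotal = 14
RxVersion = 1   LastRxSrcMAC = 0011.2233.4455
"""

HEADER = re.compile(r"Dot1X Authenticator Port Statistics for (\S+)")
COUNTER = re.compile(r"(\w+)\s*=\s*(\S+)")   # tolerates "RxStart= 0" spacing

def parse_dot1x_statistics(text):
    """Return {port: {field: value}}; counters become ints, the MAC stays a string."""
    ports, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        if current is None or line.startswith("-"):
            continue
        for field, value in COUNTER.findall(line):
            ports[current][field] = value if field == "LastRxSrcMAC" else int(value)
    return ports

def flag_ports(stats):
    """Ports worth a closer look: invalid EAPOL frames, or EAPOL-Start frames
    without any EAP-Response/Identity (a supplicant that never identifies)."""
    flagged = {}
    for port, c in stats.items():
        reasons = []
        if c.get("RxInvalid", 0) > 0:
            reasons.append("invalid EAPOL frames received")
        if c.get("RxStart", 0) > 0 and c.get("RxRespId", 0) == 0:
            reasons.append("EAPOL-Start seen but no EAP-Response/Identity")
        if reasons:
            flagged[port] = reasons
    return flagged
```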
