Wired Dot1x Configuration: Step-by-Step Guide

Wired Dot1x (802.1x) is a security protocol used to control access to network resources. It provides authentication, authorization, and accounting (AAA) services for network devices and is commonly used in enterprise environments to secure wired networks. Wired Dot1x uses the EAP (Extensible Authentication Protocol) framework to provide secure access to network resources and is designed to work with a variety of authentication methods, such as usernames and passwords, digital certificates, and smart cards. To configure Wired Dot1x on a wired network you need the components discussed in this blog; read to the end for the full procedure.

What is Dot1x?

802.1x is an IEEE standard for media-level access control, offering the capability to permit or deny network connectivity based on the identity of a user. The user is authenticated based on its identity, and the associated policies are enforced on the switchport. It is a more secure mechanism for endpoint authentication than port-security, which, as we know, authenticates the host based on its MAC address and can also limit the maximum number of hosts allowed on a switchport.

802.1x Benefits

Visibility → The 802.1x process collects information about the end user like an IP address, MAC address, switchport number, etc. This information can be used for security audits, troubleshooting and profiling.

Security → IEEE 802.1x is the strongest method of device authentication and it must be deployed in the network.

Identity-based services → IEEE 802.1x allows you to authenticate a user based on its identity and helps enforce customized authorization attributes like VLAN, dynamic ACLs, etc.

User and device authentication → 802.1x can provide authentication for the user as well as the device.


IEEE 802.1x Roles

Supplicant → The device trying to connect to the network is known as a supplicant. Make sure the device has IEEE 802.1x support (e.g., Windows 7 or above).

Authenticator → The device that controls access to the network. In an 802.1x deployment, a switch acts as the authenticator because it is the first point of contact for devices in the network. It relays the information delivered by the endpoint to the ISE server.

Authentication server → The device that validates a user/device’s identity. Cisco ISE has the ability to function as an authentication server.


802.1x Protocols 

802.1x uses the following protocols:

  1. Extensible Authentication Protocol [EAP] → This protocol is used between the supplicant and the authentication server to negotiate the authentication method [EAP method].

  2. EAP over LAN [EAPOL] → A layer 2 protocol defined by the IEEE. It is used to transport the EAP authentication data between the supplicant and the authenticator.

  3. RADIUS → This protocol is used to provide communication between the authenticator and the authentication server. It requires layer 3 connectivity between the authenticator and the authentication server.


802.1x Configuration

  1. Supplicant Configuration

I am using a Windows 7 machine in my topology. By default, 802.1x authentication is disabled on the Windows machine for both wired and wireless connections. To enable 802.1x authentication on the Windows machine, you can follow these steps:

Open the Start menu, type Services, and open the Services app.

Open Wired AutoConfig.

Start the service.


Verification


  2. Authenticator Configuration [Switch Configuration]

Please make sure that the switch is reachable from the ISE server (RADIUS needs layer 3 connectivity between them).
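The switch configuration the original screenshots carried is not reproduced here, so the following is an added example Cisco IOS configuration (not the post's own). It assumes a Catalyst switch using the legacy IBNS 1.0 command syntax, ISE at the placeholder address 192.0.2.10, and the test PC connected to GigabitEthernet1/0/1; the RADIUS key is a placeholder and must match the one entered in ISE in Step 1 below.

```cisco
! Added example switch configuration, not from the original post.
! Placeholders: ISE address 192.0.2.10, shared secret REPLACE_WITH_SHARED_SECRET.
aaa new-model
!
! RADIUS server definition. The key must be identical to the one configured
! for this switch as a network device in ISE.
radius server ISE-01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
aaa group server radius ISE-GROUP
 server name ISE-01
!
! Send 802.1X authentication, network authorization (VLAN / dACL) and
! accounting to ISE.
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Required for ISE to push dACLs and other Cisco AV-pairs to the port.
radius-server vsa send authentication
! Legacy device tracking is needed so a downloaded dACL can be applied to
! the host's IP (newer IOS-XE uses "device-tracking policy" instead).
ip device tracking
!
! Enable 802.1X globally; without this the interface commands do nothing.
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Wired 802.1X test port
 switchport mode access
 ! Port stays unauthorized (no traffic except EAPOL) until ISE returns
 ! ACCESS_ACCEPT with the authorization profile.
 authentication port-control auto
 ! One authenticated host per port; use multi-auth for phones/hubs.
 authentication host-mode single-host
 authentication order dot1x
 authentication priority dot1x
 dot1x pae authenticator
 ! Retry EAP-Request/Identity every 10 s instead of the 30 s default.
 dot1x timeout tx-period 10
 spanning-tree portfast
```

On newer IOS-XE releases the switch converts this into IBNS 2.0 syntax (`access-session port-control auto` and a `policy-map type control subscriber`), but the RADIUS, AAA and `dot1x system-auth-control` lines stay the same.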


  3. Authentication Server Configuration [ISE Server]

Step 1 → Add the switch as a network device and enable the RADIUS service.


Check the RADIUS box, provide the shared key and submit the configuration. Make sure that the key is the same on ISE and on the switch; a mismatch makes the switch's RADIUS requests fail silently on the ISE side.


Step 2 → Add the user under Identities.


Step 3 → Define an Authorization Profile.

Give it a name and select the access type ACCESS_ACCEPT.


You can add additional attributes to the authorization profile, such as a DACL, VLAN ID, SGT, etc. For example:

Save the configuration.

You can push a dynamic ACL (DACL) from ISE. By default, two DACLs are configured in ISE, and you can create your own.


Step 4 → Define the policy under Policy Sets.


Give it a name and click the + sign.

Drag and drop Wired_802.1x and save the configuration.


Go to the Wired_802.1x policy set.

Authentication policy (1) → Select Internal Users and save.

But I am using the default policy present on the ISE.


Authorization policy → Change the default or create your own authorization policy. I am creating a new authorization policy.


Open Authorization Policy.

Add a new authorization policy rule and match attributes. For example, I have matched internal users and the username "tests", assigned the authorization profile and saved the configuration.

Testing

On the user's Windows machine, change the authentication parameters:

Uncheck "Fallback to unauthorized network access".

Go to Settings and uncheck certificate verification. (This disables validation of the ISE server certificate on the supplicant; it is acceptable for a lab test, but keep it enabled in production, since server certificate validation is what stops the supplicant from handing its credentials to an untrusted authentication server.)

Go to Settings and click Configure.

Make sure that the device is not using the Windows logon name and password for authentication.

Go to Authentication > Additional settings > Specify authentication mode > User authentication > Add credentials > Save.

Go to the switch and enable debugging.


You can see the debugging output here:

You can verify using the following command:

You can see that the switchport has been assigned to VLAN 10 as per the authorization profile.
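The exact debug and verification commands typed on the switch were carried by the screenshots, so here is an added example of what to run and what to look for (not the post's own output). It assumes the test PC is on GigabitEthernet1/0/1 and that the authorization profile assigned VLAN 10, as described above.

```cisco
! Added example: debugging and verification for the wired 802.1X test.
! Assumes the supplicant is on GigabitEthernet1/0/1.
!
! --- Debugging (run while the PC re-authenticates; turn off afterwards) ---
debug dot1x events
debug radius authentication
! Force a fresh EAPOL exchange on the port so the debug shows the whole flow:
! EAP-Request/Identity, RADIUS Access-Request/Challenge, Access-Accept.
clear authentication sessions interface GigabitEthernet1/0/1
! Stop debugging once the exchange is captured; debugs are CPU-heavy.
undebug all
!
! --- Verification ---
! Per-port session state. Check that the session shows an authorized
! status, "Vlan Policy: 10" (the VLAN from the authorization profile) and,
! if a dACL was pushed, an "ACS ACL: xACSACLx-IP-<name>-<hash>" line.
show authentication sessions interface GigabitEthernet1/0/1 details
! 802.1X state machine: PAE should be AUTHENTICATOR and Port Status AUTHORIZED.
show dot1x interface GigabitEthernet1/0/1 details
! Confirms the port now sits in the VLAN returned by ISE.
show vlan brief
! A downloaded dACL appears here as a dynamically created named ACL.
show ip access-lists
! RADIUS server counters: timeouts here mean the switch cannot reach ISE
! or the shared key does not match what was entered in Step 1.
show aaa servers
```

On the ISE side, the same attempt appears under Operations > RADIUS > Live Logs, where a failed authentication shows the failure reason (wrong key, unknown network device, or no matching authorization rule).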

Conclusion

Wired Dot1x is a robust security protocol that provides authentication, authorization, and accounting services for network devices. By following the steps outlined above, you can configure Wired Dot1x on a wired network and ensure that network resources are secured against unauthorized access. For more such informative blogs, stay tuned with us.

We offer a wide range of networking training so feel free to contact us at +91 88 000 111 38 or [email protected].
