Wired Dot1x Configuration: Step by Step Guide

Wired Dot1x (IEEE 802.1X) is a port-based network access control standard: a switch port forwards nothing but authentication traffic until the device plugged into it has proven its identity, after which a RADIUS server (Cisco ISE in this guide) returns the authorization attributes for that port and, optionally, collects accounting records. It is the usual way to secure wired access in enterprise networks. 802.1X carries the Extensible Authentication Protocol (EAP), so the actual credential can be a username and password, a digital certificate or a smart card, depending on the EAP method in use. Configuring Wired Dot1x involves several components, which we will walk through in this blog. Read on to learn the procedure.

What is Dot1x?

802.1X is the IEEE standard for port-based network access control. It lets a switch permit or deny network connectivity based on the identity of the user or device connecting, and once that identity is known the policies associated with it (VLAN, ACL and so on) are enforced on the switchport. This is stronger than port-security, which only limits which and how many MAC addresses may appear on a port: a MAC address is not a credential and can be copied by anyone who can see it, whereas 802.1X requires the endpoint to prove its identity with a password or a certificate before the port opens.

Benefits of 802.1x

    • Visibility: The 802.1X process, together with RADIUS accounting, records who is connected where: the username, MAC address, switch and switchport, and (with IP device tracking on the switch) the IP address. This data can be used for security audits, troubleshooting and profiling.

    • Security: 802.1X authenticates the endpoint with a real credential rather than a spoofable MAC address, and the port stays closed to user traffic until the authentication server has accepted it. How strong the authentication is depends on the EAP method chosen: certificate-based EAP-TLS is preferred over password-based methods such as PEAP-MSCHAPv2.

    • Identity-based services: Because the server knows who authenticated, it can return customized authorization attributes such as a VLAN, a downloadable ACL or a Security Group Tag, so the same physical port behaves differently for different users.

    • User and device authentication: 802.1X can authenticate the device itself (machine authentication, for example with a computer certificate), the user logging in to it, or both.

Roles in IEEE 802.1x

    • Supplicant: The device attempting to connect to the network. Ensure the device has an 802.1X client; Windows 7 and later include a built-in wired supplicant, the Wired AutoConfig service.

    • Authenticator: The switch the supplicant plugs into. It enforces the port state (closed or open), relays the EAP messages between the supplicant and the authentication server by repackaging them inside RADIUS, and applies the authorization attributes the server returns. It does not evaluate the credential itself.

    • Authentication Server: Validates the user's or device's identity against an identity store and decides what the port may do. Cisco ISE is used as the authentication server in this guide.

Protocols Used in 802.1x

    • Extensible Authentication Protocol (EAP): The authentication framework. EAP runs end to end between the supplicant and the authentication server; the two sides negotiate an EAP method (PEAP, EAP-TLS, EAP-FAST and so on) that determines which credential is exchanged and how it is protected. The authenticator only relays the EAP packets.

    • EAP over LAN (EAPOL): The layer 2 encapsulation defined by IEEE 802.1X for carrying EAP frames between the supplicant and the authenticator over the switchport. EAPOL frames are the only traffic an unauthenticated port accepts.

    • RADIUS: Carries the same EAP packets (inside EAP-Message attributes) between the authenticator and the authentication server, and returns the Access-Accept or Access-Reject together with any authorization attributes. RADIUS runs over UDP (port 1812 for authentication and 1813 for accounting), so the switch needs layer 3 reachability to the server, and both sides must be configured with the same shared secret.

Configuring 802.1x

Supplicant Configuration

To enable 802.1X authentication on a Windows 7 machine:

    1. Open the Services app by typing "Services" in the Windows search bar.

    2. Locate the "Wired AutoConfig" service (service name dot3svc), start it, and set its startup type to Automatic so that it is still running after a reboot.

Verification: the service shows a status of Started in the Services list, and an Authentication tab now appears in the properties of the wired network adapter. Without this service running the PC never answers the switch's EAP-Request/Identity, and the port stays unauthenticated.

Authenticator Configuration (Switch Configuration)

Before configuring 802.1X on the switch, make sure the switch and the ISE server can reach each other over IP (ping ISE from the switch using the address the switch will send RADIUS from), because RADIUS runs over UDP between them. Decide on the RADIUS shared secret now: the same key must be entered when the switch is added as a network device in ISE.
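The switch side of the configuration, as an added example written for this page rather than the configuration shown in the blog's screenshot. It targets a Cisco Catalyst switch running classic IOS 15.x; the ISE address 10.10.10.5, the RADIUS source interface Vlan1, the shared secret, the port GigabitEthernet1/0/1 and the VLAN numbers are assumptions and must be replaced with your own values.

```cisco
! Added example configuration (not the blog's own). Assumed values:
! ISE = 10.10.10.5, RADIUS source = Vlan1, secret = Ise$ecret123,
! test port = Gi1/0/1, pre-authentication access VLAN = 20.

! --- AAA: send 802.1X authentication, authorization and accounting to RADIUS
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

! --- RADIUS server (ISE). The key must match the shared secret entered for
! this switch under Network Devices in ISE. On images older than 15.2(2)E use:
!   radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key Ise$ecret123
radius server ISE-PSN1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key Ise$ecret123
!
! Source RADIUS from the interface whose address is registered in ISE
ip radius source-interface Vlan1
! Send Cisco vendor-specific attributes (needed for DACL download)
radius-server vsa send authentication
radius-server vsa send accounting
! Mark the server dead after 3 unanswered tries within 5 s; retry after 10 min
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10

! --- Needed so that a downloaded ACL can be bound to the endpoint's IP address
ip device tracking

! --- Enable the 802.1X process globally. Without this line the interface
! commands are accepted but do nothing, and every port forwards freely.
dot1x system-auth-control

! --- Test port
interface GigabitEthernet1/0/1
 description 802.1X test port - Windows PC
 switchport mode access
 switchport access vlan 20
 ! The port forwards only EAPOL until ISE authorizes the session; the VLAN
 ! returned by ISE (10 in this guide) replaces the configured access VLAN
 authentication port-control auto
 dot1x pae authenticator
 ! Only the first authenticated host may use the port
 authentication host-mode single-host
 ! Re-authenticate on the interval ISE returns (Session-Timeout)
 authentication periodic
 authentication timer reauthenticate server
 ! Wait 10 s for the PC to answer Request/Identity, give up after 2 retries
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! If every RADIUS server is dead, place new sessions in VLAN 20 instead of
 ! blocking them, and re-run authentication once a server answers again
 authentication event server dead action authorize vlan 20
 authentication event server alive action reinitialize
 spanning-tree portfast
 ! Do NOT add "authentication open" here: it lets all traffic through before
 ! (and regardless of) authentication and belongs only to a monitor-mode rollout
```

The server-dead handling is the failure mode most often forgotten in a first deployment: without it, a RADIUS outage takes every 802.1X port down, which is a strong incentive for someone to disable 802.1X altogether.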

Authentication Server Configuration (ISE Server)

Step 1: Add the switch as a Network Device and enable RADIUS

In ISE go to Administration > Network Resources > Network Devices, add the switch with its name and the IP address it sends RADIUS from, check the RADIUS Authentication Settings box, enter the shared secret and submit the configuration. The key must match the one configured on the switch; if it does not, or if the switch is not defined here at all, ISE drops the switch's requests and the switch only ever sees RADIUS timeouts.

Step 2: Add the user to Identities

Go to Administration > Identity Management > Identities > Users and create the test user with a password. This is an ISE internal user, not a Windows account, which matters when the supplicant is configured later.

Step 3: Define an Authorization Profile

Under Policy > Policy Elements > Results > Authorization > Authorization Profiles, create a profile, give it a name and select the access type ACCESS_ACCEPT.

In the same profile you add the attributes that ISE should return to the switch in the Access-Accept, such as a downloadable ACL (DACL), a VLAN (by ID or name) or a Security Group Tag (SGT). In this example the profile assigns VLAN 10, which the switch applies to the port after a successful authentication.

Save the configuration.

A DACL is an ACL that ISE pushes to the switch for that session only. ISE ships with a permit-all and a deny-all DACL by default, and you can create your own. The switch needs IP device tracking enabled so that it knows the endpoint's IP address when it applies the DACL.

Step 4: Define the policy under Policy Sets

Go to Policy > Policy Sets, give the new policy set a name and click the + sign in its Conditions column.

Drag and drop the built-in Wired_802.1X condition into the editor and save the configuration. This condition matches RADIUS requests whose Service-Type is Framed and whose NAS-Port-Type is Ethernet, that is, 802.1X from a switchport.

Open the Wired_802.1X policy set.

Authentication policy: the rule can be pointed at Internal Users as its identity store. Here the default authentication rule that ISE ships with is used; its identity store sequence already includes the internal users, so the test user is found.

Authorization policy: change the default rule or create your own. Here a new authorization rule is created.

Open the Authorization Policy section, add a new rule and match attributes. In this example the rule matches the internal user store and the test user's username, assigns the authorization profile created in Step 3, and is saved. Anything the rule does not match falls through to the Default rule below it, which denies access unless you change it.

Testing the Configuration

    • On the PC, configure the EAP method and specify the user credentials; in this lab the server certificate check is turned off, which must not be done in production.

    • Enable debugging on the switch and verify the output.

On the PC, open the adapter's Authentication tab, keep the EAP method (PEAP by default), open its Settings and uncheck certificate verification (Validate server certificate). This is done only because the lab ISE presents a self-signed certificate the PC does not trust. Leave validation enabled in production and trust only the CA that issued the ISE certificate: a supplicant that skips server validation will run PEAP with any rogue RADIUS server on the wire and hand it the user's MSCHAPv2 credential hashes.

Still in the PEAP settings, click Configure next to EAP-MSCHAPv2 and make sure the device is not using the Windows logon name and password for authentication; the test user exists only in ISE's internal store, so the Windows credentials would be rejected.

Then go to Authentication > Additional settings > Specify authentication mode > User authentication > add (save) credentials, enter the ISE user's username and password and save.

On the switch, enable debugging for dot1x and RADIUS, then unplug and replug the PC (or bounce the port) so that a fresh authentication runs. The debug output shows the EAPOL exchange with the PC, the RADIUS Access-Request sent to ISE and the Access-Accept that carries the VLAN attribute.

Then verify the session on the switch: the session shows as Authorized and the switchport has been assigned to VLAN 10 as per the authorization profile. If the authentication fails, ISE shows the reason under Operations > RADIUS > Live Logs.
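The debug and verification commands for this step, as an added example written for this page; the blog's own screenshots are not reproduced. The port name GigabitEthernet1/0/1, the ISE address 10.10.10.5 and VLAN 10 as the returned VLAN are assumptions.

```cisco
! Added example (not the blog's screenshot). Assumed: test port Gi1/0/1,
! ISE at 10.10.10.5, authorization profile returns VLAN 10.

! Show debug messages on this terminal session, then trace the 802.1X state
! machine and the RADIUS exchange. Debugs are verbose: use them on a lab
! switch or for one port at a time, and switch them off afterwards.
terminal monitor
debug dot1x all
debug radius authentication

! Now reconnect the PC, or bounce the port, to force a fresh authentication:
!   configure terminal
!   interface GigabitEthernet1/0/1
!    shutdown
!    no shutdown
!   end
! Expected sequence in the debug output:
!   1. EAPOL-Start from the PC, EAP-Request/Identity from the switch
!   2. RADIUS Access-Request to 10.10.10.5:1812 carrying EAP-Message attributes
!   3. Several Access-Challenge / Access-Request round trips (the PEAP TLS tunnel)
!   4. RADIUS Access-Accept with Tunnel-Private-Group-ID = 10 (the VLAN)
! An Access-Reject points at the credential or the ISE policy (check Live Logs);
! no reply at all means ISE is unreachable, the switch is not defined as a
! network device in ISE, or the shared secret does not match.
undebug all

! Session state: Status must be Authorized and the VLAN field must show 10
show authentication sessions interface GigabitEthernet1/0/1 details
show dot1x interface GigabitEthernet1/0/1 details

! Confirm the port really moved to VLAN 10 and that ISE is marked UP
show interfaces GigabitEthernet1/0/1 switchport | include Access Mode VLAN
show aaa servers
```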

Conclusion

Wired Dot1x is a robust way to control access to the wired network: a port is opened only after the user or device has authenticated, and the authorization the server returns (VLAN, DACL, SGT) is applied to that session alone. By following the steps outlined above, you can configure Wired Dot1x on a wired network and keep network resources closed to unauthorized devices. For more informative blogs, stay tuned with us.

We offer a wide range of networking training so feel free to contact us at +91 88 000 111 38 or [email protected].
