Articles
recent

All About 802.1x standards


Overview
IEEE 802.1x standard defines the network control and authentication mechanism. A client server based network access control ensures only authorized users get the access to network. The authentication server authenticates the client connected to network and grant full access only if it passes the authentication. 

This article covers implementation of 802.1x protocol in Cisco Environment. Let’s get started and get familiarise with concept and terminology used. 

Fig 1.1- Network Setup and Terminology
  • Client – a workstation that require network access. Client must run 802.1x compliant authentication software (Supplicant) 
  • Network Switch also known as Authenticator – acts as proxy between client and authentication server. Passes client information to authentication server and authentication status to client.
  • Authentication Server – performs client authentication. It identifies the client and notifies the network to whether client authorised to access network services.
802.1x Port Based Authentication on Switch
When 802.1x port-based authentication is configured on switch, follow is occurs –
  • If client has required supplicant and its identity is valid  authentication is successful and full network access is granted 
  • If client identity is no valid  authentication failed and client is put into restricted VLAN / guest VLAN depending on configuration
  • If 802.1x timer expires (no EAPoL message from client)  fallback mechanism used which is MAC authentication Bypass (MAB); Web-Based Authentication
  • If Authentication server is not responding and authentication bypass is enabled  client is put into critical user specified VLAN 
Authentication Initiation and Message Exchange 
Authentication can be initiated by client or network switch. 

When authentication initiated by client – EAPoL message is generated by client and received on the switch port  Switch response EAPOL message and sends EAP-Request/Identity Message  client response request with its identity information  Switch encapsulate this EAP message into RADIUS and forward to Authentication Server  Authentication Server sends Access-Accept message to switch  switch sends EAP Success message to client 
When authentication initiated by Switch – switch generate the EAP-Request / Identity Message  client response request with its identity information  Switch encapsulate this EAP message into RADIUS and forward to Authentication Server  Authentication Server sends Access-Accept message to switch  switch sends EAP Success message to client
On successful authentication, port is enabled (authorized) and client granted the network access. Once the user intends to logoff, EAPOL-LOGOFF message is generated which is an indication to switch to move the port back to un-authorized state.

Port states
Port state determines whether client will get the network access. Ports on the switch starts with unauthorized state. In unauthorized state port blocks incoming and outgoing traffic except traffic required for 802.1x. Port transition to authorized state once client authenticated and port allows all traffic. 

What if client does not support 802.1x gets connected to 802.1x configure port? 
Switch requests client identity. If client does not supply it’s identity port remains in unauthorized state and client not granted the network access.

What if 802.1x compatible client connects to port that is not configured with 802.1x protocol? Client initiate the authentication process by sending EAPoL message to switch. With no response from switch, after multiple ties – it will start sending frames as if the port is in the authorized state. 
Authentication Enforcement – 802.1x Host Modes.

802.1x Port host mode determines whether single or multiple hosts are connected and how the authentication will be done for the hosts. Below are the host mode 
  • Single-Host Mode – single client can connect to the port. If client leave or another host is connected, port transition to unauthorized and down state. 
  • Multiple-Host Mode – multiple clients can be connected to 802.1x enabled port. Once any of the client authenticated, this port will provide network access to all other clients. In case of authentication failure network access is blocked for all other clients. This mode is valid for wireless scenario where an Access Point is responsible for authenticating the clients attached to it and AP also acts as client to switch. 
  • Multi-Domain Authentication Mode – multi-domain (for instance IP Phone and computer) are authenticated here. This allows IP Phone and a client behind IP Phone authenticated independently on 802.1x enabled port. 
  • Multi-Authentication Mode – when a Hub or Access Point is connected to 802.1x enabled port, Multi-Authentication mode provide security for individual clients connected to AP or Hub. MAB or WebAuth method is used as fallback mechanism. Different hosts are authenticated through different methods connected to single port. 
VLAN Assignment 
After successful authentication and based on the configured database (user to vlan mapping) RADIUS server sends the VLAN assignment to the switch that is to be applied to port. This feature is used to limit the network access to certain users in controlled environment. 

What if, 
  • 802.1x authentication is passed ----> port is placed in RADIUS server supplied VLAN
  • Multiple hosts are connected to port ---->  all ports are placed in same VLAN as the first authenticated client 
  • Multi-Authentication is enabled --->  VLAN assignment is ignored 
  • No VLAN information is provided by server ---> port is using the local access VLAN configuration post authentication 
  • 802.x authentication is enabled but server returned invalid VLAN ---> port returned to unauthorised mode and remain in Access VLAN configuration
  • 802.1x is disabled ---> port is put into location access VLAN mode
Load Balancing using 802.1x Authentication
Yes, RADIS supplied VLAN information can be used to provide the load balancing by distributing multiple authenticated users among multiple VLANs. 

Initially RADIUS server used to provide the single VLAN information to authenticated user. However now using the VLAN Group (that contains multiple VLANs) multiple VLANs information can be provided to authenticated clients. There are two methods to achieve the same :
  • RADIUS server configured to send multiple VLAN IDs to authenticated users. VLAN database tracks the VLAN assignment and achieve load balancing by placing the newly authenticated user in least populated VLAN
  • Define VLAN Group (contains multiple VLANs), RADIUS Server sends the VLAN group name instead of VLAN IDs as part of successful authentication response. Newly authenticated user is placed in the least populated VLAN within the VLAN group
802.1x Authentication with Guest VLAN
In general Guest VLAN is configured to provide the limited access to your network to access Internet Access. When a port is configured with Guest VLAN, the switch places the port in guest VLAN when there is no EAP request/identity response from the client and no fallback method is configured.

802.1x Authentication with Restricted VLANs 
Restricted VLANs allows clients with invalid authentication put into a VLAN with limited access and prevent them to assign to Guest VLAN. Network Administrator has full control to provide the level of access in restricted VLANs. In absence of the Restricted VLAN configuration users with failed authentication cannot access the network and stay in blocking state. 

Port is put into restricted VLAN after specified unsuccessful login attempts. Network switch keep track of these attempts. This count is incremented once the switch receive the REJECT message from RADIUS server. When this count exceeds the maximum value, the port moves to restricted VLAN. 

802.1x Authentication when RADIUS Server is not Reachable 
In case of RADIUS server is not reachable, switch can be configured to allow users to access the network. This can be configured for critical ports. Critical ports is enabled for AAA fail policy where RADIUS server is not reachable and authentication service is not available for clients. 
What if –
  • Port is unauthorized and tries to re-authenticate when server is not reachable  switch puts the port in critical authentication state in user-specified critical VLAN
  • Port is authorised and tries to re-authenticate when server is not reachable  switch puts the port in critical authentication state and previously assigned VLAN
When the authentication server is reachable, all ports that are in critical authentication state are automatically authenticated. 


An article by Pankaj Verma-- Systems Engineer, Cisco Systems

Popular Posts

Powered by Blogger.