Configuring 802.1X
Port-based access control has the effect of creating two types of access on the switch ports. One point of access permits uncontrolled communication regardless of the authorization state (the uncontrolled port). The other point of access permits communication between a host and the switch only once the host is authorized (the controlled port).
802.1X is an IEEE standard for port-based network access control. The 802.1X framework enables a device (the supplicant) to request port access from a remote device (the authenticator) to which it is connected. Only when the supplicant requesting port access has been authenticated and authorized is it permitted to send data to the port. Otherwise, the authenticator discards the supplicant's data unless the data is destined for a Guest VLAN and/or an unauthenticated VLAN.
Authentication of the supplicant is performed by an external RADIUS server through the authenticator. The authenticator monitors the result of the authentication.
In the 802.1X standard, a device can be a supplicant and an authenticator at a port simultaneously, both requesting and granting port access. This switch, however, acts only as the authenticator and does not take on the role of a supplicant.
The following varieties of 802.1X exist:
- Single-session 802.1X:
  - Single-session/single host. In this mode, the switch, as an authenticator, supports a single 802.1X session and grants permission to use the port to the authorized supplicant. All access by other devices received on the same port is denied until the authorized supplicant is no longer using the port, unless the access is to the unauthenticated VLAN or the Guest VLAN.
  - Single-session/multiple hosts. This follows the 802.1X standard. In this mode, the switch, as an authenticator, allows any device to use a port as long as the port has been granted permission.
- Multi-session 802.1X. Every device (supplicant) connecting to a port must be authenticated and authorized by the switch (authenticator) separately, in a different 802.1X session. This is the only mode that supports Dynamic VLAN Assignment (DVA).
Dynamic VLAN Assignment (DVA)
Dynamic VLAN Assignment (DVA) is also referred to as RADIUS VLAN Assignment in this guide. When a port is in Multiple Session mode and is DVA-enabled, the switch automatically adds the port as an untagged member of the VLAN that is assigned by the RADIUS server during the authentication process. The switch classifies untagged packets to the assigned VLAN if the packets originated from the devices or ports that are authenticated and authorized.
For a device to be authenticated and authorized at a port which is DVA-enabled:
- The RADIUS server must authenticate the device and dynamically assign a VLAN to the device.
- The assigned VLAN must not be the default VLAN and must have been created on the switch.
- The switch must not be configured to use both a DVA and a MAC-based VLAN group together.
- The RADIUS server must support DVA with the RADIUS attributes tunnel-type (64) = VLAN (13), tunnel-media-type (65) = 802 (6), and tunnel-private-group-id = a VLAN ID.
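As an added example that is not part of this guide, the following Python builds the three tunnel attributes a RADIUS server returns in an Access-Accept for DVA and then checks a reply against the conditions listed above (VLAN assigned, not the default VLAN, created on the switch). It assumes the attribute number 81 for tunnel-private-group-id from RFC 2868, that the default VLAN is VLAN 1, and a constructed set of VLANs as the switch's VLAN table.

```python
"""Encode and validate RFC 2868 tunnel attributes used for Dynamic VLAN Assignment.

Attribute numbers 64 and 65 and the values VLAN (13) and 802 (6) are those the
guide lists; 81 for Tunnel-Private-Group-ID is taken from RFC 2868. The default
VLAN (1) and the switch VLAN table used in the checks are assumptions."""
import struct
from typing import Dict, Optional, Set

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
DEFAULT_VLAN = 1  # assumption: the switch's default VLAN, never assignable by DVA


def dva_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Build the three AVPs (type, length, tag, value) that assign `vlan_id`.
    Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag plus a 3-byte integer;
    Tunnel-Private-Group-ID carries a tag plus the VLAN ID as a decimal string."""
    def avp(attr: int, payload: bytes) -> bytes:
        return struct.pack("!BB", attr, 2 + len(payload)) + payload
    return b"".join([
        avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
        avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ])


def parse_avps(data: bytes) -> Dict[int, bytes]:
    """Split a run of RADIUS AVPs into {attribute: value}; reject bad lengths."""
    avps, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed AVP length")
        avps[attr] = data[pos + 2:pos + length]
        pos += length
    return avps


def assigned_vlan(avps: Dict[int, bytes], switch_vlans: Set[int]) -> Optional[int]:
    """Return the VLAN the port would be placed in, or None when the reply fails
    the DVA rules: attributes missing or wrong, default VLAN, or VLAN not created."""
    try:
        ttype = int.from_bytes(avps[TUNNEL_TYPE][1:], "big")
        medium = int.from_bytes(avps[TUNNEL_MEDIUM_TYPE][1:], "big")
        group = avps[TUNNEL_PRIVATE_GROUP_ID]
    except KeyError:
        return None
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802:
        return None
    if group and group[0] <= 0x1F:  # RFC 2868: leading octet <= 0x1F is a tag
        group = group[1:]
    if not group.isdigit():
        return None
    vlan = int(group)
    return vlan if vlan != DEFAULT_VLAN and vlan in switch_vlans else None
```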
Authentication Methods
The authentication methods can be:
- 802.1X. The switch supports the authentication mechanism described in the standard to authenticate and authorize 802.1X supplicants.
- MAC-based. The switch can be configured to use this mode to authenticate and authorize devices that do not support 802.1X. The switch emulates the supplicant role on behalf of the non-802.1X-capable devices, and uses the MAC address of each device as both the username and the password when communicating with the RADIUS servers. The MAC address used as username and password must be entered in lower case with no delimiting characters (for example, aaccbb55ccff). To use MAC-based authentication at a port:
You can configure a port to use 802.1X, MAC-based, or both 802.1X and MAC-based authentication. If a port is configured to use both, an 802.1X supplicant has precedence over a non-802.1X device. On a port configured for a single session, the 802.1X supplicant preempts an authorized but non-802.1X device.
Unauthenticated VLANs and the Guest VLAN
Unauthenticated VLANs and the Guest VLAN provide access to services that do not require the connecting devices or ports to be authenticated and authorized by 802.1X or MAC-based authentication.
An unauthenticated VLAN is a VLAN that allows access by both authorized and unauthorized devices or ports. You can configure one or more VLANs to be unauthenticated in the Creating VLANs section. An unauthenticated VLAN has the following characteristics:
The Guest VLAN, if configured, is a static VLAN with the following characteristics.
- Must be manually defined from an existing static VLAN.
- Is automatically available only to unauthorized devices or ports of devices that are connected and Guest-VLAN-enabled.
- If a port is Guest-VLAN-enabled, the switch automatically adds the port as untagged member of the Guest VLAN when the port is not authorized, and removes the port from the Guest VLAN when the first supplicant of the port is authorized.
- The Guest VLAN cannot be used as the Voice VLAN or as an unauthenticated VLAN.
The switch also uses the Guest VLAN for the authentication process at ports configured with Multiple Session mode and MAC-based authentication. Therefore, you must configure a Guest VLAN before you can use the MAC authentication mode.
802.1X Parameters Workflow
Define the 802.1X parameters as follows:
- (Optional) Set one or more time ranges using the Time Range and Recurring Time Range pages. These are used in the Edit Port Authentication page.
- (Optional) Define one or more static VLANs as unauthenticated VLANs, as described in the Defining 802.1X Properties section. Both authorized and unauthorized 802.1X devices or ports can always send packets to, and receive packets from, unauthenticated VLANs.
- Define 802.1X settings for each port by using the Edit Port Authentication page. Note the following:
  - On this page, DVA can be activated on a port by selecting the RADIUS VLAN Assignment field.
  - You can select the Guest VLAN field to have untagged incoming frames go to the Guest VLAN.
- Define host authentication parameters for each port using the Port Authentication page.
- View 802.1X authentication history using the Authenticated Hosts page.