
Version 4.1 - 5.5.e IEEE 802.1x

I remember when Network Engineers started talking about 802.1x. Cisco was saying it was the greatest thing since sliced bread and encouraged everyone to deploy it for their own security's sake. I was a junior engineer at the time, and all the engineers with much more experience were quite opposed to it: it was complex and difficult to deploy, and it would surely break the network. So over the years I "kinda" knew it, but avoided it as much as possible. Then I studied for the SIMOS exam. Now I'm hoping I get 802.1x questions. I already covered 802.1x in section 2.0, and I will try not to repeat that here.

Section 2.0 showed an example configuration. Here I'd like to get into more details about interface configurations (since many questions could come from the various iterations).

You control the port authorization state by using the "authentication port-control" interface configuration command ("dot1x port-control auto" command in Cisco IOS Release 12.2(33)SXH and earlier releases) and these keywords:

force-authorized > Disables the 802.1x authentication and transitions the port to the authorized state (without actually performing authentication)
force-unauthorized > Causes the port to remain in the unauthorized state and ignores attempts by the client to authenticate
auto > Enables 802.1x and causes the port to begin in the unauthorized state and go through the process to authenticate

Router(config)# interface fastethernet 5/1
Router(config-if)# authentication port-control auto
Router(config-if)# dot1x pae authenticator
Router(config-if)# end

Note that "dot1x pae authenticator" is also needed to enable 802.1x on the interface.

Router(config-if)# authentication host-mode single-host
> Allows a single authenticated host (client) on an authorized port.

Router(config-if)# authentication host-mode multi-host
> Allows multiple clients on an authorized port when one client is authenticated.

Router(config-if)# authentication host-mode multi-domain
> Allows a single IP phone and a single data client to independently authenticate on an authorized port.

Router(config-if)# authentication host-mode multi-auth
> Allows a single IP phone and multiple data clients to independently authenticate on an authorized port.

Note that in this context the word "domain" refers to the data domain and voice domain.

"On a port in multiauth mode, either or both of MAB and web-based authentication can be configured as fallback authentication methods for non-802.1X hosts (those that do not respond to EAPOL). You can configure the order and priority of the authentication methods."

Router(config)# interface gigabit1/1
Router(config-if)# switchport mode access
Router(config-if)# authentication port-control auto
Router(config-if)# dot1x pae authenticator
Router(config-if)# authentication order dot1x mab webauth
Router(config-if)# authentication priority method1 [ method2 ] [ method3 ]   (optional)

The authentication order will first try dot1x; if the client does not have a supplicant, the switch will try MAB, and if the MAC address is not in the database, it will try webauth. The priority command is optional. It overrides the relative priority of the authentication methods to be used. The three values of method, in the default order of priority, are dot1x, mab, and webauth. You may want to change the method order/priority on a port where you know a printer or AP is connected, so it doesn't have to wait for the dot1x timeout before using MAB.
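The two rules above that are easy to get wrong on a port (both "authentication port-control auto" and "dot1x pae authenticator" are needed, and "force-authorized" silently bypasses authentication) can be checked across a running-config. This is an added example, not code from the original post; the interface names and the sample config are constructed.

```python
"""Audit 802.1X port settings in an IOS-style running-config. Added example,
not from the original post; interface names and the config are constructed.
Rules follow the post: an access port needs both "authentication port-control
auto" and "dot1x pae authenticator", and force-authorized bypasses 802.1X."""

SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 authentication order dot1x mab webauth
!
interface GigabitEthernet1/2
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/3
 switchport mode access
 authentication port-control force-authorized
 dot1x pae authenticator
!
"""

def parse_interfaces(config):
    # Map each "interface X" stanza to its indented sub-commands.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_dot1x(config):
    """Return {access interface: [findings]}; an empty list means it passes."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope for this check
        findings = []
        control = next((l for l in lines if l.startswith("authentication port-control ")), "")
        if not control:
            findings.append("no 'authentication port-control': 802.1X not enforced")
        elif control.endswith("force-authorized"):
            findings.append("force-authorized: port authorized without authentication")
        if "dot1x pae authenticator" not in lines:
            findings.append("missing 'dot1x pae authenticator': 802.1X not enabled")
        report[name] = findings
    return report
```

Running audit_dot1x(SAMPLE_CONFIG) passes Gi1/1 and flags Gi1/2 (no PAE authenticator) and Gi1/3 (force-authorized).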

Router(config)# ip device tracking
Enables the IP device tracking table, which is required for web-based authentication.

If 802.1X authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an 802.1X port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address.
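What that MAB Access-Request actually carries is worth seeing: both User-Name and User-Password are just the MAC address, and the "password" is only hidden with the RFC 2865 MD5/XOR scheme keyed by the RADIUS shared secret, which is why MAB is a fallback rather than real authentication. Added example, not from the original post or Cisco; the MAC, shared secret and identifier are constructed, and the 12-lowercase-hex-digit username format is assumed to match the switch default.

```python
"""Build the RADIUS Access-Request a switch sends for MAC Authentication
Bypass. Added example, not from the original post; the MAC, shared secret
and identifier are constructed. User-Name and User-Password both carry the
MAC (12 lowercase hex digits, assumed to be the switch's default format),
and User-Password is hidden as RFC 2865 section 5.2 describes."""
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2

def mab_username(mac):
    """'00:11:22:33:44:55' or '0011.2233.4455' -> '001122334455'."""
    return mac.replace(":", "").replace(".", "").replace("-", "").lower()

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with an MD5 keystream."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # each block chains on the previous ciphertext block
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value  # type, length, value

def build_mab_request(mac, secret, identifier=1, authenticator=None):
    """Return (packet bytes, request authenticator) for an Access-Request."""
    authenticator = authenticator or os.urandom(16)
    name = mab_username(mac).encode()
    attrs = avp(USER_NAME, name) + avp(USER_PASSWORD, hide_password(name, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator
```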

[In the ISE book, you can see how to add a MAC address to the database.]

Web Authentication will be covered under ISE, but basically:

"When a user initiates an HTTP session, the web-based authentication feature intercepts ingress HTTP packets from the host and sends an HTML login page to the user. The user keys in their credentials, which the web-based authentication feature sends to the AAA server for authentication. If the authentication succeeds, web-based authentication sends a Login-Successful HTML page to the host and applies the access policies returned by the AAA server."

CoA is an extension to the RADIUS protocol that allows the authentication server (AS) to make dynamic and unsolicited changes to the authorization information of an active session hosted by a network access device (NAD), such as a switch.

The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server such as a Cisco Secure Access Control Server (ACS) to reinitialize authentication and apply the new policy.

This really makes sense. When a port first initializes, it is in an unauthenticated state. Once the end device (or user) authenticates, a CoA is sent and, based on the authentication, new AAA states are sent to the NAD. More on this will be discussed under ISE.

And with that I'm going to end this section. Between this being listed in section 2.0, section 5.5.e and a part of ISE, I would expect around 2 - 5 questions overall on 802.1x. Only one or two may be general functionality questions, but I expect more questions on sample configurations (as shown above).
