Home > Articles > Network Technology > Wireless/Optical/High Speed > IEEE 802.1X: Practical Port Control for Switches

IEEE 802.1X: Practical Port Control for Switches


  1. The Problem with Ports
  2. The IEEE 802.1X Standard
  3. Configuring 802.1X on the Switch
  4. Summary

Article Description

Whether there are 500 or 50,000 access (user) ports in a network, it's just not practical to think about how to control what or who can or cannot use a port. The IEEE 802.1X standard may just change that line of thinking.

Configuring 802.1X on the Switch

Cisco Catalyst 5000/5500, 6000/6500, 4000, 2950, or 3550 switches can be configured as an authenticator, provided that they are running at the appropriate code level. For the Catalyst 5000/5500, 6000/6500, and 4000 running COS, version 6.2 or greater is required. The Catalyst 2950 requires Cisco IOS version 12.1(6) EA2 or greater, and the Catalyst 3550 requires Cisco IOS version 12.1(8) EA1 or greater.

The fist step to configuring the authenticator is to provide it with the address and key of the RADIUS server that will act as an authentication server. This is accomplished using the commands listed (this assumes that the switch is already configured with the appropriate IP addressing information):

For COS switches:

COSSwitch (enable) set radius server primary
COSSwitch (enable) set radius key ABC6108

For IOS switches:

IOSSwitch#conf t
IOSSwitch (config)#aaa new-model
IOSSwitch (config)#radius-server host
IOSSwitch (config)#radius-server key ABC6108

The next step in the process is to enable the 802.1X port authentication process. This step makes the switch an authenticator, allows it to send the EAP messages to the supplicant, proxy the information to the authentication (RADIUS) server(s) configured in Step 1, and act on the messages received from those servers to authorize ports. To configure the switch to act as an authenticator, use the following commands.

For COS switches:

COSSwitch (enable) set dot1x system-auth-control enable

For IOS switches:

IOSSwitch (config)#aaa authentication dot1x default group radius

The final step is to configure the ports on the authenticator for authorization. Ports can be in one of three authorization modes. The first mode, force-authorized, is the default mode. In this mode, a port is always authorized and does not require any messages from either the supplicant or the authentication server. Force-authorized mode is used when you do not want to run 802.1X on a particular port. This is typically the case when connecting to another switch, a router ,or a server, and also when connecting to clients that do not support 802.1X. The next mode, auto, is the normal 802.1X mode. A port in auto mode sends EAP packets to the supplicant and will not become authorized unless it receives a positive response from the authentication server. The final mode, force-unauthorized, prevents a port from becoming authorized even if the user has the appropriate credentials. This mode essentially disables the port from use by any user or device. To configure the ports, use the following commands.

For COS switches:

COSSwitch (enable) set port dot1x mod/port port-control 
          [auto | force-authorized | force-unauthorized]

For IOS switches:

IOSSwitch#conf t
IOSSwitch (config)#interface fastethernet mod/port
IOSSwitch (config-if)#dot1x port-control [auto | force-authorized | force-unauthorized]

After a port is configured in auto mode, no clients connected to that port will be allowed to pass user traffic until the port has been authorized by the authorization server. A major portion of the configuration involves the supplicant and the authentication server because so much of the authorization process takes place outside of the switch. A variety of devices and clients can act in these roles, so you have to check the individual vendor-configuration guides for details concerning those devices.

One of the major benefits of a centralized RADIUS server is that the IETF has provided extended TAG information that can be sent along with a RADIUS message. If you are running Catalyst OS 7.2 or greater, you can configure an 802.1X authenticated port and can also assign a VLAN based on the information returned by the RADIUS server. This means that clients can now be placed in a VLAN on a switch based on the credentials of the user and/or device accessing the network. Credentials are separate for different users; therefore, two users logging into the same device (at different times) can be assigned to different VLANs. VLAN assignment requires that the RADIUS server returns IETF attributes [64] Tunnel-Type, [65] Tunnel-Medium-Type, and [81] Tunnel-Private-Group-ID. These attributes must have the following TAGs and settings:

  • [64] Tunnel-Type, TAG 1=VLAN

  • [65] Tunnel-Medium-Type, TAG1=802

  • [81] Tunnel-Private-Group-ID, TAG1="vlan_name"

Attribute 81 returns the Group ID, and this must match the name of the VLAN in the local switch database exactly (the name is case sensitive). If the VLAN name is not found in the VLAN database of the local switch, the port will not be authorized. Currently, the 802.1X VLAN assignment is the only support on COS switches running IOS 7.2 or greater.