Официален блог на WebEKM EKM очаквайте сайта онлайн скоро.

Download Free Templates http://bigtheme.net/ free full Wordpress, Joomla, Mgento - premium themes.

802.1x – Port Based Authentication aka Authentication on the switchport

8021x-port-controlSometimes, especially if you are an administrator of let’s say not entirely trusted environment you may want to provide “level 0” security. This type of security is provided even before host obtains address from DHCP pool, because switch which discovers a hosts on particular interfaces firstly sends the question: “Who are you ?” forcing in this way authentication. The protocol which stands for that is called  802.1x or dot1x


Before I go over broader explanation, please take a look at the picture below and basic explanation of some crucial terms:

Authenticator (switch in our case) checks credentials on Authentication Server given by Supplicant.

Authentication Server – the server which has Radius server capability. It may be ACS (Access Control Server) or ISE (Identity Services Engine), Windows NAP. Caution! TACACS server doesn’t support 802.1x protocol !

Supplicant – end device, supply credentials to Authenticator which forward them to Radius server.


Now we need to understand how connection is being established between Supplicant – Authenticator – Server.  For entire connection the EAP (Extensible Authentication Protocol) is responsible. EAPOL (EAP over LAN)  sends EAP requests towards Supplicant from Authenticator port that Supplicant is connected to. Authentication takes place at very beginning, even before Supplicant (host) obtain DHCP address. Supplicant sends credentials to Authenticator. Now, Authenticator (Switch) checks credentials using Radius protocol  on Authentication Server. Because Radius is used which is unencrypted, whole conversation is  visible and might be intercepted. In order to avoid that we may use Tunneled EAP with TLS  (eg. Protected EAP- PEAP). Then we may use 2 kinds of EAP-TLS authentication : self signed certificate or certificate obtained from 3rd part Certificate Authority.


If you are using Microsoft Windows (but works also with Linux) on Supplicant for sure you will be using EAP-MSCHAP which  works with Microsoft products including Active Directory (authentication based on AD users). EAP MSCHAP requires from Authentication Server only having certificate, the Supplicant is authenticated via login/password.

EAP-FAST (Flexible Authentication via Secure Tunneling) variation of Tunneled EAP, also uses TLS as Protected PEAP (PEAP) but has been invented by Cisco.

EAPOL – (EAP over LAN) is an encapsulation technique which takes place during exchanging data between Supplicant and Authenticator.

Now take a look on below table (I found it somewhere, unfortunately I don’t remember which site so I can’t mention the author, sorry) that clarify everything:

dot1x comparission


We have 2 states of the Authenticator port:

Unauthorized – CDP or STP protocols will be working fine, trunk connection also. Authorized port – will be subjected to authentication. Hosts and other devices (IP phones) will be connected to.
If we have Authentication Server as ACS or ISE we may push policies to positively authenticated  supplicant and authorized them as which  Vlan authenticated host will belong to, ACL policies, Time based access (host will have an access to the network only for a fixed time).

What if we have 2 devices on single port or we want to authenticate user and his computer before we grant access to the network ?

Cisco provided a method which is called “Chaining” with using of EAP-FAST, during this authentication both credentials are sent via single EAP Tunnel.

Because of numbers and ways of connected devices we distinguish 4 modes of configuration of 802.1x authentication

single-host – there is only ONE MAC address behind the authenticated switch port

multi-host – there may be several MAC addresses behind the authenticated switch port, the first of them which has been authenticated opens the way for the remained hosts without any authentication.

multi-domain – for Voice and Data, IP phone and Host (like 2 Vlans on the same port Voice VLAN and Data VLAN), authentication consists in authentication of voice Vlan and data Vlan

multi-authentication – authentication of each device, each MAC address on the switchport has to be authenticated

MAB “Mac address bypass” – some devices doesn’t have possibility to authenticate itself by 802.1x cause they can’t play a role of Supplicant (software can’t be installed on). An example of this device is a printer. Then we have to use MAB. Switch ( Authenticator ) after sending EAP query will be waiting a fixed time, and if will not hear any answer, then may authenticate Printer based on Mac address. Authenticator sends Printer Mac address to the Authentication Server and if Server confirm that knows given MAC address, then Printer will be “let in”.

Configuration on the Authenticator (Switch)

Below configuration is very basic, there is a much more to configure ragarding dot1x but this configuration makes dot1x working 

We point out Radius server in our network
radius-server host auth-port 1812 key KEY

We force utilizing dot1x and radius protocol to authentication
aaa authentication dot1x default group radius

We force globally utilizing of 802.1x on the switch
dot1x system-auth-control

Configuration on switchport

Hard coded Access type port has to be set up
switchport mode access

We force using dot1x on specified port
dot1x port-control auto
authentication port-control auto


Configuration on Supplicant (Windows host)

Firstly we have to start service that is called ‘Wired AutoConfig’

In case we use PEAP type with MSCHAPv2 authentication method , from Properties of network interface we choose Authentication tab and mark as below

1dot1x art bookmark win7

 For Microsoft Protected EAP we choose Settings andselect Authentication method ‘EAP-MSCHAPv2’ 

2dot1x art bookmark win7



Then under Additional Settings on Authentication tab we specify Authentication Mode 

3dot1x art bookmark win7


Onlain bookmaker bet365.com - the best bokie