
IEEE 802.1X

IEEE 802.1X is a standard for port-based network access control. It defines authentication between a supplicant, authenticator, and authentication server. The supplicant is the client requesting access. The authenticator is typically a switch port controlling access. The authentication server authenticates credentials, often a RADIUS server. 802.1X uses EAP over LAN (EAPOL) to encapsulate EAP and carry authentication between the supplicant and authenticator. It provides features like guest VLANs, maximum attempts, and periodic reauthentication to control network access on a per-port basis.

Copyright
© Attribution Non-Commercial (BY-NC)

IEEE 802.1X

packetlife.net

[Figures not reproduced: 802.1X Header, EAP Header, EAP Flow Chart]

Terminology

Extensible Authentication Protocol (EAP) · A flexible authentication framework defined in RFC 3748

EAP Over LANs (EAPOL) · The encapsulation used by 802.1X to carry EAP across a layer two segment

Supplicant · The device on one end of a link that requests authentication by the authenticator

Authenticator · The device that controls the status of a link; typically a wired switch or wireless access point

Authentication Server · A backend server which authenticates the credentials provided by supplicants (for example, a RADIUS server)

Guest VLAN · Fallback VLAN for clients not 802.1X-capable

Restricted VLAN · Fallback VLAN for clients which fail authentication

802.1X Packet Types

0 · EAP Packet
1 · EAPOL-Start
2 · EAPOL-Logoff
3 · EAPOL-Key
4 · EAPOL-Encap-ASF-Alert

EAP Codes

1 · Request
2 · Response
3 · Success
4 · Failure

EAP Req/Resp Types

1 · Identity
2 · Notification
3 · Nak
4 · MD5 Challenge
5 · One Time Password
6 · Generic Token Card
254 · Expanded Types
255 · Experimental

Interface Defaults

Max Auth Requests · 2
Reauthentication · Off
Quiet Period · 60s
Reauth Period · 3600s
Server Timeout · 30s
Supplicant Timeout · 30s
Tx Period · 30s

Configuration

Global Configuration

! Define a RADIUS server
radius-server host 10.0.0.100
radius-server key MyRadiusKey
! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius
! Enable 802.1X authentication globally
dot1x system-auth-control

Interface Configuration

! Configure static access mode
switchport mode access
! Enable 802.1X authentication per port
dot1x port-control auto
! Configure host mode (single or multi)
dot1x host-mode single-host
! Configure maximum authentication attempts
dot1x max-reauth-req
! Enable periodic reauthentication
dot1x reauthentication
! Configure a guest VLAN
dot1x guest-vlan 123
! Configure a restricted VLAN
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3

Port-Control Options

force-authorized · Port will always remain in authorized state (default setting)

force-unauthorized · Port will always remain in unauthorized state, ignoring authentication attempts

auto · Port is authorized only in the presence of a successfully authenticated supplicant

Troubleshooting

show dot1x [interface <interface>]
show dot1x statistics interface <interface>
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>

by Jeremy Stretch v1.0
