Who doesn’t like an additional layer of security within your enterprise network? 802.1x has been around forever, so let’s talk about what that brings to the table, shall we?

802.1x Foundations

802,1x is an IEEE standard for port-based network access control (sometimes referred to as PNAC or just NAC). Basically, it’s a layer 2 authentication method for devices that want to attach to a LAN or wireless LAN. It uses EAP (Extensible Authentication Protocol) authentication framework for LAN devices and EAPOL (Extensible Authentication Protocol Over LAN) for wireless devices.

Just a few notes here before we move on to the components and the process of 802.1x authentication

Before authentication, only EAPOL packets are allowed. Wired implementations allow STP and CDP protocols, however, CDP is optional. EAP allows for the exchange of arbitrary authentication data. Authorization is performed using downloadable ACLs (dACLs) or VLANs

802.1x Components

So what actually makes this all work?

802.1x has three main components to it. A Supplicant, which is the client (or client software), a Authenticator (or policy enforcement) which can be a switch/access point and then finally an Authentication Server (such as RADIUS). Next, lets look at the authentication process where these three pieces come into play.

802.1x Authentication Process

The authentication process starts when an EAP request identity frame is received, as a side note, a frame is sent when a port comes up or when an EAP Start request. Next, the Authenticator acts as a proxy between the Supplicant (client) and the RADIUS server. EAP data is encapsulated using two RADIUS EAP-specific attributes, then the authentication method is negotiated. Authentication is then performed, OK message means authentication was accepted/EAP success while the FAIL means access was rejected/EAP failure. If it fails, after a time out “quiet period”, it tries to reauthenticate.

So how do we configure 802.1x? Stay tuned and find out!

802.1x Configuration

I’ll just be covering the configuration from the Authenticator side of things, which is usually a switch or an access point.

First, you have to enable AAA services

aaa-new-model

Then define your RADIUS servers

radius-server host or radius-server name

Enable 802 1.x globally

dot1x system-auth-control auto

Configure 802.1x method list

aaa authentication dot1x default

Finally, configure your switch port

enable access port - switchport mode access

Activate 802.1.x - authentication port control auto

Make sure the port is acting as Authenticator - dot1x pre authenticator

Alright! That should do it! This is a very basic/foundational level of 802.1x authentication. Much more to come but I thought I’d just touch the surface of layer 2 authentication.