Cisco® CCNA Security Exam Notes : 802.1x Authentication

2. Secure Access

2.3 802.1X authentication

IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

Important features of 802.1X on wired networks:

1. Visibility: 802.1X provides greater visibility into the network because the authentication process provides a way to link a username with an IP address, MAC address, switch, and port.

2. Security: 802.1X provides a strong authentication method. 802.1X acts at Layer 2 in the network, allowing you to control network access at the access edge.

3. Identity-based services: 802.1X enables you to leverage an authenticated identity to dynamically deliver customized services. For example, a user might be authorized into a specific VLAN or assigned a unique access list that grants appropriate access for that user.

4. Transparency: It is possible to deploy 802.1X in a way that is transparent to the end user.

5. User and device authentication: 802.1X can be used to authenticate devices and users.

Features not available in 802.1X:

1. Legacy endpoint support: By default, 802.1X provides no network access to endpoints that cannot authenticate because they do not support 802.1X.

2. Delay: By default, 802.1X allows no access before authentication.

802.1X authentication involves three parties:

1. Supplicant: The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term "supplicant" is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The other two parties, described below, are the authenticator, a network device such as an Ethernet switch or wireless access point, and the authentication server, typically a host running software that supports the RADIUS and EAP protocols.

2. Authenticator: The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator.

3. Authentication server: An authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

Example: Consider the following configuration commands:

authentication order mab dot1x web-auth
authentication priority mab dot1x web-auth
authentication event fail action next-method
authentication fallback web-auth

Supplicant authentication using both MAB and IEEE 802.1X is failing, and the third authentication method, Web-Auth, is not enabled.

Solution: As per the given commands, MAB (MAC Authentication Bypass) will be tried first. If MAB fails, dot1x authentication will be tried, and lastly web-auth. Since both MAB and dot1x are failing, and web-auth is not enabled yet, the supplicant will never get any kind of access to the network.

There are some variations possible in the configuration. For example, consider:

authentication order mab dot1x
authentication priority dot1x mab

authentication event fail action next-method
authentication event no-response authorize VLAN 123

In the above command sequence, if the auth-fail VLAN is configured, endpoints that fail IEEE 802.1X authentication after successful MAB will be placed in the auth-fail VLAN, and no other methods will be attempted. This ensures that the switch does not keep retrying dot1x indefinitely after each successful MAB attempt. The same is depicted in the figure below:

[Figure: IEEE 802.1X authentication]

Example: A Cisco switch is configured with the following commands:

authentication order mab dot1x
authentication priority dot1x mab
authentication event fail action authorize vlan 123

Although MAB succeeds, supplicant authentication using IEEE 802.1X is failing.

If a device fails IEEE 802.1X authentication after successful MAB (short for MAC Authentication Bypass), the device will have temporary network access between the time MAB succeeds and IEEE 802.1X authentication fails. What happens next depends on the configured event-fail behavior.

  • If next-method is configured and a third authentication method (such as WebAuth) is not enabled, then the switch will return to the first method (MAB) after the held period. MAB will succeed, and the device will again have temporary access until and unless the supplicant tries to authenticate again. This behavior is supplicant dependent. Some supplicants will give up on IEEE 802.1X authentication after some number of failures, and some may continue forever. If the supplicant stops attempting IEEE 802.1X authentication altogether, then the device will eventually end up with MAB-authorized access.
  • If the supplicant continues to attempt IEEE 802.1X authentication, then the device will have intermittent access as it cycles between successful MAB and failed IEEE 802.1X authentication. To avoid this potential loop, you can specify an authentication failure behavior. The two options are a) next-method with local WebAuth and b) the auth-fail VLAN.
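The three scenarios above (MAB and dot1x both failing with web-auth not enabled, dot1x failing after MAB with the auth-fail VLAN, and dot1x failing after MAB with next-method) can be worked through with a small model of how the switch walks its method list. This is an added illustration, not code from the notes or from Cisco; the outcome strings, the "enabled" set (which methods are actually usable on the port) and the rule that an unconfigured priority equals the order are simplifications of my own.

```python
from dataclasses import dataclass, field

@dataclass
class PortConfig:
    order: list = field(default_factory=list)
    priority: list = field(default_factory=list)
    fail_action: str = "next-method"           # assumed default for this model
    enabled: set = field(default_factory=set)  # methods actually usable on the port

def parse_config(lines, enabled):
    """Read the 'authentication ...' lines quoted in the notes into a PortConfig."""
    cfg = PortConfig(enabled=set(enabled))
    for raw in lines:
        w = raw.split()
        if w[:2] == ["authentication", "order"]:
            cfg.order = w[2:]
        elif w[:2] == ["authentication", "priority"]:
            cfg.priority = w[2:]
        elif w[:4] == ["authentication", "event", "fail", "action"]:
            cfg.fail_action = " ".join(w[4:])
    cfg.priority = cfg.priority or list(cfg.order)  # model simplification
    return cfg

def outcome(cfg, results):
    """Walk the order list for one endpoint. results maps method -> True (passed)
    or False (failed); a method absent from results gave no response."""
    rank = lambda m: cfg.priority.index(m) if m in cfg.priority else len(cfg.priority)
    granted, failed_after_grant = None, False
    for method in cfg.order:
        if method not in cfg.enabled or method not in results:
            continue  # not enabled on the port, or the endpoint never tried it
        # once a method has authorized the port, only a higher-priority
        # method (e.g. dot1x pre-empting MAB) is still allowed to run
        if granted and rank(method) > rank(granted):
            continue
        if results[method]:
            granted = method
            continue
        if cfg.fail_action.startswith("authorize vlan"):
            return f"auth-fail VLAN {cfg.fail_action.split()[-1]}, no further methods"
        failed_after_grant = failed_after_grant or granted is not None
    if failed_after_grant:  # next-method with nothing left: the cycle restarts
        return f"intermittent access: {granted} succeeds, then a later failure restarts the cycle"
    return f"authorized by {granted}" if granted else "no access"

# first scenario from the notes: web-auth is listed but not enabled on the port
first = parse_config(["authentication order mab dot1x web-auth",
                      "authentication priority mab dot1x web-auth",
                      "authentication event fail action next-method"], {"mab", "dot1x"})
print(outcome(first, {"mab": False, "dot1x": False}))  # no access
```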

Internet edge: It typically houses the ASA firewall, the WLC, and MDM devices. The MDM (Mobile Device Management) module provides all policies and profiles, digital certificates, applications, and configuration settings for all the BYOD devices.

The WAN module in cloud-based deployment provides:

1. MPLS VPN connectivity for the branch office to corporate network,

2. Internet access to the branch offices,

3. Access to cloud-based MDM functionality.

