A simple wired 802.1X lab (PacketLife.net)
By stretch (/users/stretch/) | Wednesday, August 6, 2008 at 2:18 a.m. UTC
IEEE 802.1X (http://en.wikipedia.org/wiki/802.1X) is a very cool security feature. It was developed to provide real security for wired and wireless networks at layer two. A client connected to an 802.1X-protected port can't send any traffic other than EAP to the switch until he successfully authenticates with the proper credentials or certificate. This article demonstrates how you can set up a simple 802.1X lab using a Windows XP-based client and RADIUS server.
802.1X Operation
A network switch acts as the middleman between an authenticating client and an authentication server. The switch implements two protocols: EAP (http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol) is used to communicate with the client at the network perimeter, while RADIUS (http://en.wikipedia.org/wiki/RADIUS) is used to relay authentication details to the server inside the network. EAP offers a number of authentication mechanisms, but our setup will use simple username/password authentication with an MD5 challenge. The flow of a successful authentication is illustrated here:
Page URL: http://packetlife.net/blog/2008/aug/06/simplewired8021xlab/ (printed 12/9/2014)
For a better idea of what this exchange looks like on the wire, check out these packet captures of 802.1X (/captures/802.1X.cap) and RADIUS (/captures/RADIUS.cap) traffic.
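Added example, not code from the article nor from FreeRADIUS or Windows: a Python walk-through of one EAP-Request/MD5-Challenge, the supplicant's response and the server-side check, showing why the server must hold the cleartext password. The user store, the "Lab" name in the request and the identifier value 7 are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the MD5-Challenge method type (RFC 3748); the response value
# is computed exactly as CHAP computes it (RFC 1994).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4
# Constructed user store mirroring the article's FreeRADIUS users entry.
USERS = {"John.McGuirk": b"S0cc3r"}

def eap_packet(code, ident, type_data=b""):
    """Encode an EAP packet: Code | Identifier | Length (2 octets) | Type-Data."""
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data

def md5_challenge_request(ident, challenge, name=b"Lab"):
    """EAP-Request/MD5-Challenge: Type 4 | Value-Size | Value (challenge) | Name."""
    type_data = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + name
    return eap_packet(EAP_REQUEST, ident, type_data)

def md5_response_value(ident, password, challenge):
    """The 16-byte proof of possession: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def supplicant_respond(request, identity, password):
    """Client side: answer the challenge; the password itself never goes on the wire."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    if code != EAP_REQUEST or request[4] != EAP_TYPE_MD5:
        raise ValueError("expected EAP-Request/MD5-Challenge")
    size = request[5]
    value = md5_response_value(ident, password, request[6:6 + size])
    type_data = bytes([EAP_TYPE_MD5, len(value)]) + value + identity.encode()
    return eap_packet(EAP_RESPONSE, ident, type_data)

def server_verify(response, challenge):
    """Server side: recompute the hash from the stored cleartext password and compare
    in constant time. A stored hash of the password would be useless here."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != EAP_RESPONSE or length < 6 or response[4] != EAP_TYPE_MD5:
        return eap_packet(EAP_FAILURE, ident)
    size = response[5]
    value, identity = response[6:6 + size], response[6 + size:length].decode(errors="replace")
    stored = USERS.get(identity)
    ok = stored is not None and hmac.compare_digest(
        value, md5_response_value(ident, stored, challenge))
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)

def run_exchange(identity, password):
    """One full round (Request -> Response -> Success/Failure); returns the final code."""
    challenge = os.urandom(16)        # the authenticator's fresh random challenge
    request = md5_challenge_request(ident=7, challenge=challenge)
    response = supplicant_respond(request, identity, password)
    return server_verify(response, challenge)[0]
```

Only a plain MD5 over identifier, password and challenge crosses the wire, with no key derivation or mutual authentication, which is why the article treats PKI as the more secure option.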
Server Configuration
For my setup, I chose to install FreeRADIUS (http://www.freeradius.org/) on my Gentoo Linux (http://www.gentoo.org/) workstation, but any RADIUS service should work. The configurations in this section correspond to a bare FreeRADIUS deployment using cleartext credentials stored in a text file. Obviously, real-world deployments would dictate a much more robust and secure authentication method such as LDAP.
The base server configuration is located in radiusd.conf (on Linux, this file should reside in /etc/raddb/), but we shouldn't need to change any of the default values for this lab. However, we will need to add the subnet address from which we expect to receive authentication requests (10.0.0.0/24) in clients.conf. Remember that although the 802.1X client resides in VLAN 10, the RADIUS client (the switch) will be sending requests from its 10.0.0.1 interface. Copy and paste this block to enable the network with the shared secret of MyRadiusKey:
    client 10.0.0.0/24 {
        secret    = MyRadiusKey
        shortname = Lab
    }
We'll also define a user/password combination for testing. I've created the user John.McGuirk with the password S0cc3r. Feel free to pick your own username and password, but make sure to maintain the spacing in the configuration file (the reply message is optional):

    John.McGuirk    Cleartext-Password := "S0cc3r"
                    Reply-Message = "Hello, %u"
After completing this configuration remember to (re)start the RADIUS service.
Switch Configuration
Port-based 802.1X authentication (http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_sec/configuration/guide/sw8021x.html) allows for some really cool security measures (like dynamic VLAN assignment and per-user ACLs), but for this lab we'll establish a base configuration just for demonstration's sake.
A preliminary step, if you haven't done so already, is to enable IP routing on the switch:

    Switch(config)# ip routing
Before diving into the actual 802.1X configuration, we'll need to enable Authentication, Authorization, and Accounting (AAA) for the switch (this step can be skipped if AAA is already active). A word of caution: enabling AAA changes the authentication method used by the VTY (telnet) lines to fit the AAA model. It's a good idea to define a local username and password to authenticate to the switch if you haven't done so (this account is unrelated to our 802.1X configuration, just a way for us to log in again if we need to).

    Switch(config)# aaa new-model
    Switch(config)# username admin secret MyPassword
Next we'll configure the switch with the address and shared key of our RADIUS server. By default, Cisco switches will use UDP port 1645 for RADIUS authentication and port 1646 for accounting. Depending on the RADIUS daemon you chose to implement, you may need to modify these ports to match those used by your RADIUS daemon. FreeRADIUS, for example, uses the more recent port specification defined in RFC 2138 (http://www.faqs.org/rfcs/rfc2138.html), and requires additional configuration on the switch to reflect the port changes:

    Switch(config)# radius-server host 10.0.0.100 auth-port 1812 acct-port 1813 key MyRadiusKey
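Both ends of the RADIUS leg now hold MyRadiusKey. As an added example (not the article's code, nor the IOS or FreeRADIUS implementation), this Python sketch shows how that shared secret is used: the switch's Access-Request carrying EAP-Message is integrity-protected with a Message-Authenticator, and the server's reply with a Response Authenticator. The NAS address 10.0.0.1 and the username come from the lab; the EAP payload used when calling it is constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
ZERO16 = b"\x00" * 16

def attr(atype, value):
    """Type | Length | Value encoding of one attribute."""
    return bytes([atype, 2 + len(value)]) + value

def packet(code, ident, authenticator, attrs):
    """Code | Identifier | Length | Authenticator (16 octets) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def access_request(ident, username, eap_msg, secret, nas_ip=bytes([10, 0, 0, 1])):
    """Switch (NAS) side. A request carrying EAP-Message must also carry Message-Authenticator:
    HMAC-MD5 over the whole packet with that attribute zeroed, keyed with the shared secret."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(NAS_IP_ADDRESS, nas_ip) + attr(EAP_MESSAGE, eap_msg)
    unsigned = packet(ACCESS_REQUEST, ident, request_auth,
                      attrs + attr(MESSAGE_AUTHENTICATOR, ZERO16))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, request_auth, attrs + attr(MESSAGE_AUTHENTICATOR, mac))

def check_message_authenticator(pkt, secret):
    """Server side. Recompute the HMAC with the secret from clients.conf; a switch
    using a different key fails here before any EAP processing takes place."""
    length, pos = struct.unpack("!H", pkt[2:4])[0], 20
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False                       # malformed attribute, stop parsing
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + ZERO16 + pkt[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(pkt[pos + 2:pos + 18], expected)
        pos += alen
    return False                               # attribute absent: reject

def access_response(code, request, attrs, secret):
    """Server reply (Accept/Reject). Response Authenticator =
    MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def switch_validates_response(response, request, secret):
    """NAS side: only the holder of the secret could have produced this authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)
```

A request from a switch whose key differs from the one in clients.conf fails the first check on the server, so it is dropped before any EAP processing.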
Now we'll tie these two components together by configuring AAA to reference the RADIUS server for 802.1X authentication requests:

    Switch(config)# aaa authentication dot1x default group radius
This takes care of the RADIUS portion of the configuration. Configuring 802.1X from this point is simple: enable it globally for the switch, and individually per interface:

    Switch(config)# dot1x system-auth-control
    Switch(config)# interface g0/12
    Switch(config-if)# switchport mode access
    Switch(config-if)# dot1x port-control auto
Note that the interface must be set to static access mode. If left in dynamic mode (where DTP is used to negotiate the port's function as either access or trunking), the switch will issue an error message stating that 802.1X cannot be configured on dynamic ports.
If you're inquisitive like me and issue a question mark to invoke the context-sensitive help in the midst of issuing a new command, you might have noticed that the dot1x port-control interface command has three options. These are:
    auto                Normal 802.1X authentication
    force-authorized    No 802.1X authentication is used (this is the default setting, to prevent service interruption while deploying 802.1X)
    force-unauthorized  Ignores authentication attempts; the port is always unauthorized
    Switch# show dot1x interface g0/12
    Supplicant MAC
       AuthSM State      = N/A
       BendSM State      = N/A
       PortStatus        = N/A
       MaxReq            = 2
       MaxAuthReq        = 2
       HostMode          = Single
       Port Control      = Auto
       QuietPeriod       = 60 Seconds
       Re-authentication = Disabled
       ReAuthPeriod      = 3600 Seconds
       ServerTimeout     = 30 Seconds
       SuppTimeout       = 30 Seconds
       TxPeriod          = 30 Seconds
       Guest-Vlan        = 0
Client Configuration
The last element to configure is the supplicant software on the client. If your client is currently connected, unplug it temporarily before continuing (reconnecting after the configuration has been completed will make it easier to observe the 802.1X behavior). For my lab, I used a Windows XP box with SP2.

To enable the Windows 802.1X service, open Services from the control panel, and select and start the Wireless Zero Configuration service. ("But isn't this a wired connection?" I hear you ask. Thank you, Microsoft.) (Edit: Wired 802.1X is enabled by a separate service, Wired AutoConfig, in XP SP3. Thanks to Dude for pointing this out!) Next, open Network Connections from the control panel and open the Connection Properties dialog for the adapter you're using. You should have an Authentication tab within this window; if not, the 802.1X service isn't running and you'll need to do some troubleshooting.
Enable 802.1X authentication and set the EAP type to MD5-Challenge. This will allow us to use basic username/password credentials instead of a more secure (and much more complex) PKI scheme. You can safely deselect the "authenticate as computer" and "authenticate as guest" options.
Authenticating
If everything is configured correctly, you should now be able to authenticate via 802.1X. Verify your IP addressing and connect your client to the switch. After roughly thirty seconds you should be prompted for authentication credentials by a little balloon. (In a more ideal setup, your Windows credentials and/or a client certificate would be sent without your interaction and 802.1X authentication would occur transparently.) Your prompt may differ from the example shown here.

Enter the username and password you configured on the RADIUS server in the authentication dialog.
Your client will notify you after a bit if the authentication fails. If you receive no notification, authentication has succeeded and you should be able to send traffic through the switch port (try pinging through to the RADIUS server to verify this). Issue the show dot1x command on the switch again to verify that the port is now in the "authorized" state.
    Switch# show dot1x interface g0/12
    Supplicant MAC 0014.22e9.545e
       AuthSM State      = AUTHENTICATED
       BendSM State      = IDLE
       PortStatus        = AUTHORIZED
       MaxReq            = 2
       MaxAuthReq        = 2
       HostMode          = Single
       Port Control      = Auto
       QuietPeriod       = 60 Seconds
       Re-authentication = Disabled
       ReAuthPeriod      = 3600 Seconds
       ServerTimeout     = 30 Seconds
       SuppTimeout       = 30 Seconds
       TxPeriod          = 30 Seconds
       Guest-Vlan        = 0
One other detail to note: initially, the client's port on the switch will only transition to up/down (interface up, line protocol down) when you first connect. Only after successfully authenticating via 802.1X will it transition fully to up/up.
If authentication fails for some reason you'll have to do some sleuthing to determine the cause. Keep the following tips in mind:

- Ensure that the switch is trying to authenticate to the correct RADIUS server on the correct UDP port
- Ensure the RADIUS server is configured to accept authentication requests from the correct subnet
- Review the RADIUS daemon logs for messages concerning failed authentication or misconfiguration
- Use a variation of the debug dot1x command on the switch or a packet sniffer to verify EAP and RADIUS traffic
- Try using the free NTRadPing RADIUS Test Utility (http://www.mastersoftgroup.com/download/) to independently verify operation of the RADIUS server
About the Author (/users/stretch/)
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email (/contact/) or follow him on Twitter (http://twitter.com/packetlife).
Comments
Lee (guest)
August 6, 2008 at 2:56 a.m. UTC
Great, I have been waiting for this info for a long time.

marwooj (guest) (http://www.qsor.pl)
August 6, 2008 at 7:28 a.m. UTC
Great!!!

Dude (guest)
August 6, 2008 at 11:52 a.m. UTC
Very nice post, thank you.

Marcus (guest)
August 6, 2008 at 3:53 p.m. UTC
I have tinkered with the guest vlan when a user is not authenticated and that works pretty well. It would be a nice addition to this write-up. Nice post, thanks!

Robert (guest)
August 6, 2008 at 11:02 p.m. UTC
What is the purpose of enabling IP routing? It's not required to do dot1x.

Duder (guest)
August 6, 2008 at 11:06 p.m. UTC
veeery nice
stretch (/users/stretch/)
August 6, 2008 at 11:53 p.m. UTC
@Marcus: Good idea!
@Robert: ip routing is only needed if you set up your lab like I did, with a multilayer switch separating two subnets.

Robert (guest)
August 7, 2008 at 5:17 a.m. UTC
Thanks. I'll read a little more before I post next time. Glad there are other people out there using dot1x and guest vlans, Marcus. If you do cover guest vlans please try and cover auth-fail vlans as well.
Watch out for Bug ID CSCsc06286 if you have an older IOS. It didn't make it into any of the release notes. The biggest problem we faced with dot1x in production was re-imaging computers. I've documented our solution; if you are interested I could email the doc.
Thanks for the postings, I enjoy reading the blog.

Dinger (guest)
August 7, 2008 at 1:31 p.m. UTC
How much tweaking is necessary to allow your Windows credentials to be sent without your interaction so that 802.1X authentication occurs transparently?

zlobb (guest)
August 7, 2008 at 4:07 p.m. UTC
Good post.
The dynamic vlan assignment function is neat (works with FreeRadius as well). It's almost always pleasant to assign vlans based on user login instead of a mac address.

Jacob (guest)
August 9, 2008 at 3:34 a.m. UTC
Have you tried to do this using certificates? I tried a while back with a large number of Windows XP supplicants and it was somewhat unreliable. Just wondering if anyone has had better luck.

Florin (guest)
August 10, 2008 at 1:03 p.m. UTC
Hi, I have a strange problem. I do not have the Authentication tab in my LAN adapter properties. I have only General and Advanced. I have enabled WZC in the registry. It is a wired LAN. Thanks

Dude (guest)
August 14, 2008 at 7:37 a.m. UTC
I had the same issue. In SP3 there is a separate service called "Wired AutoConfig" for wired connections. It is not started by default. Just enable it.

Florin (guest)
August 18, 2008 at 7:58 p.m. UTC
Thanks, it's working.
oszkari (guest)
September 29, 2008 at 10:41 a.m. UTC
Hi,
I use dot1x with a few hundred XPs (SP2/SP3) with freeradius. Everything works fine until the PC goes to standby or hibernate. After this the reauthentication process takes a couple of minutes if I don't do shutdown/no shutdown on the affected switch port.
Does anybody have some experience with, or maybe a solution for, this?
Thx

rav (guest)
October 9, 2008 at 2:52 p.m. UTC
Hi! Thanks, great article! Could you please give the models of several switches that support your configuration? I know it should work with Cat3550, but I've no idea whether it'll go with i.e. Cat29xx or non-Cisco switches. Is it sufficient for a switch to support just 802.1x, or does it have to have additional features so that it can dynamically assign vlans to users, based on the radius server?

rik (guest)
December 11, 2008 at 2:18 p.m. UTC
We are using Cisco Secure Services Client 5.0.2.3 and c2950 switches, with Cisco ACS with an AD in order to perform machine and user authentication. We see a problem on laptops with WinXP SP3. After a while they are unable to make a connection to the LAN. After debugging it looks like the machine account password change (after 30 days) causes a problem > the ACS gets an answer from the AD that the password is not correct > no access anymore to the network. When we force the laptop into the VLAN where it should normally be assigned > problem resolved and we can again use an 802.1x port to connect the laptop.
I'm wondering if anyone has seen this before and how they solved this problem.
Thx in advance,
Rik

waltdom (guest)
November 2, 2009 at 4:00 p.m. UTC
Is there a method from the client to test if the port it is connected to is 802.1x enabled, other than going to the switch to look? I would like to test a port to validate that the networking folks actually enabled the port for 802.1x.

RaMs (guest)
March 30, 2010 at 3:46 a.m. UTC
Good post. It was very helpful for me.

VK (guest)
March 30, 2010 at 5:05 a.m. UTC
Hi.. Can you please explain this process with a FreeBSD machine with FreeRADIUS and with a Nortel switch... wired authentication. Thank you..
RaMs (guest)
August 5, 2010 at 4:52 a.m. UTC
Hi.. Could you please explain to me how to configure a Linux PC as authentication server for a TLS certificate.
802.1X authentication works fine when I tried it with MD5 authentication (i.e. by configuring username and password).
RaMs

shvin (/users/shvin/)
October 16, 2010 at 10:12 a.m. UTC
Hi, my LAN card does not support 802.1x. How can I add the Authentication tab on the LAN card...??? Help me plzzz

A guest
September 6, 2011 at 7:11 p.m. UTC
tnx

shoaib (guest)
September 27, 2011 at 8:14 a.m. UTC
Word of caution: EAP-MD5 is very easy to configure and works like a charm but its support is limited in Windows 7. The options in Windows 7 are MS-PEAP, Cisco LEAP, Cisco PEAP, EAP-FAST, EAP-TTLS. Almost all of them require a secure channel between Radius and NAS i.e. switch. This is based on certificates.
Configuring that on FreeRadius is challenging.
I am currently working on it as part of my job (yes). Once I am done, I will post a step-by-step HowTo. The idea is that each client/laptop should have a certificate and the user should be able to use windows credentials either manually or it should be automatic.

buczo (guest)
May 10, 2012 at 7:50 a.m. UTC
@shoaib did you do it? Is there a HowTo anywhere about WinXP/WinVista/Win7 + Active Directory + Cisco + 802.1X and PKI transparent?

Nagarushi (guest)
July 13, 2012 at 5:59 p.m. UTC
Hi,
is there any tool which can simulate the machine authentication? I want to simulate 1000 machine authentication requests for my testing purpose.
Thanks,
Nagarushi

John (guest)
September 20, 2012 at 7:52 a.m. UTC
Excellent post.
Thanks

Pasqu (guest) (http://www.ios4all.net/)
January 31, 2013 at 5:28 p.m. UTC
Hi, is there a way to authenticate with 802.1X and Windows Server radius only PCs joined in the domain?
My goal is to block domain users that want to connect their PCs to my office's LAN and have (of course) a valid login. These users can come into the office with their PCs, enable 802.1x, insert user and password in the popup, and their personal PC is authenticated.
The best solution is to authenticate PCs already joined in the domain, and with the popup only for the group of admin users in the domain, not the normal ones.
Has anyone tried this setup?

rsccom24 (guest)
April 18, 2013 at 1:03 p.m. UTC
@shvin
sorry for the late response, but just for documentation...
you can add the authentication tab as follows:
go to Services and start the service "Wired AutoConfig"

shomi (guest)
September 18, 2013 at 2:50 a.m. UTC
How is it possible that the Radius server grants authentication which is being sent as an MD5 hash while usernames/passwords are configured in plaintext on the server?
Is there a setting in your cfg file that lists MD5 as default?
Also, what would happen if the supplicant client is connected to a shared network segment? Would successful authentication of one client imply access for other computers connected to the segment?
Great post.
Thanks.

shantia (guest)
November 16, 2013 at 7:41 a.m. UTC
Thank you. It is a very nice post

AnilKumarA (guest)
December 27, 2013 at 4:10 a.m. UTC
Very nice. Please add packet transactions when the client sends wrong credentials and add GUEST_VLAN, SERVER_FAIL_VLAN and SERVER_REJECT_VLAN info as well.

krishnakanth (guest)
July 15, 2014 at 7:06 a.m. UTC
It's very helpful. Thanks a lot...