
12/9/2014

A simple wired 802.1X lab - PacketLife.net


A simple wired 802.1X lab
By stretch (/users/stretch/) | Wednesday, August 6, 2008 at 2:18 a.m. UTC
IEEE 802.1X (http://en.wikipedia.org/wiki/802.1X) is a very cool security feature. It was developed to provide real security for wired and wireless networks at layer two. A client connected to an 802.1X-protected port can't send any traffic other than EAP to the switch until it successfully authenticates with the proper credentials or certificate. This article demonstrates how you can set up a simple 802.1X lab using a Windows XP-based client and a RADIUS server.

802.1X Operation
A network switch acts as the middleman between an authenticating client and an authentication server. The switch implements two protocols: EAP (http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol) is used to communicate with the client at the network perimeter, while RADIUS (http://en.wikipedia.org/wiki/RADIUS) is used to relay authentication details to the server inside the network. EAP offers a number of authentication mechanisms, but our setup will use simple username/password authentication with an MD5 challenge. The flow of a successful authentication is illustrated here:

http://packetlife.net/blog/2008/aug/06/simplewired8021xlab/


For a better idea of what this exchange looks like on the wire, check out these packet captures of 802.1X (/captures/802.1X.cap) and RADIUS (/captures/RADIUS.cap) traffic.
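To make the challenge/response step concrete, here is a small Python model of the exchange. It is an added example, not code from the article or from FreeRADIUS: the supplicant hashes the typed password against the server's challenge, the switch relays the EAP packets unchanged, and the server recomputes the hash from the cleartext password in its users file (the same point comes up in the comments below). The shared secret MyRadiusKey and the John.McGuirk/S0cc3r account are the article's lab values; the EAP and RADIUS identifiers and the random challenge are constructed. The last step shows why the switch checks the RADIUS Response Authenticator with the shared secret before trusting an Access-Accept.

```python
"""Toy model of the 802.1X / EAP-MD5 / RADIUS exchange from the article.

Added example; identifiers and the challenge are constructed, the secret and
the user account are the article's lab values.
"""
import hashlib
import hmac
import os
import struct

RADIUS_SECRET = b"MyRadiusKey"        # shared secret from clients.conf (article)
USERS = {"John.McGuirk": b"S0cc3r"}    # cleartext users-file entry (article)

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_EAP_MESSAGE = 79


def eap_md5_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4 (via RFC 1994): MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_packet(code: int, identifier: int, body: bytes = b"") -> bytes:
    """EAP header: Code (1), Identifier (1), Length (2, covers the header) + body."""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_md5_challenge(identifier: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5-Challenge: Type 4, Value-Size, Value (the challenge)."""
    return eap_packet(EAP_REQUEST, identifier, bytes([EAP_TYPE_MD5, len(challenge)]) + challenge)


def supplicant_respond(request: bytes, password: bytes) -> bytes:
    """Supplicant side: hash the typed password against the received challenge."""
    code, identifier, _length = struct.unpack("!BBH", request[:4])
    if code != EAP_REQUEST or request[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    challenge = request[6:6 + request[5]]
    value = eap_md5_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, bytes([EAP_TYPE_MD5, len(value)]) + value)


def server_verify(identity: str, challenge: bytes, response: bytes) -> bool:
    """RADIUS server side: recompute the expected value from the cleartext password.
    A one-way hash of the password stored on the server would be useless here,
    which is why the users file carries Cleartext-Password."""
    password = USERS.get(identity)
    if password is None:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != EAP_RESPONSE or length != len(response) or response[4] != EAP_TYPE_MD5:
        return False
    value = response[6:6 + response[5]]
    return hmac.compare_digest(value, eap_md5_value(identifier, password, challenge))


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def run_exchange(identity: str, typed_password: bytes,
                 switch_secret: bytes = RADIUS_SECRET) -> str:
    """One authentication attempt; returns the resulting port state as text."""
    eap_id, radius_id = 1, 7                      # constructed identifiers
    challenge = os.urandom(16)                    # server picks a fresh challenge
    request = build_md5_challenge(eap_id, challenge)
    response = supplicant_respond(request, typed_password)   # relayed by the switch as-is
    accepted = server_verify(identity, challenge, response)
    # Server answers with Access-Accept/Reject carrying EAP-Success/Failure
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    result_eap = eap_packet(EAP_SUCCESS if accepted else EAP_FAILURE, eap_id + 1)
    attrs = bytes([ATTR_EAP_MESSAGE, 2 + len(result_eap)]) + result_eap
    request_auth = os.urandom(16)                 # Request Authenticator chosen by the switch
    auth = response_authenticator(code, radius_id, attrs, request_auth, RADIUS_SECRET)
    # The switch checks the authenticator with its own secret before trusting the verdict
    expected = response_authenticator(code, radius_id, attrs, request_auth, switch_secret)
    if not hmac.compare_digest(auth, expected):
        return "unauthorized: RADIUS reply failed the Response Authenticator check"
    return "authorized" if code == ACCESS_ACCEPT else "unauthorized"


if __name__ == "__main__":
    print(run_exchange("John.McGuirk", b"S0cc3r"))           # authorized
    print(run_exchange("John.McGuirk", b"wrong"))            # unauthorized
    print(run_exchange("John.McGuirk", b"S0cc3r", b"Typo"))  # authenticator check fails
```

The third call models a mistyped shared secret on the switch: the server still accepts the user, but the switch cannot validate the reply, so the port stays unauthorized. That is the first thing to check when the RADIUS daemon logs a success yet the port never comes up.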

Server Configuration
For my setup, I chose to install FreeRADIUS (http://www.freeradius.org/) on my Gentoo Linux (http://www.gentoo.org/) workstation, but any RADIUS service should work. The configurations in this section correspond to a bare FreeRADIUS deployment using cleartext credentials stored in a text file. Obviously, real-world deployments would dictate a much more robust and secure authentication method such as LDAP.
The base server configuration is located in radiusd.conf (on Linux, this file should reside in /etc/raddb/), but we shouldn't need to change any of the default values for this lab. However, we will need to add the subnet address from which we expect to receive authentication requests (10.0.0.0/24) in clients.conf. Remember that although the 802.1X client resides in VLAN 10, the RADIUS client (the switch) will be sending requests from its 10.0.0.1 interface. Copy and paste this block to enable the network with the shared secret of MyRadiusKey:

client 10.0.0.0/24 {
        secret = MyRadiusKey
        shortname = Lab
}

We'll also define a user/password combination for testing. I've created the user John.McGuirk with the password S0cc3r. Feel free to pick your own username and password, but make sure to maintain the spacing in the configuration file (the reply message is optional):

John.McGuirk    Cleartext-Password := "S0cc3r"
                Reply-Message = "Hello, %u"

After completing this configuration remember to (re)start the RADIUS service.

Switch Configuration
Port-based 802.1X authentication (http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_sec/configuration/guide/sw8021x.html) allows for some really cool security measures (like dynamic VLAN assignment and per-user ACLs), but for this lab we'll establish a base configuration just for demonstration's sake.
A preliminary step, if you haven't done so already, is to enable IP routing on the switch:

Switch(config)# ip routing

Before diving into the actual 802.1X configuration, we'll need to enable Authentication, Authorization, and Accounting (AAA) for the switch (this step can be skipped if AAA is already active). A word of caution: enabling AAA changes the authentication method used by the VTY (telnet) lines to fit the AAA model. It's a good idea to define a local username and password to authenticate to the switch if you haven't done so (this account is unrelated to our 802.1X configuration, just a way for us to log in again if we need to).

Switch(config)# aaa new-model
Switch(config)# username admin secret MyPassword

Next we'll configure the switch with the address and shared key of our RADIUS server. By default, Cisco switches will use UDP port 1645 for RADIUS authentication and port 1646 for accounting. Depending on the RADIUS daemon you chose to implement, you may need to modify these ports to match those used by your RADIUS daemon. FreeRADIUS, for example, uses the more recent port specification defined in RFC 2138 (http://www.faqs.org/rfcs/rfc2138.html), and requires additional configuration on the switch to reflect the port changes:

Switch(config)# radius-server host 10.0.0.100 auth-port 1812 acct-port 1813 key MyRadiusKey

Now we'll tie these two components together by configuring AAA to reference the RADIUS server for 802.1X authentication requests:

Switch(config)# aaa authentication dot1x default group radius

This takes care of the RADIUS portion of the configuration. Configuring 802.1X from this point is simple: enable it globally for the switch, and individually per interface:

Switch(config)# dot1x system-auth-control
Switch(config)# interface g0/12
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto

Note that the interface must be set to static access mode. If left in dynamic mode (where DTP is used to negotiate the port's function as either access or trunking), the switch will issue an error message stating that 802.1X cannot be configured on dynamic ports.
If you're inquisitive like me and issue a question mark to invoke the context-sensitive help in the midst of issuing a new command, you might have noticed that the dot1x port-control interface command has three options. These are:

auto                Normal 802.1X authentication
force-authorized    No 802.1X authentication is used (this is the default setting, to prevent service interruption while deploying 802.1X)
force-unauthorized  Ignores authentication attempts; the port is always unauthorized

You can use the show dot1x command to verify the configuration of your client-facing interface:

Switch# show dot1x interface g0/12
Supplicant MAC
   AuthSM State      = N/A
   BendSM State      = N/A
   PortStatus        = N/A
   MaxReq            = 2
   MaxAuthReq        = 2
   HostMode          = Single
   Port Control      = Auto
   QuietPeriod       = 60 Seconds
   Re-authentication = Disabled
   ReAuthPeriod      = 3600 Seconds
   ServerTimeout     = 30 Seconds
   SuppTimeout       = 30 Seconds
   TxPeriod          = 30 Seconds
   Guest-Vlan        = 0

Client Configuration
The last element to configure is the supplicant software on the client. If your client is currently connected, unplug it temporarily before continuing (reconnecting after the configuration has been completed will make it easier to observe the 802.1X behavior). For my lab, I used a Windows XP box with SP2.
To enable the Windows 802.1X service, open Services from the control panel, and select and start the Wireless Zero Configuration service. ("But isn't this a wired connection?" I hear you ask. Thank you, Microsoft.) (Edit: Wired 802.1X is enabled by a separate service, Wired AutoConfig, in XP SP3. Thanks to Dude for pointing this out!) Next, open Network Connections from the control panel and open the Connection Properties dialog for the adapter you're using. You should have an Authentication tab within this window; if not, the 802.1X service isn't running and you'll need to do some troubleshooting.


Enable 802.1X authentication and set the EAP type to MD5-Challenge. This will allow us to use basic username/password credentials instead of a more secure (and much more complex) PKI scheme. You can safely deselect the "authenticate as computer" and "authenticate as guest" options.

Authenticating
If everything is configured correctly, you should now be able to authenticate via 802.1X. Verify your IP addressing and connect your client to the switch. After roughly thirty seconds you should be prompted for authentication credentials by a little balloon. (In a more ideal setup, your Windows credentials and/or a client certificate would be sent without your interaction and 802.1X authentication would occur transparently.) Your prompt may differ from the example shown here.

Enter the username and password you configured on the RADIUS server in the authentication dialog.


Your client will notify you after a bit if the authentication fails. If you receive no notification, authentication has succeeded and you should be able to send traffic through the switch port (try pinging through to the RADIUS server to verify this). Issue the show dot1x command on the switch again to verify that the port is now in the "authorized" state.

Switch# show dot1x interface g0/12
Supplicant MAC 0014.22e9.545e
   AuthSM State      = AUTHENTICATED
   BendSM State      = IDLE
   PortStatus        = AUTHORIZED
   MaxReq            = 2
   MaxAuthReq        = 2
   HostMode          = Single
   Port Control      = Auto
   QuietPeriod       = 60 Seconds
   Re-authentication = Disabled
   ReAuthPeriod      = 3600 Seconds
   ServerTimeout     = 30 Seconds
   SuppTimeout       = 30 Seconds
   TxPeriod          = 30 Seconds
   Guest-Vlan        = 0

One other detail to note: initially, the client's port on the switch will only transition to up/down (interface up, line protocol down) when you first connect. Only after successfully authenticating via 802.1X will it transition fully to up/up.
If authentication fails for some reason you'll have to do some sleuthing to determine the cause. Keep the following tips in mind:
- Ensure that the switch is trying to authenticate to the correct RADIUS server on the correct UDP port
- Ensure the RADIUS server is configured to accept authentication requests from the correct subnet
- Review the RADIUS daemon logs for messages concerning failed authentication or misconfiguration
- Use a variation of the debug dot1x command on the switch or a packet sniffer to verify EAP and RADIUS traffic
- Try using the free NTRadPing RADIUS Test Utility (http://www.mastersoftgroup.com/download/) to independently verify operation of the RADIUS server
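The last tip, checking the RADIUS server independently of the switch, can be done with a few dozen lines of Python as well. The following is an added example, not code from the article and not NTRadPing: it builds a PAP Access-Request (RFC 2865) with the User-Password attribute encrypted against the shared secret and the Request Authenticator, and verifies the Response Authenticator on the reply before trusting the verdict, so a wrong shared secret shows up as a distinct error rather than a silent reject. The server address 10.0.0.100, port 1812, secret MyRadiusKey, the John.McGuirk/S0cc3r account and the NAS address 10.0.0.1 are the article's lab values. Packet construction and verification run offline; the UDP send happens only when the file is run as a script.

```python
"""Minimal RADIUS PAP test client (added example). Builds an Access-Request,
sends it, and checks the reply's Response Authenticator with the shared secret."""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS AVP: Type (1), Length (1, includes these two bytes), Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def _password_blocks(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous),
    where 'previous' is the Request Authenticator for the first block and the
    previous ciphertext block afterwards."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, key))
        out += mixed
        prev = block if decrypt else mixed   # chain on the ciphertext either way
    return out


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Zero-pad to a multiple of 16 octets, then apply the block mixing."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    return _password_blocks(padded, secret, request_auth, decrypt=False)


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the server does on receipt; the zero padding is stripped."""
    return _password_blocks(cipher, secret, request_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, request_auth: bytes = None):
    """Access-Request carrying User-Name, User-Password and NAS-IP-Address.
    Returns (packet, request_auth); keep request_auth to verify the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encrypt_user_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_reply(code: int, identifier: int, request_auth: bytes, secret: bytes,
                attrs: bytes = b"") -> bytes:
    """Reply as a server builds it (used to exercise verify_reply offline)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_reply(reply: bytes, identifier: int, request_auth: bytes, secret: bytes) -> str:
    """Check the Response Authenticator (RFC 2865 section 3) before trusting the code.
    Returns 'accept', 'reject' or 'other'; raises ValueError if the reply is untrustworthy."""
    if len(reply) < 20:
        raise ValueError("reply too short")
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if length > len(reply) or reply_id != identifier:
        raise ValueError("length or identifier mismatch")
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


if __name__ == "__main__":
    server, port, secret = "10.0.0.100", 1812, b"MyRadiusKey"   # article's lab values
    packet, request_auth = build_access_request(1, "John.McGuirk", "S0cc3r", secret, "10.0.0.1")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            sys.exit("no reply: check the server address/port and that clients.conf "
                     "allows this source subnet (FreeRADIUS silently drops unknown clients)")
    print(verify_reply(reply, 1, request_auth, secret))
```

A timeout with no reply is the symptom of the second troubleshooting tip (source subnet missing from clients.conf) or of the wrong port; a ValueError from verify_reply points at a shared-secret mismatch; a clean "reject" means the server answered and the credentials or the users file are the problem.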


About the Author
(/users/stretch/)

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email (/contact/) or follow him on Twitter (http://twitter.com/packetlife).


Comments
Lee (guest)
August 6, 2008 at 2:56 a.m. UTC

Great, I have been waiting for this info for a long time.

marwooj (guest) (http://www.qsor.pl)
August 6, 2008 at 7:28 a.m. UTC

Great!!!

Dude (guest)
August 6, 2008 at 11:52 a.m. UTC

Very nice post, thank you.

Marcus (guest)
August 6, 2008 at 3:53 p.m. UTC

I have tinkered with the guest VLAN when a user is not authenticated and that works pretty well. It would be a nice addition to this write-up. Nice post, thanks!

Robert (guest)
August 6, 2008 at 11:02 p.m. UTC

What is the purpose of enabling IP routing? It's not required to do dot1x.

Duder (guest)
August 6, 2008 at 11:06 p.m. UTC

veeery nice

stretch (/users/stretch/)
August 6, 2008 at 11:53 p.m. UTC

@Marcus: Good idea!
@Robert: ip routing is only needed if you set up your lab like I did, with a multilayer switch separating two subnets.

Robert (guest)
August 7, 2008 at 5:17 a.m. UTC

Thanks. I'll read a little more before I post next time. Glad there's other people out there using dot1x and guest VLANs, Marcus. If you do cover guest VLANs please try and cover auth-fail VLANs as well.
Watch out for Bug ID CSCsc06286 if you have an older IOS. It didn't make it into any of the release notes. The biggest problem we faced with dot1x in production was reimaging computers. I've documented our solution; if you are interested I could email the doc.
Thanks for the postings, I enjoy reading the blog.

Dinger (guest)
August 7, 2008 at 1:31 p.m. UTC

How much tweaking is necessary to allow your Windows credentials to be sent without your interaction so that 802.1X authentication would occur transparently?

zlobb (guest)
August 7, 2008 at 4:07 p.m. UTC

Good post.
The dynamic VLAN assignment function is neat (works with FreeRADIUS as well). It's almost always pleasant to assign VLANs based on user login instead of a MAC address.

Jacob (guest)
August 9, 2008 at 3:34 a.m. UTC

Have you tried to do this using certificates? I tried a while back with a large number of Windows XP supplicants and it was somewhat unreliable. Just wondering if anyone has had better luck.

Florin (guest)
August 10, 2008 at 1:03 p.m. UTC

Hi, I have a strange problem. I do not have the Authentication tab in my LAN adapter properties. I have only General and Advanced. I have enabled WZC in the registry. It is a wired LAN. Thanks

Dude (guest)
August 14, 2008 at 7:37 a.m. UTC

I had the same issue. In SP3 there is a separate service called "Wired AutoConfig" for wired connections. It is not started by default. Just enable it.

Florin (guest)
August 18, 2008 at 7:58 p.m. UTC

Thanks. It's working.


oszkari (guest)
September 29, 2008 at 10:41 a.m. UTC

Hi,
I use dot1x with a few hundred XPs (SP2/SP3) with FreeRADIUS. Everything works fine until the PC goes to standby or hibernate. After this the re-authentication process takes a couple of minutes if I don't do shutdown/no shutdown on the affected switch port.
Does anybody have some experience with, or maybe a solution for, this?
Thx

rav (guest)
October 9, 2008 at 2:52 p.m. UTC

Hi! Thanks, great article! Could you please give the models of several switches that support your configuration? I know it should work with a Cat3550, but I've no idea whether it'll go with, e.g., a Cat29xx or non-Cisco switches. Is it sufficient for the switch to support just 802.1x, or does it have to have additional features so that it can dynamically assign VLANs to users based on the RADIUS server?

rik (guest)
December 11, 2008 at 2:18 p.m. UTC

We are using Cisco Secure Services Client 5.0.2.3 and C2950 switches, with Cisco ACS with an AD in order to perform machine and user authentication. We see a problem on laptops with Win XP SP3. After a while they are unable to make a connection to the LAN. After debugging it looks like the machine account password change (after 30 days) causes a problem > the ACS gets an answer from the AD that the password is not correct > no access anymore to the network. When we force the laptop into the VLAN where it should normally be assigned > problem resolved and we can use an 802.1x port again to connect the laptop.
I'm wondering if anyone has seen this before and how they solved this problem.
Thx in advance,
Rik

waltdom (guest)
November 2, 2009 at 4:00 p.m. UTC

Is there a method from the client to test if the port it is connected to is 802.1x enabled, other than going to the switch to look? I would like to test a port to validate that the networking folks actually enabled the port for 802.1x.

RaMs (guest)
March 30, 2010 at 3:46 a.m. UTC

Good post. It was very helpful for me.

VK (guest)
March 30, 2010 at 5:05 a.m. UTC

Hi.. Can you please explain this process with a FreeBSD machine with FreeRADIUS and with a Nortel switch... wired authentication. Thank you..


RaMs (guest)
August 5, 2010 at 4:52 a.m. UTC

Hi.. Could you please explain to me how to configure a Linux PC as an authentication server for TLS certificates.
802.1X authentication works fine when I tried it with MD5 authentication (i.e. by configuring username and password).
RaMs

shvin (/users/shvin/)
October 16, 2010 at 10:12 a.m. UTC

hi, my LAN card does not support 802.1x. how can i add the authentication tab on the LAN card...??? help me plzzz

A guest
September 6, 2011 at 7:11 p.m. UTC

tnx

shoaib (guest)
September 27, 2011 at 8:14 a.m. UTC

Word of caution: EAP-MD5 is very easy to configure and works like a charm, but its support is limited in Windows 7. The options in Windows 7 are MS-PEAP, Cisco LEAP, Cisco PEAP, EAP-FAST, EAP-TTLS. Almost all of them require a secure channel between RADIUS and NAS, i.e. the switch. This is based on certificates.
Configuring that on FreeRADIUS is challenging.
I am currently working on it as part of my job (yes). Once I am done, I will post a step-by-step HowTo. The idea is that each client/laptop should have a certificate and the user should be able to use Windows credentials either manually or it should be automatic.

buczo (guest)
May 10, 2012 at 7:50 a.m. UTC

@shoaib did you do it? Is there a HowTo anywhere about WinXP/WinVista/Win7 + Active Directory + Cisco + 802.1X and PKI, transparent?

Nagarushi (guest)
July 13, 2012 at 5:59 p.m. UTC

Hi,
Is there any tool which can simulate the machine authentication? I want to simulate 1000 machine authentication requests for my testing purposes.
Thanks,
Nagarushi

John (guest)
September 20, 2012 at 7:52 a.m. UTC

Excellent post.
Thanks

Pasqu (guest) (http://www.ios4all.net/)
January 31, 2013 at 5:28 p.m. UTC

Hi, is there a way to authenticate with 802.1X and Windows Server RADIUS only PCs joined to the domain?
My goal is to block domain users that want to connect their PCs to my office's LAN and have (of course) a valid login. These users can come into the office with their PCs, enable 802.1x, insert user and password in the popup, and their personal PC is authenticated.
The best solution is to authenticate PCs already joined to the domain and, with the popup, only the group of admin users in the domain. Not the normal ones.
Has anyone tried this setup?

rsccom24 (guest)
April 18, 2013 at 1:03 p.m. UTC

@shvin
Sorry for the late response, but just for documentation...
You can add the authentication tab as follows:
Go to Services and start the service "Wired AutoConfig".

shomi (guest)
September 18, 2013 at 2:50 a.m. UTC

How is it possible that the RADIUS server grants authentication which is being sent as an MD5 hash while usernames/passwords are configured in plaintext on the server?
Is there a setting in your cfg file that lists MD5 as default?
Also, what would happen if the supplicant client is connected to a shared network segment? Would successful authentication of one client implicate access for other computers connected to the segment?
Great post.
Thanks.

shantia (guest)
November 16, 2013 at 7:41 a.m. UTC

Thank you. It is a very nice post.

Anil Kumar A (guest)
December 27, 2013 at 4:10 a.m. UTC

Very nice. Please add packet transactions when the client sends wrong credentials, and add GUEST_VLAN, SERVER_FAIL_VLAN and SERVER_REJECT_VLAN info as well.

krishnakanth (guest)
July 15, 2014 at 7:06 a.m. UTC

It's very helpful. Thanks a lot...
