802.1X Configuration on Cisco Switches – A Practical Lesson
In this lesson, I will explain how to configure, verify, and troubleshoot 802.1X port-based authentication on Cisco switches. This security feature is crucial for protecting network access at the port level, ensuring that only authenticated devices can connect to your network.
Lesson Objectives
After completing this lesson, you will be able to:
- Configure basic 802.1X authentication on switch ports
- Set up RADIUS server integration
- Verify 802.1X operations
- Troubleshoot common authentication issues
- Implement best practices for port security
Prerequisites
- Cisco switch running IOS 15.0 or later
- RADIUS server (like Cisco ISE or FreeRADIUS)
- Basic understanding of AAA concepts
- Knowledge of Cisco switch CLI
- Understanding of Layer 2 switching concepts
Part 1: Basic 802.1X Configuration
Initial AAA Setup
First, let’s configure AAA and RADIUS server settings:
Switch# configure terminal
! Enable AAA
Switch(config)# aaa new-model
! Configure RADIUS server
Switch(config)# radius server RAD1
Switch(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key RadiusKey123
Switch(config-radius-server)# exit
! Configure AAA methods
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius
Understanding the Output
After entering these commands, verify the configuration:
Switch# show running-config | section aaa
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
Key points to check:
- AAA new-model is enabled
- The authentication method is properly set
- RADIUS server configuration is complete
Part 2: Port Configuration
Enabling 802.1X Globally
Switch(config)# dot1x system-auth-control
Configuring Individual Ports
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# no shutdown
Verification Output
Switch# show authentication sessions interface gi1/0/1
Interface  MAC Address     Method  Domain  Status      Session ID
Gi1/0/1    0000.0000.0001  dot1x   DATA    Authorized  0A1B2C3D4E5F
What to Look For:
- Status should show “Authorized” for authenticated clients
- The method should display “dot1x”
- Verify the correct interface and MAC address
Part 3: Advanced Features
MAB (MAC Authentication Bypass) Configuration
Switch(config-if)# authentication event no-response action authorize vlan 100
Switch(config-if)# mab
Guest VLAN Setup
Switch(config-if)# authentication event fail action authorize vlan 999
Switch(config-if)# authentication event no-response action authorize vlan 999
Verification Commands
Check MAB and Guest VLAN status:
Switch# show authentication registrations
Switch# show authentication sessions
Switch# show dot1x all
Common Issues and Solutions
Problem 1: Authentication Failing
Symptoms:
Switch# show dot1x interface gi1/0/1
Dot1x Info for GigabitEthernet1/0/1
-----------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
Solution:
- Verify RADIUS server connectivity
Switch# test aaa group radius user1 password123 new-code
- Check port configuration
- Verify client supplicant settings
Problem 2: RADIUS Server Timeout
Switch# debug dot1x all
*Mar 1 00:00:00.000: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812 is not responding
Solution:
- Check network connectivity
- Verify shared secret
- Confirm server ports
Practical Exercise
Lab Setup:
- Configure basic 802.1X on one access port
- Set up MAB for printer connection
- Configure guest VLAN
- Test authentication scenarios:
  - Valid user authentication
  - Invalid credentials
  - Non-802.1X capable device
Key Takeaways
- Always enable AAA before 802.1X
- Test RADIUS connectivity before port configuration
- Use guest VLANs for non-802.1X devices
- Implement MAB for devices without supplicants
- Monitor authentication status regularly
Next Steps
- Learn about Cisco ISE integration
- Explore Flexible Authentication
- Study CoA (Change of Authorization)
- Implement downloadable ACLs
Quick Reference Commands
# Basic Verification
show dot1x all
show authentication sessions
show running-config | section dot1x
# Troubleshooting
debug dot1x all
debug authentication
show dot1x statistics
Verification Checklist
- [ ] AAA configuration complete
- [ ] RADIUS server reachable
- [ ] Ports configured correctly
- [ ] Global 802.1X enabled
- [ ] Authentication status verified
- [ ] Guest VLAN working
- [ ] MAB functioning
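The checklist above can be applied to a saved running-config mechanically. The Python script below is an added example, not part of this lesson or of any Cisco tooling; it assumes the text was captured with show running-config, that only ports carrying switchport mode access are in scope for port-based authentication, and it runs against a constructed sample config in which one access port was left without authentication port-control auto (which means the port defaults to force-authorized and passes traffic with no authentication).

```python
# Constructed sample running-config (not captured from a real switch): Gi1/0/2 lacks
# 'authentication port-control auto', so it silently defaults to force-authorized.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server RAD1
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
dot1x system-auth-control
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 switchport mode access
 dot1x pae authenticator
"""

GLOBAL_REQUIRED = {  # the lesson's global commands -> finding reported when absent
    "aaa new-model": "AAA is not enabled (aaa new-model)",
    "aaa authentication dot1x default group radius": "no dot1x authentication method list",
    "dot1x system-auth-control": "802.1X not enabled globally (dot1x system-auth-control)",
}

def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return interfaces

def audit(config):
    """Return a list of findings; an empty list means every checklist item is present."""
    top_level = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = [msg for cmd, msg in GLOBAL_REQUIRED.items() if cmd not in top_level]
    if not any(cmd.startswith("radius server ") for cmd in top_level):
        findings.append("no RADIUS server defined")
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # assumption: only access ports are in scope for port-based auth
        if "authentication port-control auto" not in lines:
            findings.append(f"{name}: access port without 'authentication port-control auto'")
    return findings
```

Run audit() over the output of show running-config on each access switch; any finding for an interface is a port that will forward traffic without ever challenging the client.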