802.1X Configuration on Cisco Switches – A Practical Lesson

In this lesson, I will explain how to configure, verify, and troubleshoot 802.1X port-based authentication on Cisco switches. This security feature is crucial for protecting network access at the port level, ensuring that only authenticated devices can connect to your network.

Lesson Objectives

After completing this lesson, you will be able to:

  • Configure basic 802.1X authentication on switch ports
  • Set up RADIUS server integration
  • Verify 802.1X operations
  • Troubleshoot common authentication issues
  • Implement best practices for port security

Prerequisites

  • Cisco switch running IOS 15.0 or later
  • RADIUS server (like Cisco ISE or FreeRADIUS)
  • Basic understanding of AAA concepts
  • Knowledge of Cisco switch CLI
  • Understanding of Layer 2 switching concepts

Part 1: Basic 802.1X Configuration

Initial AAA Setup

First, let’s configure AAA and RADIUS server settings:

Switch# configure terminal
! Enable AAA
Switch(config)# aaa new-model

! Configure RADIUS server
Switch(config)# radius server RAD1
Switch(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key RadiusKey123
Switch(config-radius-server)# exit

! Configure AAA methods
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius

Understanding the Output

After entering these commands, verify the configuration:

Switch# show running-config | section aaa
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

Key points to check:

  • AAA new-model is enabled
  • The authentication method is properly set
  • RADIUS server configuration is complete

Part 2: Port Configuration

Enabling 802.1X Globally

Switch(config)# dot1x system-auth-control

Configuring Individual Ports

Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# no shutdown

Verification Output

Switch# show authentication sessions interface gi1/0/1
Interface  MAC Address     Method  Domain  Status         Session ID
Gi1/0/1    0000.0000.0001 dot1x   DATA    Authorized     0A1B2C3D4E5F

What to Look For:

  • Status should show “Authorized” for authenticated clients
  • The method should display “dot1x”
  • Verify the correct interface and MAC address
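To turn the three checks above into something that can be run over the whole switch instead of one port at a time, here is an added Python example (not part of the lesson or of Cisco's tooling) that parses `show authentication sessions` output in the column layout shown above. The sample output, MAC addresses and session IDs are constructed for the example; an "Authorized" session whose method is `mab` is flagged for review rather than counted as clean, because MAB authorizes on a MAC address alone.

```python
import re
from collections import Counter

# Constructed sample of `show authentication sessions` output, following the
# column layout of the single line shown in the lesson. Addresses and IDs are made up.
SAMPLE_OUTPUT = """\
Interface  MAC Address     Method  Domain  Status         Session ID
Gi1/0/1    0000.0000.0001 dot1x   DATA    Authorized     0A1B2C3D4E5F
Gi1/0/2    0000.0000.0002 mab     DATA    Authorized     0A1B2C3D4E60
Gi1/0/3    0000.0000.0003 dot1x   DATA    Unauthorized   0A1B2C3D4E61
Gi1/0/4    0000.0000.0004 dot1x   DATA    Running        0A1B2C3D4E62
"""

# One session row: the MAC column (dotted hex) is what separates data rows from the header.
SESSION_RE = re.compile(
    r"^(?P<interface>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<session_id>\S+)$"
)


def parse_sessions(text):
    """Return one dict per session row; header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        match = SESSION_RE.match(line.strip())
        if match:
            sessions.append(match.groupdict())
    return sessions


def classify(session):
    """ok: authorized via 802.1X; review: authorized via MAB only; alert: anything else."""
    status = session["status"]
    method = session["method"].lower()
    if status == "Authorized" and method == "dot1x":
        return "ok"
    if status == "Authorized" and method == "mab":
        return "review"
    return "alert"


def summarize(text):
    """Count sessions by class and list the ones that need attention."""
    sessions = parse_sessions(text)
    counts = Counter(classify(s) for s in sessions)
    problems = [
        (s["interface"], s["mac"], s["method"], s["status"])
        for s in sessions
        if classify(s) == "alert"
    ]
    return {
        "total": len(sessions),
        "ok": counts["ok"],
        "review": counts["review"],
        "alert": counts["alert"],
        "problems": problems,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_OUTPUT)
    print(f"{report['total']} sessions: {report['ok']} ok, "
          f"{report['review']} MAB-only, {report['alert']} need attention")
    for interface, mac, method, status in report["problems"]:
        print(f"  {interface} {mac} {method} {status}")
```

Feed it the captured text of `show authentication sessions` from the switch; a "Running" status means the exchange with the RADIUS server is still in progress, so re-run after the supplicant's retry interval before treating it as a failure.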

Part 3: Advanced Features

MAB (MAC Authentication Bypass) Configuration

! Enable MAB so that a client with no 802.1X supplicant is authenticated by its MAC address
Switch(config-if)# mab
! Optional: if the client answers neither 802.1X nor MAB, place the port in VLAN 100
Switch(config-if)# authentication event no-response action authorize vlan 100

Guest VLAN Setup

Switch(config-if)# authentication event fail action authorize vlan 999
Switch(config-if)# authentication event no-response action authorize vlan 999

Verification Commands

Check MAB and Guest VLAN status:

Switch# show authentication registrations
Switch# show authentication sessions
Switch# show dot1x all

Common Issues and Solutions

Problem 1: Authentication Failing

Symptoms:

Switch# show dot1x interface gi1/0/1
Dot1x Info for GigabitEthernet1/0/1
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0

Solution:

  1. Verify RADIUS server connectivity
     Switch# test aaa group radius user1 password123 new-code
  2. Check port configuration
  3. Verify client supplicant settings

Problem 2: RADIUS Server Timeout

Switch# debug dot1x all
*Mar  1 00:00:00.000: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812 is not responding

Solution:

  1. Check network connectivity
  2. Verify shared secret
  3. Confirm server ports
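Step 2 deserves a closer look, because a wrong shared secret does not produce a "bad secret" error on the switch: the switch validates every reply with the Response Authenticator, and a reply computed with a different secret fails that check and is discarded, so the server looks as dead as one that never answered. The following Python example (added here; not part of the lesson, Cisco IOS or any RADIUS server) builds an RFC 2865 Access-Request with a hidden User-Password, builds the server's reply, and runs the client-side authenticator check with matching and mismatched secrets. The usernames, passwords and secrets are constructed values from the lesson's examples; the Message-Authenticator attribute of RFC 2869 is deliberately left out, so this is an illustration of the authenticator logic, not a usable RADIUS client.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def encode_attr(attr_type, value):
    """One RFC 2865 attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_user_password(password, secret, request_auth):
    """Hide a User-Password as in RFC 2865 section 5.2.

    The password is null-padded to a multiple of 16; each 16-byte block is XORed
    with MD5(secret + previous block), seeded with the Request Authenticator.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decrypt_user_password(ciphertext, secret, request_auth):
    """Server side of the same transform; the keystream is chained on ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Access-Request as the switch would send it. Returns (packet, request_authenticator)."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, identifier, attrs, request_auth, secret):
    """Reply as the server would send it, authenticated with the server's copy of the secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_reply(reply, request_auth, secret):
    """Client-side check: a reply whose authenticator does not match is silently discarded."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def simulate_exchange(switch_secret, server_secret):
    """Switch sends an Access-Request; server answers Access-Accept with its own secret.

    Returns True only if the switch accepts the reply. With mismatched secrets the
    reply is dropped, which from the switch's side is indistinguishable from a timeout.
    """
    request, request_auth = build_access_request(7, b"user1", b"password123", switch_secret)
    reply = build_reply(ACCESS_ACCEPT, 7, b"", request_auth, server_secret)
    return verify_reply(reply, request_auth, switch_secret)


if __name__ == "__main__":
    print("matching secrets:  ", simulate_exchange(b"RadiusKey123", b"RadiusKey123"))
    print("mismatched secrets:", simulate_exchange(b"RadiusKey123", b"WrongKey"))
```

The second run returns False, which is why the `test aaa group radius` check from Problem 1 is the quickest way to separate a reachability problem from a secret mismatch: a server that is unreachable produces no packets at all on the wire, while a secret mismatch produces a reply the switch refuses to accept.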

Practical Exercise

Lab Setup:

  1. Configure basic 802.1X on one access port
  2. Set up MAB for printer connection
  3. Configure guest VLAN
  4. Test authentication scenarios:
     • Valid user authentication
     • Invalid credentials
     • Non-802.1X capable device

Key Takeaways

  • Always enable AAA before 802.1X
  • Test RADIUS connectivity before port configuration
  • Use guest VLANs for non-802.1X devices
  • Implement MAB for devices without supplicants
  • Monitor authentication status regularly

Next Steps

  • Learn about Cisco ISE integration
  • Explore Flexible Authentication
  • Study CoA (Change of Authorization)
  • Implement downloadable ACLs

Quick Reference Commands

# Basic Verification
show dot1x all
show authentication sessions
show running-config | section dot1x

# Troubleshooting
debug dot1x all
debug authentication
show dot1x statistics

Verification Checklist

  • [ ] AAA configuration complete
  • [ ] RADIUS server reachable
  • [ ] Ports configured correctly
  • [ ] Global 802.1X enabled
  • [ ] Authentication status verified
  • [ ] Guest VLAN working
  • [ ] MAB functioning
