802.1X Authentication Using EAP
Switches can use IEEE 802.1X to perform user authentication, rather than the types of device
authentication performed by many of the other features described in this section. User authentication
requires the user to supply a username and password, verified by a RADIUS server, before the
switch will enable the switch port for normal user traffic. Requiring a username and password
prevents an attacker from simply using someone else's PC to attack the network without first
breaking the 802.1X authentication username and password.
IEEE 802.1X defines some of the details of LAN user authentication, but it also uses the
Extensible Authentication Protocol (EAP), an Internet standard (RFC 3748), as the underlying
protocol used for authentication. EAP includes the protocol messages by which the user can be
challenged to provide a password, as well as flows that create one-time passwords (OTPs) per RFC
2289. Figure 18-7 shows the overall flow of LAN user authentication, without the details behind
each message.
Figure 18-7 802.1X for LAN User Authentication
Figure 18-7 introduces a couple of general concepts plus several new terms. First, EAP messages
are encapsulated directly inside an Ethernet frame when sent between the 802.1X supplicant (user
device) and the 802.1X authenticator (switch). These frames are called EAP over LAN (EAPoL)
frames. However, RADIUS expects the EAP message as a data structure called a RADIUS
attribute, with these attributes sitting inside a normal RADIUS message. To support the two
protocols, the switch translates between EAPoL and RADIUS for messages that need to flow
between the supplicant and authentication server.
[Figure 18-7 (diagram): Supplicant <-- EAP over LAN (EAPoL) Request/Response --> Authenticator (port Fa0/1) <-- RADIUS message (with EAP attribute) --> Authentication Server. Encapsulation on the LAN side: Eth | EAP; on the server side: Eth | IP | UDP | RADIUS | EAP. Labels on the numbered arrows: 1 Request/Challenge; 5 EAP Success; 4 RADIUS Accept; 3 next to "Change Fa0/1 from unauthenticated to authenticated".]
Layer 2 Security 667
The rest of Figure 18-7 shows a simplistic view of the overall authentication flow. The switch and
supplicant create an OTP using a temporary key, with the switch then forwarding the authentication
request to the authentication server. The switch, as authenticator, must be aware of the results
(Step 3), because the switch has the duty to enable the port once the user is authenticated.
The 802.1X roles shown in Figure 18-7 are summarized as follows:
■ Supplicant—The 802.1X driver that supplies a username/password prompt to the user and
sends/receives the EAPoL messages
■ Authenticator—Translates between EAPoL and RADIUS messages in both directions, and
enables/disables ports based on the success/failure of authentication
■ Authentication server—Stores usernames/passwords and verifies that the correct values
were submitted before authenticating the user
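The translation job of the authenticator, as described for Figure 18-7, is easy to get wrong in the detail that matters for security: the RADIUS packet that carries the EAP message must also carry a Message-Authenticator, or a forged Access-Request (or a tampered one) would be accepted by the server. The following Python is an added example, not code from the original page or from Cisco: it builds an EAP Identity Response, wraps it in an EAPoL frame as the supplicant would, strips the frame as the switch would, re-wraps the EAP packet in a RADIUS Access-Request with EAP-Message attributes, and verifies it as the server would. The MAC addresses, identity and shared secret are constructed sample values; the EAP-Message (79) and Message-Authenticator (80) attribute handling follows RFC 3579, which the text does not cite.

```python
"""Added example (not from the original page): the EAPoL-to-RADIUS translation an
802.1X authenticator performs. MACs, identity and shared secret are constructed;
EAP-Message/Message-Authenticator handling follows RFC 3579."""
import hashlib
import hmac
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_EAP_PACKET = 0                        # EAPoL packet type 0 = EAP-Packet
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1      # RFC 3748 code and type values
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def build_eap_identity_response(eap_id, identity):
    """EAP packet (RFC 3748 s.4): code | identifier | length | type | type-data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_eapol_frame(dst_mac, src_mac, eap):
    """Supplicant side: the EAP packet sits directly inside the Ethernet frame."""
    eapol_hdr = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap))   # EAPoL v1
    return dst_mac + src_mac + struct.pack("!H", EAPOL_ETHERTYPE) + eapol_hdr + eap


def parse_eapol_frame(frame):
    """Authenticator side: check the headers and return the inner EAP packet."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPoL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPoL EAP-Packet")
    eap = frame[18:18 + length]
    _code, _id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP length does not match EAPoL body length")
    return eap


def _attr(attr_type, value):
    """One RADIUS attribute: type | length | value, value at most 253 bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_to_access_request(eap, secret, radius_id, request_authenticator):
    """Authenticator side: carry EAP as EAP-Message attribute(s) in an Access-Request
    and sign the whole packet with Message-Authenticator (HMAC-MD5 over the packet
    with that attribute's value zeroed, keyed with the RADIUS shared secret)."""
    attrs = b""
    if eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        attrs += _attr(ATTR_USER_NAME, eap[5:])      # identity doubles as User-Name
    for i in range(0, len(eap), 253):                # long EAP packets are fragmented
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    body = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(body))
    header += request_authenticator                  # 16 random bytes in real use
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def access_request_to_eap(packet, secret):
    """Server side: verify Message-Authenticator, then reassemble the EAP packet.
    Returns (eap_bytes, {other_attr_type: value})."""
    code, _id, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(packet):
        raise ValueError("bad RADIUS header")
    zeroed, attrs, eap, mac, pos = bytearray(packet), {}, b"", None, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_EAP_MESSAGE:
            eap += value
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            mac = value
            zeroed[pos + 2:pos + alen] = bytes(len(value))
        else:
            attrs[atype] = value
        pos += alen
    if mac is None:
        raise ValueError("EAP-Message without Message-Authenticator")
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("Message-Authenticator mismatch: wrong secret or tampering")
    return eap, attrs


def server_accepts(packet, secret):
    """True if the server would process the request, False if it must drop it."""
    try:
        access_request_to_eap(packet, secret)
        return True
    except ValueError:
        return False


def demo(secret=b"cisco"):
    """Supplicant -> authenticator -> server for one EAP Identity Response."""
    eap = build_eap_identity_response(7, b"alice")
    frame = build_eapol_frame(bytes.fromhex("0180c2000003"),      # PAE group address
                              bytes.fromhex("001122334455"), eap)  # constructed MAC
    req = eap_to_access_request(parse_eapol_frame(frame), secret, 1, bytes(range(16)))
    eap_at_server, attrs = access_request_to_eap(req, secret)
    return eap_at_server == eap, attrs[ATTR_USER_NAME], len(frame), len(req)
```

Run demo() to see the same 10-byte EAP packet travel as a 28-byte EAPoL frame on the LAN side and inside a 57-byte RADIUS Access-Request on the server side. The server_accepts() check is the part a practitioner should notice: flipping one byte of the request, or configuring a different radius-server key on the switch than on the server, makes the server reject the request rather than act on attacker-controlled EAP content.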
802.1X switch configuration resembles the AAA configuration covered in the section titled “Using
a Default Set of Authentication Methods” earlier in this chapter. The switch configuration treats
802.1X user authentication as another option for AAA authentication, using the following steps:
Step 1 As with other AAA authentication methods, enable AAA with the aaa new-model
global command.
Step 2 As with other configurations using RADIUS servers, define the RADIUS
server(s) IP address(es) and encryption key(s) using the radius-server host
and radius-server key commands.
Step 3 Similar to login authentication configuration, define the 802.1X authentication
method (RADIUS only today) using the aaa authentication dot1x default
command or, for multiple groups, the aaa authentication dot1x group
name global command.
Step 4 Enable 802.1X globally using the dot1x system auth-control global
command.
Step 5 Set each interface to use one of three operational settings using the dot1x
port-control {auto | force-authorized | force-unauthorized} interface
subcommand:
• Using 802.1X (auto)
• Not using 802.1X, but the interface is automatically authorized (force-authorized)
(default)
• Not using 802.1X, but the interface is automatically unauthorized
(force-unauthorized)
668 Affiliate 18: Security
Example 18-10 shows a simple 802.1X configuration on a Cisco 3550 switch. The example shows
a reasonable configuration based on Figure 18-3 earlier in the chapter, with servers off ports
fa0/1 and fa0/2, and two users off ports fa0/3 and fa0/4. Also, consider fa0/5 as an unused port.
Note that at the time of this writing, RADIUS is the only available authentication method for
802.1X in the Cisco 3550 and 3560 switches.
Example 18-10 Sample Cisco 3550 802.1X Configuration
! The first three commands enable AAA, define that 802.1X should use the RADIUS
! group made up of all defined RADIUS servers, and enable 802.1X globally.
aaa new-model
aaa authentication dot1x default group radius
dot1x system auth-control
! Next, commands shown previously are used to define the default radius group.
! These commands are unchanged compared to earlier examples.
radius-server host 10.1.1.1 auth-port 1812 acct-port 1646
radius-server host 10.1.1.2 auth-port 1645 acct-port 1646
radius-server key cisco
! The server ports (fa0/1 and fa0/2), inside a secure datacenter, do not require
! 802.1X authentication.
int fa0/1
dot1x port-control force-authorized
int fa0/2
dot1x port-control force-authorized
! The client ports (fa0/3 and fa0/4) require 802.1X authentication.
int fa0/3
dot1x port-control auto
int fa0/4
dot1x port-control auto
! The unused port (fa0/5) is configured to be in a permanently unauthorized
! state until the dot1x port-control command is reconfigured for this port. As
! such, the port will only allow CDP, STP, and EAPoL frames.
int fa0/5
dot1x port-control force-unauthorized
Storm Control
Cisco IOS for Catalyst switches supports rate-limiting traffic at Layer 2 using the storm-control
commands. Storm control can be configured to set rising and falling thresholds for each of the
three types of port traffic: unicast, multicast, and broadcast. Each rate limit can be configured on
a per-port basis.
You can configure storm control to operate on each traffic type based on either packet rate or a
percentage of the interface bandwidth. You can also specify rising and falling thresholds for each
traffic type. If you don't specify a falling threshold, or if the falling threshold is the same as the
rising threshold, the switch port will forward all traffic up to the configured limit and will not wait
for that traffic to pass a defined falling threshold before forwarding it again.
When any of the configured thresholds is passed, the switch can take any of three additional
actions, also on a per-port basis. The first, and the default, is that the switch rate-limits by
discarding excess traffic according to the configured command(s) and takes no other action. The
other two actions include performing the rate-limiting action and either shutting down the port
or sending an SNMP trap.
Let's say we have the following goals for a storm-control configuration:
■ Limit broadcast traffic to 100 packets per second. When broadcast traffic drops back to 50
packets per second, begin forwarding broadcast traffic again.
■ Limit multicast traffic to 0.5 percent of the 100-Mbps interface rate, or 500 kbps. When
multicast traffic drops back to 400 kbps, begin forwarding multicast traffic again.
■ Limit unicast traffic to 80 percent of the 100-Mbps interface rate, or 80 Mbps. Forward all
unicast traffic up to this limit.
■ When any of these three conditions occurs and results in rate-limiting, send an SNMP trap.
The configuration that results is shown in Example 18-11.
Example 18-11 Storm Control Configuration Example
Cat3560(config)# interface FastEthernet0/10
Cat3560(config-if)# storm-control broadcast level pps 100 50
Cat3560(config-if)# storm-control multicast level 0.50 0.40
Cat3560(config-if)# storm-control unicast level 80.00
Cat3560(config-if)# storm-control action trap
Cat3560(config-if)# end
Cat3560# show storm-control fa0/10 unicast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/10 Forwarding 80.00% 80.00% 0.00%
Cat3560# show storm-control fa0/10 broadcast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/10 Forwarding 100 pps 50 pps 0 pps
Cat3560# show storm-control fa0/10 multicast
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/10 Forwarding 0.50% 0.40% 0.00%
Jun 10 14:24:47.595: %STORM_CONTROL-3-FILTERED: A Multicast storm detected on
Fa0/19. A packet filter action has been activated on the interface.
! The preceding output indicates that the multicast storm threshold was
! exceeded and the switch took the action of sending
! an SNMP trap to indicate this condition.
One important caveat about storm control is that it supports only physical ports. The configuration
commands are available on EtherChannel (port-channel) interfaces, but they have no effect.
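The rising/falling behaviour described above (traffic is dropped once the rising threshold is reached and forwarded again only once it falls below the falling threshold, which defaults to the rising one) and the three actions are easiest to reason about as a small state machine. The following Python simulation is an added example, not code from the original page or from Cisco IOS: the StormControl class, the state names other than Forwarding, and the per-second sample rates are constructed for illustration, and the shutdown case is modelled as the port staying down until an administrator clears it. Thresholds are compared in whatever unit the command used (pps, or percent of bandwidth), and percent_to_bps() does the arithmetic behind the 0.5 percent = 500 kbps goal.

```python
"""Added example (not from the original page): a simulation of one storm-control
policer to show the rising/falling hysteresis and the three actions. The class,
the state names other than Forwarding, and the sample rates are constructed."""

FILTER, SHUTDOWN, TRAP = "filter", "shutdown", "trap"


def percent_to_bps(level_percent, interface_bps):
    """'level 0.50' on a 100-Mbps interface means 0.5% of 100 Mbps = 500 kbps."""
    return interface_bps * level_percent / 100.0


class StormControl:
    """One traffic type (unicast, multicast or broadcast) on one physical port,
    as configured by 'storm-control <type> level <rising> [<falling>]' and
    'storm-control action {shutdown | trap}' (no action command = filter only).

    With no falling threshold, falling == rising, so dropping stops as soon as
    one interval is below the limit again (no hysteresis)."""

    def __init__(self, rising, falling=None, action=FILTER):
        falling = rising if falling is None else falling
        if falling > rising:
            raise ValueError("falling threshold cannot exceed rising threshold")
        if action not in (FILTER, SHUTDOWN, TRAP):
            raise ValueError("unknown storm-control action")
        self.rising, self.falling, self.action = rising, falling, action
        self.state = "Forwarding"   # 'Blocking' / 'Link Down' are this model's names
        self.traps_sent = 0

    def observe(self, rate):
        """Feed the measured rate for one interval; return the state applied to it."""
        if self.state == "Link Down":
            return self.state       # shut down: stays down until an admin clears it
        if self.state == "Forwarding" and rate >= self.rising:
            if self.action == SHUTDOWN:
                self.state = "Link Down"
            else:
                self.state = "Blocking"             # excess of this type is dropped
                if self.action == TRAP:
                    self.traps_sent += 1            # one trap per storm detected
        elif self.state == "Blocking" and rate < self.falling:
            self.state = "Forwarding"
        return self.state


def run(policer, rates):
    """Apply a sequence of per-interval rates; return the state chosen for each."""
    return [policer.observe(r) for r in rates]


def traps_for(rates, rising, falling=None):
    """How many traps 'storm-control action trap' would send over these rates."""
    policer = StormControl(rising, falling, TRAP)
    run(policer, rates)
    return policer.traps_sent


# Constructed broadcast rates in packets per second, one value per interval,
# to exercise the goals above: rising 100 pps, falling 50 pps.
SAMPLE_BROADCAST_PPS = [10, 120, 90, 70, 49, 30, 150, 50, 40]


def compare_with_and_without_falling():
    """Same rates under 'level pps 100 50' versus 'level pps 100' (no falling)."""
    return (run(StormControl(100, 50), SAMPLE_BROADCAST_PPS),
            run(StormControl(100), SAMPLE_BROADCAST_PPS))
```

The two lists returned by compare_with_and_without_falling() show the practical difference: with a falling threshold of 50 pps the port keeps dropping broadcasts through the 90 and 70 pps intervals and resumes only at 49 pps, whereas with no falling threshold the 90 pps interval is already forwarded again, so a storm hovering just under the limit flaps between blocking and forwarding every interval.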