Ethernet 802.1X configuration – Cisco (most models)
In this topic, you will learn how to configure Cisco switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.
General configuration (IOS/NX-OS)
This is a general configuration template for Cisco switches with the IOS or NX-OS operating system.
- Enable AAA services on the device.
aaa new-model
- Create a new RADIUS server group.
aaa group server radius PORTNOX
In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.
- Configure the switch to use the RADIUS server group for authentication.
aaa authentication dot1x default group PORTNOX
- Configure the switch to use the RADIUS server group for authorization.
aaa authorization network default group PORTNOX
- Send new accounting information to the RADIUS server group.
aaa accounting update newinfo
- Send all session start and stop events to the RADIUS server group.
aaa accounting identity default start-stop group PORTNOX
Warning: If your switch responds with the following warning, type No and proceed to the next step:
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding. Do you wish to continue?
Do not answer Yes, or you may irreversibly change your configuration; to fix it, you will have to reset your switch to factory settings.
- Send all session stop events to the RADIUS server group even if there is no start event.
aaa accounting send stop-record always
- Enable 802.1X port-based authentication on the device.
dot1x system-auth-control
- Optional: Enable critical EAP over LAN (EAPOL) frames, allowing them to be processed with higher priority in the authentication process.
dot1x critical eapol
- Optional: Specify the time interval during which critical EAP over LAN (EAPOL) frames must be received for successful recovery in case of interruption.
dot1x critical recovery delay 2000
- Optional: Specify that the switch considers the RADIUS server as dead if no response is received within 30 seconds for four consecutive attempts.
radius-server dead-criteria time 30 tries 4
- Optional: Set the amount of time during which a RADIUS server is considered unreachable or dead after a specified number of consecutive failed attempts.
radius-server deadtime 30
- Add your individual Portnox Cloud RADIUS server IPs and ports to the switch configuration (the radius server entries in the full example configuration at the end of this section).
Important: The IP addresses, port numbers, and keys in the example configuration are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
- Configure 802.1X authentication on interface 0/1:
interface gigabitethernet 0/1
Note: This is an example interface. Adjust the interface in the configuration to your specific interface.
- Configure a critical auth VLAN.
Note: If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.
Note: This function may be unsupported on some switches. Consult Cisco documentation for more information about its availability for your specific model and software version.
- Verify the 802.1X configuration.
show dot1x all
Expected output:
Sysauthcontrol              Enabled
Dot1x Protocol Version      2

Dot1x Info for GigabitEthernet0/1
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
Critical Auth VLAN        = 10
Server Dead Action        = Authorize VLAN 10
- Optional: Debug the 802.1X configuration, if necessary.
debug mab all
debug dot1x all
debug radius
debug aaa authentication
debug aaa authorization
Here is the entire example configuration for your convenience:
aaa new-model
!
aaa group server radius PORTNOX
server name PORTNOX-CLOUD-US
server name PORTNOX-CLOUD-EMEA
exit
!
aaa authentication dot1x default group PORTNOX
aaa authorization network default group PORTNOX
aaa accounting update newinfo
aaa accounting identity default start-stop group PORTNOX
aaa accounting send stop-record always
!
dot1x system-auth-control
!
dot1x critical eapol
dot1x critical recovery delay 2000
!
radius-server dead-criteria time 30 tries 4
radius-server deadtime 30
!
radius server PORTNOX-CLOUD-US
address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
exit
!
radius server PORTNOX-CLOUD-EMEA
address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
exit
!
interface gigabitethernet 0/1
authentication port-control auto
dot1x pae authenticator
authentication host-mode single-host
mab
authentication order dot1x mab
!
vlan 10
!
interface vlan 10
ip address 10.0.10.1 255.255.255.0
! The SVI needs a host address inside the subnet: the network address
! 10.0.10.0 is rejected by IOS, so .1 is used here as an example value.
!
interface gigabitethernet 0/1
authentication event server dead action authorize vlan 10
IBNS 2.0 (multi-domain)
This is a multi-domain configuration template for Cisco switches with IBNS 2.0.
- Enable AAA services on the device.
aaa new-model
- Add your individual Portnox Cloud RADIUS server IPs and ports to the switch configuration (the radius server entries in the full example configuration at the end of this section).
Important: The IP addresses, port numbers, and keys in the example configuration are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
- Create a new RADIUS server group.
aaa group server radius PORTNOX
In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.
- Configure the switch to use the RADIUS server group for authentication.
aaa authentication dot1x default group PORTNOX
- Configure the switch to use the RADIUS server group for authorization.
aaa authorization network default group PORTNOX
- Enable 802.1X port-based authentication on the device.
dot1x system-auth-control
- Verify or configure the needed class-map types that will be used in the interface policy-map supporting 802.1X.
class-map type control subscriber match-all DOT1X
match method dot1x
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
class-map type control subscriber match-all MAB
match method mab
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
- Configure the subscriber policy-map that will be used to control 802.1X authentication.
policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event authentication-failure match-first
10 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 class MAB_FAILED do-until-failure
10 terminate mab
20 authenticate using dot1x priority 10
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authentication-restart 60
40 class always do-until-failure
10 terminate mab
20 terminate dot1x
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x priority 10
- Configure appropriate interfaces to use 802.1X authentication.
interface GigabitEthernet1/0/1
switchport access vlan 613
switchport mode access
switchport voice vlan 612
access-session closed
access-session host-mode multi-domain
access-session port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
service-policy type control subscriber DOT1X_MAB_MULTIDOMAIN
- Optional: Debug the 802.1X configuration, if necessary.
debug mab all
debug dot1x all
debug radius
debug pre all
Note: Optionally, for debug pre, you can use only event and/or rule to limit the output to the information relevant to IBNS 2.0.
debug aaa authentication
debug aaa authorization
Here is the entire example configuration for your convenience:
aaa new-model
!
radius server PORTNOX-CLOUD-US
address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
exit
radius server PORTNOX-CLOUD-EMEA
address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
exit
aaa group server radius PORTNOX
server name PORTNOX-CLOUD-US
server name PORTNOX-CLOUD-EMEA
exit
aaa authentication dot1x default group PORTNOX
aaa authorization network default group PORTNOX
!
dot1x system-auth-control
!
class-map type control subscriber match-all DOT1X
match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all MAB
match method mab
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event authentication-failure match-first
10 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 class MAB_FAILED do-until-failure
10 terminate mab
20 authenticate using dot1x priority 10
30 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authentication-restart 60
40 class always do-until-failure
10 terminate mab
20 terminate dot1x
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x priority 10
!
interface GigabitEthernet1/0/1
switchport access vlan 613
switchport mode access
switchport voice vlan 612
access-session closed
access-session host-mode multi-domain
access-session port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
service-policy type control subscriber DOT1X_MAB_MULTIDOMAIN
!
! Alternative policy-map: 802.1X first, with MAB only after the supplicant does
! not respond or 802.1X fails. It carries the same name as the policy-map above,
! so configure only one of the two; entering the same name again modifies the
! existing policy-map instead of creating a second one.
policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
event authentication-failure match-first
10 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
20 class MAB_FAILED do-until-failure
10 terminate dot1x
20 authentication-restart 60
30 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
40 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x priority 10
!
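As an added check (example code written for this page, not Portnox's or Cisco's), the following Python script parses a Cisco configuration pasted as text and verifies the settings that both the IOS/NX-OS template and the IBNS 2.0 template above require: the global AAA and dot1x commands, that every server named in the PORTNOX group is defined with an address, both ports and a key, and that every port set to port-control auto is also the 802.1X authenticator. The sample configuration, its address and its key are constructed placeholders.

```python
import re

# Added example (not Portnox or Cisco code): audit a Cisco IOS config for the 802.1X/RADIUS settings this page configures.
HEADERS = ("interface ", "radius server ", "aaa group server ", "policy-map ", "class-map ")
REQUIRED = ("aaa new-model", "dot1x system-auth-control", "aaa authentication dot1x default group PORTNOX",
            "aaa authorization network default group PORTNOX")

def parse_config(text):
    """Split into top-level commands and {block header: child lines}; a block ends at a blank
    line, '!', 'exit' or the next header, so an unindented paste parses like 'show run'."""
    top, blocks, cur = [], {}, None
    for ln in (raw.strip() for raw in text.splitlines()):
        if ln in ("", "!", "exit"):
            cur = None
        elif ln.startswith(HEADERS):
            cur = ln
            blocks.setdefault(cur, [])  # a repeated header merges into its block
        elif cur is None:
            top.append(ln)
        else:
            blocks[cur].append(ln)
    return top, blocks

def audit(text):
    """Return findings; an empty list means every checked setting is present."""
    top, blocks = parse_config(text)
    out = [f"missing global command: {c}" for c in REQUIRED if c not in top]
    group = blocks.get("aaa group server radius PORTNOX", [])
    names = [ln.split()[-1] for ln in group if ln.startswith("server name ")]
    for n in names:  # first problem per server: undefined, no address/ports, no key
        srv = blocks.get(f"radius server {n}")
        if srv is None:
            out.append(f"server {n}: in group but never defined")
        elif not any(re.fullmatch(r"address ipv4 \S+ auth-port \d+ acct-port \d+", ln) for ln in srv):
            out.append(f"server {n}: no address with auth-port and acct-port")
        elif not any(ln.startswith("key ") for ln in srv):
            out.append(f"server {n}: no shared key")
    for hdr, lines in blocks.items():  # a port doing 802.1X must be the authenticator
        if (hdr.startswith("interface ") and "dot1x pae authenticator" not in lines
                and {"authentication port-control auto", "access-session port-control auto"} & set(lines)):
            out.append(f"{hdr}: port-control auto but no 'dot1x pae authenticator'")
    return out

# Constructed sample: the page's IOS template minus the EMEA server definition and the authenticator role.
SAMPLE = "\n".join(["aaa new-model", "dot1x system-auth-control",
    "aaa authentication dot1x default group PORTNOX", "aaa authorization network default group PORTNOX",
    "aaa group server radius PORTNOX", " server name PORTNOX-CLOUD-US", " server name PORTNOX-CLOUD-EMEA",
    "exit", "radius server PORTNOX-CLOUD-US", " address ipv4 203.0.113.10 auth-port 10322 acct-port 10323",
    " key EXAMPLE-KEY-REPLACE-ME", "exit", "interface gigabitethernet 0/1", " authentication port-control auto"])
```

Run it against the output of `show running-config` saved to a file; an empty result means the checked settings from the templates are all present.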