Configuring 802.1x & IBNS

Before a port enters an authorized state, 802.1X allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) packets to traverse the port.
Configuring 802.1X port authentication is supported on Layer 2 static access ports, voice VLAN–enabled ports, and Layer 3 routed ports. It is not supported on dynamic ports, trunk ports, or Switched Port Analyzer (SPAN) or Remote SPAN (RSPAN) ports.

Configure Cisco IOS 802.1x Authenticator

  • Specify RADIUS Server on IOS: Configure two RADIUS servers to provide a redundant set of AAA servers. Also, use a strong value for the authentication key and consider using different authentication keys for each 802.1X switch, The cryptographic authentication key is used to protect the session.
    Optionally, you can change the authentication and accounting ports from the defaults, UDP 1645 and 1646, which are used by Cisco Secure ACS to the standard RADIUS ports, UDP 1812 and 1813
    Router(config)# radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key rad123
  • Enable AAA and Specify RADIUS for Authentication: enable AAA and configure an AAA authentication method that will be used between this IOS Authenticator and RADIUS Server
    Router(config)# aaa new model
    Router(config)# aaa authentication dot1x default group radius none
  • Enable 802.1x Globally and on Individual Port:
    Router(config)# dot1x system-auth-control
    Router(config)# interface FastEthernet 2/1
    Router(config-if)# switchport mode access
    Router(config-if)# switchport access vlan 90
    Router(config-if)# authentication port-control auto
  • (Optional) Configure Periodic Re-authentication: Without re-authentication,  the switch will not detect that the client has disconnected and leave the port in an authenticated state. By default, 802.1X re-authentication is not enabled.
    Router(config)# interface FastEthernet 2/1
    Router(config-if)# authentication periodic
    Router(config-if)# authentication timer reauthentication 600
        //default is 3600 seconds
  •  (Optional) Tune Timers and Thresholds.
    The authenticator expects to receive the EAP-Response/Identity frame as a response to its
    EAP-Request/Identity frame. If it has not received this frame within the default retransmission time, it will resend the Request frame. The default retransmission timer is 30 seconds. You can tune it for faster response.
    Router(config-if)# dot1x timeout tx-period 10
    If the switch fails to authenticate a client, such as the user entering a bad password, the switch waits a period of time before trying again. The default value for this quiet timer is 60 seconds.
    Router(config-if)# dot1x timeout quiet-period 10
  •  (Optional) Configure Guest and Authentication Failed Policy:
    A special-purpose VLAN is designated for clients that either fail authentication (Restricted VLAN) or that do not have an 802.1X supplicant (Guest VLAN). In the case of authentication failure, you must specify the number of times that the switch should retry authentication before assigning the user to the restricted VLAN.
    Router(config-if)# authentication event fail retry 2 action authorize vlan 100
    Router(config-if)# authentication event no-response action authorize vlan 100
  • Verify 802.1x Basic Function:
    Router# show dot1x
    Router# show dot1x all summary

Configure Cisco ACS AAA Sever

  • Add 802.1x enabled switch/router/AP into ACS server as AAA client
    input the same Key you configured for Securing the RADIUS message, which is also configured on the switch/router/AP.
  • Select specific Authentication Mechanism for AAA service.
    EAP-MD5, LEAP, PEAP, EAP-TLS etc.
  • create user credential in local authentication database in AAA server.

Configure and Deploy 802.1x Supplicant on Client Machine. .