AAA and 802.1X Authentication

When it comes to securing the network, AAA and 802.1X authentication are two powerful tools we can use. Let me show you an example why you might want this for your switches:

Figure: switch connected to a router

Network users might bring their own wireless router from home and connect it to the switch so they can share wireless internet with all their colleagues. An access point like this is called a rogue access point, and it is something you DON’T want to see on your network. It’s hard to detect because on the switch you’ll only see one MAC address. The router is doing NAT, so you will only see one IP address; this is something you can’t prevent with port security.

One way of dealing with issues like this is to use AAA.

AAA stands for Authentication, Authorization and Accounting:

  • Authentication: Verify the identity of the user. Who are you?
  • Authorization: What is the user allowed to do? Which resources can he/she access?
  • Accounting: Record what the user did, used for billing and auditing.

Figure: AAA switch authenticator

The idea behind AAA is that a user has to authenticate before getting access to the network. The fa0/1 interface on SW1 will be blocked, and you won’t even get an IP address. The only thing the user is allowed to do is send his/her credentials, which the switch forwards to the AAA server. If your credentials are OK, the port will be unblocked and you will be granted access to the network.

Figure: 802.1X port control

802.1X is the mechanism that blocks or unblocks the interface; this is called port-based control. In the picture above, an unknown user has plugged a cable into the switch.
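As an added example (not part of the original lesson), this is what the setup described above looks like on a Cisco IOS switch acting as the 802.1X authenticator. The RADIUS server address 192.0.2.10, the shared key and interface FastEthernet0/1 are assumed placeholders. Besides authentication it also wires up the authorization and accounting parts from the AAA list above, so the server can push attributes for the user and keep a session record for auditing.

```text
! Added example (not from the lesson): 802.1X authenticator on a Cisco IOS switch.
! 192.0.2.10 (RADIUS server), the shared key and Fa0/1 are assumed placeholders.
aaa new-model
!
! AAA server that the switch forwards the user's credentials to
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
!
! Authentication: 802.1X requests are sent to the RADIUS group
aaa authentication dot1x default group radius
! Authorization: lets the server return per-user attributes (for example a VLAN)
aaa authorization network default group radius
! Accounting: session start/stop records for auditing
aaa accounting dot1x default start-stop group radius
!
! Enable 802.1X globally; without this, the interface-level commands do nothing
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port stays blocked (only EAPOL frames pass) until the RADIUS server answers Accept
 authentication port-control auto
 ! One authenticated MAC address per port; a home router with no credentials
 ! never gets past this step, whatever it hides behind NAT
 authentication host-mode single-host
 ! Make the switch the authenticator on this port (default 802.1X parameters)
 dot1x pae authenticator
!
end
```

To check the result, `show authentication sessions interface fa0/1` shows whether the port is still unauthorized or which identity it was opened for, and `show dot1x interface fa0/1 details` shows the 802.1X state machine for the port.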


Forum Replies

  1. Hi Hans,

    Which IOS version are you running? I would expect this device to support all 802.1x commands.

    Rene

  2. Hi Hans,
    You need to type ‘dot1x pae authenticator’ instead; it enables 802.1X authentication on the port with default parameters.

  3. First off if I post this in wrong place let me know and I will move the question to better forum area.

    I am studying AAA Authentication. I keep hearing it stressed to be aware that it’s best practice to put “local” on the end of your lines in case your TACACS server or RADIUS server goes down.

    For example I setup switch and AAA Server and PC in Boson Simulator to play with and test:

    username brian  password brian
    !
    aaa new-model
    aaa authentication login auth group tacacs+ local
    tacacs-server host 192.168.1.3
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    !

    I cr

    ... Continue reading in our forum

  4. Hi Brian,

    Good to hear you figured it out. The output of your Boson simulator was indeed that it was unable to connect so this didn’t have anything to do with your AAA configuration :slight_smile: Boson is nice to practice commands but it’s only a simulator so you can’t really test things.

    If you don’t add anything to your VTY line(s) then it will use the default AAA group. If you want to use RADIUS / TACACS+ authentication for some things but not for your VTY lines, then you can also create a second group and use that for the VTY lines. Something like this:

    SW1(config)#aaa 
    ... Continue reading in our forum
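As an added example (not Rene’s reply or the original lesson), here is a complete version of what the reply describes: a default login method list that tries TACACS+ first and falls back to the local user database, plus a second list for the VTY lines that only uses local users. The server address 192.168.1.3 and the username come from Brian’s post; the TACACS+ key and the local password are placeholders.

```text
! Added example (not from the forum reply): login method lists with local fallback.
! 192.168.1.3 is the TACACS+ server from the post above; the key and password are placeholders.
username brian secret REPLACE_WITH_LOCAL_PASSWORD
!
aaa new-model
tacacs-server host 192.168.1.3 key REPLACE_WITH_TACACS_KEY
!
! Default list: ask TACACS+ first. "local" is only used when the server does not
! answer at all; a username/password the server REJECTS does not fall through.
aaa authentication login default group tacacs+ local
! Second list for the VTY lines: local users only, the server is never asked
aaa authentication login VTY-LOCAL local
!
! Any line without its own "login authentication" uses the default list
line con 0
 login authentication default
line vty 0 4
 login authentication VTY-LOCAL
!
end
```

The caveat in the comments is the one that bites in practice: the local fallback protects you against an unreachable server, not against a wrong password. `show tacacs` reports whether the switch can reach the server, and `debug aaa authentication` shows which method list a login attempt used and why it moved on to the next method.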

  5. Hi Elia,

    It depends on the EAP type that you use. In this lesson, you can see this checkbox on the RADIUS server:

    https://networklessons.com/wp-content/uploads/2014/10/windows-xp-peap-settings.png

    The RADIUS server generated a certificate and when the client connects, it checks the server certificate to see if it’s talking to the correct server. The client then sends a username/password to authenticate the client.

    EAP-TLS allows you to use client certificates which is very safe, but does take time to setup (you need a client c

    ... Continue reading in our forum

33 more replies! Ask a question or join the discussion by visiting our Community Forum