AAA and 802.1X Authentication

When it comes to securing the network, AAA and 802.1X authentication are two powerful tools we can use. Let me show you an example of why you might want this on your switches:

[Figure: switch connected to a home wireless router]

Network users might bring their own wireless router from home and connect it to the switch so they can share wireless Internet with all their colleagues. An access point like this is called a rogue access point and it is something you DON'T want to see on your network. It is hard to detect: the router does NAT, so on the switch you only see a single MAC address and a single IP address, exactly what one legitimate host looks like. Port security, which only counts or pins MAC addresses, can't tell the difference and can't prevent this.

One way of dealing with issues like this is to use AAA.

AAA stands for Authentication, Authorization and Accounting:

  • Authentication: Verify the identity of the user, who are you?
  • Authorization: What is the user allowed to do? What resources can he/she access?
  • Accounting: Records what the user did and for how long; used for billing and auditing.

[Figure: AAA topology, SW1 acting as authenticator between the user on fa0/1 and the AAA server]

The idea behind AAA is that a user has to authenticate before getting access to the network. Interface fa0/1 on SW1 stays blocked until then: the user doesn't even get an IP address, because DHCP and all other traffic are dropped. The only thing the port lets through is the user's authentication traffic; the switch forwards the credentials to the AAA server. If the server accepts them, the switch unblocks the port and the user is granted access to the network.

[Figure: 802.1X port control]

802.1X is the mechanism that blocks or unblocks the interface; it is called port-based network access control. In the picture above an unknown user has plugged a cable into the switch. In 802.1X terms the user's device is the supplicant, the switch is the authenticator and the AAA server is the authentication server: until the server says yes, the switch only relays the supplicant's authentication frames (EAP over LAN) and drops everything else on the port.
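As an added example (this is not part of the original lesson, which ends here), the following Cisco IOS configuration implements the setup described in the two sections above on SW1: AAA pointed at a RADIUS server, 802.1X enabled globally, and fa0/1 running as an authenticator that keeps the port blocked until the server returns an Access-Accept. The server address 192.168.1.100, the server name ISE, the shared key and VLAN 10 are assumptions for illustration; the interface name comes from the lesson. The single-host setting is the knob forum reply 4 alludes to: only the MAC address that authenticated may use the port afterwards, so a hub or unmanaged switch behind fa0/1 can't piggyback other devices onto the authenticated session.

```cisco
! Added example configuration for SW1 (not from the original lesson).
! Assumed values: RADIUS server 192.168.1.100 named ISE, shared key R4d1us-K3y, access VLAN 10.
!
! --- AAA: authenticate 802.1X sessions against RADIUS ---
aaa new-model
!
radius server ISE
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key R4d1us-K3y
!
aaa authentication dot1x default group radius
! authorization is only needed when the server pushes a per-user VLAN or ACL
aaa authorization network default group radius
! accounting: start/stop records per session for the "A" of auditing
aaa accounting dot1x default start-stop group radius
!
! --- 802.1X: enable the authenticator function globally ---
dot1x system-auth-control
!
! --- Port-based control on the user-facing port ---
interface FastEthernet0/1
 description User port, 802.1X protected
 switchport mode access
 switchport access vlan 10
 ! auto = blocked until the server answers Access-Accept
 ! (force-authorized would bypass 802.1X, force-unauthorized blocks permanently)
 authentication port-control auto
 ! only the MAC address that authenticated may send on this port
 authentication host-mode single-host
 dot1x pae authenticator
 spanning-tree portfast
!
end
```

Verify with `show authentication sessions interface FastEthernet0/1` and `show dot1x interface FastEthernet0/1 details`: before the user authenticates the port shows as Unauthorized and a DHCP request from the host gets no answer; after an Access-Accept it flips to Authorized. On older IOS releases the equivalent commands are `radius-server host 192.168.1.100 key R4d1us-K3y` and `dot1x port-control auto`.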



Forum Replies

  1. What’s the name of the follow-up lesson? “In another lesson I will give you a configuration example how to implement this on a Cisco Catalyst Switch.”

    Or does it not yet exist?

  2. Hi Francesco,

    We use RADIUS and TACACS+ for both user authentication and management. For example, with wireless networks we use RADIUS for user authentication (WPA2-enterprise). This allows us to use client and server certificates and it’s a far more secure solution than using pre-shared keys only.

    For network management, it’s useful since you can centralize all your authentication instead of creating usernames/passwords on each and every router, switch, firewall, etc on your network.

    It’s used on local networks, the only time you might use it on the Internet i


  3. Hello Markos

    Using port security we can do several things. We can restrict the use of a switch port to only one specific preconfigured MAC address or we can specify that only a single MAC address should be seen to be using this port. We can even use IP source guard to determine which will be the allowed source IP address that can use the interface, even on an L2 switch.

    The first case will allow us to lock the port down such that only a specific computer having a specific MAC address can connect to that port. If this were implemented, then port security woul


  4. Hello Justin

    If I understood your argument correctly, you mean connect something like an access point or a SOHO router to the port-security enabled switchport and have that device perform NAT, where all hosts connected to that device will communicate on the network via the 802.1x enabled port using a single MAC and IP address, thus defeating port security, correct?

    Yes, this would “defeat” 802.1x if you had configured it to allow any single MAC address. However, you can configure it to allow only a particular MAC address, that of the only allowed workstation o


  5. Hello Harshi

    TACACS+ and RADIUS are two different families of protocols that perform similar functions. Some details about each:

    • TACACS+ is Cisco proprietary but started out as an authentication protocol for UNIX systems in the 1980s
    • TACACS+ can be run on a VM, and there are versions that can be run on Windows as well
    • TACACS+ uses TCP
    • RADIUS is a protocol standardized by the IETF
    • RADIUS can run on most Linux and Windows platforms
    • RADIUS uses UDP by default but can also be configured to use TCP

    Both fundamentally do the same thing but each has some specialisations tha

