Configuration Guide
User Access and Authentication
802.1x Authentication Configuration
Introduction

The 802.1x protocol is a widely used port-based network access control protocol for Ethernet networks. It primarily addresses authentication and security concerns for client access in Ethernet environments.

A typical 802.1x authentication system consists of three entities: the client, the device (port), and the authentication server.

- The client is the user's endpoint device, which is capable of initiating 802.1x authentication.
- The device, typically a network device supporting the 802.1x protocol, provides the access ports for clients.
- The authentication server provides authentication services to the device and is usually a RADIUS server.

Explanation of Principles

MAB Authentication Principles

MAC Authentication Bypass (MAB) is an authentication method that controls user access based on the interface and the terminal's MAC address. Terminals authenticated with MAB do not require a user to enter a username and password on the terminal; instead, authentication is performed from the ARP/IP packets sent by the terminal, whose source MAC address identifies it. This method is commonly used for printers, cameras, and other non-interactive endpoints.

For users authenticated with MAB, the device uses the PAP method:

1. The access device receives an ARP/DHCP/ND/IP packet sent by the terminal, which triggers MAB authentication.
2. The device takes the source MAC address of the packet as the authentication username.
3. The source MAC address, the shared key, and a random value generated by the device are concatenated in that order and hashed with MD5. The resulting value is carried in the User-Password attribute of the request sent to the RADIUS server.
4. The RADIUS server concatenates the MAC address, shared key, and random value of the saved MAB user in the same order, hashes them with MD5, and compares the result with the value received in the User-Password attribute. If they match, the server sends an Access-Accept message to the device and the terminal is allowed onto the network.

Note that MAB authenticates a MAC address, not a user. A MAC address can be read off the wire and spoofed, so MAB-only ports should be confined with ACL or VLAN authorization (see Authentication and Authorization below) rather than treated as strongly authenticated.

Dot1x Authentication Principles

The 802.1x authentication system uses the Extensible Authentication Protocol (EAP) to exchange authentication information between the client, the device (port), and the authentication server. The EAP packets between these entities are carried as follows:

- EAPOL (EAP over LAN) is used between the client and the device; the EAP packets are carried directly over the LAN.
- EAPOR (EAP over RADIUS) is used between the device and the authentication server; the EAP packets sent by the client are relayed by the device, encapsulated in EAPOR format and carried over the RADIUS protocol to the RADIUS server.

The device interacts with the RADIUS server in EAP relay mode, following these steps:

1. When a user needs to access an external network, they open the 802.1x client program and enter their previously registered username and password to initiate a connection request. The client program sends an authentication request frame (EAPOL-Start) to begin the authentication process.
2. The device receives the EAPOL-Start frame and sends an identity request frame (EAP-Request/Identity), asking the client program to send the entered username.
3. The client program responds with an identity response frame (EAP-Response/Identity) carrying the username.
4. The device encapsulates the EAP message from the client's response frame in a RADIUS packet (RADIUS Access-Request) and sends it to the authentication server.
5. The RADIUS server looks up the received username in its database to find the corresponding password, generates a random MD5 challenge, and sends the challenge to the device in a RADIUS Access-Challenge packet.
6. The device relays the MD5 challenge from the RADIUS server to the client.
7. The client hashes its password together with the challenge using MD5, places the result in an EAP-Response/MD5-Challenge frame, and sends it to the device.
8. The device encapsulates the EAP-Response/MD5-Challenge frame in a RADIUS packet (RADIUS Access-Request) and sends it to the RADIUS server.
9. The RADIUS server computes the same MD5 hash from the stored password and the challenge it issued and compares it with the received value. If they match, the user is considered valid and the server sends an authentication success packet (RADIUS Access-Accept) to the device.
10. On receiving the Access-Accept, the device sends an authentication success frame (EAP-Success) to the client and switches the port to the authorized state, allowing the user to access the network through the port.

The challenge and the hashed response travel in the clear on the LAN, and EAP-MD5 does not authenticate the server to the client, so the scheme is only as strong as the user's password against an offline dictionary attack by anyone who can capture the exchange.

Authentication Triggering Methods

- Active triggering: the client initiates authentication by sending an EAPOL-Start frame.
- Passive triggering: the device triggers authentication by sending an EAP-Request frame in unicast mode.

Authentication Modes

Dot1x offers two authentication modes, port-based and MAC-based. This device uses the MAC-based authentication mode.

- Port-based authentication mode: once one device connected to a port passes authentication, other devices connected to the same port can access network resources without authenticating.
- MAC-based authentication mode: each device connected to the same port must authenticate individually. When a user logs off, only that user loses network access.

RADIUS Authentication Servers

For the sake of network stability, multiple RADIUS servers are typically deployed so that the failure of one server does not affect user access. The device supports the following two ways of sending messages to the servers:

- RADIUS primary/secondary (default configuration). The administrator specifies the primary/secondary relationship between the servers. If no designation is given, the configuration order applies: the first server added is the primary and the rest are secondary. Up to four servers can be added. When server probing is enabled, all configured servers are probed, with priority given to the primary server. If the primary server is down, the device switches to the secondary server with the highest priority (determined by configuration order). If a server with a higher priority comes back up, the device switches back to that server.

- RADIUS server load balancing. In load-balancing mode, when the device receives an authentication request from a client it duplicates the request and sends it to all "up" authentication servers. The first server to respond is selected for the subsequent interactions of that authentication. If that server fails to respond during a subsequent interaction, the user's state is marked "timeout" and a re-authentication process is initiated; the device then chooses a server that responds to the requests for further communication.

Operation                                              Command
Enter the system configuration view                    configure terminal
Configure the RADIUS authentication server mode        dot1x radius-server server-mode {master-backup | polling}
Add a RADIUS authentication server                     dot1x radius-server <ip-address> secret <string> [primary | secondary]

802.1x Reauthentication

Reauthentication of successfully authenticated 802.1x users

When a user's access privileges or other parameters are changed on the authentication server after the user has authenticated and connected, that user must be re-authenticated to confirm their continued legitimacy. The device supports enabling re-authentication on specified interfaces. When the configured re-authentication interval elapses, the device sends a unicast EAP-Request frame to the terminal, requesting it to re-authenticate. For users authenticated with MAB, the device initiates re-authentication by sending an ARP request; the MAB re-authentication is then triggered by the terminal's ARP response.

Operation                                              Command
Enter the system configuration view                    configure terminal
Enter the interface view                               interface ethernet <interface-id>
Configure the re-authentication interval               authentication dot1x reauthenticate period <time> unit minute

Reauthentication of abnormal (timeout) 802.1x users

When a user initiates authentication and the device receives the user's EAP frame but gets no response from the RADIUS server, the device records the user in its table with the "timeout" status, so that the user can still authenticate successfully once the connection to the server is restored. Before the entry reaches its aging time, the device sends EAP-Request frames to the user to request re-authentication. If the user re-authenticates successfully, the device updates the status to "authenticated"; if the aging time is reached and the user still has not re-authenticated successfully, the device removes the entry from the table.

Operation                                              Command
Enter the system configuration view                    configure terminal
Configure the aging time of timeout users              authentication timeout-user aging-timer <time>
Configure the number of re-authentication attempts     authentication timeout-user reauth-count <count>
Configure the re-authentication interval               authentication timeout-user reauth-period <time>

It is recommended to configure the aging time so that aging time > re-authentication attempts x re-authentication interval; otherwise the entry can age out before the last re-authentication attempt is made.

Authentication and Authorization

Authentication supports filtering and controlling users' access to network resources in two ways: by applying ACLs or by assigning VLAN IDs. Through the RADIUS protocol, the system dynamically retrieves the authenticated user's account permissions. When a user comes online, the RADIUS server or authorization server sends a Change of Authorization (CoA) message that includes the authorization details; the device parses this message and applies the authorization to the corresponding interface.

ACL Authorization

The administrator must first configure the ACL rules on the device. After the user is authenticated, the authorization server sends the ACL rule name that matches the user's permission level, and the device binds the user's access interface to that ACL rule after parsing the message. When the user goes offline, the device receives a Disconnect Message (DM) from the RADIUS or authorization server containing the MAC address of the authorized user, and unbinds the ACL rule from the user's port.

Dynamic VLAN Authorization

The administrator must pre-configure the VLANs, such as the guest VLAN and the authorized-user VLANs, on the device. After the user is authenticated, the authorization server sends the VLAN ID and the VLAN mode (tag/untag) based on the user's permissions; the device removes the user's interface from the guest VLAN and assigns it to the authorized VLAN. If the user obtains its IP address dynamically, you must configure the authentication dot1x dhcp-deny command. This ensures that the user only obtains an IP address after successful authentication and that the address belongs to the authorized network segment.

Escape Mechanism

When the authentication server is down, or a network problem prevents the device from reaching it, an escape mechanism is used to preserve network connectivity: regardless of whether the supplied username and password are correct, users are allowed onto the network in a non-authenticated state. This authorization state, in which users have network access without successful authentication, is called the "escape" state.

The device supports periodic test authentications with a configured test username and password to probe the working status of the RADIUS server. As long as responses are received from the RADIUS server, irrespective of whether the test user's authentication succeeds, the server is considered to be working normally and users are not flagged as escape users. By default, the device probes every 60 seconds. If the number of consecutive probe timeouts reaches the configured timeout count, the authentication server's status is considered abnormal, and users who attempt authentication after that point are marked as escape users. Use the show dot1x server-status command to view the result of the probe. When the server is restored and the device receives responses for two consecutive probes, the server is considered recovered, and the device triggers re-authentication of all users in the escape state. Users who supply the correct username and password continue to access the network normally; the others are forcibly disconnected.

Escape is a deliberate fail-open: anyone who connects while the device cannot reach the RADIUS server, including an attacker who can cause that condition, gets network access until the server recovers and the re-authentication runs. Monitor the server status and keep the authorization restrictions above in place.

Operation                                              Command
Enter the system configuration view                    configure terminal
Enable the authentication server probe                 authentication radius-server dot1x detect-server enable
Set the time interval between probes                   authentication radius-server dot1x detect-server interval <time>
Set the number of consecutive probe timeouts           authentication radius-server dot1x detect-server timeout-count <count>

Note: detecting an authentication server failure takes time (probe count x probe interval). Users who authenticate during this window cannot be immediately identified as successfully authenticated and may be marked "timeout" instead. If these users must be able to access the network normally, enable re-authentication for timeout users and make sure the aging time of timeout entries is greater than probe count x probe interval.

Display and Maintenance

Operation                                              Command
Display the dot1x authentication results               show dot1x status
Display the dot1x configuration                        show authentication dot1x configuration
Display the authentication server status               show dot1x server-status
Force online users to log out                          authentication reset dot1x {interface <id> | mac <address>}

Configuration Example

Network Requirements

Users access the network through the device's ethernet1, ethernet2, and ethernet3 ports, and the device controls access to the network with 802.1x authentication on these interfaces. All users on a port are authenticated individually, so that a user going offline does not affect the other users on the same interface. When the server is unreachable (escape), all users can still access the network, and when the server connection resumes, the escaped users are re-authenticated.

Procedure

1. Configure the RADIUS server and add the user accounts (omitted).
2. Configure the IP address of each interface (omitted).
3. Configure the RADIUS server on the device.

# Configure the RADIUS server IP address, the shared key, and the source IP address used when interacting with the server
sonic(config)# authentication radius-server 10.110.1.10 dot1x source 2.2.2.2
# Enable RADIUS server detection to determine whether the RADIUS server is in the escape state
sonic(config)# authentication radius-server dot1x detect-server enable
# Create the user account used for RADIUS server detection
sonic(config)# authentication radius-server testuser test testpasswd

4. Enable 802.1x on the interfaces.

sonic(config)# authentication enable
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x enable
sonic(config)# interface ethernet 2
sonic(config-if-2)# authentication dot1x enable
sonic(config)# interface ethernet 3
sonic(config-if-3)# authentication dot1x enable

Verify Configuration

View the configuration:

sonic# show authentication dot1x configuration
+---------------+-----------------------------------------+
| interface     | configuration                           |
+===============+=========================================+
| auth server   | server addr = 10.110.1.10               |
|               | shared secret = dot1x                   |
|               | source addr = na                        |
|               | vrf = default                           |
+---------------+-----------------------------------------+
| detect server | detect server = enable                  |
|               | testuser username = test                |
|               | testuser password = testpasswd          |
|               | detect interval = 60                    |
|               | detect timeout count = 3                |
+---------------+-----------------------------------------+

The shared secret and the test user's password are displayed in clear text in this output, so restrict who can run show commands on the device, and create the probe account on the RADIUS server as a dedicated account with no network privileges.

View the user authentication state:

sonic# show dot1x interface 1
+-------------+-------------------+------------+-------------+
| interface   | mac               | status     | auth type   |
+=============+===================+============+=============+
| ethernet1   | 00:00:02:01:01:02 | authorized | 8021x       |
|             | 00:00:02:01:01:04 | authorized | 8021x       |
+-------------+-------------------+------------+-------------+
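The two MD5-based checks described in the principles sections above (the MAB User-Password derivation and the EAP-MD5 challenge/response of the dot1x exchange) are easy to get wrong in either direction, and the dot1x one is worth seeing from the attacker's side as well. The following is an added example written for this page; it is not code from the guide or from the device's software. The MAC normalisation, the identifier value, the challenge length and the sample credentials are assumptions for illustration; the EAP-MD5 formula itself is the one from RFC 3748 section 5.4.

```python
"""Added example: device/client-side and RADIUS-side computation of the MAB
User-Password value and the EAP-MD5 challenge response, plus the offline
dictionary attack that the cleartext EAP-MD5 exchange permits.
Assumptions: MAC normalised to 12 lowercase hex digits before hashing, a
16-byte challenge, and constructed sample credentials."""
import hashlib
import os
import secrets
from typing import Dict, List, Optional


# --- MAB as described in the guide: MD5(MAC || shared key || random value) ---

def normalise_mac(mac: str) -> bytes:
    """'00:00:02:01:01:02' or '00-00-02-01-01-02' -> b'000002010102' (assumed form)."""
    return mac.lower().replace(":", "").replace("-", "").encode()


def mab_user_password(mac: str, shared_key: bytes, random_value: bytes) -> bytes:
    """Device side: the value placed in the User-Password attribute."""
    return hashlib.md5(normalise_mac(mac) + shared_key + random_value).digest()


def radius_verify_mab(mac: str, shared_key: bytes, random_value: bytes,
                      received_user_password: bytes) -> bool:
    """Server side: recompute from the saved MAB user and compare in constant time."""
    expected = mab_user_password(mac, shared_key, random_value)
    return secrets.compare_digest(expected, received_user_password)


# --- EAP-MD5 (RFC 3748 s.5.4): Value = MD5(Identifier || password || challenge) ---

def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client side (step 7): the Value field of EAP-Response/MD5-Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def radius_verify_eap_md5(identifier: int, stored_password: bytes,
                          challenge: bytes, received_value: bytes) -> bool:
    """Server side (step 9): recompute from the stored password and compare."""
    expected = eap_md5_response(identifier, stored_password, challenge)
    return secrets.compare_digest(expected, received_value)


def eap_md5_exchange(username: bytes, client_password: bytes,
                     user_db: Dict[bytes, bytes]) -> bool:
    """Steps 5-9 of the dot1x exchange in one place: the server looks the user up,
    issues a fresh random challenge, the client answers, the server verifies."""
    stored = user_db.get(username)             # step 5: database lookup
    if stored is None:
        return False                           # unknown user -> Access-Reject
    identifier = 0x2A                          # EAP Identifier of this round trip (assumed)
    challenge = os.urandom(16)                 # step 5: random MD5 challenge
    response = eap_md5_response(identifier, client_password, challenge)   # step 7
    return radius_verify_eap_md5(identifier, stored, challenge, response)  # step 9


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                              candidates: List[bytes]) -> Optional[bytes]:
    """What an eavesdropper on the LAN can do: the challenge and response are
    both visible, so every candidate password can be tested at MD5 speed with
    no further interaction with the device or the server."""
    for guess in candidates:
        if eap_md5_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    users = {b"alice": b"correct horse battery"}            # constructed sample account
    print("dot1x accept:", eap_md5_exchange(b"alice", b"correct horse battery", users))
    print("dot1x reject:", eap_md5_exchange(b"alice", b"wrong", users))
    chal = os.urandom(16)
    captured = eap_md5_response(0x2A, b"winter2024", chal)  # sniffed from the LAN
    print("offline recovery:", offline_dictionary_attack(0x2A, chal, captured,
                                                         [b"summer2024", b"winter2024"]))
```

The attack function is the reason a practitioner should treat EAP-MD5 as a weak method and prefer a TLS-tunnelled EAP method where the client supports it; the MAB functions show why MAB is an identification step rather than an authentication of the terminal.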
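The RADIUS Authentication Servers section (primary/secondary selection with switch-back), the Escape Mechanism section (consecutive probe timeouts, recovery after two responses, re-authentication of escaped users) and the two timer recommendations for timeout entries all describe state machines in prose. The following added example models them so the edge cases can be exercised; it is written for this page and is not the device's code. The probe-result encoding, the class and method names, and the thresholds used in the demonstration are assumptions.

```python
"""Added example: a model of the server selection, escape-state tracking and
timer checks described in the guide. Names, thresholds and the probe-result
encoding ('accept' / 'reject' / 'timeout') are assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

MAX_SERVERS = 4   # the guide: up to four servers can be added


@dataclass
class RadiusServer:
    address: str
    primary: bool = False
    up: bool = True   # maintained by the probe; assumed up until probed down


class RadiusServerGroup:
    """Primary/secondary mode: an explicitly designated primary wins, otherwise
    the first server configured is primary; secondaries rank by configuration order."""

    def __init__(self) -> None:
        self.servers: List[RadiusServer] = []

    def add(self, address: str, role: Optional[str] = None) -> None:
        if len(self.servers) >= MAX_SERVERS:
            raise ValueError("up to four servers can be configured")
        server = RadiusServer(address, primary=(role == "primary"))
        if role is None and not self.servers:
            server.primary = True          # first server added becomes the primary
        if server.primary:
            for other in self.servers:     # only one primary at a time
                other.primary = False
        self.servers.append(server)

    def select(self) -> Optional[RadiusServer]:
        """Highest-priority 'up' server. Because this is recomputed on every
        call, a higher-priority server that comes back up is preferred again."""
        ranked = sorted(enumerate(self.servers), key=lambda p: (not p[1].primary, p[0]))
        for _, server in ranked:
            if server.up:
                return server
        return None                        # every server is down


class EscapeMonitor:
    """Tracks the test-user probe. Any response (accept or reject) counts as
    'server working'; only the absence of a response is a timeout."""

    def __init__(self, timeout_count: int = 3, recover_count: int = 2) -> None:
        self.timeout_count = timeout_count
        self.recover_count = recover_count
        self.consecutive_timeouts = 0
        self.consecutive_responses = 0
        self.server_abnormal = False
        self.escape_users: Set[str] = set()

    def record_probe(self, result: str) -> Optional[str]:
        """Returns 'down' or 'recovered' on a state transition, otherwise None."""
        if result == "timeout":
            self.consecutive_timeouts += 1
            self.consecutive_responses = 0
            if not self.server_abnormal and self.consecutive_timeouts >= self.timeout_count:
                self.server_abnormal = True
                return "down"
        elif result in ("accept", "reject"):
            self.consecutive_responses += 1
            self.consecutive_timeouts = 0
            if self.server_abnormal and self.consecutive_responses >= self.recover_count:
                self.server_abnormal = False
                return "recovered"
        else:
            raise ValueError(f"unknown probe result {result!r}")
        return None

    def authenticate(self, mac: str, server_answer: Optional[bool]) -> str:
        """Outcome for a user attempting authentication now. server_answer is
        True/False for Access-Accept/Reject and None when the server is silent."""
        if self.server_abnormal:
            self.escape_users.add(mac)     # fail-open: admitted without credentials
            return "escape"
        if server_answer is None:
            return "timeout"               # entry kept for timeout-user re-authentication
        return "authenticated" if server_answer else "rejected"

    def reauthenticate_escaped(self, credentials_ok: Callable[[str], bool]) -> Dict[str, str]:
        """After recovery: every escape user is re-authenticated; failures are disconnected."""
        outcome = {mac: ("authenticated" if credentials_ok(mac) else "disconnected")
                   for mac in sorted(self.escape_users)}
        self.escape_users.clear()
        return outcome


def check_timers(aging_time: int, reauth_count: int, reauth_period: int,
                 probe_count: int, probe_interval: int) -> List[str]:
    """The two inequalities the guide recommends for timeout-user entries."""
    warnings = []
    if aging_time <= reauth_count * reauth_period:
        warnings.append("aging time must exceed reauth count x reauth period")
    if aging_time <= probe_count * probe_interval:
        warnings.append("aging time must exceed probe count x probe interval")
    return warnings
```

Running through the transitions in a test rather than on a live switch makes the fail-open window concrete: every user admitted between the last good probe and the recovery is an escape user, and only the re-authentication after recovery removes the ones without valid credentials.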
