IEEE 802.1X
packetlife.net

802.1X Header

  Field    Size (bytes)
  Version  1
  Type     1
  Length   2
  EAP      encapsulated EAP packet

EAP Header

  Field       Size (bytes)
  Code        1
  Identifier  1
  Length      2
  Data        variable

Terminology

Extensible Authentication Protocol (EAP)
  A flexible authentication framework defined in RFC 3748
EAP Over LANs (EAPOL)
  EAP encapsulated by 802.1X for transport across LANs
Supplicant
  The device (client) attached to an access link that requests authentication by the authenticator
Authenticator
  The device that controls the status of a link; typically a wired switch or wireless access point
Authentication Server
  A backend server which authenticates the credentials provided by supplicants (for example, a RADIUS server)
Guest VLAN
  Fallback VLAN for clients not 802.1X-capable
Restricted VLAN
  Fallback VLAN for clients which fail authentication

EAP Flow Chart

  Supplicant <-- EAP --> Authenticator <-- RADIUS --> Authentication Server

  Authenticator -> Supplicant             Identity Request
  Supplicant -> Authenticator             Identity Response
  Authenticator -> Authentication Server  Access Request
  Authentication Server -> Authenticator  Access Challenge
  Authenticator -> Supplicant             Challenge Request
  Supplicant -> Authenticator             Challenge Response
  Authenticator -> Authentication Server  Access Request
  Authentication Server -> Authenticator  Access Accept
  Authenticator -> Supplicant             Success

802.1X Packet Types

  0  EAP Packet
  1  EAPOL-Start
  2  EAPOL-Logoff
  3  EAPOL-Key
  4  EAPOL-Encap-ASF-Alert

EAP Codes

  1  Request
  2  Response
  3  Success
  4  Failure

EAP Req/Resp Types

  1    Identity
  2    Notification
  3    Nak
  4    MD5 Challenge
  5    One Time Password
  6    Generic Token Card
  254  Expanded Types
  255  Experimental

Interface Defaults

  Max Auth Requests   2
  Reauthentication    Off
  Quiet Period        60s
  Reauth Period       1hr
  Server Timeout      30s
  Supplicant Timeout  30s
  Tx Period           30s

Port-Control Options

force-authorized
  Port will always remain in authorized state (default)
force-unauthorized
  Always unauthorized; authentication attempts are ignored
auto
  Supplicants must authenticate to gain access

Configuration

Global Configuration

  ! Define a RADIUS server
  radius-server host 10.0.0.100
  radius-server key MyRadiusKey
  ! Configure 802.1X to authenticate via AAA
  aaa new-model
  aaa authentication dot1x default group radius
  ! Enable 802.1X authentication globally
  dot1x system-auth-control

Interface Configuration

  ! Static access mode
  switchport mode access
  ! Enable 802.1X authentication per port
  dot1x port-control auto
  ! Configure host mode (single or multi)
  dot1x host-mode single-host
  ! Configure maximum authentication attempts
  dot1x max-reauth-req
  ! Enable periodic reauthentication
  dot1x reauthentication
  ! Configure a guest VLAN
  dot1x guest-vlan 123
  ! Configure a restricted VLAN
  dot1x auth-fail vlan 456
  dot1x auth-fail max-attempts 3

Troubleshooting

  show dot1x [statistics] [interface <interface>]
  dot1x test eapol-capable [interface <interface>]
  dot1x re-authenticate interface <interface>

by Jeremy Stretch
v2.0
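Added example, not part of the PacketLife cheat sheet: a small decoder for the 802.1X (EAPOL) and EAP headers laid out above, using the packet type, EAP code and EAP Req/Resp type tables from this sheet. The sample frames are constructed; the decoder rejects frames whose Length fields claim more bytes than were received, which is the check a capture tool or IDS needs before trusting the rest of the packet.

```python
import struct

# Lookup tables taken from the cheat sheet
EAPOL_TYPES = {0: "EAP Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encap-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5 Challenge",
             5: "One Time Password", 6: "Generic Token Card",
             254: "Expanded Types", 255: "Experimental"}


def parse_eapol(frame: bytes) -> dict:
    """Decode the 802.1X header (Version 1, Type 1, Length 2); decode the EAP body for type 0."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) < length:
        raise ValueError("EAPOL Length exceeds bytes received")  # truncated or malformed
    pkt = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
           "length": length}
    if ptype == 0:  # only "EAP Packet" carries an EAP header
        pkt["eap"] = parse_eap(body)
    return pkt


def parse_eap(body: bytes) -> dict:
    """Decode the EAP header (Code 1, Identifier 1, Length 2, Data)."""
    if len(body) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP Length")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    # Only Request (1) and Response (2) carry a Type byte; Success/Failure have no Data.
    if code in (1, 2) and length >= 5:
        t = body[4]
        eap["type"] = EAP_TYPES.get(t, f"unknown({t})")
        eap["data"] = body[5:length]
    return eap


# Constructed samples (EAPOL version 1)
SAMPLE_REQ = bytes([1, 0, 0, 5, 1, 1, 0, 5, 1])                 # EAP-Request/Identity, id 1
SAMPLE_RESP = bytes([1, 0, 0, 9, 2, 1, 0, 9, 1]) + b"user"      # EAP-Response/Identity "user"
SAMPLE_START = bytes([1, 1, 0, 0])                              # EAPOL-Start, no body
```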