
Yan Linn Aung asked a question.

Hi guys,
Do you know about dot1x authentication?

Zaw Min Htann Lab . aaa server .. portable ekon
.. security .. AAA
create user Port access .. MAC bind username , password
..situation login login

MAC PC clone ..
Zaw Min Htann NUS Student Campus Network . ..
dot1x ..
Kyaw Wai Yan Tun The stretch from packetlife explains this very well. You might want to check it.
Zay Yar Phyoe Dot1x is usually used to control network access at the switch port level. There are a few ways you can use it:
username/password, computer name, certificate. The basic concept is: when a device connects to a switch, the switch sends
the device a challenge using the EAP protocol; when it receives a reply from the device, it forwards it to the RADIUS server for
authentication. The server verifies the credentials and replies with an access-accept together with other attributes such as
VLAN ID, access list, etc. There are a lot of applications that you can use dot1x for. In Cisco, the RADIUS server will be either ACS
or ISE.
Zay Yar Phyoe Dot1x implementations are usually very policy driven. How it is deployed differs from one company to
another.

Here is the flow chart of the dot1x that we deployed on one project. This is just one scenario.

The dot1x authentication process of the wired network is as follows.
1. Client connects to the switch port.
2. Switch checks the dot1x capability of the device.
3. Switch requests the identity of the client if the device is dot1x capable. The device is assigned to the Guest VLAN if dot1x is
not supported.
4. The machine replies with a response packet containing a machine identity and the switch forwards the packet to RADIUS.
5. If the authentication succeeded, the RADIUS server sends an accept packet to the switch together with the VLAN name and the
machine is assigned to the dummy network.
6. The user then logs in with username/password credentials and the machine reinitiates the dot1x authentication process. The
switch forwards the packet containing the user identity to the RADIUS server.
7. If the authentication succeeded, the RADIUS server sends an accept packet to the switch together with the VLAN name and the
machine is assigned to the dummy network. If the authentication failed, the RADIUS server sends a fail response to the switch.
8. If the authentication was successful, the switch places the port into the authorized state and assigns it to the respective VLAN. If
the authentication failed, the switch repeats the process 2 more times before it finally puts the client into the guest VLAN.

After successful authentication, the port will be in the forwarding state for 60 minutes and when that expires, the switch will block the port.
However, the switch asks the client to provide the credentials again for re-authentication before it blocks the port, so that it will
not affect the current session.

Note: Client devices need to be configured to use Windows login credentials for dot1x login to enjoy seamless network

Phyo Htet Aung Bro Zay Yar Phyoe, is it possible to integrate Microsoft AD as the RADIUS server rather than ACS?
Can we prefer local AAA to an external RADIUS server in case of RADIUS server failure, or if the client is a wireless AP?
Zay Yar Phyoe Yes, it is possible. But it depends on how well you can configure Microsoft AD as a RADIUS server. You can
definitely use it as a basic authentication server. But it will be difficult to implement most of the dot1x functions, as there is
not enough documentation for that. I have never tried it before.

On the second question, you can configure the switch to use the critical VLAN feature if reachability to the external RADIUS server is
lost. If we're talking about dot1x, I don't think we can use a switch as both authenticator and authentication server.
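The switch side of the flow Zay Yar Phyoe describes above (guest VLAN for non-dot1x clients, two more attempts before the guest VLAN, 60-minute re-authentication) together with the critical VLAN fallback from this reply, written up as an added Cisco IOS example; it is not configuration from the thread or from the project described. The interface, VLAN numbers, RADIUS address and shared secret are placeholders, and the dummy/final VLAN decisions (machine vs. user authentication) live in the ACS/ISE policy that returns them in the Access-Accept, not on the switch.

```cisco
! Global AAA: authenticate dot1x against RADIUS and accept the
! authorization attributes (VLAN name/ID, ACL) carried in the Access-Accept.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! RADIUS server (ACS or ISE). Address and shared secret are placeholders.
radius server ISE-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Dead-server detection, so the "server dead" event below can actually fire.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 authentication port-control auto
 ! Step 3: no EAPOL answer at all -> device is not dot1x capable -> guest VLAN 100.
 authentication event no-response action authorize vlan 100
 ! Step 8: after a failure, retry twice more, then fall back to the guest VLAN.
 authentication event fail retry 2 action authorize vlan 100
 ! Critical VLAN: RADIUS unreachable -> keep the port usable in VLAN 200,
 ! and re-run dot1x as soon as a server is reachable again.
 authentication event server dead action authorize vlan 200
 authentication event server alive action reinitialize
 ! Re-authenticate every 60 minutes (3600 s) in place, without dropping the
 ! existing session first.
 authentication periodic
 authentication timer reauthenticate 3600
 ! EAP Request/Identity retransmits before the "no-response" event applies.
 dot1x max-reauth-req 2
 dot1x timeout tx-period 10
 spanning-tree portfast
```

The VLAN the port ends up in after steps 5 and 7 comes from the RADIUS reply (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes), so check the server policy, not the interface, when a host lands in the wrong VLAN.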
Lin Lin Oo Dot1x is a port-based authentication protocol. The 802.1X standard defines a client-server-based access
control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible
ports. The authentication server authenticates each client connected to a switch port before making available any services
offered by the switch or the LAN.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL)
traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through
the port. You should use a RADIUS server for authentication of clients. Clients should support
802.1X. (Cisco link)