A simple wired 802.1X lab - PacketLife.net
http://packetlife.net/blog/2008/aug/06/simple-wired-8021x-lab/

A simple wired 802.1X lab
By stretch (/users/stretch/) | Wednesday, August 6, 2008 at 2:18 a.m. UTC

IEEE 802.1X (http://en.wikipedia.org/wiki/802.1X) is a very cool security feature. It was developed to provide real security for wired and wireless networks at layer two. A client connected to an 802.1X-protected port can't send any traffic other than EAP to the switch until he successfully authenticates with the proper credentials or certificate. This article demonstrates how you can set up a simple 802.1X lab using a Windows XP-based client and RADIUS server.

802.1X Operation

A network switch acts as the middleman between an authenticating client and an authentication server. The switch implements two protocols: EAP (http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol) is used to communicate with the client at the network perimeter, while RADIUS (http://en.wikipedia.org/wiki/RADIUS) is used to relay authentication details to the server inside the network. EAP offers a number of authentication mechanisms, but our setup will use simple username/password authentication with an MD5 challenge. The flow of a successful authentication is illustrated here:
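The MD5-challenge exchange described above, as an added example that is not part of the original post: the authenticator sends an EAP-Request/MD5-Challenge, the supplicant answers with MD5(Identifier || password || challenge), and the RADIUS server recomputes that hash from the password it stores in cleartext and compares. Packet layout follows RFC 3748 and the hash follows RFC 1994; the challenge, identifier and password values are constructed for the example.

```python
import hashlib
import hmac
import struct

# EAP codes and the MD5-Challenge method type (RFC 3748, sections 4 and 5.4)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4

def build_md5_challenge(identifier, challenge):
    """Authenticator -> supplicant: EAP-Request/MD5-Challenge carrying a random challenge."""
    type_data = bytes([len(challenge)]) + challenge  # Value-Size, Value
    return struct.pack("!BBHB", EAP_REQUEST, identifier, 5 + len(type_data), EAP_TYPE_MD5) + type_data

def md5_response_value(identifier, password, challenge):
    """CHAP-style proof: MD5(Identifier || password || challenge) (RFC 1994, section 4.1)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def build_md5_response(identifier, password, challenge, name=b""):
    """Supplicant -> authenticator: EAP-Response/MD5-Challenge echoing the request Identifier."""
    value = md5_response_value(identifier, password, challenge)
    type_data = bytes([len(value)]) + value + name  # Value-Size, Value, Name
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(type_data), EAP_TYPE_MD5) + type_data

def parse_eap(pkt):
    """Split an EAP packet into (code, identifier, type, type_data), honouring the Length field."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 5 or length > len(pkt):
        raise ValueError("bad EAP Length field")
    return code, identifier, pkt[4], pkt[5:length]

def verify_md5_response(request, response, password):
    """RADIUS-server side: recompute the hash from the cleartext password and compare it."""
    r_code, r_id, r_type, r_data = parse_eap(request)
    s_code, s_id, s_type, s_data = parse_eap(response)
    if (r_code, r_type, s_code, s_type) != (EAP_REQUEST, EAP_TYPE_MD5, EAP_RESPONSE, EAP_TYPE_MD5):
        return False
    if s_id != r_id or not r_data or not s_data:  # response must answer this exact challenge
        return False
    challenge, value = r_data[1:1 + r_data[0]], s_data[1:1 + s_data[0]]
    if len(challenge) != r_data[0] or s_data[0] != 16 or len(value) != 16:
        return False
    return hmac.compare_digest(md5_response_value(r_id, password, challenge), value)

# Constructed sample exchange (not a capture from the lab): 16-byte challenge, identifier 0x2a.
CHALLENGE = bytes(range(0x10, 0x20))
REQUEST = build_md5_challenge(0x2a, CHALLENGE)
RESPONSE = build_md5_response(0x2a, b"labpass", CHALLENGE, name=b"labuser")
```

Because the server can only verify by recomputing the hash, EAP-MD5 requires the user's password to be stored in cleartext (or reversibly) on the RADIUS server, and the exchange itself gives the supplicant no way to authenticate the network.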
force-authorized - No 802.1X authentication is used (this is the default setting, to prevent service interruption while deploying 802.1X)
force-unauthorized - Ignores authentication attempts; the port is always unauthorized
You can use the show dot1x command to verify the configuration of your client-facing interface:
Switch# show dot1x interface g0/12
Supplicant MAC
AuthSM State = N/A
BendSM State = N/A
PortStatus = N/A
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
PortControl = Auto
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
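An added example (not from the original post) that parses show dot1x output in the format shown above and flags the port-control modes and settings just described that leave a port weaker than the lab's intended configuration. The sample output is constructed to mirror the fields above, with PortControl deliberately set to force-authorized so the check has something to report; the field names are those in the output, the checks are my own.

```python
import re

# Constructed sample, modelled on the show dot1x output above (not a capture from the lab switch).
SAMPLE = """\
Switch# show dot1x interface g0/12
Supplicant MAC
   AuthSM State = N/A
   BendSM State = N/A
PortStatus = N/A
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
PortControl = Force-Authorized
QuietPeriod = 60 Seconds
Re-authentication = Disabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
"""

# Matches 'Name = Value'; several pairs may share one line and unit words like 'Seconds' are left behind.
_FIELD = re.compile(r"([A-Za-z][A-Za-z\- ]*?)\s*=\s*(\S+)")

def parse_dot1x(text):
    """Collect the 'Name = Value' pairs of a show dot1x interface listing into a dict."""
    fields = {}
    for line in text.splitlines():
        for name, value in _FIELD.findall(line):
            fields[name.strip()] = value
    return fields

def audit_dot1x(fields):
    """Return the settings that leave the port weaker than the lab's 'auto' configuration."""
    findings = []
    if fields.get("PortControl", "").lower() != "auto":
        findings.append(f"PortControl={fields.get('PortControl')}: only 'auto' enforces 802.1X "
                        "(force-authorized skips authentication, force-unauthorized blocks the port)")
    if fields.get("Re-authentication", "").lower() == "disabled":
        findings.append("Re-authentication disabled: an authorized session is never revalidated")
    if fields.get("HostMode", "").lower() != "single":
        findings.append(f"HostMode={fields.get('HostMode')}: more than one host may share the authorized port")
    if fields.get("Guest-Vlan", "0") != "0":
        findings.append(f"Guest-Vlan={fields['Guest-Vlan']}: unauthenticated clients are still placed in this VLAN")
    return findings
```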
Client Configuration
The last element to configure is the supplicant software on the client. If your client is currently connected, unplug it
temporarily before continuing (reconnecting after the configuration has been completed will make it easier to observe
the 802.1X behavior). For my lab, I used a Windows XP box with SP2.
To enable the Windows 802.1X service, open Services from the control panel, and select and start the Wireless Zero
Configuration service. ("But isn't this a wired connection?" I hear you ask. Thank you, Microsoft.) (Edit: Wired 802.1X
is enabled by a separate service, Wired AutoConfig, in XP SP3. Thanks to Dude for pointing this out!) Next, open
Network Connections from the control panel and open the Connection Properties dialog for the adapter you're
using. You should have an Authentication tab within this window; if not, the 802.1X service isn't running and you'll
need to do some troubleshooting.
@Robert: ip routing is only needed if you set up your lab like I did, with a multilayer switch separating two subnets.
Robert (guest)
August 7, 2008 at 5:17 a.m. UTC
Thanks. I'll read a little more before I post next time. Glad there's other people out there using dot1x and guest vlans
Marcus. If you do cover guest vlans please try and cover auth-fail vlans as well.
Watch out for Bug ID CSCsc06286 if you have an older IOS. It didn't make it into any of the release notes. The biggest
problem we faced with dot1x in production was re-imaging computers. I've documented our solution, if you are
interested I could email the doc.
Thanks for the postings I enjoy reading the blog.
Dinger (guest)
August 7, 2008 at 1:31 p.m. UTC
How much tweaking is necessary to allow your Windows credentials to be sent without your interaction, so that 802.1X authentication would occur transparently?
zlobb (guest)
August 7, 2008 at 4:07 p.m. UTC
Good Post.
The dynamic VLAN assignment function is neat (works with FreeRADIUS as well). It's almost always pleasant to assign
VLANs based on user login instead of a MAC address.
Jacob (guest)
August 9, 2008 at 3:34 a.m. UTC
Have you tried to do this using certificates? I tried awhile back with a large number of Windows XP supplicants and it
was somewhat unreliable. Just wondering if anyone has had better luck.
Florin (guest)
August 10, 2008 at 1:03 p.m. UTC
Hi, I have a strange problem. I do not have the Authentication tab in my LAN adapter properties. I have only General
and Advanced. I have enabled WZC in the registry. It is a wired LAN. Thanks
Dude (guest)
August 14, 2008 at 7:37 a.m. UTC
I had the same issue. In SP3 there is a separate service called "Wired AutoConfig" for wired connections. It is not
started by default. Just enable it.
Florin (guest)
August 18, 2008 at 7:58 p.m. UTC
Thanks. It's working.
Hi. Could you please explain to me how to configure a Linux PC as an authentication server for TLS certificates?
802.1X authentication works fine when I tried it with MD5 authentication (i.e. by configuring a username and password).
-RaMs
shvin (/users/shvin/)
October 16, 2010 at 10:12 a.m. UTC
Hi, my LAN card does not support 802.1X. How can I add the Authentication tab on the LAN card? Help me please.
A guest
September 6, 2011 at 7:11 p.m. UTC
Thanks
shoaib (guest)
September 27, 2011 at 8:14 a.m. UTC
Word of caution: EAP-MD5 is very easy to configure and works like a charm, but its support is limited in Windows 7. The
options in Windows 7 are MS PEAP, Cisco LEAP, Cisco PEAP, EAP-FAST, EAP-TTLS. Almost all of them require a
secure channel between RADIUS and the NAS, i.e. the switch. This is based on certificates.
Configuring that on FreeRadius is challenging.
I am currently working on it as part of my job (yes). Once I am done, I will post a step-by-step How-TO. The idea is that
each client/laptop should have a certificate and the user should be able to use Windows credentials either manually or it
should be automatic.
buczo (guest)
May 10, 2012 at 7:50 a.m. UTC
@shoaib, did you do it? Is there a How-TO anywhere about WinXP/WinVista/Win7 + Active Directory + Cisco + 802.1X and
transparent PKI?
Nagarushi (guest)
July 13, 2012 at 5:59 p.m. UTC
Hi,
is there any tool which can simulate machine authentication? I want to simulate 1000 machine authentication requests.
Hi, is there a way to authenticate with 802.1X and Windows Server RADIUS only PCs joined to the domain?
My goal is to block domain users who want to connect their own PCs to my office's LAN and who (of course) have a valid login. These
users can come into the office with their PCs, enable 802.1X, enter their user name and password in the pop-up, and their personal PC is
authenticated.
The best solution would be to authenticate PCs already joined to the domain, and allow the pop-up only for the group of admin users in the
domain, not the normal ones.
Has anyone tried this setup?
rsccom24 (guest)
April 18, 2013 at 1:03 p.m. UTC
@shvin
Sorry for the late response, but just for documentation...
You can add the Authentication tab as follows:
go to Services and start the service "Wired AutoConfig".
shomi (guest)
September 18, 2013 at 2:50 a.m. UTC
How is it possible that the RADIUS server grants authentication when the password is sent as an MD5 hash, while usernames/passwords are configured in plain text on the server?
Is there a setting in your cfg file that lists MD5 as the default?
Also, what would happen if the supplicant client is connected to a shared network segment? Would successful
authentication of one client imply access for other computers connected to the segment?
Great post.
Thanks.
shantia (guest)
November 16, 2013 at 7:41 a.m. UTC
Thank you. It is a very nice post.
Anil Kumar A (guest)
December 27, 2013 at 4:10 a.m. UTC
Very nice. Please add packet transactions when client sends wrong credentials and add GUEST_VLAN,
SERVER_FAIL_VLAN and SERVER_REJECT_VLAN info as well.
krishna kanth (guest)
July 15, 2014 at 7:06 a.m. UTC
It's very helpful. Thanks a lot...