这篇文档是我当时部署 CHEVRON 中国区 802.

1X 的设计实施文档, 由本人领导项目, 带领团

队执行, 事后书写成文. 每个企业环境不尽相同, 大家可供参考!

请关注李桃梅微信公众号查看更多下载资源和原创文章
 802.1x Authentication

Li, Taomei Ryan

Published: August 26, 2012

Latest Update: May 24, 2015
Revision Number: 6.0

© 2015 Chevron Corporation. All Rights Reserved

802.1x Authentication ii
Contents
Understanding IEEE 802.1x Port-Based Authentication ..................................................... 1
Why Does Chevron Need 802.1x? ...................................................................................... 3
The Components of 802.1x for Chevron ............................................................................. 4
Configure GIL3 Computer for 802.1x Authentication ......................................................... 5
What Credentials Will be Used for the 802.1x Authentication? ........................................ 7
Configure Authentication Server (SBR) ............................................................................. 14
Configure Switch for 802.1x Authentication .................................................................... 18
802.1x Authentication and Switch Stacks ......................................................................... 20
IEEE 802.1x Authentication with Voice VLAN Ports .......................................................... 21
Supporting 802.1x on Cisco Unified IP Phones ................................................................. 22
802.1x Authentication with Inaccessible Authentication Bypass ..................................... 24
Configuring Backup RADIUS Server .................................................................................. 27
Configuring Periodic Re-Authentication ........................................................................... 28
Configuring Port Security .................................................................................................. 29
Deploy 802.1x on Router 1811 ......................................................................................... 32
Troubleshooting 802.1x with VMware ............................................................................. 35
Appendix ........................................................................................................................... 38

NOTE
Some of following contents are quoted from CISCO/VMware official production documentation
which all copyrights reserved by CISCO/VMware.

i
Understanding IEEE 802.1x Port-Based Authentication
The 802.1x standard defines a client-server-based access control and authentication protocol
that prevents unauthorized clients from connecting to a LAN through publicly accessible ports
unless they are properly authenticated. The authentication server authenticates each client
connected to a switch port before making available any services offered by the switch or the
LAN.

Until the client is authenticated, 802.1x access control allows only Extensible Authentication
Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP)
traffic through the port to which the client is connected. After authentication is successful,
normal traffic can pass through the port.

• Supplicant —the device (workstation) that requests access to the LAN and switch services and
responds to requests from the switch. The workstation must be running 802.1x-compliant client
software such as that offered in the Microsoft Windows XP operating system. (The client is the
supplicant in the 802.1x standard.)

• Authenticator (edge switch or wireless access point)—controls the physical access to the
network based on the authentication status of the client. The switch acts as an intermediary
(proxy) between the client and the authentication server, requesting identity information from
the client, verifying that information with the authentication server, and relaying a response to
the client. The switch includes the RADIUS client, which is responsible for encapsulating and
decapsulating the EAP frames and interacting with the authentication server. (The switch is the
authenticator in the 802.1x standard.)
When the switch receives EAPOL frames and relays them to the authentication server, the
Ethernet header is stripped, and the remaining EAP frame is re-encapsulated in the RADIUS
format. The EAP frames are not modified during encapsulation, and the authentication server
must support EAP within the native frame format. When the switch receives frames from the
authentication server, the server’s frame header is removed, leaving the EAP frame, which is
then encapsulated for Ethernet and sent to the client.

802.1x Authentication 1
• Authentication server —performs the actual authentication of the client. The authentication
server validates the identity of the client and notifies the switch whether or not the client is
authorized to access the LAN and switch services. Because the switch acts as the proxy, the
authentication service is transparent to the client. In this release, the RADIUS security system
with Extensible Authentication Protocol (EAP) extensions is the only supported authentication
server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates
in a client/server model in which secure authentication information is exchanged between the
RADIUS server and one or more RADIUS clients.

The devices that can act as intermediaries include the Catalyst 3750-X, Catalyst 3750-E, Catalyst
3750, Catalyst 3650-X, Catalyst 3560-E, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst
2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These
devices must be running software that supports the RADIUS client and 802.1x authentication.

802.1x Authentication 2
Why Does Chevron Need 802.1x?
By implementing 802.1x, we can restrict unauthorized devices from connecting to the LAN port
and prevent unauthorized access into the Chevron network.
At 3rd party sites, JV sites, and other offices that have publicly accessible locations, there is a
risk of unauthorized access to the Chevron network by connecting to a LAN port.

802.1x Authentication 3
The Components of 802.1x for Chevron
The components of 802.1x are:

 Supplicant - Native Vista EAP supplicant on the GIL3 computer

 Authenticator – 802.1X enabled closet Switch
 Authentication Server – Steel Belted RADIUS (SBR)

802.1x Authentication 4
Configure GIL3 Computer for 802.1x Authentication
By installing GIL Desktop Utility - Version 2.0 - 802.1X Enable package AIR ID 71314 on the GIL
Options Panel (GOP).

Note
GIL Production Release 3.006 (or above) will include this package.

802.1x Authentication 5
After you install the package, you will find your Ethernet NIC has a more label –
“Authentication” as below figure. That means your computer had already has 802.1x function.

Please mind every items following are exactly same as your computer.

802.1x Authentication 6
What Credentials Will be Used for the 802.1x
Authentication?
 Machine certificate will be used for the 802.1x authentication.
 Authentication will be completely transparent to the user
 No action will be required from the user.

By default, Machine certificates have already been loaded into all GIL3 machines when built it.
You can follow below steps to check your computer’s certificate:

1. Click Start, type mmc in start search bar, use !Bang Account run mmc.exe.
Note that to view certificates in the local machine store, you must be in the Administrator role.

802.1x Authentication 7
 2. On the File menu, click Add/Remove Snap-in.

3. Under Snap-in, double-click Certificates.

802.1x Authentication 8
 4. Click Computer account, and then click Next.
Click Local computer, and then click Finish.

802.1x Authentication 9
 5. Certificates (Computer Name) appears on the list of selected snap-ins for the new
console, and then click OK.

802.1x Authentication 10
 6. And you will see local computer certificate as below.

802.1x Authentication 11
 7. Double click the local computer certificate to see the detail information.
Verify expire date.

If you can see the certificate as above, which means the computer has been loaded the
certificate successful.

If NOT, Please follow below steps install the certificate manually.

802.1x Authentication 12
There are 2 options to trigger an enrollment, both require administrator rights (!Bang Account)
and need to be executed in administrator context:

1) Execute “gpupdate /force “with !Bang Account in CMD.

It will take a minute or so to enroll.

2) Use the MMC (more deterministic)

a. Open MMC.exe with !Bang Account.
b. On the File menu, click Add/Remove Snap-in.
c. Under Snap-in, double-click Certificates.
d. Click Computer account, and then click Next.
Click Local computer, and then click Finish.
e. Certificates (Computer Name) appears on the list of selected snap-ins for the
new console, and then click OK.
f. On the top level (Certificates), right-click and under “All Tasks”, select
“Automatically Enroll and Retrieve Certificates”
g. If the above wizard does not show any certificates available, then you already
have a certificate or the computer has no rights to enroll a certificate (non CT
systems may experience this).
h. Expand Personal\Certificates to check the certificate was enrolled.
i. If not, then you need to submit a helpdesk request to get US team for manual
enrollment.

802.1x Authentication 13
Configure Authentication Server (SBR)
1. Launch SBR client and log in. Select “RADIUS Clients”,
then press “Add” button, enter the information.

802.1x Authentication 14
 2. Log in SBR with GUI. Select “Configure > Radius Advanced”

Select “General Configuration > proxy.ini > Download”

Add below commands to proxy.ini , then Upload.

[AuthAttributeMap]
EAP-TLS
Nas-IP-Address = 1.1.1.1

802.1x Authentication 15
802.1x Authentication 16
 Restart the Services:
Select “Operations > Advanced Operations > Start/Stop Services”

Find the “Steel-Belted Radius” Service and click

Stop and Start Service

802.1x Authentication 17
Configure Switch for 802.1x Authentication

aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
radius-server host 2.2.2.2 auth-port 1645 acct-port 1646
radius-server timeout 10
radius-server key test
!
interface GigabitEthernet1/0/13
switchport access vlan 101
switchport mode access
switchport voice vlan 201
dot1x port-control auto
dot1x pae authenticator
spanning-tree portfast
!
interface Vlan999
ip address 1.1.1.1 255.255.255.0
!
ip default-gateway 1.1.1.2
!
ip radius source-interface Vlan999 (Optional)

Note:
1. 2.2.2.2 is SBR’s ip address.
2. Data and Voice VLAN dependent on your network design.
3. The different IOS version has a slight different commands:
dot1x port-control auto = authentication port-control auto
4. radius-server key test
Make sure change a complicated key when you deploy in production.
5. ip radius source-interface Vlan999 (Optional)
Make sure the switch ip is matching with what has been configured in SBR.
802.1x Authentication 18
Switch 3750-E logging information:

 Connect a GIL-Computer to Gi1/0/13 port:

*Mar 1 01:18:35.504: %LINEPROTO-5-UPDOWN: Line protocol on Interface

GigabitEthernet1/0/13, changed state to down

*Mar 1 01:18:35.513: %AUTHMGR-5-START: Starting 'dot1x' for client (001d.7288.651c) on

Interface Gi1/0/13

*Mar 1 01:18:35.672: %DOT1X-5-SUCCESS: Authentication successful for client

(001d.7288.651c) on Interface Gi1/0/13

*Mar 1 01:18:35.672: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for

client (001d.7288.651c) on Interface Gi1/0/13

*Mar 1 01:18:35.689: %LINEPROTO-5-UPDOWN: Line protocol on Interface

GigabitEthernet1/0/13, changed state to up

*Mar 1 01:18:36.712: %AUTHMGR-5-SUCCESS: Authorization succeeded for client

(001d.7288.651c) on Interface Gi1/0/13

 Connect a Non-GIL-Computer to Gi1/0/13 port:

*Mar 1 01:58:46.994: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on

Interface Gi1/0/13

*Mar 1 01:58:46.994: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x'

for client (Unknown MAC) on Interface Gi1/0/13

*Mar 1 01:58:46.994: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown
MAC) on Interface Gi1/0/13

*Mar 1 01:58:46.994: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods

for client (Unknown MAC) on Interface Gi1/0/13

*Mar 1 01:58:46.994: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on

Interface Gi1/0/13

802.1x Authentication 19
802.1x Authentication and Switch Stacks
If a switch is added to or removed from a switch stack, 802.1x authentication is not affected as
long as the IP connectivity between the RADIUS server and the stack remains intact. This
statement also applies if the stack master is removed from the switch stack. Note that if the
stack master fails, a stack member becomes the new stack master by using the election process,
and the 802.1x authentication process continues as usual.

If IP connectivity to the RADIUS server is interrupted because the switch that was connected to
the server is removed or fails, these events occur:

 Ports that are already authenticated and that do not have periodic re-authentication
enabled remain in the authenticated state. Communication with the RADIUS server is
not required.
 Ports that are already authenticated and that have periodic re-authentication enabled
(with the dot1x re-authentication global configuration command) fail the authentication
process when the re-authentication occurs. Ports return to the unauthenticated state
during the re-authentication process. Communication with the RADIUS server is
required.
For an ongoing authentication, the authentication fails immediately because there is no
server connectivity.

If the switch that failed comes up and rejoins the switch stack, the authentications might or
might not fail depending on the boot-up time and whether the connectivity to the RADIUS
server is re-established by the time the authentication is attempted.

To avoid loss of connectivity to the RADIUS server, you should ensure that there is a redundant
connection to it. For example, you can have a redundant connection to the stack master and
another to a stack member, and if the stack master fails, the switch stack still has connectivity to
the RADIUS server.

For more information,

Please see the “Configuring IEEE 802.1x Port-Based Authentication”.

802.1x Authentication 20
IEEE 802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:

 VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP
phone connected to the port.
 PVID to carry the data traffic to and from the workstation connected to the switch
through the IP phone. The PVID is the native VLAN of the port.

The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port.
This allows the phone to work independently of IEEE 802.1x authentication.

A voice VLAN port becomes active when there is a link, and the device MAC address appears
after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from
other devices. As a result, if several IP phones are connected in series, the switch recognizes
only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice
VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.

When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is
equal to a voice VLAN.

For more information,

Please see the “Configuring IEEE 802.1x Port-Based Authentication”.

802.1x Authentication 21
Supporting 802.1x on Cisco Unified IP Phones
Cisco Unified IP phones and Cisco Catalyst switches have traditionally used Cisco Discovery
Protocol (CDP) to identify each other and to determine parameters such as VLAN allocation and
inline power requirements. However, CDP is not used to identify any locally attached PCs.
Therefore, Cisco Unified IP Phones provide an EAPOL pass-through mechanism, whereby a PC
locally attached to the IP phone may pass through EAPOL messages to the 802.1X authenticator
in the LAN switch. This capability prevents the IP phone from having to act as the authenticator,
yet allows the LAN switch to authenticate a data end point prior to accessing the network.

In conjunction with the EAPOL pass-through mechanism, Cisco Unified IP Phones provide a
proxy EAPOL-Logoff mechanism. If the locally attached PC is disconnected from the IP phone,
the LAN switch would not see the physical link fail, because the link between the LAN switch and
the IP phone is maintained. To avoid compromising network integrity, the IP phone sends an
EAPOL-Logoff message to the switch on behalf of the downstream PC, which triggers the LAN
switch to clear the authentication entry for the downstream PC.

The Cisco Unified IP phones contain an 802.1X supplicant in addition to the EAPOL pass-through
mechanism. This supplicant allows network administrators to control the connectivity of IP
phones to the LAN switch ports. The IP phone 802.1X supplicant implements the EAP-MD5
option for 802.1X authentication.

For more information,

Please see the “An Overview of the Cisco Unified IP Phone”.

Note:
1. Our IP Phones (7965 & 7945)’s IOS firmware has already supporting 802.1x.
Means they can send EAPLO-Logoff message to switch on behalf PC.
2. See below Switch 3750-E logging information.

802.1x Authentication 22
Switch 3750-E logging information:

*Mar 1 04:17:00.735: dot1x-packet(Gi1/0/13): Received an EAPOL frame

*Mar 1 04:17:00.735: dot1x-ev(Gi1/0/13): Received pkt saddr =0016.d32f.d56c , daddr =

0180.c200.0003,

pae-ether-type = 888e.0102.0000

*Mar 1 04:17:00.735: dot1x-packet(Gi1/0/13): Received an EAPOL-Logoff packet

*Mar 1 04:17:00.735: EAPOL pak dump rx

*Mar 1 04:17:00.735: EAPOL Version: 0x1 type: 0x2 length: 0x0000

*Mar 1 04:17:00.735: dot1x-sm(Gi1/0/13): Posting EAPOL_LOGOFF on Client 0xC200001D

*Mar 1 04:17:00.735: dot1x_auth Gi1/0/13: during state auth_authenticated,

Dot1x-Test-3750#got event 7(eapolLogoff)

*Mar 1 04:17:00.735: @@@ dot1x_auth Gi1/0/13: auth_authenticated -> auth_disconnected

*Mar 1 01:18:35.504: %LINEPROTO-5-UPDOWN: Line protocol on Interface

GigabitEthernet1/0/13, changed state to down

*Mar 1 01:18:35.513: %AUTHMGR-5-START: Starting 'dot1x' for client (001d.7288.651c) on

Interface Gi1/0/13

802.1x Authentication 23
802.1x Authentication with Inaccessible Authentication
Bypass
Use the inaccessible authentication bypass feature, also referred to as critical authentication or
the AAA fail policy, when the switch cannot reach the configured RADIUS servers and new hosts
cannot be authenticated. You can configure the switch to connect those hosts to critical ports.

When a new host tries to connect to the critical port, that host is moved to a user-specified
access VLAN, the critical VLAN. The administrator gives limited authentication to the hosts.

When the switch tries to authenticate a host connected to a critical port, the switch checks the
status of the configured RADIUS server. If a server is available, the switch can authenticate the
host. However, if all the RADIUS servers are unavailable, the switch grants network access to the
host and puts the port in the critical-authentication state, which is a special case of the
authentication state.

For more information,

Please see the “Configuring IEEE 802.1x Port-Based Authentication”.

Note:
1. Our solution is when the switch can’t reach the SBR, all users also can access the
network, so we configure the critical VLAN same as Data VLAN.
2. We’ve already tested and succeeded.
3. We decide to use New Commands support this feature.
4. See below detail commands.

802.1x Authentication 24
There are two kinds of commands support this feature:

C3750E-UNIVERSALK9-M 12.2(35)SE5 – Old Commands

radius-server dead-criteria time 4 tries 2

radius-server host 2.2.2.2 auth-port 1645 acct-port 1646 test user CHEVRON key test
!
dot1x critical eapol (Optional)
dot1x critical recovery delay 2000 (Optional)
!
interface GigabitEthernet1/0/13
switchport access vlan 101
switchport mode access
switchport voice vlan 201
dot1x critical
dot1x critical recovery action reinitialize
dot1x critical vlan 101
dot1x port-control auto
dot1x pae authenticator
spanning-tree portfast

C3750E-UNIVERSALK9-MZ. 12.2(50)SE2 – New Commands

radius-server dead-criteria time 4 tries 2

radius-server host 2.2.2.2 auth-port 1645 acct-port 1646 test user CHEVRON key test
!
dot1x critical eapol (Optional)
authentication critical recovery delay 2000 (Optional)
!
interface GigabitEthernet1/0/13
switchport access vlan 101
switchport mode access
switchport voice vlan 201
authentication event server dead action authorize vlan 101
authentication event server alive action reinitialize
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast

802.1x Authentication 25
If you want to deploy “802.1x Authentication with Inaccessible Authentication Bypass”, Make
sure you configure the command as mentioned:

radius-server host 2.2.2.2 auth-port 1645 acct-port 1646

test username CHEVRON key test

If you miss this command, the dot1x RADIUS server status will be in flapping between DEAD and
ALIVE. This is an older bug for Cisco: “CSCsi18697”.

As action plan:
If the server tester is not running, then the AAA client will continually cycle through all
configured RADIUS servers (regardless of whether any RADIUS communication is possible) and
will mark them as ALIVE. This allows them to be retried. If, on the other hand, the server tester
is configured, the AAA client will periodically send RADIUS requests to each server to determine
whether it's DEAD or ALIVE. Once a server has been marked as DEAD, it will not be changed to
ALIVE again until it responds to a RADIUS request. To configure the RADIUS server tester, add
the "test <username>" keyword to the "radius-server host" command.

The test username value parameter is used for configuring the dummy username that tests
whether the AAA server is active or not. This feature will send dummy authentication requests
to radius server periodically and only when server actually responds, the server will be marked
ALIVE.

You can check RADIUS SERVER’s status by using "show aaa server”
RADIUS: id 1, priority 1, host 2.2.2.2, auth-port 1645, acct-port 1646
State: current UP, duration 4294967s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 181488, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 8ms
Transaction: success 181488, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 15w3d22h7m

802.1x Authentication 26
Configuring Backup RADIUS Server
Configure backup RADIUS server is very important to prevent single point failure.
We will configure Singapore SBR1 and SBR2 acts as backup RADIUS Server for CDB SBR.

radius-server host 2.2.2.2 auth-port 1645 acct-port 1646 test user CHEVRON key test
radius-server host 2.2.2.3 auth-port 1645 acct-port 1646 test user CHEVRON key test
radius-server host 2.2.2.4 auth-port 1645 acct-port 1646 test user CHEVRON key test

 2.2.2.2 – CDBSBR
 2.2.2.3 – SGDCSBR1
 2.2.2.4 – SGDCSBR2

802.1x Authentication 27
Configuring Periodic Re-Authentication
You can enable periodic 802.1x client re-authentication and specify how often it occurs. If you
do not specify a time period before enabling re-authentication, the number of seconds between
attempts is 3600.

Beginning in privileged EXEC mode, follow these steps to enable periodic re-authentication of
the client and to configure the number of seconds between re-authentication attempts. This
procedure is optional.

This example shows how to enable periodic re-authentication and set the number of seconds
between re-authentication attempts to 4000:

Switch(config-if)# dot1x reauthentication

Switch(config-if)# dot1x timeout reauth-period 4000

For more information,

Please see the “Configuring IEEE 802.1x Port-Based Authentication”.

Note:
1. This is optional feature.
We don’t want to deploy it,
because our IP Phone has already has “EAPOL-Logoff” function.

802.1x Authentication 28
Configuring Port Security
Port Security can be work with 802.1x to enhance the security level on the certain interface
which is connect a Printer, Wireless AP, UPS and so on.

You can use the port security feature to restrict input to an interface by limiting and identifying
MAC addresses of the stations allowed to access the port. When you assign secure MAC
addresses to a secure port, the port does not forward packets with source addresses outside the
group of defined addresses. If you limit the number of secure MAC addresses to one and assign
a single secure MAC address, the workstation attached to that port is assured the full bandwidth
of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is
reached, when the MAC address of a station attempting to access the port is different from any
of the identified secure MAC addresses, a security violation occurs. Also, if a station with a
secure MAC address configured or learned on one secure port attempts to access another
secure port, a violation is flagged.

Secure MAC Addresses

You configure the maximum number of secure addresses allowed on a port by using the
switchport port-security maximum value interface configuration command.

The switch supports these types of secure MAC addresses:

 Static secure MAC addresses — these are manually configured by using the switchport
port-security mac-address mac-address interface configuration command, stored in the
address table, and added to the switch running configuration.
 Dynamic secure MAC addresses — these are dynamically configured, stored only in the
address table, and removed when the switch restarts.
 Sticky secure MAC addresses — these can be dynamically learned or manually
configured, stored in the address table, and added to the running configuration. If these
addresses are saved in the configuration file, when the switch restarts, the interface
does not need to dynamically reconfigure them.

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC
addresses and to add them to the running configuration by enabling sticky learning. To enable
sticky learning, enter the switchport port-security mac-address sticky interface configuration
command. When you enter this command, the interface converts all the dynamic secure MAC
addresses, including those that were dynamically learned before sticky learning was enabled, to
sticky secure MAC addresses. All sticky secure MAC addresses are added to the running
configuration.

The sticky secure MAC addresses do not automatically become part of the configuration file,
which is the startup configuration used each time the switch restarts. If you save the sticky
802.1x Authentication 29
secure MAC addresses in the configuration file, when the switch restarts, the interface does not
need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.

If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure
addresses and are removed from the running configuration.

Security Violations

It is a security violation when one of these situations occurs:

 The maximum number of secure MAC addresses have been added to the address table
and a station whose MAC address is not in the address table attempts to access the
interface.
 An address learned or configured on one secure interface is seen on another secure
interface in the same VLAN.

You can configure the interface for one of three violation modes, based on the action to be
taken if a violation occurs:

 Protect — when the number of secure MAC addresses reaches the maximum limit
allowed on the port, packets with unknown source addresses are dropped until you
remove a sufficient number of secure MAC addresses to drop below the maximum value
or increase the number of maximum allowable addresses. You are not notified that a
security violation has occurred.
Note We do not recommend configuring the protect violation mode on a trunk port.
The protect mode disables learning when any VLAN reaches its maximum limit, even if
the port has not reached its maximum limit.

 Restrict — when the number of secure MAC addresses reaches the maximum limit
allowed on the port, packets with unknown source addresses are dropped until you
remove a sufficient number of secure MAC addresses to drop below the maximum value
or increase the number of maximum allowable addresses. In this mode, you are notified
that a security violation has occurred. An SNMP trap is sent, a syslog message is logged,
and the violation counter increments.
 Shutdown — a port security violation causes the interface to become error-disabled and
to shut down immediately, and the port LED turns off. An SNMP trap is sent, a syslog
message is logged, and the violation counter increments. When a secure port is in the
error-disabled state, you can bring it out of this state by entering the errdisable
recovery cause psecure-violation global configuration command, or you can manually
re-enable it by entering the shutdown and no shut down interface configuration
commands. This is the default mode.

802.1x Authentication 30
Table - Security Violation Mode Actions

Sends Sends Displays Violation Shuts

Violation Traffic is SNMP syslog error counter down
Mode forwarded1 trap message message2 increments port

protect No No No No No No
restrict No Yes Yes No Yes No
shutdown No Yes Yes No Yes Yes

1
Packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses.
2
The switch returns an error message if you manually configure an address that would cause a security
violation.

Here’s a example :

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address aaaa.bbbb.cccc
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery interval 30

For more information,

Please see the “Configuring Port Security”.

802.1x Authentication 31
Deploy 802.1x on Router 1811

The Cisco 1811 fixed-configuration router is used at small branch office or other remote office
usually. The biggest advantage is that integrate router and switch module, it contained 2 x FE
WAN ports (FE0, FE1) and 8 x FE switch ports (FE2 – FE9). It’s very easy and useful to deploy it on
small office with only one device.

According to IP compliance, deploy security policy on 1811 is required. But there are some
challenges we must faced.

1. Can 1811 support both Data and Voice?

Normally, 8 x FE switch ports (FE2 – FE9) do NOT provide POE function. You need plug extra POE
adapter to 1811 to support FE2 – FE9 POE function.
In that case, we are able to connect IPPhone between 1811 and computer.
On the old IOS version c181x-advipservicesk9-mz.124-6.T11.bin, you need configure the switch
port as following to support both data and voice:
interface FastEthernet2
(switchport access vlan 1)
switchport mode trunk
switchport voice vlan 2
spanning-tree portfast

Only if set switch port to trunk mode can be support both Data and Voice working fine.
(Both interface vlan 1 and interface vlan2 can be up).
If you set switch port to access mode, interface vlan 2 (voice) will be down.

But if you want to configure 802.1x on this port, you must set switch port to access mode. Then
the port can be support 802.1x commands. So it’s definitely having a conflict to support both
Voice and 802.1x on the old IOS version.

Solution:
Upgrade IOS version to c181x-adventerprisek9-mz.151-4.M.bin.
This is a latest IOS version and already fixed the bug. You just simply configure as following to
support data and voice.
interface FastEthernet2
(switchport access vlan 1)
(switchport mode access)
switchport voice vlan 2
spanning-tree portfast

On this basis, you can configure 802.1x on this port with access mode. And data, voice and
802.1x can be work well together.

802.1x Authentication 32
2. Which interface can be selected as radius source interface?

If deploy 802.1x on normal switch (3560/3750/4506…), we don’t need care select which
interface as radius source interface. Normally, we configure interface vlan 1 for management.
Also this interface will be selected as radius source interface by default. So we don’t need
configure the command “ip radius source-interface vlan 1”.

On 1811 environment, we must think about this. Here are four options we can choose:
1. WAN Interface (FE0 or FE1)
2. Interface vlan 1 (Data VLAN)
3. Interface vlan 2 (Voice VLAN)
4. Loopback Interface

Let’s analyze one by one.

1. If configure intranet ip address on WAN interface. (Such as MPLS/Leased line).
We definitely can use WAN interface as radius source interface.
Because WAN interface can communicate with RADIUS Server.
If configure public internet ip address on WAN interface. (Such as Site-to-Site VPN).
We definitely can NOT use WAN interface as radius source interface.
Because WAN interface can NOT communicate with RADIUS Server.
2. First thing we must know, only FE2-FE9 port connect to some devices. The interface vlan
1 can be up. But if we deploy the 802.1x on FE2-FE9. Initially, interface vlan 1 is down.
And connect computer to one of FE2-FE9. The port must be authentication 802.1x first.
But as interface vlan 1 was down, the 1811 can NOT communicate with RADIUS Server.
So all port 802.1x authentication fail.
3. On the previous chapter “IEEE 802.1x Authentication with Voice VLAN Ports”. We
already know the IPPhone can be work independently of 802.1x. So whatever connects
ANY device to FE2-FE9. The interface vlan 2 will be up. Then the 1811 can communicate
with RADIUS Server.
4. Loopback Interface never down. As long as there is route to guarantee Loopback can
communicate with RADIUS Server. That will be works.

Conclusion:
1. WAN Interface (FE0 or FE1)
When configure intranet ip address on WAN interface can be as radius source
interface.
2. Interface vlan 1 (Data VLAN)
NOT able to selected as radius source interface.
3. Interface vlan 2 (Voice VLAN)
Are able to selected as radius source interface.
4. Loopback Interface
Are able to selected as radius source interface.

802.1x Authentication 33
3. If 1811 can NOT communicate with SBR?

On the previous chapter “802.1x Authentication with Inaccessible Authentication Bypass”.

We already know we can deploy “inaccessible authentication bypass feature” to fix this
problem. But on the latest IOS version. 1811 still does NOT support this feature. So we only
have below workaround:
1. Make SBR always up by redundancy device/link.
2. Wait Cisco publish newer IOS to support this feature.

Configure 802.1x on 1811:

aaa new-model
!
aaa group server radius CVX
server-private 2.2.2.2 test username CHEVRON key test
server-private 2.2.2.3 test username CHEVRON key test
server-private 2.2.2.4 test username CHEVRON key test
aaa authentication dot1x default group CVX
!
dot1x system-auth-control
!
radius-server timeout 10
!
interface FastEthernet2
(switchport access vlan 1)
(switchport mode access)
dot1x pae authenticator
dot1x port-control auto
switchport voice vlan 2
spanning-tree portfast
!
interface Vlan2
ip address 1.2.3.4 255.255.255.248
!
ip radius source-interface Vlan2

802.1x Authentication 34
Troubleshooting 802.1x with VMware

Sometimes some users will able to run VMware on GIL machine, especially IT staff. It may cause
problem when 802.1x enable.

Normally, there are there modes on VMware Network Adapter:

4. Bridged
Bridged networking connects a virtual machine to a network by using the host
computer’s network adapter. If your host computer is on a network, this is often the
easiest way to give your virtual machine access to that network. The virtual network
adapter in the virtual machine connects to the physical network adapter in your host
computer, allowing it to connect to the LAN the host computer uses.
Bridged networking configures your virtual machine as a unique identity on the network,
separate from and unrelated to its host. It makes the virtual machine visible to other
computers on the network, and they can communicate directly with the virtual machine.
Bridged networking works with both wired and wireless physical host network cards.

802.1x Authentication 35
5. NAT
Network Address Translation (NAT) configures a virtual machine to share the IP and
MAC addresses of the host. The virtual machine and the host share a single network
identity that is not visible outside the network. NAT can be useful when your network
administrator lets you use a single IP address or MAC address. If cannot give your virtual
machine an IP address on the external network, you can use NAT to give your virtual
machine access to the Internet or another TCP/IP network. NAT uses the host
computer’s network connection. NAT works with Ethernet, DSL, and phone modems.

6. Host-only
Host-only networking creates a network that is completely contained within the host
computer. Host‐only networking provides a network connection between the virtual
machine and the host computer, using a virtual network adapter that is visible to the
host operating system. This approach can be useful if you need to set up an isolated
virtual network. In this configuration, the virtual machine cannot connect to the Internet.

802.1x Authentication 36
If VMware on the “Bridged” mode, the VMware Virtual Ethernet Adapter will send out some
traffic (DHCP/DNS…) via computer’s real Ethernet adapter to switch port. That means switch
port will receive new MAC address (VMware Virtual Ethernet Adapter) for authentication. This
will trigger 802.1x security-violations and put this port in err-disable state.

Apr 21 10:54:14 CN: %AUTHMGR-5-START: Starting 'dot1x' for client (001c.25bc.c83b) on

Interface Gi3/47 AuditSessionID 922D7F190064E1FF8506EEDF

Apr 21 10:54:15 CN: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface

GigabitEthernet3/47, new MAC address (000c.2972.85d3) is seen.AuditSessionID Unassigned

Apr 21 10:54:15 CN: %PM-4-ERR_DISABLE: security-violation error detected on Gi3/47, putting

Gi3/47 in err-disable state

001c.25bc.c83b: Computer’s real Ethernet MAC address.

000c.2972.85d3: VMware Virtual Ethernet MAC address.

So must configure VMware on the “NAT” mode to solve this problem.

On the “NAT” mode, switch port will only receive traffic with computer’s real Ethernet MAC
address. VMware Virtual Ethernet Adapter will NOT send out traffic through real Ethernet
Adapter directly. It must NAT first then send out.

802.1x Authentication 37
Appendix

Reference document:

Cisco - “Configuring IEEE 802.1x Port-Based Authentication”.

Cisco - “An Overview of the Cisco Unified IP Phone”.
Cisco Bug Toolkit - “CSCsi18697”.
Cisco - “Configuring Port Security”.

802.1x Authentication 38