• Home

  • Documents

  • Dot1x Supplicant Support on the L2 interface - cisco.com · ! configure EAP mode used by supplicant...
4
Dot1x Supplicant Support on the L2 interface This section contains the following topics:. Dot1x Supplicant Support on the L2 interface, on page 1 Dot1x Supplicant Support on the L2 interface Feature is new for release 15.8(3)M1 and applies to the IR829 only IEEE 802.1X authentication enables the access point to gain access to a secured wired network. You can enable the access point as an 802.1X supplicant (client) on the wired network. A user name and password that are encrypted using the MD5 (IR8x9 platform supports only md5 method) algorithm can be configured to allow the access point to authenticate using 802.1X. Figure 1: Supplicant Topology, on page 1 illustrates the Supplicant Topology. Figure 1: Supplicant Topology Supplicant CLI Commands IR800-supplicant(config-eap-profile)#? Eap profile configuration commands: description Provide a description for the EAP profile exit Exit EAP profiles configuration submode method Add an allowed method no Negate a command or set its defaults IR800-supplicant(config-eap-profile)#method ? md5 EAP-MD5 method allowed Refer to Figure 2: Workflow, on page 2 for the workflow. Dot1x Supplicant Support on the L2 interface 1

Dot1x Supplicant Support on the L2 interface - cisco.com · ! configure EAP mode used by supplicant switch to authenticate itself to authenticator switch eap profile EAP_PRO method

  • Upload
    others

  • View
    9

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Dot1x Supplicant Support on the L2 interface - cisco.com · ! configure EAP mode used by supplicant switch to authenticate itself to authenticator switch eap profile EAP_PRO method

Dot1x Supplicant Support on the L2 interface

This section contains the following topics:.

• Dot1x Supplicant Support on the L2 interface, on page 1

Dot1x Supplicant Support on the L2 interfaceFeature is new for release 15.8(3)M1 and applies to the IR829 only

IEEE 802.1X authentication enables the access point to gain access to a secured wired network. You canenable the access point as an 802.1X supplicant (client) on the wired network. A user name and passwordthat are encrypted using the MD5 (IR8x9 platform supports only md5 method) algorithm can be configuredto allow the access point to authenticate using 802.1X. Figure 1: Supplicant Topology, on page 1 illustratesthe Supplicant Topology.Figure 1: Supplicant Topology

Supplicant CLI Commands

IR800-supplicant(config-eap-profile)#?Eap profile configuration commands:description Provide a description for the EAP profileexit Exit EAP profiles configuration submodemethod Add an allowed methodno Negate a command or set its defaults

IR800-supplicant(config-eap-profile)#method ?md5 EAP-MD5 method allowed

Refer to Figure 2: Workflow, on page 2 for the workflow.

Dot1x Supplicant Support on the L2 interface1

Page 2: Dot1x Supplicant Support on the L2 interface - cisco.com · ! configure EAP mode used by supplicant switch to authenticate itself to authenticator switch eap profile EAP_PRO method

Figure 2: Workflow

Workflow details

• On networks that use IEEE 802.1X port-based network access control, a supplicant cannot gain accessto the network until the 802.1X authenticator grants access. If your network uses 802.1X, you mustconfigure 802.1X authentication information on the WAP device, so that it can supply it to theauthenticator.

• Supplicant starts with EAPOL start request to the Authenticator• In Supplicant Request Authenticator send EAP request to supplicant.• Supplicant sends the EAP response (W/MD5 Credentials) to Authenticator• Authenticator sends the relay request to AAA via radius to Authenticate the supplicants• If the supplicant entry is already defined there, Radius sends accept to the Authenticator and the Supplicantport gets authorized by the authenticator

• Now the supplicant works as Authenticator for the host connected to it. The same flow happens whenthe host connects to the Supplicant.

Sample Configuration to Support DOT1x Supplicant on the IR829Note: More details can be found here:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html#anc14

! Enable supplicant switch to authenticate devices connecteddot1x system-auth-control

! Forces the switch to send only multicast EAPOL packets when it receives eitherunicast or multicast packets, which allows NEAT to work on the supplicantswitch in all host modes.dot1x supplicant force-multicast

Dot1x Supplicant Support on the L2 interface2

Dot1x Supplicant Support on the L2 interfaceSample Configuration to Support DOT1x Supplicant on the IR829

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html#anc14
Page 3: Dot1x Supplicant Support on the L2 interface - cisco.com · ! configure EAP mode used by supplicant switch to authenticate itself to authenticator switch eap profile EAP_PRO method

! configure EAP mode used by supplicant switch to authenticate itself to authenticatorswitch eap profile EAP_PRO

method md5

! Configure credentials use by supplicant switch during that authentication.dot1x credentials CRED_PROusername bsnsswitchpassword 0 C1sco123

The connection of the supplicant to the authenticator is already configured to be a trunk port (in contrast toaccess port configuration on the authenticator). At this stage, this is expected; configuration will dynamicallychange when the ISE returns the correct attribute.

interface FastEthernet0/6switchport trunk encapsulation dot1qswitchport mode trunkdot1x pae supplicantdot1x credentials CRED_PROdot1x supplicant eap profile EAP_PRO

Note: For support of Dot1x in IR829 dot1x code is added in IR829 for L2 interface.

IR800-supplicant# show dot1x interface gigabitEthernet 1 detailsDot1x Info for GigabitEthernet1-----------------------------------PAE = SUPPLICANTStartPeriod = 30AuthPeriod = 30HeldPeriod = 60MaxStart = 3Credentials profile = CRED_PROEAP profile = EAP_PRODot1x Supplicant Client List-------------------------------Authenticator = 80e0.1d66.2ce1

Supp SM State = AUTHENTICATEDSupp Bend SM State = IDLE

Port Status = AUTHORIZED

Note: Dot1x supplicant on L3 interfaces is not supported.

Dot1x Supplicant Support on the L2 interface3

Dot1x Supplicant Support on the L2 interfaceSample Configuration to Support DOT1x Supplicant on the IR829

Page 4: Dot1x Supplicant Support on the L2 interface - cisco.com · ! configure EAP mode used by supplicant switch to authenticate itself to authenticator switch eap profile EAP_PRO method

Dot1x Supplicant Support on the L2 interface4

Dot1x Supplicant Support on the L2 interfaceSample Configuration to Support DOT1x Supplicant on the IR829


Introduction to EAP Profile 36. Overview Development of EAP Profile 36 Transition to EAP Profile 36 Update to EAP Profile Expiry Date

Introduction to EAP Profile 36. Overview Development of EAP Profile 36 Transition to EAP Profile 36 Update to EAP Profile Expiry Date

Documents
EAP Orientation

EAP Orientation

Documents
EAP - Onestopenglish

EAP - Onestopenglish

Documents
Lifestyle EAP

Lifestyle EAP

Documents
802.1X EAP Supplicant on COS AP · Configurations Steps for 802 .1x AP Supplicant Configuration and Debug on the AP Side ShowCLI AP Console>show authentication interface wired-port

802.1X EAP Supplicant on COS AP · Configurations Steps for 802 .1x AP Supplicant Configuration and Debug on the AP Side ShowCLI AP Console>show authentication interface wired-port

Documents
Wpa supplicant introduction

Wpa supplicant introduction

Software
PEAP-TLS: Microsoft Supplicant configuration (Windows 7 ......2014/01/14  · PEAP-TLS: Microsoft Supplicant configuration (Windows 7) and Aruba ClearPass This document describes how

PEAP-TLS: Microsoft Supplicant configuration (Windows 7 ......2014/01/14  · PEAP-TLS: Microsoft Supplicant configuration (Windows 7) and Aruba ClearPass This document describes how

Documents
PEAP-TLS: Microsoft Supplicant configuration (Windows 7 ...community.arubanetworks.com/aruba/attachments/... · Microsoft Supplicant configuration (Windows 7) Configure WPA2-Enterprise,

PEAP-TLS: Microsoft Supplicant configuration (Windows 7 ...community.arubanetworks.com/aruba/attachments/... · Microsoft Supplicant configuration (Windows 7) Configure WPA2-Enterprise,

Documents
Diameter EAP Application (draft-ietf-aaa-eap-02.txt)

Diameter EAP Application (draft-ietf-aaa-eap-02.txt)

Documents
EaP Think Bridgeprismua.org/wp-content/uploads/2017/12/EaPThinkBridge_11...EaP Think Bridge, 11, 2017 EaP Think Bridge, 1, 2017 1. 1 1 EaP Think Bridge Eastern Partnership мonthly

EaP Think Bridgeprismua.org/wp-content/uploads/2017/12/EaPThinkBridge_11...EaP Think Bridge, 11, 2017 EaP Think Bridge, 1, 2017 1. 1 1 EaP Think Bridge Eastern Partnership мonthly

Documents
HP 2530 Switch Series - CNET Content Solutions - English · IEEE 802.1X uses an IEEE 802.1X supplicant on the client in conjunction with a RADIUS server to authenticate in accordance

HP 2530 Switch Series - CNET Content Solutions - English · IEEE 802.1X uses an IEEE 802.1X supplicant on the client in conjunction with a RADIUS server to authenticate in accordance

Documents
EAP Handbook for Studentsluj.lakeland.edu/images/EAPprog/EAP_Handbook_for_Students_SU20… · 19/05/2020  · English for Academic Purposes (EAP) Program EAP Handbook for Students

EAP Handbook for Studentsluj.lakeland.edu/images/EAPprog/EAP_Handbook_for_Students_SU20… · 19/05/2020  · English for Academic Purposes (EAP) Program EAP Handbook for Students

Documents
EAP Quick Installation Guide - TP-LinkUN)_V1_QIG.pdf · 7106505995 REV1.0.0 Clients PoE Switch EAP EAP EAP Controller Host EAP Controller Router Internet To quickly set up a wireless

EAP Quick Installation Guide - TP-LinkUN)_V1_QIG.pdf · 7106505995 REV1.0.0 Clients PoE Switch EAP EAP EAP Controller Host EAP Controller Router Internet To quickly set up a wireless

Documents
Catalyst 3750-X and Catalyst 3560-X Switch Command ...€¦ · dot1x supplicant controlled transient command 2-201 dot1x supplicant force-multicast command 2-203 dot1x test eapol-capable

Catalyst 3750-X and Catalyst 3560-X Switch Command ...€¦ · dot1x supplicant controlled transient command 2-201 dot1x supplicant force-multicast command 2-203 dot1x test eapol-capable

Documents
Odattol Daee ( the Asset of the Supplicant)

Odattol Daee ( the Asset of the Supplicant)

Documents
EAP Slide2

EAP Slide2

Documents
Aos & cppm integration & testing document for eap tls & eap peap

Aos & cppm integration & testing document for eap tls & eap peap

Technology
ネットワーク アクセス マネージャの設定 - Cisco...• EAP メソッド群: – EAP-FAST、PEAP、EAP-TTLS、EAP-TLS、および LEAP(IEEE 802.3 有線のみ

ネットワーク アクセス マネージャの設定 - Cisco...• EAP メソッド群: – EAP-FAST、PEAP、EAP-TTLS、EAP-TLS、および LEAP(IEEE 802.3 有線のみ

Documents
HOWTO: EAP/TLS Setup for FreeRADIUS and Windows XP … · 2002. 4. 18. · HOWTO: EAP/TLS Setup for FreeRADIUS and Windows XP Supplicant Version 1.0.1 April 18, 2002 Ken Roser kroser@pobox.com

HOWTO: EAP/TLS Setup for FreeRADIUS and Windows XP … · 2002. 4. 18. · HOWTO: EAP/TLS Setup for FreeRADIUS and Windows XP Supplicant Version 1.0.1 April 18, 2002 Ken Roser [email protected]

Documents
Wireless N Gigabit Access Point EAP120 / EAP220 · 2016-08-10 · Router Internet Switch Master EAP Member EAP Member EAP Enwuvgt The EAP120 and EAP220 provide two management modes:

Wireless N Gigabit Access Point EAP120 / EAP220 · 2016-08-10 · Router Internet Switch Master EAP Member EAP Member EAP Enwuvgt The EAP120 and EAP220 provide two management modes:

Documents
Presentation1 EAP

Presentation1 EAP

Documents
Implementation of an 802.1x supplicant for internet telephony

Implementation of an 802.1x supplicant for internet telephony

Documents
Extensible Authentication ProtocolsFor PEAP Version 1, the supported authentication methods are EAP-GTC, EAP-SIM, EAP-TLS and EAP-Negotiate. The PEAP protocol consists of two phases:

Extensible Authentication ProtocolsFor PEAP Version 1, the supported authentication methods are EAP-GTC, EAP-SIM, EAP-TLS and EAP-Negotiate. The PEAP protocol consists of two phases:

Documents
802.1X, EAP and RADIUS - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l02-8021x-etc-2016.pdf · Ubuntu 15.10 (Wired connection) I ... I only one-sided (client/supplicant) authentication

802.1X, EAP and RADIUS - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l02-8021x-etc-2016.pdf · Ubuntu 15.10 (Wired connection) I ... I only one-sided (client/supplicant) authentication

Documents
NWA1123-ACv2 - Farnell · 2016. 11. 12. · 5 WLAN Security WEP Yes WPA/WPA2-PSK Yes WPA/WPA2-Enterprise Yes EAP type EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-FAST, EAP-AKA and EAP-SIM WMM

NWA1123-ACv2 - Farnell · 2016. 11. 12. · 5 WLAN Security WEP Yes WPA/WPA2-PSK Yes WPA/WPA2-Enterprise Yes EAP type EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-FAST, EAP-AKA and EAP-SIM WMM

Documents
Eap Chapters

Eap Chapters

Documents
Layered Access Control-Six Defenses That Work...7 802.1X Provides a standards-based approach for authentication and authorization Supplicant EAP over Wireless EAP over LAN Supplicant

Layered Access Control-Six Defenses That Work...7 802.1X Provides a standards-based approach for authentication and authorization Supplicant EAP over Wireless EAP over LAN Supplicant

Documents
2007 © SWITCH TNC2007 Extending SWITCH Public Wireless LAN with EAP-SIM Kurt Baumann SWITCHmobile Project Leader kurt.baumann@switch.ch

2007 © SWITCH TNC2007 Extending SWITCH Public Wireless LAN with EAP-SIM Kurt Baumann SWITCHmobile Project Leader [email protected]

Documents
EAP Update

EAP Update

Documents
EAP!Conference2016!! FindingtheBalance:! !Language ......EAP!Conference2016!! FindingtheBalance:!!Language!andContent!in!EAP! to!be!held!at!! Medical!and!Biological!SciencesBuilding!

EAP!Conference2016!! FindingtheBalance:! !Language ......EAP!Conference2016!! FindingtheBalance:!!Language!andContent!in!EAP! to!be!held!at!! Medical!and!Biological!SciencesBuilding!

Documents