4402015
Description
Mind Map by John Lodge, updated more than 1 year ago
|
Created by John Lodge
almost 10 years ago
|
|
802.1x mind map
- Port based authentication
- The flow
- Device comes up, authenticator sends a EAP request (who are you)
- Supplicant will reply with credentials (if supplicant software is installed)
- Authenticator will send credentials to authenticaton server using RADIUS, however it can encrypt this using PEAP which in turn uses TLS with an access-request
- Remember TLS implies digital certificates are required
- authentication server will reply with an access-challenge
- Remember TLS implies digital certificates are required
- note that also as part of this process the server will go
through negotiations with the supplicant for which eap
protocol to use and also if configured and using tls
certificates will be exchanged to authenticate the server
- Authenticator will send credentials to authenticaton server using RADIUS, however it can encrypt this using PEAP which in turn uses TLS with an access-request
- chaining
- if you want to authenticate a user and a device separately this is called chaining
- if you want to perform chaining the EAP protocol you will need is EAP-Fast
- if you want to perform chaining the EAP protocol you will need is EAP-Fast
- if you want to authenticate a user and a device separately this is called chaining
- Supplicant will reply with credentials (if supplicant software is installed)
- Device comes up, authenticator sends a EAP request (who are you)
- modes
- single-host
- one device, one mac address only on this port
- one device, one mac address only on this port
- multi-host
- one mac address authenticates and then any other mac address can use that port also as long as port stays up
- one mac address authenticates and then any other mac address can use that port also as long as port stays up
- multi-doman (MDA)
- One each mode, allows one mac address for data and one mac address for voice
- One each mode, allows one mac address for data and one mac address for voice
- multi-auth
- each device needs to authenticate individually, each mac address will need its own supplicant to authenticate
- each device needs to authenticate individually, each mac address will need its own supplicant to authenticate
- MAB
- Mac address bypass, if no supplicant is installed, after a set
time the 802.1x will timeout and move to next method, if Mac
address is set in ISE then will authenticate with MAC address
- Mac address bypass, if no supplicant is installed, after a set
time the 802.1x will timeout and move to next method, if Mac
address is set in ISE then will authenticate with MAC address
- single-host
- The flow
- configuring
- on switch (authenticator)
- aaa authentication dot1x default group radius
- dot1x system-auth-control
- int# authentication host-mode [multi-auth]
- int# authentication [open/
- open- for testing, allows all even if failed
- int# dot1x pae authenticator
- tells port that it is the authenticator
- int# authentcation port-control-auto
- tells port to allow dot1x to control access
- to verify its working before leaving open mode use
int# show authentication int g0/1 or int# show
authentication sessions int g0/1
- radius server attribute 6 on-for-login-auth
- if using MAB, sends mac address to ISE
- INT# MAB
- ALLOWS MAB
- int# authentication order dot1x mab
- ALLOWS MAB
- if using MAB, sends mac address to ISE
- tells port to allow dot1x to control access
- tells port that it is the authenticator
- open- for testing, allows all even if failed
- int# authentication [open/
- int# authentication host-mode [multi-auth]
- dot1x system-auth-control
- aaa authentication dot1x default group radius
- on switch (authenticator)
- Methods
- 802.1X
- Periodic re-authentication (disabled by default)
- Periodic re-authentication (disabled by default)
- MAB
- No periodic re-authenticaion
- uses RADIUS service type 6
- No periodic re-authenticaion
- how methods are chosen
- int# authentication order dot1x mab webauth
- dot1x is chosen first, if timesout goes to mab then to webauth
- dot1x is chosen first, if timesout goes to mab then to webauth
- int# authentication priority dot1x mab webauth
- first choice is dictated by order, but if switch receives a dot1x request it will switch to dot1x
- first choice is dictated by order, but if switch receives a dot1x request it will switch to dot1x
- authentication event fail action next-method/ authorize vlan x
- next method goes to next method, should only
be used if webauth configured or cycles
endlessly, authorize vlan x puts port into vlan x
- authentication fallback command needed to enable webauth
- authentication fallback command needed to enable webauth
- next method goes to next method, should only
be used if webauth configured or cycles
endlessly, authorize vlan x puts port into vlan x
- int# authentication order dot1x mab webauth
- 802.1X
Want to create your own Mind Maps for free with GoConqr? Learn more.