Ethernet 802.1X configuration – Cisco (most models)

In this topic, you will learn how to configure Cisco switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

General configuration (IOS/NX-OS)

This is a general configuration template for Cisco switches with the IOS or NX-OS operating system.

Warning: We tested this configuration on several models and several versions of Cisco operating systems (IOS and NX-OS) but we cannot guarantee that it will cover every Cisco model. Also, the configuration is general and may not fit every single environment. Therefore, to get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Cisco on these topics for your particular device model and OS version.

Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual RADIUS server addresses, ports, and keys, as well as device interfaces.

Enable AAA services on the device.
```
aaa new-model
```
Create a new RADIUS server group.
```
aaa group server radius PORTNOX
```
In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.
1. Add a group member to represent the US RADIUS server.
```
server name PORTNOX-CLOUD-US
```
2. Add a group member to represent the Europe RADIUS server.
```
server name PORTNOX-CLOUD-EMEA
```
3. Exit group member configuration.
```
exit
```
Configure the switch to use the RADIUS server group for authentication.
```
aaa authentication dot1x default group PORTNOX
```
Configure the switch to use the RADIUS server group for authorization.
```
aaa authorization network default group PORTNOX
```
Send new accounting information to the RADIUS server group.
```
aaa accounting update newinfo
```
Send all session start and stop events to the RADIUS server group.
```
aaa accounting identity default start-stop group PORTNOX
```
Warning: If your switch responds with the following warning, type No and proceed to the next step: This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding. Do you wish to continue?
Send all session stop events to the RADIUS server group even if there is no start event.
```
aaa accounting send stop-record always
```
Enable 802.1X port-based authentication on the device.
```
dot1x system-auth-control
```
Optional: Enable critical EAP over LAN (EAPOL) frames, allowing them to be processed with higher priority in the authentication process.
```
dot1x critical eapol
```
Optional: Specify the time interval during which critical EAP over LAN (EAPOL) frames must be received for successful recovery in case of interruption.
```
dot1x critical recovery delay 2000
```
Optional: Specify that the switch considers the RADIUS server as dead if no response is received within 30 seconds for four consecutive attempts.
```
radius-server dead-criteria time 30 tries 4
```
Optional: Set the amount of time during which a RADIUS server is considered unreachable or dead after a specified number of consecutive failed attempts.
```
radius-server deadtime 30
```
Add your individual Portnox Cloud RADIUS server IPs and ports to the switch configuration:
Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
1. Add the US Cloud RADIUS server:
```
radius server PORTNOX-CLOUD-US
```
```
address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
```
```
key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
```
```
exit
```
2. Add the Europe Cloud RADIUS server:
```
radius server PORTNOX-CLOUD-EMEA
```
```
address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
```
```
key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
```
```
exit
```
Configure 802.1X authentication on interface 0/1:
```
interface gigabitethernet 0/1
```
Note: This is an example interface. Adjust the interface in the configuration to your specific interface.
1. Enable auto port control for authentication, allowing the switch port to dynamically determine whether to permit or restrict traffic based on the authentication status of the connected device.
```
authentication port-control auto
```
2. Configure the 802.1X Port Access Entity (PAE) on a switch port to operate in authenticator mode, enabling the port to control access based on the authentication status of connected devices.
```
dot1x pae authenticator
```
3. Enable the single-host mode for authentication, allowing only one MAC address per port to be authenticated, preventing multiple devices from connecting through a single port.
```
authentication host-mode single-host
```
4. Optional: Enable MAC address bypass authentication on the interface.
```
mab
```
5. Configure the order in which authentication methods are attempted on a port, specifying that the switch should first attempt 802.1X authentication and then fall back to MAC Authentication Bypass (MAB) if 802.1X authentication is not successful.
```
authentication order dot1x mab
```
Optional: Configure a critical auth VLAN

Note: If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.

Note: This function may be unsupported on some switches. Consult Cisco documentation for more information about its availability for your specific model and software version.
1. Define the VLAN that will be used for critical authentication:
```
vlan 10
```
  In this example, we are using VLAN 10, but you can use a different configuration.
2. Assign an IP Address to the VLAN:
```
interface vlan 10 ip address 10.0.10.0 255.255.255.0
```
  In this example, we are using the network 10.0.10.0/24 but you can use a different configuration.
3. Configure the g0/1 interface to use the critical auth VLAN:
```
interface gigabitethernet g0/1
```
```
authentication event server dead action authorize vlan 10
```
  If you’re using a different VLAN, change the vlan 10 parameter.

Verify the 802.1X configuration.

show dot1x all

Expected output:

Sysauthcontrol Enabled
Dot1x Protocol Version 2
Dot1x Info for GigabitEthernet0/1
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
Critical Auth VLAN = 10
Server Dead Action = Authorize VLAN 10

Optional: Debug the 802.1X configuration, if necessary.

debug mab all

debug dot1x all

debug radius

debug aaa authentication

debug aaa authorization

Here is the entire example configuration for your convenience:

aaa new-model
!
aaa group server radius PORTNOX
  server name PORTNOX-CLOUD-US
  server name PORTNOX-CLOUD-EMEA
  exit
!
aaa authentication dot1x default group PORTNOX
aaa authorization network default group PORTNOX
aaa accounting update newinfo
aaa accounting identity default start-stop group PORTNOX
aaa accounting send stop-record always
!
dot1x system-auth-control
!
dot1x critical eapol
dot1x critical recovery delay 2000
!
radius-server dead-criteria time 30 tries 4
radius-server deadtime 30
!
radius server PORTNOX-CLOUD-US
  address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
  key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  exit
!
radius server PORTNOX-CLOUD-EMEA
  address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
  key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  exit
!
interface gigabitethernet 0/1
  authentication port-control auto
  dot1x pae authenticator
  authentication host-mode single-host 
  mab
  authentication order dot1x mab
!
vlan 10
interface vlan 10 ip address 10.0.10.0 255.255.255.0
!
interface gigabitethernet 0/1
authentication event server dead action authorize vlan 10

IBNS 2.0 (multi-domain)

This is a multi-domain configuration template for Cisco switches with IBNS 2.0.

Enable AAA services on the device.
```
aaa new-model
```
Add your individual Portnox Cloud RADIUS server IPs and ports to the switch configuration:
Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
1. Add the US Cloud RADIUS server:
```
radius server PORTNOX-CLOUD-US
```
```
address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
```
```
key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
```
```
exit
```
2. Add the Europe Cloud RADIUS server:
```
radius server PORTNOX-CLOUD-EMEA
```
```
address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
```
```
key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
```
```
exit
```
Create a new RADIUS server group.
```
aaa group server radius PORTNOX
```
In this configuration, we assume that you are using both Portnox Cloud RADIUS servers.
1. Add a group member to represent the US RADIUS server.
```
server name PORTNOX-CLOUD-US
```
2. Add a group member to represent the Europe RADIUS server.
```
server name PORTNOX-CLOUD-EMEA
```
3. Exit group member configuration.
```
exit
```
Configure the switch to use the RADIUS server group for authentication.
```
aaa authentication dot1x default group PORTNOX
```
Configure the switch to use the RADIUS server group for authorization.
```
aaa authorization network default group PORTNOX
```
Enable 802.1X port-based authentication on the device.
```
dot1x system-auth-control
```

Verify or configure the needed class-map types that will be used in the interface policy-map supporting 802.1X.

class-map type control subscriber match-all DOT1X

  match method dot1x

class-map type control subscriber match-all DOT1X_FAILED

  match method dot1x

  match result-type method dot1x authoritative

class-map type control subscriber match-all DOT1X_NO_RESP

  match method dot1x

  match result-type method dot1x agent-not-found

class-map type control subscriber match-all MAB

  match method mab

class-map type control subscriber match-all MAB_FAILED

  match method mab

  match result-type method mab authoritative

Configure the subscriber policy-map that will be used to control 802.1X authentication.

policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN

  event session-started match-all

    10 class always do-until-failure

      10 authenticate using dot1x priority 10

      20 authenticate using mab priority 20

  event authentication-failure match-first

    10 class DOT1X_FAILED do-until-failure

      10 terminate dot1x

    20 class MAB_FAILED do-until-failure

      10 terminate mab

      20 authenticate using dot1x priority 10

    30 class DOT1X_NO_RESP do-until-failure

      10 terminate dot1x

      20 authentication-restart 60

    40 class always do-until-failure

      10 terminate mab

      20 terminate dot1x

      30 authentication-restart 60

  event agent-found match-all

    10 class always do-until-failure

      10 terminate mab

      20 authenticate using dot1x priority 10

Configure appropriate interfaces to use 802.1X authentication.

interface GigabitEthernet1/0/1

  switchport access vlan 613

  switchport mode access

  switchport voice vlan 612

  access-session closed

  access-session host-mode multi-domain

  access-session port-control auto

mab

  dot1x pae authenticator

  spanning-tree portfast

  service-policy type control subscriber DOT1X_MAB_MULTIDOMAIN

Optional: Debug the 802.1X configuration, if necessary.
```
debug mab all
```
```
debug dot1x all
```
```
debug radius
```
```
debug pre all
```
Note: Optionally, for debug pre, you can use only event and/or rule to limit the output to the information relevant to IBNS 2.0.
```
debug aaa authentication
```
```
debug aaa authorization
```

Here is the entire example configuration for your convenience:

aaa new-model
!
radius server PORTNOX-CLOUD-US
  address ipv4 20.119.69.248 auth-port 10322 acct-port 10323
  key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  exit
radius server PORTNOX-CLOUD-EMEA
  address ipv4 52.232.122.157 auth-port 10476 acct-port 10477
  key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  exit
aaa group server radius PORTNOX
  server name PORTNOX-CLOUD-US
  server name PORTNOX-CLOUD-EMEA
  exit
aaa authentication dot1x default group PORTNOX
aaa authorization network default group PORTNOX
!
dot1x system-auth-control
!
class-map type control subscriber match-all DOT1X
match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all MAB
match method mab
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
policy-map type control subscriber DOT1X_MAB_MULTIDOMAIN
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
      20 authenticate using mab priority 20
  event authentication-failure match-first
    10 class DOT1X_FAILED do-until-failure
      10 terminate dot1x
    20 class MAB_FAILED do-until-failure
      10 terminate mab
      20 authenticate using dot1x priority 10
    30 class DOT1X_NO_RESP do-until-failure
      10 terminate dot1x
      20 authentication-restart 60
    40 class always do-until-failure
      10 terminate mab
      20 terminate dot1x
      30 authentication-restart 60
  event agent-found match-all
    10 class always do-until-failure
      10 terminate mab
      20 authenticate using dot1x priority 10
!
interface GigabitEthernet1/0/1
  switchport access vlan 613
  switchport mode access
  switchport voice vlan 612
  access-session closed
  access-session host-mode multi-domain
  access-session port-control auto
  mab
  dot1x pae authenticator
  spanning-tree portfast
  service-policy type control subscriber DOT1X_MAB_MULTIDOMAIN