Objective
IEEE 802.1x is a standard which facilitates access control between a client and a server. Before services can beprovided to a client by a Local Area Network (LAN) or switch, the client connected to the switch port has to beauthenticated by the authentication server which runs Remote Authentication Dial-In User Service (RADIUS).
802.1x authentication restricts unauthorized clients from connecting to a LAN through publicity-accessible ports.802.1x authentication is a client-server model. In this model, network devices have the following specificroles:
Client or supplicant — A client or supplicant is a network device that requests access to the LAN. Theclient is connected to an authenticator.
Authenticator — An authenticator is a network device that provides network services and to whichsupplicant ports are connected. The following authentication methods are supported:
802.1x-based — Supported in all authentication modes. In 802.1x-based authentication, the authenticatorextracts the Extensible Authentication Protocol (EAP) messages from the 802.1x messages or EAP over LAN(EAPoL) packets, and passes them to the authentication server, using the RADIUS protocol.
MAC-based — Supported in all authentication modes. With Media Access Control (MAC)-based, theauthenticator itself executes the EAP client part of the software on behalf of the clients seekingnetwork access.
Web-based — Supported only in multi-sessions modes. With web-based authentication, the authenticatoritself executes the EAP client part of the software on behalf of the clients seeking network access.
Authentication server — An authentication server performs the actual authentication of the client. Theauthentication server for the device is a RADIUS authentication server with EAP extensions.
Note: A network device can be either a client or supplicant, authenticator, or both per port.
The image below displays a network that have configured the devices according to the specific roles. In thisexample, an SG350X switch is used.
Guidelines in configuring 802.1x:
Create a Virtual Access Network (VLAN). To create VLANs using the web-based utility of your switch, clickhere.For CLI-based instructions, click here.
Configure Port to VLAN settings on your switch. To configure using the web-based utility, click here.To use the CLI, click here.
Configure 802.1x properties on the switch. 802.1x should be globally enabled on the switch to enable802.1x port-based authentication. For instructions, click here.
(Optional) Configure Time Range on the switch. To learn how to configure time range settings on yourswitch, click here.
Configure 802.1x Port Authentication. This article provides instructions on how to configure 802.1x portauthentication settings on your switch.
To learn how to configure mac-based authentication on a switch, click here.
Applicable Devices
Sx300 Series
Sx350 Series
SG350X Series
Sx500 Series
Sx550X Series
Software Version
1.4.7.06 — Sx300, Sx500
2.2.8.04 — Sx350, SG350X, Sx550X
Configure 802.1x Port Authentication Settings ona Switch
Configure RADIUS Client Settings
Step 1. Log in to the web-based utility of your switch then choose Advanced in the Display Modedrop-down list.
Note: The available menu options may vary depending on the device model. In this example,SG550X-24 is used.
Step 2. Navigate to Security > RADIUS Client.
Step 3. Scroll down to the RADIUS Table section and click Add… to add a RADIUS server.
Step 4. Select whether to specify the RADIUS server by IP address or name in the Server Definitionfield. Select the version of the IP address of the RADIUS server in the IP Version field.
Note: We will be using By IP address and Version 4 in thisexample.
Step 5. Enter in the RADIUS server by IP address or name.
Note: We will be entering the IP address of 192.168.1.146 in the Server IPAddress/Name field.
Step 6. Enter the priority of the server. The priority determines the order the device attempts to contact theservers to authenticate a user. The device starts with the highest priority RADIUS server first. 0 is thehighest priority.
Step 7. Enter the key string used for authenticating and encrypting communication between the device and theRADIUS server. This key must match the key configured on the RADIUS server. It can be entered inEncrypted or Plaintext format. If Use Default is selected,the device attempts to authenticate to the RADIUS server by using the default key string.
Note: We will be using the User Defined (Plaintext) and entering in the keyexample.
To learn how to configure the RADIUS server settings on your switch, click here.
Step 8. In the Timeout for Reply field, select either Use Default or UserDefined. If User Defined was selected, enter the number of seconds the devicewaits for an answer from the RADIUS server before retrying the query, or switching to the next server if themaximum number of retries made. If Use Default is selected, the device uses the default timeoutvalue.
Note: In this example, Use Default was selected.
Step 9. Enter the UDP port number of the RADIUS server port for authentication request in the AuthenticationPort field. Enter the UDP port number of the RADIUS server port for accounting requests in theAccounting Port field.
Note: In this example, we will be using the default value for both authentication port andaccounting port.
Step 10. If User Defined is selected for Retries field, enter the number of requeststhat are sent to the RADIUS server before a failure is considered to have occurred. If UseDefault was selected, the device uses the default value for the number of retries.
If User Defined is selected for Dead Time, enter the number of minutes that must passbefore a non-responsive RADIUS server is bypassed for service requests. If Use Default wasselected, the device uses the default value for the dead time. If you entered 0 minutes, there is no dead time.
Note: In this example, we will be selecting Use Default for both of thesefields.
Step 11. In the Usage Type field, enter the RADIUS server authentication type. The options are:
Login – RADIUS server is used for authenticating users that ask to administer thedevice.
802.1x – RADIUS server is used for 802.1x authentication.
All – RADIUS server is used for authenticating user that ask to administer the deviceand for 802.1x authentication.
Step 12. Click Apply.
Configure 802.1x Port Authentication Settings
Step 1. Log in to the web-based utility of your switch then choose Advanced in the Display Modedrop-down list.
Note: The available menu options may vary depending on the device model. In this example,SG350X-48MP is used.
Note: If you have an Sx300 or Sx500 Series switch, skip to Step 2.
Step 2. Choose Security > 802.1X Authentication > PortAuthentication.
Step 3. Choose an interface from the Interface Type drop-down list.
Port — From the Interface Type drop-down list, choose Port if only a singleport needs to be chosen.
LAG — From the Interface Type drop down list, choose the LAG to configure. This affects thegroup of ports defined in the LAG configuration.
Note: In this example, Port of Unit 1 is chosen.
Note: If you have a non-stackable switch such as a Sx300 Series switch, skip to Step 5.
Step 4. Click Go to bring up a list of ports or LAGs on the interface.
Step 5. Click the port that you want to configure.
Note: In this example, GE4 is chosen.
Step 6. Scroll down the page then click Edit.
Step 7. (Optional) If you want to edit another interface, choose from the Unit and Port drop-down lists.
Note: In this example, port GE4 of unit 1 is chosen.
Step 8. Click the radio button that corresponds to the desired port control in the Administrative Port Controlarea. The options are:
Force Unauthorized — Denies the interface access by moving the port into the unauthorized state. The portwill discard traffic.
Auto — The port moves between an authorized or unauthorized state based on authentication of thesupplicant.
Force Authorized — Authorizes the port without authentication. The port will forward traffic.
Note: In this example, Auto is chosen.
Step 9. Click a RADIUS VLAN Assignment radio button to configure dynamic VLAN assignment on the selected port.The options are:
Disable — Feature is not enabled.
Reject — If the RADIUS server authorized the supplicant, but did not provide a supplicant VLAN, thesupplicant is rejected.
Static — If the RADIUS server authorized the supplicant, but did not provide a supplicant VLAN, thesupplicant is accepted.
Note: In this example, Static is chosen.
Step 10. Check Enable in the Guest VLAN check box to enable Guest VLAN for unauthorized ports.Guest VLAN makes the unauthorized port automatically join the VLAN chosen in the Guest VLAN ID area of the 802.1properties.
Step 11. (Optional) Check the Enable Open Access check box to enable open access. Open Accesshelps you to understand the configuration problems of hosts connecting to the network, monitors bad situationsand enables these problems to be fixed.
Note: When Open Access is enabled on an interface, the switch treats all failures received froma RADIUS server as successes and allows access to the network for stations connected to interfaces regardless ofauthentication results. In this example, Open Access is disabled.
Step 12. Check the Enable 802.1x Based Authentication check box to enable 802.1X authenticationon the port.
Step 13. Check the Enable MAC Based Authentication check box to enable port authentication basedon the supplicant MAC address. Only eight MAC-based authentications can be used on the port.
Note: For MAC authentication to succeed, the RADIUS server supplicant username and password mustbe the supplicant MAC address. The MAC address must be in lower case letters and entered without the . or –separators (such as 0020aa00bbcc).
Note: In this example, MAC-based authentication is disabled.
Step 14. Check the Enable Web Based Authentication check box to enable web-based authenticationon the switch. In this example, web-based authentication is disabled.
Note: In this example, web-based authentication is disabled.
Step 15. (Optional) Check the Enable Periodic Reauthentication check box to force the port tore-authenticate after a given time. This time is defined in the Reauthentication Period field.
Note: In this example, period re-authentication is enabled.
Step 16. (Optional) Enter a value in the Reauthentication Period field. This value represents the amountof seconds before the interface re-authenticates the port. The default value is 3600 seconds and the range isfrom 300 to 4294967295 seconds.
Note: In this example, 6000 seconds is configured.
Step 17. (Optional) Check the Enable Reauthenticate Now check box to force an immediate portre-authentication. In this example, immediate re-authentication is disabled.
The Authenticator State area displays the authorization state of the port.
Step 18. (Optional) Check the Enable Time Range check box to enable a limit on the time that theport is authorized.
Note: In this example, Time Range is enabled. If you prefer to skip this feature, proceed to Step 20.
Step 19. (Optional) From the Time Range Name drop-down list, choose a time range to use.
Note: In this example, Dayshift is chosen.
Step 20. In the Maximum WBA Login Attempts area, click either Infinite for no limit or User Defined to set alimit. If User Defined is chosen, enter the maximum number of login attempts allowed for web-basedauthentication.
Note: In this example, Infinite is chosen.
Step 21. In the Maximum WBA Silence Period area, click either Infinite for no limit or User Defined to set alimit. If User Defined is chosen, enter the maximum length of the silent period for web-based authenticationallowed on the interface.
Note: In this example, Infinite is chosen.
Step 22. In the Max Hosts area, click either Infinite for no limit or User Defined to set a limit. If UserDefined is chosen, enter the maximum number of authorized hosts allowed on the interface.
Note: Set this value to 1 to simulate single-host mode for web-based authentication inmulti-sessions mode. In this example, Infinite is chosen.
Step 23. In the Quiet Period field, enter the time the switch remains in quiet state after a failedauthentication exchange. When the switch is in quiet state, it means the switch is not listening for newauthentication requests from the client. The default value is 60 seconds and the range is from one to 65535seconds.
Note: In this example, the quiet period is set to 120 seconds.
Step 24. In the Resending EAP field, enter the time the switch waits for a response message from thesupplicant before resending a request. The default value is 30 seconds and the range is from one to 65535seconds.
Note: In this example, resending EAP is set to 60 seconds.
Step 25. In the Max EAP Requests field, enter the maximum number of EAP requests that can be sent. EAPis an authentication method used in 802.1X that provides authentication information exchange between the switchand the client. In this case, EAP requests are sent to the client for authentication. The client then has torespond and match the authentication information. If the client does not respond, then another EAP request isset based on the Resending EAP value and the authentication process is restarted. The default value is 2 and therange is from one to 10.
Note: In this example, the default value of 2 is used.
Step 26. In the Supplicant Timeout field, enter the time before EAP requests are resent to thesupplicant. The default value is 30 seconds and the range is from one to 65535 seconds.
Note: In this example, supplicant timeout is set to 60 seconds.
Step 27. In the Server Timeout field, enter the time that elapses before the switch sends a requestagain to the RADIUS server. The default value is 30 seconds and the range is from one to 65535 seconds.
Note: In this example, server timeout is set to 60 seconds.
Step 28. Click Apply then click Close.
Step 29. (Optional) Click Save to save settings to the startup configuration file.
You should now have successfully configured the 802.1x port authentication settings on your switch.
Apply Interface Configuration Settings toMultiple Interfaces
Step 1. Click the radio button of the interface that you want to apply the authentication configuration tomultiple interfaces.
Note: In this example, GE4 is chosen.
Step 2. Scroll down then click Copy Settings.
Step 3. In the to field, enter the range of interfaces that you want to apply the configuration of thechosen interface. You can use the interface numbers or the name of the interfaces as input. You can enter eachinterface separated by a comma (such as 1, 3, 5 or GE1, GE3, GE5) or you can enter a range of interfaces (suchas 1-5 or GE1-GE5).
Note: In this example, the configuration settings will be applied to ports 47 to 48.
Step 4. Click Apply then click Close.
The image below depicts the changes after the configuration.
You should now have successfully copied the 802.1x authentication settings of one port and applied to other portor ports on your switch.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 | 11-Dec-2018 | Initial Release |