Port-based access control: a port is dynamically enabled or disabled according to the identity of the user or device connected to it.
Dot1X - Figure 3
Before authentication the endpoint's identity is unknown and all of its traffic is blocked. After authentication the identity is known and all traffic from that endpoint is allowed. The switch enforces this with source MAC filtering, so that only frames carrying an authenticated endpoint's source MAC are forwarded. Note that the binding is to the MAC address alone: a device that spoofs the MAC of an already authenticated endpoint on the same port passes the filter as well, so port-based 802.1X by itself does not protect a link against an attacker who can plug into it and observe the authenticated MAC.

802.1X Components

Dot1X - Figure 4

  • The three 802.1X roles are the supplicant (the endpoint requesting access), the authenticator (the switch or access point that controls the port) and the authentication server (normally RADIUS).
  • Besides the components above there is also a back-end identity store (AD, LDAP) that the authentication server queries.

Wired 802.1X

Dot1X - Figure 5

802.1X Workflow

Dot1X - Figure 6

The supplicant can initiate authentication by sending an EAPoL-Start frame. EAPoL-Start lets the supplicant speed up the process instead of waiting for the switch's next periodic EAP-Request/Identity; the switch also starts authentication on its own when the port's link comes up.
If authentication succeeds, the port is authorized and the endpoint is granted access; if it fails, the port stays unauthorized and the switch retries authentication periodically.
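The exchange described above, as an added example that is not part of the original page or of any Cisco code: a Python simulation of a supplicant sending EAPoL-Start, the authenticator answering with EAP-Request/Identity, the supplicant's Response/Identity, and the Success or Failure verdict. The EAPOL and EAP byte layouts are the real ones (IEEE 802.1X, RFC 3748); the authentication server is replaced by a constructed in-memory table, and the MAC addresses and identities are made up.

```python
"""Simulated 802.1X exchange between a supplicant and an authenticator port.
Added example, not from the page or Cisco. EAPOL/EAP layouts follow IEEE 802.1X
and RFC 3748; the "authentication server" is a constructed in-memory table."""
import struct

ETH_P_PAE = b"\x88\x8e"                          # EAPOL EtherType 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

def eapol(ptype, body=b""):
    """EAPOL PDU: version, packet type, body length, body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body

def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, id, total length, then type+data (Request/Response only)."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def ethernet(dst, src, payload):
    return dst + src + ETH_P_PAE + payload

def parse_eapol(frame):
    """(src_mac, packet_type, body), or None for non-EAPOL or truncated frames."""
    if len(frame) < 18 or frame[12:14] != ETH_P_PAE:
        return None
    _ver, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    return (frame[6:12], ptype, body) if len(body) == length else None

def parse_eap(body):
    """(code, id, type or None, type-data); the length field is validated."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length != len(body):
        raise ValueError("bad EAP length")
    return code, ident, (body[4] if length > 4 else None), body[5:]

class Authenticator:
    """Switch-side PAE for one port (dot1x pae authenticator)."""
    def __init__(self, mac, backend):
        self.mac, self.backend = mac, backend    # backend: constructed {identity: bool}
        self.ident, self.authorized_mac = 0, None

    def request_identity(self, dst):
        """EAP-Request/Identity: sent periodically, and at once on EAPOL-Start."""
        self.ident = (self.ident + 1) & 0xFF
        pkt = eap(EAP_REQUEST, self.ident, EAP_TYPE_IDENTITY)
        return ethernet(dst, self.mac, eapol(EAPOL_EAP_PACKET, pkt))

    def receive(self, frame):
        parsed = parse_eapol(frame)
        if parsed is None:
            return None                          # not EAPOL: nothing for the PAE
        src, ptype, body = parsed
        if ptype == EAPOL_START:
            return self.request_identity(src)
        if ptype != EAPOL_EAP_PACKET:
            return None
        code, ident, eap_type, data = parse_eap(body)
        if (code, ident, eap_type) != (EAP_RESPONSE, self.ident, EAP_TYPE_IDENTITY):
            return None                          # stale id or unexpected packet
        # A real switch now relays the EAP method (e.g. EAP-TLS) to RADIUS and
        # acts on its verdict; the constructed table stands in for that.
        ok = self.backend.get(data.decode("utf-8", "replace"), False)
        if ok:
            self.authorized_mac = src            # port authorized for this MAC only
        verdict = eap(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return ethernet(src, self.mac, eapol(EAPOL_EAP_PACKET, verdict))

class Supplicant:
    def __init__(self, mac, identity):
        self.mac, self.identity, self.state = mac, identity, "connecting"

    def start(self):
        """EAPOL-Start: request an identity challenge instead of waiting."""
        return ethernet(PAE_GROUP_ADDR, self.mac, eapol(EAPOL_START))

    def receive(self, frame):
        src, _ptype, body = parse_eapol(frame)
        code, ident, eap_type, _ = parse_eap(body)
        if code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY:
            resp = eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode())
            return ethernet(src, self.mac, eapol(EAPOL_EAP_PACKET, resp))
        # Success authorizes the port; Failure leaves it unauthorized ("held")
        # until the switch's quiet period expires and it retries.
        self.state = "authenticated" if code == EAP_SUCCESS else "held"
        return None

def run_exchange(supplicant, authenticator, max_frames=8):
    """Relay frames until one side goes silent; returns the supplicant's state."""
    frame = supplicant.start()
    for _ in range(max_frames):                  # bounded so a bug cannot spin
        frame = authenticator.receive(frame)
        if frame is None:
            break
        frame = supplicant.receive(frame)
        if frame is None:
            break
    return supplicant.state
```

run_exchange returns "authenticated" for an identity the table knows and "held" for one it does not; in the held state a real switch waits its quiet period and then sends a fresh EAP-Request/Identity, which is the periodic retry the text refers to. The authenticator only processes a Response whose identifier matches its outstanding Request, so a replayed or stray Response is ignored rather than acted on.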

Dot1X - Figure 7

DETAILED STEPS (command or action, example, purpose)

Step 1: enable
    Example: Device> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Device# configure terminal
    Purpose: Enters global configuration mode.

Step 3: aaa new-model
    Example: Device(config)# aaa new-model
    Purpose: Enables AAA.

Step 4: aaa authentication dot1x {default | listname} method1 [method2...]
    Example: Device(config)# aaa authentication dot1x default group radius
    Purpose: Defines the ordered list of authentication methods (here the RADIUS server group) that the device uses for 802.1X, so that it can hand the EAP conversation to the AAA server.

Step 5: dot1x system-auth-control
    Example: Device(config)# dot1x system-auth-control
    Purpose: Globally enables 802.1X port-based authentication.

Step 6: identity profile default
    Example: Device(config)# identity profile default
    Purpose: Creates an identity profile and enters dot1x profile configuration mode.

Step 7: interface type slot/port
    Example: Device(config-identity-prof)# interface Gigabitethernet 1/0/1
    Purpose: Enters interface configuration mode and specifies the interface to be enabled for 802.1X authentication.

Step 8: access-session port-control {auto | force-authorized | force-unauthorized}
    Example: Device(config-if)# access-session port-control auto
    Purpose: Enables 802.1X port-based authentication on the interface.
    • auto: Enables IEEE 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-Start frame is received. The device requests the identity of the supplicant and begins relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the device by its MAC address.
    • force-authorized: Disables IEEE 802.1X authentication and causes the port to change to the authorized state without any authentication exchange. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client. This is the default setting, so a port with no port-control command at all behaves this way.
    • force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The device cannot provide authentication services to the supplicant through the port.
    Note: Effective with Cisco IOS Release 12.2(33)SXI, the authentication port-control command replaces the dot1x port-control command. The numbered example below uses the authentication port-control form.

Step 9: dot1x pae [supplicant | authenticator | both]
    Example: Device(config-if)# dot1x pae authenticator
    Purpose: Sets the Port Access Entity (PAE) type.
    • supplicant: The interface acts only as a supplicant and does not respond to messages that are meant for an authenticator.
    • authenticator: The interface acts only as an authenticator and does not respond to any messages meant for a supplicant.
    • both: The interface behaves both as a supplicant and as an authenticator and thus responds to all dot1x messages.

Step 10: end
    Example: Device(config-if)# end
    Purpose: Exits interface configuration mode and enters privileged EXEC mode.

Step 11: show dot1x
    Example: Device# show dot1x
    Purpose: Displays whether 802.1X authentication has been configured on the device.
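The three port-control modes of Step 8 together with the source-MAC filter described at the top of the page, as an added example (not the page's or Cisco's code): a Python model of one authenticator port. Frames are represented as (source MAC, EtherType) pairs, a constructed simplification of real Ethernet frames, and the MAC addresses are made up.

```python
"""Model of one authenticator port: the three port-control modes from Step 8
and the source-MAC filter applied after a supplicant is authorized.
Added example, not the page's or Cisco's code. Frames are (src_mac, ethertype)
pairs, a constructed stand-in for real Ethernet frames."""

ETH_P_PAE = 0x888E   # EAPOL EtherType: the only traffic an unauthorized auto port accepts
ETH_P_IP = 0x0800

MODES = ("auto", "force-authorized", "force-unauthorized")

class Port:
    def __init__(self, mode="force-authorized"):   # force-authorized is the IOS default
        if mode not in MODES:
            raise ValueError(f"unknown port-control mode {mode!r}")
        self.mode = mode
        self.authorized_mac = None       # single-host mode: one authenticated MAC

    def link_up(self):
        """A link transition restarts authentication: forget the old session."""
        self.authorized_mac = None

    def eap_success(self, mac):
        """The authentication server returned Success for the supplicant at `mac`."""
        if self.mode == "auto":          # the forced modes never run an exchange
            self.authorized_mac = mac

    def eapol_logoff(self, mac):
        if self.authorized_mac == mac:
            self.authorized_mac = None

    def forwards(self, src_mac, ethertype):
        """True if an ingress frame with this source MAC and EtherType is forwarded."""
        if self.mode == "force-authorized":
            return True                  # no 802.1X at all: everything passes
        if self.mode == "force-unauthorized":
            return False                 # everything dropped, EAPOL included
        if ethertype == ETH_P_PAE:
            return True                  # auto: EAPOL always reaches the PAE
        return src_mac == self.authorized_mac   # source-MAC filter

def scenario():
    """Walk an auto port through the states the page describes; MACs are made up."""
    alice, bob = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    port = Port("auto")
    port.link_up()
    out = {"before_auth_ip": port.forwards(alice, ETH_P_IP),       # False
           "before_auth_eapol": port.forwards(alice, ETH_P_PAE)}   # True
    port.eap_success(alice)
    out["alice_after_auth"] = port.forwards(alice, ETH_P_IP)       # True
    out["bob_after_auth"] = port.forwards(bob, ETH_P_IP)           # False: other MAC
    # The filter is MAC-only: a host on the same segment that spoofs alice's
    # source MAC is forwarded exactly like alice. That is the limitation of
    # binding the authorization to a MAC address.
    out["spoof_after_auth"] = port.forwards(alice, ETH_P_IP)       # True
    port.eapol_logoff(alice)
    out["after_logoff"] = port.forwards(alice, ETH_P_IP)           # False
    out["forced_unauth_eapol"] = Port("force-unauthorized").forwards(alice, ETH_P_PAE)  # False
    out["default_mode_ip"] = Port().forwards(bob, ETH_P_IP)        # True: default is force-authorized
    return out
```

scenario() walks an auto port from link-up through authorization, a logoff, and then the two forced modes. The spoof_after_auth entry is the caveat from the top of the page: once a MAC is authorized the port forwards any frame carrying that source MAC, and the default_mode_ip entry shows why a port that was never given a port-control command is wide open.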

Example configuration, the same sequence on a FastEthernet port in the order the steps above require (lines starting with ! are comments):

    Device> enable
    Device# configure terminal
    ! AAA must be enabled before a dot1x method list can reference a RADIUS group
    Device(config)# aaa new-model
    Device(config)# aaa authentication dot1x default group radius
    Device(config)# dot1x system-auth-control
    Device(config)# interface fastethernet2/1
    ! 802.1X is applied to an access port; the port starts unauthorized and
    ! the switch acts as the authenticator
    Device(config-if)# switchport mode access
    Device(config-if)# authentication port-control auto
    Device(config-if)# dot1x pae authenticator
    Device(config-if)# end
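A check a practitioner would run after applying the configuration above, as an added example (not from the page or Cisco): a Python audit that walks an IOS running-config, treats any access port without authentication port-control auto or access-session port-control auto as effectively force-authorized (the default noted in Step 8), checks that the PAE role from Step 9 is set, and flags missing global AAA and dot1x commands. SAMPLE_CONFIG is constructed for the example and uses only the command syntax shown in the steps above.

```python
"""Audit an IOS running-config for access ports that do not enforce 802.1X.
Added example, not from the page or Cisco; SAMPLE_CONFIG is constructed and
uses only the command syntax shown in the configuration steps above."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport mode access
 authentication port-control force-authorized
!
interface GigabitEthernet1/0/5
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

REQUIRED_GLOBALS = ("aaa new-model", "dot1x system-auth-control")
PORT_CONTROL = re.compile(r"^(?:authentication|access-session) port-control (\S+)$")

def parse_interfaces(config):
    """Map interface name -> its indented sub-commands, stripped."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                 # "!" or a global command closes the stanza
    return interfaces

def audit(config):
    """Return {scope: finding}; an empty dict means every access port enforces 802.1X."""
    findings = {}
    lines = set(config.splitlines())
    missing = [cmd for cmd in REQUIRED_GLOBALS if cmd not in lines]
    if missing:
        findings["global"] = "missing: " + ", ".join(missing)
    if not any(l.startswith("aaa authentication dot1x ") for l in lines):
        findings["global-method-list"] = "no aaa authentication dot1x method list"
    for name, subcmds in parse_interfaces(config).items():
        if "switchport mode access" not in subcmds:
            continue                       # trunks and uplinks are out of scope here
        modes = [m.group(1) for m in map(PORT_CONTROL.match, subcmds) if m]
        mode = modes[-1] if modes else "force-authorized"   # Step 8: the default mode
        if mode != "auto":
            findings[name] = f"port-control {mode}: no 802.1X enforcement"
        elif "dot1x pae authenticator" not in subcmds:
            findings[name] = "port-control auto but dot1x pae authenticator not set (Step 9)"
    return findings
```

audit(SAMPLE_CONFIG) reports GigabitEthernet1/0/3 (no port-control command, hence the force-authorized default) and 1/0/4 (explicitly force-authorized) as unenforced, and 1/0/5 as missing the PAE role; ports 1/0/1 and 1/0/2 pass with either command spelling, and the trunk is skipped. On a real switch the input is the text of show running-config.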

Sources (the DETAILED STEPS above are taken from the Cisco guides listed here):
  • dot1x.pdf
  • IEEE 802.1X of Cisco
  • Configuring IEEE 802.1X Port-Based Authentication
  • 802.1X Authentication Services Configuration Guide

Wireless 802.1X