This article explains how to enable 802.1x authentication on Dell Networking Force10 switches.
Objectives
- What is 802.1x?
- Important things to remember
- Enable 802.1x
- Set up RADIUS Server connection
- Verify configuration
What is 802.1x?
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification.
802.1X employs the Extensible Authentication Protocol (EAP) to carry a device's credentials to an authentication server (typically RADIUS) through a mandatory intermediary network access device, in this case a Dell Networking switch. The network access device mediates all communication between the end-user device and the authentication server, so the end-user device gets no network access until the server accepts its credentials. The network access device uses EAP over LAN (EAPOL) to communicate with the end-user device and EAP over RADIUS to communicate with the server.
The Dell Networking Operating System (OS) supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
Important Things to Remember
- Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
- All platforms support only RADIUS as the authentication server.
- If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
- 802.1X is not supported on port-channels or port-channel members.
Enable 802.1x
Command | Description
--- | ---
FTOS# configure | Enter configuration mode.
FTOS(conf)# dot1x authentication | Globally enable dot1x authentication.
FTOS(conf)# interface range te 1/1 - 2 | Enter the range of ports to be configured.
FTOS(conf-if-te-1/1-2)# switchport | Enable Layer 2 switchport mode on the interfaces.
FTOS(conf-if-te-1/1-2)# dot1x authentication | Enable dot1x authentication at the port level for the specified range.
Set up RADIUS Server Connection
Command | Description
--- | ---
FTOS# configure | Enter configuration mode.
FTOS(conf)# radius-server host 10.180.58.10 | Set the IP address or host name of the RADIUS server.
FTOS(conf)# radius-server key {encryption-type} key | Set the shared key used in the handshake with the RADIUS server. encryption-type options: 0 = an UNENCRYPTED key follows; 7 = a HIDDEN key follows. LINE = the UNENCRYPTED (cleartext) key (max 42 characters).
FTOS(conf)# dot1x auth-server radius | Identify the dot1x authentication server as a RADIUS server.
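The two tables above are the steps of one procedure, so here is an added example (not Dell's code) that generates the same CLI lines for a list of ports and RADIUS servers while enforcing the constraints the article states: no port-channels, RADIUS as the only server type, a key of at most 42 characters, and a warning when only one RADIUS server (no secondary) or a cleartext key type is used. The interface names, the second RADIUS address and the shared secret are constructed values.

```python
"""Generate the FTOS CLI for the 802.1X enable + RADIUS procedure above.

Added example, not Dell's own code. The interface names, the secondary RADIUS
address and the key are constructed; the command syntax follows the tables.
"""
import re

# The article states 802.1X is not supported on port-channels or their members.
PORT_CHANNEL = re.compile(r"^\s*(port-channel|po)\s*\d+", re.IGNORECASE)
# Physical port or port range in the article's style, e.g. "te 1/1 - 2" or "te 1/3".
PHYSICAL_PORT = re.compile(
    r"^(tengigabitethernet|gigabitethernet|fortygige|te|gi|fo)\s*\d+/\d+(\s*-\s*\d+)?$",
    re.IGNORECASE,
)
MAX_KEY_LEN = 42  # from the radius-server key help text in the article


def build_dot1x_config(interfaces, radius_hosts, radius_key, key_type=7):
    """Return {'lines': [CLI lines], 'warnings': [strings]}.

    Raises ValueError when the request violates a constraint the article states.
    """
    if not radius_hosts:
        raise ValueError("at least one RADIUS server is required; RADIUS is the only supported authentication server")
    if key_type not in (0, 7):
        raise ValueError("encryption-type must be 0 (unencrypted key follows) or 7 (hidden key follows)")
    if not radius_key or len(radius_key) > MAX_KEY_LEN:
        raise ValueError(f"RADIUS key must be 1 to {MAX_KEY_LEN} characters")

    lines = ["configure", "dot1x authentication"]  # global enable comes first
    for iface in interfaces:
        if PORT_CHANNEL.match(iface):
            raise ValueError(f"802.1X is not supported on port-channels: {iface!r}")
        if not PHYSICAL_PORT.match(iface.strip()):
            raise ValueError(f"unrecognised interface specification: {iface!r}")
        keyword = "interface range" if "-" in iface else "interface"
        lines += [f"{keyword} {iface.strip()}", " switchport", " dot1x authentication"]

    # Primary server first; the switch uses the next host only if the primary stops responding.
    for host in radius_hosts:
        lines.append(f"radius-server host {host}")
    lines.append(f"radius-server key {key_type} {radius_key}")
    lines += ["dot1x auth-server radius", "end"]

    warnings = []
    if key_type == 0:
        warnings.append("encryption-type 0 enters the key in cleartext; it is visible in the terminal "
                        "session and in any pasted script")
    if len(radius_hosts) < 2:
        warnings.append("only one RADIUS server configured; if it becomes unresponsive there is no "
                        "secondary to fall back to")
    return {"lines": lines, "warnings": warnings}


if __name__ == "__main__":
    # Constructed inputs: the article's primary server plus a hypothetical secondary.
    cfg = build_dot1x_config(["te 1/1 - 2"], ["10.180.58.10", "10.180.58.11"], "constructed-shared-secret")
    print("\n".join(cfg["lines"]))
    for warning in cfg["warnings"]:
        print("WARNING:", warning)
```

The generated lines can be pasted into the FTOS console in order; the function refuses port-channel interfaces up front rather than letting the switch reject them mid-paste.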
Verify 802.1x configuration
The following commands show the 802.1x configuration and per-port status on the switch.
FTOS#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 1/1
no ip address
dot1x authentication
no shutdown
FTOS#show dot1x interface TenGigabitEthernet 1/1
802.1x information on Te 1/1
:-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
FTOS#show run | grep radius|dot1x
dot1x authentication
dot1x authentication
radius-server host 10.180.58.10 key 7 7bb92471cb453a73
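Reading the `show dot1x interface` output by eye works for one port; for many ports it helps to parse it and flag the settings that weaken enforcement. Below is an added example (not Dell's tooling) that parses the article's output into a dictionary and audits it: it confirms dot1x is enabled with port control AUTO, and flags re-authentication being disabled (as in the output above), MAC authentication bypass, and non-single-host mode. The sample text is the article's own output with only the trailing blank line added.

```python
"""Parse and audit 'show dot1x interface' output from a Force10 switch.

Added example, not Dell's own code. SAMPLE is the article's output.
"""
import re

SAMPLE = """802.1x information on Te 1/1
:-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
"""


def parse_dot1x_interface(text):
    """Return {'interface': 'Te 1/1', 'fields': {...}}; 'N seconds' and bare numbers become ints."""
    info = {"interface": None, "fields": {}}
    for line in text.splitlines():
        header = re.match(r"802\.1x information on (.+)$", line.strip())
        if header:
            info["interface"] = header.group(1).strip()
            continue
        if ":" not in line or line.startswith(":"):  # skips the ':-----' separator line
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        seconds = re.fullmatch(r"(\d+) seconds", value)
        if seconds:
            value = int(seconds.group(1))
        elif value.isdigit():
            value = int(value)
        info["fields"][key.strip()] = value
    return info


def audit_dot1x_port(info):
    """Return findings for one port; an empty list means the port enforces 802.1X as expected."""
    f = info["fields"]
    findings = []
    if f.get("Dot1x Status") != "Enable":
        findings.append("dot1x is not enabled on this port")
    if f.get("Port Control") != "AUTO":
        findings.append(f"port control is {f.get('Port Control')}; only AUTO enforces authentication")
    if f.get("Re-Authentication") != "Enable":
        findings.append("re-authentication is disabled, so an authorized session is never re-verified")
    if f.get("Mac-Auth-Bypass") == "Enable":
        findings.append("MAC authentication bypass is enabled; hosts admitted that way present no EAP credentials")
    if f.get("Host Mode") != "SINGLE_HOST":
        findings.append(f"host mode is {f.get('Host Mode')}; more than one device may share the authorized port")
    if f.get("Port Auth Status") == "UNAUTHORIZED":
        findings.append("info: no supplicant has authenticated yet (expected right after enabling)")
    return findings


if __name__ == "__main__":
    parsed = parse_dot1x_interface(SAMPLE)
    print(parsed["interface"])
    for finding in audit_dot1x_port(parsed):
        print(" -", finding)
```

To audit a whole switch, capture `show dot1x interface` for each port and feed each capture through the same pair of functions; a port whose findings list is empty is enabled, in AUTO mode, single-host, and re-authenticating on the configured interval.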