802.1X and MAC Authentication Bypass (MAB) with EAP.

Basic configuration for 802.1X and MAC Authentication Bypass (MAB) with an EAP supplicant on Cisco IOS 15.2. It follows on from the RADIUS configuration, so the RADIUS server definitions are assumed to be in place already.

Note: Anything inside <> is user-defined text (i.e. a word or a port number).

  • Enable 802.1X globally
    • (config)#dot1x system-auth-control
  • Define 802.1X authentication (the default method list applies to every 802.1X-enabled port)
    • (config)#aaa authentication dot1x default group radius
  • Define accounting
    • (config)#aaa accounting dot1x default start-stop group radius
  • Define authorization (network services; required for the switch to apply a VLAN or ACL returned by the server)
    • (config)#aaa authorization network default group radius
  • Add attributes to include in RADIUS data
    • Attribute 8 (Framed-IP-Address) in Access-Requests
      • (config)#radius-server attribute 8 include-in-access-request
    • Attribute 4 (NAS-IP-Address, the address the server sees as the NAS) and attribute 6 (Service-Type) on login authentication
      • (config)#radius-server attribute 4 <NAS IP ADDRESS>
      • (config)#radius-server attribute 6 on-for-login-auth
  • Configure the switch port (enter it with interface <INTERFACE>) for 802.1X and MAB
    • (config-if)#switchport mode access
    • (config-if)#spanning-tree portfast
    • Enable MAB
      • (config-if)#mab
    • Enable 802.1X authentication
      • (config-if)#dot1x pae authenticator
      • (config-if)#authentication port-control auto
    • Define the port host mode (in this case multi-auth: every MAC address seen on the port is authenticated separately)
      • (config-if)#authentication host-mode multi-auth
    • Define the order and priority of MAB and 802.1X. Order runs MAB first on link-up; priority lets a later 802.1X result override the MAB result, which is exactly what the debug extracts below show (same audit-session-id, method=mab followed by method=dot1x).
      • (config-if)#authentication order mab dot1x
      • (config-if)#authentication priority dot1x mab
  • Caveat: MAB verifies nothing beyond the MAC address the client presents, which any host can spoof, so a MAB-only Access-Accept is weak authorization. Keep it for devices that cannot run a supplicant and give 802.1X the higher priority as above.

Verify 802.1X and MAB

  • #show dot1x all
  • #show mab all
  • #show authentication sessions (add interface <INTERFACE> details for one port)
  • #debug radius authentication
  • #debug radius accounting

MAB debug verification extract (debug radius): note the User-Name, which is the client MAC address, and the Cisco AVpair method=mab.

*Jul  5 06:59:17.091: RADIUS: Received from id 1645/1 192.168.59.5:1812, Access-Accept, len 179
*Jul  5 06:59:17.092: RADIUS:  authenticator 46 34 C0 E3 EE 01 83 9B - 8D D4 92 FC D9 B2 0D 6B
*Jul  5 06:59:17.092: RADIUS:  User-Name           [1]   19  "00-0C-29-C2-99-C4"
*Jul  5 06:59:17.092: RADIUS:  State               [24]  40
…………………………
*Jul  5 06:59:27.177: RADIUS:  authenticator 11 5C A9 23 06 0D E5 D3 - 4C 7B DF B6 9B 61 B1 0D
*Jul  5 06:59:27.177: RADIUS:  Framed-IP-Address   [8]   6   192.168.90.11
*Jul  5 06:59:27.177: RADIUS:  User-Name           [1]   19  "00-0C-29-C2-99-C4"
*Jul  5 06:59:27.177: RADIUS:  Vendor, Cisco       [26]  49
*Jul  5 06:59:27.177: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A83B870000000D00233F45"
*Jul  5 06:59:27.177: RADIUS:  Vendor, Cisco       [26]  18
*Jul  5 06:59:27.177: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
*Jul  5 06:59:27.177: RADIUS:  Called-Station-Id   [30]  19  "00-47-91-D2-FA-01"
*Jul  5 06:59:27.177: RADIUS:  Calling-Station-Id  [31]  19  "00-0C-29-C2-99-C4"
*Jul  5 06:59:27.177: RADIUS:  NAS-IP-Address      [4]   6   192.168.59.135
*Jul  5 06:59:27.177: RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/1"
*Jul  5 06:59:27.177: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Jul  5 06:59:27.177: RADIUS:  NAS-Port            [5]   6   50001
*Jul  5 06:59:27.177: RADIUS:  Acct-Session-Id     [44]  10  "00000003"
*Jul  5 06:59:27.177: RADIUS:  Class               [25]  48

802.1X debug verification extract: note method=dot1x, the Framed-IP-Address (attribute 8) and the EAP-Key-Name (attribute 102). The audit-session-id is the same one seen in the MAB extract above: the port was first admitted on MAB and was then re-authenticated by 802.1X as user "tony", which is the effect of authentication priority dot1x mab.

*Jul  5 07:04:40.494: RADIUS:  EAP-Key-Name        [102] 2   *
*Jul  5 07:04:40.494: RADIUS:  Vendor, Cisco       [26]  49
*Jul  5 07:04:40.494: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A83B870000000D00233F45"
*Jul  5 07:04:40.494: RADIUS:  Vendor, Cisco       [26]  20
*Jul  5 07:04:40.494: RADIUS:   Cisco AVpair       [1]   14  "method=dot1x"
*Jul  5 07:04:40.494: RADIUS:  Framed-IP-Address   [8]   6   192.168.90.11
*Jul  5 07:04:40.494: RADIUS:  NAS-IP-Address      [4]   6   192.168.59.135
*Jul  5 07:04:40.494: RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/1"
*Jul  5 07:04:40.494: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Jul  5 07:04:40.494: RADIUS:  NAS-Port            [5]   6   50001

……………………………………………………………………………………………………………………………………………..

*Jul  5 07:04:41.041: RADIUS: Received from id 1645/10 192.168.59.5:1812, Access-Accept, len 321
*Jul  5 07:04:41.042: RADIUS:  authenticator 83 45 8E A8 96 35 65 16 - 18 BE EB DA 9F 38 7C 2F
*Jul  5 07:04:41.042: RADIUS:  User-Name           [1]   6   "tony"
*Jul  5 07:04:41.042: RADIUS:  State               [24]  40
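The two extracts above carry the checks worth scripting when reviewing a port: is the User-Name a MAC address (a MAB identity, which any host can spoof) or an EAP identity (802.1X), and did the same audit-session-id move from method=mab to method=dot1x as the priority setting intends. The following Python parser is an added example and not code from the original page. Its SAMPLE_DEBUG input is abridged from the page's own extracts with quotes normalised to straight quotes, and its packet-grouping rules (a new packet on a "Received from" header, on a fresh authenticator line, or on a timestamp jump of more than one second) are assumptions fitted to this debug format, not documented Cisco behaviour.

```python
"""Summarise MAB vs 802.1X sessions from Cisco IOS 'debug radius' output.
Added example, not from the original page; SAMPLE_DEBUG is abridged from its
extracts, and the packet-grouping rules are assumptions fitted to this format."""
import re

_TS = r"\*(?P<ts>\w{3}\s+\d+ (?P<hms>\d\d:\d\d:\d\d\.\d+)): RADIUS:"
HEADER_RE = re.compile(_TS + r"\s+Received from id (?P<id>\S+) \S+, (?P<code>[\w-]+), len \d+")
AUTH_RE = re.compile(_TS + r"\s+authenticator ")
ATTR_RE = re.compile(_TS + r"\s+(?P<name>[A-Za-z][\w-]*(?:, Cisco| AVpair)?)"
                     r"\s+\[\d+\]\s+\d+(?:\s+(?P<value>.*?))?\s*$")

# Constructed sample: lines abridged from the page's two debug extracts.
SAMPLE_DEBUG = """\
*Jul  5 06:59:17.091: RADIUS: Received from id 1645/1 192.168.59.5:1812, Access-Accept, len 179
*Jul  5 06:59:17.092: RADIUS:  authenticator 46 34 C0 E3 EE 01 83 9B - 8D D4 92 FC D9 B2 0D 6B
*Jul  5 06:59:17.092: RADIUS:  User-Name           [1]   19  "00-0C-29-C2-99-C4"
*Jul  5 06:59:17.092: RADIUS:  State               [24]  40
*Jul  5 06:59:27.177: RADIUS:  authenticator 11 5C A9 23 06 0D E5 D3 - 4C 7B DF B6 9B 61 B1 0D
*Jul  5 06:59:27.177: RADIUS:  Framed-IP-Address   [8]   6   192.168.90.11
*Jul  5 06:59:27.177: RADIUS:  User-Name           [1]   19  "00-0C-29-C2-99-C4"
*Jul  5 06:59:27.177: RADIUS:  Vendor, Cisco       [26]  49
*Jul  5 06:59:27.177: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A83B870000000D00233F45"
*Jul  5 06:59:27.177: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
*Jul  5 06:59:27.177: RADIUS:  Calling-Station-Id  [31]  19  "00-0C-29-C2-99-C4"
*Jul  5 06:59:27.177: RADIUS:  NAS-Port-Id         [87]  20  "GigabitEthernet0/1"
*Jul  5 07:04:40.494: RADIUS:  EAP-Key-Name        [102] 2   *
*Jul  5 07:04:40.494: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A83B870000000D00233F45"
*Jul  5 07:04:40.494: RADIUS:   Cisco AVpair       [1]   14  "method=dot1x"
*Jul  5 07:04:41.041: RADIUS: Received from id 1645/10 192.168.59.5:1812, Access-Accept, len 321
*Jul  5 07:04:41.042: RADIUS:  authenticator 83 45 8E A8 96 35 65 16 - 18 BE EB DA 9F 38 7C 2F
*Jul  5 07:04:41.042: RADIUS:  User-Name           [1]   6   "tony"
*Jul  5 07:04:41.042: RADIUS:  State               [24]  40
"""

def _seconds(hms):
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def _mac(s):
    """Heuristic: 12 hex digits with any separators -> normalised MAC, else None."""
    h = re.sub(r"[^0-9a-f]", "", (s or "").lower())
    return h if len(h) == 12 else None

def parse_packets(text, gap=1.0):
    """Group lines into packets: a 'Received from' header, a fresh authenticator line
    or a timestamp jump > gap seconds starts one (extracts may omit packet headers)."""
    packets, cur, last_t = [], None, None
    def new(code=None, ts=None, pid=None):
        packets.append({"code": code, "id": pid, "time": ts, "auth": False, "attrs": []})
        return packets[-1]
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur, last_t = new(m["code"], m["ts"], m["id"]), _seconds(m["hms"])
        elif m := AUTH_RE.match(line):
            if cur is None or cur["auth"] or cur["attrs"]:
                cur = new(ts=m["ts"])
            cur["auth"], last_t = True, _seconds(m["hms"])
        elif m := ATTR_RE.match(line):
            t = _seconds(m["hms"])
            if cur is None or t - last_t > gap:
                cur = new(ts=m["ts"])
            val = m["value"] and m["value"].strip().strip('"\u201c\u201d')  # drop quotes
            cur["attrs"].append((m["name"], val))
            last_t = t
        # elision dots, blank lines and unrelated debug output are ignored
    return packets

def summarize(packets):
    """One record per packet with the fields that matter for MAB/802.1X review."""
    out = []
    for p in packets:
        attrs = dict(reversed(p["attrs"]))  # first occurrence of a name wins
        av = dict(v.split("=", 1) for n, v in p["attrs"] if n == "Cisco AVpair" and "=" in (v or ""))
        user, mac = attrs.get("User-Name"), attrs.get("Calling-Station-Id")
        out.append({
            "time": p["time"], "code": p["code"], "method": av.get("method"),
            "session": av.get("audit-session-id"), "user": user, "mac": mac,
            "port": attrs.get("NAS-Port-Id"), "framed_ip": attrs.get("Framed-IP-Address"),
            "eap_key": "EAP-Key-Name" in attrs,
            # MAB signature: the identity is only a MAC address, which any host can spoof
            "user_is_mac": _mac(user) is not None,
            "mac_as_username": _mac(user) is not None and _mac(user) == _mac(mac),
        })
    return out

def session_methods(summary):
    """audit-session-id -> methods in the order seen (e.g. ['mab', 'dot1x'])."""
    timeline = {}
    for e in summary:
        if e["session"] and e["method"]:
            seq = timeline.setdefault(e["session"], [])
            if not seq or seq[-1] != e["method"]:
                seq.append(e["method"])
    return timeline

def mab_only_accepts(summary):
    """Access-Accepts whose identity is just a MAC: access was granted on MAB alone."""
    return [e for e in summary if e["code"] == "Access-Accept" and e["user_is_mac"]]

if __name__ == "__main__":
    s = summarize(parse_packets(SAMPLE_DEBUG))
    print([e["user"] for e in mab_only_accepts(s)], session_methods(s))
```

Run against the sample it reports one MAB-only Access-Accept (for 00-0C-29-C2-99-C4) and the session timeline mab -> dot1x, i.e. the same picture the two extracts give by eye. Feed it the full output of debug radius authentication on a production switch and any session that stays at mab, or any Access-Accept for a MAC-shaped username on a port where a supplicant is expected, is the one to look at.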