Configuring Identity Features on Layer 3 Interface
This chapter describes the identity features supported on the Onboard Gigabit Ethernet Layer 3 ports of the Cisco 1921 Integrated Services Router (ISR).
This chapter contains the following sections:
- Authentication Methods
- Controlling Port Authorization State
- Flexible Authentication
- Host mode
- Open Access
- Control-Direction (Wake-on-LAN)
- Preauthentication Access Control List
- Downloadable Access Control List
- Filter-ID or Named Access Control List
- IP Device Tracking
Note: Critical authentication, which is also known as Inaccessible Authentication Bypass or AAA Fail Policy, does not support the Identity features on the Onboard Gigabit Ethernet Layer 3 ports.
Authentication Methods
Identity features support various types of authentication methods that are suitable for different kinds of end hosts and users. The two methods that are mainly used are:
- IEEE 802.1X
- MAC Authentication Bypass (MAB)
Configuring the IEEE 802.1X
Perform these steps to configure the IEEE 802.1X on the Cisco 1921 ISR.
SUMMARY STEPS
3. interface gigabitethernet slot/port
DETAILED STEPS
Verifying the IEEE 802.1X
Use the show authentication sessions command to verify the configuration:
Configuring the MAC Authentication Bypass (MAB)
SUMMARY STEPS
3. interface gigabitethernet slot/port
DETAILED STEPS
| Command or Action | Purpose |
|---|---|
| enable | Enables privileged EXEC mode. Enter your password if prompted. |
| interface gigabitethernet slot/port | Enters interface configuration mode for the Onboard Gigabit Ethernet Layer 3 port. |
| authentication port-control auto | Enables IEEE 802.1X authentication on the port; the port starts in the unauthorized state until the client authenticates (see Controlling Port Authorization State). |
Verifying the MAB
Use the show authentication sessions command to verify the configuration:
Controlling Port Authorization State
You can control the port authorization by using the following methods:
- Force-authorized: This is the default setting. It disables IEEE 802.1X and causes a port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without IEEE 802.1X-based authentication of the client.
- Force-unauthorized: This causes a port to remain in the unauthorized state, ignoring all the authentication attempts made by a client. A router cannot provide authentication services to clients through the interface.
- Auto: This enables IEEE 802.1X authentication and causes a port to start in the unauthorized state, allowing only Extensible Authentication Protocol over LAN (EAPoL) frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up, or when an EAPoL-start frame is received. The router requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the router with the help of the client's MAC address. If the client is successfully authenticated, the port state changes to authorized, and all the frames from the authenticated client are allowed through the port. If authentication fails, the port remains in the unauthorized state, but authentication can be retried.
Configuring the Controlling Port Authorization State
Perform these steps to configure the Controlling Port Authorization state.
SUMMARY STEPS
3. interface gigabitethernet slot/port
DETAILED STEPS
Verifying the Controlling Port Authorization State
Use the show authentication sessions and show dot1x commands to verify the Controlling Port Authorization state:
Flexible Authentication
Flexible Authentication sequencing allows a user to enable all or some authentication methods on a router port and specify the order in which the methods should be executed.
Configuring Flexible Authentication
For more information about configuring Flexible Authentication, see:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html
Host mode
Only single-host mode is supported for the Identity features on the Onboard Gigabit Ethernet Layer 3 ports. In single-host mode, only one client can be connected to the IEEE 802.1X-enabled router port. The router detects the client by sending an EAPoL frame when the port link state changes to the up state. If the client leaves or is replaced with another client, the router changes the port link state to down, and the port returns to the unauthorized state.
Open Access
The Open Access feature allows clients or devices to gain network access before authentication is performed. This is primarily required for the Preboot eXecution Environment (PXE) scenario where a device is required to access the network before PXE times out and downloads a bootable image, which contains a supplicant.
Configuring Open Access
SUMMARY STEPS
DETAILED STEPS
| Command or Action | Purpose |
|---|---|
| enable | Enables privileged EXEC mode. Enter your password if prompted. |
| interface gigabitethernet slot/port | Enters interface configuration mode for the Onboard Gigabit Ethernet Layer 3 port. |
Control-Direction (Wake-on-LAN)
When the router uses IEEE 802.1X authentication with Wake-on-LAN (WoL), the router forwards traffic to the unauthorized IEEE 802.1X ports, including the magic packets. While the port is unauthorized, the switch continues to block ingress traffic other than EAPoL packets. The host can receive packets, but cannot send packets to other devices in the network.
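The following is an added example, not code from the Cisco guide: a small Python model of the per-frame forwarding decision an IEEE 802.1X-controlled port makes, combining the three port-control modes from Controlling Port Authorization State, Open Access, and the control-direction in (Wake-on-LAN) behaviour described above. The PortState fields and the ethertype constants are my own modelling assumptions; a preauthentication ACL is not modelled.

```python
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN (assumed constant for the model)
IPV4_ETHERTYPE = 0x0800


@dataclass
class PortState:
    port_control: str                 # "force-authorized", "force-unauthorized" or "auto"
    authorized: bool = False          # outcome of the last authentication; only used in "auto"
    control_direction: str = "both"   # "both" (default) or "in" (Wake-on-LAN)
    open_access: bool = False         # Open Access: pass traffic before authentication


def port_forwards(port: PortState, direction: str, ethertype: int) -> bool:
    """Decide whether the port passes one frame.

    direction is "ingress" (from the attached host) or "egress" (towards it).
    """
    if port.port_control == "force-authorized":
        return True   # IEEE 802.1X disabled: normal traffic, no authentication exchange
    if port.port_control == "force-unauthorized":
        return False  # port stays unauthorized and ignores every authentication attempt
    # "auto": the port starts unauthorized and opens only after a successful exchange
    if port.authorized:
        return True
    if ethertype == EAPOL_ETHERTYPE:
        return True   # only EAPoL may be sent and received while unauthorized
    if port.open_access:
        return True   # Open Access (e.g. PXE boot); a preauthentication ACL should limit this
    if port.control_direction == "in" and direction == "egress":
        return True   # Wake-on-LAN: magic packets still reach the sleeping host
    return False      # everything else is blocked until authentication succeeds


def wol_scenario() -> dict:
    """Constructed check of the control-direction in (Wake-on-LAN) behaviour."""
    port = PortState("auto", control_direction="in")
    return {
        "magic_packet_to_host": port_forwards(port, "egress", IPV4_ETHERTYPE),
        "host_ipv4_to_network": port_forwards(port, "ingress", IPV4_ETHERTYPE),
        "host_eapol_start": port_forwards(port, "ingress", EAPOL_ETHERTYPE),
    }
```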
Configuring Control-Direction (Wake-on-LAN)
Perform these steps to configure Control-Direction (Wake-on-LAN).
SUMMARY STEPS
3. interface gigabitethernet slot/port
DETAILED STEPS
Verifying the Default Control-Direction Setting (Both)
Use the show authentication sessions and show dot1x commands to verify the default control-direction setting (both):
c1921#show authentication sessions interface Gi0/1
Authorized By: Authentication Server
Common Session ID: 03030303000000000000BA04
Dot1x Info for GigabitEthernet0/1
Verifying the Authentication Control-Direction Setting (In)
Use the show authentication sessions and show dot1x commands to verify the authentication control-direction setting (in):
c1921#show authentication sessions interface gi0/1
Authorized By: Authentication Server
Common Session ID: 030303030000000C00310024
c1921#show dot1x interface g0/1
Dot1x Info for GigabitEthernet0/1
Preauthentication Access Control List
When Open Access is installed, we recommend that a default port access control list (ACL) is configured on the authenticator. The ACL allows the end point a minimum of network access so that it can obtain its IP address and start running.
Configuring the Preauthentication Access Control List
For information about configuring a preauthentication port ACL, see:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/port_acls.html#wp1039754
Downloadable Access Control List
A Downloadable ACL is also referred to as dACL. For a dACL to work on a port, the ip device tracking feature should be enabled and the end point connected to the port should have an IP address assigned. After authentication on the port, use the show ip access-list privileged EXEC command to display the downloaded ACL on the port.
Filter-ID or Named Access Control List
Filter-ID also works like a dACL, but the ACL commands are configured on the authenticator. Authentication, authorization, and accounting (AAA) provides only the name of the ACL to the authenticator.
IP Device Tracking
The IP Device Tracking feature is required for the dACL and Filter-ID features to function. To program a dACL or Filter-ID for a device, the device's IP address is required. IP device tracking provides the IP address of the corresponding device to the Enterprise Policy Manager (EPM) module, which applies the dACL to each user by adding that IP address to its entries.
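As an added example (not code from the Cisco guide), the following Python model covers the three preceding sections together: a dACL arrives as ACE text from AAA, a Filter-ID only names an ACL that must already exist on the authenticator, and both need the host IP address that IP device tracking supplies before they can be programmed. The attribute keys, the sample ACLs, and the rewrite of a generic source "any" to the tracked host are my modelling assumptions.

```python
import ipaddress

# Constructed sample data: a named ACL configured on the authenticator (Filter-ID case)
# and a dACL as it might be carried in an AAA reply (downloadable case).
LOCAL_ACLS = {"EMPLOYEE-ACL": ["permit tcp any host 10.1.1.10 eq 443", "deny ip any any"]}
DACL_REPLY = {"dacl": ["permit udp any any eq domain", "permit ip any 10.2.0.0 0.0.255.255"]}


class AuthorizationError(Exception):
    """Raised when the authorization result cannot be programmed on the port."""


def materialize_acl(aaa_attrs: dict, local_acls: dict, tracked_ip) -> list:
    """Return the ACE lines to program for one authenticated session."""
    if tracked_ip is None:
        # Without IP device tracking there is no address to bind the ACL to.
        raise AuthorizationError("no tracked IP address for this session; enable ip device tracking")
    host = ipaddress.ip_address(tracked_ip)
    if "dacl" in aaa_attrs:
        aces = aaa_attrs["dacl"]                 # ACE text downloaded from AAA
    elif "filter_id" in aaa_attrs:
        name = aaa_attrs["filter_id"]            # AAA supplies only the ACL name
        if name not in local_acls:
            raise AuthorizationError(f"Filter-ID {name!r} is not configured on the authenticator")
        aces = local_acls[name]
    else:
        return []                                # no per-session ACL was authorized
    out = []
    for ace in aces:
        parts = ace.split()
        # Generic entries are written with source "any"; bind them to this host's address.
        if len(parts) >= 3 and parts[2] == "any":
            parts[2:3] = ["host", str(host)]
        out.append(" ".join(parts))
    return out


def demo() -> dict:
    """Constructed run: a dACL, a Filter-ID, and a session with no tracked IP address."""
    results = {
        "dacl": materialize_acl(DACL_REPLY, LOCAL_ACLS, "192.168.10.20"),
        "filter_id": materialize_acl({"filter_id": "EMPLOYEE-ACL"}, LOCAL_ACLS, "192.168.10.21"),
    }
    try:
        materialize_acl(DACL_REPLY, LOCAL_ACLS, None)
    except AuthorizationError as exc:
        results["no_ip"] = str(exc)
    return results
```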