Using IEEE 802.1x for VLAN Assignment

The authentication server component of an 802.1x topology can also help restrict user access to network resources—specifically, VLANs. In addition to configuration on the RADIUS server (that is, the authentication server), the Cisco Catalyst switch is configured with appropriate AAA commands.

After a client (that is, a supplicant) successfully authenticates by providing a username and password, the RADIUS server, which maintains the username-to-VLAN mappings, sends the client's VLAN information to the switch. This is shown in Figure 6-20. Notice that User A and User B are mapped to separate VLANs, and the nonauthenticated user's port is blocked. However, if the RADIUS server is unable to specify a VLAN, or if the port is not performing 802.1x authentication, the client can use the port's access VLAN.

Figure 6-20 Combining 802.1x with Port Security

Suppose the switch port is configured for multiple-host mode, in which any attached host can authenticate on behalf of all the clients available off the port. All hosts are placed in the VLAN of the authenticated host based on the RADIUS server's username-to-VLAN mappings. Interestingly, if the port is configured for the forced-authorized, unauthorized, or shutdown state, the port is considered to be in its configured access VLAN.

Follow these steps to configure username-to-VLAN assignments:

■ Configure AAA-based authorization on both the Cisco ACS server and the Cisco Catalyst switch.

■ Configure the switch port for 802.1x.

■ Configure appropriate tunnel parameters on the Cisco ACS server. Specifically, the ACS needs to be able to send the following attributes to the switch (that is, the authenticator):

— Attribute 64 (contains the VLAN type)

— Attribute 65 (contains the IEEE 802 value)

— Attribute 81 (contains either the VLAN name or VLAN ID associated with the authenticated user)
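The three attributes above are the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), and the switch only honours them when Tunnel-Type is VLAN (13) and Tunnel-Medium-Type is IEEE-802 (6). The following decoder is an added example, not code from the book or from Cisco: it parses the attribute section of an Access-Accept, groups the three attributes by their RFC 2868 tag, and applies the fallback rule described earlier (no usable VLAN from the server means the port keeps its configured access VLAN). The sample Access-Accept bytes are constructed for the example.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # RFC 3580 value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6   # RFC 3580 value meaning "IEEE 802"

def parse_avps(payload: bytes) -> list:
    """Split RADIUS AVPs (Type, Length incl. header, Value) into (type, value)."""
    avps, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed AVP at offset %d" % i)
        avps.append((atype, payload[i + 2:i + alen]))
        i += alen
    return avps

def split_tag(atype: int, value: bytes):
    """RFC 2868 tags: 64/65 are a tag byte plus a 3-byte integer;
    81's first byte is a tag only when it is 0x00-0x1F."""
    if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError("bad tunnel attribute length")
        return value[0], int.from_bytes(value[1:], "big")
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii", "replace")
    return 0, value.decode("ascii", "replace")

def assigned_vlan(avps, access_vlan: str):
    """Return (vlan, source). RADIUS wins only when one tag group carries
    64=VLAN, 65=IEEE-802 and 81; otherwise keep the port's access VLAN."""
    per_tag = {}
    for atype, value in avps:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(atype, value)
            per_tag.setdefault(tag, {})[atype] = body
    for attrs in per_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID], "radius"
    return access_vlan, "access-vlan"

def avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

# Constructed samples, not real captures. First: tag 1, VLAN, IEEE-802, "20".
ACCEPT_WITH_VLAN = (avp(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big"))
                    + avp(TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big"))
                    + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20"))
ACCEPT_NO_VLAN = avp(1, b"usera")  # User-Name only: server sent no VLAN
```

Attribute 81 may carry a VLAN name instead of an ID; a name such as "ENGINEERING" starts with a byte above 0x1F, so the decoder treats it as untagged and matches it against 64/65 sent with tag 0x00.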

Cisco Catalyst switches also support the concept of a guest VLAN. Specifically, when a client that is not enabled for 802.1x (or that does not support 802.1x, such as Microsoft Windows 98) is attached to a port, the client does not send EAPOL frames. Nor does the client respond to an EAPOL frame coming from the authentication server, which requests the client's identity. When either of these conditions is observed, the authenticator (the Cisco Catalyst switch) can cause the client's port to dynamically join a guest VLAN. This VLAN typically would have limited access to resources (for example, access to the Internet or access to downloadable IEEE 802.1x software). This guest VLAN feature can be configured with the dot1x guest-vlan supplicant command issued in global configuration mode.

Unlike a guest VLAN, which supports clients that are not enabled for 802.1x authentication, a restricted VLAN can be used to provide limited network access to clients that support 802.1x but that have failed authentication. For example, suppose a user attempts to log onto the network from her 802.1x-compliant laptop, but her authentication fails. Instead of preventing the user from accessing any resources, you can configure your Cisco Catalyst switch to place the laptop's port into a restricted VLAN that has limited access to network resources. If you want users in the guest VLAN and the restricted VLAN to have the same level of access, be aware that these can be the same VLAN.

A switch configured for a restricted VLAN can place a port into the restricted VLAN after a connected client fails to authenticate a certain number of times. This can be configured with the dot1x auth-fail max-attempts command issued in interface configuration mode (with a default of three attempts). After a client is placed in the restricted VLAN, it can attempt to reauthenticate after a certain period of time (with a default time of 1 minute). Even though this reauthentication can be disabled, Cisco recommends that you have reauthentication enabled if the client does not connect directly to the switch port (for example, via a hub connection). The reasoning is that if reauthentication is disabled, and the client disconnects from the hub (or powers down), the switch would not detect a change in the link state and would treat the port as if the unauthenticated client were still connected.

If you choose to use restricted VLANs, be aware of the following caveats:

■ Restricted VLANs are supported only on access ports.

■ Restricted VLANs are compatible with only a switch port running in single-host mode, as opposed to multiple-host mode.

■ A restricted VLAN cannot be a VLAN used for Remote Switch Port Analyzer (RSPAN) purposes.

■ A restricted VLAN cannot be used as an auxiliary VLAN (that is, a voice VLAN).
