802.1x for Wired and Wireless Flashcards
Supplicant
Endpoint 802.1X-compliant software service. It communicates with NAD authenticators to request network access.
Authenticator
Controls access to the network based on the client's authentication status. The objective is for endpoints to authenticate to the authentication server using some Extensible Authentication Protocol (EAP) method. NAD authenticators act as an intermediary between the client and the authentication server.
Authentication server
This role performs client authentication. The authentication server validates the client's identity and notifies NAD authenticators of the client's authorization status.
The authorization features include
VLAN assignment
ACL assignment
Time-based access
Security group access
Dynamic VLAN
After successful 802.1x/EAP authentication, the user can be authorized to be on a specific VLAN. This dynamic VLAN is configured on the Cisco ISE RADIUS service and communicated in a RADIUS Access-Accept message. It can also be used when authentication fails.
Default VLAN
The default VLAN is the one configured on a wired switch port or for a wireless service set identifier (SSID).
802.1X Named ACLs
Named ACLs provide differentiated access for wireless users. Named ACLs are configured locally on the WLC.
802.1X Downloadable ACLs
Downloadable ACLs (dACLs) can provide different levels of access to 802.1X-authenticated users. The RADIUS server authenticates 802.1X-connected users. Based on the user's identity, it retrieves the ACL attributes and sends them to the switch. The switch applies the attributes to the 802.1X port for the duration of the user session.
What is the difference between Named ACLs and Downloadable ACLs?
- Named ACLs are for wireless users, while downloadable ACLs are for wired users.
- dACLs are configured on Cisco ISE and pushed down to the switch during the authentication/authorization process.
- Named ACLs are configured locally on the WLC; you merely reference the ACL in a Cisco ISE authorization policy.
Monitor Mode
- 802.1X deployment without any effect on user or endpoint access
- AAA RADIUS accounting provides visibility into 802.1x operation
Monitor mode is configured with the following interface commands:
- authentication open
- authentication host-mode multi-auth
Low-impact mode
- ingress ACL applied to a port configured in open mode
- ACL allows basic connectivity for the unauthenticated host. (Low-impact mode allows you to incrementally increase security)
Closed Mode
- The default behavior, the traditional 802.1X method
- Dynamic VLAN or dACL assignment for differentiated access
High-security mode
Allows only EAPOL traffic until the authentication process completes, which is the default behavior of an 802.1X-enabled switch port.
Single Host Mode
In single-host mode, only one client can be connected to the 802.1X-enabled port. When the port state changes to “up”, the switch detects the client and sends an EAPOL frame.