802.1x for Wired and Wireless Flashcards
Supplicant
The 802.1X-compliant software on the endpoint. It communicates with the NAD authenticator (using EAP over LAN, EAPOL, frames) to request network access.
Authenticator
Controls access to the network based on the client's authentication status. The objective is for the endpoint to authenticate to the authentication server via some Extensible Authentication Protocol (EAP) method. The network access device (NAD) acts as an intermediary between the client and the authentication server: it relays EAP between EAPOL on the client side and RADIUS on the server side, and enforces the result on the port.
Authentication server
This role performs client authentication. The authentication server validates the client's identity and notifies the NAD authenticator of the client's authorization status (in these cards, Cisco ISE acting as a RADIUS server).
The authorization features include
VLAN assignment
ACL assignment
Time-based access
Security group access
Dynamic VLAN
After successful 802.1X/EAP authentication, the user can be authorized onto a specific VLAN. The dynamic VLAN is configured in the Cisco ISE RADIUS authorization profile and communicated to the authenticator in the RADIUS Access-Accept message. A VLAN can also be assigned when authentication fails, but that VLAN comes from the switch's local fallback configuration (auth-fail or guest VLAN), not from the RADIUS server: an Access-Reject carries no authorization attributes.
Default VLAN
The default VLAN is the one configured on the wired switch port or for the wireless service set identifier (SSID); it applies when no dynamic VLAN is returned.
802.1X Named ACLs
Named ACLs provide differentiated access for wireless users. They are configured locally on the WLC and only referenced by name from the Cisco ISE authorization profile (the Airespace-ACL-Name RADIUS attribute); the ACL contents never cross the RADIUS link.
802.1X Downloadable ACLs
Downloadable ACLs (dACLs) provide different levels of access to 802.1X-authenticated wired users. The RADIUS server authenticates the 802.1X-connected user and, based on user identity, retrieves the ACL entries and sends them to the switch. The switch applies the entries to the 802.1X port for the duration of the user's session, so nothing has to be pre-configured on the switch.
What is the difference between Named ACLs and Downloadable ACLs?
- Named ACLs are for wireless users, while Downloadable ACLs are for wired users.
- dACLs are configured on Cisco ISE and pushed down to the switch during the authentication/authorization process.
- Named ACLs are configured locally on the WLC. You merely reference the ACL by name in a Cisco ISE authorization policy.
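The switch-side prerequisites for dynamic VLAN and dACL assignment, as an added Cisco IOS example that is not part of the original cards. The RADIUS server name, address and shared secret are placeholders; the attribute names in the comments are the standard RADIUS tunnel attributes and Cisco VSAs that ISE returns.

```cisco
! Added example: global Catalyst configuration needed before ISE can push a
! dynamic VLAN or a dACL. Names, addresses and the secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
! 'authorization network' is what allows the switch to act on VLAN and ACL
! attributes in the Access-Accept; without it the session is authorized but
! the attributes are silently ignored.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! dACLs arrive as Cisco-AVPair vendor-specific attributes; the switch must
! send and accept VSAs.
radius-server vsa send authentication
radius-server vsa send accounting
!
! dACL entries are written with 'any' as the source and the switch rewrites
! that to the authenticated host's address, so it must learn the host IP
! (IOS 15 syntax; IOS-XE uses device-tracking policies instead).
ip device tracking
!
dot1x system-auth-control
!
! What ISE puts in the Access-Accept:
!   Dynamic VLAN: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6),
!                 Tunnel-Private-Group-ID = <VLAN ID or VLAN name>
!   dACL:         Cisco-AVPair "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<name>-<hash>"
!                 The switch then fetches that ACL from ISE with a second RADIUS
!                 request and receives the entries as Cisco-AVPair
!                 "ip:inacl#1=permit ...", "ip:inacl#2=...", and so on.
```

Check the result on the switch with `show authentication sessions interface <if> details` (the dACL shows up as `xACSACLx-IP-<name>-<hash>` in the session's ACS ACL field) and `show ip access-lists` for the per-session ACL with the substituted host address.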
Monitor Mode
- 802.1X deployment with no effect on user or endpoint access: authentication still runs, but the port forwards traffic regardless of the result
- AAA RADIUS accounting and the authentication logs provide visibility into 802.1X operation (who would pass, who would fail) before anything is enforced
Monitor mode is configured with these interface commands:
authentication open
authentication host-mode multi-auth interface commands
Low-impact mode
- An ingress (pre-authentication) ACL is applied to a port configured in open mode
- The ACL allows only basic connectivity for the unauthenticated host (typically DHCP, DNS and remediation services); after authentication a dACL replaces it with the user's real access. Low-impact mode lets you increase security incrementally.
Closed Mode
- The default behavior and the traditional 802.1X method: the port forwards nothing but EAPOL until the session is authorized
- Dynamic VLAN or dACL assignment for differentiated access
High-security mode
Allows only EAPOL traffic until the authentication process completes; this is the default behavior of an 802.1X-enabled switch port, that is, closed mode without `authentication open`.
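The three deployment modes side by side, as an added Cisco IOS example that is not part of the original cards. Interface names, VLAN IDs, the PRE-AUTH ACL and the 10.1.1.20 remediation host are placeholders; global AAA, the RADIUS server and `dot1x system-auth-control` are assumed to be configured already.

```cisco
! Added example: the same access port in monitor, low-impact and closed mode.
!
! Monitor mode: authentication and accounting run, but 'authentication open'
! forwards all traffic whatever the result. Use it to find what would break.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! Low-impact mode: still open, but a pre-authentication ACL restricts the
! unauthenticated host to DHCP, DNS and a remediation web server (placeholder
! addresses). A dACL from ISE overrides it once the session is authorized.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.1.1.20 eq 80
 deny   ip any any
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication open
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
!
! Closed (high-security) mode: drop 'authentication open', so only EAPOL is
! forwarded until authorization. Failure handling now has to be explicit;
! the fallback VLANs come from this local config, never from RADIUS.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action authorize vlan 999
 authentication event no-response action authorize vlan 998
 mab
 dot1x pae authenticator
```

The only difference between the monitor and low-impact ports is the ingress ACL, and the only difference between low-impact and closed is the absence of `authentication open`; that is what makes the phased rollout safe, since each step is a one-line change per interface. Note that the `authentication event fail` fallback VLAN (999) is the switch-local VLAN referred to on the Dynamic VLAN card.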
Single Host Mode
In single-host mode, only one client can be connected to the 802.1X-enabled port. When the port state changes to "up", the switch detects the client and sends an EAPOL frame (EAP-Request/Identity). If a second MAC address appears on the port, the switch treats it as a security violation.
Multiple Host Mode
In multiple-host mode, you can attach multiple hosts to a single 802.1X-enabled port. Only the first client that attaches must authenticate; all subsequent clients are granted network access based on that one authentication. If the port becomes unauthorized, the authenticator denies network access to all attached clients.
Multiple Domain Authentication Mode
Multidomain authentication (MDA) mode allows an IP phone, and a single host behind the IP phone, to authenticate independently via 802.1X, MAB, or web-based authentication. Here multidomain refers to two domains: data (the data VLAN) and voice (the voice VLAN). Only one MAC address is allowed per domain.
Multiple Authentication Mode
Multiple authentication mode allows one 802.1X or MAB client on the voice VLAN and multiple authenticated 802.1X, MAB, or web-authentication clients on the data VLAN. When a hub or access point is connected to an 802.1X port, multi-auth mode provides better security than multi-host mode because every connected client must authenticate individually.
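One port per host mode, as an added Cisco IOS example that is not part of the original cards. Interface names and VLAN IDs are placeholders, and global AAA/RADIUS configuration is assumed.

```cisco
! Added example: choosing the host mode per port role.
!
! Single host: a wall jack that must carry exactly one device. A second MAC
! is a violation; 'restrict' drops it and logs, instead of the default
! 'shutdown' which err-disables the whole port.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication violation restrict
 authentication port-control auto
 dot1x pae authenticator
!
! Multi-host: the first device authenticates, everything behind it rides on
! that session. Acceptable only where the downstream segment is trusted.
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
!
! Multi-domain: IP phone plus one PC behind it, each authenticating on its
! own, one MAC in the voice domain and one in the data domain. The voice VLAN
! must exist on the port for the phone to land in the voice domain.
interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 mab
 dot1x pae authenticator
!
! Multi-auth: a hub or autonomous AP behind the port. Every MAC on the data
! VLAN authenticates individually (plus at most one voice device), so one
! authenticated host does not open the port for the rest.
interface GigabitEthernet1/0/13
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 mab
 dot1x pae authenticator
```

`show authentication sessions interface <if>` lists one session per authenticated MAC with its domain (DATA or VOICE), which is the quickest way to confirm that a multi-domain port has exactly two sessions and that a multi-auth port has one per host rather than one for the whole port.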
802.1x implementation Guidelines
- 802.1X is supported on Layer 2 wired access ports and on wireless access (per SSID)
- 802.1X is not supported on dynamic ports or EtherChannel member ports