Please enable JavaScript.

Coggle requires JavaScript to display documents.

Module 13. Endpoint Security, image, image, image, image, image, image,…

- - - - 802.1X Topology
        
        Supplicant (Client): The device requesting access to the LAN, running 802.1X-compliant client software.
        
        Authenticator (Switch): Controls access based on the client's authentication status, acting as a proxy between the client and authentication server, and using RADIUS for communication.
        
        Authentication server: Validates the client's identity and notifies the switch whether access should be granted.
        
        802.1X access control initially restricts traffic to specific protocols (EAPOL, CDP, STP) until the client is authenticated. After successful authentication, the port allows normal traffic. Ports start in an unauthorized state, and if a client doesn't support 802.1X, access is denied. The message exchange involves EAPOL frames between the client and switch, and RADIUS encapsulation between the switch and the authentication server.
        
        802.1X Message Exchange
        
        If the client is successfully authenticated (the switch receives an “accept” frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are enabled through the port.
        If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the switch can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.
        When a client logs out, it sends an EAPOL-logout message, causing the switch port to transition to the unauthorized state.
    - - It may be necessary to configure a switch port to override the 802.1X authentication process. To do this, use the authentication port-control interface configuration command to control the port authorization state. The parameters for this command are shown below. The individual port on the authenticator switch is configured with this command, in this case, port F0/1 of S1. By default, a port is in the force-authorized state meaning it can send and receive traffic without 802.1x authentication
      - To enable 802.1X authentication, use the authentication port-control auto command.
        When the client is successfully authenticated, the port changes to an authorized state, allowing all frames from the client. If authentication fails, the port stays in the unauthorized state, with the option to retry. If the authentication server is unreachable, the switch will resend the request; after multiple failed attempts, access is denied.
        When a client logs off, it sends an EAPOL-logoff message, causing the port to revert to the unauthorized state. Additionally, if the port link state changes from up to down, the port returns to the unauthorized state.
    - - This scenario is implemented the same topology as above. A PC is attached to F0/1 on the switch and the device is will be authenticated via 802.1X with a RADIUS server. Unlike in previous AAA scenarios in which administrators were authenticated to the router configuration lines, in this scenario, an endpoint is authenticated before access is granted to the network.
      - Configuring 802.1X requires a few basic steps:
        
        tep 1. Enable AAA using the aaa new-model command.
        
        Step 2. Designate the RADIUS server and configure its address and ports.
        
        Step 3. Create an 802.1X port-based authentication method list using the aaa authentication dot1x command.
        
        Step 4. Globally enable 802.1X port-based authentication using the dot1x system-auth-control command.
        
        Step 5. Enable port-based authentication on the interface using the authentication port-control auto command.
        
        Step 6. Enable 802.1X authentication on the interface using the dot1x pae command. The authenticator options sets the Port Access Entity (PAE) type so the interface acts only as an authenticator and will not respond to any messages meant for a supplicant.