Professional Documents
Culture Documents
1X Wired Authentication
This section describes how to configure the Mobility Access Switch (MAS) for 802.1X wired authentication. This section
contains the following information:
About Defining Wired 802.1X Authentication
Configuring Authentication with a RADIUS Server
Authentication Terminated on the Mobility Access Switch
Configuring Access Control Lists
Figure 1 Traffic flow for 802.1X Wired Authentication with Active Directory
Parameter Action/Description
Authentication port 2. Enter the Authentication port number on the authentication server. Default: 1812.
Accounting port 3. Enter the Accounting port number on the authentication server. Default: 1813.
4. You must configure the supplicant (the client device) and authentication server (the Mobility Access Switch) to use the
same EAP type.
The Mobility Access Switch doesn't need to know the EAP type used between the supplicant and authentication server.
5. You must configure the authentication server with the IP address of the RADIUS client, which in this case is the Mobility
Access Switch.
6. Be sure to configure both the Mobility Access Switch and the authentication server to use the same shared secret.
Additional information on EAP types supported in a Windows environment for Microsoft supplicants and the
authentication server is available at http://technet.microsoft.com/en-us/library/cc782851(WS.10).aspx.
In this scenario, the supplicant is configured for EAP-Protected EAP (PEAP) or EAP-Transport Layer Security (TLS).
EAP-PEAP
EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of the following “inner EAP” methods is used:
EAP-Generic Token Card (GTC)
Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to
server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of an LDAP or RADIUS
server as the user authentication server.
You can also enable caching of user credentials on the Mobility Access Switch as a backup to an external
authentication server.
EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
Described in RFC 2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must be used as
the backend authentication server.
EAP-TLS
EAP-TLS is used with smart-card user authentication. A smart card holds a digital certificate which, with the user-entered
personal identification number (PIN), allows the user to be authenticated on the network. EAP-TLS relies on digital
certificates to verify the identities of both the client and server.
EAP-TLS requires that you import server and certification authority (CA) certificates onto the Mobility Access Switch. The
client certificate is verified on the Mobility Access Switch (the client certificate must be signed by a known CA) before the
user name is checked on the authentication server.
Ethertype ACLs filter based on the Ethertype field in the frame header. Ethertype ACLs can be either named or numbered,
with valid numbers in the range from 200 to 299. These ACLs can be used to permit IP, while blocking other non-IP
protocols, such as IPX or AppleTalk.
MAC ACL
MAC ACLs filter traffic on a specific source MAC address or range of MAC addresses. MAC ACLs can be either named or
numbered, with valid numbers in the range from 700 to 799 and 1200 to 1299.
Standard IP ACL
Standard ACLs permit or deny traffic based on the source IP address of the packet. Standard ACLS can be either named or
numbered, with valid numbers in the range from 1 to 99 and 1300 to 1399. Standard ACLs use a bit-wise mask to specify
the portion of the source IP address to be matched.
Extended IP ACL
Extended ACLs permit or deny traffic based on the source or destination IP address, or the IP protocol. Extended ACLs can
be named or numbered, with valid numbers in the range from 100 to 199 and 2000 to 2699.
Stateless ACL
Stateless ACLs define stateless packet filtering and quality of service (QoS). A stateless ACL statically evaluates packet
contents. The traffic in the reverse direction is allowed unconditionally.
Note that you can use names only when configuring stateless ACLs.
You can also apply MAC and Ethertype ACLs to a user role. However, these ACLs apply only to a user's non-IP traffic.