Procedure 2 - Authentication Settings: Flexible Authentication And High Availability

The default behavior of 802.1X is to deny access to the network when an authentication fails. This behavior was discovered to be undesirable in many customer deployments because it does not allow for guest access, nor does it allow employees to remediate their computer systems and gain full network access. The next phase in handling 802.1X authentication failures was to provide an "Auth-Fail VLAN" to allow a device/user that failed authentication to be granted access to a VLAN that provided limited resources.

This was a step in the right direction, but it was still not as practical as needed, especially in environments that must use MAC Authentication Bypass for all the printers and other non-authenticating devices. With the default behavior of 802.1X, an administrator would have to configure ports for printers and other devices that do not have supplicants differently from the ports on which they planned to do authentication.

Therefore, Cisco created Flexible Authentication (Flex-Auth). Flex-Auth allows a network administrator to set an authentication order and priority on the switchport, thereby allowing the port to attempt 802.1X, MAC Authentication Bypass, and then Web Authentication in order. All of these functions are provided while maintaining the same configuration on all access ports, thereby providing a much simpler operational model for customers than traditional 802.1X deployments.

As mentioned previously, there are multiple methods of authentication on a switchport: 802.1X (dot1x), MAC Authentication Bypass (MAB), and Web-based Authentication (Web-Auth). With 802.1X authentication, the switch sends an identity request (EAP-Identity-Request) periodically after the link state has changed to "up" (see the "Authentication Settings - Timers" section for recommended timer changes). Additionally, the endpoint supplicant should send a periodic EAP over LAN Start (EAPoL-Start) message into the switchport to speed up authentication. If a device is not able to authenticate, it merely has to wait until the dot1x timeout occurs, and MAC Authentication Bypass (MAB) will take place. Assuming the device MAC address is in the correct database, it will then be authorized to access the network.

The following steps walk you through the configuration of Flex-Auth and the configurable actions for authentication high availability.

Step 1
Configure the authentication method priority on the switchports.

There are certain deployment methods where MAC Authentication Bypass (MAB) should occur before 802.1X authentication. For those corner cases, Cisco switches allow a network administrator to set a user-definable authentication order. However, the best practice is to maintain the order of dot1x and then MAB.

  • C3750X(config-if-range)#authentication priority dot1x mab

Step 2
Configure the authentication method order on the switchports.

An authentication method is required to instruct the switch on which group of RADIUS servers to use for 802.1X authentication requests:

  • C3750X(config-if-range)#authentication order dot1x mab

Step 3
Configure the port to use Flex-Auth, as follows:

  • C3750X(config-if-range)#authentication event fail action next-method

Configure the port to use a local VLAN when the RADIUS server is down. In the "Configure the Global RADIUS Commands" procedure, we configured the RADIUS server entry to use a test account that will proactively alert the switch when Cisco ISE has stopped responding to RADIUS requests. Now we will configure the switchport to locally authorize the port when that server is found to be "dead" and reinitialize authentication when the server is up again.

  • C3750X(config-if-range)#authentication event server dead action reinitialize vlan vlan-id

This feature was introduced to resolve problems with multiple authenticating hosts on a single port, where some of them have already authenticated while the RADIUS server was operational and others (new hosts) try to authenticate while the RADIUS server is down.

Step 4
Configure the port to allow a phone onto the network when the RADIUS server is down.

A phone is placed on the voice domain after successful authentication by configuring the RADIUS server to pass down the attribute device-traffic-class=voice. However, when the RADIUS server is not available, the phone won't be able to access the voice network and therefore cannot operate. As a result, there is a new feature called Critical Voice VLAN.

With this new feature, when the port is in critical authentication mode and traffic coming from the host is tagged with the voice VLAN, the device (a phone) is put into the configured voice VLAN for the port. The phone learns the voice VLAN identification through Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP), or DHCP. The command to enable this feature is:

  • C3750X(config-if-range)#authentication event server dead action authorize voice

Step 5
Set the host mode of the port.

The default behavior of an 802.1X-enabled port is to authorize only a single MAC address per port. There are other options, most notably Multi-Domain Authentication (MDA) and Multiple Authentication (Multi-Auth) modes. During the initial phases of any Cisco TrustSec deployment, it is best practice to use Multi-Auth mode to ensure that there is no denial of service while deploying 802.1X.

Multi-Auth mode will allow virtually unlimited MAC addresses per switchport, and requires an authenticated session for every MAC address. When the deployment moves into the late stages of the authenticated phase, or into the enforcement phase, it is then recommended to use Multi-Domain mode. Multi-Domain Authentication will allow a single MAC address in the data domain and a single MAC address in the voice domain per port.

  • C3750X(config-if-range)#authentication host-mode multi-auth

Step 6
Configure the violation action.

When an authentication violation occurs, such as when there are more MAC addresses than are allowed on the port, the default action is to put the port into an error-disabled state. Although this behavior may seem to be nice and secure, it can create an accidental denial of service, especially during the initial phases of deployment. Therefore, we will set the action to restrict. This mode of operation will allow the first authenticated device to continue with its authorization and deny any additional devices.

  • C3750X(config-if-range)#authentication violation restrict
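Because Flex-Auth only delivers the "same configuration on every access port" benefit when every port actually carries Steps 1 through 6, a configuration audit is a useful check before moving to the enforcement phase. The script below is an added example, not part of this guide or of Cisco IOS: it parses a running-config into interface blocks and reports which of the settings above are missing on each port. It assumes that in-scope ports carry `authentication port-control auto` (a command this procedure does not show) and accepts either `multi-auth` or `multi-domain` for the host mode, since the text recommends each for a different phase; the interface names and sample configuration are constructed.

```python
"""Audit a Cisco IOS running-config for the Flex-Auth settings of Steps 1-6.
Added example, not from the guide: it assumes in-scope ports carry
'authentication port-control auto'; the interface data below is constructed."""

REQUIRED = (  # acceptable command prefixes, one tuple per required setting
    ("authentication priority dot1x mab",),
    ("authentication order dot1x mab",),
    ("authentication event fail action next-method",),
    ("authentication event server dead action reinitialize vlan ",),  # VLAN id follows
    ("authentication event server dead action authorize voice",),
    ("authentication host-mode multi-auth", "authentication host-mode multi-domain"),
    ("authentication violation restrict",),
)

def audit_flex_auth(config: str) -> dict[str, list[str]]:
    """Return {interface: [missing settings]} for every port under 802.1X control."""
    blocks, current = {}, None
    for raw in config.splitlines():  # group indented sub-commands under their interface
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line closes the block
    findings = {}
    for name, lines in blocks.items():
        if "authentication port-control auto" not in lines:
            continue  # uplinks and ports not yet brought into the deployment
        missing = [alts[0].rstrip() for alts in REQUIRED
                   if not any(l.startswith(p) for p in alts for l in lines)]
        if missing:
            findings[name] = missing
    return findings

# Constructed sample: Gi1/0/1 follows the procedure; Gi1/0/2 skipped Steps 1-4 and 6.
SAMPLE_CONFIG = """interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication priority dot1x mab
 authentication order dot1x mab
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 999
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication violation restrict
!
interface GigabitEthernet1/0/2
 authentication port-control auto
 authentication host-mode multi-domain
"""
```

Running `audit_flex_auth(SAMPLE_CONFIG)` reports only GigabitEthernet1/0/2, listing the six commands it lacks; the compliant port produces no finding.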