Question on 802.1x

SysAdmin4066SysAdmin4066 Member Posts: 443
Hey guys, I'll be taking the BCMSN on Saturday August 22nd. I've been studying for it for almost 2 months now and I feel very strong in most areas.

I have one question that I wanted to run by everyone though. I understand the interface configuration of 802.1x turns authentication on for that particular port. I also understand the function of the 3 modes, Force-Authorized, Force-Unauthorized and Auto. What I dont understand is why you would ever use anything but Auto? Can anyone elaborate on this topic with some real world examples?
In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

Next Up: CCIE R&S Lab

Comments

  • jason_lundejason_lunde Member Posts: 567
    Its my understanding that once the command:

    Switch(config)#dot1x system-auth-control

    ...and the appropriate aaa new-model and radius server(s) are defined, that all ports are placed into the "force-unauthorized" state by default. This basically turns the ports off, and is just a good default security measure. By going into port config mode and selecting auto you are allowing people to authenticate on a port (those that CAN authenticate properly through the radius server). And then then force-authorize is like an explicit permit for the switchport. We did this for users that were using one of the public access computers within the facility (because if you leave the switchport blank...without the
    "dot1x port-control auto" command it is going to deny access by default). Hopes this helps, and is accurate. Most of it is based on the theory I have from reading, and the past configs/advice from previous engineers. I should lab it up and see if the ports are indeed blocked after the dot1x system-auth-control command.
  • SysAdmin4066SysAdmin4066 Member Posts: 443
    From the BCMSN Official Exam Guide 4th Edition:

    Step 4 Enable 802.1x on the switch:
    Switch(config)#dot1x system-auth-control
    Step 5 Configure each switch port that will use 802.1x:
    Switch(config)# interface type mod/num
    Switch(config-if)#dot1x port-control {force-authorized | forceunauthorized
    | auto}
    Here, the 802.1x state is one of the following:
    force-authorized—The port is forced to always authorize any
    connected client. No authentication is necessary. This is the default state
    for all switch ports when 802.1x is enabled.
    394 Chapter 15: Securing Switch Access
    force-unauthorized—The port is forced to never authorize any
    connected client. As a result, the port cannot move to the authorized state
    to pass traffic to a connected client.
    auto—The port uses an 802.1x exchange to move from the unauthorized
    to the authorized state, if successful. This requires an 802.1x-capable
    application on the client PC.

    Under Force-authorized, it states it is the default port state once dot1x is enabled. On the other hand, Cisco.com Catalyst 2950 Desktop Switch Software Configuration Guide, 12.1(9)EA1 section for configuring 802.1x says that unathorized is the default. Which confirms your post.

    There lies my confusion, is the default authorized or unauthorized and if it's authorized, what point is there to unauthorized? Why ever use it over auto? I've labbed it but wasnt really looking for this particular issue. Maybe i'll run through the setup again and see for myself, but does anyone else have any experience with this? Thanks for your input by the way.
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • jason_lundejason_lunde Member Posts: 567
    SysAdmin,
    Did an interesting little lab on this tonight on one of my 3550's. Ran the commands:
    aaa new-model
    radius-server host xxx.xxx.xxx.xxx
    aaa authentication dot1x default group radius
    dot1x system-auth-contol

    I then did a show dot1x all and received the usual output. The show dot1x interface [type/num] revealed nothing however. I added the command dot1x port-control auto on fa0/1 and ran the show dot1x interface fa0/1 command again to verify that I got some output...and I did. However, when I hooked a laptop up to port fa0/2 (which I had ran no interface commands on yet), the port stayed up and up, and I was able to ping throughout the network (hmmm...). Just to play a bit I ran the port through the different states (auto, force-auth, force-unauth), and they reacted as expected.

    So I guess your question has some genuine validity that I would now like to know the answer to as well. Why have force-auth, or force-unauth as command choices if
    1) Auto forces you to authenticate, and if you cant it puts the line protocol in the down state, and
    2) by default you are allowed access through the switchport (with no switchport config)

    I can see why you would not want the switch to automatically default to a force-unauthorized state though. Think about a case where you are implementing dot1x on a live switch....if it defaulted to unauthorized and you had users working they would immediately be dropped and forced to re authenticate. Would probably piss some people off. But it seems like the more secure choice. Ya, why go through the trouble of typing dot1x port-control force-unauthorize when you can type shutdown?

    Good topic!
  • SysAdmin4066SysAdmin4066 Member Posts: 443
    See, See!!!! Confusion lol. I didnt get a chance to lab it last night, but I have labbed it before and my memory is getting a bit sharper on the subject. I do remember it NOT defaulting to force-unauth. It defaulted to nothing, and all traffic was allowed to flow. Anyone know why you would ever use anything but no configuration or auto on an interface? Why is force-auth or force-unauth necessary? Thanks Jason for the curiousity with me, when do you take the BCMSN?
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • jason_lundejason_lunde Member Posts: 567
    I am looking at early September. Good luck on yours Saturday. Let us know.
  • SysAdmin4066SysAdmin4066 Member Posts: 443
    Most def, i'm looking forward to it. Then it's on to the ISCW, then finishing up with the ONT. A short break, maybe a month, then on to the CCIE written.
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • mikej412mikej412 Member Posts: 10,086 ■■■■■■■■■■
    Why have force-auth, or force-unauth
    While printers may be getting smarter, most network printers still probably wouldn't have a clue about how to log into the network.

    And for forced-unauth, while you should have physical security and people shouldn't have access to plug anything they want into unused switchports, it's sort of the same reason people who get home alarm systems also put sensors on windows -- while no one should be entering the house through the window, some buglers "didn't get the memo" or don't have manners and don't follow the rules.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • SysAdmin4066SysAdmin4066 Member Posts: 443
    If you read the posts, you would understand why we are asking these questions. It isnt necessarily as cut and dry as you state, which was a little insulting. I understand the need for security. Your post is common sense.

    For printers, dont set any dot1x statement on that port. The default behavior in practice seems to be nothing, always open. For secure ports, set an auto state. It requires authentication and if none is received, you cant access the port. So why would you use force-unauth when you could just use Auto or no config? I'm going to lab it again tonight and make sure that is what's happening, but I am fairly sure that is the default behavior after dot1x system-auth-control is run. All ports are placed into an open state. Why would you lock down a port with force-unauth, a state that allows for no traffic to pass and cannot be authenticated ever?

    Has ANYONE used this feature extensively, and if so, what was the context? Can anyone give any real insight as to why you would use the above mentioned option?
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • networker050184networker050184 Mod Posts: 11,962 Mod
    Like Mike said its just another layer of security. Force auth would be used on ports that plug into something that doesn't authenticate like a printer as he stated. I think you are just looking way too deep into it.
    An expert is a man who has made all the mistakes which can be made.
  • wastedtimewastedtime Member Posts: 586 ■■■■□□□□□□
    Well I have been in a environment with 802.1x but never had the switch side setup (I did setup FreeRadius and OpenSSL as a test for some WPA enterprise for wireless). I want to say that the net admins used force-authorized for anything that didn't support 802.1x (or anything they didn't want to support). Just a guess but in this environment they had VoIP phones and would disable any computer account and do a force-unauthorized on the port when a computer was out off compliance. The phones did not take part in the authentication process. With shutdown it would cut out the phone but with force-unauthorized it would still work. I don't have the ability to lab this up right now but you may want to look at something along those lines.

    I haven't had a chance to lab this up and try it so I do not know for sure.
  • SysAdmin4066SysAdmin4066 Member Posts: 443
    Turning on complicated services to enable the same level of security that could be gained by simply shutting down a port is a bad security solution. I cant believe that the IEEE would have designed the command for that purpose. But maybe you're right. Doesnt make sense which is why in my head there's got to be a deeper level that i'm just not aware of.

    Force-auth essentially works like a shutdown command Wastedtime, so the phones would not work. That wouldnt work, but thanks for your weigh in. What a purplexing question. I guess it doesnt matter for the exam, just really curious as far as the theory is concerned.
    Like Mike said its just another layer of security. Force auth would be used on ports that plug into something that doesn't authenticate like a printer as he stated. I think you are just looking way too deep into it.
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • wastedtimewastedtime Member Posts: 586 ■■■■□□□□□□
    For some odd reason I got everything to lab this up but Cat V cables and power for a few 7941 phones. Later this week I plan on getting this up to try it out.
  • SysAdmin4066SysAdmin4066 Member Posts: 443
    Good deal Wasted, let me know how that works out. I dont have any phones, so I cant lab that portion of it. What types of switches do you have?
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • wastedtimewastedtime Member Posts: 586 ■■■■□□□□□□
    If I get a chance to do it tomorrow it will be 3550 SMI (no PWR), 1760 with CME, some 7941s, and windows 2k3 for Radius/certificate server. I should have 2 power cubes in the mail tomorrow.
  • wastedtimewastedtime Member Posts: 586 ■■■■□□□□□□
    Well I went through and set it up. Like usual I had some issues with the certificate authentication and I don't have time to work it out. I did however get a chance to look at the dot1x config and a bit of how Cisco works around the voice vlan with 802.1x. Regardless of the host mode or dot1x status the phone will work (with voice vlan/CDP enabled). From the debugs it look like it makes a automatic host access entry for the mac of the phone. One thing I did notice is even with force-authorized the switch will still send EAPOL start, but right after that it sends a EAP Success.
  • cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    wastedtime wrote: »
    Well I have been in a environment with 802.1x but never had the switch side setup (I did setup FreeRadius and OpenSSL as a test for some WPA enterprise for wireless). I want to say that the net admins used force-authorized for anything that didn't support 802.1x (or anything they didn't want to support). Just a guess but in this environment they had VoIP phones and would disable any computer account and do a force-unauthorized on the port when a computer was out off compliance. The phones did not take part in the authentication process. With shutdown it would cut out the phone but with force-unauthorized it would still work. I don't have the ability to lab this up right now but you may want to look at something along those lines.

    I haven't had a chance to lab this up and try it so I do not know for sure.

    Did you happen to run dynamic vlans? This topic always catches my attention. I never got dynamic vlans to work in an environment with roaming profiles. Local profiles worked fine if I remember correctly.
  • jason_lundejason_lunde Member Posts: 567
    How did the exam go SysAdmin? Hope it went well...I am going to take a swing in 2-3 weeks!
  • wastedtimewastedtime Member Posts: 586 ■■■■□□□□□□
    Did you happen to run dynamic vlans? This topic always catches my attention. I never got dynamic vlans to work in an environment with roaming profiles. Local profiles worked fine if I remember correctly.

    Sorry it took me long to respond, I didn't do dynamic vlans. I did try out guest vlans though. I mostly did this to find the differences between the different port-control modes and how 802.1x effects phones in the voice vlan.
    How did the exam go SysAdmin?

    ditto
Sign In or Register to comment.