Features

Secure channel: Generally, after 1X authentication is deployed, data packets from unauthenticated user ports are discarded. The secure channel allows users to access designated websites without authentication. It can be deployed to facilitate client distribution, to reserve a backdoor for leaders, and to serve terminals that do not support authentication (for example, printers and all-purpose terminals).

Emergency channel: In a 1X authentication scenario with only one Radius server, all users lose Internet access once the Radius server fails, and services are seriously affected. In that case, the authentication configuration must be cancelled on all the ports one by one to recover services. If an emergency channel is deployed, the switch allows users to access the Internet without authentication when authentication fails multiple times or the Radius server is considered dead.

I. Networking Requirements

1. The 1X function is enabled on the core switch for resource access authentication of managed users.
2. Authenticated users can access all resources, while unauthenticated users can access only certain Intranet resources.
3. Authentication-free access to Intranet resources is enabled for some users (PC2).
4. When the active Radius server fails to function normally, user authentication is switched to the backup Radius server. When both the active and the standby Radius servers fail, managed users can access resources without authentication (through an emergency channel).

II. Network Topology

III. Configuration Tips

1. On the core switch, enable AAA and configure the Radius server and the key-associated parameters.
2. On the Radius server, configure the related parameters. (In this example, the SAM is used as the Radius server.)
3. Configure an expert ACL so that the servers can be reached before user authentication.
4. The core switch, managed users, and the Radius server can be on different network segments, as long as the core switch can properly communicate with the Radius server and the clients can reach the controlled ports on the core switch via the access switch.
5. Configure the parameters for the communication between the switch and the Radius server to deploy an emergency channel.

IV. Configuration Steps

Configure the core switch.

1. Basic dot1x configuration

Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#aaa new-model ------> turn on the AAA switch
Ruijie(config)#radius-server host 192.168.33.244 ------> configure the Radius server
Ruijie(config)#radius-server host 192.168.33.245 ------> configure the backup Radius server
Ruijie(config)#radius-server key ruijie ------> configure the Radius key
Ruijie(config)#aaa authentication dot1x ruijie group radius none ------> define an IEEE 802.1X authentication method list
Ruijie(config)#aaa accounting network ruijie start-stop group radius ------> define the AAA network accounting method list
Ruijie(config)#aaa accounting update periodic 15 ------> set the accounting update function
Ruijie(config)#dot1x authentication ruijie ------> select the authentication method list for 802.1X
Ruijie(config)#dot1x accounting ruijie ------> select the accounting method list for 802.1X
Ruijie(config)#interface gigabitEthernet 1/2
Ruijie(config-if-GigabitEthernet 1/2)#switchport mode trunk
Ruijie(config-if-GigabitEthernet 1/2)#dot1x port-control auto ------> enable 802.1X authentication on the interface
Ruijie(config-if-GigabitEthernet 1/2)#ip add 192.168.33.161 255.255.255.0 ------> configure the switch IP address
Ruijie(config-if-GigabitEthernet 1/2)#end
Ruijie#write ------> save the configuration

2. Enable the secure channel function

Ruijie(config)#expert access-list extended ruijie
Ruijie(config-exp-nacl)#permit arp any any any any any ------> make the IP and ARP packets free of authentication
Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.61 any ------> allow access to the home page of the site before authentication
Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.62 any ------> allow access to the home page of the site before authentication
Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.244 any ------> allow access to the home page of the site before authentication
Ruijie(config-exp-nacl)#permit host 192.168.33.163 host 001a.a9c4.062f any any ------> this host is exempted from authentication
Ruijie(config-exp-nacl)#exit
Ruijie(config)#security global access-group ruijie

1X free-authentication description

There are two ways to exempt users from authentication: (1) configure the secure channel with the user's IP or MAC address; (2) configure the direct VLAN so that the users in the corresponding VLAN are exempted from authentication.

Plan 1: Configure the secure channel. There are three methods:

Method 1: permit the host IP address

expert access-list extended no1x
 10 permit arp any any any any any
 20 permit ip host 192.168.1.23 any any any ------> permit the host IP address
security global access-group no1x

Method 2: permit the host MAC address

expert access-list extended no1x
 10 permit arp any any any any any
 30 permit ip any host 0010.123c.513d any any ------> permit the host MAC address
security global access-group no1x

Method 3: permit IP + MAC

expert access-list extended no1x
 10 permit arp any any any any any
 40 permit ip host 192.168.1.23 host 0010.123c.513d any any ------> permit the IP and MAC address
security global access-group no1x

Plan 2: Configure direct-vlan

Configuration command: direct-vlan 1-20 // direct-vlan takes effect on both 1X authentication and web authentication

Notes: If the secure channel (which takes priority over 1X authentication) is enabled, user ARP packets must be allowed to pass so that users can communicate with the gateway. Because the secure channel has higher priority, the anti-ARP-spoofing function becomes invalid.

Solution: Do not permit all ARP packets. Permit only ARP packets destined for the gateway. In this way, ARP check is implemented and ARP spoofing among users is prevented. However, ARP spoofing is not completely prevented, because a user can still spoof another user's address toward the gateway.

Ruijie(config)#expert access-list extended permit1x
Ruijie(config-exp-nacl)#permit ip any any host 192.168.1.254 any ------> allow access to the home page of the site before authentication
Ruijie(config-exp-nacl)#permit arp any any any any any ------> allow ARP message interaction between a user and the gateway
Ruijie(config)#security global access-group permit1x
Ruijie(config-exp-nacl)#permit arp any any any any host 192.168.33.1

3. Configure the Radius timers for the emergency channel

Ruijie(config)#radius-server timeout 2 ------> specify the waiting time before the device resends a request (2 s by default)

You can change the time parameters between the switch and the Radius server to switch the authentication method. For example, the configuration "aaa authentication dot1x ruijie group radius none" indicates that authentication is first attempted on the active Radius server, is switched to the backup Radius server if the active Radius server does not respond within the specified period, and is switched to none (no authentication) if both the active and the backup Radius servers fail to respond.

Ruijie(config)#radius-server retransmit 2 ------> specify the number of times a request is resent before the device considers the Radius server invalid (3 by default)
Ruijie(config)#radius-server dead-criteria time 6 tries 3 ------> define the dead-criteria time and tries for the server
Ruijie(config)#radius-server deadtime 5 ------> specify the time for which the server is considered dead when it does not respond to the requests sent by the device (5 minutes by default)
Ruijie(config)#dot1x timeout server-timeout 20

dot1x timeout server-timeout is the timeout period of 1X authentication. It is independent of the Radius timeout period (radius timeout). However, radius timeout * (retransmit + 1) must be smaller than dot1x timeout server-timeout; otherwise, the emergency channel does not take effect. In this example, 2 * (2 + 1) = 6 s, which is smaller than 20 s, so the emergency channel is effective.

V. Verification

1. Before authentication, users can access the resources inside the secure channel but cannot access the resources outside the secure channel. Likewise, the users whose IP and MAC addresses are exempted by the secure channel can communicate properly.
2. When the Radius server hangs, the user can escape (gain access through the emergency channel).
3. Check the user info.
4. Turn on debug radius event; you can see the entire process of the escape function:

Ruijie#debug radius event
Ruijie#
*Mar 16 18:07:20: %7: [radius] aaa req authentication to group radius
*Mar 16 18:07:20: %7: __rds_add_attr type = 24 len = 0
*Mar 16 18:07:20: %7: [radius] 16 send
*Mar 16 18:07:20: %7: pkt len 676 code 1 id 16
*Mar 16 18:07:20: %7: calcu msg auth ok
*Mar 16 18:07:20: %7: [radius] radius access requests(12). ------> access-request sent for the first time
*Mar 16 18:07:22: %7: [radius] user 16 retry
*Mar 16 18:07:22: %7: [radius] 16 send
*Mar 16 18:07:22: %7: pkt len 676 code 1 id 16
*Mar 16 18:07:22: %7: calcu msg auth ok
*Mar 16 18:07:22: %7: [radius] radius access requests retransmissions(18) timeout(18). ------> first timeout, after 2 seconds
*Mar 16 18:07:24: %7: [radius] user 16 retry
*Mar 16 18:07:24: %7: [radius] 16 send
*Mar 16 18:07:24: %7: pkt len 676 code 1 id 16
*Mar 16 18:07:24: %7: calcu msg auth ok
*Mar 16 18:07:24: %7: [radius] radius access requests retransmissions(19) timeout(19). ------> second timeout, after 4 seconds
*Mar 16 18:07:26: %7: [radius] user 16 retry
*Mar 16 18:07:26: %7: [rds_user] rds delete user, state 2, atype 0
*Mar 16 18:07:26: %7: [rds_user] rds free user id 7, pkid 16 ------> third timeout, after 6 seconds
*Mar 16 18:07:26: %AAA-7-FAILOVER: Failing over from 'dot1x' for client 0021.cccf.6f70 on Interface GigabitEthernet 0/1.
*Mar 16 18:07:26: %7: [radius] aaa req accounting to group radius
*Mar 16 18:07:26: %7: [accounting] acct len 116
*Mar 16 18:07:26: %7: __rds_add_attr type = 25 len = 0
*Mar 16 18:07:26: %7: [radius] 17 send
*Mar 16 18:07:26: %7: [radius] radius acc requests(5) and pending(3).
*Mar 16 18:07:28: %7: [radius] user 17 retry
*Mar 16 18:07:28: %7: [radius] 17 send
*Mar 16 18:07:28: %7: [radius] radius acc retransmissions(5) timeout(5).
*Mar 16 18:07:30: %7: [radius] user 17 retry
*Mar 16 18:07:30: %7: [radius] 17 send
*Mar 16 18:07:30: %7: [radius] radius acc retransmissions(6) timeout(6).
*Mar 16 18:07:32: %7: [radius] user 17 retry
*Mar 16 18:07:32: %7: [rds_user] rds delete user, state 2, atype 2
*Mar 16 18:07:32: %7: [rds_user] rds free user id 7, pkid 17
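As an added example (not part of the original post), the Python below encodes the timing rule from step 3 (radius timeout * (retransmit + 1) must be smaller than dot1x timeout server-timeout) and measures the observed escape delay from debug radius event output; the "*Mon DD HH:MM:SS:" timestamp prefix it parses is an assumption taken from the log lines shown above.

```python
import re
from datetime import datetime

# Assumed log prefix, as seen in the debug output above: "*Mar 16 18:07:20: ..."
TS_RE = re.compile(r"^\*(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}):")

def radius_failover_seconds(timeout, retransmit):
    """Seconds a Radius server is given before AAA moves on: the initial
    request plus `retransmit` resends, each waiting `timeout` seconds."""
    return timeout * (retransmit + 1)

def emergency_channel_ok(timeout, retransmit, server_timeout):
    """The post's rule: radius timeout*(retransmit+1) must be strictly smaller
    than dot1x timeout server-timeout, or the escape never triggers."""
    return radius_failover_seconds(timeout, retransmit) < server_timeout

def measure_failover(log_lines):
    """From 'debug radius event' output, return (retries, seconds) between the
    first access-request and the %AAA-7-FAILOVER line; None if either is absent."""
    first = failover = None
    retries = 0
    for line in log_lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        if first is None and "radius access requests(" in line:
            first = ts
        elif first is not None and "[radius] user" in line and " retry" in line:
            retries += 1
        elif "%AAA-7-FAILOVER" in line:
            failover = ts
            break  # accounting retries after the failover are not counted
    if first is None or failover is None:
        return None
    return retries, int((failover - first).total_seconds())

# Excerpt of the debug output shown above (only the timing-relevant lines).
DEBUG_LOG = """\
*Mar 16 18:07:20: %7: [radius] radius access requests(12).
*Mar 16 18:07:22: %7: [radius] user 16 retry
*Mar 16 18:07:24: %7: [radius] user 16 retry
*Mar 16 18:07:26: %7: [radius] user 16 retry
*Mar 16 18:07:26: %AAA-7-FAILOVER: Failing over from 'dot1x' for client 0021.cccf.6f70 on Interface GigabitEthernet 0/1.
*Mar 16 18:07:28: %7: [radius] user 17 retry
"""

if __name__ == "__main__":
    print(emergency_channel_ok(2, 2, 20))            # True: 2*(2+1) = 6 s < 20 s
    print(measure_failover(DEBUG_LOG.splitlines()))  # (3, 6)
```

The measured 6 s equals 2 * (2 + 1) from the post, so the failover fired as soon as the configured retries were exhausted, well inside the 20 s server-timeout.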