Support - 25-802.1X client configuration (2024)

About 802.1X clients

As shown in Figure 1, the 802.1X client feature allows the access device to act as the supplicant in the 802.1X architecture. For information about the 802.1X architecture, see "802.1X overview."

Figure 1 802.1X client network diagram


802.1X client tasks at a glance

To configure an 802.1X client, perform the following tasks:

1. Enabling the 802.1X client feature

2. Configuring an 802.1X client username and password

3. Specifying an 802.1X client EAP authentication method

4. (Optional.) Configuring an 802.1X client MAC address

5. (Optional.) Specifying an 802.1X client mode for sending EAP-Response and EAPOL-Logoff packets

6. (Optional.) Configuring an 802.1X client anonymous identifier

7. Specifying an SSL client policy

This task is required when you specify PEAP-MSCHAPv2, PEAP-GTC, TTLS-MSCHAPv2, or TTLS-GTC authentication as the 802.1X client EAP authentication method.

Enabling the 802.1X client feature

1. Enter system view.

system-view

2. Enter Ethernet interface view.

interface interface-type interface-number

3. Enable the 802.1X client feature.

dot1x supplicant enable

By default, the 802.1X client feature is disabled.

Configuring an 802.1X client username and password

Restrictions and guidelines

To ensure successful authentication, make sure the username and password configured on the 802.1X client are consistent with the username and password configured on the authentication server.

Procedure

1. Enter system view.

system-view

2. Enter Ethernet interface view.

interface interface-type interface-number

3. Configure an 802.1X client username.

dot1x supplicant username username

By default, no 802.1X client username is configured.

4. Set an 802.1X client password.

dot1x supplicant password { cipher | simple } string

By default, no 802.1X client password is configured.

Specifying an 802.1X client EAP authentication method

About this task

The following EAP authentication methods are available for the 802.1X client feature:

· MD5-Challenge.

· PEAP-MSCHAPv2.

· PEAP-GTC.

· TTLS-MSCHAPv2.

· TTLS-GTC.

Restrictions and guidelines

The following matrix shows the restrictions for the selection of authentication methods on the 802.1X client and the authenticator:

| Authentication method specified on the 802.1X client | Packet exchange method specified on the authenticator |
|---|---|
| MD5-Challenge | CHAP, EAP |
| PEAP-MSCHAPv2, PEAP-GTC, TTLS-MSCHAPv2, TTLS-GTC | EAP |

For information about 802.1X packet exchange methods, see "Configuring 802.1X."

Make sure the specified 802.1X client EAP authentication method is supported by the authentication server.

Procedure

1. Enter system view.

system-view

2. Enter Ethernet interface view.

interface interface-type interface-number

3. Specify an 802.1X client EAP authentication method.

dot1x supplicant eap-method { md5 | peap-gtc | peap-mschapv2 | ttls-gtc | ttls-mschapv2 }

By default, the EAP authentication method is MD5-Challenge.

Configuring an 802.1X client MAC address

About this task

The authenticator adds the MAC address of an authenticated 802.1X client to the MAC address table and then assigns access rights to the client.

If the device has multiple Ethernet interfaces that act as 802.1X clients to seek MACsec protection, configure a unique MAC address for each interface to ensure successful 802.1X client authentication. For information about MACsec, see "Configuring MACsec."

You can use either of the following methods to configure a unique MAC address for each interface:

· Execute the mac-address command in Ethernet interface view. For information about this command, see Layer 2—LAN Switching Command Reference.

· Configure an 802.1X client MAC address.

Procedure

1. Enter system view.

system-view

2. Enter Ethernet interface view.

interface interface-type interface-number

3. Configure an 802.1X client MAC address.

dot1x supplicant mac-address mac-address

By default, the 802.1X client on an Ethernet interface uses the MAC address of the interface for 802.1X authentication. If the interface's MAC address is unavailable, the client uses the device's MAC address for 802.1X authentication.

Specifying an 802.1X client mode for sending EAP-Response and EAPOL-Logoff packets

About this task

802.1X client authentication supports unicast and multicast modes to send EAP-Response and EAPOL-Logoff packets. As a best practice, use multicast mode to avoid 802.1X client authentication failures if the NAS device in the network does not support receiving unicast EAP-Response or EAPOL-Logoff packets.

Procedure

1. Enter system view.

system-view

2. Enter Ethernet interface view.

interface interface-type interface-number

3. Specify a mode for 802.1X client authentication to send EAP-Response and EAPOL-Logoff packets.

dot1x supplicant transmit-mode { multicast | unicast }

By default, 802.1X client authentication uses unicast mode to send EAP-Response and EAPOL-Logoff packets.

Configuring an 802.1X client anonymous identifier

About this task

At phase 1, packets sent to the authenticator are not encrypted. The use of an 802.1X client anonymous identifier prevents the 802.1X client username from being disclosed at phase 1. The 802.1X client sends the anonymous identifier to the authenticator instead of the 802.1X client username. The 802.1X client username will be sent to the authenticator in encrypted packets at phase 2.

If no 802.1X client anonymous identifier is configured, the 802.1X client sends the 802.1X client username at phase 1.

The configured 802.1X client anonymous identifier takes effect only if one of the following EAP authentication methods is used:

· PEAP-MSCHAPv2.

· PEAP-GTC.

· TTLS-MSCHAPv2.

· TTLS-GTC.

If the MD5-Challenge EAP authentication is used, the configured 802.1X client anonymous identifier does not take effect. The 802.1X client uses the 802.1X client username at phase 1.

Restrictions and guidelines

Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.

Procedure

1. Enter system view.

system-view

2. Enter Ethernet interface view.

interface interface-type interface-number

3. Configure an 802.1X client anonymous identifier.

dot1x supplicant anonymous identify identifier

By default, no 802.1X client anonymous identifier is configured.

Specifying an SSL client policy

About this task

If the PEAP-MSCHAPv2, PEAP-GTC, TTLS-MSCHAPv2, or TTLS-GTC authentication is used, the 802.1X client authentication process is as follows:

· Phase 1—The 802.1X client acts as an SSL client to negotiate with the SSL server.

The SSL client uses the SSL parameters defined in the specified SSL client policy to establish a connection with the SSL server for negotiation. The SSL parameters include a PKI domain, supported cipher suites, and the SSL version. For information about SSL client policy configuration, see "Configuring SSL."

· Phase 2—The 802.1X client uses the negotiated result to encrypt and transmit the interchanged authentication packets.

If the MD5-Challenge authentication is used, the 802.1X client does not use an SSL client policy during the authentication process.

Procedure

1. Enter system view.

system-view

2. Enter Ethernet interface view.

interface interface-type interface-number

3. Specify an SSL client policy.

dot1x supplicant ssl-client-policy policy-name

By default, the default SSL client policy is used.
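The defaults and method restrictions described in the preceding sections can be checked mechanically. The following Python script is an added example, not part of the vendor documentation: it reads interface configuration text and reports where the stated defaults leave the username exposed at phase 1 or make a setting ineffective. The interface names, usernames, the policy name supp-tls, the finding codes, and the input layout (an interface line followed by its dot1x supplicant commands) are assumptions made for the example.

```python
TUNNELED = {"peap-mschapv2", "peap-gtc", "ttls-mschapv2", "ttls-gtc"}
# Constructed excerpt of an interface configuration (password lines omitted).
SAMPLE = """\
interface GigabitEthernet1/0/1
 dot1x supplicant enable
 dot1x supplicant username uplink-a
 dot1x supplicant anonymous identify anonymous
interface GigabitEthernet1/0/2
 dot1x supplicant enable
 dot1x supplicant username uplink-b
 dot1x supplicant eap-method peap-mschapv2
 dot1x supplicant ssl-client-policy supp-tls
"""

def parse_supplicant(config_text):
    """Collect 'dot1x supplicant' settings per interface."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("dot1x supplicant ") and current is not None:
            words = line.split()[2:]
            # "anonymous identify" is a two-word keyword; the others are one word.
            key = " ".join(words[:2]) if words[0] == "anonymous" else words[0]
            current[key] = words[-1]
    return interfaces

def audit(settings):
    """Return finding codes for one interface, applying the page's defaults."""
    findings = [] if "enable" in settings else ["feature-disabled"]
    method = settings.get("eap-method", "md5")        # default: MD5-Challenge
    anon = "anonymous identify" in settings
    if method == "md5":
        findings.append("md5-username-in-clear")      # no SSL phase with MD5
        if anon:
            findings.append("anonymous-id-ignored")   # no effect with MD5
    elif method in TUNNELED:
        if not anon:
            findings.append("username-sent-at-phase-1")
        if "ssl-client-policy" not in settings:
            findings.append("default-ssl-policy-in-use")
    return findings

def audit_config(config_text):
    """Map each interface name to its list of finding codes."""
    return {name: audit(s) for name, s in parse_supplicant(config_text).items()}

if __name__ == "__main__":
    print(audit_config(SAMPLE))
```

On the sample, the first interface is flagged because it has an anonymous identifier but no eap-method line, so the MD5-Challenge default applies and the identifier does not take effect.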

Display and maintenance commands for 802.1X client

Execute display commands in any view.

| Task | Command |
|---|---|
| Display 802.1X client information. | display dot1x supplicant [ interface interface-type interface-number ] |
