Designing Network Access Control Solutions

The threat of a network service disruption by unauthorized sources grows when
technology becomes more important in business processes. It is critical for organizations
to protect access to the network. Protection can reduce the probability of intrusions from
threats such as viruses and worms, as well as unauthorized access. Technologies such as
802.1X can be implemented to perform network access control.

IEEE 802.1X Overview

IEEE 802.1X is an industry standard that is used to provide authentication-based port
access control and authorization. With IEEE 802.1X port-based authentication,
network devices have the following roles:
■ Supplicant: This role is an agent or service running on the device that requests access
to the network. It responds to requests from the switch.
■ Authenticator: Network devices such as LAN switches and wireless LAN controllers
act as authenticators. This device controls physical access to the network based on
the authentication status of the client. The authenticator requests identity information
from the client, verifies that information with the authentication server, and relays the
server's response to the client.
■ Authentication server: This role performs the actual authentication of the client.
The authentication server validates the identity of the client and notifies the
authenticator whether the client is authorized to access the network. Because the
authenticator acts as a proxy, the authentication service is transparent to the client.
In addition, with 802.1X two methods are mainly used for authentication:
■ Digital certificate
■ Username and password


Case Study: Authorization Options

The enterprise campus network consists of several access switches that are located in
several buildings. Users often migrate from building to building, and you are responsible
for updating VLAN memberships for the client devices. Because many migrations occur
every day, much of your daily activity includes moving users from one VLAN to another.
You are thinking about how to automate this activity.
The campus network is implemented as a three-level architecture. Access layer switches
are Layer 2 switches. Inter-VLAN routing is done in the aggregation layer. Users are
segmented in different VLANs based on their role in the company. Firewall policy is
implemented in accordance with VLAN membership: every VLAN has a specific IP
subnet, and the firewall rules are implemented based on these subnets.
You have already implemented 802.1X access control on all access switches in the
campus network. When a client is successfully authenticated, it is assigned to the VLAN
that is configured on the specific port. Therefore, you have to manually change the port
VLAN membership if the client moves from one location to the other. You are wondering
whether there is a way to automate this process.
You came up with a solution to implement a dynamic VLAN assignment. Because
you have already implemented 802.1X with RADIUS authentication, you can easily
extend your 802.1X deployment to support authorization. To perform dynamic VLAN
assignment, the RADIUS server must return the VLAN attribute in the Access-Accept
message (refer to the figure below).
With the VLAN assignment, the authentication server can associate a VLAN with a
particular user or group, and instruct the switch to dynamically assign the authenticated
user into that VLAN. This method can easily provide strong access control and auditing
within the enterprise network.
Dynamic VLAN assignment is the easiest way to segment endpoints and enforce policy,
because it is standards-based. On the other hand, a VLAN assignment can result in a
subnet change that is usually not communicated to the endpoint, which may keep using an
address from its previous subnet until it renews its lease. You also need to enforce the
VLAN-to-VLAN security policy, which becomes costly as you add more VLANs.
Besides assigning appropriate VLANs for users that can successfully authenticate with
the authentication server, dynamic VLAN assignment can also be used to assign VLANs
for users who fail the authentication. The advantage of using authentication-server-assigned
VLANs for failed authentication is that VLAN assignment will be centrally logged in the AAA system.
The switch can also assign a VLAN based on its own local configuration:
■ Guest VLAN: Guest VLAN assignment can be used locally on the switch for users
who do not have the 802.1X supplicant. You can offer limited network access to
such users.
■ Restricted VLAN: You can configure restricted VLANs for users who have the
supplicant but fail the authentication process. A restricted VLAN allows users who
do not have valid credentials on an authentication server to access a limited set of
services.
■ Default VLAN: The default VLAN is the VLAN that is configured on the port.
When a client successfully authenticates to the server and the authentication server
does not assign a dynamic VLAN, the default VLAN is retained on the port.
■ Critical VLAN: A critical VLAN is the VLAN that is applied to the 802.1X-enabled
interface if the authentication server is unavailable.
You also want to extend this solution to limit the access for the external contractors that
support the internal IT team. You want to dynamically assign access restrictions to only
allow access to the resources that a specific contractor needs.
You want to implement a simple solution that is also manageable. You are thinking
of creating a per-contractor VLAN and then limiting access to the systems on the
SVI for that VLAN. But you come to the conclusion that this solution is not
scalable. You decide that a better solution is to use downloadable ACLs.
Downloadable ACLs allow you to define per-user ACLs on the RADIUS server.
When a user is authenticated on the 802.1X port, the RADIUS server sends the ACL
attributes to the switch. The switch applies the attributes to the 802.1X port for the
duration of the user session (see Figure 25-10) and removes the per-user ACL
configuration when the session ends, when authentication fails, or when a link-down
condition occurs.


Downloadable ACLs are a more flexible way of restricting traffic from a source to
certain destinations. Because all ACLs are configured centrally on the RADIUS server,
there is no need to change ACLs on a local switch. But when you implement
ACLs, you must be careful because ACLs consume ternary content-addressable memory
(TCAM) space on the switch, which is limited.
You have implemented this solution. The RADIUS server is responsible for assigning a
common VLAN for all contractors. Each contractor has an ACL applied on the RADIUS
server, which is downloaded when the contractor is successfully authenticated to the
network.
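As an added example (not from the article or from any vendor's code), the following Python parses a RADIUS Access-Accept the way an authenticator would: it extracts the dynamic VLAN from the three RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID) used for the VLAN assignment described above, and the per-user ACL entries carried as Cisco `cisco-av-pair` vendor-specific attributes of the form `ip:inacl#N=...` used for the downloadable ACLs. It assumes the Response Authenticator has already been verified against the shared secret (the constructed sample packet zeroes it); the attribute numbers, vendor ID and values are the standard ones.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AV_PAIR = 26, 9, 1
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def parse_attributes(packet):
    # Header is code, identifier, length and a 16-byte authenticator; then TLVs.
    length = struct.unpack("!BBH", packet[:4])[2]
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen
def strip_tag(value):
    # RFC 2868 tunnel attributes: a leading octet <= 0x1F is a tag, not data.
    return value[1:] if value and value[0] <= 0x1F else value
def authorization(packet):
    """Return {'vlan': id or None, 'acl': [entries]} for an Access-Accept, else None."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    tunnel, group, acl = {}, None, []
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[atype] = int.from_bytes(strip_tag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = strip_tag(value).decode()
        elif atype == VENDOR_SPECIFIC and int.from_bytes(value[:4], "big") == CISCO_VENDOR_ID:
            text = value[6:4 + value[5]].decode()  # vendor type, vendor length, string
            if value[4] == CISCO_AV_PAIR and text.startswith("ip:inacl#"):
                acl.append(text.split("=", 1)[1])  # one per-user ACE, in numbered order
    # The switch honours the VLAN only if all three tunnel attributes agree.
    ok = (tunnel.get(TUNNEL_TYPE), tunnel.get(TUNNEL_MEDIUM_TYPE)) == (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802)
    return {"vlan": group if ok else None, "acl": acl}
def tlv(atype, value):
    return bytes([atype, len(value) + 2]) + value
def sample_accept():
    # Constructed Access-Accept: VLAN 310 plus a two-entry contractor dACL (zero authenticator).
    av = lambda t: tlv(VENDOR_SPECIFIC, CISCO_VENDOR_ID.to_bytes(4, "big") + tlv(CISCO_AV_PAIR, t.encode()))
    body = (tlv(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, b"\x00310")
            + av("ip:inacl#1=permit tcp any host 10.10.20.5 eq 22")
            + av("ip:inacl#2=deny ip any any"))
    return struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(body)) + bytes(16) + body
```

Calling `authorization(sample_accept())` yields VLAN `310` and the two ACL entries; an Access-Accept that carries Tunnel-Private-Group-ID without a matching Tunnel-Type and Tunnel-Medium-Type yields no VLAN, which is the switch behaviour to keep in mind when a dynamic assignment silently falls back to the port's default VLAN.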


Summary Notes:

■ IEEE 802.1X provides authentication-based port access control and authorization.
■ EAP is a protocol for authentication in IEEE 802.1X.
■ You can assign VLAN or downloadable ACLs through IEEE 802.1X authorization.
■ You should use phased deployment mode for limited impact on network access.
■ Cisco AnyConnect can act as an IEEE 802.1X supplicant.
■ Cisco TrustSec enforces policy based on the contextual identity of the endpoint.


Written By: Afaq Ahmad - Network Engineering Consultant - CCIE x 2 # 42243
