Configure Cisco IOS 802.1x Supplicant

If you have an intermediate familiarity with Ethernet switching you are more than likely familiar with 802.1x port based authentication. With that assumption let’s assume your environment is locked down tight enough to the point where this security is enabled. Great! However, what if you needed to add another Cisco device to a client facing switch port? Not so great… How do you get the device to authenticate the same way as your PC does? Fortunately the IOS includes a supplicant for 802.1x that will allow us to authenticate just like a wired windows client! Let’s check out the config for reference.

cisp enable
  eap profile EAP
  method mschapv2
dot1x credentials Dot1X_Creds
  username <username>
  password <password>
dot1x supplicant force-multicast
interface GigabitEthernet0/1
  ip address dhcp
  dot1x pae supplicant
  dot1x credentials Dot1X_Creds
  dot1x supplicant eap profile EAP

OK, so lets break this down. First, the CISP option needs to be enabled. This is the Client Information Signaling Protocol. In simple terms it’s a complementary feature to the supplicant for 802.1x.  As you can see in the second line we then create and name an EAP profile and in this example I used MSCHAPv2. There are other options as well including EAP-FAST and MD5.

ROUTER (config-eap-profile)#method ?
  fast     EAP-FAST method allowed
  md5       EAP-MD5 method allowed
  mschapv2 EAP-MSCHAPV2 method allowed

Next, we create a credential profile. This example shows username and password options. Not shown is also the option to include a PKI trustpoint certificate as well.

The “dot1x supplicant force-multicast” global option enables the supplicant in all host modes.

In interface configuration mode, you enable the supplicant and apply the EAP profile and the credential profile. From there you have the typical interface configuration options such as “ip address dhcp” from my example.

Finally, you will find additional information here on Cisco’s website:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/sec-ieee-neat.html

I hope you found this brief configuration discussion helpful! Be sure to comment with questions or feedback!

This entry was posted in Networking and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *