<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Internet connection sharing and 802.1x bypassing. in Routing and SD-WAN</title>
    <link>https://community.cisco.com/t5/routing-and-sd-wan/internet-connection-sharing-and-802-1x-bypassing/m-p/713103#M43073</link>
    <description>&lt;P&gt;We have a need to secure the ports on a switch. This is in a mostly uncontrolled location but the switch itself is secure.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;First we thought to use simple MAC locking but a consumer router can bypass that out of the box. We also looked into a layer 3 challenge method but it is also trivial to configure a consumer router to send the authentication traffic to a single machine but still allow other machines to share the connection.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So I figured that 802.1x should solve this because it is layer 2 and routers don't do 802.1x clients and the ones that do don't support the more advanced authentications.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Wasn't long after this that I was helping someone set up an Internet connection that was using a Windows machine as the router to share the connection between multiple machines. This is trivial to set up on a dual-NIC machine using Microsoft Internet Connection Sharing. Looking at the options it does not appear Microsoft in any way restricts traffic from sharing an 802.1x authenticated port. I still have to test this but it appears to defeat my ability to control which machines are attached to the switch.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So any ideas what to try next? We can always go back to VPN solutions but those are such a pain to support, in particular when the machine contains another vendor's VPN client.&lt;/P&gt;</description>
    <pubDate>Mon, 04 Mar 2019 01:56:00 GMT</pubDate>
    <dc:creator>tdrais</dc:creator>
    <dc:date>2019-03-04T01:56:00Z</dc:date>
    <item>
      <title>Internet connection sharing and 802.1x bypassing.</title>
      <link>https://community.cisco.com/t5/routing-and-sd-wan/internet-connection-sharing-and-802-1x-bypassing/m-p/713103#M43073</link>
      <description>&lt;P&gt;We have a need to secure the ports on a switch. This is in a mostly uncontrolled location but the switch itself is secure.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;First we thought to use simple MAC locking but a consumer router can bypass that out of the box. We also looked into a layer 3 challenge method but it is also trivial to configure a consumer router to send the authentication traffic to a single machine but still allow other machines to share the connection.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So I figured that 802.1x should solve this because it is layer 2 and routers don't do 802.1x clients and the ones that do don't support the more advanced authentications.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Wasn't long after this that I was helping someone set up an Internet connection that was using a Windows machine as the router to share the connection between multiple machines. This is trivial to set up on a dual-NIC machine using Microsoft Internet Connection Sharing. Looking at the options it does not appear Microsoft in any way restricts traffic from sharing an 802.1x authenticated port. I still have to test this but it appears to defeat my ability to control which machines are attached to the switch.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So any ideas what to try next? We can always go back to VPN solutions but those are such a pain to support, in particular when the machine contains another vendor's VPN client.&lt;/P&gt;</description>
      <pubDate>Mon, 04 Mar 2019 01:56:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/routing-and-sd-wan/internet-connection-sharing-and-802-1x-bypassing/m-p/713103#M43073</guid>
      <dc:creator>tdrais</dc:creator>
      <dc:date>2019-03-04T01:56:00Z</dc:date>
    </item>
    <item>
      <title>Re: Internet connection sharing and 802.1x bypassing.</title>
      <link>https://community.cisco.com/t5/routing-and-sd-wan/internet-connection-sharing-and-802-1x-bypassing/m-p/713104#M43074</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I think dot1x is a good way to go. You can auth many MACs on a single port. Cisco dot1x mac-auth-bypass command in conjunction with dot1x multiple-hosts should allow you to authorise based on layer 2. All the info you need is here...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/dot1x.html#wp1225342" target="_blank"&gt;http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/dot1x.html#wp1225342&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also see my earlier post for more info...&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;amp;forum=Network%20Infrastructure&amp;amp;topic=LAN%2C%20Switching%20and%20Routing&amp;amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddf269f" target="_blank"&gt;http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;amp;forum=Network%20Infrastructure&amp;amp;topic=LAN%2C%20Switching%20and%20Routing&amp;amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddf269f&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope this falls into what you are looking to do. You will need some sort of RADIUS server of course.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Stephen&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 18 Jul 2007 19:06:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/routing-and-sd-wan/internet-connection-sharing-and-802-1x-bypassing/m-p/713104#M43074</guid>
      <dc:creator>stephen.stack</dc:creator>
      <dc:date>2007-07-18T19:06:29Z</dc:date>
    </item>
  </channel>
</rss>

