https://community.cisco.com/t5/network-security/802-1x-authentication-question/m-p/4194066#M1076448 <P>Hello everyone,</P><P>Please consider the following example:</P><P>Radius-server------Router port2-----port2-SW-port1---work station</P><P>Above, we have:</P><P>SW with dot1x enabled on port1. This will ensure only authorized work station can connect to network.</P><P>&nbsp;But if some one just take the cable on port2 on SW, and attach rogue work station , then it can gain access to network i.e.:<BR />Radius-server------Router port2------ Rogue work station.</P><P>Can we do following to overcome this ?</P><P>1) We install CA certs on SW.</P><P>2) We enable dot1x on router port2.</P><P>3)&nbsp; When SW is connected to port2 on router, it will be subject to machine authentication using dot1x. Therefore if any rogue device is connected to port2 on router, it will be denied access.</P><P>The only thing I am thinking is dot1x is supposed to deployed at the access layer.</P><P>Any thoughts?</P><P>Thanks and have a good day!!</P> Sun, 06 Dec 2020 04:20:29 GMT Jackyhope 2020-12-06T04:20:29Z https://community.cisco.com/t5/network-security/802-1x-authentication-question/m-p/4194066#M1076448 <P>Hello everyone,</P><P>Please consider the following example:</P><P>Radius-server------Router port2-----port2-SW-port1---work station</P><P>Above, we have:</P><P>SW with dot1x enabled on port1. This will ensure only authorized work station can connect to network.</P><P>&nbsp;But if some one just take the cable on port2 on SW, and attach rogue work station , then it can gain access to network i.e.:<BR />Radius-server------Router port2------ Rogue work station.</P><P>Can we do following to overcome this ?</P><P>1) We install CA certs on SW.</P><P>2) We enable dot1x on router port2.</P><P>3)&nbsp; When SW is connected to port2 on router, it will be subject to machine authentication using dot1x. Therefore if any rogue device is connected to port2 on router, it will be denied access.</P><P>The only thing I am thinking is dot1x is supposed to deployed at the access layer.</P><P>Any thoughts?</P><P>Thanks and have a good day!!</P> Sun, 06 Dec 2020 04:20:29 GMT https://community.cisco.com/t5/network-security/802-1x-authentication-question/m-p/4194066#M1076448 Jackyhope 2020-12-06T04:20:29Z https://community.cisco.com/t5/network-security/802-1x-authentication-question/m-p/4194078#M1076449 Hi,<BR /><BR />You can configure dot1x supplicant to authenticate with radius server on<BR />port#2.<BR /><BR />However, the standard design always assumes that uplinks and network<BR />equipment are well secured and can't be physically accessed. Also, if the<BR />link on port#2 is broken, in general, you will have bigger problems rather<BR />than a workstation. In most cases, it will cause a complete outage to the<BR />site (users, phones, wireless, servers, etc). It might even break the<BR />connectivity radius server.<BR /><BR />The point I am trying to make is that dot1x is mainly made for access<BR />layers rather than core/distribution layers. Your scenario, technically<BR />possible but not practical and can't go unnoticed.<BR /><BR />***** please remember to rate useful posts<BR /> Sun, 06 Dec 2020 07:33:43 GMT https://community.cisco.com/t5/network-security/802-1x-authentication-question/m-p/4194078#M1076449 Mohammed al Baqari 2020-12-06T07:33:43Z https://community.cisco.com/t5/network-security/802-1x-authentication-question/m-p/4194133#M1076459 <P>802.1x is L2 security, you need L3 security to protect router and that can achieve via acl.</P><P>config acl in way even if rogue is bypass L2 it will failed to pass L3.</P> Sun, 06 Dec 2020 12:33:45 GMT https://community.cisco.com/t5/network-security/802-1x-authentication-question/m-p/4194133#M1076459 MHM Cisco World 2020-12-06T12:33:45Z