
802.1X Authentication with VLAN assignment issue.

leeh1002
Level 1

Hi there,

 

I plan to implement 802.1X authentication with VLAN assignment on our network and assign different VLANs on the access switch (Cat2960) according to the end devices (for example, VLAN10 for WLAN, VLAN20 for voice, VLAN30 for IPTV set-top box, VLAN40 for PC) after successful authentication.

The topology of the network is (L3 backbone Switch: Cat6K) <-----> (L2 Access switch: Cat2960) <--------> (L2 Access switch: Cat2960) <--> WLAN/Voice/IPTV/PC. (Please refer to the attached file for the detailed topology.)

I have to adhere to the (L2 switch) <--> (L2 switch) topology due to a cabling issue.

My question is below.

1. To accommodate the various VLANs of the end devices, the only way is making a trunk port on both L2 switches. Is it possible?

     As far as I know, I can't enable 802.1X on a trunk port. Is it right?

2. If right, is there any solution?

 

Thank you for your help. :-)

 

 


You won't be running 802.1x on the trunk ports between switches, but rather on the ports to which the end-user devices connect.

Hi Javier,

My understanding of your comment is that I can't use (L2 Switch) <--> (L2 Switch) <--> End-devices and the only possible topology is (L2 Switch) <--> End-devices.

Is it correct?

How about this topology?

     (L2 Switch-A)  Port #1 <-----> (L2 Switch-B) Port #1 <--> VLAN10: AP

                            Port #2  <-----> (L2 Switch-B) Port #2 <--->VLAN20: Voice

                            Port #3 <-------> (L2 Switch-B) Port #3 <---> VLAN30: IPTV Set-top Box , etc.

Is it a possible solution?

 

Thank you for your advice.

My point is that you won't be activating 802.1x on the ports that are trunks between switches, only on the port(s) that will have end user devices.

So:

Switch-A <------> Switch-B

Above, you will have one port on Switch-A connected to one port on Switch-B, that presumably will be a trunk port, carrying multiple VLANs. You won't have 802.1x configured on either of those two ports.

Then, you will have end user computers on other ports on Switch-B. You will be configuring 802.1x on each of those ports, and on those ports only.
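
The port layout described in the reply above, written out as a Catalyst 2960 configuration for Switch-B. This is an added example, not part of the original thread; the interface numbers, the RADIUS server address (192.0.2.10) and the shared-secret placeholder are assumptions. It uses the `authentication port-control` and `radius-server host` syntax (older IOS releases use `dot1x port-control auto`, newer ones use `radius server` blocks).

```cisco
! Switch-B (Cat2960), the switch the end devices plug into.
! Constructed example: interface numbers, RADIUS address and key are placeholders.
!
aaa new-model
aaa authentication dot1x default group radius
! Required for the switch to accept a RADIUS-assigned VLAN
aaa authorization network default group radius
dot1x system-auth-control
! Switch-B is the authenticator: it reaches the RADIUS server as ordinary
! IP traffic over its uplink
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <RADIUS-SHARED-SECRET>
!
! VLANs that RADIUS may assign must already exist on this switch
vlan 10
 name WLAN
vlan 20
 name VOICE
vlan 30
 name IPTV
vlan 40
 name PC
!
! Uplink to Switch-A: trunk carrying the VLANs, no 802.1X commands at all
interface GigabitEthernet0/1
 description Trunk to Switch-A
 switchport mode trunk
!
! End-device port: access mode, 802.1X authenticator
interface FastEthernet0/2
 description End-user device
 switchport mode access
 ! VLAN used if authentication succeeds but RADIUS returns no VLAN
 switchport access vlan 40
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! RADIUS Access-Accept attributes that select the VLAN for the port:
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = 802 (6)
!   Tunnel-Private-Group-ID (81) = VLAN ID or VLAN name, e.g. 40
```

The access-port stanza is repeated on every Switch-B port that faces an end device; the trunk stanza stays free of 802.1X on both Switch-A and Switch-B.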

Hi Javier,

Thank you for your answer.

That means I can enable 802.1X on the ports, except the trunk port, on Switch-B to which end users are connected.

And 802.1X traffic (EAP) can pass through the trunk port on Switch-B.

Is it correct?

 

 

Right, don't configure 802.1x on the trunk ports on either switch, A or B. Only on the ports on switch B that will have end user computers (or other devices with 802.1x supplicants).

Thanks a lot.

Your advice was a very helpful answer. :-)

 
