802.1x combined with port security

j.m
Level 1

Hello

I need a specific LAN port security solution for our company network.

Conditions:

First: secured/EAP authentication in, for example, RADIUS (by certificate, credentials, domain-trusted computer...).

Second: based on the first, a managed switch with dynamic VLAN that allows and assigns a VLAN to the LAN port for the computer/device.

Third: through the LAN port, only one authenticated computer must be enabled and have access to the network. It is unwanted, even forbidden, to allow other devices to connect through the LAN port or to allow some number of additional MAC addresses/devices, especially because authenticated devices are assigned to different VLANs.

Maybe a basic additional switch can be used on this LAN port, but only one authenticated computer/device must be allowed to connect to this switch.

If other computers/devices are connected to/via the switch, or communication from a different device is detected, the LAN port must be set to a restricted state and no communication is allowed, or only basic communication.

Additionally, ideally: for example, some authenticated computer is connected directly to the LAN port. The intruder can disconnect the device, scan for its MAC address, connect an additional switch between the authenticated device and the LAN port, and connect another device of their own with a cloned MAC address. The system should be capable of recognizing such attacks. Ideally, detect and limit access if a switch or anything else is connected between the LAN port and the authenticated computer/device. Yes, I understand that this is difficult, therefore..., ideally...
For a beginning it is enough to prevent connecting more devices through a switch or, for example, a NAT router to one LAN port.
I have a Cisco CBS 350 switch with similar functionality, but I am confused that 802.1x can't be combined with port security. I tested 802.1x with port security using multiple hosts and tried to limit the number of clients to 0 or 1, but it is not working. If I connect another device via an additional switch to the LAN port, the authenticated computer enables network access for anyone else. Such security is useless. And moreover, MAC address based security is not security, but for a beginning... Can someone suggest/explain the solution?

2 Accepted Solutions

Greg Gibbs
Cisco Employee

You are correct that combining 802.1x and port security on the switchport is not supported. They are competing functions that can introduce race conditions and erratic unpredictable behaviours.

It sounds like what you might be looking for is Multi-Domain Host mode on the switchport. This mode allows only a single MAC address on the VOICE domain and a single MAC address on the DATA domain. Any additional MAC addresses will cause a violation and err-disable the switchport.

See the section on MAC Limits in the Secure Wired Access Prescriptive Deployment Guide (search for 'Table8' as there is no direct link).

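As an added illustration of the Multi-Domain Host mode described above (this is not Greg's or Cisco's own configuration), here is a Catalyst IOS access-port configuration that allows one MAC in the voice domain and one in the data domain, takes the data VLAN from the RADIUS server, and err-disables the port when an extra MAC shows up. The RADIUS server address and key, the VLAN IDs and the interface name are placeholders, and the CBS 350 the original poster uses has a different CLI, so this is the Catalyst equivalent only.

```cisco
! --- Global: AAA towards RADIUS; network authorization lets the server push a VLAN ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET-PLACEHOLDER
dot1x system-auth-control
!
! --- Access port: one phone in the voice VLAN, one PC in the data VLAN ---
interface GigabitEthernet1/0/1
 description 802.1X multi-domain port (placeholder interface)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! multi-domain = exactly one MAC in the DATA domain and one in the VOICE domain
 authentication host-mode multi-domain
 ! run 802.1X on the port; a second data MAC is a security violation
 authentication port-control auto
 ! shutdown = err-disable the port on a violation (alternatives: protect, restrict)
 authentication violation shutdown
 ! re-authenticate on the interval the RADIUS server returns (Session-Timeout)
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 spanning-tree portfast
!
! For the single-device case the original poster asked about, replace the host-mode
! line with:
!  authentication host-mode single-host
! which permits exactly one MAC on the port and no separate voice domain.
!
! Verification and (optional) automatic recovery of an err-disabled port:
! show authentication sessions interface GigabitEthernet1/0/1 details
! show errdisable recovery
! errdisable recovery cause security-violation
```

Dynamic VLAN assignment only works if the RADIUS server returns the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes and `aaa authorization network` is configured as above.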

Hmmm, the previous post is not the solution for me nor accepted by me. Someone else accepted it, but it is not.

I found the solution. It is possible to enable single host mode with 802.1x and dynamic VLAN, but it's just a matter of correct setup and the way of setting up the switch.

802.1x offers similar functionality as port security but in my opinion better, and there is no need to combine them.
It's functioning nicely and almost exactly as I need. The only problem is in case of spoofing/cloning the MAC address, and it is a big thorn in the a.... I should probably look into MACsec or similar...

I'm sorry that no one told me this simple information earlier, but anyway, thank you for trying to help.


7 Replies

From the Cisco doc:

These examples describe the interaction between 802.1X and port security on the switch:

• When a client is authenticated, and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally. When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled). A security violation occurs if an additional host is learned on the port. The action taken depends on which feature (802.1X or port security) detects the security violation:
  – If 802.1X detects the violation, the action is to err-disable the port.
  – If port security detects the violation, the action is to shutdown or restrict the port (the action is configurable).
  The following describes when port security and 802.1X security violations occur:
  – In single host mode, after the port is authorized, any MAC address received other than the client's will cause a 802.1X security violation.
  – In single host mode, if installation of an 802.1X client's MAC address fails because port security has already reached its limit (due to a configured secure MAC addresses), a port security violation is triggered.
  – In multi host mode, once the port is authorized, any additional MAC addresses that cannot be installed because the port security has reached its limit will trigger a port security violation.
• When an 802.1X client logs off, the port transitions back to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then ensues.
• If you administratively shut down the port, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
• Only 802.1X can remove the client's MAC address from the port security table. Note that in multi host mode, with the exception of the client's MAC address, all MAC addresses that are learned by port security can be deleted using port security CLIs.
• Whenever port security ages out a 802.1X client's MAC address, 802.1X attempts to reauthenticate the client. Only if the reauthentication succeeds will the client's MAC address be retained in the port security table.
• All of the 802.1X client's MAC addresses are tagged with (dot1x) when you display the port security table by using CLI.


Thanks for the reply, very nice. I understand that from Cisco's point of view port security is competing with 802.1x, but (maybe I searched weakly) I can't believe that I am the only one who needed such a solution, the only one who needed only one device per LAN port with authentication conditions and dynamic VLAN, and that no official exact solution is offered; I don't think so. If the switch, or even the switch port, is so intelligent that it can limit the number of MAC addresses with 802.1x enabled, where is the problem in doing it so that, for example, at the beginning the LAN port waits for 802.1x authentication with no limit to a specific MAC address but detects whether communication comes from only one device/MAC address, and after authentication only the MAC address of the authenticated device is (learned?) enabled on the LAN port? If during the entire communication multiple devices/MAC addresses are detected/connected to the LAN port, or suspicious/malicious communication is detected, a security violation occurs and the LAN port is set to a restricted or disabled state?

According to this document I found, it appears that 802.1x and port security in single-host mode is a commonly used solution, but how to implement it?

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dot1x.pdf



Could you share the switch-side configurations for this implementation?

Port security dynamic or sticky with max MAC 1

This is the config I think you need.

Thanks for the reply, but my problem is different.

I need to implement port-security with 802.1x (ISE), and each port of the switch must have two MACs (a phone in the voice vlan, and a laptop in the data vlan - it can be vlan X if successfully authenticated, or vlan Z if not successfully authenticated, as a guest).

However, I'm having problems with the 2960L switches. When many ports go down and back at the same time (power failure, for example), some phones try to authenticate via 802.1x instead of entering the voice VLAN, thus occupying a data MAC, and when the laptop tries to authenticate, the port drops into error-disable.
This only occurs on catalyst 2960L. On 2960x switches, for example, it works normally.

According to documentation, it would not be recommended to use 802.1x with port-security, but I think the same as the owner of the post when he says "I understand that from Cisco look, port security is competing to 802.1x but (maybe I searched weakly) I can't believe that I am the only one who needed such solution, the only one who needed only one device per LAN port with authentication conditions and dynamic VLAN, but no official exact solution is offered, I don't think so".

Maybe I should open a new thread about it.