09-06-2013 07:47 AM - edited 03-10-2019 08:52 PM
In the situation with multi-host access to one port of Cisco 2960 Lan Lite by another simple L2 switch, is it possible that we could control per user access by authentication for each?
What happens if I connect an untrusted device to the switch (which already has some trusted devices)?
What happens if I connect a trusted device to the switch (which already has an untrusted device)?
If I use "authentication violation protect", will traffic be blocked only for the untrusted device, or for all devices connected via the simple L2 switch?
I read the manual, but it does not make this clear in detail.
Please tell me the right way.
I will be very grateful for your advice!
09-06-2013 10:27 PM
You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode , only one client can be connected to the 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
In multiple-hosts mode, you can attach multiple hosts to a single 802.1x-enabled port. In this mode, only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients.
As the port goes to the unauthorized state / down if an untrusted client is connected, it depends entirely on the violation method you configure on the port. If a trusted client is connected later on, it depends on the port violation method whether the connection is granted to the trusted MACs.
09-06-2013 11:27 PM
Hello,
In the situation with multi-host access to one port of Cisco 2960 Lan Lite by another simple L2 switch, is it possible that we could control per user access by authentication for each?
Yes, that's why multi-host mode exists
What happens if I connect an untrusted device to the switch (which already has some trusted devices)? If it's in single-host mode, the port will go into error-disabled, as the violation of just one client per port has been triggered.
What happens if I connect a trusted device to the switch (which already has an untrusted device)? Same thing as before if in single-host mode.
If I use "authentication violation protect" traffic will be blocked only by an untrusted device or all devices connected via a simple L2 switch?
Only for the unknown client MAC address; the trusted devices will be able to communicate.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
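As an added example (not from any post in this thread), here is the IOS interface configuration that selects the host mode discussed above and pairs it with the protect violation action, so the reader can see exactly which commands the answers refer to. Multi-host mode authorizes every MAC behind the port once the first client succeeds, so authenticating each device behind a downstream unmanaged switch individually is the job of multi-auth mode instead. The interface name, VLAN, RADIUS address and shared key are placeholders, and the RADIUS syntax is the older 12.2SE form.

```cisco
! Global 802.1X / RADIUS setup (server address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
dot1x system-auth-control
!
! Access port that feeds the unmanaged L2 switch (interface/VLAN are placeholders)
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! multi-host: one successful client opens the port for every MAC behind it,
 ! so a later unauthenticated device rides on the first client's session.
 ! authentication host-mode multi-host
 ! multi-auth: every MAC seen behind the port must authenticate on its own,
 ! which is what per-device control through a downstream switch requires.
 authentication host-mode multi-auth
 ! protect: frames from MACs that are not authorized are silently dropped while
 ! the port stays up for the authorized hosts. The default action, shutdown,
 ! err-disables the whole port and cuts off every device behind the L2 switch.
 authentication violation protect
 dot1x pae authenticator
 spanning-tree portfast
```

Verify the per-MAC state with `show authentication sessions interface GigabitEthernet0/1`, which lists each client's MAC and whether it is authorized or unauthorized.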
09-09-2013 06:00 AM
The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.
Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
For Complete Configuration, please check the below link
09-09-2013 06:46 AM
Thank you guys!
These are very useful answers.
All the best.
09-09-2013 10:45 AM
Hello Mikhail,
Our pleasure to help
Please mark the question as answered so future users can learn from our discussion
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-09-2013 11:23 AM
You should probably check with your Cisco SE, as I'm not 100% sure that this limitation still exists, but there are a lot of dot1x-related features that are not supported in the LAN Lite edition of the 2960, including dACL support for dot1x.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/prod_presentation_c97-494780.pdf