07-14-2004 11:37 AM - edited 03-10-2019 07:54 AM
Hi,
I have a 3550 switch with SMI, and I want to authenticate more than one client on the same port using RADIUS (Microsoft IAS 2003), so I will connect a hub to each port. Is that possible? I want the switch to stop only the unauthorized user, and not to block the port if there is an authorized user. How can I do that?
Thanks in advance.
07-14-2004 07:05 PM
You can attach multiple hosts to a single 802.1X-enabled port. In this mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), all attached clients are denied access to the network. So, you can do it, but you can only 802.1x-authenticate one device/user.
Here's an example:
Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x multiple-hosts
Having stated the above, it's generally a good idea to run port-security on the port in addition to 802.1x. Use 802.1x to authenticate a device and turn the port up. Use port-security to enforce the port (limit other MAC Addresses, age them out, etc.).
Other than that, 802.1x is a port-based access control solution, and there are design considerations to take into account when dealing with hubs.
Also, a reminder that if your "hub" is really any type of 802.1D-aware switch, it will drop any 802.1x traffic by design, since the PAE group MAC Address for 802.1x falls into the range of 16 reserved by 802.1D.
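The point about 802.1D-aware switches in the reply above can be checked on captured frames. This is an added example, not part of the original reply: it classifies untagged Ethernet II frames by whether their destination falls in the 802.1D reserved block. The sample frames and the source MAC are constructed for illustration.

```python
import struct

# 802.1D reserves 01-80-C2-00-00-00 through 01-80-C2-00-00-0F (16 addresses);
# a compliant bridge consumes or drops frames sent to them instead of forwarding.
RESERVED_PREFIX = bytes.fromhex("0180c20000")
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def is_8021d_reserved(mac: bytes) -> bool:
    """True if mac falls in the 16-address block a bridge must not forward."""
    return len(mac) == 6 and mac[:5] == RESERVED_PREFIX and mac[5] <= 0x0F


def classify(frame: bytes) -> dict:
    """Summarise one untagged Ethernet II frame from the bridge's point of view."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    eapol_type = None
    if ethertype == ETHERTYPE_EAPOL and len(frame) >= 18:
        # EAPOL header: protocol version, packet type, body length
        _version, ptype, _length = struct.unpack("!BBH", frame[14:18])
        eapol_type = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    return {
        "dst": dst.hex(":"),
        "eapol_type": eapol_type,
        "to_pae_group": dst == PAE_GROUP_MAC,
        "passes_8021d_bridge": not is_8021d_reserved(dst),
    }


# Constructed sample frames (source MAC 02:00:00:00:00:01 is a made-up local address).
SRC = bytes.fromhex("020000000001")
EAPOL_START = PAE_GROUP_MAC + SRC + bytes.fromhex("888e" "01" "01" "0000")
EAPOL_LOGOFF = PAE_GROUP_MAC + SRC + bytes.fromhex("888e" "01" "02" "0000")
ARP_BROADCAST = bytes.fromhex("ffffffffffff") + SRC + bytes.fromhex("0806") + bytes(28)

if __name__ == "__main__":
    for name, frame in [("EAPOL-Start", EAPOL_START), ("EAPOL-Logoff", EAPOL_LOGOFF),
                        ("ARP broadcast", ARP_BROADCAST)]:
        print(name, classify(frame))
```

A true repeater hub does no such filtering, which is why the supplicant's EAPOL-Start and EAPOL-Logoff only reach the 3550 when the device in between is a hub rather than a switch.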
07-15-2004 02:20 AM
Thank you very much for that information.
Actually, I have APs and some of them do not support RADIUS authentication, therefore I want some way to restrict user access (about 400 users).
I checked static port security and it works, but the problem is that I have to add each MAC address for each port. I wonder if there is a way to add MACs for a group of ports or a VLAN and restrict access to only those MACs, for TCP/IP traffic.
One other question: I didn't get sticky port security. I tried it and it adds the MACs, and I saved it in the startup configuration file, but the port does not give those MACs access. It just collects the MACs but does not give them access.
Thanks again in advance.