4402 Views, 0 Helpful, 2 Replies

Using 802.1x and 2 hosts (one physical and one virtual) on the same port

moogeboo1
Beginner

Hello,

We are trying to utilize the following scenario:

BYOD with users' windows based laptops and Apple Mac Books

Virtual machines within each of the physical machines:  For Windows, the VMs will be Windows 7 VMs running within VM Workstation.  For Macs, users will be running Windows 7 VMs within Fusion.

802.1x set for multi-host

Using 802.1x, we have a guest network that places the user's physical machine in once it fails authentication.  The virtual machine runs the corporate image, and we'd like to have this VM connected to our corporate VLAN.

We have been running into this scenario though:

1. User plugs his BYOD laptop into the network. His laptop gets attached to the guest network because it fails the 802.1x check.

2. The VM is powered on. It successfully connects to the corporate network.

3. Now, the user unplugs his network cable from his host machine and waits 10 seconds.

4. He then re-plugs the network cable to his host machine.

5. The VM is the first to authenticate to the 802.1x network and it gains access to the corporate network.

6. Due to the VM being the first to authenticate on 802.1x, the host network connection piggybacks off of the VM, and therefore the host gains access to the corporate network.

Obviously this represents a no-go if the user's BYOD computer is able to access the corporate network. Is there any specific way that 802.1x can be configured to prevent this from happening?

Thanks,

Mooge

2 Replies

shoaibkhan
Beginner

Multi-Host is not the right option for you. In Multi-Host, only one device has to successfully authenticate to authenticate all devices on that port.

You need to set host-mode to "multi-auth".

And I believe VLAN change will be a problem for you, if you use multi-auth, as your port can only be in one VLAN. You could use dACLs instead.
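As an added illustration of the reply above (not configuration from the original thread), here is a Catalyst IOS access-port stanza in the multi-host form the poster describes next to the multi-auth form the reply recommends; the interface name, VLAN numbers and the RADIUS-side dACL contents are assumed placeholders.

```cisco
! Added example, not from the thread. Interface and VLAN IDs are placeholders.
!
! --- What the question describes: multi-host ---
! One successful supplicant (the VM) authorizes every MAC behind the port,
! so the BYOD host that failed 802.1X rides along once the VM authenticates.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-host
 authentication event fail action authorize vlan 30
 dot1x pae authenticator
!
! --- What the reply recommends: multi-auth ---
! Every MAC seen on the port gets its own 802.1X session. The VM's session
! is authorized; the host's session fails and stays blocked. The port still
! has a single access VLAN, so per-session authorization is carried as a
! downloadable ACL (dACL) the RADIUS server returns for the VM's session
! (a cisco-av-pair such as ip:inacl#10=permit ip any any, value assumed),
! not as a VLAN change.
ip device tracking
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-auth
 dot1x pae authenticator
!
! Verify: each MAC on the port should appear as its own session with its
! own method and status.
! show authentication sessions interface GigabitEthernet1/0/10
```

With multi-auth the host's failed session never inherits the VM's authorization, which is the piggybacking in step 6 of the question.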
