Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1460
Views
10
Helpful
3
Replies

Wired Dot1x hijacking the port

khaliddaloub
Level 1
Level 1

‎02-02-2021 10:43 AM - edited ‎02-02-2021 10:45 AM

Hi there Guys, 

My boss has asked me to secure his switches using Dot1x.

 

I am just labbing it out in GNS3 and I've come across an issue where it is possible to remove the authenticated device and plug in a rogue device.

It can ping around the network but does not connect to the domain.

(this session remains on the switch after the cable is disconnected long enough for the rogue device to access the network)

---show authentication sessions

Interface MAC Address Method Domain Status Fg Session ID

Gi0/1 0cf3.a743.d500 dot1x DATA Auth 000000000000001200268D24

 

Is there any way to remove session after the cable is removed? 

I know i could make a EEM applet to trigger clear dot1x all but i was wondering if there was an easy fix.

 

I was told not to use sticky ports also. 

also using NPS as the Radius server. 

 

Labels:
3 Replies 3

Damien Miller
VIP Alumni
VIP Alumni

‎02-02-2021 11:14 AM

Can you share your interface configuration? I have not done this in gns before, but does the interface state go up/down at all? 

khaliddaloub
Level 1
Level 1
In response to Damien Miller

‎02-02-2021 12:55 PM

Hi damien, 

 

interface GigabitEthernet0/1
switchport mode access
media-type rj45
negotiation auto
authentication port-control auto
dot1x pae authenticator

 

The interface goes :

*Feb 2 20:52:44.667: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Feb 2 20:52:45.671: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down

 

and when the command ;

#show authentication sessions 

is issued the output is;

Interface MAC Address Method Domain Status Fg Session ID

Gi0/1 0cf3.a743.d500 dot1x DATA Auth 000000000000001200268D24

 

with the line protocol down and status down. 

 

 

0 Helpful

khaliddaloub
Level 1
Level 1
In response to khaliddaloub

‎02-04-2021 05:13 AM

Hi Again, 

 

Ive created an EEM that fixes the issue but it is not clean and would require X amounts of Applets for the X amounts of interfaces. Anyone with experience could make this more automated. 

 

event manager applet CLEAR_DOT1x_VAR_G1
event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down"
action 1.1 cli command "enable"
action 1.2 cli command "clear dot1x interface GigabitEthernet0/1"
action 1.3 syslog msg "CLEAR DOT1X AFTER COMP IS REMOVE PREVENT ROGUE DEVICE INT1"
action 1.4 cli command "end"

 

 

event manager applet CLEAR_DOT1x_VAR_G2
event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down"
action 1.1 cli command "enable"
action 1.2 cli command "clear dot1x interface GigabitEthernet0/2"
action 1.3 syslog msg "CLEAR DOT1X AFTER COMP IS REMOVE PREVENT ROGUE DEVICE INT2"
action 1.4 cli command "end"

 

Kind Regards. 

0 Helpful
Customers Also Viewed These Support Documents