12-05-2020 08:18 PM - edited 12-05-2020 08:20 PM
Hello everyone,
Please consider the following example:
Radius-server------Router port2-----port2-SW-port1---work station
Above, we have:
SW with dot1x enabled on port1. This will ensure only an authorized workstation can connect to the network.
But if someone just takes the cable on port2 on SW and attaches a rogue workstation, then it can gain access to the network, i.e.:
Radius-server------Router port2------ Rogue work station.
Can we do the following to overcome this?
1) We install CA certs on SW.
2) We enable dot1x on router port2.
3) When SW is connected to port2 on the router, it will be subject to machine authentication using dot1x. Therefore, if any rogue device is connected to port2 on the router, it will be denied access.
The only thing I am thinking is that dot1x is supposed to be deployed at the access layer.
Any thoughts?
Thanks and have a good day!!
Accepted Solutions
12-05-2020 11:33 PM
You can configure a dot1x supplicant to authenticate with the RADIUS server on port#2.
However, the standard design always assumes that uplinks and network equipment are well secured and can't be physically accessed. Also, if the link on port#2 is broken, in general you will have bigger problems than a workstation. In most cases it will cause a complete outage to the site (users, phones, wireless, servers, etc.). It might even break the connectivity to the RADIUS server.
The point I am trying to make is that dot1x is mainly made for access layers rather than core/distribution layers. Your scenario is technically possible, but not practical, and it can't go unnoticed.
***** please remember to rate useful posts
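The supplicant-on-the-uplink design asked about in the question and confirmed in the answer above, written out as an added Cisco IOS configuration example that is not part of the original thread. Hostnames, interface numbers, the RADIUS address 10.0.0.5, the shared secret, the trustpoint name and the supplicant identity are all assumptions; the authenticator side is shown with switch-port commands, since that is where IOS 802.1X authenticator support is most common, and the certificate-based EAP profile syntax is assumed for IOS 15.x / IOS XE releases that support a certificate supplicant.

```cisco
! ---------------------------------------------------------------------------
! Upstream device ("Router port2" in the diagram) as 802.1X AUTHENTICATOR
! Assumed: interface GigabitEthernet0/2 faces SW; RADIUS server is 10.0.0.5
! ---------------------------------------------------------------------------
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius server RADIUS-1
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
!
dot1x system-auth-control
! CISP lets the authenticator turn the port into a trunk once SW authenticates
! (the RADIUS server must return the Cisco AV pair device-traffic-class=switch)
cisp enable
!
interface GigabitEthernet0/2
 description Uplink to SW - SW must authenticate before traffic passes
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
! Decide the failure mode up front: if RADIUS is reachable only through this
! port, a lost authentication cuts the whole site off. "authorize" keeps the
! port open while the server is dead, at the cost of the control you wanted.
 authentication event server dead action authorize
!
! ---------------------------------------------------------------------------
! Access switch SW as 802.1X SUPPLICANT on its uplink (port2)
! ---------------------------------------------------------------------------
cisp enable
!
! Step 1 of the question: the CA chain and SW's own certificate live in a
! trustpoint (assumed name SW-EAP-TLS; enrol via the terminal or SCEP)
crypto pki trustpoint SW-EAP-TLS
 enrollment terminal
 revocation-check none
!
! Certificate-based EAP for the supplicant (assumed syntax, see lead-in)
eap profile SW-TLS
 method tls
 pki-trustpoint SW-EAP-TLS
!
dot1x credentials SW-UPLINK
 username sw1.example.local
 pki-trustpoint SW-EAP-TLS
!
interface GigabitEthernet0/2
 description Uplink to RTR - SW presents its certificate here
 dot1x pae supplicant
 dot1x credentials SW-UPLINK
 dot1x supplicant eap profile SW-TLS
!
! Workstation port, unchanged from the question, shown for context
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
```

Check the result from both ends: `show dot1x interface GigabitEthernet0/2 details` on SW shows the supplicant state, and `show authentication sessions interface GigabitEthernet0/2` on the upstream device shows whether SW's session is authorized. The `server dead action authorize` line is the trade-off the answer above warns about: without it, a RADIUS outage behind port#2 takes the site down; with it, a rogue device plugged in during that outage is admitted.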
12-06-2020 04:33 AM
802.1x is L2 security; you need L3 security to protect the router, and that can be achieved via an ACL.
Configure the ACL in a way that even if the rogue bypasses L2, it will fail to pass L3.
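One way to put the L3 control suggested above on the router port, as an added Cisco IOS example that is not part of the original thread. The addressing (router LAN interface GigabitEthernet0/2 as 10.10.0.1/24, workstations in 10.10.0.0/24, management station 10.20.0.10) and the ACL names are assumptions.

```cisco
! Added example; all addresses and names are assumed
ip access-list extended LAN-IN
 remark --- traffic addressed TO the router itself: only what the LAN needs ---
 permit udp any eq bootpc any eq bootps
 permit icmp 10.10.0.0 0.0.0.255 host 10.10.0.1 echo
 deny   ip any host 10.10.0.1 log
 remark --- transit traffic: only the LAN's own prefix may be forwarded ---
 permit ip 10.10.0.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/2
 ip address 10.10.0.1 255.255.255.0
 ip access-group LAN-IN in
!
! Management plane: the CLI is reachable only from the management station,
! so a rogue host cannot reach it even from inside the LAN prefix
ip access-list standard MGMT-ONLY
 permit host 10.20.0.10
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
```

The DHCP line is there because an inbound interface ACL also filters packets destined to the router, which would otherwise break DHCP relay or a local DHCP server. Note the limit of this control: the ACL stops a rogue host from reaching the router's own address, the CLI, and any destination outside the LAN prefix, but a rogue that simply assigns itself an address in 10.10.0.0/24 matches the transit permit like any workstation. The ACL narrows what a rogue on port2 can do; it does not replace authenticating the uplink or physically securing it.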
