802.1x, Single-Host, vmWare/Virtual Machine Question

rvaguilera
Level 1

Currently testing/piloting 802.1x on Catalyst 4506 and 2950 switches.

When setting a port for 802.1x and only to authenticate Single-Host, I notice that guest virtual machines (vmWare) running on a host machine are still able to pass traffic when the guest virtual machine is configured as a NAT-machine.

If the guest virtual machine is configured as a BRIDGED machine, which is usually default and the most common way people use virtual machines to participate on the network, then traffic is not passed. Only the host machine can pass traffic, which is the desired behavior.

But this still does not remedy the situation in which someone has configured a virtual machine in NAT-mode, basically sharing the IP address of the host machine, "sitting behind the host machine". Like a router, or Internet Connection Sharing (I wonder if the same behavior would occur?).

Another thought, though...802.1x is working on layer 2 so why is this even an issue? The virtual machines do indeed have their own MAC addresses, so why is 802.1x failing and still allowing traffic to be passed on a port configured only for Single-Host?

Doesn't this pose a security risk for those trying to use 802.1x for network access management?

5 Replies

jafrazie
Cisco Employee

By default, 802.1x is enforced on a port via the MAC address that got authenticated. In other words, if another MAC shows up on a port, it won't work. If another MAC doesn't show up on the port, it works.

Does this help?

Okay, so why in the situation where I have a vmWare virtual machine (guest) running on my physical (host) and configured where the virtual machine (guest) is being NATed through my physical (host) machine, the virtual machine is still able to pass traffic through the authenticated port?

The virtual machine has its own "virtual" MAC address, the port should see this and not allow traffic from this machine to pass, correct?

Or is it different since the traffic is being routed via NAT?

jafrazie
Cisco Employee

Without 802.1x, how many MAC Addresses appear on the wire to the switch port?

without 802.1x only one MAC address appears when the virtual machine is in NAT mode.

when the virtual machine is configured in BRIDGED mode, 2 MAC addresses appear on the port.

so in general, does this mean when a NAT device is connected to a layer 2 switch port, only 1 MAC address, the address of the NAT device appears in the MAC table?

even if there are multiple machines/devices behind the NAT device?

jafrazie
Cisco Employee

sho mac-address-table interface

sho cam dyn/stat
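The check the last reply points at, as an added example that is not part of the thread: parse `show mac-address-table` output and list ports that have learned more than one dynamic MAC, which is what a bridged guest produces. The sample output below is constructed in the Catalyst 2950 IOS layout, not a capture from either poster; as the thread establishes, a NAT'd guest never shows up in this report because its frames leave the host with the host's MAC.

```python
import re
from collections import defaultdict

# Constructed sample modelled on Catalyst 2950 "show mac-address-table" output
# (not a capture from the thread). Fa0/1 has two learned MACs, as a bridged
# guest would produce; Fa0/2 has one, which is all a NAT'd guest ever shows.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/1
  10    000c.29aa.bbcc    DYNAMIC     Fa0/2
  20    0011.2233.7788    STATIC      Fa0/3
"""

# One table row: vlan, dotted-hex MAC, entry type, port name.
MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples for each data row in IOS MAC table output."""
    entries = []
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(), m["type"].upper(), m["port"]))
    return entries


def macs_per_port(entries, dynamic_only=True):
    """Map each port to the sorted list of MACs learned on it (dynamic entries by default)."""
    seen = defaultdict(set)
    for _vlan, mac, typ, port in entries:
        if dynamic_only and typ != "DYNAMIC":
            continue
        seen[port].add(mac)
    return {port: sorted(macs) for port, macs in seen.items()}


def multi_mac_ports(entries):
    """Ports with more than one learned MAC: a bridged guest, hub or unmanaged switch.
    Hosts NATing a guest are invisible here, since only the host MAC reaches the port."""
    return {port: macs for port, macs in macs_per_port(entries).items() if len(macs) > 1}
```

Run it against the saved output of `show mac-address-table interface <port>` for the pilot ports; a port listed by `multi_mac_ports` is one where single-host 802.1x would block the second station, while a port with a single MAC tells you nothing about what may be NATed behind that host.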