Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
769
Views
0
Helpful
2
Replies

802.1x switches as intermediaries

Go to solution
dianakbrown
Level 1
Level 1

‎11-17-2006 06:26 AM - edited ‎03-09-2019 04:54 PM

While viewing the documentation for configuring 802.1x on Cat Series switches; there is a statement to the effect that certain switches (Cat 2940 through Cat 3750) can be used as intermediaries. What does this really mean? Is this the edge switch itself as the intermediary between the client and the authentication server?Does it mean if I am using the Cat 4506, THEN I can use the intermediary switch between the 4506 and the client to "pass-through" the 802.1x request to the 4506? Surely this means that the intermediary switches cannot be used as the edge switch on their own?

I am assuming from the documentation that whatever switch is being used as the edge switch is the intermediary between the client and the authentication server.

Any enlightenment will be appreciated.

Diana

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
a.kiprawih
Level 7
Level 7

‎11-18-2006 08:51 PM

Q: Is this the edge switch itself as the intermediary between the client and the authentication server?

A: Yes

Q: Does it mean if I am using the Cat 4506, THEN I can use the intermediary switch between the 4506 and the client to "pass-through" the 802.1x request to the 4506?

A: Not necessarily. You can directly use Cat4500 as intermediary.

Q: Surely this means that the intermediary switches cannot be used as the edge switch on their own?

A: No, you can use them both as edge and intermediary.

***************************************************

For 802.1x, the intermediary devices can be Cat4000 series, Cat3550, Cat2950 or wireless AP. In other words, they are edge devices.

The intermediary here means that the device will act like a proxy or 'middle-man' between the client device requesting for access authentication (802.1x) and the authenication server, for example Cisco ACS server.

Basically, what happened is, the switch will request credential information from the client (i.e username/password), then forward the info to ACS server. ACS Server will check & verify the ID, and will respond with PASS or FAILED response to the switch. The switch, in turn, will grant or deny access to the client, based on the info/response.

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8c4.html#xtocid2

http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800ddb0d.html#1133261

For NAC Layer2 + 802.1x, devices that can act as intermediaries are Cat6500 (depend on IOS ver), Cat4500, Cat3750, Cat3560, Cat3550, Cat2960/2970/2955/2950/2940, C7600 series router, Cisco Gigabit Ethernet Switching Module (CGESM) switches.

http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_configuration_guide09186a00805764fd.html#wp1202047

Hope this helps. Pls rate useful post(s).

AK

View solution in original post

0 Helpful

Go to solution
jafrazie
Cisco Employee
Cisco Employee
In response to a.kiprawih

‎11-20-2006 11:12 AM

Right:

802.1X frames typically are not bridgeable through a switch. Technically, if something is 802.1D-compliant, then the fames cannot be forwarded, nor should they be.

802.1X as per the standard, uses a multicast MAC destination address to communicate between supplicants (client) and authenticators (switch). This multicast address is out of the BPDU range for 802.1D. The reason for this

is so that the switch is aware that it must intercept the frame for processing as 802.1x, much like STP BPDUs. All 802.1D switches must not forward BPDU range frames transparently.

So, what ends up happening is that the first L2 hop switch will not forward a 1X frame to the next switch up - nor should it.

From a protocol perspective, this is why you cannot rely on things like 802.1X to work correctly on anything but EDGE ports.

Hope this helps,

View solution in original post

0 Helpful
2 Replies 2

Go to solution
a.kiprawih
Level 7
Level 7

‎11-18-2006 08:51 PM

Q: Is this the edge switch itself as the intermediary between the client and the authentication server?

A: Yes

Q: Does it mean if I am using the Cat 4506, THEN I can use the intermediary switch between the 4506 and the client to "pass-through" the 802.1x request to the 4506?

A: Not necessarily. You can directly use Cat4500 as intermediary.

Q: Surely this means that the intermediary switches cannot be used as the edge switch on their own?

A: No, you can use them both as edge and intermediary.

***************************************************

For 802.1x, the intermediary devices can be Cat4000 series, Cat3550, Cat2950 or wireless AP. In other words, they are edge devices.

The intermediary here means that the device will act like a proxy or 'middle-man' between the client device requesting for access authentication (802.1x) and the authenication server, for example Cisco ACS server.

Basically, what happened is, the switch will request credential information from the client (i.e username/password), then forward the info to ACS server. ACS Server will check & verify the ID, and will respond with PASS or FAILED response to the switch. The switch, in turn, will grant or deny access to the client, based on the info/response.

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8c4.html#xtocid2

http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800ddb0d.html#1133261

For NAC Layer2 + 802.1x, devices that can act as intermediaries are Cat6500 (depend on IOS ver), Cat4500, Cat3750, Cat3560, Cat3550, Cat2960/2970/2955/2950/2940, C7600 series router, Cisco Gigabit Ethernet Switching Module (CGESM) switches.

http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_configuration_guide09186a00805764fd.html#wp1202047

Hope this helps. Pls rate useful post(s).

AK

0 Helpful

Go to solution
jafrazie
Cisco Employee
Cisco Employee
In response to a.kiprawih

‎11-20-2006 11:12 AM

Right:

802.1X frames typically are not bridgeable through a switch. Technically, if something is 802.1D-compliant, then the fames cannot be forwarded, nor should they be.

802.1X as per the standard, uses a multicast MAC destination address to communicate between supplicants (client) and authenticators (switch). This multicast address is out of the BPDU range for 802.1D. The reason for this

is so that the switch is aware that it must intercept the frame for processing as 802.1x, much like STP BPDUs. All 802.1D switches must not forward BPDU range frames transparently.

So, what ends up happening is that the first L2 hop switch will not forward a 1X frame to the next switch up - nor should it.

From a protocol perspective, this is why you cannot rely on things like 802.1X to work correctly on anything but EDGE ports.

Hope this helps,

0 Helpful
Customers Also Viewed These Support Documents