
802.1x per host authentication under one port with multi-host access by switch

Black_Rabbit
Level 1

In the situation with multi-host access to one port of Cisco 2960 Lan Lite by another simple L2 switch, is it possible that we could control per user access by authentication for each?

What happens if I connect to the switch (which already has some trusted devices) an untrusted device?

What happens if I connect to the switch (which already has some untrusted device) a trusted device?

If I use "authentication violation protect" traffic will be blocked only by an untrusted device or all devices connected via a simple L2 switch?

I read the manual, but it does not give detailed clarity on this.

Please tell me the right way.

I will be very grateful for your advice!

6 Replies

Saurav Lodh
Level 7

You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode, only one client can be connected to the 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.

In multiple-hosts mode, you can attach multiple hosts to a single 802.1x-enabled port. In this mode, only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients.

As the port goes to the unauthorized state / down if an untrusted client is connected, it completely depends on the violation method you configure there. If a trusted client is connected later on, it depends on the port violation method whether trusted MACs are granted a connection.

Julio Carvajal
VIP Alumni

Hello,

In the situation with multi-host access to one port of Cisco 2960 Lan Lite by another simple L2 switch, is it possible that we could control per user access by authentication for each?

Yes, that's why multi-host mode exists.

What happens if I connect to the switch (which already has some trusted devices) an untrusted device?

If it's on single host the port will go into error-disabled, as the violation of just one client per port has been triggered.

What happens if I connect to the switch (which already has some untrusted device) a trusted device?

Same thing as before if in single-host mode.

If I use "authentication violation protect" traffic will be blocked only by an untrusted device or all devices connected via a simple L2 switch?

Only for the unknown client MAC address; the trusted devices will be able to communicate.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
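The host-mode and violation-action behaviour described in the two answers above, as an added configuration example that is not from this thread or from Cisco's documentation; the interface, VLAN, RADIUS address and key are placeholders, and it assumes an IOS image that supports the "authentication" command set (LAN Lite images may not support every feature shown, so verify on the target platform). It also goes beyond the thread by naming multi-auth as the mode that authenticates each downstream MAC separately.

```cisco
! Added example (not from the thread): 802.1X authenticator port on a Catalyst
! access switch facing a downstream unmanaged L2 switch. Interface name, VLAN,
! RADIUS server address and key are placeholders. Assumes an IOS release that
! supports the "authentication ..." command set; check LAN Lite feature support.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
interface GigabitEthernet0/1
 description Uplink to unmanaged L2 switch
 switchport mode access
 switchport access vlan 10
 !
 ! multi-host: the first client to pass 802.1X opens the port for every MAC
 ! behind it; if that session ends or re-auth fails, all of them lose access.
 authentication host-mode multi-host
 !
 ! Beyond the thread: multi-auth authenticates each downstream MAC on its own,
 ! so an unknown device never gains access on the back of a trusted one.
 ! authentication host-mode multi-auth
 !
 ! protect: silently drop frames from a MAC that violates the host-mode limit
 ! and leave already authenticated hosts untouched; restrict does the same but
 ! also raises a syslog; shutdown err-disables the whole port (every host
 ! behind the downstream switch goes down).
 authentication violation protect
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Verification (exec mode): which MACs are authenticated on the port, and the
! active host mode and violation counters.
! show authentication sessions interface GigabitEthernet0/1
! show dot1x interface GigabitEthernet0/1 details
```

With multi-host, the "show authentication sessions" output lists only the one authenticated session that opened the port, which is the quickest way to confirm why every device behind the downstream switch is passing traffic.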

aqjaved
Level 3

The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

For the complete configuration, please check the link below:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html

Black_Rabbit
Level 1

Thank you guys!

These are very useful answers.

All the best.

Hello Mikhail,

Our pleasure to help

Please mark the question as answered so future users can learn from our discussion

Cheers,

Julio Carvajal Segura

jan.nielsen
Level 7

You should probably check with your Cisco SE, as I'm not 100% sure that this limitation still exists, but there are a lot of dot1x related features that are not supported in the lan-lite edition of the 2960, including dACL support for dot1x.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/prod_presentation_c97-494780.pdf
