06-08-2009 01:46 AM - edited 03-10-2019 04:31 PM
I am configuring all switches port dot1.x ports but i am using IAS server as AAA server and the authentication method machine certficate .
The problem is when one of Joined machine connected to switch port and after authorization if i unplug the network cable the port still authorized !! i mean if i put pc not join its connected .
below the interface config :
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x violation-mode protect
dot1x timeout quiet-period 30
dot1x timeout tx-period 10
dot1x timeout supp-timeout 60
dot1x max-req 5
dot1x reauthentication
dot1x guest-vlan 30
06-12-2009 12:04 PM
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state. When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.
06-17-2009 08:00 PM
Exactly what kind of security restriction are you trying to accomplish? I'm not sure what version of IOS you are using, but there are better options with later version. such as "multi-auth", which requires every PC that connects to that port to authenticate.
Using "multi-host" mode for dot1x authentication on all ports puts a big hole in any security you try to enforce.
06-23-2009 08:37 AM
I'm testing the Dot1x multi-auth feature of the lastest IOS for the 3750. It works perfectly for two machines that are authorized. Is it possible for the switch allow traffic from an authorized host and deny traffic from a machine that does pass authentication? So far it seems to drop all traffic on the port, as soon as the unathorized machine is connected.
06-23-2009 06:54 PM
If you are using the latests code (12.2.50) using the "authentication host-mode multi-auth" and the "authentication violation protect" commands should do the trick according to Cisco's 3750 documentation. Which also states a limit of 8 (authenticated) hosts.
Hope this helps.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: