Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1441
Views
0
Helpful
4
Replies

Dot.1x Authorization Port

siemenseg
Level 1
Level 1

‎06-08-2009 01:46 AM - edited ‎03-10-2019 04:31 PM

I am configuring all switches port dot1.x ports but i am using IAS server as AAA server and the authentication method machine certficate .

The problem is when one of Joined machine connected to switch port and after authorization if i unplug the network cable the port still authorized !! i mean if i put pc not join its connected .

below the interface config :

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x violation-mode protect

dot1x timeout quiet-period 30

dot1x timeout tx-period 10

dot1x timeout supp-timeout 60

dot1x max-req 5

dot1x reauthentication

dot1x guest-vlan 30

Labels:
0 Helpful
4 Replies 4

sbilgi
Level 5
Level 5

‎06-12-2009 12:04 PM

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state. When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html#wp1033555

0 Helpful

esdouglas
Level 1
Level 1

‎06-17-2009 08:00 PM

Exactly what kind of security restriction are you trying to accomplish? I'm not sure what version of IOS you are using, but there are better options with later version. such as "multi-auth", which requires every PC that connects to that port to authenticate.

Using "multi-host" mode for dot1x authentication on all ports puts a big hole in any security you try to enforce.

0 Helpful

jms112080
Level 1
Level 1
In response to esdouglas

‎06-23-2009 08:37 AM

I'm testing the Dot1x multi-auth feature of the lastest IOS for the 3750. It works perfectly for two machines that are authorized. Is it possible for the switch allow traffic from an authorized host and deny traffic from a machine that does pass authentication? So far it seems to drop all traffic on the port, as soon as the unathorized machine is connected.

0 Helpful

esdouglas
Level 1
Level 1
In response to jms112080

‎06-23-2009 06:54 PM

If you are using the latests code (12.2.50) using the "authentication host-mode multi-auth" and the "authentication violation protect" commands should do the trick according to Cisco's 3750 documentation. Which also states a limit of 8 (authenticated) hosts.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/command/reference/cli1.html#wp10755487

Hope this helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents