Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3065
Views
0
Helpful
1
Replies

Internet connection sharing and 802.1x bypassing.

tdrais
Level 7
Level 7

‎07-18-2007 10:35 AM - edited ‎03-03-2019 05:56 PM

We have a need to secure the ports on a switch. This is in a mostly uncontrolled location but the switch itself is secure.

First we thought to use simple mac locking but a consumer router can bypass that out of the box. We also looked into a layer 3 challenge method but it is also trivial to configure a consumer router to send the authentication traffic to a single machine but still allow other machines to share the connection.

So I figured that 802.1x should solve this because it is layer 2 and routers don't do 802.1x clients and the ones that do don't support the more advanced authentications.

Wasn't long after this that I was helping someone setup a internet connection that was using a windows machine as the router to share the connection between multiple machines. This is trivial to setup on a dual nic machine using microsoft internet connection sharing. Looking at the options it does not appear microsoft in anyway restricts traffic from sharing a 802.1x authenticated port. I still have to test this but it appears to defeat my ability to control which machines are attached to the switch.

So any ideas what to try next. We can always go back to VPN solutions but those are such a pain to support in particular when the machine contains another vendors vpn client.

Labels:
0 Helpful
1 Reply 1

stephen.stack
Level 4
Level 4

‎07-18-2007 12:06 PM

Hi,

I think dot1x is a good way to go. You can auth many mac's on a single port. Cisco dot1x mac-auth-bypass command in conjunction with dot1x multiple-hosts should allow to authorise based on layer 2. All the info you need is here...

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/dot1x.html#wp1225342

Also see my earlier post for more info...

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddf269f

I hope this falls into what you are looking to do. You will need some sort of RADIUS server of course.

HTH

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
0 Helpful
Customers Also Viewed These Support Documents