1759 Views | 0 Helpful | 6 Replies

dot1x bypass

Joris Deprouw
Level 1

Hi all,

I am working on a dot1x setup.

We would like to authenticate devices through dot1x.

I have configured the config below on an access port. Reauthentication on the RADIUS server is set to 60 min.

interface FastEthernet1/1
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 5
 spanning-tree portfast

What happens if someone disconnects port Fa1/1, connects a hub to this port and reconnects the device to the hub? I suppose the device will re-authenticate without problem. Maybe we'll see a port-down error in the log.

Now imagine the following scenario.

Someone connects an illegal PC to the hub and sniffs the traffic. He disconnects the device and spoofs its MAC address on his illegal PC. Will this PC have access to the network until the reauthentication timer expires? Why not?

Is there a possibility to prevent this? (Lowering the reauthentication timer will probably create more traffic flow.)

Port-security maximum 1, if this is configurable on a dot1x port?

Anyone ideas?


Thanks,


Best Regards,


Joris


6 Replies

Antonio Knox
Level 7

Port security is the solution.

This is one of the issues with 802.1x that is a problem.  Once a port is authenticated using 802.1x then the port is available for use.  Assuming the hub was connected prior to auth, then another could connect to the switch after auth and communicate on the network.  The only multi-authentication mechanism with Cisco's implementation of 802.1x is an IP Phone based solution.

Port security is the stop-gap solution for the vulnerability in port authentication behavior.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/sw8021x.html#wp1194824


Joris Deprouw
Level 1

Hi Antonio,

What do we do when we do not have a Nexus setup?

If I'm informed correctly, a security port cannot be a dot1x port. Can we configure dot1x and port security in a 3750 or 4500 environment?

Thanks,

Joris

Same concept applies.  I've updated the link above to one for a 3750.  Refresh and try it again.

Please rate helpful posts.
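As an added example (not from this thread and not from the Cisco document linked above), here is Joris's interface configuration extended with port security on a Catalyst IOS access switch such as the 3750 the reply refers to. The "maximum 1", "single-host" and aging values are assumptions chosen for the hub scenario in the question, and whether 802.1X and port security can be combined on a given port depends on the IOS release running on the switch.

```cisco
! Added example: the original port config plus port security.
! Assumes a Catalyst IOS access switch (e.g. 3750) whose release
! supports 802.1X and port security on the same interface.
interface FastEthernet1/1
 switchport access vlan 10
 switchport mode access
 ! Only one MAC address may be learned on the port. A second MAC
 ! (an extra PC behind a hub) is dropped and logged instead of
 ! riding on the already authenticated session.
 switchport port-security
 switchport port-security maximum 1
 ! "restrict" drops the offending frames and raises a syslog/SNMP
 ! notification; "shutdown" would err-disable the port instead.
 switchport port-security violation restrict
 ! Age the secure MAC out after 2 minutes of inactivity so a
 ! legitimate device move does not need a manual clear.
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ! Tie the authenticated session to a single host on the port.
 authentication host-mode single-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 5
 spanning-tree portfast
!
! Verification from exec mode: the secure MAC, the violation count
! and the authenticated session should all point at the same host.
! show port-security interface FastEthernet1/1
! show port-security address
! show authentication sessions interface FastEthernet1/1
```

Port security counts MAC addresses, so this catches a second PC on the hub but not the spoofed-MAC or passive-listener cases the thread goes on to discuss; for those, the "restrict" violation syslog and unexpected link-down events on a port that should never flap are the signals worth alerting on.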

Thanks Antonio,

Is there a possibility that the illegally connected PC does not generate traffic and does not trigger port security?

e.g. professional hacking programs...

Thanks,

Joris

Yes, this is a possibility.

The vulnerability that is mitigated by port security still leaves a vulnerability due to the nature of its function.  Port security works to protect by using MAC addresses that it detects attempting to communicate.  With that said, if a port is connected to a switch with a configured SPAN port (or even a connected TAP), this traffic sniffing would go undetected because the attacker listens but doesn't actively speak or communicate out.

It's not by any stretch perfect, but it's a good deterrent.

Please rate helpful posts.

Joris Deprouw
Level 1

Thanks Antonio.
