06-25-2008 04:35 AM - edited 03-05-2019 11:48 PM
I find a configuration of something called reauthentication, why we use the reauthentication after a successful authentication? What's the use of it? Is it a method to achive some real-time authentication?
06-25-2008 05:25 AM
Potentially a user could introduce a Hub or other switch to the port and only authenticate once and then leave the hub connected as a free-for-all. Unless you apply other security features such as Port Security then it opens a bit of a hole.
802.1x is a port security mechanism to authenticate the user/machine that is connected to a physical port; re-authentication forces the client to validate who it is when the reauthentication timer expires.
HTH
Andy
06-25-2008 07:03 AM
Thank you for the answer, so can I say that frequent reauthentication gives higher security?
06-25-2008 07:11 AM
Sort of... Ideally you need to deploy Port Security along with 802.1x and restrict the number of MAC addresses to 1 on each access port. This will prevent anyone connecting a hub or switch and then performing 802.1x authentication with one machine and then disconnecting it and connecting another machine to the hub.
HTH
Andy
06-25-2008 07:20 AM
Thank you very much.
06-25-2008 08:36 AM
What if there are more devices connected to that port like there is another switch or hub?
Cisco has the command
(config-if)#dot1x host-mode multi-host
I don't understand what it does.
When the first user authenticates, doesn't he authenticate the port for all other users connected to that port?
How could this problem be solved using 802.1x and EAPOL?
Thanks
06-25-2008 05:38 PM
802.1X is a port control protocol; the port can be physical or logical. It doesn't authenticate the port, it authenticates the users through the ports, asking for identity and a challenge response from every client that tries to connect.
06-25-2008 11:33 PM
Ok, it authenticates the user through the port. If it uses MD5 Challenges there is no possibility to identify the users behind the port. This means that it is the same for the switch whether there is one user or 100 users.
The first user comes, enters the right password and the switch opens the port. The second user doesn't need to auth anymore just to transmit cause the port is already opened.
Do I miss something?
06-26-2008 01:19 AM
Port has two meanings, a physical one and a logical one.
The physical ports are the holes in the machine; they are always the same, never closed until the power is off or some special management action is taken, and one physical port may have 100 users behind it. And for every user there are two logical ports, the controlled port and the uncontrolled port. Authentication data pass through the uncontrolled port while the service data pass through the controlled one. The uncontrolled ports are always open, but only a successful authentication can unlock the controlled port. Maybe 100 users share the same physical port, but every one of them has their own two controlled/uncontrolled ports logically, and these two are controlled by 802.1X.
06-26-2008 01:29 AM
Ok, thank you for the clarification.
But how can a switch differentiate between users behind a port? They are just sending frames to the port.
The switch must function something like this: this frame is from an authenticated user and I let it through, this one is from an unauthenticated user and I filter it and so on.
If they auth using user+password I think they could not be differentiated.
06-26-2008 06:21 AM
The switch doesn't differentiate between users; the AS differentiates them using EAP methods, which belong to the application level, and the AS tells the switch which user's service packets can pass through. The switch can distinguish them from the EAPOL head, which contains user information. If you use a strong security method like EAP-TLS, every authenticated user shares a distinguished session key with the AS; the key is delivered during authentication, and the user uses the right key to encrypt messages, which makes them also distinguished from others.
Sorry for my poor English, hope it's helpful.
06-26-2008 07:21 AM
Sorry, I made a mistake: not the EAPOL head, but the MAC frame head.
06-27-2008 12:15 AM
Thank you for the clarification.
Let me know if I understood the process: if the switch differentiates the users from the MAC header, the source MAC address is the only way it could differentiate between users behind a port. If this is true we can face a MAC spoof attack here. Right?
06-27-2008 05:25 AM
Yes, for example, the replay attack and man-in-the-middle attack are based on forged frames.
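The host-mode and reauthentication behaviour discussed above, as an added toy model in Python (not Cisco's code and not from any post in this thread): one physical port, a logical controlled port per source MAC, a reauthentication timer, and the difference between single-host and multi-host mode. The MAC addresses, the password store standing in for the AS, and the clock values are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Dot1xPort:
    """Toy authenticator port: one physical port, a logical controlled port per MAC."""
    host_mode: str                 # "single-host" or "multi-host" (Cisco's terms from the thread)
    reauth_period: int             # seconds until the client must re-authenticate
    authorized: dict = field(default_factory=dict)   # src MAC -> time its authorization lapses

    def _expire(self, now):
        # Reauthentication timer: a lapsed entry closes that client's controlled port
        # again until it answers a fresh EAP identity/challenge exchange.
        for mac, until in list(self.authorized.items()):
            if now >= until:
                del self.authorized[mac]

    def authenticate(self, mac, password, now, creds):
        """EAPOL always crosses the uncontrolled port; a valid answer unlocks the controlled one."""
        self._expire(now)
        if creds.get(mac) != password:
            return False
        if self.host_mode == "single-host" and self.authorized and mac not in self.authorized:
            return False               # second supplicant on a single-host port: security violation
        self.authorized[mac] = now + self.reauth_period
        return True

    def forward(self, src_mac, now):
        """Is a service (non-EAPOL) frame from src_mac forwarded through the controlled port?"""
        self._expire(now)
        if not self.authorized:
            return False
        if self.host_mode == "multi-host":
            return True                # one authenticated host opens the port for every MAC behind it
        return src_mac in self.authorized   # per-MAC filtering: only the frame's source MAC is checked


def demo():
    creds = {"aa:aa:aa:aa:aa:01": "hunter2"}   # constructed supplicant credential store (the AS)
    pc, other = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    multi = Dot1xPort("multi-host", reauth_period=60)
    single = Dot1xPort("single-host", reauth_period=60)
    assert multi.authenticate(pc, "hunter2", now=0, creds=creds)
    assert single.authenticate(pc, "hunter2", now=0, creds=creds)
    return {
        "multi_host_unauthenticated_mac": multi.forward(other, now=10),     # True: the hub problem
        "single_host_unauthenticated_mac": single.forward(other, now=10),   # False
        "single_host_after_timer": single.forward(pc, now=60),             # False until re-auth
        "single_host_reauthenticated": single.authenticate(pc, "hunter2", now=61, creds=creds) and single.forward(pc, now=62),
    }
```

The multi-host result is the hub scenario Andy described: after the first supplicant authenticates, the model forwards frames from any source MAC until the timer lapses, which is why reauthentication alone does not close the gap and a per-MAC (single-host) policy is needed.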
06-26-2008 12:46 AM
Hi Andy,
I have to disagree with you. Simply, port-security cannot be used with 802.1x.
If you try to enable 802.1X on a secure port, an error message will appear, and 802.1X is not enabled.