Migration to 802.1x for large scale Ethernet network

Unanswered Question
Apr 10th, 2007

Hi all,

I have a very large wired-only Ethernet network which I would like to migrate to 802.1x for stronger authentication of end users. The problem I have is that there are long chains of legacy swtiches which do not support 802.1x (the topology of the network is a complete tree of switches). As far as I know, 802.1x is port based.

So here is the issue:

- the replacement of all switches will take a very long time, but I would like to have all end users authenticated asap

- switches supporting .1x will initially only be located at the roots of the tree. There will still be legacy switches not supporting .1x between end users and newer switches.

- authentication of users on a port of a new switch will be shared between several end users.

Do you know if it possible to enable authentication of all users but having only enabled 802.1x in some more central locations first?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vkapoor5 Mon, 04/16/2007 - 10:53

IEEE 802.1x Authentication

These are the IEEE 802.1x authentication configuration guidelines:

?When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.

?If you try to change the mode of an IEEE 802.1x-enabled port (for example, from access to trunk), an error message appears, and the port mode is not changed.

?If the VLAN to which an IEEE 802.1x-enabled port is assigned changes, this change is transparent and does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after re-authentication.

If the VLAN to which an IEEE 802.1x port is assigned to shut down, disabled, or removed, the port becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed.

Try these links:




This Discussion