Internet connection sharing and 802.1x bypassing.

Unanswered Question
Jul 18th, 2007

We have a need to secure the ports on a switch. This is in a mostly uncontrolled location, but the switch itself is secure.

First we thought to use simple MAC locking, but a consumer router can bypass that out of the box. We also looked into a layer 3 challenge method, but it is also trivial to configure a consumer router to send the authentication traffic to a single machine while still allowing other machines to share the connection.

So I figured that 802.1x should solve this because it is layer 2 and routers don't do 802.1x clients, and the ones that do don't support the more advanced authentication methods.

It wasn't long after this that I was helping someone set up an internet connection that was using a Windows machine as the router to share the connection between multiple machines. This is trivial to set up on a dual-NIC machine using Microsoft Internet Connection Sharing. Looking at the options, it does not appear that Microsoft in any way restricts traffic from sharing an 802.1x-authenticated port. I still have to test this, but it appears to defeat my ability to control which machines are attached to the switch.

So, any ideas what to try next? We can always go back to VPN solutions, but those are such a pain to support, in particular when the machine contains another vendor's VPN client.

stephen.stack Wed, 07/18/2007 - 12:06

Hi,

I think dot1x is a good way to go. You can auth many MACs on a single port. The Cisco dot1x mac-auth-bypass command in conjunction with dot1x multiple-hosts should allow you to authorise based on layer 2. All the info you need is here...

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/dot1x.html#wp1225342

Also see my earlier post for more info...

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddf269f

I hope this falls into what you are looking to do. You will need some sort of RADIUS server of course.

HTH

Stephen
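For readers who want to see what the reply above amounts to in a switch configuration, the following is an added IOS configuration sketch and is not from the original post or the linked Cisco guide. It assumes a Catalyst running 12.2(31)SG-era syntax (the `dot1x host-mode` and `dot1x mac-auth-bypass` keywords; older releases used `dot1x multiple-hosts` for the same host-mode setting), a RADIUS server at the placeholder address 192.0.2.10 with the placeholder shared secret `SecretKey`, and interface GigabitEthernet1/1 as the port being secured. All three are assumptions chosen for the example.

```text
! Enable AAA and point dot1x authentication (and MAB, which is
! authorised through the same RADIUS path) at the RADIUS server.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SecretKey
!
! Turn the authenticator on globally; without this the per-port
! dot1x commands have no effect.
dot1x system-auth-control
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 ! Port stays closed until a supplicant (or a MAB lookup) succeeds.
 dot1x port-control auto
 ! Fall back to MAC Authentication Bypass for devices that have no
 ! 802.1X supplicant: the switch sends the client MAC to RADIUS as
 ! username/password after the EAP-Request/Identity retries time out.
 dot1x mac-auth-bypass
 ! Shorten the wait before MAB kicks in (default tx-period is 30 s,
 ! max-reauth-req is 2, giving roughly 90 s before fallback).
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! multi-host: the first successful host opens the port and any further
 ! MAC addresses are then allowed without their own authentication.
 dot1x host-mode multi-host
!
```

One caveat worth weighing against the original question: `multi-host` authenticates only the first MAC on the port and then admits everything behind it, which is exactly the "one authenticated machine shares the link" behaviour the question wanted to stop. The default `single-host` mode limits the port to one MAC, but a NAT router or Windows Internet Connection Sharing host presents only its own MAC upstream, so from the switch's point of view it is a single, legitimately authenticated station either way. Port-level 802.1X or MAB therefore cannot, on its own, distinguish one PC from a router with several PCs behind it; MAB in particular only checks that the MAC is on an allow list, which a router can clone.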
