Internet connection sharing and 802.1x bypassing.

Unanswered Question
Jul 18th, 2007

We have a need to secure the ports on a switch. This is in a mostly uncontrolled location but the switch itself is secure.

First we thought to use simple MAC locking, but a consumer router can bypass that out of the box. We also looked into a layer 3 challenge method, but it is also trivial to configure a consumer router to send the authentication traffic to a single machine while still allowing other machines to share the connection.

So I figured that 802.1x should solve this because it is layer 2, routers don't do 802.1x clients, and the ones that do don't support the more advanced authentications.

It wasn't long after this that I was helping someone set up an internet connection that was using a Windows machine as the router to share the connection between multiple machines. This is trivial to set up on a dual-NIC machine using Microsoft Internet Connection Sharing. Looking at the options, it does not appear Microsoft in any way restricts traffic from sharing an 802.1x authenticated port. I still have to test this, but it appears to defeat my ability to control which machines are attached to the switch.

So, any ideas what to try next? We can always go back to VPN solutions, but those are such a pain to support, in particular when the machine contains another vendor's VPN client.

stephen.stack Wed, 07/18/2007 - 12:06

I think dot1x is a good way to go. You can auth many MACs on a single port. The Cisco dot1x mac-auth-bypass command in conjunction with dot1x multiple-hosts should allow you to authorise based on layer 2. All the info you need is here...

Also see my earlier post for more info...

I hope this falls into what you are looking to do. You will need some sort of RADIUS server of course.
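An added example, not from this thread or from Cisco's documentation, of the port configuration the reply describes (802.1X with MAC authentication bypass and multiple-hosts mode), written in the `dot1x` command syntax of that IOS generation. The RADIUS server address and key, the VLAN and the interface name are placeholders.

```cisco
! Global AAA: 802.1X and MAB decisions are made by the RADIUS server
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! 192.0.2.10 and the shared key are placeholders constructed for this example
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
dot1x system-auth-control
!
interface FastEthernet0/1
 description user-facing port in the uncontrolled area
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Port stays unauthorised until a supplicant (or MAB) succeeds
 dot1x port-control auto
 ! Devices with no supplicant are checked by MAC address against RADIUS
 dot1x mac-auth-bypass
 ! multi-host: a single successful authentication opens the port for every
 ! MAC address behind it; if re-authentication fails or an EAPOL-Logoff
 ! arrives, all attached hosts lose access together.
 dot1x host-mode multi-host
!
! Later IOS releases add multi-auth mode, which authenticates each MAC
! address seen on the port separately instead of opening the whole port:
!  authentication port-control auto
!  mab
!  authentication host-mode multi-auth
```

Neither host mode addresses the NAT case raised in the question: a machine running Internet Connection Sharing presents its own MAC and IP for everything behind it, so the switch sees one authenticated host and the NATed machines ride that session. Multi-auth only raises the bar for devices that appear on the port with their own MAC address.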