Port security question

Unanswered Question
Dec 1st, 2007

All, I know this should be in the security forum, but I'm not having much luck understanding this at the moment. Can you guys please help me understand one thing in particular:

I'm trying to find out how to use Dot1x port authentication. What I'm trying to do is boot a clientless system into a guest VLAN OR, if it's a regular PC, allow it into a native VLAN. I'm trying to understand "port authentication". Below is a paragraph from "Deploying 802.1x-Based Port Authentication on the Cisco ECT Solution". A little different scenario but the same goal in mind. See the paragraph below, and my question below it please:

PARAGRAPH READS:

"When a new IP host is connected to the switch port, the router initiates the communication using Extensible Authentication Protocol over LAN (EAPoL). The supplicant running on the device will respond to it. Then the router proceeds with further authentication. If there is no response from the device it is considered as a clientless device. Once the router gathers the credentials from the device, it is forwarded to the RADIUS server for authentication. If the credentials are valid, the port becomes enabled and gets attached to the trusted VLAN. If the credentials are invalid, the port is shut."

QUESTION:

From this sentence: "Then the router proceeds with further authentication.", what IS the authentication? What credentials are being sent from the client? Windows login? MAC address? I don't know.

QUESTION 2:

From this sentence: "If the credentials are valid, the port becomes enabled and gets attached to the trusted VLAN."

Again, what credentials? I don't think it's Windows authentication, but I have no idea what the client is sending.

ANY help would be appreciated. Thanks.

mikedurbin Sat, 12/01/2007 - 22:45

Also, if anyone has deployed this solution before, would you be so kind as to post a sample config or an existing config of the switch and what you may have done in ACS? Thanks.

xounmalina Sun, 12/02/2007 - 01:28

Hi Mike,

EAP is a framework actually, not a particular authentication mechanism. You can use different method types for that. There are a few known ones, from MD5 Challenge to digital certs, etc. So what you implement is what is sent/received.

More info/examples:

http://standards.ieee.org/getieee802/download/802.1X-2001.pdf

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a6b.html

regards

malina
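To tie the quoted Cisco paragraph (clientless host goes to the guest VLAN, valid credentials go to the trusted VLAN, invalid ones keep the port shut) to malina's point that EAP is only a framework and the real credential lives inside the chosen EAP method, here is an added model of the switch-side decision flow. It is not code from the original thread or from Cisco; it uses EAP-MD5 as the example method, and the VLAN numbers, user database and challenge bytes are constructed for the example.

```python
import hashlib

# EAP packet codes and method types (RFC 3748). EAP-MD5 is CHAP-style (RFC 1994).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5 = 1, 4
GUEST_VLAN, TRUSTED_VLAN = 20, 10        # constructed VLAN numbers for this example

# Constructed user database standing in for the RADIUS server (ACS).
RADIUS_USERS = {"alice": "s3cret"}

def md5_response(eap_id, password, challenge):
    # The credential that actually crosses the wire for EAP-MD5:
    # MD5(EAP identifier || password || challenge), never the password itself.
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).digest()

def radius_check(identity, eap_id, challenge, response):
    """RADIUS Access-Request decision. On Access-Accept the server also returns
    the VLAN it wants the port in (Tunnel-Private-Group-ID, constructed value)."""
    pw = RADIUS_USERS.get(identity)
    if pw is not None and md5_response(eap_id, pw, challenge) == response:
        return {"code": "Access-Accept", "vlan": TRUSTED_VLAN}
    return {"code": "Access-Reject"}

class Supplicant:
    """The 802.1X client on the host. A clientless device has no supplicant."""
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
    def handle(self, eap_id, eap_type, payload):
        if eap_type == EAP_IDENTITY:
            return (EAP_RESPONSE, EAP_IDENTITY, self.identity.encode())
        if eap_type == EAP_MD5:
            return (EAP_RESPONSE, EAP_MD5, md5_response(eap_id, self.password, payload))
        return None

def authenticate_port(supplicant, challenge=b"\x01\x02\x03\x04"):
    """Authenticator (switch) side. Returns the final EAP code sent to the host
    (None if nobody ever answered) and the VLAN the port ends up in (None = held shut)."""
    # Step 1: EAP-Request/Identity goes out; a clientless host never replies,
    # so after the retries time out the port falls into the guest VLAN.
    if supplicant is None:
        return {"eap": None, "vlan": GUEST_VLAN}
    _, _, identity = supplicant.handle(1, EAP_IDENTITY, b"")
    # Step 2: the negotiated EAP method (EAP-MD5 here) carries the real credential,
    # which the switch relays to RADIUS inside an Access-Request.
    _, _, response = supplicant.handle(2, EAP_MD5, challenge)
    verdict = radius_check(identity.decode(), 2, challenge, response)
    if verdict["code"] == "Access-Accept":
        return {"eap": EAP_SUCCESS, "vlan": verdict["vlan"]}
    return {"eap": EAP_FAILURE, "vlan": None}
```

Swapping EAP-MD5 for EAP-TLS or PEAP changes only what `Supplicant.handle` and `radius_check` exchange in step 2; the identity request, the RADIUS relay and the VLAN outcome stay the same.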
