What's the use of reauthentication in 802.1X switch?

Jun 25th, 2008

I found a configuration option called reauthentication. Why do we use reauthentication after a successful authentication? What's the use of it? Is it a method to achieve some kind of real-time authentication?

andrew.butterworth Wed, 06/25/2008 - 05:25

Potentially a user could introduce a Hub or other switch to the port and only authenticate once and then leave the hub connected as a free-for-all. Unless you apply other security features such as Port Security then it opens a bit of a hole.


802.1x is a port security mechanism to authenticate the user/machine that is connected to a physical port; re-authentication forces the client to validate who it is when the reauthentication timer expires.


HTH


Andy

darkeyeonfnight Wed, 06/25/2008 - 07:03

Thank you for the answer. So can I say that frequent reauthentication gives higher security?

andrew.butterworth Wed, 06/25/2008 - 07:11

Sort of... Ideally you need to deploy Port Security along with 802.1x and restrict the number of MAC addresses to 1 on each access port. This will prevent anyone connecting a hub or switch and then performing 802.1x authentication with one machine and then disconnecting it and connecting another machine to the hub.


HTH


Andy


wizassonic Wed, 06/25/2008 - 08:36

What if there are more devices connected to that port like there is another switch or hub?


Cisco has the command

(config-if)#dot1x host-mode multi-host


I don't understand what it does.


When the first user authenticates, doesn't he authenticate the port for all other users connected to that port?


How could this problem be solved using 802.1x and EAPOL?


Thanks


darkeyeonfnight Wed, 06/25/2008 - 17:38

802.1X is a port control protocol; the port can be physical or logical. It doesn't authenticate the port, it authenticates the users through the ports, asking for the identity and a challenge response of every client trying to connect.

wizassonic Wed, 06/25/2008 - 23:33

Ok, it authenticates the user through the port. If it uses MD5 challenges there is no possibility to identify the users behind the port. This means that for the switch it is the same whether there is one user or 100 users.

The first user comes, enters the right password and the switch opens the port. The second user doesn't need to authenticate anymore, just transmit, because the port is already opened.


Am I missing something?



darkeyeonfnight Thu, 06/26/2008 - 01:19

Port has two meanings, a physical one or a logical one.

The physical ports are the holes in the machine; they are always the same and are never closed until power off or some special management, and one physical port may have 100 users behind it. For every user there are two logical ports, the controlled port and the uncontrolled port. Authentication data pass through the uncontrolled port while the service data pass through the controlled one. The uncontrolled ports are always open, but only a successful authentication can unlock the controlled port. Maybe 100 users share the same physical port, but every one of them has their own two controlled/uncontrolled ports logically, and these two are controlled by 802.1X.

wizassonic Thu, 06/26/2008 - 01:29

Ok, thank you for the clarification.


But how can a switch differentiate between users behind a port? They are just sending frames to the port.

The switch must function something like this: this frame is from an authenticated user and I let it through, this one is from an unauthenticated user and I filter it and so on.

If they auth using user+password I think they could not be differentiated.


darkeyeonfnight Thu, 06/26/2008 - 06:21

The switch doesn't differentiate between users; the AS differentiates them using EAP methods, which belong to the application layer, and the AS tells the switch which user's service packets can pass through. The switch can distinguish them from the EAPOL header, which contains user information. If a strong security method like EAP-TLS is used, every authenticated user shares a distinguished session key with the AS (the key is delivered during authentication), and the user uses the right key to encrypt messages, which makes them also distinguished from others.

Sorry for my poor English, hope it's helpful.

wizassonic Fri, 06/27/2008 - 00:15

Thank you for the clarification.

Let me know if I understood the process: if the switch differentiates the users from the MAC header, the source MAC address is the only way it could differentiate between users behind a port. If this is true we can face a MAC spoofing attack here. Right?


darkeyeonfnight Fri, 06/27/2008 - 05:25

Yes, for example, the replay attack and the man-in-the-middle attack are based on forged frames.
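An added toy model of the behaviour this exchange works out (example code, not Cisco's implementation and not from any poster): the always-open uncontrolled port for EAPOL, per-MAC controlled-port sessions, single-host versus multi-host mode, a port-security limit of one MAC, and a reauthentication timer that tears the session down when ReAuthPeriod elapses without a fresh success. All MAC addresses used with it are constructed.

```python
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E   # EAPOL always travels the always-open uncontrolled port
IPV4_ETHERTYPE = 0x0800    # ordinary service data, subject to the controlled port


@dataclass
class Frame:
    src_mac: str
    ethertype: int = IPV4_ETHERTYPE


@dataclass
class AuthenticatorPort:
    """One physical switch port acting as an 802.1X authenticator (toy model)."""
    host_mode: str = "single-host"   # "single-host" or "multi-host"
    reauth_period: int = 3600        # ReAuthPeriod in seconds (value shown in the thread)
    max_macs: int = 1                # port-security maximum; 1 blocks a hub's 2nd station
    sessions: dict = field(default_factory=dict)  # src MAC -> authorized-until time
    violations: int = 0              # would trigger port-security 'restrict'

    def authenticate(self, mac: str, now: int, accepted: bool) -> bool:
        """Result of a supplicant's EAP exchange with the authentication server."""
        if not accepted:
            self.sessions.pop(mac, None)         # failed (re)auth closes its controlled port
            return False
        if mac not in self.sessions and len(self.sessions) >= self.max_macs:
            self.violations += 1                 # a second MAC behind the port
            return False
        self.sessions[mac] = now + self.reauth_period  # (re)arm the reauth timer
        return True

    def forward(self, frame: Frame, now: int) -> bool:
        """True if the frame gets through the controlled port at time `now`."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            return True                          # authentication traffic is never blocked
        # sessions whose ReAuthPeriod elapsed without a successful reauth are torn down
        for mac in [m for m, until in self.sessions.items() if until <= now]:
            del self.sessions[mac]
        if not self.sessions:
            return False                         # nobody authenticated: port closed
        if self.host_mode == "multi-host":
            return True                          # one success opens the port to every MAC
        # single-host: only the authenticated station's source MAC is forwarded,
        # which is why the thread notes that the check rests on the MAC header
        return frame.src_mac in self.sessions
```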

Surya Dathan Thu, 06/26/2008 - 00:46

Hi Andy,


I have to disagree with you. Simply, port-security cannot be used with 802.1x.


If you try to enable 802.1X on a secure port, an error message will appear, and 802.1X is not enabled.

andrew.butterworth Thu, 06/26/2008 - 01:56

Sorry but you are wrong. This is the configuration from a Catalyst 3550 where I have this deployed:


interface FastEthernet0/5
description Laptop-802.1x
switchport access vlan 10
switchport mode access
switchport port-security maximum 1 vlan access
switchport port-security
switchport port-security aging time 3
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos monitor dscp 0 8 24 26 32 46 48 56
no snmp trap link-status
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout server-timeout 5
dot1x timeout reauth-period server
dot1x timeout tx-period 20
dot1x reauthentication
wrr-queue bandwidth 5 25 70 1
wrr-queue cos-map 1 1
wrr-queue cos-map 2 0
wrr-queue cos-map 3 2 3 4 6 7
wrr-queue cos-map 4 5
priority-queue out
spanning-tree portfast
service-policy input USER-DATA-POLICY
ip dhcp snooping limit rate 100
end

cat-3550#sho dot1x interface fastEthernet 0/5 details

Dot1x Info for FastEthernet0/5
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 5
SuppTimeout = 30
ReAuthPeriod = (From Authentication Server)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 20
RateLimitPeriod = 0

Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = 000d.9d91.2ee2
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE

Port Status = AUTHORIZED
ReAuthPeriod = 3600
ReAuthAction = Reauthenticate
TimeToNextReauth = 3051
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A

cat-3550#sho port-security interface fastEthernet 0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 3 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000d.9d91.2ee2:10
Security Violation Count : 0

cat-3550#


I don't know what switch you are working on but 802.1x & Port-Security can be configured together:


http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1112738


Andy
