What's the use of reauthentication in 802.1X switch?

darkeyeonfnight (Level 1)

I found a configuration option called reauthentication. Why do we use reauthentication after a successful authentication? What is the use of it? Is it a method to achieve some kind of real-time authentication?

16 Replies

Potentially a user could introduce a hub or other switch to the port, authenticate only once, and then leave the hub connected as a free-for-all. Unless you apply other security features such as Port Security, it opens a bit of a hole.

802.1x is a port security mechanism to authenticate the user/machine that is connected to a physical port. Re-authentication forces the client to validate who it is when the reauthentication timer expires.

HTH

Andy

Thank you for the answer. So can I say that frequent reauthentication gives higher security?

Sort of... Ideally you need to deploy Port Security along with 802.1x and restrict the number of MAC addresses to 1 on each access port. This will prevent anyone from connecting a hub or switch, performing 802.1x authentication with one machine, and then disconnecting it and connecting another machine to the hub.

HTH

Andy

Thank you very much.

What if there are more devices connected to that port like there is another switch or hub?

Cisco has the command

(config-if)#dot1x host-mode multi-host

I don't understand what it does.

When the first user authenticates, doesn't he authenticate the port for all other users connected to that port?

How could this problem be solved using 802.1x and EAPOL?

Thanks
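To put the two settings discussed so far side by side, here is an added example (not taken from this thread) showing a port in the permissive multi-host mode next to one using the default single-host mode with periodic reauthentication. It assumes the pre-authentication-manager `dot1x` interface syntax of IOS 12.2 SE and uses a placeholder RADIUS address and key.

```cisco
! Added example, not from the thread. Assumes IOS 12.2 SE-era dot1x syntax.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
! Placeholder RADIUS server and shared secret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
!
! Permissive: once one supplicant passes, every MAC behind a hub on this
! port is forwarded until the reauth timer fires or the link goes down.
interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x reauthentication
 dot1x timeout reauth-period 3600
!
! Tighter: single-host (the default) ties the authorized state to one
! source MAC; a second MAC seen on the port is a security violation.
! Reauthentication is on, with the period taken from the RADIUS
! Session-Timeout so the server decides how often clients re-prove
! themselves; the bounded retry count limits how long a silent client
! keeps the port authorized after it stops answering.
interface FastEthernet0/2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode single-host
 dot1x reauthentication
 dot1x timeout reauth-period server
 dot1x max-reauth-req 2
!
! Verify the mode, timer values and the currently authorized client:
! show dot1x interface FastEthernet0/2 details
```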

802.1X is a port control protocol; the port can be physical or logical. It doesn't authenticate the port, it authenticates the users through the ports, asking for identity and a challenge response from every client that tries to connect.

Ok, it authenticates the user through the port. If it uses MD5 challenges there is no possibility to identify the users behind the port. This means that for the switch it is the same whether there is one user or 100 users.

The first user comes, enters the right password and the switch opens the port. The second user doesn't need to authenticate anymore to transmit, because the port is already open.

Am I missing something?

Port has two meanings: a physical one and a logical one.

The physical ports are the holes in the machine. They are always the same and are never closed until the power goes off or some special management action, and one physical port may have 100 users behind it. For every user there are two logical ports, the controlled port and the uncontrolled port. Authentication data passes through the uncontrolled port while the service data passes through the controlled one. The uncontrolled ports are always open, but only a successful authentication can unlock the controlled port. Maybe 100 users share the same physical port, but every one of them has their own two controlled/uncontrolled ports logically, and these two are controlled by 802.1X.

Ok, thank you for the clarification.

But how can a switch differentiate between users behind a port? They are just sending frames to the port.

The switch must function something like this: this frame is from an authenticated user and I let it through, this one is from an unauthenticated user and I filter it and so on.

If they authenticate using user+password I think they could not be differentiated.

The switch doesn't differentiate between users; the AS differentiates them using EAP methods, which belong to the application level, and the AS tells the switch which user's service packets can pass through. The switch can distinguish them from the EAPOL header, which contains user information. If a strong security method like EAP-TLS is used, every authenticated user shares a distinct session key with the AS; the key is delivered during authentication, and the user uses the right key to encrypt messages, which also makes them distinguishable from others.

Sorry for my poor English, hope it's helpful.

Sorry, I made a mistake: not the EAPOL header, but the MAC frame header.

Thank you for the clarification.

Let me know if I understood the process: if the switch differentiates the users from the MAC header, the source MAC address is the only way it could differentiate between users behind a port. If this is true we can face a MAC spoof attack here. Right?

Yes, for example, the replay attack and man-in-the-middle attack are based on forged frames.

Hi Andy,

I have to disagree with you. Simply, port security cannot be used with 802.1x.

If you try to enable 802.1X on a secure port, an error message will appear, and 802.1X is not enabled.
