802.1x per host authentication under one port with multi-host access by hub

maweiwei43 · ‎07-22-2008

Dear,

While multi-host connect to one port by hub, it seems that in multi-host mode, after one host passed the authentication, the port change state to up, and the other hosts do not need to authenticate any more. And in single host mode, only one host could access to the network under one port.

In the situation with multi-host access to one port by hub, is it possible that we could control per user access by authentication for each?

We did some test on 3550, it seems that the 3550 doesnot support what we need. And what about 4506?

Thanks!

maweiwei43 · ‎07-22-2008

topo is in the attachment

jafrazie · ‎07-23-2008

No, this is not available on the switch you are testing with. It will be soon, however. This is not advisable in terms of an in-general 802.1X deployment anyway. Also, you'll need to make sure you're hubs are not actually bridges or switches, or they'll eat 802.1X frames anyway.

ipagliani · ‎10-21-2008

Hello, what does it mean with: "It will be soon, however" ?

Is it possible a new feature coming up ?

thank's

jafrazie · ‎10-22-2008

Yes, this is a new feature coming up on 6500, 4500, and 3750 switches. Please coordinate with your local account team for timeframes and switch specifics.

blenka · ‎09-11-2013

Multiauthentication Mode

Available in Cisco IOS Release 12.2(33)SXI and later releases, multiauthentication (multiauth) mode allows one 802.1X/MAB client on the voice VLAN and multiple authenticated 802.1X/MAB/webauth clients on the data VLAN. When a hub or access point is connected to an 802.1X port (as shown in Figure 60-5), multiauth mode provides enhanced security over the multiple-hosts mode by requiring authentication of each connected client. For non-802.1X devices, MAB or web-based authentication can be used as the fallback method for individual host authentications, which allows different hosts to be authenticated through different methods on a single port.

Multiauth also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the data that the VSAs received from the authentication server.

Release 12.2(33)SXJ and later releases support the assignment of a RADIUS server-supplied VLAN in multiauth mode, by using the existing commands and when these conditions occur:

•The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.

•Subsequent hosts are authorized with a VLAN that matches the operational VLAN.

•A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN assignment, or their VLAN information matches the operational VLAN.

•The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are subject to the conditions specified in the VLAN list.

•After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port.

•The behavior of the critical-auth VLAN is not changed for multiauth mode. When a host tries to authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.

NOTE :

•Only one voice VLAN is supported on a multiauth port.

•You cannot configure a guest VLAN or an auth-fail VLAN in multiauth mode.

for more information :

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html