Who is really doing 802.1x wired

Unanswered Question
Oct 20th, 2008

I am creating a lab environment to test 802.1x prior to implementing it into production.

I wanted to know what the pros and cons of this security feature at layer 2 are.

How does it really work behind the scenes?

The reason why I want to implement this feature/function is because I'm just one of two network administrators who manage well over 800 networking devices (totally Cisco shop) and 62 remote sites, and we struggle with the moves, adds, and changes, port VLAN assignment (management), users moving their workstations, users moving their VoIP phones, etc. If anyone can speak on implementing 802.1x wired in a medium to large network I will be happy to hear about the real-life pros and cons.

m.sir Mon, 10/20/2008 - 23:32

We implemented 802.1x in my previous company (similar size as yours).

You are right, it can bring a lot of problems.

Beforehand we deployed a management solution, Cisco LMS 3.0... It really helped us with configuration, config backup, network overview, discrepancy reports, user tracking, troubleshooting (getting rid of fake hubs etc.)... It cleaned our network and saved a lot of time. I suggest having a good management solution before you move to 802.1x.

We also separated devices that are not able to authenticate via 802.1x (printers, faxes) into a separate VLAN.

Then we started in one segment (VLAN) which was the most stable (no changes, no moves)...

It worked fine. Then we smoothly moved to other VLANs step by step.

The truth is that it took a lot of time (one of my colleagues was working only on this project for some time). But we managed it and it works fine. I would also ask your Cisco vendor for consultancy and help.

Hope that helps


umamon Tue, 10/21/2008 - 06:52
Thanks for the feedback, it helps to chat with someone who has actually been through this.

The management solution you used was LMS 3.0?

How did you handle legacy PCs (Windows 2000, 98) if there were any?

What about RDP (Remote Desktop), did you encounter problems trying to manage desktops remotely?

umamon Tue, 10/21/2008 - 13:20

Are there any tips you can give me prior to deployment about things that ended up being gotchas during deployment?

fsmontenegro Thu, 10/23/2008 - 21:19

Yes, most of the issues you'll have will be on the Windows side and not on the Cisco side. A few come to mind:

- Windows XP (even SP3) has issues with executing logon scripts while the network is being changed (VLAN assignments) on boot.

- Use machine authentication to support environments that need logon scripts.

- Consider MAC authentication as well to support environments that need remote boot/management.

- Start small, fail open at first: even if user "fails" 1x auth, put them on the production VLAN while you test the entire environment.

I'm doing an 802.1x rollout for about 500 PCs (plus 500 devices that are not 1x capable) right now and these are some of the issues we've seen.
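To make the three switch-side points above concrete (MAC authentication as a fallback for non-1x devices, starting small, and failing open so a host that does not authenticate still lands on the production VLAN), here is a Cisco IOS access-port configuration as an added example; it is not from the original post or from any of the posters. It assumes a Catalyst IOS release that has the `authentication` command family (12.2(50)SE and later use these in place of the older `dot1x port-control`/`dot1x guest-vlan` forms), a RADIUS server at 10.10.10.5, shared key `ExampleSharedKey`, data VLAN 100, voice VLAN 200, and a restricted VLAN 999; all of those values are assumptions for the example. Machine authentication, the fourth point, is not a switch setting at all: it is configured on the Windows supplicant (authenticate as computer, or computer-or-user) and as a RADIUS policy that accepts the Active Directory computer account, so the port is authorized before the user logs on and logon scripts run.

```cisco
! --- Global AAA (assumed RADIUS server and key) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key ExampleSharedKey
dot1x system-auth-control
!
! --- Phase 1: monitor mode ("fail open") on the first pilot VLAN ---
interface GigabitEthernet1/0/10
 description pilot user port, monitor mode (example)
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 ! Try 802.1X first, then fall back to MAC Authentication Bypass
 ! for printers, faxes and PXE/remote-boot hosts that have no supplicant
 authentication order dot1x mab
 authentication priority dot1x mab
 ! One data device plus one IP phone per port
 authentication host-mode multi-domain
 authentication port-control auto
 ! Monitor mode: traffic is forwarded on VLAN 100 whether or not
 ! authentication succeeds; RADIUS accounting still records every result
 authentication open
 mab
 dot1x pae authenticator
 ! Short EAP timers so a host without a supplicant reaches MAB
 ! after roughly 3 x 10 s instead of the default 3 x 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! --- Phase 2: same port once the pilot VLAN is clean, enforcing ---
interface GigabitEthernet1/0/11
 description user port, enforcing (example)
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication host-mode multi-domain
 authentication port-control auto
 ! No "authentication open": unauthenticated traffic is dropped.
 ! Hosts that fail or never answer go to a restricted VLAN (assumed 999)
 ! rather than the production VLAN
 authentication event fail action authorize vlan 999
 authentication event no-response action authorize vlan 999
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

While a port is in phase 1, `show authentication sessions interface GigabitEthernet1/0/10` shows which method (dot1x or mab) each connected MAC ended up with and whether it passed, so the RADIUS accounting log plus that output tell you which hosts would have been cut off before you remove `authentication open`. Note that the phase 2 port deliberately sends failures to a restricted VLAN; if you would rather keep the "fail open" behaviour a little longer while still enforcing, set both `authorize vlan` lines to the production VLAN instead.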

umamon Fri, 10/24/2008 - 07:07

Hi fsmontenegro,

So for the Windows logon script issues, how did you resolve that issue?

When you say machine authentication, are you speaking of Active Directory or local machine logon?

m.sir Tue, 10/21/2008 - 13:43

Yes, LMS 3.0. We were lucky, only Win XP, RDP worked fine.
