Dot.1x Authorization Port

Unanswered Question
Jun 8th, 2009
User Badges:

I am configuring all switches port dot1.x ports but i am using IAS server as AAA server and the authentication method machine certficate .

The problem is when one of Joined machine connected to switch port and after authorization if i unplug the network cable the port still authorized !! i mean if i put pc not join its connected .

below the interface config :

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x violation-mode protect

dot1x timeout quiet-period 30

dot1x timeout tx-period 10

dot1x timeout supp-timeout 60

dot1x max-req 5

dot1x reauthentication

dot1x guest-vlan 30

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
sbilgi Fri, 06/12/2009 - 12:04
User Badges:
  • Silver, 250 points or more

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state. When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.

esdouglas Wed, 06/17/2009 - 20:00
User Badges:

Exactly what kind of security restriction are you trying to accomplish? I'm not sure what version of IOS you are using, but there are better options with later version. such as "multi-auth", which requires every PC that connects to that port to authenticate.

Using "multi-host" mode for dot1x authentication on all ports puts a big hole in any security you try to enforce.

jms112080 Tue, 06/23/2009 - 08:37
User Badges:

I'm testing the Dot1x multi-auth feature of the lastest IOS for the 3750. It works perfectly for two machines that are authorized. Is it possible for the switch allow traffic from an authorized host and deny traffic from a machine that does pass authentication? So far it seems to drop all traffic on the port, as soon as the unathorized machine is connected.

esdouglas Tue, 06/23/2009 - 18:54
User Badges:

If you are using the latests code (12.2.50) using the "authentication host-mode multi-auth" and the "authentication violation protect" commands should do the trick according to Cisco's 3750 documentation. Which also states a limit of 8 (authenticated) hosts.

Hope this helps.


This Discussion