Dot.1x Authorization Port

Unanswered Question
Jun 8th, 2009

I am configuring all switches port dot1.x ports but i am using IAS server as AAA server and the authentication method machine certficate .

The problem is when one of Joined machine connected to switch port and after authorization if i unplug the network cable the port still authorized !! i mean if i put pc not join its connected .

below the interface config :

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x violation-mode protect

dot1x timeout quiet-period 30

dot1x timeout tx-period 10

dot1x timeout supp-timeout 60

dot1x max-req 5

dot1x reauthentication

dot1x guest-vlan 30

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
sbilgi Fri, 06/12/2009 - 12:04

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state. When a client logs off, it sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html#wp1033555

esdouglas Wed, 06/17/2009 - 20:00

Exactly what kind of security restriction are you trying to accomplish? I'm not sure what version of IOS you are using, but there are better options with later version. such as "multi-auth", which requires every PC that connects to that port to authenticate.

Using "multi-host" mode for dot1x authentication on all ports puts a big hole in any security you try to enforce.

jms112080 Tue, 06/23/2009 - 08:37

I'm testing the Dot1x multi-auth feature of the lastest IOS for the 3750. It works perfectly for two machines that are authorized. Is it possible for the switch allow traffic from an authorized host and deny traffic from a machine that does pass authentication? So far it seems to drop all traffic on the port, as soon as the unathorized machine is connected.

esdouglas Tue, 06/23/2009 - 18:54

If you are using the latests code (12.2.50) using the "authentication host-mode multi-auth" and the "authentication violation protect" commands should do the trick according to Cisco's 3750 documentation. Which also states a limit of 8 (authenticated) hosts.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/command/reference/cli1.html#wp10755487

Hope this helps.

Actions

This Discussion