Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

802.1x per host authentication under one port with multi-host access by switch

In the situation with multi-host access to one port of Cisco 2960 Lan Lite by another simple L2 switch, is it possible that we could control per user access by authentication for each?

What happens if I connect to the switch (which already has some trusted devices) a untrusted device?

What happens if I connect to the switch (which already has some untrusted device) a trusted device?

If I use "authentication violation protect" traffic will be blocked only by an untrusted device or all devices connected via a simple L2 switch?

I read the manual, but it is not made ​​detailed clarity.

Please tell me the right way.

I will be very grateful for your advice!

Everyone's tags (3)
6 REPLIES

802.1x per host authentication under one port with multi-host ac

You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode ,  only one client can be connected to the 802.1x-enabled switch port. The  switch detects the client by sending an EAPOL frame when the port link  state changes to the up state. If a client leaves or is replaced with  another client, the switch changes the port link state to down, and the  port returns to the unauthorized state.

In multiple-hosts mode, you can attach multiple hosts to a single 802.1x-enabled port. In this mode,  only one of the attached clients must be authorized for all clients to  be granted network access. If the port becomes unauthorized  (re-authentication fails or an EAPOL-logoff message is received), the  switch denies network access to all of the attached clients.

As the port goes to un auth state / down if untrusted client is connected, so it completely depends on the violation method you configure there to take. If trusted client is connected later on, it depends on the port violation method to grant connection to trusted macs.

802.1x per host authentication under one port with multi-host ac

Hello,

In the situation with multi-host access to one port of Cisco 2960 Lan Lite by another simple L2 switch, is it possible that we could control per user access by authentication for each?

Yes, that's why multi-host mode exists

What happens if I connect to the switch (which already has some trusted devices) a untrusted device? If it's on single host the port will go into error-disabled as the violation of just one client per port has been triggered.

What happens if I connect to the switch (which already has some untrusted device) a trusted device?Same thing than before if being on single mode.

If I use "authentication violation protect" traffic will be blocked only by an untrusted device or all devices connected via a simple L2 switch?

Only for the unknown client MAC address, the trusted devices will be able to comunicate.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
Bronze

802.1x per host authentication under one port with multi-host ac

The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

For Complete Configuration, please check the below link

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html

New Member

802.1x per host authentication under one port with multi-host ac

Thank you guys!

This are very useful answers.

All the best.

802.1x per host authentication under one port with multi-host ac

Hello Mikhail,

Our pleasure to help

Please mark the question as answered so future users can learn from our discussion

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

802.1x per host authentication under one port with multi-host ac

You should probably check with your Cisco SE, as i'm not 100% sure that this limitation still exists, but there are alot of dot1x related features that are not supported in the lan-lite edition of the 2960, including dACL support for dot1x.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/prod_presentation_c97-494780.pdf

937
Views
10
Helpful
6
Replies