Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

802.1x or Alternatives?

I'm looking at implimenting some port level security on my switches. This is to prevent someone from walking into my facility and just plugging a laptop in and getting access to the network.

I've started investigating 802.1x but was wondering if there are alternatives out there.

Has anyone encountered any major problems with .1x?

7 REPLIES
bjw Silver
Silver

Re: 802.1x or Alternatives?

How big is your network in number of hosts and number of access switches?

New Member

Re: 802.1x or Alternatives?

About 800 stations, 14 access switches all 4507R's.

bjw Silver
Silver

Re: 802.1x or Alternatives?

Well that's not unreasonably big.

One basic alternative to dynamic validation using dot1.x would be manual static port mac security. Using static mac-address assignments you could lock down all used ports to known hosts via their mac-address. Any unused ports could simply be disabled.

Administratively this would take a lot of upfront work, but should be reasonably easiser once operationaly implemented.

Note that mal-intenders could still spoof mac-addresses if they knew any of your macs.

We use port security mac-address limiting on our switches and have an in-house application developed/run by another division that SCANs all mac-addresses in our system and sends warning notifications when an undocumented MAC(s) is/are seen.

Any way you go, there will always be administrative overhead related to keeping security tables/inventories/processes current.

Re: 802.1x or Alternatives?

hello bjw,

I think dot1x works really fine with both wired and wireless networks.. you also have options of how much security you want, with various versions of EAP... with an ACS server (which can also integrate with your corportate LDAP), u can have single-sign on too !!!!

One of the best features of dot1x is the guest-vlan feature.. with this, if you have a guest logged onto the network, he wil be automatically be put on a seperate VLAN, which you can isolate from your production network..... you can also have dynamic vlan assignments, which bring a big positive for administrators....

so i guess, dot1x with NAC , supported by an ACS server, will be the best fit for your network..

Hope this helps.. all the best.. let us know if you have any more queries in this..

Raj

Cisco Employee

Re: 802.1x or Alternatives?

In addition to Bill's Post you can also use Cisco Clean access to provide a tight control over the network access.

http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd802da1b5.html

-amit singh

New Member

Re: 802.1x or Alternatives?

Thanks for the information. I didn't think of NAC. MAC address filtering has too much over-head for me and my management has already shot that down. I didn't think of NAC though and that might be an option. Thanks for the suggestions.

New Member

Re: 802.1x or Alternatives?

We use it for WLAN-Acess and have big problem with it. Changing the IOS on the Access-Point makes big differences and all your config won't work anymore. The problem with 802.1x is the troubleshooting. There aren't that much tools to search for the problem. Maybe if you work with the Secure ACS but with the IAS from Microsoft...hmpf. Maybe 802.1x wired is better to handle...

1341
Views
0
Helpful
7
Replies