Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1310
Views
0
Helpful
2
Replies

802.1x Port-Based Authentication on a Catalyst 3560 switch

ArdenceSupport
Level 1
Level 1

‎04-25-2007 01:44 PM - edited ‎03-05-2019 03:41 PM

Hi,

Configuring the Catalyst 3560 to prevent unauthorized access to an enterprise LAN using 802.1x Port-Based Authentication, is there any way to allow a thin client to PXE boot off the network to obtain its OS image (ex. WinXP SP2) and still maintain secure LAN access.

When it comes to Spanning Tree, PortFast can be enabled so that packets sent to the switch are forwarded by the switch first and then Spanning Tree is run to converge the network. This allows thin clients to PXE boot successfully because the initial packets are forwarded to the LAN.

Is there any option similar to PortFast that would allow thin clients or PXE boot clients to boot successfully before 802.1x EAP authentication actually takes place? If so, would someone please describe how this would be accomplished on a Catalyst 3560.

Thanks,

Support

Labels:
0 Helpful
2 Replies 2

sachinraja
Level 9
Level 9

‎04-26-2007 05:06 AM

Hello support,

how exactly does the thin client work ? for any 802.1x implementation, you will need a dot1x supplicant like CSSC , odyssey etc, where you enter the dot1x credentials.. Only if this software is installed, the switchport sees the EAPOL frames and forwards it to the radius server. so, is this installed on ur thin client ? if not, u can configure "guest-vlan" feature of dot1x on the port, and make sure this client goes, atleast to a guest-vlan, which will have limited access.... you can refer on CCO about guest-vlans..

Hope this helps.. all the best.. rate replies if found useful..

Raj

0 Helpful

ArdenceSupport
Level 1
Level 1
In response to sachinraja

‎04-27-2007 11:35 AM

Thanks. Yes, I understand about using the 802.1x clients, however, in this case, the thin client requires PXE to boot off its network adapter to download its bootstrap file and proceed to boot off a server containing the client's image.

The issue is that if the client is connected to an 802.1x-enabled switch port, the PXE boot packets will not be forwarded by the switch until the client is authenticated and the client cannot get authenticated until it uses the 802.1x client on its OS image to send EAPOL frames.

Currently, the client will fail authentication during PXE boot and the client's port will get placed into the Guest VLAN as you indicated, but once the client boots and attempts to re-authenticate using the 802.1x client, the switch appears to stop forwarding any packets received from the client other than EAPOL frames during the re-authentication phase, which results in the thin client losing its connection to the server hosting the client's image.

If you have any other suggestions, they would be greatly appreciated.

Thanks,

Support

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card