Cisco Support Community
New Member

802.1x Port-Based Authentication on a Catalyst 3560 switch

Hi,

When configuring the Catalyst 3560 to prevent unauthorized access to an enterprise LAN using 802.1x Port-Based Authentication, is there any way to allow a thin client to PXE boot off the network to obtain its OS image (e.g., WinXP SP2) and still maintain secure LAN access?

When it comes to Spanning Tree, PortFast can be enabled so that packets sent to the switch are forwarded by the switch first and then Spanning Tree is run to converge the network. This allows thin clients to PXE boot successfully because the initial packets are forwarded to the LAN.

Is there any option similar to PortFast that would allow thin clients or PXE boot clients to boot successfully before 802.1x EAP authentication actually takes place? If so, would someone please describe how this would be accomplished on a Catalyst 3560.

Thanks,

Support

2 REPLIES

Re: 802.1x Port-Based Authentication on a Catalyst 3560 switch

Hello support,

How exactly does the thin client work? For any 802.1x implementation, you will need a dot1x supplicant like CSSC, Odyssey, etc., where you enter the dot1x credentials. Only if this software is installed does the switchport see the EAPOL frames and forward them to the RADIUS server. So, is this installed on your thin client? If not, you can configure the "guest-vlan" feature of dot1x on the port and make sure this client goes at least to a guest VLAN, which will have limited access. You can refer to CCO about guest VLANs.

Hope this helps. All the best. Rate replies if found useful.

Raj
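The guest-VLAN approach Raj describes, written out as a Catalyst 3560 port configuration. This is an added illustration, not configuration posted by either participant; the interface, VLAN numbers (10 for the production VLAN, 20 for the restricted guest VLAN) and the RADIUS server address are constructed placeholders, and the command syntax is the classic `dot1x` form found on 3560 IOS 12.2 releases (newer releases accept the equivalent `authentication` keyword forms).

```cisco
! Global AAA and 802.1x enablement (RADIUS address is a placeholder)
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key <radius-shared-secret>
dot1x system-auth-control

! Restricted VLAN that a non-supplicant (PXE) client is allowed to reach
vlan 20
 name GUEST-PXE

interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Authenticator role; port stays unauthorized until the RADIUS accept
 dot1x port-control auto
 ! No EAPOL reply from the client -> port is moved into VLAN 20
 dot1x guest-vlan 20
 ! Shorten the wait before the guest VLAN is applied:
 ! guest placement happens after max-reauth-req * tx-period seconds
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! Skip STP listening/learning so the first PXE frames are forwarded
 spanning-tree portfast
```

Two operational caveats follow from how the feature works. First, the port is placed in the guest VLAN only after the switch's EAP-Request/Identity retries expire, so the PXE firmware must tolerate that delay (about 30 seconds with the timers above; the defaults are longer) or it will time out on DHCP before the port opens. Second, the guest VLAN is a fallback for ports that never see EAPOL: as soon as a supplicant on the booted OS does send EAPOL, the port leaves the guest VLAN and returns to the unauthorized state for the duration of the EAP exchange, during which only EAPOL is forwarded. Any session the client opened while in the guest VLAN (such as the connection to the image server) is interrupted at that point, and the access VLAN after a successful authentication may differ from the guest VLAN, so the boot image must be reachable from, and designed to survive, both placements.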

New Member

Re: 802.1x Port-Based Authentication on a Catalyst 3560 switch

Thanks. Yes, I understand about using the 802.1x clients; however, in this case, the thin client requires PXE to boot off its network adapter to download its bootstrap file and then proceed to boot off a server containing the client's image.

The issue is that if the client is connected to an 802.1x-enabled switch port, the PXE boot packets will not be forwarded by the switch until the client is authenticated and the client cannot get authenticated until it uses the 802.1x client on its OS image to send EAPOL frames.

Currently, the client will fail authentication during PXE boot and the client's port will get placed into the Guest VLAN as you indicated, but once the client boots and attempts to re-authenticate using the 802.1x client, the switch appears to stop forwarding any packets received from the client other than EAPOL frames during the re-authentication phase, which results in the thin client losing its connection to the server hosting the client's image.

If you have any other suggestions, they would be greatly appreciated.

Thanks,

Support
