LAP dot1x authentication

luke sawyer
Level 1

I'm wondering if anyone has an experience with using dot1x to secure a multi-access port. The attached diagram gives an overview of a wireless network in a public meeting space. First a clarification:

**the AP has 4 LAN ports that can be tagged with specific VLANs. All wired traffic is switched at the local access switch and all wireless traffic is tunneled to the controller. I need to support at least 2 VLANs over the access port.

I've achieved basic network functionality by making the link between the access switch (3560) and the AP a dot1q trunk with the AP controller network as the native VLAN. The problem I'm having is securing the uplink port of the switch so that if someone removes it, the port will either die or transition to the guest VLAN. My understanding is that dot1x won't function on a trunk port, so I looked at using something like NEAT, which can dynamically change an access port to a trunk port by having ACS send the device-traffic-class=switch attribute; however, this feature isn't supported on the 3560E. Does anyone have any experience or ideas on how to secure this type of environment?

Thanks 

**EDIT**

The release notes for 12.2(55)SE and later list NEAT as supported on the 3560E. I'm currently running 12.2(55)SE9, but when I check the Feature Navigator, it doesn't list NEAT as a supported feature. Does anyone have experience using NEAT with ACS?


http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/release/notes/OL23053.html

http://tools.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp

4 Replies

Sam Byers
Level 1

An EEM script that triggers when the AP is plugged in (via CDP, maybe) and applies the relevant config might do the trick. If anything other than the AP is plugged in, the script applies a standard access/dot1x config or shuts the port down/moves it to the guest VLAN.

I've done this in the past. I guess a hole is that an attacker could craft a CDP packet to get access to a trunk link.

Thanks Sam. I'll have to look into that. Do you have any experience with NEAT?

I don't. :(

luke sawyer
Level 1

I was missing a command. Below is the correct switch configuration. The LAN ports are functional once the AP authenticates with ACS, but the port won't transition to UP/UP if the AP is unplugged. Hope this solution will be useful to anyone thinking of securing something like the 702w.

Global Configuration:

! enable AAA; dot1x authentication and network authorization both go to RADIUS
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! the ACS server (ports and shared key elided in the original post)
radius-server host 1.1.1.1 auth-port # acct-port # key *******
! turn on 802.1X globally
dot1x system-auth-control

Interface configuration (the port facing the AP):

! an access port, not a trunk, so dot1x can run on it
switchport mode access
switchport access vlan 2700
spanning-tree portfast
! multi-host: after the first client (the AP) authenticates, other MACs behind it are allowed
authentication host-mode multi-host
! port stays unauthorized until the supplicant authenticates
authentication port-control auto
dot1x pae authenticator
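As an added example (not part of the thread or of any Cisco tooling), here is a small audit script that parses an IOS-style config and reports which of the commands in the solution above are missing, globally and on each AP-facing port, so a port that is one command short, as in the post, is flagged rather than left open. The interface name and RADIUS values in the sample config are constructed.

```python
# Added example, not from the thread: audit an IOS-style config for the
# 802.1X multi-host port setup above. Sample port name and RADIUS values are constructed.
REQUIRED_GLOBAL = ["aaa new-model", "aaa authentication dot1x default group radius",
                   "aaa authorization network default group radius", "dot1x system-auth-control"]
REQUIRED_INTERFACE = ["switchport mode access", "authentication host-mode multi-host",
                      "authentication port-control auto", "dot1x pae authenticator"]

def parse_config(text):
    """Split IOS config text into global lines and {interface: [subcommands]}."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                     # skip blanks and IOS comments
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None               # back in global configuration mode
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(text, ap_ports):
    """Return {scope: [problems]}; an empty dict means the config passes."""
    global_lines, interfaces = parse_config(text)
    findings = {"global": [c for c in REQUIRED_GLOBAL if c not in global_lines]}
    if not any(l.startswith("radius-server host ") for l in global_lines):
        findings["global"].append("no radius-server host configured")
    for port in ap_ports:
        lines = interfaces.get(port, [])
        findings[port] = [c for c in REQUIRED_INTERFACE if c not in lines]
        if "switchport mode trunk" in lines:
            findings[port].append("port is a trunk; dot1x needs an access port")
    return {scope: probs for scope, probs in findings.items() if probs}

# Constructed sample: the AP-facing port is missing the multi-host command.
SAMPLE_CONFIG = """aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key EXAMPLEKEY
dot1x system-auth-control
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 2700
 spanning-tree portfast
 authentication port-control auto
 dot1x pae authenticator
"""
```

Running `audit(SAMPLE_CONFIG, ["GigabitEthernet0/1"])` returns only the missing `authentication host-mode multi-host` line for that port; feed it `show running-config` output and the list of AP ports to check a real switch.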
