Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

LAP dot1x authentication

I'm wondering if anyone has an experience with using dot1x to secure a multi-access port. The attached diagram gives an overview of a wireless network in a public meeting space. First a clarification:

**the AP has 4 LAN ports that can be tagged with specific VLANs. All wired traffic is switched at the local access switch and all wireless traffic is tunneled to the controller. I need to support at least 2 VLANs over the access port.

I've achieved basic network functionality by making the link between the access switch (3560) and the AP a dot1q trunk with the AP controller network as the native VLAN. The problem I'm having is securing the uplink port of the switch so that if someone removes it, the port will either die or transition to the guest vlan. My understanding is that dot1x won't function on a trunk ports so I looked at using something like NEAT which can dynamically change an access port to a trunk port by having ACS send the device-traffic-class=switch attribute, however, this feature isn't supported on the 3560e. Does anyone have any experience or ideas on how to secure this type of environment?



Release notes for 12.2(55) SE and Later lists NEAT as supported on the 3560E. I'm currently running 12.2(55)SE9 but when I check the feature navigator, it doesn't list NEAT as a support feature. Anyone have experience using NEAT with ACS?

Everyone's tags (1)
New Member

EEM script to event on the AP

EEM script to event on the AP to be plugged in (via CDP, maybe), and apply the relevant config might do the trick. If anything other than the AP is plugged in, the script applies a standard access/dot1x config or shuts it down/guest vlan.

I've done this in the past. I guess a hole is that an attacker could craft a CDP packet to get access to a trunk link.

New Member

Thanks Sam. I'll have to look

Thanks Sam. I'll have to look into that. Do you have any experience with NEAT?

New Member

I don't. :(

I don't. :(

New Member

I was missing a command.

I was missing a command. Below is the correct switch configuration. The LAN ports are functional once the AP authenticates with ACS but the port won't transition to UP/UP if the AP is unplugged. Hope this solution will be useful to anyone thinking of securing something like the 702w. 

Global Configuration:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host auth-port # acct-port # key *******
dot1x system-auth-control

interface configuration:
switchport mode access
switchport access vlan 2700
spanning-tree portfast
authentication host-mode multi-host 
authentication port-control auto
dot1x pae authenticator