Cisco Support Community

New Member

Port security question

All, I know this should be in the security forum, but I'm not having much luck understanding this at the moment. Can you guys please help me understand one thing in particular:

I'm trying to find out how to use Dot1x port authentication. What I'm trying to do is boot a clientless system into a guest VLAN, OR if it's a regular PC, I'm trying to allow it into a native VLAN. I'm trying to understand "port authentication". Below is a paragraph from "Deploying 802.1x-Based Port Authentication on the Cisco ECT Solution". A little different scenario but the same goal in mind. See the paragraph below, and my question below it please:

PARAGRAPH READS:

"When a new IP host is connected to the switch port, the router initiates the communication using Extensible Authentication Protocol over LAN (EAPoL). The supplicant running on the device will respond to it. Then the router proceeds with further authentication. If there is no response from the device it is considered as a clientless device. Once the router gathers the credentials from the device, it is forwarded to the RADIUS server for authentication. If the credentials are valid, the port becomes enabled and gets attached to the trusted VLAN. If the credentials are invalid, the port is shut."

QUESTION:

From this sentence: "Then the router proceeds with further authentication.", what IS the authentication? What credentials are being sent from the client? Windows login? MAC address? I don't know.

QUESTION 2:

From this sentence: "If the credentials are valid, the port becomes enabled and gets attached to the trusted VLAN."

Again, what credentials? I don't think it's Windows authentication, but I have no idea what the client is sending.

ANY help would be appreciated. Thanks.
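The flow the quoted paragraph describes (authenticator sends EAP-Request/Identity, a host with no supplicant never answers and falls into the guest VLAN, an answering supplicant's credentials are relayed to RADIUS, and the result decides the port's VLAN or shutdown) as an added simulation; it is not part of the original post and not Cisco's code. It assumes EAP-MD5 as the method, a constructed user table standing in for the RADIUS store, and a deterministic challenge for testability:

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample RADIUS user store: identity -> (password, assigned VLAN).
RADIUS_USERS = {"mike": ("s3cret", 20)}


class Supplicant:
    """The 802.1X client on the host; answers the authenticator's EAP requests."""
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def identity_response(self) -> str:
        return self.identity  # EAP-Response/Identity: the outer "username"

    def md5_response(self, eap_id: int, challenge: bytes) -> bytes:
        # EAP-MD5 (RFC 3748 s5.4): MD5(Identifier || password || challenge)
        return hashlib.md5(bytes([eap_id]) + self.password.encode() + challenge).digest()


class RadiusServer:
    def __init__(self, users): self.users = users

    def challenge(self, identity: str) -> bytes:
        # Fixed per-identity challenge so the example is reproducible; a real
        # server sends fresh random bytes for every attempt.
        return hashlib.sha256(identity.encode()).digest()[:16]

    def verify(self, identity, eap_id, challenge, response) -> Optional[int]:
        if identity not in self.users:
            return None                           # Access-Reject
        pw, vlan = self.users[identity]
        expected = hashlib.md5(bytes([eap_id]) + pw.encode() + challenge).digest()
        return vlan if hmac.compare_digest(expected, response) else None  # Accept -> VLAN


def authenticate_port(supplicant, radius, guest_vlan=99, max_reauth_req=2):
    """Authenticator decision: returns (port_state, vlan, identity_requests_sent)."""
    sent, identity = 0, None
    while sent <= max_reauth_req and identity is None:
        sent += 1  # EAP-Request/Identity, retransmitted on each tx-period timeout
        identity = supplicant.identity_response() if supplicant else None
    if identity is None:                          # silent host: clientless device
        return ("guest", guest_vlan, sent)
    eap_id = 1
    chal = radius.challenge(identity)             # relayed as EAP-Request/MD5-Challenge
    resp = supplicant.md5_response(eap_id, chal)  # relayed to RADIUS in Access-Request
    vlan = radius.verify(identity, eap_id, chal, resp)
    if vlan is None:
        return ("shut", None, sent)               # invalid credentials: port shut
    return ("authorized", vlan, sent)             # valid: port joins the trusted VLAN
```

Here the "credentials" are the EAP identity plus the method-specific proof (an MD5 challenge response in this case); a certificate-based method such as EAP-TLS would replace that proof, while the port-level decisions stay the same.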

2 REPLIES
New Member

Re: Port security question

Also, if anyone has deployed this solution before, would you be so kind as to post a sample config or an existing config of the switch and what you may have done in ACS? Thanks.

New Member

Re: Port security question

Hi Mike,

EAP is actually a framework, not a particular authentication mechanism. You can use different method types for that. A few of them are known, from MD5 Challenge to digital certs, etc. So what you implement is what is sent/received.

More info/examples:

http://standards.ieee.org/getieee802/download/802.1X-2001.pdf

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a6b.html

Regards,

malina
