I found a configuration option called reauthentication. Why do we use reauthentication after a successful authentication? What is it for? Is it a way to achieve some kind of real-time authentication?
Potentially a user could introduce a hub or other switch to the port, authenticate only once and then leave the hub connected as a free-for-all. Unless you apply other security features such as port security, it opens a bit of a hole.
802.1X is a port security mechanism to authenticate the user/machine that is connected to a physical port; reauthentication forces the client to validate who it is when the reauthentication timer expires.
Sort of... Ideally you need to deploy port security along with 802.1X and restrict the number of MAC addresses to 1 on each access port. This will prevent anyone from connecting a hub or switch, performing 802.1X authentication with one machine, and then disconnecting it and connecting another machine to the hub.
What if there are more devices connected to that port, like another switch or hub?
Cisco has the command
(config-if)#dot1x host-mode multi-host
I don't understand what it does.
When the first user authenticates, doesn't he authenticate the port for all other users connected to that port?
How could this problem be solved using 802.1x and EAPOL?
802.1X is a port control protocol; the port can be physical or logical. It doesn't authenticate the port, it authenticates the users through the ports, asking for an identity and a challenge-response from every client that tries to connect.
OK, it authenticates the user through the port. If it uses MD5 challenges there is no possibility to identify the users behind the port. This means that for the switch it is the same whether there is one user or 100 users.
The first user comes, enters the right password and the switch opens the port. The second user doesn't need to authenticate anymore, just to transmit, because the port is already opened.
Am I missing something?
"Port" has two meanings, a physical one and a logical one.
The physical ports are the holes in the machine; they are always the same, never closed until power-off or some special management action, and one physical port may have 100 users behind it. For every user there are two logical ports, the controlled port and the uncontrolled port. Authentication data passes through the uncontrolled port while the service data passes through the controlled one. The uncontrolled ports are always open, but only a successful authentication can unlock the controlled port. Maybe 100 users share the same physical port, but every one of them has their own two controlled/uncontrolled ports logically, and these two are controlled by 802.1X.
Ok, thank you for the clarification.
But how can a switch differentiate between users behind a port? They are just sending frames to the port.
The switch must function something like this: this frame is from an authenticated user and I let it through, this one is from an unauthenticated user and I filter it, and so on.
If they authenticate using user+password I think they could not be differentiated.
The switch doesn't differentiate between users; the AS differentiates them using EAP methods, which belong to the application level, and the AS tells the switch which user's service packets can pass through. The switch can distinguish them from the EAPOL header, which contains user information. If a strong security method like EAP-TLS is used, every authenticated user shares a distinct session key with the AS; the key is delivered during authentication, and the user uses the right key to encrypt messages, which also makes them distinguishable from the others.
Sorry for my poor English; I hope it's helpful.
Thank you for the clarification.
Let me know if I understood the process: if the switch differentiates the users from the MAC header, the source MAC address is the only way it could differentiate between users behind a port. If this is true, we could face a MAC spoofing attack here. Right?
I have to disagree with you. Simply put, port security cannot be used with 802.1X.
If you try to enable 802.1X on a secure port, an error message will appear, and 802.1X is not enabled.
Sorry, but you are wrong. This is the configuration from a Catalyst 3550 where I have this deployed:
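The behaviour argued about across this exchange (the per-user controlled/uncontrolled logical ports, what `dot1x host-mode multi-host` changes, the port-security MAC limit, the reauthentication timer, and the MAC-spoofing question just raised) can be shown with a small model of an authenticator port. This is an added illustration, not code from the thread and not Cisco's implementation; the single-host/multi-host semantics follow Cisco's documented behaviour, the port-security "restrict" handling is simplified, the EAP exchange itself and ReAuthMax retries are left out, and the MAC addresses, frames and timings are constructed for the example.

```python
"""Toy model of an IEEE 802.1X authenticator port on an access switch.

Added illustration; not code from the thread or from Cisco. Per physical port:
  * uncontrolled logical port: EAPOL frames always pass,
  * controlled logical port: service frames pass only after EAP-Success,
  * host-mode "single-host" (one authenticated MAC) vs "multi-host"
    (first EAP-Success opens the port for every MAC behind it),
  * port-security maximum MAC count, "restrict" style (drop, count, stay up),
  * the reauthentication timer.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

EAPOL_ETHERTYPE = 0x888E   # EAPOL, carried on the uncontrolled port
IPV4_ETHERTYPE = 0x0800    # ordinary service traffic, controlled port


@dataclass
class Frame:
    src_mac: str
    ethertype: int


@dataclass
class AuthenticatorPort:
    host_mode: str = "single-host"                      # or "multi-host"
    max_macs: int = 1                                   # port-security maximum
    reauth_period: int = 3600                           # ReAuthPeriod, seconds
    authorized: Set[str] = field(default_factory=set)   # controlled-port state
    learned: Set[str] = field(default_factory=set)      # port-security table
    time_to_next_reauth: Optional[int] = None
    violations: int = 0

    def port_status(self) -> str:
        return "AUTHORIZED" if self.authorized else "UNAUTHORIZED"

    def eap_success(self, mac: str) -> bool:
        """The authentication server accepted `mac`; open its controlled port."""
        if self.host_mode == "single-host" and self.authorized - {mac}:
            self.violations += 1        # second supplicant on a single-host port
            return False
        self.authorized.add(mac)
        self.time_to_next_reauth = self.reauth_period
        return True

    def ingress(self, frame: Frame) -> bool:
        """Return True if the switch forwards `frame`, False if it drops it."""
        # Port security is purely MAC-based and is checked first.
        if frame.src_mac not in self.learned:
            if len(self.learned) >= self.max_macs:
                self.violations += 1    # "restrict": drop, count, keep port up
                return False
            self.learned.add(frame.src_mac)
        if frame.ethertype == EAPOL_ETHERTYPE:
            return True                 # uncontrolled port is always open
        if not self.authorized:
            return False                # controlled port still closed
        if self.host_mode == "multi-host":
            return True                 # one success authorizes every MAC
        return frame.src_mac in self.authorized   # single-host: MAC match only

    def tick(self, seconds: int) -> bool:
        """Advance the reauth timer; True when reauthentication is now due."""
        if self.time_to_next_reauth is None:
            return False
        self.time_to_next_reauth -= seconds
        return self.time_to_next_reauth <= 0

    def reauth_result(self, mac: str, success: bool) -> None:
        """Outcome of the reauthentication the timer triggered."""
        if success:
            self.time_to_next_reauth = self.reauth_period
            return
        self.authorized.discard(mac)    # failed or silent supplicant: close it
        if not self.authorized:
            self.time_to_next_reauth = None


SUPPLICANT = "00:0d:9d:91:2e:e2"   # constructed, modelled on the thread's output
INTRUDER = "02:00:00:00:00:01"     # constructed second host behind a hub


def multi_host_hub() -> bool:
    """Multi-host: after one EAP-Success, an unauthenticated MAC is forwarded."""
    port = AuthenticatorPort(host_mode="multi-host", max_macs=8)
    port.ingress(Frame(SUPPLICANT, EAPOL_ETHERTYPE))
    port.eap_success(SUPPLICANT)
    return port.ingress(Frame(INTRUDER, IPV4_ETHERTYPE))


def single_host_with_port_security() -> Tuple[bool, bool, int]:
    """Single-host + max 1 MAC: the intruder's own MAC is dropped, but a frame
    spoofing the authenticated MAC is forwarded, since the check keys on MAC."""
    port = AuthenticatorPort(host_mode="single-host", max_macs=1)
    port.ingress(Frame(SUPPLICANT, EAPOL_ETHERTYPE))
    port.eap_success(SUPPLICANT)
    own_mac = port.ingress(Frame(INTRUDER, IPV4_ETHERTYPE))
    spoofed = port.ingress(Frame(SUPPLICANT, IPV4_ETHERTYPE))
    return own_mac, spoofed, port.violations


def reauth_timer_expiry() -> Tuple[bool, str]:
    """When ReAuthPeriod elapses the host must prove itself again; one that
    cannot (e.g. the real supplicant was unplugged) loses the port."""
    port = AuthenticatorPort(reauth_period=3600)
    port.ingress(Frame(SUPPLICANT, EAPOL_ETHERTYPE))
    port.eap_success(SUPPLICANT)
    due = port.tick(3600)
    port.reauth_result(SUPPLICANT, success=False)
    return due, port.port_status()
```

The three scenario functions are the points of the thread in order: in multi-host mode a hub behind the port is a free-for-all once one host authenticates; single-host mode plus a port-security maximum of 1 stops a second MAC but not a frame that copies the authenticated MAC, which is exactly the spoofing concern; and the reauthentication timer is what eventually evicts a host that can no longer complete EAP, which is why reauthentication is worth keeping enabled even though the initial authentication succeeded.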
switchport access vlan 10
switchport mode access
switchport port-security maximum 1 vlan access
switchport port-security aging time 3
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos monitor dscp 0 8 24 26 32 46 48 56
no snmp trap link-status
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout server-timeout 5
dot1x timeout reauth-period server
dot1x timeout tx-period 20
wrr-queue bandwidth 5 25 70 1
wrr-queue cos-map 1 1
wrr-queue cos-map 2 0
wrr-queue cos-map 3 2 3 4 6 7
wrr-queue cos-map 4 5
service-policy input USER-DATA-POLICY
ip dhcp snooping limit rate 100
cat-3550#sho dot1x interface fastEthernet 0/5 details
Dot1x Info for FastEthernet0/5
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 5
SuppTimeout = 30
ReAuthPeriod = (From Authentication Server)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 20
RateLimitPeriod = 0
Dot1x Authenticator Client List
Domain = DATA
Supplicant = 000d.9d91.2ee2
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
ReAuthPeriod = 3600
ReAuthAction = Reauthenticate
TimeToNextReauth = 3051
Authentication Method = Dot1x
Authorized By = Authentication Server
Vlan Policy = N/A
cat-3550#sho port-security interface fastEthernet 0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 3 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000d.9d91.2ee2:10
Security Violation Count : 0
I don't know what switch you are working on, but 802.1X and port security can be configured together.