
I'm looking for a complete list of switches which will allow 802.1x and normal (non-supplicant) enabled hosts to connect to the same ports on a switch. This is useful for areas where there are semi-open ports such as a lobby area or a library where corporate and guest users may use the same ports but you want them to have different access profiles and where it isn't expected that guests would have 802.1x configured on their system.

For instance, Enterasys and Extreme Networks both have a feature where if the switch doesn't see an EAPOL packet from the client in a certain amount of time, it puts the port into a "guest" VLAN; if it sees an 802.1x supplicant, it tries to authenticate the user via 802.1x and if they succeed, it does what the RADIUS server tells it to do with that port (i.e. put the port into a certain VLAN, apply certain ACLs, etc.).

Do other vendors have this sort of feature, or is it expected that a switch will do both 802.1x and MAC authentication, and the "supplicant timeout" feature is implemented with a blanket allow on the MAC authentication?

chris

1 Answer


IIRC, Cisco switches support something similar: the port is in the guest VLAN by default, but switches to the VLAN specified by the ACS when a supplicant authenticates. The ACS can specify different VLANs for different PCs/users, too.

blueadept
  • And it will open the port even if it doesn't see a supplicant after a period of time? – chris Apr 27 '10 at 15:04
  • yes =) 8 more to go.. – Antoine Benkemoun Apr 27 '10 at 17:08
  • Heh, I haven't really worked with switches from other vendors, Antoine. Chris, the port is up and connected to the guest VLAN when there is no supplicant; only in the case that there is a supplicant does the port change VLANs. When the port detects media disconnection, the switch puts it back into the guest VLAN. – blueadept Apr 27 '10 at 20:02
  • So the EAPOL traffic goes over the "guest" VLAN? That's interesting -- both the Enterasys and the Extreme switches have a VLAN that's dedicated to the EAPOL traffic, then they drop you off into another VLAN depending on the results of the EAP transaction. I guess everyone does it slightly differently to avoid patent issues? – chris Apr 27 '10 at 23:33
  • Chris: if I recall correctly, the EAP traffic is L2 and only between the supplicant and the switch; the switch proxies the authentication to the RADIUS server (in Cisco's case, the ACS). The supplicant never sees the details of the VLAN assignment because it's on an access port and doesn't attempt to acquire an address via DHCP until the authentication process is over. So the traffic's not really forwarded from the port to the rest of the VLAN. When a non-supplicant is connected, it sends only data (non-802.1x) traffic so it talks only to the guest VLAN. – blueadept Apr 28 '10 at 02:08
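As an added illustration of the Cisco behaviour blueadept describes (not configuration from the answer or from Cisco documentation), the following IOS port configuration combines a guest VLAN for hosts that never send EAPOL, MAC Authentication Bypass as the fallback the question asks about, and RADIUS-driven VLAN assignment for authenticated supplicants. VLAN numbers, the interface name and the RADIUS server address/key are placeholders.

```text
! Global AAA: 802.1X and MAB authenticate against RADIUS, and the switch
! accepts the VLAN/ACL authorization attributes RADIUS returns.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 key <shared-secret-placeholder>
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 !
 ! Try 802.1X first; if no supplicant answers, fall back to MAB.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab
 !
 ! No EAPOL reply after (max-reauth-req + 1) * tx-period = 3 * 10 = 30 s:
 ! authorize the port into the guest VLAN instead of leaving it blocked.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 authentication event no-response action authorize vlan 900
 !
 ! Failed credentials get a restricted VLAN, not the guest VLAN, and an
 ! unreachable RADIUS server gets a critical VLAN so the lobby stays usable.
 authentication event fail action authorize vlan 902
 authentication event server dead action authorize vlan 901
!
! A supplicant that succeeds is moved off the guest VLAN by these standard
! (RFC 3580) attributes in the RADIUS Access-Accept; "20" is a placeholder:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-Id = "20"
```

The guest VLAN (900 here) should carry its own ACLs, since any host that stays silent for 30 seconds lands in it; `show authentication sessions interface GigabitEthernet0/1` shows which method and VLAN each port ended up with.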