We are planning to implement 802.1X. What is not clear is whether a switch supporting 802.1X can successfully and correctly authenticate multiple devices connected to the same switch port (e.g. if we have a department using a hub with a bunch of computers to "share" the port)? If so, how does the protocol validate the source of packets?
Or will implementing 802.1X require us to purchase huge, expensive 802.1X-supporting switches, with one port per device?

Alex

2 Answers

You will still be able to do port-based 802.1x authentication, but only for the entire hub. As far as the 802.1x authenticator is concerned, it is just able to allow or disallow (or assign to different VLANs) the one port that the hub is attached to. Imagine what will happen when a client authenticates this port to a trusted VLAN but then another client authenticates this port to an untrusted VLAN. From the perspective of the authenticator you will not be able to "validate the source of packets", only the port that your hub is attached to (and hence everything that is attached to it).

If you require port-based authentication on a switch or need to authenticate a device that doesn't support 802.1x, you can rely on MAC Authentication Bypass, which is essentially just whitelisting MAC addresses or ports as required.

To really take advantage of 802.1x you need a switching infrastructure that fully supports 802.1x (luckily it's pretty common on mid-range enterprise grade switches).

  • what about multiauth mode? http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1309093 – Alex Nov 25 '11 at 07:47
  • We're not a Cisco shop, so take this with a grain of salt, but Multiauth mode looks specifically designed for Cisco's VOIP devices and requires Cisco's proprietary [CDP](http://en.wikipedia.org/wiki/Cisco_Discovery_Protocol). Take a look at [Multiple-Host Mode](http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1308773). –  Nov 26 '11 at 00:37
Multi-auth does exactly this. Multi-host is an older mode that allows several devices to share the port, but once one is authenticated, they all are authenticated. Multi-auth is a newer mode that forces each unique MAC address on a port to authenticate individually. However, some features are disabled when you use it, such as different RADIUS-assigned VLANs, guest VLAN and auth-fail VLAN, since you cannot assign a VLAN per MAC address.

Update - Be advised that there is currently a bug in IOS 12.2(54)SG1 with multi-auth and multi-domain where authorized ports do not pass traffic.

Details

Bart De Vos
Paul Ackerman
  • I guess from a security point of view it's quite weak, as a MAC address can be easily sniffed and then spoofed? – Alex Dec 07 '11 at 08:54
  • You aren't necessarily authenticating with MAC. You can still use certificates or other means to authenticate the devices, but the only way the switch can keep track of unique devices on a single port is by MAC, so yes, if a PC with a valid cert authenticated and then you connected and spoofed the same MAC, I believe you would be granted access on the network. However, you can set up periodic re-authentication as well, and if this were set up, it is possible that the attacker's PC would respond to the re-auth and cause the port to go unauthorized. Although they could turn off dot1x to avoid this... – Paul Ackerman Dec 07 '11 at 12:43
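The two answers describe the same switch port behaving very differently depending on host mode: in multi-host mode one successful supplicant opens the port for everything behind the hub, while in multi-auth mode the switch keeps one session per source MAC and periodic re-authentication can tear down a session whose device no longer answers EAP. The following toy model, added here as an illustration and not taken from the thread or from any switch vendor's code, makes that authorization logic concrete. The MAC addresses and the supplicant outcomes are constructed, and the real EAP/RADIUS exchange is reduced to a boolean so the example runs offline.

```python
"""Toy model of 802.1X host modes on a single switch port (added example).

Real switches run EAP over the wire and consult RADIUS; here the result of
that exchange is simply a boolean passed in by the caller.  The MAC addresses
below are constructed sample values.
"""

from dataclasses import dataclass, field

MULTI_HOST = "multi-host"  # one successful supplicant authorizes the whole port
MULTI_AUTH = "multi-auth"  # every MAC seen on the port must authenticate itself

PC1 = "00:11:22:33:44:01"  # constructed: PC with a valid certificate
PC2 = "00:11:22:33:44:02"  # constructed: PC whose supplicant fails
PC3 = "00:11:22:33:44:03"  # constructed: printer that never speaks EAP


@dataclass
class Port:
    host_mode: str
    # MACs holding an authenticated session on this port.  In multi-host mode
    # there is at most one, and that single session authorizes the whole port.
    sessions: set = field(default_factory=set)

    def authenticate(self, mac: str, supplicant_ok: bool) -> bool:
        """Record the outcome of an EAP exchange with the device at `mac`."""
        if not supplicant_ok:
            return False
        if self.host_mode == MULTI_HOST and self.sessions:
            return True  # port is already open; nothing further is tracked
        self.sessions.add(mac.lower())
        return True

    def allows(self, mac: str) -> bool:
        """Would the switch forward a frame with this source MAC?"""
        if self.host_mode == MULTI_HOST:
            # The authenticator only knows that the port is authorized; every
            # device behind the hub rides on that one session.
            return bool(self.sessions)
        # multi-auth keys each session on source MAC.  MAC is the only handle
        # the switch has, so a frame carrying an authenticated MAC is forwarded
        # regardless of which physical device sent it.
        return mac.lower() in self.sessions

    def reauthenticate(self, answered: dict) -> list:
        """Periodic re-authentication.  `answered` maps MAC -> whether the
        device behind it completed EAP again.  Failing sessions are torn down
        and the revoked MACs are returned."""
        revoked = [m for m in sorted(self.sessions) if not answered.get(m, False)]
        for m in revoked:
            self.sessions.discard(m)
        return revoked


def hub_scenario(host_mode: str) -> dict:
    """Three devices share one port through a hub; only PC1 can authenticate.
    Returns, per source MAC, whether the port forwards its frames afterwards."""
    port = Port(host_mode)
    port.authenticate(PC1, supplicant_ok=True)
    port.authenticate(PC2, supplicant_ok=False)
    # PC3 never attempts EAP at all.
    return {mac: port.allows(mac) for mac in (PC1, PC2, PC3)}


def cloned_mac_scenario(host_mode: str) -> tuple:
    """PC1 authenticates and is then replaced by a device using PC1's MAC but
    lacking PC1's credentials.  Returns (forwarded before re-auth, forwarded
    after re-auth) for frames carrying PC1's MAC."""
    port = Port(host_mode)
    port.authenticate(PC1, supplicant_ok=True)
    before = port.allows(PC1)
    port.reauthenticate({PC1: False})  # the replacement cannot answer EAP
    after = port.allows(PC1)
    return before, after


if __name__ == "__main__":
    for mode in (MULTI_HOST, MULTI_AUTH):
        print(mode, hub_scenario(mode), cloned_mac_scenario(mode))
```

Running it shows the distinction the answers draw: in multi-host mode `hub_scenario` forwards frames from all three MACs although only PC1 ever authenticated, whereas in multi-auth mode only PC1 is forwarded. `cloned_mac_scenario` reproduces Paul Ackerman's point in both modes: the session survives until the next periodic re-authentication, and only then is access withdrawn, which is why enabling re-authentication with a reasonably short timer matters on shared ports.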