Well, there are the 7 essential 802.1x features you'll almost certainly need to use in your deployment. Are there other features you'd recommend?
Going down the dot1x path is not an easy one, to say the least, but with these latest features Cisco has made significant strides toward making it easier.
Here is the 12.2(33)SXI 802.1x configuration guide, where you can find all of the relevant information on how to make this stuff work.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/con...
I have lots of other 802.1x topics I could write on, so let me know if you're interested or have specific requests. I'd be glad to oblige.
The opinions and information presented here are my personal views and not those of my employer.
More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Cisco enters the crowded AV and DLP client market
* Cisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhere
* Cisco targets Symantec, McAfee with its new antivirus client
* Google's Chrome raises security concerns and tastes like chicken feet
Go to Jamey's Blog for more articles on security.
Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
I hope 3750's will have the
I hope 3750s will have the same feature for SMB customers. We pulled back from NAC due to the lack of a multi-host feature.
multi host
3750s do support the authentication host-mode multi-domain feature, however not authentication host-mode multi-auth. The difference being that with multi-domain you get one device on the voice VLAN (phone) and one host on the data VLAN, so two MACs.
With multi-auth you get one device on the voice VLAN and an unlimited number of devices on the data VLAN, each authenticated separately.
What is your use case for needing multiple hosts or MACs per port? Is it VMware?
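As an added example (my own, not code from the article or from either commenter), the interface-level difference between the two host modes discussed above, in the `authentication` command syntax of IOS 12.2(50)SE on a 3750 stack. Interface names, VLAN numbers and the use of MAB as a fallback are assumptions for illustration.

```text
! Multi-domain: exactly one MAC is allowed in the voice domain (the phone)
! and exactly one MAC in the data domain; a second data MAC is a violation.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 ! restrict = drop the offending MAC and log it; the default action (shutdown)
 ! err-disables the whole port, taking the phone down with it
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Multi-auth: still one MAC in the voice domain, but any number of MACs in the
! data domain, each one running its own 802.1X (or MAB) session.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Check which MAC holds which session and in which domain (DATA / VOICE)
show authentication sessions interface GigabitEthernet1/0/1
show authentication sessions interface GigabitEthernet1/0/2
```

One check worth doing before picking multi-auth for a VMware host: every data-domain MAC is authenticated on its own, so each VM either needs its own supplicant or must be accepted by MAB, and a VM that fails is subject to the same `authentication event fail` handling as any other host. The `authentication violation restrict` line matters in multi-domain mode for exactly the case the commenter describes, where a second data MAC shows up behind the phone.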
Flex Auth/ Multi-Auth type and Multi"user" per port
We have found that Enterasys Networks does a nice job of supporting multiple authentication types per port simultaneously, as well as supporting multiple authenticated sessions per port (multi-user). This flex-auth-like feature has been available for years (operationally reliable), and is supported from stackables through their chassis-based products, supporting multiple role-based ACL-like rules per port simultaneously or multiple device VLAN per port containment (RFC 3580) simultaneously. This provides essential authentication flexibility when deploying authentication services at the edge. I would recommend taking a closer look to see if they work for you; I think if going down this road this feature will make your life easier, as you will have fewer exceptions.
In the DC, the chassis switches (n7) allow for large numbers (2-1000+) of authenticated devices per port, beneficial for providing dynamic movement of ESX VM servers.
Environment with 6500 as core, 3750's as access
In our environment we have a 6509 as core switch/router, and smaller access switches throughout the building (currently 2924XL, but we plan to upgrade to stackable 3750s). Are these features available in the 3750s? Could you provide information on 802.1x deployment in such a mixed environment? Thanks!
feature navigator
I'd recommend you use Cisco's Feature Navigator: put in your exact switch model and software version.
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
12.2(50)SE
See 12.2(50)SE for your 3750 stacks
NAC features: authentication fat-finger
After some lab time a while ago, I concluded that there was a gap in 802.1X features surrounding authentication. Namely, if you fat-finger, there is no separate re-auth interval; you're subject to the general re-auth interval, typically 1 hour or longer so as not to interrupt active users. It seems like there should be a separate, shorter (like 1 minute) re-auth interval for authentication failures.
The workaround I know of is training users to pop their Ethernet out or "Repair" the interface in Windows, which is pretty ugly.
Has that been fixed, was/am I missing a command, or is that indeed still an issue?
fat finger
You can set how many failed attempts you allow; by default it is 3. Then, after that, you can use the features I addressed in the article to put the user in a guest role.
dot1x and PXE Boot for AccessSwitches Cat2960/3560/3750
I am interested in dot1x supporting PXE boot clients. I think the open authentication feature could support this.
Our problem is timing, because some PXE clients run into a timeout so they do not get an IP address via DHCP. Unfortunately, tighter timing does not work because dot1x clients do not work well with tighter timing values.
What do you suggest for PXE boot clients?
Question on code sample for "authentication open":
Is the "ip access-group UNAUTH in" ACL only active when the port is in the unauthenticated state?
On which platforms will the 12.2(33)SXI features also be implemented?
I have only seen an implementation on Cat4500 IOS 12.2(50)SG. We use Cat2960-TT and -TC and Cat3560/3750, sometimes also the 3560-E/3750-E platforms, in our switch access layer.
12.2(33)SXI features on other platforms
See 12.2(50)SE for 3750 and 3560 devices.
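To tie together the three practical questions in the comments (the fat-finger / failed-attempt handling, PXE clients timing out before they get a DHCP lease, and whether the "ip access-group UNAUTH in" ACL is only active while the port is unauthenticated), here is an added example of an open-authentication access port on a 3750 running 12.2(50)SE. It is my own illustration, not configuration from the article or from any commenter. The RADIUS server address and key, the VLAN numbers, the interface name and the PXE proxyDHCP port (4011, as used by WDS) are assumptions; adjust them to your environment.

```text
! --- Global AAA (server address and key are placeholders) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.1.1.5 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
!
! --- Pre-authentication port ACL ---
! With "authentication open" the port forwards traffic before any authentication
! succeeds, so this ACL is what limits an unknown host. Permit only what a PXE
! client needs to reach DHCP and its boot server; everything else is dropped.
ip access-list extended UNAUTH
 remark DHCP: lets a PXE client get a lease immediately instead of waiting for dot1x timeouts
 permit udp any eq bootpc any eq bootps
 remark PXE proxyDHCP / WDS (assumed port 4011)
 permit udp any any eq 4011
 remark PXE boot-file download
 permit udp any any eq tftp
 permit udp any any eq domain
 deny ip any any
!
! --- Access port ---
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 ! Failed credentials: after the retry count (3, the default the author cites)
 ! the host goes to the remediation VLAN instead of sitting out the normal
 ! re-auth interval with no access at all
 authentication event fail retry 3 action authorize vlan 20
 ! No supplicant answered: fall back to the guest VLAN
 authentication event no-response action authorize vlan 30
 ! RADIUS unreachable: keep hosts working in the access VLAN
 authentication event server dead action authorize vlan 10
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! Time until no-response fallback = (1 + max-reauth-req) * tx-period = 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ip access-group UNAUTH in
 spanning-tree portfast
```

Two caveats a practitioner will want. First, the answer to the ACL question: the static port ACL is not tied to the authentication state. It stays applied after a successful authentication unless the RADIUS server returns a downloadable ACL for that session, which then takes the place of the port ACL for that host; so if you use a restrictive pre-auth ACL like UNAUTH, the RADIUS policy for authenticated users must push a dACL (even a plain permit-all), or authenticated users inherit the PXE-only filter. Second, the PXE case does not need the dot1x timers tightened at all: with open mode the client's DHCP and TFTP traffic is forwarded from the first frame, and the 30-second fallback above only governs when a non-supplicant host is moved to the guest VLAN, which is why the two timer lines can stay at conservative values that supplicant-equipped hosts tolerate.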