NAC/802.1X support in access switches is all over the map

Many switches today support 802.1X authentication, a basic building block in NAC. The key question is what kind of access authenticated users can expect. In the six test scenarios we developed for this project, we uncovered major differences among products in terms of the conditions under which they'll grant access as well as what sort of access they'll permit.

In the first 802.1X scenario, a client (or supplicant, in 802.1X-speak) successfully gets authenticated and the switch places the client into a statically defined VLAN. All switches passed this basic test, in which the switch connected Juniper Odyssey supplicants to a Juniper Steel-Belted Radius server (see the 802.1X table).

The second scenario, involving so-called multi-auth, turned out to be the most problematic, with failures from the Cisco and Dell switches. In this scenario, there are multiple users attached to a single switch port and each must be authenticated before being granted access to the network. We attached multiple users using an unmanaged hub (a common use case in many corporate conference rooms where there's only one Ethernet drop). Other uses for multi-auth include IP phones (which sometimes have a two-port switch to attach a PC through the phone) and wireless LAN access points (especially so-called thin access points, which attach to a switch/controller and field associations from multiple wireless clients).

Most switches require that multi-auth be explicitly configured; the Extreme switch was the exception, needing no additional configuration. Once multi-auth was enabled, the Cisco and Dell switches authenticated the first user – but then allowed traffic from the second and subsequent users onto the network without authentication.

The physical-world analog of this behavior is "badge tailgating," in which someone with a door badge enters an office building and others follow while the door is open. The security implications are obvious.

Cisco says it strongly discourages customers from using multi-auth except for certain uses, such as an IP phone with a PC attached, and then encourages customers to segregate traffic onto different VLANs.

Strictly speaking, multi-auth is actually a violation of the IEEE's 802.1X standard. The spec's MAC relay function (the port access entity) includes a logical switch that's either on or off. There's no provision for a sort of "selective on/off" state that permits some frames but denies others (see Breaking the standards sidebar). 

Still, since there are common use cases for multi-auth, it's fairly widely supported. The danger, as our test results show, is that network managers may be lulled into a false sense of security, erroneously believing that enabling 802.1X will result in authentication for all traffic.
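One way to catch the tailgating failure described above in production is to correlate the switch's MAC address table with RADIUS accounting: any MAC forwarding on an 802.1X port that never produced an accounting Start record got in without authenticating. The script below is an added example, not part of the original article or any vendor's tooling; the MAC table dump, accounting records and port names are constructed sample data.

```python
import re

# Constructed sample data: a MAC-address-table dump from an access switch
# (dotted Cisco-style MAC notation) and RADIUS accounting Start records
# from the same switch (hyphenated Calling-Station-Id notation).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    0011.2233.6677    DYNAMIC     Gi1/0/5
  10    0011.2233.8899    DYNAMIC     Gi1/0/5
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
"""
ACCOUNTING = [
    "Acct-Status-Type=Start NAS-Port-Id=Gi1/0/5 Calling-Station-Id=00-11-22-33-44-55",
    "Acct-Status-Type=Start NAS-Port-Id=Gi1/0/7 Calling-Station-Id=00-AA-BB-CC-DD-01",
]
DOT1X_PORTS = {"Gi1/0/5", "Gi1/0/7"}   # ports where 802.1X is enabled

def norm_mac(mac):
    """Normalise any common MAC notation to lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Map port -> set of MACs the switch is currently forwarding for."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.]+)\s+\w+\s+(\S+)", line)
        if m:
            seen.setdefault(m.group(3), set()).add(norm_mac(m.group(2)))
    return seen

def parse_accounting(records):
    """Map port -> set of MACs for which RADIUS saw an accounting Start."""
    authed = {}
    for rec in records:
        kv = dict(field.split("=", 1) for field in rec.split())
        if kv.get("Acct-Status-Type") == "Start":
            authed.setdefault(kv["NAS-Port-Id"], set()).add(norm_mac(kv["Calling-Station-Id"]))
    return authed

def find_tailgaters(mac_table, records, dot1x_ports):
    """Return {port: [MACs forwarding without an authenticated session]}."""
    seen, authed = parse_mac_table(mac_table), parse_accounting(records)
    result = {}
    for port in sorted(dot1x_ports):
        unauthenticated = seen.get(port, set()) - authed.get(port, set())
        if unauthenticated:
            result[port] = sorted(unauthenticated)
    return result
```

Two MACs on Gi1/0/5 show up in the forwarding table with no matching accounting session, which is exactly the multi-auth failure mode observed in the test.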

The third scenario, involving dynamic VLANs, was far more straightforward. This scenario modeled networks in which a roving population of laptop users may plug into any switch port at random. The goal was for the switch to dynamically assign a switch port into a given VLAN after successful authentication.

All switches but one passed this test; the lone exception was Dell's PowerConnect 6248, which doesn't support dynamic VLAN assignment. Extreme's X450 goes the other way: not only did it pass this scenario, but it also allowed the supplicant to be placed into multiple untagged VLANs.
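Dynamic VLAN assignment works by the RADIUS server returning three tunnel attributes (RFC 3580, which builds on RFC 2868) in the Access-Accept: Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID carrying the VLAN. The encoder and decoder below are an added example, not code from the article, the test bed or any vendor; the attribute numbers and the tag-byte rule are from those RFCs, and VLAN 100 is a constructed value.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type value for VLAN (RFC 3580)
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type value for IEEE 802

def _avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def vlan_assignment_attrs(vlan, tag=0):
    """Attributes an Access-Accept carries to put the port into `vlan`.
    Tunnel-Type and Tunnel-Medium-Type are tagged integers: Tag(1) + Value(3);
    Tunnel-Private-Group-ID is Tag(1) + the VLAN number as an ASCII string."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"invalid VLAN id {vlan}")
    tagged_int = lambda v: bytes([tag]) + v.to_bytes(3, "big")
    return (_avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))

def parse_attrs(data):
    """Split a RADIUS attribute stream into (type, value) pairs."""
    pos, out = 0, []
    while pos < len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[pos + 2:pos + length]))
        pos += length
    return out

def vlan_from_attrs(data):
    """Return the VLAN (int, or name string) an Access-Accept assigns, or None
    when the three RFC 3580 attributes are not all present and consistent."""
    ttype = tmedium = group = None
    for t, v in parse_attrs(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            val = int.from_bytes(v[1:], "big")       # skip the tag byte
            if t == TUNNEL_TYPE:
                ttype = val
            else:
                tmedium = val
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868 rule: a leading byte <= 0x1F is a tag, anything larger
            # is already part of the string (so "100" sent untagged still parses)
            group = (v[1:] if v[0] <= 0x1F else v).decode()
    if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_802 or group is None:
        return None
    return int(group) if group.isdigit() else group
```

A switch that ignores any of the three attributes, or that trips over the optional tag byte, is the kind of implementation difference this scenario exposes.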

In the fourth scenario, we determined whether the switch could dynamically enable an access control list (ACL) upon successful authentication, governing where the client can and cannot go. As with dynamic VLAN allocation, dynamic ACLs can be useful with mobile work forces, where a given employee should gain access to specific resources regardless of location.

The Cisco, Extreme, Foundry and HP switches all support this feature. We needed to use an undocumented syntax to get dynamic ACLs to work with the HP switch, but the vendor says this has been corrected in currently shipping software (we did not verify this). Switches from Alcatel-Lucent, D-Link and Dell do not support this feature.

So far, all the 802.1X scenarios have covered situations where authentication succeeded. In our fifth scenario, we deliberately failed authentication to determine whether switches would place a client into a guest or restricted VLAN. This is a common requirement, not just for enterprise employees who mistype a password but also for visitors and contractors who may not have authentication credentials. All switches tested offer a guest VLAN capability without issue.

In our final test scenario, we looked for the switch to concurrently support non-802.1X clients as well as those with 802.1X support. For better or worse, 802.1X isn't yet pervasive. There are large numbers of networked devices such as printers that do not have 802.1X supplicant software. For this, it's desirable to have a feature Cisco calls "MAC authentication bypass."

All switches we tested, except two (from D-Link and Dell), support falling back to MAC authentication when a client doesn't support 802.1X. D-Link's 3650 does support MAC authentication, but not concurrently with 802.1X. Dell's PowerConnect 6248 does not support MAC authentication, although it can restrict access to a user-defined number of MAC addresses.

Cisco's Catalyst 3750E also supports three 802.1X scenarios we didn't test for. It can place non-802.1X clients into a special restricted VLAN, distinct from a guest VLAN for unauthorized or unremediated 802.1X clients. It can automatically fall back to Web-based authentication if 802.1X authentication doesn't occur within a given timeframe. And it can authenticate multiple devices on a port and place each in a different VLAN (this differs from the multi-auth case above, where all devices enter the same VLAN). We didn't test any of these additional capabilities.



Copyright © 2008 IDG Communications, Inc.
