d****i Posts: 1038 | 1 If I use a hub to connect multiple hosts to a port of an 802.1x enabled
switch/router, how can I authenticate each host/supplicant? Is there
any such solution? In Cisco IOS 12.0 and earlier, the multi-host mode of
802.1x will allow all the hosts to access the network if one of the hosts can
be authenticated.
What I wanted to do is, even if I use a hub, I want each host to be
authenticated individually. Can I achieve such an objective? I know in Ixia
test solution, on one port they can emula |
L******t Posts: 1985 | 2 I believe this basic function can be done by most if not all of current
devices.
[In reply to d****i]
|
d****i Posts: 1038 | 3 Actually, if you read the 802.1x standard, this function should not be
supported by a switch/router, although it should be supported in wireless
access points. Is there any standard/rfc/draft that can be used to support
this function and extends the standard? the requirement is switches/routers
have to use MAC addresses to identify different supplicants. I didn't see
Cisco has any mode in dot1x to support this kind of function from their
website and from my past experience on the cisco switches.
[In reply to L******t]
|
L******t Posts: 1985 | 4 It's called port-based authentication because 802.1x is originally designed
for wireless access in which a port is a user.
But technically speaking mac-based 802.1x is no more difficult than port-based
802.1x at all. I'm not sure if Cisco's Catalyst switches don't support
mac-based. Even if that's the case, I believe the reason being even Catalyst
desktop switches are designed for one port per user. So I guess it's easier
to find mac-based feature on lower-end vendors.
Just googled "mac based 802.1x
[In reply to d****i]
|
z**r Posts: 17771 | 5 .1x is just like that; you can add a MAC filter.
[In reply to d****i]
|
z**r Posts: 17771 | 6 I think you need NAC, which can be .1x based, L2 IP based or L3 IP based
[In reply to d****i]
|
d****i Posts: 1038 | 7 the document says "future firmware release". :P
I think zher is right, currently it may have to work together with NAC to
find a solution. Mac-based 802.1x is still under project planning at vendors
or may have some proprietary solutions not in any standard track yet.
anyway, thanks.
[In reply to L******t]
|
d****i Posts: 1038 | 8 thanks, will go to cisco site to further check your nac solutions.
[In reply to z**r]
|
d****i Posts: 1038 | 9 found it:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008044cbc5.html#wp1066402
it is cisco's vpn access control using 802.1x.
hehe
[In reply to d****i]
|
d****i Posts: 1038 | 10 en, you are also right. on cisco switches, now they support multiple
authentication mode, which is cisco proprietary:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801dd679.html#wp1032759
"You can specify multiple authentications so that more than one host can
gain access to an 802.1x port. Multiple authentication is Cisco proprietary
and allows multiple dot1x-hosts on a port; every host is authenticated
separately."
[In reply to L******t]
|
z**r Posts: 17771 | 11 cool, thanks for sharing
[In reply to d****i]
|
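The difference between the multi-host mode and the multiple-authentication mode discussed in this thread, as an added example that is not part of any post and not Cisco's code: a constructed Python model of the authenticator's forwarding decision for hosts behind one hub. The names `Port`, `piggybackers` and `scenario`, the mode labels and the MAC addresses (documentation range) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MULTI_HOST = "multi-host"  # one authenticated supplicant opens the port for all
MULTI_AUTH = "multi-auth"  # each source MAC must authenticate on its own

@dataclass
class Port:
    """Constructed model of one 802.1X authenticator port (not vendor code)."""
    host_mode: str
    authorized: set = field(default_factory=set)

    def eap_success(self, mac: str) -> None:
        self.authorized.add(mac.lower())

    def eapol_logoff(self, mac: str) -> None:
        self.authorized.discard(mac.lower())

    def forwards(self, src_mac: str) -> bool:
        """Decide whether a data frame from src_mac passes the port."""
        if self.host_mode == MULTI_HOST:
            return bool(self.authorized)  # port-level state only
        if self.host_mode == MULTI_AUTH:
            return src_mac.lower() in self.authorized  # per-MAC state
        raise ValueError(f"unknown host mode: {self.host_mode}")

def piggybackers(port: Port, frame_sources: list) -> list:
    """Source MACs whose frames pass although they never authenticated."""
    found = []
    for src in (s.lower() for s in frame_sources):
        if port.forwards(src) and src not in port.authorized and src not in found:
            found.append(src)
    return found

# Constructed sample: three hosts behind one hub; only HOST_A has credentials.
HOST_A, HOST_B, HOST_C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
FRAMES = [HOST_A, HOST_B, HOST_C, HOST_B]

def scenario(host_mode: str) -> dict:
    port = Port(host_mode)
    before = [port.forwards(m) for m in (HOST_A, HOST_B, HOST_C)]
    port.eap_success(HOST_A)
    leaked = piggybackers(port, FRAMES)
    port.eapol_logoff(HOST_A)
    still_open = any(port.forwards(m) for m in (HOST_A, HOST_B, HOST_C))
    return {"before": before, "piggybackers": leaked, "open_after_logoff": still_open}

if __name__ == "__main__":
    for mode in (MULTI_HOST, MULTI_AUTH):
        print(mode, scenario(mode))
```

In the multi-host run the two hosts that never authenticated are reported as passing traffic; in the multi-auth run the list is empty, which is the per-host behaviour the original question asks for.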