topic RE: Can 802.1x multiple supplicant support be disabled? in ExtremeSwitching (EXOS/Switch Engine)

Can 802.1x multiple supplicant support be disabled?

EtherNation_Use — Wed, 08 Jan 2014 06:02:00 GMT

Create Date: May 31 2013 2:05PM

The EXOS 15.3 concepts guide says:

"An important enhancement over the IEEE 802.1x standard is that ExtremeXOS supports multiple clients(supplicants) to be individually authenticated on the same port.

As I understand it, 802.1x says that what's controlled is the physical layer. The port is either authenticated, or not. If there's another switch attached to that port, and there are a dozen clients connected through that switch, that doesn't matter. Once the port is authenticated, it's authenticated for anything with physical access to that port. What happens at layer 2 is irrelevant.

But, EXOS has "enhanced" this to track authentication on a per-MAC basis. It maintains a list of all the MACs seen on the port (from the FDB, I imagine), and for each one, tracks if it's authenticated or not. Frames from an unauthenticated MAC are dropped.

What if I want to disable this "enhancement"? Is there a way to behave according to the 802.1x standard, and enable the *whole* port once it's authenticated? (from Phil_Frost)

RE: Can 802.1x multiple supplicant support be disabled?

EtherNation_Use — Wed, 08 Jan 2014 06:03:00 GMT

Create Date: Jun 6 2013 11:00PM

Hey bitglue

can you tell me if you are using isp mode or campus mode? ISP mode is where the port stays in a VLAN and the user is just authenticated. Campus mode is where we send VSAs to move the user to another VLAN once authenticated

The concepts guides states "Multiple supplicants are supported in ISP mode for web-based, 802.1x, and MAC-based authentication."
"In addition, multiple supplicants are supported in Campus mode if you configure and enable network"
"login MAC-based VLANs. For more information, see Configuring Network Login MAC-Based VLANs."

You may be able to do this in campus mode. If not a colleague of mine wrote a script that would essentially disable .1x after a user gets authenticated allowing other devices to just come on board. once there is a link failure the script re-enables .1x so the next user would get authenticated.

Let me know your thoughts.

P
(from Paul_Russo)

RE: Can 802.1x multiple supplicant support be disabled?

EtherNation_Use — Wed, 08 Jan 2014 06:03:00 GMT

Create Date: Jun 10 2013 3:51PM

I am using ISP mode. Are you saying that in campus mode, I get the behavior specified by 802.1X?I'd be reluctant to rely on a script to disable/enable 802.1X to work around this. That seems likely to open the network security to a huge, new class of attacks and failures. (from Phil_Frost)

RE: Can 802.1x multiple supplicant support be disabled?

EtherNation_Use — Wed, 08 Jan 2014 06:03:00 GMT

Create Date: Jun 11 2013 4:30PM

bitglue wrote:
The EXOS 15.3 concepts guide says:

"An important enhancement over the IEEE 802.1x standard is that ExtremeXOS supports multiple clients(supplicants) to be individually authenticated on the same port.

As I understand it, 802.1x says that what's controlled is the physical layer. The port is either authenticated, or not. If there's another switch attached to that port, and there are a dozen clients connected through that switch, that doesn't matter. Once the port is authenticated, it's authenticated for anything with physical access to that port. What happens at layer 2 is irrelevant.

But, EXOS has "enhanced" this to track authentication on a per-MAC basis. It maintains a list of all the MACs seen on the port (from the FDB, I imagine), and for each one, tracks if it's authenticated or not. Frames from an unauthenticated MAC are dropped.

What if I want to disable this "enhancement"? Is there a way to behave according to the 802.1x standard, and enable the *whole* port once it's authenticated?configure netlogin ports (portlist) mode mac-based-vlans for the enhanced per-MAC authentication
configure netlogin ports (portlist) mode port-based-vlans for the original 802.1x physical layer authentication.

Does this work for you? I might have misunderstood the question.

(from Luis_Coelho)