This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forÂ
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- Can 802.1x multiple supplicant support be disabled...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Can 802.1x multiple supplicant support be disabled?
Can 802.1x multiple supplicant support be disabled?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:02 PM
Create Date: May 31 2013 2:05PM
The EXOS 15.3 concepts guide says:
"An important enhancement over the IEEE 802.1x standard is that ExtremeXOS supports multiple clients(supplicants) to be individually authenticated on the same port.
As I understand it, 802.1x says that what's controlled is the physical layer. The port is either authenticated, or not. If there's another switch attached to that port, and there are a dozen clients connected through that switch, that doesn't matter. Once the port is authenticated, it's authenticated for anything with physical access to that port. What happens at layer 2 is irrelevant.
But, EXOS has "enhanced" this to track authentication on a per-MAC basis. It maintains a list of all the MACs seen on the port (from the FDB, I imagine), and for each one, tracks if it's authenticated or not. Frames from an unauthenticated MAC are dropped.
What if I want to disable this "enhancement"? Is there a way to behave according to the 802.1x standard, and enable the *whole* port once it's authenticated? (from Phil_Frost)
The EXOS 15.3 concepts guide says:
"An important enhancement over the IEEE 802.1x standard is that ExtremeXOS supports multiple clients(supplicants) to be individually authenticated on the same port.
As I understand it, 802.1x says that what's controlled is the physical layer. The port is either authenticated, or not. If there's another switch attached to that port, and there are a dozen clients connected through that switch, that doesn't matter. Once the port is authenticated, it's authenticated for anything with physical access to that port. What happens at layer 2 is irrelevant.
But, EXOS has "enhanced" this to track authentication on a per-MAC basis. It maintains a list of all the MACs seen on the port (from the FDB, I imagine), and for each one, tracks if it's authenticated or not. Frames from an unauthenticated MAC are dropped.
What if I want to disable this "enhancement"? Is there a way to behave according to the 802.1x standard, and enable the *whole* port once it's authenticated? (from Phil_Frost)
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:03 PM
Create Date: Jun 11 2013 4:30PM
bitglue wrote:
The EXOS 15.3 concepts guide says:
"An important enhancement over the IEEE 802.1x standard is that ExtremeXOS supports multiple clients(supplicants) to be individually authenticated on the same port.
As I understand it, 802.1x says that what's controlled is the physical layer. The port is either authenticated, or not. If there's another switch attached to that port, and there are a dozen clients connected through that switch, that doesn't matter. Once the port is authenticated, it's authenticated for anything with physical access to that port. What happens at layer 2 is irrelevant.
But, EXOS has "enhanced" this to track authentication on a per-MAC basis. It maintains a list of all the MACs seen on the port (from the FDB, I imagine), and for each one, tracks if it's authenticated or not. Frames from an unauthenticated MAC are dropped.
What if I want to disable this "enhancement"? Is there a way to behave according to the 802.1x standard, and enable the *whole* port once it's authenticated?configure netlogin ports (portlist) mode mac-based-vlans for the enhanced per-MAC authentication
configure netlogin ports (portlist) mode port-based-vlans for the original 802.1x physical layer authentication.
Does this work for you? I might have misunderstood the question.
(from Luis_Coelho)
bitglue wrote:
The EXOS 15.3 concepts guide says:
"An important enhancement over the IEEE 802.1x standard is that ExtremeXOS supports multiple clients(supplicants) to be individually authenticated on the same port.
As I understand it, 802.1x says that what's controlled is the physical layer. The port is either authenticated, or not. If there's another switch attached to that port, and there are a dozen clients connected through that switch, that doesn't matter. Once the port is authenticated, it's authenticated for anything with physical access to that port. What happens at layer 2 is irrelevant.
But, EXOS has "enhanced" this to track authentication on a per-MAC basis. It maintains a list of all the MACs seen on the port (from the FDB, I imagine), and for each one, tracks if it's authenticated or not. Frames from an unauthenticated MAC are dropped.
What if I want to disable this "enhancement"? Is there a way to behave according to the 802.1x standard, and enable the *whole* port once it's authenticated?configure netlogin ports (portlist) mode mac-based-vlans for the enhanced per-MAC authentication
configure netlogin ports (portlist) mode port-based-vlans for the original 802.1x physical layer authentication.
Does this work for you? I might have misunderstood the question.
(from Luis_Coelho)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:03 PM
Create Date: Jun 10 2013 3:51PM
I am using ISP mode. Are you saying that in campus mode, I get the behavior specified by 802.1X?I'd be reluctant to rely on a script to disable/enable 802.1X to work around this. That seems likely to open the network security to a huge, new class of attacks and failures. (from Phil_Frost)
I am using ISP mode. Are you saying that in campus mode, I get the behavior specified by 802.1X?I'd be reluctant to rely on a script to disable/enable 802.1X to work around this. That seems likely to open the network security to a huge, new class of attacks and failures. (from Phil_Frost)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:03 PM
Create Date: Jun 6 2013 11:00PM
Hey bitglue
can you tell me if you are using isp mode or campus mode? ISP mode is where the port stays in a VLAN and the user is just authenticated. Campus mode is where we send VSAs to move the user to another VLAN once authenticated
The concepts guides states "Multiple supplicants are supported in ISP mode for web-based, 802.1x, and MAC-based authentication."
"In addition, multiple supplicants are supported in Campus mode if you configure and enable network"
"login MAC-based VLANs. For more information, see Configuring Network Login MAC-Based VLANs."
You may be able to do this in campus mode. If not a colleague of mine wrote a script that would essentially disable .1x after a user gets authenticated allowing other devices to just come on board. once there is a link failure the script re-enables .1x so the next user would get authenticated.
Let me know your thoughts.
P
(from Paul_Russo)
Hey bitglue
can you tell me if you are using isp mode or campus mode? ISP mode is where the port stays in a VLAN and the user is just authenticated. Campus mode is where we send VSAs to move the user to another VLAN once authenticated
The concepts guides states "Multiple supplicants are supported in ISP mode for web-based, 802.1x, and MAC-based authentication."
"In addition, multiple supplicants are supported in Campus mode if you configure and enable network"
"login MAC-based VLANs. For more information, see Configuring Network Login MAC-Based VLANs."
You may be able to do this in campus mode. If not a colleague of mine wrote a script that would essentially disable .1x after a user gets authenticated allowing other devices to just come on board. once there is a link failure the script re-enables .1x so the next user would get authenticated.
Let me know your thoughts.
P
(from Paul_Russo)
