NAP 802.1X deployment on thousands of hosts, not enough VLAN-switching switches...

  • General discussion

  • So for the ideal NAP 802.1X environment, on the switch hardware side, a single port is needed for each host and a direct cable/port from the host to a VLAN-switching switch (since dot1x HostMode MULTI_HOST on the switch will not work with VLAN switching: when one host is non-compliant, the port switches to the non-compliant VLAN, or if one host fails authentication, the port becomes unauthorized for all hosts). Is there any way to make the NAP 802.1X solution possible (more affordable) with fewer VLAN-switching switches that branch out to normal switches or hubs?
    Friday, May 15, 2009 11:19 PM

All replies

  • Hi,

    You are correct that multiple hosts on a single port can result in problems with 802.1X. You might be interested in looking at 802.1X-REV, which will have better support for multiple users on the same port. Another possibility is per-user ACLs.

    Monday, May 18, 2009 9:52 PM
  • What I would recommend is looking into the HP ProCurve 2910al switches, which allow multiple (up to 8) 802.1X authentications per port. I have tested this and it works great! I plugged a D-Link unmanaged switch into port 4, which is set to a limit of 8 dot1x clients. All clients HAVE to authenticate, and users can't piggy-back off the first user's connection.

    I am also aware that the Cisco 2960 and 3560 series have the same feature, but I prefer the HP since it is cheaper. The only problem is that all users have to be on the same VLAN, since an unmanaged switch doesn't handle VLAN tagging.
    Tuesday, May 19, 2009 10:46 PM
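    As an added example (not configuration posted by anyone in this thread), here is what the per-port behaviour described in the reply above looks like in switch configuration. The interface names, VLAN numbers, RADIUS server address, shared secret and client limit are assumptions for illustration; the Cisco IOS `authentication host-mode` command set and the HP ProCurve `client-limit` syntax are quoted from memory and depend on platform and software release, so verify them against the switch's own documentation and with `show authentication sessions` on the device.

```cisco
! Added example, not from any poster in this thread. Interface names, VLAN
! numbers, the RADIUS server and the client limit are assumptions.
!
! Global 802.1X / RADIUS setup: NAP (NPS) returns the compliant or restricted
! VLAN as RADIUS attributes, which the switch only honours with network
! authorization enabled.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ChangeMe
dot1x system-auth-control
!
! --- Weak setting: multi-host ---
! The first supplicant to authenticate opens the port for every MAC behind
! it, so devices hanging off an unmanaged switch piggy-back on that one
! session, and that session's failure or re-authentication affects everyone
! on the port.
interface GigabitEthernet0/4
 description unmanaged-switch-uplink (multi-host: avoid)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
!
! --- Corrected setting: multi-auth ---
! Each MAC behind the port must complete its own 802.1X exchange, and one
! client's failure does not de-authorize the others. The trade-off noted in
! the reply stays: frames from an unmanaged switch arrive untagged, so every
! client shares the port's data VLAN; if NPS assigns a different VLAN to a
! later client (e.g. the restricted VLAN), that client is not authorized
! rather than moved, so quarantine by VLAN still needs one host per port.
interface GigabitEthernet0/5
 description unmanaged-switch-uplink (multi-auth)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-auth
 dot1x pae authenticator
!
! --- PC daisy-chained behind an IP phone ---
! The default single-host mode treats a second MAC on the port as a security
! violation; multi-domain allows exactly one voice device and one data
! device, each authenticated separately.
interface GigabitEthernet0/6
 description ip-phone-with-pc
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication port-control auto
 authentication host-mode multi-domain
 dot1x pae authenticator
!
! --- HP ProCurve equivalent of the 8-client limit from the reply ---
! (ProCurve CLI, quoted from memory; verify against the 2910al manual.)
!   aaa port-access authenticator 4
!   aaa port-access authenticator 4 client-limit 8
!   aaa port-access authenticator active
```

    On Cisco platforms that predate the `authentication` command set, the same modes are spelled `dot1x port-control auto` and `dot1x host-mode {single-host | multi-host}`; `multi-auth` and `multi-domain` are not available there, which matches the 3550 results reported later in this thread.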
  • 802.1X-REV is currently not a publicly released product, is it? Is this something that only the switch hardware vendor would need to implement on the switch, or do 802.1X software solution developers have to do anything to support this?

    I'll look into per-user ACLs...
    Thursday, May 21, 2009 9:04 PM
  • I'm working with the 3550 and 3750...
    Surprised to hear that multiple authentications per port on the 2910al work for you; doesn't the port lock up when one of the users fails authentication? I'll give this a try on the 3550 without VLANs and see how it goes; it didn't work in the VLAN case, I've tried this.

    I guess not having VLANs really defeats the purpose of NAP; how will non-compliant clients be quarantined into restricted networks to get updates, etc.?
    Thursday, May 21, 2009 9:12 PM
  • Is the multiport authentication issue still true as of today (2011) with the latest NPS (2008 R2) and the latest Cisco 2960 switch IOS versions?


    (Our PCs are networked directly through Cisco IP Phones (7942)... and indeed the switch ports become locked when a second authentication is made.)

    Thursday, June 23, 2011 7:16 AM
  • I had to do some 802.1X-related tasks a few weeks back, so I have some info to share.

    I don't have a 2960, so I don't know about this model, but for the Cisco 3550, SG-200 and 2950 I've downloaded and loaded the latest IOS (versions listed below), and multiple clients per port is still not working. I also had difficulty finding dot1x switch models with 802.1X-2010 or 802.1X-REV support.

    The Netgear FSM726v1 is interesting; its dot1x port control has "Auto (per mac)" and "Auto (per port)" settings. I couldn't find in the documentation what "Auto (per mac)" does, but at this setting clients are authenticated yet traffic does not flow through. I've wasted 2 weeks waiting for support, but they still haven't answered my question on this topic: "Auto (per mac)".

    --- latest ios / firmware version as of march 2012 ---
    Cisco3550#show version
    Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(44)SE6

    cisco sg-200-08
    Firmware Version:

    cisco2950#show version
    IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA14, RELEASE SOFTWARE (fc1)

    netgear fsm726v1

    Thursday, April 19, 2012 4:52 PM