Re: 3550 - 802.1x Port based Authentication

From: Daniel Sheedy (dansheedy@gmx.net)
Date: Tue Sep 09 2003 - 05:43:24 GMT-3


Hi dt,

We've played around with it a little in our test labs here, and though I
would not say I am an expert by any means, here is what I have understood to
be happening with dot1x.

The client computer connects to the switch. The switch is configured with
802.1x configuration and notices that someone is trying to attach to a
secure port. It asks the laptop who it is, issuing a challenge to the
machine.

Now, at this point, it depends on how the machine is actually set up. It can
use two ways to authenticate. It can use a certificate that is stored on
the machine, or it can use a login name and password to authenticate the actual
user. Depending on which way you go, you will need to set up on your Radius
Server either a machine account or a user account, plus add in the
certificates in the Active Directory.. blah blah blah...
Windows 2K and XP both have available a dot1x client and I couldn't really
comment on *nix, though I am sure they have something available. You will
need this client if you want to actually authenticate the user.

The switch gets the details from the client/machine, passes them to the
Radius Server, which checks it all out and then sends back a yes or a no
answer, plus some other configuration details. These details can include
which vlan the user will be put into and other delightful stuff. So, two
different users authenticating into the same port can effectively be put
into different Vlans, depending on which group they belong to.

The switch passes the config information to the client, opens the port and
everything is happy for the end user.

If anyone could clear up any points that I am not too concise on, or just
plain wrong, please feel free. :)

Daniel Sheedy
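To put the sequence above into switch terms, here is an added example of a minimal Catalyst 3550 port-based 802.1x configuration against a RADIUS server, with the RADIUS attributes the server has to return for the per-user VLAN placement described above; it is my own example, not configuration from this thread or from the 3550 config guide. The server address 192.0.2.10, the shared-secret placeholder, the VLAN name SALES and the port FastEthernet0/1 are assumptions.

```cisco
! Added example (not from the thread): 802.1x port-based authentication
! on a Catalyst 3550 with RADIUS and dynamic VLAN assignment.
! Assumed values: RADIUS server 192.0.2.10, secret <shared-secret>,
! VLAN name SALES (the VLAN must already exist on the switch).
!
aaa new-model
! dot1x (EAP) requests are authenticated against the RADIUS server group
aaa authentication dot1x default group radius
! without network authorization the VLAN returned by RADIUS is ignored
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
! globally enable 802.1x on the switch
dot1x system-auth-control
!
interface FastEthernet0/1
 ! dot1x only works on access ports
 switchport mode access
 ! "auto": the port passes only EAPOL until the RADIUS server says yes;
 ! "force-authorized" (the default) would bypass authentication entirely
 dot1x port-control auto
!
! verify the port state with: show dot1x interface FastEthernet0/1
!
! Attributes the RADIUS Access-Accept must carry to place the client
! into VLAN SALES (VLAN name, not number):
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = 802 (6)
!   Tunnel-Private-Group-ID (81) = SALES
```

If the Access-Accept comes back without those three attributes, the port is simply opened in the VLAN configured on the interface.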

----- Original Message -----
From: "ccie2be" <ccie2be@nyc.rr.com>
To: "Group Study" <ccielab@groupstudy.com>; "Tim Ross" <ross2k@pclv.com>
Sent: Tuesday, September 09, 2003 2:23 AM
Subject: Re: 3550 - 802.1x Port based Authentication

> Thanks, Tim for getting back to me. The link you included seems to be
> essentially the same as the what's in the 3550 config guide. Unfortunately,
> neither of these two documents addresses the question of what information
> from the device is used to verify the "identity" - all it says is. "When the
> client supplies its identity, the switch begins its role as the intermediary,
> passing EAP frames between the client and the authentication server until
> authentication succeeds or fails."
>
> I didn't see anything in the document that defines what is meant by
> "identity". So, I don't know if identity means a username and password or
> a mac address or something else altogether.
>
> But, thanks just the same and if you happen to know more about this, I
> hope you share.
>
> dt



This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:25 GMT-3