From: iwan (iwan@i-lusion.nl)
Date: Tue Sep 09 2003 - 06:03:59 GMT-3
Hi CCIE2BE,
here is my point of view about this:
We have the following devices:
CLIENT
CAT 3550
RADIUS or TACACS SERVER
The client and the Radius server are connected to the switch.
The meaning is that the client is authenticated by the Radius server (this can
be done by a key or a username in combination with a key).
The switch's 802.1x authentication purely passes the info in EAP frames to
the radius server.
You can configure the port of the switch where the client is connected into
3 states:
Cat3550-1(config-if)#dot1x port-control ?
auto Authenticate automatically
force-authorized Force port to authorized state
force-unauthorized Force port to unauthorized state
If you put it on auto, the data is passed to the switch; in auto mode the
client will try to authenticate and the switch will pass the data to the
radius ... if the credentials are right then the port will be open for data
transmitting.
If the credentials are not right the port will be shut down.
If the port is in force-authorized then the port is always open; even if the
credentials are wrong the switchport stays open.
If the port is in force-unauthorized the switchport will be closed and will
not even try to bother the radius server with information.
This is what I am understanding of the whole dot1x story.
Please let me know if I am right, group ... and CCIE2BE
Iwan Hoogendoorn
MCSA,MCSE, MCDBA, CCA, CCNA, CCIE (Written)
Tel : +31 6 47954616
E-mail : iwan@i-lusion.nl
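
The three port-control modes from the message above, placed in a minimal Catalyst 3550 configuration. This is an added example, not part of the original thread. The RADIUS address, shared secret and interface numbers are constructed placeholders, and `dot1x system-auth-control` assumes an IOS release that has the global enable command.

```cisco
! Global: enable AAA and send 802.1x authentication to RADIUS
aaa new-model
aaa authentication dot1x default group radius
! Assumption: release with the global 802.1x enable command
dot1x system-auth-control
! Constructed placeholder server address and shared secret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
!
! Client port: closed to data until the RADIUS server accepts the client
interface FastEthernet0/1
 description 802.1x client
 switchport mode access
 dot1x port-control auto
!
! RADIUS server port: always open, no 802.1x exchange required
interface FastEthernet0/2
 description RADIUS server
 switchport mode access
 dot1x port-control force-authorized
!
! Blocked port: stays unauthorized, client authentication attempts are ignored
interface FastEthernet0/3
 description blocked port
 switchport mode access
 dot1x port-control force-unauthorized
!
! Check the resulting port state from privileged EXEC:
!   show dot1x interface fastethernet0/1
```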
________________________________
From: nobody@groupstudy.com on behalf of ccie2be
Sent: Tue 9/9/2003 2:23 AM
To: Group Study; Tim Ross
Subject: Re: 3550 - 802.1x Port based Authentication
Thanks, Tim for getting back to me. The link you included seems to be
essentially the same as what's in the 3550 config guide. Unfortunately,
neither of these two documents addresses the question of what information
from the device is used to verify the "identity" - all it says is, "When the
client supplies its identity, the switch begins its role as the intermediary,
passing EAP frames between the client and the authentication server until
authentication succeeds or fails."
I didn't see anything in the document that defines what is meant by
"identity". So, I don't know if identity means a username and password or a
mac address or something else altogether.
But, thanks just the same and if you happen to know more about this, I hope
you share.
dt
----- Original Message -----
From: Tim Ross
To: ccie2be ; Group Study
Sent: Monday, September 08, 2003 7:57 PM
Subject: Re: 3550 - 802.1x Port based Authentication
Take a look at:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1216ea2b/scg/swg8021x.htm
You authenticate to a Radius server. Especially useful on wireless LANs and
public access areas.
Tim
----- Original Message -----
From: ccie2be
To: Group Study
Sent: Monday, September 08, 2003 2:42 PM
Subject: 3550 - 802.1x Port based Authentication
Hi,
I'd like to verify that I correctly understand what the 3550 config guide is
saying regarding the above.
802.1x is used to authenticate the actual device (the client) as opposed to
the user. As such the device can be any type of ethernet attached device
including printers. Also, it seems like no user input is needed when using
802.1x authentication. Please let me know if all these statements are True or
False.
Also, the config guide doesn't mention what information is used to
authenticate the client. My guess is that it's probably the device's mac
address, but really I have no idea. For all I know, it could be a password
preconfigured on the device or maybe even some combo of different parameters.
If someone knows how this works, please help me out.
Thanks very much, dt
_______________________________________________________________________
You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html