From: Jonathan V Hays (jhays@jtan.com)
Date: Tue Sep 09 2003 - 12:30:24 GMT-3
For groupstudy members without a customer account, here is a public URL
to the same article.
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_online_exclusive09186a00800a5cab.html
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
McClure, Allen
Sent: Tuesday, September 09, 2003 10:58 AM
To: Group Study
Subject: RE: 3550 - 802.1x Port based Authentication
Daniel nailed it, but here's a good brief doc on it.
http://www.cisco.com/en/US/customer/about/ac123/ac114/about_cisco_online_exclusive09186a00800a5cab.html
Allen G. McClure
CCNP/CCDP/MCSE
Yum! Brands, Inc.
Sr. Network Analyst
allen.mcclure@yum.com
-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Tuesday, September 09, 2003 9:02 AM
To: Group Study; Daniel Sheedy
Subject: Re: 3550 - 802.1x Port based Authentication
Hi Daniel,
Thanks for your response and thanks to the others who also provided help
on those questions about 802.1x. I'm glad to finally understand what's
going on with this. It would have been nice if the 3550 documentation
explained this more thoroughly, but fortunately, there are people like
you and group study to fill in the blanks when the documentation is a
little light.
dt
----- Original Message -----
From: "Daniel Sheedy" <dansheedy@gmx.net>
To: <ccielab@groupstudy.com>
Cc: "ccie2be" <ccie2be@nyc.rr.com>
Sent: Tuesday, September 09, 2003 4:43 AM
Subject: Re: 3550 - 802.1x Port based Authentication
> Hi dt,
>
> We've played around with it a little in our test labs here, and though
> I would not say I am an expert by any means, here is what I have
> understood to be happening with dot1x.
>
> The client computer connects to the switch. The switch is configured
> with 802.1x configuration and notices that someone is trying to attach
> to a secure port. It asks the laptop who it is, issuing a challenge
> to the machine.
>
> Now, at this point, it depends on how the machine is actually setup.
> It can use two ways to authenticate. It can use a certificate that is
> stored on the machine, or it can use a login name and password to
> authenticate the actual user. Depending on which way you go, you will
> need to set up on your Radius Server either a machine account or a user
> account, plus add in the certificates in the Active Directory.. blah
> blah blah... Windows 2K and XP both have available a dot1x client and I
> couldn't really comment on *nix, though I am sure they have something
> available. You will need this client if you want to actually
> authenticate the user.
>
> The switch gets the details from the client/machine, passes them to
> the Radius Server, which checks it all out and then sends back a yes
> or a no answer, plus some other configuration details. These details
> can include which vlan the user will be put into and other delightful
> stuff. So, two different users authenticating into the same port can
> effectively be put into different Vlans, depending on which group they
> belong to.
>
> The switch passes the config information to the client, opens the port
> and everything is happy for the enduser.
>
> If anyone could clear up any points that I am not too concise on, or
> just plain wrong, please feel free. :)
>
> Daniel Sheedy
>
>
> ----- Original Message -----
> From: "ccie2be" <ccie2be@nyc.rr.com>
> To: "Group Study" <ccielab@groupstudy.com>; "Tim Ross" <ross2k@pclv.com>
> Sent: Tuesday, September 09, 2003 2:23 AM
> Subject: Re: 3550 - 802.1x Port based Authentication
>
>
> > Thanks, Tim for getting back to me. The link you included seems to
> > be essentially the same as what's in the 3550 config guide.
> > Unfortunately, neither of these two documents addresses the question
> > of what information from the device is used to verify the "identity";
> > all it says is: "When the client supplies its identity, the switch
> > begins its role as the intermediary, passing EAP frames between the
> > client and the authentication server until authentication succeeds or
> > fails."
> >
> > I didn't see anything in the document that defines what is meant by
> > "identity". So, I don't know if identity means a username and
> > password or a MAC address or something else altogether.
> >
> > But, thanks just the same and if you happen to know more about this,
> > I hope you share.
> >
> > dt
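The flow Daniel describes (identity challenge, switch relaying to RADIUS, Access-Accept carrying the VLAN, port opening or staying blocked) as an added example model, not code from the thread or from Cisco. It abstracts the EAP method down to a username/password check and uses a constructed user database and constructed VLAN numbers; a real deployment would run EAP-TLS or PEAP and return the VLAN in a RADIUS tunnel attribute.

```python
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac

# Constructed RADIUS user store: identity -> (password hash, group); group -> VLAN.
USERS = {
    "alice": (hashlib.sha256(b"alice-pw").hexdigest(), "engineering"),
    "bob": (hashlib.sha256(b"bob-pw").hexdigest(), "finance"),
}
GROUP_VLAN = {"engineering": 10, "finance": 20}


def radius_authenticate(identity, password):
    """Authentication server: ('Access-Accept', vlan) or ('Access-Reject', None)."""
    record = USERS.get(identity)
    if record is None:
        return ("Access-Reject", None)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(digest, record[0]):  # constant-time comparison
        return ("Access-Reject", None)
    # In practice the VLAN rides back in Tunnel-Private-Group-ID on the Accept.
    return ("Access-Accept", GROUP_VLAN[record[1]])


@dataclass
class SwitchPort:
    """Authenticator state for one 3550-style dot1x access port."""
    authorized: bool = False
    vlan: Optional[int] = None
    log: list = field(default_factory=list)

    def connect(self, supplicant):
        # Switch sends EAP-Request/Identity; supplicant answers with its identity.
        identity = supplicant["identity"]
        self.log.append(f"EAP-Response/Identity from {identity}")
        # Switch wraps the EAP exchange in RADIUS and relays it to the server.
        result, vlan = radius_authenticate(identity, supplicant["password"])
        self.log.append(f"RADIUS {result}")
        # Accept: port opens in the assigned VLAN. Reject: port stays blocked.
        self.authorized = result == "Access-Accept"
        self.vlan = vlan if self.authorized else None
        return self.authorized, self.vlan

    def disconnect(self):
        self.authorized, self.vlan = False, None


def demo():
    """Two users on the same port land in different VLANs; bad creds stay blocked."""
    port = SwitchPort()
    results = [port.connect({"identity": "alice", "password": "alice-pw"})]
    port.disconnect()
    results.append(port.connect({"identity": "bob", "password": "bob-pw"}))
    port.disconnect()
    results.append(port.connect({"identity": "bob", "password": "wrong"}))
    return results
```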
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:25 GMT-3