From: Scott Morris (swm@emanon.com)
Date: Fri Dec 08 2006 - 09:09:31 ART
You're looking at a scenario where the switch is doing the port-based
authentication. In that case, the wireless AP looks like a client (although
it may be configured in bridge-mode and passthrough). In that example, they
may be correct that one authentication opens up the port for multiple hosts.
Just depends on your config.
In real life, however, it's better to have the AP actually do the 802.1X
authentication because it handles it within the association side and will
determine on a per-client basis who gets in and who does not.
The doc you were reading was a Cat6000 deployment doc, so their perspective
will always be the switch and not an "actual" or "good" deployment model for
wireless.
In wireless deployments I've done, there's always been the AP doing the
authentication and communicating directly with the RADIUS server. The
switch has not been a part of that.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Raj
Bansal
Sent: Friday, December 08, 2006 1:18 AM
To: ccielab@groupstudy.com
Subject: wireless port and 802.1x
Good day..
1. Reading the documentation on cco on Access Points and dot1x
authentication, it says one of the clients authenticates and gets authorized
and rest of the clients flow through.
*********
Something sounds broken here. If one client connects and the rest of the
clients flow through, isn't this a bad design or option? I.e., why even do
this?
2. When a client logs off, port becomes unauthorized. Then it says the
access point manages the authentication of its clients.
***
So little lost here. In 1, we use a client that gets authorized and gets
connected and opens the path for the rest. Where does the Access Point come in
this?
If client 1 disconnects, AP now starts authenticating.
Appreciate any feedback I can get. This is the doc I was reading:
http://cio.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/dot1x.htm
thanks.
Raj
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART
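
A simplified model of the two behaviours discussed in this thread, added here as an example and not taken from either poster or from the Cisco document: it replays a constructed event list against a port that opens for every host once one client authenticates, and against per-client authentication as an AP would do it, and reports which unauthenticated MACs had traffic forwarded. The mode names, event names and MAC addresses are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not Cisco's implementation.
# Mode names, event names and MAC addresses are constructed for this example.

CLIENT_1 = "02:00:00:00:00:01"   # authenticates via 802.1X
CLIENT_2 = "02:00:00:00:00:02"   # never authenticates

# Constructed event sequence: (event kind, source MAC)
EVENTS = [
    ("frame", CLIENT_1),          # before any authentication
    ("auth-success", CLIENT_1),
    ("frame", CLIENT_1),
    ("frame", CLIENT_2),          # unauthenticated host behind the same port
    ("logoff", CLIENT_1),
    ("frame", CLIENT_2),          # after the authenticated client logged off
]


def replay(mode, events):
    """Replay events against one port and classify every data frame.

    mode "multi-host": one successful authentication authorizes the port
    for all attached hosts; logoff of that client deauthorizes the port.
    mode "per-client": each MAC must authenticate on its own (AP model).
    """
    if mode not in ("multi-host", "per-client"):
        raise ValueError("unknown mode: %r" % mode)
    authed = set()                # MACs that completed authentication
    result = {"forwarded": [], "piggybacked": [], "dropped": []}
    for kind, mac in events:
        if kind == "auth-success":
            authed.add(mac)
        elif kind == "logoff" and mac in authed:
            if mode == "multi-host":
                authed.clear()    # whole port returns to unauthorized
            else:
                authed.discard(mac)
        elif kind == "frame":
            port_open = bool(authed) if mode == "multi-host" else mac in authed
            if not port_open:
                result["dropped"].append(mac)
                continue
            result["forwarded"].append(mac)
            if mac not in authed:
                # Traffic passed without this host ever authenticating.
                result["piggybacked"].append(mac)
    return result


if __name__ == "__main__":
    for m in ("multi-host", "per-client"):
        print(m, replay(m, EVENTS))
```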