Re: Exclude the phone from the 802.1X

From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
Date: Sun, 29 Apr 2012 08:42:24 -0300

Do any of the security gurus out here know how secure the CDP based
recognition is? Because I would presume CDP is not based on any
security token, so impersonation of a "cisco phone" would be a rather
trivial task for an attacker... hence CDP bypass would be, well, just
for the photo as we say.

Also, Sadiq, why do you say "MAB will not exclude the phone from
authenticating"? In all respects, MAB does static exclusions from the
authenticating process, hence its name.
The phone does not do anything to authenticate with MAB, it's all static
configuration elsewhere.

-Carlos

Radioactive Frog @ 28/04/2012 21:57 -0300 dixit:
> right on Sadiq.. but AFAIK this feature is not available in newer code (52
> or above) anymore :(
>
> MAB is common and very practical practice for production. Otherwise why
> would you go for dot1x, that defeats the purpose of dot1x implementation.
>
> Other simple one without creating a username/password in radius:
> keep all port configs identical for dot1x or non-dot1x supplicants. If you
> want to exclude a port from dot1x auth process, just use a command "dot1x
> authentication open". This works on newer and older codes. So basically you
> are keeping configs identical, except this one command. This command is
> supposed to be meant for troubleshooting but I have to implement it in some
> instances.
>
> HTH.
>
>
> On Sun, Apr 29, 2012 at 8:58 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> MAB will not exclude the IP phone from authenticating; it would
>> authenticate the IP phone using its MAC address; hence MAC auth bypass.
>>
>> If you configure the host mode as single, then if the IP phone is a Cisco
>> one, it's excluded from authentication. This is called CDP Bypass.
>>
>> HTH,
>>
>> Sadiq
>>
>>
>> On Sat, Apr 28, 2012 at 10:35 AM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:
>>
>>> MAB
>>>
>>> On Sat, Apr 28, 2012 at 4:16 PM, amin <amin_at_axizo.com> wrote:
>>>
>>>> Hi Experts,
>>>>
>>>> How to configure 802.1x for the PC that is connected to a switch port and
>>>> exclude the IP phone?
>>>>
>>>> Regards,
>>>>
>>>> Amin
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>> --
>> CCIEx2 (R&S|Sec) #19963
>

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
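As an added illustration, not taken from any of the posters, here is an IOS interface configuration for the case Amin asked about: the PC authenticates with 802.1X and the phone is admitted by MAB as a separate voice-domain session, with the "authentication open" variant Radioactive Frog mentions shown on a second port. Interface names, VLAN numbers, the RADIUS server definition and the RADIUS attribute for the phone are assumptions.

```ios
! Added example (not from any poster in this thread).
! Assumed: Gi1/0/5 and Gi1/0/6 are the phone+PC ports, data VLAN 20,
! voice VLAN 120, and "aaa new-model" / "aaa authentication dot1x default
! group radius" plus a radius-server entry already exist.
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 description PC behind IP phone - 802.1X for the PC, MAB for the phone
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120
 ! Two sessions on one port: one data domain (PC), one voice domain (phone).
 authentication host-mode multi-domain
 authentication port-control auto
 ! Ask for 802.1X first; a device with no supplicant (the phone) falls back
 ! to MAB, i.e. the switch sends the phone's MAC address as username to RADIUS.
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 ! Shorter EAP request interval so the phone reaches the MAB fallback sooner.
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Assumed RADIUS side: the phone's MAC address exists as a user and the
! Access-Accept returns cisco-av-pair "device-traffic-class=voice" so the
! session lands in the voice domain. As Carlos notes, that is a static
! allow-list keyed on a MAC address; there is no secret on the phone.
!
! Variant from the thread: identical port config plus one line. The switch
! still runs 802.1X/MAB and logs the result, but traffic is forwarded before
! and regardless of the outcome, so this port is monitored, not enforced.
interface GigabitEthernet1/0/6
 description Same config as Gi1/0/5 plus open authentication
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication open
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

With the first port, a phone whose MAC is not in RADIUS is refused; with the second, `show authentication sessions interface Gi1/0/6` still shows the failed attempt while the port keeps forwarding.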
Received on Sun Apr 29 2012 - 08:42:24 ART
