Wednesday, January 2, 2019

More questions about 802.1x/RADIUS

I'm hoping to just get some clarification about how the authentication process works. The documentation I'm reading from Cisco (found here page 4) states that if the client is "802.1x capable" then it starts the 802.1x port-based authentication and if the client identity is valid then it assigns the port to a VLAN. I'm a little confused about what it means by "802.1x capable". In the event that the client has not been configured for 802.1x but is capable of sending 802.1x EAPOL messages, does that mean it'll still go down the path of 802.1x authentication, or will it instead go down the path of MAC-based authentication?

In my limited understanding, this means to me that if the client is capable of sending EAPOL messages but has not been configured to do so it still means it's "802.1x capable" and that the authentication process will not attempt to authenticate based on MAC address.

In the end we're really trying to avoid having to fully implement 802.1x. In other words, we're not interested in setting up a Certificate Authority and implementing PEAP or EAP-TLS or even integrating with Active Directory. We'd like to simply define a pool of MAC addresses and corresponding VLAN numbers. When a machine gets plugged into the switch the port will be configured for the VLAN defined for the MAC address of the machine. If a machine gets plugged in that has a MAC address that is not found in the pool then the port goes into err-disable state. I've been trying to get this working in Microsoft Network Policy Server but it seems way overkill for what we're trying to achieve.

Is this possible?
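As an added example that is not part of the original post, here is the RADIUS-side decision the post describes (MAC Authentication Bypass with dynamic VLAN assignment using the RFC 3580 tunnel attributes) written in Python. The MAC-to-VLAN pool is a constructed sample, and `normalize_mac` and `mab_authorize` are names chosen here, not from any RADIUS product.

```python
import re
from typing import Optional

# Constructed sample pool: MAC address -> VLAN number (not from the original post).
MAC_VLAN_POOL = {
    "00:11:22:33:44:55": 10,
    "66:77:88:99:aa:bb": 20,
}

# RADIUS attribute values used for dynamic VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = IEEE-802


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise the MAC a switch puts in the MAB User-Name attribute.

    Switches send it in several forms (aabbccddeeff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff). Returns lowercase colon form, or
    None if the string is not a MAC address at all (e.g. a real username).
    """
    if re.search(r"[^0-9a-fA-F.:-]", raw):
        return None
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        return None
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def mab_authorize(username: str, pool=MAC_VLAN_POOL) -> dict:
    """Decide the RADIUS reply for one MAB request.

    A MAC in the pool gets Access-Accept carrying the VLAN attributes;
    anything else gets Access-Reject, which leaves the port unauthorized
    and lets the switch's configured failure action apply.
    """
    mac = normalize_mac(username)
    if mac is None or mac not in pool:
        return {"code": "Access-Reject", "attributes": {}}
    return {
        "code": "Access-Accept",
        "attributes": {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": str(pool[mac]),
        },
    }
```

Any RADIUS server can return the same three attributes from a static MAC table; since MAB checks only the source MAC, which the switch cannot verify, the pool acts as an inventory control rather than a strong identity check.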


