Connecting the world…

Wired 802.1X

The session about wired 802.1X deployment was really interesting. I was surprised how much of the information I already knew from my testing with MAC Authentication Bypass (MAB) last week. Of course the speaker had more configuration options to show when configuring the switch ports.

It was important for me to hear about the different ways of deploying 802.1X in an environment. It isn't a good idea to just implement 802.1X in some kind of big-bang scenario. Important when implementing 802.1X is choosing the correct identity for authentication and the identity repository you are going to use.

Also good to know is that the actual authentication conversation takes place between the client (the supplicant) and the authentication server using EAP; the switch is an EAP conduit, but it is aware of what's going on. In a normal 802.1X implementation all traffic on the port is blocked, ingress and egress, until the port is authorized. This can give problems with features like DHCP, BootP, Wake on LAN and so on, as I already described in my post about MAB.

One thing I learned from the session is to use the VLAN name instead of the VLAN ID when using RADIUS to assign the VLAN. This is because you can have a VLAN named Marketing at every site, while the VLAN ID can differ per branch office. The Inaccessible Authentication Bypass (IAB) feature is also useful for branch offices: IAB assigns the port to a statically configured VLAN when the RADIUS server cannot be reached. After IAB detects that the RADIUS server is online again, it starts authenticating all the ports that weren't authenticated before.
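To make the two points above concrete (the switch blocking everything but EAP on an unauthorized port, the RADIUS VLAN assignment by name, and the IAB fallback), here is a small Python model of the authenticator's port decision logic. This is an added example, not code from the original post or from any switch vendor. The RADIUS attribute numbers and values (Tunnel-Type 64 = 13 for VLAN, Tunnel-Medium-Type 65 = 6 for IEEE-802, Tunnel-Private-Group-ID 81) are the real ones from RFC 2868 and RFC 3580; the VLAN tables, port names, critical VLAN 999 and the Access-Accept bytes are constructed for the example.

```python
"""Authenticator-side decision logic for a wired 802.1X port (added example).

Models what the switch does with the RADIUS outcome: parse the RFC 3580
tunnel attributes from an Access-Accept, resolve the VLAN *name* against
this switch's own VLAN table (so "Marketing" maps to a different ID per
branch), and fall back to the critical VLAN when the RADIUS server is dead
(Inaccessible Authentication Bypass), re-initialising those ports once the
server is alive again. VLAN tables, ports and packets below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RADIUS attribute types (RFC 2868 / RFC 3580)
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID or VLAN name
EAPOL_ETHERTYPE = 0x888E


def parse_attributes(raw: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("bad attribute length")
        attrs.append((atype, raw[i + 2:i + alen]))
        i += alen
    return attrs


def _strip_tag(value: bytes) -> bytes:
    # Tunnel attributes may carry a leading tag byte (0x00..0x1F); drop it.
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_accept(raw: bytes) -> Optional[str]:
    """Return the Tunnel-Private-Group-ID string if the Access-Accept carries
    a complete VLAN triplet (type=VLAN, medium=802), else None (no assignment).
    An incomplete triplet is ignored, i.e. treated as no assignment."""
    found = {}
    for atype, value in parse_attributes(raw):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(_strip_tag(value), "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = _strip_tag(value).decode("ascii")
    if found.get(TUNNEL_TYPE) != 13 or found.get(TUNNEL_MEDIUM_TYPE) != 6:
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)


def resolve_vlan(group_id: str, vlan_table: Dict[str, int]) -> Optional[int]:
    """Map the RADIUS group ID to a local VLAN ID: a numeric ID is accepted only
    if that VLAN exists on this switch; a name is looked up in the local table."""
    if group_id.isdigit():
        vid = int(group_id)
        return vid if vid in vlan_table.values() else None
    return vlan_table.get(group_id)


@dataclass
class Port:
    name: str
    access_vlan: int               # statically configured VLAN of the port
    state: str = "unauthorized"    # unauthorized | authorized | critical
    vlan: Optional[int] = None


@dataclass
class Switch:
    vlan_table: Dict[str, int]     # this switch's VLAN name -> ID
    critical_vlan: int             # IAB fallback VLAN
    ports: Dict[str, Port] = field(default_factory=dict)

    def allows(self, port: str, ethertype: int) -> bool:
        """An unauthorized port passes only EAPOL frames; authorized/critical pass all."""
        p = self.ports[port]
        return p.state != "unauthorized" or ethertype == EAPOL_ETHERTYPE

    def radius_result(self, port: str, outcome: str, raw_attrs: bytes = b"") -> Tuple[str, Optional[int]]:
        """Apply a RADIUS outcome ('accept', 'reject' or 'timeout') to the port."""
        p = self.ports[port]
        if outcome == "timeout":                     # server dead -> IAB
            p.state, p.vlan = "critical", self.critical_vlan
        elif outcome == "accept":
            gid = vlan_from_accept(raw_attrs)
            if gid is None:                          # no VLAN assignment: use port VLAN
                p.state, p.vlan = "authorized", p.access_vlan
            else:
                vid = resolve_vlan(gid, self.vlan_table)
                # Unknown VLAN name on this switch: fail closed rather than guess.
                p.state, p.vlan = ("authorized", vid) if vid is not None else ("unauthorized", None)
        else:                                        # reject
            p.state, p.vlan = "unauthorized", None
        return p.state, p.vlan

    def server_alive(self) -> List[str]:
        """RADIUS reachable again: reinitialise critical ports so they re-authenticate."""
        reinit = [n for n, p in self.ports.items() if p.state == "critical"]
        for n in reinit:
            self.ports[n].state, self.ports[n].vlan = "unauthorized", None
        return reinit


def build_vlan_accept(group_id: str, tag: int = 1) -> bytes:
    """Constructed Access-Accept attribute bytes assigning a VLAN (test input only)."""
    def avp(t: int, v: bytes) -> bytes:
        return bytes([t, len(v) + 2]) + v
    return (avp(TUNNEL_TYPE, bytes([tag]) + (13).to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + (6).to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group_id.encode("ascii")))


if __name__ == "__main__":
    hq = Switch({"Marketing": 10, "Sales": 20}, 999, {"Gi1/0/1": Port("Gi1/0/1", access_vlan=5)})
    branch = Switch({"Marketing": 110, "Sales": 120}, 999, {"Gi1/0/1": Port("Gi1/0/1", access_vlan=5)})
    accept = build_vlan_accept("Marketing")          # same Accept sent to both sites
    print("HQ:", hq.radius_result("Gi1/0/1", "accept", accept))
    print("Branch:", branch.radius_result("Gi1/0/1", "accept", accept))
    print("Branch, RADIUS dead:", branch.radius_result("Gi1/0/1", "timeout"))
    print("Branch, RADIUS alive, reinit:", branch.server_alive())
```

The same Access-Accept lands the user in VLAN 10 at HQ and VLAN 110 at the branch, which is the whole point of assigning by name. The model fails closed when the name does not exist locally, and a port parked in the critical VLAN by IAB is put back to unauthorized on `server_alive()` so the normal EAP exchange runs again.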

Summarizing, I guess that 802.1X will become the new authentication standard, and when implementing 802.1X, MAB is a good alternative for stations that don't support 802.1X.