CCNA: Sec 8021x question

Hey techies. This was covered in the Security+ material, but I still don't quite get it.

The 8021x port-control command on Cat's has three options:

Force-authorized - (default) Causes the port to instantly go into an authorized state without participating in 8021x

Force-unauthorized - Causes the port to stay unauthorized, regardless of the actions of the supplicant

Auto - What you'd expect from 8021x... start unauthorized, pass credentials between supplicant and Tacacs/Radius, and if successful, transition to authorized state.

Okay, so... why would anyone use the first two? Since the 8021x port-control command is an interface command, why would anyone enable 8021x, just to a) bypass it completely and make everything authorized, or b) make the port stay unauthorized.

If I was going to allow everything anyway, why not just enter "no 8021x port-control" rather than force-authorized?

And if I was going to disallow everything... well, that's the same as shutting down the port, isn't it?

Does anyone ever use anything but AUTO?

Preciate the insights,
Mike

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dtlokee

Well you may want force authorized on an interface with a server or something like that, or in a case of a host that does not have a supplicant but don't want them in a guest VLAN. I haven't seen a case where I needed force unauthorized as it would cause the interface to effectively be disabled.

jezg76

NSA seems to find a way to use it.

That is some hardcore "UNUSED PORT" configuration. I don't think Jesus could get network connectivity with that config.

interface FastEthernet0/6
description *** UNUSED Port ***
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
shutdown
mls qos cos override
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root

http://www.nsa.gov/snac/downloads_switches.cfm?MenuID=scg10.3.1

networker050184

I guess you can never bee too secure.

dtlokee

hmm, might make sense in an environment where you are using command authorization with different privilege level for all those commands, otherwise "shutdown" will suffice.

tiersten

mikearama wrote:

And if I was going to disallow everything... well, that's the same as shutting down the port, isn't it?

Sort of. Shutting down the port would cause the line to show as down. Forcing that port to be unauthorised would be ignoring anything that appears on the port.