CCNA: Sec 8021x question
mikearama
Member Posts: 749
in CCNA & CCENT
Hey techies. This was covered in the Security+ material, but I still don't quite get it.
The 802.1X port-control command on Cats has three options:
Force-authorized - (default) Causes the port to instantly go into an authorized state without participating in 802.1X
Force-unauthorized - Causes the port to stay unauthorized, regardless of the actions of the supplicant
Auto - What you'd expect from 802.1X... start unauthorized, pass credentials between supplicant and TACACS/RADIUS, and if successful, transition to authorized state.
Okay, so... why would anyone use the first two? Since the 802.1X port-control command is an interface command, why would anyone enable 802.1X, just to a) bypass it completely and make everything authorized, or b) make the port stay unauthorized?
If I was going to allow everything anyway, why not just enter "no 802.1X port-control" rather than force-authorized?
And if I was going to disallow everything... well, that's the same as shutting down the port, isn't it?
Does anyone ever use anything but AUTO?
Preciate the insights,
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
-
dtlokee Member Posts: 2,378
Well, you may want force-authorized on an interface with a server or something like that, or in the case of a host that does not have a supplicant but you don't want them in a guest VLAN. I haven't seen a case where I needed force-unauthorized, as it would cause the interface to effectively be disabled.
The only easy day was yesterday!
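Added example, not code from anyone in this thread: a small Python audit that walks a running-config and reports each access port's effective port-control mode. It treats a missing dot1x port-control line as the force-authorized default described in the first post, flags explicit force-authorized ports (dtlokee's server-or-printer case) separately from ports where the command was simply never entered, and notes force-unauthorized ports as effectively dead. The sample config, interface names and descriptions are constructed for the example. It also checks for the global dot1x system-auth-control command, without which port-control auto does not authenticate anything; that check is the example's own addition and is not discussed in the thread.

```python
"""Audit effective 802.1X port-control state per access port in a
Cisco IOS running-config. Added example, not from the original thread."""
import re
from dataclasses import dataclass

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
!
dot1x system-auth-control
!
interface FastEthernet0/1
 description User port
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
interface FastEthernet0/2
 description Printer without supplicant
 switchport mode access
 switchport access vlan 10
 dot1x port-control force-authorized
!
interface FastEthernet0/3
 description User port, dot1x never configured
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/6
 description *** UNUSED Port ***
 switchport mode access
 switchport access vlan 999
 dot1x port-control force-unauthorized
 shutdown
!
interface GigabitEthernet0/1
 description Uplink
 switchport mode trunk
!
"""


@dataclass
class Port:
    name: str
    description: str = ""
    mode: str = ""          # 'access', 'trunk', or '' if not set
    port_control: str = ""  # explicit 'dot1x port-control' value, if any
    shutdown: bool = False

    @property
    def effective_control(self) -> str:
        # With no dot1x port-control line the IOS default applies:
        # force-authorized, i.e. the port never asks for credentials.
        return self.port_control or "force-authorized (default)"


def parse_interfaces(config: str) -> list[Port]:
    """Split the config into interface stanzas and pull out the fields we audit."""
    ports: list[Port] = []
    current: Port | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := re.match(r"^interface (\S+)", line):
            current = Port(name=m.group(1))
            ports.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a global command ends the stanza
            continue
        cmd = line.strip()
        if cmd.startswith("description "):
            current.description = cmd[len("description "):]
        elif m := re.match(r"switchport mode (\S+)", cmd):
            current.mode = m.group(1)
        elif m := re.match(r"dot1x port-control (\S+)", cmd):
            current.port_control = m.group(1)
        elif cmd == "shutdown":
            current.shutdown = True
    return ports


def global_dot1x_enabled(config: str) -> bool:
    # Interface-level port-control auto only authenticates when 802.1X is
    # enabled globally with 'dot1x system-auth-control'.
    return any(l.strip() == "dot1x system-auth-control" for l in config.splitlines())


def audit(config: str) -> dict[str, str]:
    """Return {interface_or_'global': finding} for everything that needs a look."""
    findings: dict[str, str] = {}
    if not global_dot1x_enabled(config):
        findings["global"] = "dot1x system-auth-control missing: no port enforces 802.1X"
    for p in parse_interfaces(config):
        if p.mode != "access":
            continue  # trunks and uplinks are outside this check
        if p.port_control == "auto":
            continue  # the only mode that actually challenges the supplicant
        if p.port_control == "force-unauthorized":
            state = "force-unauthorized" + (" + shutdown" if p.shutdown else "")
            findings[p.name] = f"{state}: port is effectively dead"
        elif p.port_control == "force-authorized":
            findings[p.name] = f"explicit 802.1X bypass ({p.description!r}): confirm it is intended"
        else:
            findings[p.name] = "no dot1x port-control line: default force-authorized, 802.1X not enforced"
    return findings


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG).items():
        print(f"{iface}: {finding}")
```

Run it as-is to see the constructed config audited; point parse_interfaces and audit at the text of a real "show running-config" to use it on a switch. The distinction between an explicit force-authorized and a missing line is the useful one operationally: the first was a decision someone made (and documented, if the description is any good), the second is usually an omission.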
-
jezg76 Member Posts: 97
NSA seems to find a way to use it. That is some hardcore "UNUSED PORT" configuration. I don't think Jesus could get network connectivity with that config.

interface FastEthernet0/6
 description *** UNUSED Port ***
 switchport access vlan 999
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan none
 switchport mode access
 switchport nonegotiate
 switchport block multicast
 switchport block unicast
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 no ip address
 ip access-group ip-device-list in
 shutdown
 mls qos cos override
 storm-control broadcast level 0.00
 storm-control multicast level 0.00
 storm-control unicast level 0.00
 dot1x port-control force-unauthorized
 dot1x guest-vlan 999
 dot1x host-mode multi-host
 mac access-group mac-device-list in
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root

http://www.nsa.gov/snac/downloads_switches.cfm?MenuID=scg10.3.1
policy-map type inspect TACO
class type inspect BELL
drop log
-
networker050184 Mod Posts: 11,962
I guess you can never be too secure.
An expert is a man who has made all the mistakes which can be made.
-
dtlokee Member Posts: 2,378
Hmm, might make sense in an environment where you are using command authorization with different privilege levels for all those commands; otherwise "shutdown" will suffice.
The only easy day was yesterday!
-
tiersten Member Posts: 4,505
mikearama wrote:
> And if I was going to disallow everything... well, that's the same as shutting down the port, isn't it?