802.1x port configuration uplink (supplicant for another switch)
Hi, i need to secure my network but in other configuration then the provided examples.
I have succesfully configured one switch and the clients are connecting using 802.1x succesfully.
The problem is that i need to secure a diffrent room at he office and the only way i could connect the second switch is behind the first one, and i can not phisically secure it.
So, how can i put the uplink port of the second switch to authenticate in a port of the first one?
This is an example that i could find:
I think i need to do something like this ..but how...
https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s08.html
Thank you very much.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
In your topology, you should disable 802.1x for port A1 and port B5. Because your switch A need to communicate with radius server.
You can enable 802.1x for other ports on switch A, the clients connected to those ports need to be authorized.
- Copy Link
- Report Inappropriate Content
@Andone Yes, this is my real problem because switch A is not in a secure space...I need to authenticate port B5 with A1..is this possible with Tplink switches? On other brands you can designate a port to be supplicant for anoter 8201.x NAS client...
- Copy Link
- Report Inappropriate Content
@mdalacu So, no other ideeas for how can i achive this?
Thanks
- Copy Link
- Report Inappropriate Content
I remember that Cisco also recommend to disable 802.1x for the port which connected to anoter 8201.x NAS client.
And when you disable 802.1x for Port B5 and Port A1, and enable 802.1x for other ports, your network is still working safely. Because all devices connected to switch A need to be authorized. Disable 802.1x for Port B5 and Port A1 just for let the 802.1x authentication information can pass switch A and switch B to radius server, otherwise, the authentication data will be blocked.
Actually I think there are two ways, you can disable 802.1x for Port B5 and Port A1, you also can enable 802.1x for Port B5 and disable 802.1x for all ports of switch A. But switch B need to support 802.1x authentication based MAC address, then every devices connected to switch A need to be authorized as well.
- Copy Link
- Report Inappropriate Content
@Andone Yes, this could be a solution "But switch B need to support 802.1x authentication based MAC address, then every devices connected to switch A need to be authorized as well"
The problem is that FreeRadius implementation in pfSense is expecting MAC password and username to be in format xx-xx-xx-xx-xx-xx and TPLink Switches sent this like XXXXXXXXXXXX. I need to find the right file to patch this..:/
Thanks for your answer...still digging!
- Copy Link
- Report Inappropriate Content
If you use MAB, then you need to set MAC password and username to be in format xx-xx-xx-xx-xx-xx. MAB is usually used for the device which do not support 802.1x client.
If you set port method as MAC based, then all the clients connected to this switch port need to pass authentication. The clients still need to use 802.1x client to login.
So MAB(MAC authentication bypass) is different from MAC Based port method. Just choose the feature which can meet your demand.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2631
Replies: 6
Voters 0
No one has voted for it yet.