IEEE 802.1X: Practical Port Control for Switches
- The Problem with Ports
- The IEEE 802.1X Standard
- Configuring 802.1X on the Switch
- Summary
No matter how much time is spent preparing and securing networks, there is one vital component of a campus network that often goes unnoticed or unchecked. Many hours are spent deciding how to implement the switches, how to utilize VLANs, where to perform Layer 3 functionality, how to implement redundancy, how to implement a management scheme, which trunking (tagging) protocol to use, how to configure spanning-tree options such as portfast, and even whether to use 802.1u auto sensing for port speed and duplex or to manually set those parameters. In many networks, however, little time is spent deciding how to control what devices have access to the ports. Whether there are 500 or 50,000 access (user) ports, it's just not practical to think about how to control what or who can or cannot use a port. The IEEE 802.1X standard might just change that line of thinking.
The Problem with Ports
One of the most vulnerable components in the network is the wall outlet. Anyone who has access to the outlet can plug into that wall jack and, with the introduction of wireless networking, unauthorized users can access the network without even having to bring along their own cable. Several solutions exist to this problem, but few are manageable and easy to implement.
First, one could simply disable all the unused ports in the network. If there is a wall outlet that will not be used, it should simply be disabled. This is accomplished on a Catalyst switch by issuing the command set port disable mod/port for devices running the Catalyst Operating System (COS), or by accessing interface configuration mode on a Catalyst switch running Cisco IOS and issuing the command shutdown. Now, the port is completely secure. If someone wants to use the port, however, they must contact the administrator and have it turned back on. This solution can be a management nightmare, especially if there are many mobile users in your network. Plus, this does not prevent anyone from unplugging a device that is already connected to a working port and gaining access by using that port.
Another possible solution is to set up port security on all the ports. This involves registering the MAC address of the device(s) that will be using the port with the switch so that, if any unregistered MAC addresses were to plug into the port, the port would be unusable. Depending on the type of hardware and software, configuring the port to become suspended (unusable until the bad MAC address goes away), or disabled (unusable until the administrator re-enables the port) could be a possibility. This solution seems promising until you start registering MAC addresses. Each port on each switch must be configured to know which MAC addresses are allowed. This might involve manually entering the addresses or allowing them to be learned by the switch. In either case, if the MAC address changes or is moved to a different port, the administrator must reconfigure the switch.
Some of the other methods of controlling access include assigning any unused port to a VLAN that has been configured to be disabled or placing the port in a VLAN that does not have an IP address structure (no DHCP/BOOTP server or gateway). Although all these methods are effective, they lack the scalability or manageability needed in the modern campus network.