>> How do state changes happen when devices need to go in/out of
>> registration/isolation? Is it CoA (I thought that was only
>> supported on wireless)? SNMP? Scripted CLI?
> With MAB, we just bounce the port (ifdown/ifup) using SNMP. With
> 802.1X, we force a reauth using the PAE mib.
OK. I could try CoA, but there seems little benefit right now. One
packet instead of two.
>> [How] could I support multiple MACs per switch port?
> Normally, we recommend the usage of the host-mode multi-domain on
> the Cisco for MAB/802.1X to allow VOIP + Data on the same port.
> However, nothing refrains you from using another host-mode, such as
> multi-host. That would have the effect of authenticating the first
> user to connect to the port, and blindly allowing every other host
> that connects afterward. This might be something to look at
> for your hubs. Note that all other nodes will depend on the
> status of the first one, and reg/isolation features won't work
OK, this model is probably good enough for us, except when it's not.
I could have 802.1X reauth kick in periodically -- so the switch
would act blindly, but open its eyes for a peek every few hours,
and if multiple devices with different registration status are
connected, behavior would be random. Well, that's not good. So I
guess it would be safer to turn reauth off, right? It "should" not
really be necessary, right?
The main risk would be that nodes plugged into hub ports cannot be
isolated or even located with PF, but CDP/CAM tables are still
Does the PF port security model support multiple MACs any better?
Alternatively, can someone recommend a cheap smart switch that plays
well with PacketFence? Netgear GS108T is the cheapest I found that
claims 802.1X and VLAN support, but it would also need to support
802.1X+MAB, and I don't see evidence of that.
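The two state-change mechanisms mentioned in the quoted reply (bouncing the port's ifAdminStatus over SNMP for MAB, and forcing a reauthentication through the PAE MIB for 802.1X) as an added shell example. This is not code from the thread or from PacketFence; it assumes net-snmp's snmpset, an SNMPv2c write community supplied in PF_SNMP_COMMUNITY, and a numeric ifIndex for the port. The OIDs are IF-MIB::ifAdminStatus and IEEE8021-PAE-MIB::dot1xPaePortReauthenticate as I read those MIBs; check them with snmptranslate before relying on them. The default is a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread or PacketFence): the SNMP write
# operations behind the two port state changes discussed above.
# Assumptions: net-snmp snmpset on PATH when DRY_RUN=0, SNMPv2c write
# community in PF_SNMP_COMMUNITY. DRY_RUN=1 (default) only prints.

OID_IFADMINSTATUS="1.3.6.1.2.1.2.2.1.7"      # IF-MIB::ifAdminStatus  up(1)/down(2)
OID_DOT1X_REAUTH="1.0.8802.1.1.1.1.1.2.1.5"  # IEEE8021-PAE-MIB::dot1xPaePortReauthenticate true(1)

: "${DRY_RUN:=1}"
: "${PF_SNMP_COMMUNITY:=private}"   # placeholder; set a real write community
: "${BOUNCE_DELAY:=2}"              # seconds the port stays down during a bounce

# check_ifindex VALUE: accept only a non-empty decimal ifIndex, so a
# malformed value never reaches the snmpset command line.
check_ifindex() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# snmp_set HOST OID TYPE VALUE: print the snmpset command; execute it
# only when DRY_RUN=0.
snmp_set() {
    cmd="snmpset -v2c -c $PF_SNMP_COMMUNITY $1 $2 $3 $4"
    echo "$cmd"
    [ "$DRY_RUN" = "1" ] || $cmd
}

# bounce_port HOST IFINDEX: the MAB case from the reply, ifdown then ifup.
# The link drop makes the client re-send traffic and triggers a new MAB
# request, so the switch picks up the device's new VLAN/role.
bounce_port() {
    check_ifindex "$2" || { echo "bounce_port: bad ifIndex '$2'" >&2; return 1; }
    snmp_set "$1" "$OID_IFADMINSTATUS.$2" i 2
    sleep "$BOUNCE_DELAY"
    snmp_set "$1" "$OID_IFADMINSTATUS.$2" i 1
}

# reauth_port HOST IFINDEX: the 802.1X case, one PAE MIB write that makes
# the authenticator restart EAP with the supplicant instead of cutting the link.
reauth_port() {
    check_ifindex "$2" || { echo "reauth_port: bad ifIndex '$2'" >&2; return 1; }
    snmp_set "$1" "$OID_DOT1X_REAUTH.$2" i 1
}

# Usage (dry run against the TEST-NET-1 documentation address):
#   bounce_port 192.0.2.1 10
#   reauth_port 192.0.2.1 10
```

Both functions print exactly what they would send, so the same script can be used first to confirm the ifIndex mapping on a switch and then, with DRY_RUN=0, to perform the change. Note that on a multi-host port the bounce affects every device behind the hub, which is the behaviour the discussion above is worried about.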