From: Francois G. <fga...@in...> - 2012-04-27 15:12:31

Hi Rich,

> So, in a couple of months, PF 3.3+ will be taking over my wired network with (nearly) 100% Cisco 3560's (various models), all running IOS 12.2(55) or later.

Very cool!

> Most of the docs advise 802.1X/MAB. Fine.

Yes, the new trend is to use AAA-based authentication rather than port-security.

> How do state changes happen when devices need to go in/out of registration/isolation? Is it CoA (I thought that was only supported on wireless)? SNMP? Scripted CLI?

With MAB, we just bounce the port (ifdown/ifup) using SNMP. With 802.1X, we force a reauth using the PAE MIB. We could potentially use CoA as well, but the code for it is not there yet (although we tested it working with our test 2960).

> [How] could I support multiple MACs per switch port? Some of our buildings have inadequate copper plant, so hubs are legitimately in use. I'd be OK with a model that allowed all access to normalVlan if one connected device is registered, and isolated the port if one connected device is in violation. Does this require port security or link trap instead? (I guess buying a bunch of cheap manageable switches as "roaming devices" is a possibility, with each roaming device itself becoming PF-managed, but this requires boots on the ground...)

I will assume you don't have VoIP on your network where your hubs are. Normally, we recommend the usage of the host-mode multi-domain on the Cisco for MAB/802.1X to allow VoIP + Data on the same port. However, nothing prevents you from using another host-mode, such as multi-host. The effect of that would be to authenticate the first user to connect to the port, and blindly allow every other host that connects afterward. This might be something to look at for your hubs. Note that all other nodes will depend on the status of the first one, and reg/isolation features won't work very well.

I hope it helps!

--
Francois Gaudreault, ing. jr
fga...@in... :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
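The two host-modes discussed in the reply, side by side as an added Cisco IOS configuration example (not taken from the thread or from the PacketFence documentation). Interface names, the RADIUS server address and the VLAN numbers are placeholders; the `authentication` and `mab`/`dot1x` commands are the standard IOS 12.2(55) syntax for access ports.

```cisco
! Added example: RADIUS/AAA setup shared by both ports (server address is a placeholder)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key <radius-shared-secret>
dot1x system-auth-control

! Recommended port: one phone + one PC, each authenticated separately.
! Registration/isolation changes for either device act on that device alone.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator

! Hub port: only the FIRST MAC is authenticated; every later MAC behind the hub
! inherits its authorization, so per-device isolation cannot be enforced here.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-host
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
```

`authentication periodic` with `authentication timer reauthenticate server` lets the RADIUS server set the reauthentication interval (Session-Timeout), which is the path a NAC server uses when it forces a reauth rather than bouncing the port. On the multi-host port, a security violation by any host behind the hub is reported against the port as a whole, which is why the reply notes that registration and isolation features work poorly in that mode.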