04-11-2016 02:05 AM
I'm looking for some real-life experience here in setting up 802.1X in a wired and wireless production environment. The goal here is to segment the network by splitting it up into separate VLANs. One of the nice things is that you can 'steer' a device into a certain VLAN.
The problem in our environment is that we have a history of wired networking. In practice this means that, due to a lack of UTP connections in offices, we have a lot of SOHO switches in offices to work around this issue. These switches are not managed and thus not capable of 802.1X. There are basically no SOHO switches which are capable of doing 802.1X. So one thing we've learned is that 802.1X is a 'datacenter' setup. If you want this for wired networking you need switches in the rack which support this, and endpoints need to be connected to these switches. In our environment this would mean additional wired networking. There's also the issue with printers etc., where 802.1X is not really an option (keep those in one single printer VLAN, I suppose).
Of course then you think about wireless networking. I haven't tested yet, but I'm pretty sure 802.1X will work in our environment. This would involve extra investments in wireless (no open-landscape offices in a lot of buildings, so extra APs needed).
But there is also an alternative: just introduce separate VLANs in separate buildings (wired and wireless). On the wireless level use VLAN steering, WLAN roaming and VLAN mobility.
Anyone having experience? What did you choose? Full 802.1X?
02-19-2017 05:13 AM
I would not call dot1x a datacenter technology. For me the datacenter is where your servers and such are, but not clients; dot1x is mainly a client technology.
Like you say, it does mean your switches have to support it. With most enterprise switches this is the case. If you are using SOHO switches in an enterprise setting, then not doing dot1x is probably not your only issue: think loops, oversubscription, ...
It comes down to your requirements and budget. If you can, go with enterprise switches and enterprise APs. If you can't, then determine what is most important for your company.
05-12-2017 06:40 AM
In real production environments SOHO switches aren't the best-practice solution. Aruba entry models like the 2530 are already capable of doing 802.1X.
It is a good start to begin with 802.1X on wireless. For me this is the standard solution, because WPA2 is way too static and insecure (you could pass through the password).
Of course, if you enable 802.1X on wireless, the step isn't too big to implement it also on wired. For printers you could use sticky MAC.
4 weeks ago
You can enable 802.1X for multiple users on one port. Originally this configuration is for phones with connected PCs, but it should also work with SOHO switches.
Depending on what switch and firmware you are running in your distribution, you can authenticate multiple clients.
E.g. my 8-port 2530 (J9298A) can have 2 different authentications on one port:
2530-8G (config)# aaa port-access auth 5 client-limit ?
 <1-2>   Set the maximum number of clients to allow on the port.
A 5406zl can have up to 32 different authentications per port:
5046zl(config)# aaa port-access authenticator a16 client-limit ?
 <1-32>  Set the maximum number of clients to allow on the port. client-based mode.
I have only used this with phones and 2 clients so far, but I don't see why it shouldn't work.
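To tie the two ideas together (client-based 802.1X on a port that has an unmanaged switch behind it, from the post above, and keeping printers on a MAC-based exception, from the earlier reply), here is an added example of a complete ArubaOS-Switch / ProCurve-style port-access configuration. It is not taken from any poster's switch; the RADIUS server address, shared secret, VLAN IDs, port numbers and printer MAC address are placeholders I made up, and the command syntax is written from memory of the 2530/5400zl CLI, so check each line with `?` on your own firmware before pasting it.

```text
! --- RADIUS server the switch will authenticate against (placeholder address/secret) ---
radius-server host 10.10.10.5 key "example-shared-secret"

! --- 802.1X (EAP relayed to RADIUS) for user ports ---
aaa authentication port-access eap-radius

! Port 5 has a small unmanaged office switch hanging off it.
! client-based mode: each MAC seen on the port must authenticate on its own.
! On a 2530 the upper limit is 2 (see the help output above); on a 5400zl up to 32.
aaa port-access authenticator 5
aaa port-access authenticator 5 client-limit 2

! Assumed VLAN plan: 20 = office users, 99 = quarantine with no access except remediation.
! A successful authentication without a RADIUS-assigned VLAN lands in auth-vid;
! a client that never authenticates stays in unauth-vid.
aaa port-access authenticator 5 auth-vid 20
aaa port-access authenticator 5 unauth-vid 99

! --- Printers: no supplicant, so authenticate the MAC address instead of a user ---
! Option A: MAC-based authentication against the same RADIUS server
! (the printer's MAC is the username, the server steers it into the printer VLAN).
aaa authentication mac-based chap-radius
aaa port-access mac-based 7
aaa port-access mac-based 7 addr-limit 1

! Option B ("sticky MAC" in the earlier reply): pin one static MAC to the printer port
! with port security and disable the port if anything else shows up. Placeholder MAC.
port-security 7 learn-mode static address-limit 1 mac-address 001122-334455 action send-disable

! Nothing above takes effect until the authenticator is switched on globally.
aaa port-access authenticator active
```

Two caveats a practitioner would want before relying on this behind an unmanaged switch. First, client-based mode only filters by source MAC, so a device plugged into the SOHO switch that clones the MAC of an already-authenticated neighbour passes through with no further check; that is an inherent limit of 802.1X on a shared segment, not of this switch. Second, `unauth-vid` must point at a VLAN that genuinely reaches nothing useful, otherwise an unauthenticated client on the same SOHO switch gets quiet network access instead of quarantine. `show port-access clients` lists which MAC on a port authenticated, how, and which VLAN it ended up in.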