Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Dot1x for server

  • 1.  Dot1x for server

    Posted Oct 28, 2018 05:17 PM
    Hello,

    We have a situation where, across multiple sites for a big customer, some servers are also connected on access switches. Currently there is no dot1x/man on any port. For servers, we know trunks, LACP and NIC teaming will be an issue. What is the risk of using dot1x from the server's system account perspective if we use EAP-TLS? Each server must have a common or unique system account for dot1x (if they use dot1x). I know dot1x is not for servers, but from a system account perspective what would be the drawbacks? I want to give the customer more explanation from a user ID / system account perspective. If anyone can give some pointers, that will be great. I know Aruba or any other vendor never recommends dot1x for servers, but I want to list the reasons or disadvantages of dot1x for servers.


  • 2.  RE: Dot1x for server

    Posted Oct 30, 2018 06:25 AM

    If you use EAP-TLS with computer (machine) certificates, then there is no reason why you couldn't use dot1x for servers connected to a network switch.

    Authentication should take place on boot up so nobody needs to be logged on to the server for dot1x to allow network access.
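    As an added illustration of the machine-certificate approach described above (not code from the thread or from HPE Aruba), this is a wpa_supplicant configuration for a Linux server doing wired EAP-TLS; the interface name, identity string, certificate paths and RADIUS server name are assumed placeholders:

    ```ini
    # /etc/wpa_supplicant/wpa_supplicant-wired-eth0.conf
    # Path is the one the wpa_supplicant-wired@eth0.service unit looks for, so the
    # supplicant starts at boot and the port authenticates before anyone logs in.
    ctrl_interface=/run/wpa_supplicant
    ap_scan=0

    network={
        key_mgmt=IEEE8021X
        eap=TLS
        # Wired port: no WPA key handshake after EAP success
        eapol_flags=0
        # Outer identity sent in EAP-Response/Identity; the RADIUS server decides on
        # the certificate, not on this string. Placeholder value.
        identity="host/srv01.example.corp"
        # CA that issued the RADIUS server's certificate (validates the authenticator side)
        ca_cert="/etc/pki/tls/certs/corp-root-ca.pem"
        # Machine certificate and key issued to the server itself, not to a person
        client_cert="/etc/pki/tls/certs/srv01-machine.pem"
        private_key="/etc/pki/tls/private/srv01-machine.key"
        # Pin the expected RADIUS server name so a rogue authenticator cannot pose as it
        domain_match="radius.example.corp"
    }
    ```

    The private key should be readable only by root, since whoever can read it can authenticate as that server on any dot1x port.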



  • 3.  RE: Dot1x for server

    Posted Oct 30, 2018 07:06 AM

    Hello Dave,

    Thanks.

    So this means we can't use MSCHAP? And if so, which user ID is needed to log in, because we can't allow the administrator ID to log in?

    What are the challenges of using non-EAP-TLS methods?



  • 4.  RE: Dot1x for server

    EMPLOYEE
    Posted Oct 30, 2018 07:08 AM

    Philosophically, server switchports should be secured so that 802.1X should not be necessary. If your RADIUS server is down for any reason and the switch reboots or forces the server to reauthenticate, you cannot get into any of your servers remotely. To many, that is an unacceptable risk.