Cisco WS-C6506 User Manual
40-11
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 40 Configuring 802.1X Authentication
Understanding How 802.1X Authentication with ARP Traffic Inspection Works
Note This feature is available only with Supervisor Engine 2 with PFC2, Supervisor Engine 720 with
PFC3A/PFC3B/PFC3BXL, and Supervisor Engine 32 with PFC3B/PFC3BXL.
ARP traffic inspection allows you to configure a set of order-dependent rules within the security ACL
(VACL) framework to prevent ARP table attacks. ARP traffic inspection complements the 802.1X port
authentication protocol: 802.1X first binds the MAC address of the authenticated client to the port,
eliminating the possibility of spoofing additional MAC addresses, and ARP traffic inspection then adds
an IP-to-MAC address binding for additional spoof proofing.
You can use 802.1X authentication with ARP traffic inspection to provide an additional layer of port and
user security by eliminating the possibility of malicious users/hosts corrupting the ARP tables of the
other hosts. After a successful 802.1X supplicant authentication, ARP traffic inspection, which binds the
supplicant’s IP address and MAC address, is invoked and eliminates the spoofing possibility.
ARP is a simple protocol that does not have an authentication mechanism so there is no means to ensure
that the ARP requests and replies are genuine. Without an authentication mechanism, a malicious
user/host can corrupt the ARP tables of the other hosts on the same VLAN in a Layer 2 network or bridge
domain.
For example, user/Host A (the malicious user) can send unsolicited ARP replies (or gratuitous
ARP packets) to the other hosts on the subnet with the IP address of the default router and the MAC
address of Host A. With some earlier operating systems, even if a host already has a static ARP entry for
the default router, the newly advertised binding from Host A is learned. If Host A enables IP forwarding
and forwards all packets from the “spoofed” hosts to the router and vice versa, then Host A can carry out
a man-in-the-middle attack (for example, using the program dsniff) without the spoofed hosts realizing
that all of their traffic is being sniffed.
In addition, ARP inspection can drop the packets where the source Ethernet MAC address (in the
Ethernet header) does not match the source MAC address in the ARP header. You can enable (or disable)
this feature through the CLI by entering the set security acl arp-inspection match-mac {enable [drop
[log]] | disable} command.
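The two checks described above, the IP-to-MAC binding established after 802.1X authentication and the match-mac comparison of the Ethernet source address with the ARP sender address, can be modelled in a few lines. The following is an added illustration, not code from the manual or from Cisco: it parses raw Ethernet/ARP frames and applies both rules to them. The port names, IP addresses, MAC addresses and the per-port binding table are constructed sample values; the real switch keeps its bindings in the VACL framework, and the frames below are built only to feed the inspector.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETHERTYPE_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpFrame:
    eth_src: str       # source MAC from the Ethernet header
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str    # sender hardware address from the ARP header
    sender_ip: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if it is anything else."""
    if len(frame) < 42:
        return None
    _eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(mac_str(eth_src), op, mac_str(sha), ip_str(spa), ip_str(tpa))


def build_arp(eth_src: str, sender_mac: str, sender_ip: str, target_ip: str, op: int = 2,
              target_mac: str = "00:00:00:00:00:00", eth_dst: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Build a constructed ARP frame; used here only as sample input for inspect()."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def inspect(port: str, frame: bytes, bindings: Dict[str, Tuple[str, str]],
            match_mac: bool = True) -> Tuple[str, str]:
    """Return ('permit' | 'drop', reason) for one frame received on a given port.

    bindings maps port -> (ip, mac) learned after the supplicant on that port authenticated.
    match_mac models 'set security acl arp-inspection match-mac enable drop'.
    """
    arp = parse_arp(frame)
    if arp is None:
        return ("permit", "not an ARP frame; not subject to ARP inspection")
    if match_mac and arp.eth_src != arp.sender_mac:
        return ("drop", f"ethernet source {arp.eth_src} != ARP sender {arp.sender_mac}")
    binding = bindings.get(port)
    if binding is None:
        return ("drop", f"no authenticated binding on port {port}")
    bound_ip, bound_mac = binding
    if (arp.sender_ip, arp.sender_mac) != (bound_ip, bound_mac):
        return ("drop", f"sender {arp.sender_ip}/{arp.sender_mac} does not match "
                        f"binding {bound_ip}/{bound_mac}")
    return ("permit", "sender matches the 802.1X binding")


# Constructed sample values (hypothetical addresses, not from the manual).
ROUTER_IP = "10.1.1.1"
HOST_A_IP, HOST_A_MAC = "10.1.1.10", "00:11:22:33:44:10"
BINDINGS = {"3/1": (HOST_A_IP, HOST_A_MAC)}   # learned when Host A authenticated on port 3/1


def demo() -> Dict[str, str]:
    """Run the inspector over the scenario from the text and return the verdicts."""
    legit = build_arp(HOST_A_MAC, HOST_A_MAC, HOST_A_IP, ROUTER_IP, op=1)
    # Host A advertising the router's IP with its own MAC (the ARP table attack above).
    poison = build_arp(HOST_A_MAC, HOST_A_MAC, ROUTER_IP, HOST_A_IP)
    # Correct binding in the ARP header, but a different MAC in the Ethernet header.
    mismatch = build_arp("00:11:22:33:44:99", HOST_A_MAC, HOST_A_IP, ROUTER_IP, op=1)
    return {
        "legitimate_request": inspect("3/1", legit, BINDINGS)[0],
        "gratuitous_reply_for_router": inspect("3/1", poison, BINDINGS)[0],
        "header_mac_mismatch": inspect("3/1", mismatch, BINDINGS)[0],
        "header_mac_mismatch_no_match_mac": inspect("3/1", mismatch, BINDINGS, match_mac=False)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last two verdicts show what the match-mac option adds: with it disabled the frame whose ARP header matches the binding is permitted even though the Ethernet source address belongs to someone else; with it enabled that frame is dropped before the binding is consulted.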
To configure ARP traffic inspection, see the “Inspecting ARP Traffic” section on page 15-30.
Default Authentication Configuration
Table 40-2 shows the default 802.1X authentication configuration.
Table 40-2 802.1X Authentication Default Configuration

Feature                                   Default Value
----------------------------------------  --------------------
PAE Capability                            Authenticator only
Protocol Version                          1
802.1X port control                       Force-authorized
802.1X multiple hosts                     Disabled
802.1X system authentication control      Enabled
802.1X quiet period time                  60 seconds
