Taking a step back, she asked, "So what's with this 802.1x standard,
anyway? Is anyone actually using it?"
Data-link-layer security definitely makes sense for 802.11 wireless
networks. Does it really make sense for wired networks? Is the bug
happening with wired or wireless networks? It sounds like it's happening
with wired networks since the bug is with the Catalyst 5000 EARL, though
some of the reports have called 802.1x a wireless standard. That's pretty
bad that the switches forward the multicasts out blocked ports. How could
that have happened? Just a bug I guess.
Back to my original question. Does security at the data-link-layer make
sense for wired networks? I guess there could be cases where a person has
physical access to an Ethernet port but is not supposed to be able to use
the network. Maybe in a conference room or lobby. How does the
authentication actually take place? Do you need to use RADIUS or TACACS also?
And one more question, is anyone actually using Windows XP yet? I guess
people must be for this bug to have been found.
Interesting thread. Would anyone care to share some "big picture" comments
on the subject?
Priscilla
At 11:10 AM 4/17/01, Hornbeck, Timothy wrote:
> > Possible solution?
> >
> > * Operating systems, such as Windows XP, will attempt 802.1X
> > authentication by sending frames to the Authenticator PAE on the
> > destination multicast address 01-80-c2-00-00-0f and 01-80-c2-00-00-03. On
> > Catalyst 5000 family switches with EARL1, EARL1+, EARL1++, or EARL1.1,
> > these frames will be forwarded on all ports including spanning tree
> > blocking ports. Because these frames are forwarded on blocked ports, the
> > network will experience a Layer 2 multicast storm.
> > Workaround 1: Enter the following commands to configure a permanent CAM
> > entry for 01-80-c2-00-00-0f and 01-80-c2-00-00-03 to be directed out an
> > unused port.
> > * set cam permanent 01-80-c2-00-00-0f mod/port
> > * set cam permanent 01-80-c2-00-00-03 mod/port
> > Workaround 2: Follow this procedure to configure Windows XP to not send
> > these frames:
> > a. Click on the associated Local Area Connection under Network
> > Connections.
> > b. Click on the Authentication Tab.
> > c. Uncheck "Network Access Control using IEEE 802.1x."
> > This problem is resolved in software release 6.2(1). (CSCdt62732)
> >
>Timothy J. Hornbeck
>Technical Analyst III
>Infrastructure Implementation - LAN/WAN
>"6EQUJ5" - By Unknown
>FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
________________________
Priscilla Oppenheimer
http://www.priscilla.com
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=995&t=911
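As an added illustration (not from the thread or from Cisco), here is what the frames in the bug report look like on the wire and how you would spot the resulting storm in a capture. A supplicant opens 802.1X by sending an EAPOL-Start (Ethertype 0x888E, EAPOL type 1, empty body) to the PAE group address 01-80-c2-00-00-03; the bug description also lists 01-80-c2-00-00-0f, so both are watched. The capture sample, the MAC addresses and the storm threshold are constructed for the example.

```python
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E  # EAP over LAN, IEEE 802.1X

# Destination group addresses named in the Catalyst bug description:
# 01-80-c2-00-00-03 is the 802.1X PAE group address; the advisory lists
# 01-80-c2-00-00-0f alongside it, so both are watched here.
PAE_GROUP_ADDRS = {bytes.fromhex("0180c2000003"), bytes.fromhex("0180c200000f")}

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def mac_str(mac: bytes) -> str:
    return "-".join(f"{b:02x}" for b in mac)


def parse_eapol(frame: bytes):
    """Return (dst, src, eapol_type_name) for an EAPOL frame sent to one of the
    PAE group addresses, or None for anything else (other Ethertypes, unicast
    EAPOL, runt or truncated frames)."""
    if len(frame) < 18:                       # 14-byte Ethernet II header + 4-byte EAPOL header
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL or dst not in PAE_GROUP_ADDRS:
        return None
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if version not in (1, 2):                 # 802.1X-2001 uses protocol version 1
        return None
    if len(frame) < 18 + body_len:            # declared body longer than what was captured
        return None
    return dst, src, EAPOL_TYPES.get(ptype, f"type-{ptype}")


def build_eapol_start(src: bytes, dst: bytes = bytes.fromhex("0180c2000003")) -> bytes:
    """Constructed EAPOL-Start frame (version 1, type 1, zero-length body): the
    frame a supplicant such as Windows XP sends to kick off authentication."""
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 1, 1, 0)


def eapol_counts(frames) -> Counter:
    """Count EAPOL frames per (source MAC, EAPOL type) over a capture sample."""
    counts = Counter()
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed:
            _, src, kind = parsed
            counts[(src, kind)] += 1
    return counts


def storm_sources(frames, threshold: int):
    """Return source MACs whose EAPOL-Start count exceeds threshold.

    A supplicant retransmits EAPOL-Start only a few times before giving up
    (the 802.1X-2001 default maxStart is 3), so dozens of copies from one MAC
    in a short sample mean the frame is being looped or flooded, not sent."""
    counts = eapol_counts(frames)
    return sorted(mac_str(src) for (src, kind), n in counts.items()
                  if kind == "EAPOL-Start" and n > threshold)


# Constructed capture sample (not real traffic): one well-behaved supplicant,
# one MAC whose EAPOL-Start is circulating through the switched network, and
# some IPv4 broadcast noise that the parser must ignore.
SUPPLICANT = bytes.fromhex("00a0c9112233")
LOOPED = bytes.fromhex("00a0c9445566")
IPV4_FRAME = bytes.fromhex("ffffffffffff") + SUPPLICANT + b"\x08\x00" + b"\x45" + b"\x00" * 19

SAMPLE = ([build_eapol_start(SUPPLICANT)] * 3
          + [build_eapol_start(LOOPED)] * 40
          + [IPV4_FRAME] * 10)

if __name__ == "__main__":
    print("storm sources:", storm_sources(SAMPLE, threshold=10))
```

The threshold is per capture sample, so size it to the sample length; the point is that a legitimate supplicant produces a handful of EAPOL-Starts and then either gets an EAP-Request/Identity or gives up, whereas a frame looping through blocked ports shows up as the same source over and over. Tying the same logic to Workaround 1 above: once the permanent CAM entries steer those group addresses to an unused port, the count for the looped source should drop back to the supplicant's own retries.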