Priscilla,
Cisco has had a proprietary product for doing just what 802.1x standardizes.
This would be URT

http://www.cisco.com/warp/public/cc/pd/wr2k/urto/

David C Prall   [EMAIL PROTECTED]   http://dcp.dcptech.com
----- Original Message -----
From: "Priscilla Oppenheimer" 
To: 
Sent: Tuesday, April 17, 2001 6:15 PM
Subject: RE: Windows XP and Catalyst 5000 Issues ... [7:911]


> Taking a step back, she asked, "so what's with this 802.1x standard,
> anyway?" Is anyone actually using it?
>
> Data-link-layer security definitely makes sense for 802.11 wireless
> networks. Does it really make sense for wired networks? Is the bug
> happening with wired or wireless networks? It sounds like it's happening
> with wired networks since the bug is with the Catalyst 5000 EARL, though
> some of the reports have called 802.1x a wireless standard. That's pretty
> bad that the switches forward the multicasts out blocked ports. How could
> that have happened? Just a bug I guess.
>
> Back to my original question. Does security at the data-link-layer make
> sense for wired networks? I guess there could be cases where a person has
> physical access to an Ethernet port but is not supposed to be able to use
> the network. Maybe in a conference room or lobby. How does the
> authentication actually take place? Do you need to use Radius or TACACS
> also?
>
> And one more question, is anyone actually using Windows XP yet? I guess
> people must be for this bug to have been found.
>
> Interesting thread. Would anyone care to share some "big picture" comments
> on the subject?
>
> Priscilla
>
> At 11:10 AM 4/17/01, Hornbeck, Timothy wrote:
> > > Possible solution?
> > >
> > > *     Operating systems, such as Windows XP, will attempt 802.1X
> > > authentication by sending frames to the Authenticator PAE on the
> > > destination multicast address 01-80-c2-00-00-0f and 01-80-c2-00-00-03.
> > > On Catalyst 5000 family switches with EARL1, EARL1+, EARL1++, or EARL1.1,
> > > these frames will be forwarded on all ports including spanning tree
> > > blocking ports. Because these frames are forwarded on blocked ports,
> > > the network will experience a Layer 2 multicast storm.
> > > Workaround 1: Enter the following commands to configure a permanent
> > > CAM entry for 01-80-c2-00-00-0f and 01-80-c2-00-00-03 to be directed out
> > > an unused port.
> > > *     set cam permanent 01-80-c2-00-00-0f mod/port
> > > *     set cam permanent 01-80-c2-00-00-03 mod/port
> > > Workaround 2: Follow this procedure to configure Windows XP to not
> > > send these frames:
> > >       a. Click on the associated Local Area Connection under Network
> > > Connections.
> > >       b. Click on the Authentication Tab.
> > >       c. Uncheck "Network Access Control using IEEE 802.1x."
> > > This problem is resolved in software release 6.2(1). (CSCdt62732)
> > >
> >Timothy J. Hornbeck
> >Technical Analyst III
> >Infrastructure Implementation - LAN/WAN
> >"6EQUJ5" - By Unknown
> >FAQ, list archives, and subscription info:
> >http://www.groupstudy.com/list/cisco.html
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1007&t=911
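
Added example, not part of the original thread or of Cisco's release note: a small capture check for the symptom the quoted note describes, tallying frames addressed to 01-80-c2-00-00-0f and 01-80-c2-00-00-03 and flagging a source whose byte-identical frame keeps reappearing. The sample frames, the source MACs and the threshold of 3 are constructed assumptions; a client's own retransmissions are also identical, so tune the threshold to the capture window.

```python
from collections import Counter

# The two destination addresses named in the quoted release note.
PAE_DESTS = {bytes.fromhex("0180c200000f"), bytes.fromhex("0180c2000003")}

def mac(b):
    """Format 6 raw bytes in the note's dash-separated style."""
    return "-".join(f"{x:02x}" for x in b)

def storm_report(frames, threshold=3):
    """Tally frames sent to the PAE addresses per (source, destination).

    Returns (counts, suspects). suspects lists pairs for which one
    byte-identical frame was seen at least `threshold` times, which is
    what a frame circulating through a Layer 2 loop looks like in a capture.
    """
    counts, copies = Counter(), Counter()
    for frame in frames:
        if len(frame) < 14:            # shorter than an Ethernet header
            continue
        dst, src = frame[0:6], frame[6:12]
        if dst not in PAE_DESTS:
            continue
        pair = (mac(src), mac(dst))
        counts[pair] += 1
        copies[(pair, frame)] += 1
    suspects = sorted({pair for (pair, _), n in copies.items() if n >= threshold})
    return dict(counts), suspects

def eth(dst, src, ethertype, payload):
    """Build an untagged Ethernet II frame from hex strings (sample data helper)."""
    return bytes.fromhex(dst + src + ethertype + payload)

# Constructed sample capture. Source MACs use the 00-00-5E-00-53-xx documentation range.
EAPOL_START = "01010000"               # version 1, type 1 (Start), length 0
SAMPLE = (
    [eth("0180c2000003", "00005e005301", "888e", EAPOL_START)] * 4   # same frame seen 4 times
    + [eth("0180c200000f", "00005e005302", "888e", EAPOL_START)]     # seen once
    + [eth("00005e005310", "00005e005302", "0800", "45000014")]      # unicast, ignored
    + [bytes.fromhex("0180c2")]                                       # truncated, ignored
)

if __name__ == "__main__":
    counts, suspects = storm_report(SAMPLE)
    for (src, dst), n in sorted(counts.items()):
        flag = "  <-- repeated identical frame" if (src, dst) in suspects else ""
        print(f"{src} -> {dst}: {n}{flag}")
```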