Hi everyone,
I’m starting to deploy some CRS326 with dot1x and mab authentication and I realized when I connect a dumb switch (with some hosts on it) to one port configured with dot1x/mab auth, only the first host is authenticated so the others hosts don’t get authenticated and they enter the network without the switch asking the RADIUS server.
Is there any plan to add this functionality in the future?
Not sure if this feature was already asked, didn’t find anything about this.
Thanks
I don’t this is even possible. While I never used it myself, from what I know Dot1x uses MAC address to authenticate clients. This means that your MT sees traffic from all clients connected to a port under a MAC of the dumb switch. The moment a single client behind that switch passes authentication process the port is considered authorized.
Are you sure the MT only gets the dumb switch MAC address instead of real devices MAC addresses (do dumb switches even have MAC addresses at all ?) ?
Thinking about IP phones which somehow incorporate a 3 ports switch (one for the LAN, one the phone and one for PC or anything else), I thought you would get proper MAC addresses provided the IP phone was properly configured.
I already asked this feature in list here.
You wrong. It is possible and many smart and managed switches have this possibility. Dumb switch hasn’t MAC.
On Mikrotik you mean ? 
This function exist already very long time on eg. Cisco Catalyst , on a certain port you punch in authentication host-mode multi-auth
Sure there are restrictions, but I have it deployed on a project.