LordOfDarkness
just joined
Topic Author
Posts: 1
Joined: Mon Jan 24, 2022 4:40 pm

[Feature Request] Dot1x Multiple Host Auth in a single port

Mon Jan 24, 2022 4:54 pm

Hi everyone,

I'm starting to deploy some CRS326 with dot1x and MAB authentication, and I realized that when I connect a dumb switch (with some hosts on it) to one port configured with dot1x/MAB auth, only the first host is authenticated, so the other hosts don't get authenticated and they enter the network without the switch asking the RADIUS server.

Is there any plan to add this functionality in the future?

Not sure if this feature was already asked, didn't find anything about this.

Thanks
 
kiler129
Member
Posts: 352
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: [Feature Request] Dot1x Multiple Host Auth in a single port

Wed Jan 26, 2022 2:50 am

I don't think this is even possible. While I never used it myself, from what I know Dot1x uses the MAC address to authenticate clients. This means that your MT sees traffic from all clients connected to a port under the MAC of the dumb switch. The moment a single client behind that switch passes the authentication process, the port is considered authorized.
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: [Feature Request] Dot1x Multiple Host Auth in a single port

Wed Jan 26, 2022 10:26 am

> I don't think this is even possible. While I never used it myself, from what I know Dot1x uses the MAC address to authenticate clients. This means that your MT sees traffic from all clients connected to a port under the MAC of the dumb switch. The moment a single client behind that switch passes the authentication process, the port is considered authorized.

Are you sure the MT only gets the dumb switch's MAC address instead of the real devices' MAC addresses (do dumb switches even have MAC addresses at all?)?
Thinking about IP phones, which somehow incorporate a 3-port switch (one for the LAN, one for the phone and one for a PC or anything else), I thought you would get proper MAC addresses provided the IP phone was properly configured.
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: [Feature Request] Dot1x Multiple Host Auth in a single port

Wed Jan 26, 2022 1:47 pm

> Not sure if this feature was already asked, didn't find anything about this.

I already asked for this feature in the list here.

> I don't think this is even possible. While I never used it myself, from what I know Dot1x uses the MAC address to authenticate clients. This means that your MT sees traffic from all clients connected to a port under the MAC of the dumb switch. The moment a single client behind that switch passes the authentication process, the port is considered authorized.

You are wrong. It is possible, and many smart and managed switches have this possibility. A dumb switch doesn't have a MAC.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: [Feature Request] Dot1x Multiple Host Auth in a single port

Wed Jan 26, 2022 2:05 pm

> I don't think this is even possible. While I never used it myself, from what I know Dot1x uses the MAC address to authenticate clients. This means that your MT sees traffic from all clients connected to a port under the MAC of the dumb switch. The moment a single client behind that switch passes the authentication process, the port is considered authorized.

On MikroTik you mean? ;-)
This function has existed for a very long time on e.g. Cisco Catalyst; on a certain port you punch in: authentication host-mode multi-auth
Sure, there are restrictions, but I have it deployed on a project.
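
Added example, not part of any post above and not MikroTik or Cisco code: a toy model of one authenticator port that contrasts the behaviour the topic author describes (first host opens the port, later hosts are never sent to RADIUS) with per-MAC sessions as in the multi-auth mode mentioned in the last reply. The mode names follow Cisco's host-mode terminology; the `Port` class, the `replay` helper, the accept list and the MAC addresses are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: MACs a stand-in RADIUS server would accept.
RADIUS_ACCEPT = {"aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"}

@dataclass
class Port:
    """Toy 802.1X/MAB authenticator port (hypothetical model, not RouterOS code)."""
    mode: str  # "single-host", "multi-host" or "multi-auth"
    authorized: set = field(default_factory=set)
    radius_queries: list = field(default_factory=list)

    def _authenticate(self, mac):
        # Each call represents one Access-Request sent to RADIUS.
        self.radius_queries.append(mac)
        if mac in RADIUS_ACCEPT:
            self.authorized.add(mac)
            return True
        return False

    def frame_in(self, src_mac):
        """Return True if a frame from src_mac would be forwarded."""
        if src_mac in self.authorized:
            return True
        if self.mode == "multi-auth" or not self.authorized:
            # multi-auth: every new MAC gets its own session.
            # Other modes: only the first host on a closed port is checked.
            return self._authenticate(src_mac)
        # Port was already opened by another host.
        # multi-host: later MACs ride along unchecked; single-host: dropped.
        return self.mode == "multi-host"

def replay(mode, macs):
    """Feed source MACs through a fresh port; return (forwarded, radius_queries)."""
    port = Port(mode)
    forwarded = [m for m in macs if port.frame_in(m)]
    return forwarded, port.radius_queries

# Constructed traffic from behind a dumb switch: two known hosts, one unknown.
FRAMES = ["aa:aa:aa:00:00:01", "bb:bb:bb:00:00:09", "aa:aa:aa:00:00:02"]

if __name__ == "__main__":
    for mode in ("single-host", "multi-host", "multi-auth"):
        fwd, asked = replay(mode, FRAMES)
        print(f"{mode:12} forwarded={fwd} radius_asked={asked}")
```

In the multi-host run the unknown MAC is forwarded with a single RADIUS query on record, which is the gap the feature request is about; in the multi-auth run every source MAC produces its own query and the unknown one is not forwarded.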
