[c-nsp] 802.1x - clients that go to sleep
Phil Mayers
p.mayers at imperial.ac.uk
Tue Feb 7 08:19:01 EST 2012
On 07/02/12 11:54, Aaron Riemer wrote:
> Hey guys,
>
> Has anyone out there come across a condition where switch ports secured with
> 802.1x have issues with clients/supplicants that go into hibernate / sleep
> mode?
Well, such a machine will stop authenticating.
> We have some clients that are hibernating and as a result the switch is
> filling the logs with failed 802.1x authorization attempts. The switch looks
> to be trying to authenticate the supplicant but the supplicant is not
> responding due to the hibernation status.
So what's the issue? The cosmetic filling-of-logs (which is annoying) or
something else?
> Is there any way around this other than configuring a hardware supplicant
Around what?
If you mean "filling of logs" then ESM (Embedded Syslog Manager) and log
content filters might help. Or use a syslog server with filtering, and
throw the re-auth messages away / into a separate file.
"Hardware supplicant" sounds nebulous to me. I guess in theory you could
run an 802.1x module inside AMT/vPro-enabled chipsets that works while
the host is down, but I don't know if one actually exists.
> that is not reliant on the client OS? Doing some reading around I haven't
> much info other than the allowing of magic packets out the switch port for
> the purpose of WOL.
It's not very secure, but you could set the reauth time really, really high.