Silent devices keepalive with 802.1X authentication
Posted: 13 Jun 2023 06:17
Hi all,
We are trying to implement a standard configuration on all interfaces of our switches with 802.1X authentication falling back to MAC authentication. All of our ports are configured with an unused vlan in access, needing authentication to assign the correct vlan via UNP profiles. However, we are facing issues with 802.1X/MAC authentication expiration with silent devices (printers and industrial devices) that do not emit traffic and expire from the authentication / MAC address table.
The situation is the following, taking the example of a printer:
1. The printer boots up, generates traffic requesting an IP via DHCP.
2. The switch authenticates the printer via MAC after falling back from 802.1X.
3. The printer is associated with the correct vlan and can then communicate and be reached from the network.
4. If no further request is made to the printer, the authentication expires and the MAC ages out from the table.
5. If a device is trying to reach the printer, as the vlan is no longer assigned to the port, the ARP never reaches the device and the device is not reachable anymore from the network.
To work around that, we are aware of the "unp vlan" command, that we can use either in our UNP template or directly on the port:
unp port-template ###UNP_TEMPLATE_NAME### vlan ###SILENT_VLAN_ID###
unp port ###PORT_ID### vlan ###SILENT_VLAN_ID###
However, this is:
1. Less secure: as traffic is passed in egress to the port, meaning unauthenticated devices can gather information about internal network communications
2. Not scalable: that might work with one or a few vlans, but if silent devices are scattered across numerous vlans, this sends egress traffic of all these vlans on all ports configured with the unp template.
At the moment we have implemented this solution and have developed additional configuration with QoS filtering on the broadcast and multicast traffic to restrict what is being sent on all ports, but we would like to find a more secure and scalable solution.
In Cisco we use the SISF device tracking functionality, which allows the switch to trigger an ARP request to devices that are close to expiring from the table, keeping those devices alive as there is active communication. More information about that functionality can be found here: https://www.cisco.com/c/en/us/td/docs/s ... cking.html
Is anyone here aware of any mechanism that would be close to what we use in Cisco on AOS 8? Or other configuration in AOS8 that could be more secure and scalable?
Thank you for your attention!
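To make the probe-before-expiry behaviour described above concrete, here is an added simulation (not code from the original post, nor from Cisco or Alcatel-Lucent): an authentication/MAC table whose entries age out unless the switch probes near-expiry hosts and the host answers. The timeouts, MAC/IP values and the `probe` callback are constructed assumptions.

```python
"""Simulated keepalive for silent authenticated hosts (added example).

Entries age out after `timeout` seconds without traffic; with keepalive on,
an ARP probe is sent `probe_before` seconds ahead of expiry and a reply
refreshes the entry. Timings, hosts and `probe` are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Entry:
    mac: str
    ip: str
    vlan: int
    last_seen: int  # simulated seconds of last traffic from the host


@dataclass
class AuthTable:
    timeout: int                    # lifetime of an entry without traffic
    probe_before: int               # probe when this close to expiry
    probe: Callable[[str], bool]    # True if the host answered the ARP probe
    entries: Dict[str, Entry] = field(default_factory=dict)
    probes_sent: int = 0

    def learn(self, mac: str, ip: str, vlan: int, now: int) -> None:
        self.entries[mac] = Entry(mac, ip, vlan, now)

    def tick(self, now: int, keepalive: bool = True) -> None:
        """Advance time; probe near-expiry hosts, age out the ones that are gone."""
        for mac in list(self.entries):
            e = self.entries[mac]
            remaining = self.timeout - (now - e.last_seen)
            if keepalive and 0 < remaining <= self.probe_before:
                self.probes_sent += 1
                if self.probe(e.ip):       # an ARP reply counts as traffic
                    e.last_seen = now
                    continue
            if remaining <= 0:
                del self.entries[mac]      # port loses its dynamic VLAN


def run(keepalive: bool, present: Set[str]) -> List[str]:
    """Return the MACs still authenticated after 600 s of host silence."""
    table = AuthTable(timeout=300, probe_before=30, probe=lambda ip: ip in present)
    table.learn("00:11:22:33:44:55", "10.0.10.20", 10, now=0)  # silent printer
    table.learn("00:11:22:33:44:66", "10.0.20.30", 20, now=0)  # unplugged PLC
    for now in range(0, 601, 10):
        table.tick(now, keepalive)
    return sorted(table.entries)
```

With keepalive the present-but-silent printer survives while the absent PLC still ages out; without keepalive both are gone, which is exactly the failure mode in step 4 above.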