802.1x Authentication – Dynamic VLAN Assignment of Tagged Frames

ieee-802.1x, network access, switching, vlan

I want to implement a Network Access Control (NAC) infrastructure in my LAN.
My topology is something like:

PC -> ( Untagged Port – PVID 100 – Non 802.1x capable smart switch ) -> ( Hybrid port – 802.1x Dynamic VLAN capable managed switch ) -> PacketFence

So, PCs and other devices aren't connected directly to the 802.1x Dynamic VLAN capable switch (HP 1920G) but to a smart switch (TP-Link TL-1016DE). This switch tags frames coming into the untagged port with VLAN ID 100 and sends them tagged to the 1920.

My question is: could a tagged frame be subject to 802.1x authentication and dynamic VLAN assignment by the 1920, or does that just work for untagged frames?

Thanks in advance

Manuel

Best Answer

Unfortunately, 802.1X uses link-local frames. An 802.1D compliant bridge (switch) does not forward these types of frames (multicast OUI 01:80:C2). You should not be able to do 802.1X authentication across an intervening bridge or switch, so what you propose should not be possible.

Basically, you need to run 802.1X on the access ports of the access switch. Switches should be configured to trust on switch-to-switch links.
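
The forwarding rule the answer relies on, as an added example that is not part of the original answer: a small frame classifier showing that an EAPOL frame sent to the PAE group address falls in the reserved 01:80:C2:00:00:00-0F block a compliant bridge does not relay, with or without an 802.1Q tag. The EtherType, TPID and address constants are standard IEEE values assumed here, and the sample frames are constructed.

```python
import struct

# Assumptions (IEEE constants, not taken from the page): EAPOL EtherType 0x888E,
# 802.1Q TPID 0x8100, bridge-filtered reserved block 01:80:C2:00:00:00-0F.
ETH_EAPOL = 0x888E
TPID_8021Q = 0x8100
RESERVED_PREFIX = bytes.fromhex("0180c20000")
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def classify(frame: bytes) -> dict:
    """Parse one Ethernet frame and report what a compliant bridge does with it."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:                      # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    # Link-local reserved group addresses are consumed by the bridge, never relayed.
    link_local = dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F
    eapol = None
    if ethertype == ETH_EAPOL and len(frame) >= offset + 4:
        eapol = EAPOL_TYPES.get(frame[offset + 1], "unknown")
    return {"dst": dst.hex(":"), "vlan": vlan, "eapol": eapol,
            "forwarded_by_bridge": not link_local}

# Constructed sample frames (source MAC and payloads are made up).
SRC = bytes.fromhex("020000000001")
PAE = bytes.fromhex("0180c2000003")              # 802.1X PAE group address
EAPOL_START = PAE + SRC + bytes.fromhex("888e" "01" "01" "0000")
TAGGED_IP = (bytes.fromhex("ffffffffffff") + SRC
             + bytes.fromhex("8100" "0064" "0800") + b"\x45" * 20)

if __name__ == "__main__":
    for name, f in (("EAPOL-Start", EAPOL_START), ("tagged IPv4", TAGGED_IP)):
        print(name, classify(f))
```
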
