Security – 802.1X needs single port per device

Tags: 802.1, local-area-network, networking, Security

We are planning to implement 802.1X. What is not clear is whether a switch supporting 802.1X can successfully and correctly authenticate multiple devices connected to the same switch port (e.g. if we have a department using a hub with a bunch of computers to "share" the port)? If so, how does the protocol validate the source of packets?
Or will implementing 802.1X require us to purchase hugely expensive 802.1X-supporting switches, with one port per device?

Best Answer

You will still be able to do port-based 802.1x authentication, but only for the entire hub. As far as the 802.1x authenticator is concerned, it is just able to allow or disallow (or assign to different VLANs) that one port that the hub is attached to. Imagine what will happen when a client authenticates this port to a trusted VLAN but then another client authenticates this port to an untrusted VLAN. From the perspective of the authenticator you will not be able to "validate the source of packets", only the port that your hub is attached to (and hence everything that is attached to it).

If you require port-based authentication on a switch or need to authenticate a device that doesn't support 802.1x, you can rely on MAC Authentication Bypass, which is essentially just whitelisting MAC addresses per port as required.

To really take advantage of 802.1x you need a switching infrastructure that fully supports 802.1x (luckily it's pretty common on mid-range enterprise grade switches).
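To make the port-granularity point concrete, here is a small added Python model (not code from the answer above or from any switch vendor) of an authenticator whose authorization state lives on the port rather than on the end host. The policy table, the MAB whitelist, the port names and the MAC addresses are all constructed for the example.

```python
"""Toy model of a port-based 802.1X authenticator (constructed example).

Authorization state is a property of the switch port, so every host that
reaches the switch through a hub on that port shares one outcome: whichever
supplicant authenticated last decides the VLAN for all of them.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed RADIUS-style policy: identity -> VLAN assigned on success.
POLICY = {"alice": "trusted", "guest-laptop": "untrusted"}

# Constructed MAC Authentication Bypass whitelist for supplicant-less devices.
MAB_WHITELIST = {"00:11:22:33:44:55": "printers"}


@dataclass
class Port:
    name: str
    authorized: bool = False
    vlan: Optional[str] = None
    audit: List[str] = field(default_factory=list)   # what a NAC log would show

    def eapol_auth(self, identity: str, credential_ok: bool) -> bool:
        """An 802.1X supplicant behind this port completes (or fails) EAP."""
        if not credential_ok or identity not in POLICY:
            self.audit.append(f"{self.name}: {identity} failed, port unauthorized")
            self.authorized, self.vlan = False, None
            return False
        new_vlan = POLICY[identity]
        if self.authorized and self.vlan != new_vlan:
            # The whole port moves, and every host behind the hub moves with it.
            self.audit.append(f"{self.name}: VLAN changed {self.vlan} -> {new_vlan} by {identity}")
        self.authorized, self.vlan = True, new_vlan
        return True

    def mab_auth(self, mac: str) -> bool:
        """MAC Authentication Bypass: authorize the port from a MAC whitelist."""
        if mac in MAB_WHITELIST:
            self.authorized, self.vlan = True, MAB_WHITELIST[mac]
            return True
        self.audit.append(f"{self.name}: MAB rejected {mac}")
        self.authorized, self.vlan = False, None
        return False

    def forward(self, src_mac: str) -> Optional[str]:
        """Forwarding decision for a frame: returns the VLAN it lands in, or None.

        src_mac is deliberately ignored: the authenticator only knows the port.
        """
        return self.vlan if self.authorized else None
```

Run the scenario from the answer: authenticate one host as "alice", then another as "guest-laptop" on the same port, and watch every MAC behind the hub follow the port into the untrusted VLAN.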