Suppose you have a network like this:
                  +-------------------------+      +---------------------------+
                  |                         |      |                           |
                  |                         |      |                           |
+--------+        |          core           |------|          core             |
| radius |--------|       switch #1         |------|       switch #2           |
| server |        |                         |      |                           |
+--------+        |                         |      |                           |
                  +-------------------------+      +---------------------------+
                       |             |                  |               |
                 +-----------+ +-----------+     +-------------+ +-----------+
                 | access    | | access    |     | access      | | access    |
                 | switch #1 | | switch #2 |     | switch #N-1 | | switch #N |
                 +-----------+ +-----------+     +-------------+ +-----------+
I want to make sure that it is not possible to connect a device (PC or another switch) to the network that is not allowed. Therefore I am thinking about using 802.1x to authenticate the switches. My plan is to follow the best practices as explained in slides 79 and 80 of this presentation.
The problem arises when I need to connect the two core switches with multiple ethernet cables, because 1Gbps is not enough but using fiber is too expensive.
I am reading this document from HP, where they say:
To help maintain security, the switch does not allow 802.1X and LACP to both be enabled at the same time on the same port.
So I am wondering if this limitation is due to the HP products or by the design of the protocols.
My main doubt is that an attacker unplugs one of the ethernet cables between the core switches and attaches another switch, which can intercept the traffic since the switch is not using 802.1x on the trunk ports.
Is it possible to use 802.1x with trunk ports?
bypass 802.1X. You can buy an inexpensive Raspberry Pi, download some software, and off you go. What you are really asking is whether it is possible for a switch to be an 802.1X client, and that is going to depend on the switch make and model. If HP says it can't be done on its switches, then I would have to assume it can't be done on HP switches. If you disconnect one port in a channel, you probably can't use that port with a different device anyway; you would need to disconnect both to use one.