Developing Mixed Environments Of 802.1x And Non 802.1x...

More commonly, switches from different manufacturers are inconsistent in the way they must be configured to support 802.1X, particularly in how they handle mixed environments of 802.1X and non-802.1X endpoints. This and other factors make initial configuration and ongoing management of 802.1X in wired LANs very resource intensive — and therefore expensive. Wired LANs also tend to support a greater variety of legacy endpoints, many of which do not support 802.1X supplicant software. The number of non-802.1X endpoints in wired LANs often exceeds 802.1X-capable ones. As mentioned above, it is challenging to configure different switches (particularly in multivendor networks) to handle a mix of both 802.1X and non- 802.1X endpoints. The†¦show more content†¦Examples include devices such as those used for physical security in many facilities, including surveillance cameras, ID card readers, entry keypads and the like. Various industries such as manufacturing, retail, healthcare, energy and many others support unique types of endpoints in their networks for which 802.1X supplicant software is not available. In many environments, non-802.1X endpoints can far outnumber 802.1X-capable ones. As a result, a significant challenge for implementing 802.1X in many networks involves what to do about all the non-802.1X endpoints and how to handle network connectivity for those devices. There are options and workarounds, but each one involves compromise in terms of network security and/or management complexity. [callout box]  » OPTIONS FOR HANDLING NON-802.1X ENDPOINTS †¢ Deny All (not realistic!) †¢ Whitelist All (not secure!) †¢ MAC Authentication Bypass (doable, but manually intensive) [end of callout box] One option (though seldom feasible) is to simply deny network access to all non-802.1X endpoints. For most organizations this is really not an option since many of the non-802.1X endpoints are critical to business operations. Machines on a manufacturing floor, cash registers in a retail store, heart monitors and other patient care devices in a hospital all must be allowed on the network. So denying access