Thanks to Steve Riley for pointing out some of the vulnerabilities in my post on using 802.1X to secure wired networks. (The whitepaper from this post does address these concerns.)
Essentially, the vulnerability is a weakness in the 802.1X protocol itself: it authenticates only when the connection is established and assumes that all traffic after authentication is legitimate. So if an attacker had physical access to your network, they could unplug an authenticated machine from the switch port, plug in an ‘attack’ computer, and connect the authenticated computer to a hub that is then connected back to the same switch port. A little IP and MAC spoofing, and bingo. (There is a little more to it than that, but you get the gist.)
NET/NET: for the highest level of security when using 802.1X on wired networks, use additional defense-in-depth strategies, such as IPsec.
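As an added illustration (not code from the original post or from the linked whitepaper), the following Python sketch shows the kind of check a switch-side monitor can apply to the scenario above: it records the MAC that authenticated on each port and flags any later frame on that port from a different source MAC, which is what a hub behind the authenticated host produces. The event feed is constructed for the example, not real switch output.

```python
"""Flag 802.1X-authenticated switch ports whose later traffic comes from a
MAC address other than the one that authenticated on that port."""
from collections import defaultdict

# Constructed sample feed (not real switch output), one event per line:
#   AUTH  <port> <mac>   802.1X session authorized on the port
#   FRAME <port> <mac>   source MAC of a frame later received on that port
SAMPLE_EVENTS = """\
AUTH  Gi1/0/7  00:11:22:33:44:55
FRAME Gi1/0/7  00:11:22:33:44:55
AUTH  Gi1/0/9  00:AA:BB:CC:DD:EE
FRAME Gi1/0/9  00:aa:bb:cc:dd:ee
FRAME Gi1/0/7  00:DE:AD:BE:EF:01
FRAME Gi1/0/7  00:11:22:33:44:55
FRAME Gi1/0/12 00:de:ad:be:ef:02
"""


def parse_events(text):
    """Parse the feed into (kind, port, mac) tuples; MACs are normalised
    to lower case so case differences never mask a mismatch."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("AUTH", "FRAME"):
            continue  # skip blank or malformed lines
        kind, port, mac = parts
        events.append((kind, port, mac.lower()))
    return events


def find_shadow_hosts(events):
    """Return (suspicious, unauthenticated): suspicious maps an authenticated
    port to the foreign MACs seen after its 802.1X session came up (a hub
    behind the host); unauthenticated maps ports with traffic but no session."""
    session_mac = {}
    suspicious = defaultdict(set)
    unauthenticated = defaultdict(set)
    for kind, port, mac in events:
        if kind == "AUTH":
            session_mac[port] = mac  # the switch trusts this MAC from now on
        elif port not in session_mac:
            unauthenticated[port].add(mac)
        elif mac != session_mac[port]:
            suspicious[port].add(mac)
    return dict(suspicious), dict(unauthenticated)
```

Because the check keys on addresses, it goes blind as soon as the shadow host spoofs the authenticated machine's MAC and IP, which is exactly why per-packet authentication such as IPsec is the stronger control.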
You can read more on this here: http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx or on Steve’s blog.
– Ward Ralston