We are planning to implement 802.1X. What is not clear is whether a switch supporting 802.1X can successfully and correctly authenticate multiple devices connected to the same switch port (e.g. if we have a department using a hub with a bunch of computers to "share" the port)? If so, how does the protocol validate the source of packets?
Or will implementing 802.1X require us to purchase huge expensive 802.1X supporting switches, for one port per device?
You will still be able to do port-based 802.1x authentication but only for the entire hub. As far as the 802.1x authenticator is concerned it is just able to allow or disallow (or assign to different VLANs) that one port that the hub is attached to. Imagine what will happen when a client authenticates this port to a trusted VLAN but then another client authenticates this port to an untrusted VLAN. From the perspective of the authenticator you will not be able to "validate the source of packets", only the port that your hub is attached to (and hence everything that is attached to it).
If you require port-based authentication on a switch or need to authenticate a device that doesn't support 802.1x you can rely on MAC Authentication Bypass, which is essentially just whitelisting MAC addresses or port as required.
To really take advantage of 802.1x you need a switching infrastructure that fully supports 802.1x (luckily it's pretty common on mid-range enterprise grade switches).
Multi-auth does exactly this. Multi-host is an older mode that allows several devices to share the port but once one is authenticated, they all are authenticated. Multi-auth is a newer mode that forces each unique MAC address on a port to authenticate individually. However, some features are disabled when you use it, such as different RADIUS-assigned VLANs, guest VLAN and auth fail VLAN, since you cannot assign a VLAN per MAC address.
Update - Be advised that there is currently a bug in IOS 12.2(54)SG1 with multi-auth and multi-domain where authorized ports do not pass traffic.
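The two host modes described in the answers, side by side as a Cisco IOS interface configuration. This is an added example, not configuration posted by either answerer; the interface numbers are placeholders, a RADIUS server is assumed to be defined already, and command availability varies by platform and release.

```cisco
! Constructed example. Interface numbers are placeholders; the RADIUS
! server definition is omitted and assumed to exist.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Hub-attached port in multi-host mode: the first successful 802.1X
! login opens the port for every MAC address behind the hub.
interface GigabitEthernet1/0/10
 switchport mode access
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
!
! Same kind of port in multi-auth mode: each source MAC address gets its
! own session and must authenticate before its frames are forwarded.
! MAB is the fallback for devices without an 802.1X supplicant.
interface GigabitEthernet1/0/11
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication order dot1x mab
 dot1x pae authenticator
 mab
```

`show authentication sessions interface GigabitEthernet1/0/11` lists the sessions on the port, so you can confirm that each MAC address behind the hub was authenticated separately.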