Cisco Catalyst 3560-X Software Configuration Manual page 318
Hide thumbs
Also See for Catalyst 3560-X:
- Command reference manual (1188 pages) ,
- Software configuration manual (1438 pages) ,
- Manual (276 pages)
Table of Contents
Advertisement
Understanding IEEE 802.1x Port-Based Authentication
If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute
(Attribute [29]) action is Initialize, (the attribute value is DEFAULT), the MAC authentication bypass
session ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled
and the IEEE 802.1x authentication times out, the switch uses the MAC authentication bypass feature to
initiate re-authorization. For more information about these AV pairs, see RFC 3580, "IEEE 802.1X
Remote Authentication Dial In User Service (RADIUS) Usage Guidelines."
MAC authentication bypass interacts with the features:
•
•
•
•
•
•
•
•
•
For more configuration information, see the
Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See the
"Authentication Manager CLI Commands" section on page
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which
checks the antivirus condition or posture of endpoint systems or clients before granting the devices
network access. With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
•
•
•
•
•
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-30
IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x
authentication is enabled on the port.
Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a
guest VLAN if one is configured.
Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.lx port
is authenticated with MAC authentication bypass.
Port security—See the
"IEEE 802.1x Authentication with Port Security" section on page
Voice VLAN—See the
"IEEE 802.1x Authentication with Voice VLAN Ports" section on page
VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutually exclusive.
Private VLAN—You can assign a client to a private VLAN.
Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an
IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception
list.
Network Edge Access Topology (NEAT)—MAB and NEAT are mutually exclusive. You cannot
enable MAB when NEAT is enabled on an interface, and you cannot enable NEAT when MAB is
enabled on an interface.
Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute[29]) from the authentication server.
Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
View the NAC posture token, which shows the posture of the client, by using the show
authentication privileged EXEC command.
Configure secondary private VLANs as guest VLANs.
Chapter 1
Configuring IEEE 802.1x Port-Based Authentication
"Authentication Manager" section on page
1-9.
1-28.
1-28.
1-7.
OL-25303-03
Advertisement
Table of Contents
Troubleshooting
