Network Admission Control Layer 2 Ieee 802.1X Validation - Cisco Catalyst 2960 series Configuration Manual
Consolidated platform configuration guide, ios release 15.2(4)e
Hide thumbs
Also See for Catalyst 2960 series:
- Software configuration manual (980 pages) ,
- Command reference manual (800 pages) ,
- Configuration manual (120 pages)
Table of Contents
Advertisement
Information About 802.1x Port-Based Authentication
If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the
device connected to that interface is an 802.1x-capable supplicant and uses 802.1x authentication (not MAC
authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes
down.
If the switch already authorized a port by using MAC authentication bypass and detects an IEEE 802.1x
supplicant, the switch does not unauthorize the client connected to the port. When re-authentication occurs,
the switch uses the authentication or re-authentication methods configured on the port, if the previous session
ended because the Termination-Action RADIUS attribute value is DEFAULT.
Clients that were authorized with MAC authentication bypass can be re-authenticated. The re-authentication
process is the same as that for clients that were authenticated with IEEE 802.1x. During re-authentication, the
port remains in the previously assigned VLAN. If re-authentication is successful, the switch keeps the port
in the same VLAN. If re-authentication fails, the switch assigns the port to the guest VLAN, if one is configured.
If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute
(Attribute [29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session
ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled and the IEEE
802.1x authentication times out, the switch uses the MAC authentication bypass feature to initiate
re-authorization. For more information about these AV pairs, see RFC 3580, "IEEE 802.1X Remote
Authentication Dial In User Service (RADIUS) Usage Guidelines."
MAC authentication bypass interacts with the features:
• IEEE 802.1x authentication—You can enable MAC authentication bypass only if 802.1x authentication
is enabled on the port .
• Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest
VLAN if one is configured.
• Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.lx port is
authenticated with MAC authentication bypass.
• Port security
• Voice VLAN
• VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutually exclusive.
• Private VLAN—You can assign a client to a private VLAN.
• Network Edge Access Topology (NEAT)—MAB and NEAT are mutually exclusive. You cannot enable
MAB when NEAT is enabled on an interface, and you cannot enable NEAT when MAB is enabled on
an interface.
Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks
the antivirus condition or posture of endpoint systems or clients before granting the devices network access.
With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
• Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
attribute (Attribute[29]) from the authentication server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1346
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
