•
Port security
•
Voice VLAN
• VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutually exclusive.
• Private VLAN—You can assign a client to a private VLAN.
• Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an IEEE 802.1x
port is authenticated with MAC authentication bypass, including hosts in the exception list.
• Network Edge Access Topology (NEAT)—MAB and NEAT are mutually exclusive. You cannot enable
MAB when NEAT is enabled on an interface, and you cannot enable NEAT when MAB is enabled on
an interface.
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks
the antivirus condition or posture of endpoint systems or clients before granting the devices network access.
With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
•
Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
attribute (Attribute[29]) from the authentication server.
•
Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS server.
•
Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
•
View the NAC posture token, which shows the posture of the client, by using the show authentication
privileged EXEC command.
•
Configure secondary private VLANs as guest VLANs.
Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based
authentication except that you must configure a posture token on the RADIUS server.
Flexible Authentication Ordering
You can use flexible authentication ordering to configure the order of methods that a port uses to authenticate
a new host. MAC authentication bypass and 802.1x can be the primary or secondary authentication methods,
and web authentication can be the fallback method if either or both of those authentication attempts fail.
Related Topics
Configuring Flexible Authentication Ordering, on page 294
Open1x Authentication
Open1x authentication allows a device access to a port before that device is authenticated. When open
authentication is configured, a new host can pass traffic according to the access control list (ACL) defined on
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29434-01 239
Configuring IEEE 802.1x Port-Based Authentication
Network Admission Control Layer 2 IEEE 802.1x Validation
To Next Page
Loading...
Need help?
General
