10-34
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
OL-26520-01
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
In the default state, when you connect a supplicant switch to an authenticator switch that has BPDU
guard enabled, the authenticator port could be error-disabled if it receives a Spanning Tree Protocol
(STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated.
Beginning with Cisco IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during
the authentication period. Entering the dot1x supplicant controlled transient global configuration
command temporarily blocks the supplicant port during authentication to ensure that the authenticator
port does not shut down before authentication completes. If authentication fails, the supplicant port
opens. Entering the no dot1x supplicant controlled transient global configuration command opens the
supplicant port during the authentication period. This is the default behavior.
We strongly recommend using the dot1x supplicant controlled transient command on a supplicant
switch when BPDU guard is enabled on the authenticator switch port with the spanning-tree
bpduguard enable interface onfiguration command.
Note If you globally enable BPDU guard on the authenticator switch by using the spanning-tree portfast
bpduguard default global configuration command, entering the dot1x supplicant controlled transient
command does not prevent the BPDU violation.
You can enable MDA or multiauth mode on the authenticator switch interface that connects to one more
supplicant switches. Multihost mode is not supported on the authenticator switch interface.
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch for
Network Edge Access Topology (NEAT) to work in all host modes.
• Host Authorization: Ensures that only traffic from authorized hosts (connecting to the switch with
supplicant) is allowed on the network. The switches use Client Information Signalling Protocol
(CISP) to send the MAC addresses connecting to the supplicant switch to the authenticator switch,
as shown in Figure 10-6.
• Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing
user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as
device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
Figure 10-6 Authenticator and Supplicant Switch using CISP
1 Workstations (clients) 2 Supplicant switch (outside wiring closet)
3 Authenticator switch 4 Access control server (ACS)
5 Trunk port
205718
1
2 3
5
4
To Next Page
Loading...
Need help?
General
