10-35
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
OL-26520-01
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Guidelines
• You can configure NEAT ports with the same configurations as the other authentication ports. When
the supplicant switch authenticates, the port mode is changed from access to trunk based on the
switch vendor-specific attributes (VSAs). (device-traffic-class=switch).
• The VSA changes the authenticator switch port mode from access to trunk and enables 802.1x trunk
encapsulation and the access VLAN if any would be converted to a native trunk VLAN. VSA does
not change any of the port configurations on the supplicant
• To change the host mode and the apply a standard port configuration on the authenticator switch
port, you can also use Auto Smartports user-defined macros, instead of the switch VSA. This allows
you to remove unsupported configurations on the authenticator switch port and to change the port
mode from access to trunk. For information, see the AutoSmartports Configuration Guide.
For more information, see the “Configuring an Authenticator and a Supplicant Switch with NEAT”
section on page 10-61.
Using IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute
Note To use IEEE 802.1x authentication with ACLs and the Filter-Id attribute, the switch must be running the
LAN base image.
The switch supports both IP standard and IP extended port access control lists (ACLs) applied to ingress
ports.
• ACLs that you configure
• ACLs from the Access Control Server (ACS)
An IEEE 802.1x port in single-host mode uses ACLs from the ACS to provide different levels of service
to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates this type of user and port,
it sends ACL attributes based on the user identity to the switch. The switch applies the attributes to the
port for the duration of the user session. If the session is over, authentication fails, or a link fails, the port
becomes unauthorized, and the switch removes the ACL from the port.
Only IP standard and IP extended port ACLs from the ACS support the Filter-Id attribute. It specifies the
name or number of an ACL. The Filter-id attribute can also specify the direction (inbound or outbound)
and a user or a group to which the user belongs.
• The Filter-Id attribute for the user takes precedence over that for the group.
• If a Filter-Id attribute from the ACS specifies an ACL that is already configure, it takes precedence
over a user-configured ACL.
• If the RADIUS server sends more than one Filter-Id attribute, only the last attribute is applied.
If the Filter-Id attribute is not defined on the switch, authentication fails, and the port returns to the
unauthorized state.
Common Session ID
Authentication manager uses a single session ID (referred to as a common session ID) for a client no
matter which authentication method is used. This ID is used for all reporting purposes, such as the show
commands and MIBs. The session ID appears with all per-session syslog messages.
To Next Page
Loading...
Need help?
General
