46-27
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 46 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
Note The Catalyst 4500 series switch supports only authenticator ports; it cannot act as a NEAT supplicant.
Deployment
NEAT is intended for deployment scenarios where a switch acting as 802.1X authenticator to end hosts
(PCs or Cisco IP phones) is placed in an unsecured location (outside the wiring closet).
Because of this topology, the authenticator switch cannot always be trusted. For example, compact
switches (the 8-port Catalyst 3560 and Catalyst 2960) are generally deployed outside the wiring closet,
where an attacker with physical access can replace or tamper with them to gain access to the network,
compromising security. An edge switch must therefore be able to authenticate itself to the upstream
switch; this arrangement is referred to as Network Edge Authentication Topology (NEAT).
Figure 46-8 illustrates a typical NEAT topology.
Figure 46-8 Typical NEAT Topology
NEAT provides the following functionality in such scenarios:
Host Authorization—Ensures that only traffic from authorized hosts (hosts that connect to the supplicant
switch and authenticate with their own supplicant) is allowed on the network. The switches use the Client
Information Signalling Protocol (CISP) to send the MAC addresses of the hosts connected to the supplicant
switch to the authenticator switch.
Auto enablement—Automatically enables trunk configuration on the authenticator switch port, allowing
user traffic from multiple VLANs behind the supplicant switch. On the ACS, you must configure the
Cisco AV pair device-traffic-class=switch for the supplicant switch's identity. For details on how to do
this, see the “Configuring an Authenticator and a Supplicant Switch with NEAT” section on page 46-89.
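The following configuration is an added illustration of the three pieces a NEAT deployment ties together; it is not the worked example from the referenced section of this guide. It shows the authenticator port on the Catalyst 4500 (ASw), the supplicant configuration on the compact edge switch (SSw), and the attribute the ACS returns for the edge switch. The interface numbers, the credential name neat-creds, the username sw-edge-01 and the password are placeholders.

```cisco
! --- ASw: Catalyst 4500, 802.1X authenticator toward the edge switch ---
! Assumes AAA and the RADIUS server (ACS) are already configured
! (aaa new-model, aaa authentication dot1x default group radius,
!  dot1x system-auth-control, radius server ...).
cisp enable
interface GigabitEthernet3/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast trunk
! The port stays an access port until ACS returns
! device-traffic-class=switch, at which point NEAT converts it to a trunk.

! --- SSw: compact edge switch (3560/2960), supplicant toward ASw ---
! SSw still acts as authenticator toward the PCs and phones on its own ports.
cisp enable
dot1x credentials neat-creds
 username sw-edge-01
 password 0 CHANGE-ME
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials neat-creds

! --- ACS: authorization profile returned for the sw-edge-01 identity ---
!   cisco-av-pair = device-traffic-class=switch
```

To confirm the result, check the session on the ASw port (show authentication sessions interface GigabitEthernet3/1) and the CISP peering on either switch (show cisp summary). Two caveats apply. First, the trunk is granted to whatever identity ACS tags with device-traffic-class=switch, so that account's credential is effectively a privileged one and must not be shared with user accounts. Second, EAP-MD5 (the method shown for the supplicant in Figure 46-8) is a one-way challenge-response: it does not authenticate the server and derives no keys, so anyone who can capture the exchange on the physical path between SSw and ASw can attempt an offline guess of the password.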
How 802.1X Fails on a Port
802.1X may fail on a port in three ways: timeout, explicit failure, and protocol timeout.
[Figure 46-8, labels recovered from the image: SSw, the supplicant switch (a Cisco switch with an EAP-MD5 supplicant toward ASw that also acts as 802.1X authenticator to hosts), reached through a wall jack in a conference room; ASw, the authenticator switch in the wiring closet on the campus LAN; AAA RADIUS server (ACS).]