Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 46 Configuring 802.1X Port-Based Authentication
• You can configure NEAT ports and non-NEAT ports with the same configuration. When the
supplicant switch authenticates, the port mode is changed from access to trunk based on the switch
vendor-specific attributes (device-traffic-class=switch).
• To enable NEAT, you must set the vendor-specific attribute (VSA) device-traffic-class to switch.
Configuring the trunk with an 802.1X configuration and enabling CISP globally does not, by itself,
enable NEAT.
• VSA device-traffic-class=switch assists the authenticator switch in identifying the supplicant as a
switch-device. This identification changes the authenticator switch port mode from access to trunk
and enables 802.1X trunk encapsulation. The access VLAN, if any, is converted to a native trunk
VLAN. VSA does not change any of the port configurations on the supplicant.
• Although modified trunk parameters are retained, when the trunk link is down or authentication is
cleared, the interface is reconfigured to the following:
– spanning-tree portfast
– switchport mode access
– switchport access vlan access-vlan-id
Note access-vlan-id is derived from the switchport trunk native vlan x command entered on the
interface. If you have modified the trunk native VLAN, the configured native VLAN is used
as the access-vlan-id when the port returns to access mode.
• We recommend using 802.1X authentication mode single-host for NEAT configuration on the
interface.
• The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS. This sets the
interface as a trunk after the supplicant is successfully authenticated.
• You should not modify the trunk mode configurations that are based on device-traffic-class, either
manually or through features such as AutoSmart Ports, because 802.1X configuration is not
supported for trunk ports.
• To change the host mode and apply a standard port configuration on the authenticator switch port,
you can also use AutoSmart ports user-defined macros rather than the switch VSA. Doing this
allows you to remove unsupported configurations on the authenticator switch port and to change the
port mode from access to trunk. For details, see Chapter 21, “Configuring Cisco IOS Auto Smartport
Macros.”
Note Configuring only the Auto Smartports macro does not identify the end host as a supplicant
switch; the switch VSA is required for that identification. However, when an Auto Smartports
macro is configured, the internal macro that reconfigures the port from access to trunk is not
executed, so the Auto Smartports macro itself must ensure that the port is reconfigured as a
trunk port.
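As an added illustration (not Cisco code and not part of the guide), the following Python model captures the authenticator-port transitions described in the guidelines above: the VSA device-traffic-class=switch moves the port from access to trunk with the access VLAN as the native VLAN, and on link down or cleared authentication the port returns to access mode using the current (possibly modified) native VLAN as access-vlan-id. The class and method names are assumptions; only the attribute string device-traffic-class=switch comes from the guide.

```python
"""Simplified model of NEAT authenticator-port behaviour (added example).

Class and method names are assumptions; the only value taken from the guide is
the cisco-av-pair 'device-traffic-class=switch'.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuthenticatorPort:
    """Port state relevant to NEAT: mode, VLANs, trunk encapsulation, portfast."""
    access_vlan: int = 1
    mode: str = "access"               # "access" or "trunk"
    native_vlan: Optional[int] = None  # meaningful only in trunk mode
    dot1x_trunk_encap: bool = False
    portfast: bool = True

    def authenticate(self, cisco_av_pairs: List[str]) -> str:
        """Apply RADIUS cisco-av-pair values after a successful 802.1X exchange.

        Only 'device-traffic-class=switch' identifies the supplicant as a switch;
        any other value (or none) leaves the port in access mode, so a host or
        printer authenticating on the same port never gets a trunk.
        """
        if "device-traffic-class=switch" not in cisco_av_pairs:
            return self.mode
        # Supplicant is a switch: access -> trunk, access VLAN becomes native VLAN.
        self.mode = "trunk"
        self.native_vlan = self.access_vlan
        self.dot1x_trunk_encap = True
        return self.mode

    def set_native_vlan(self, vlan: int) -> None:
        """Operator changes the trunk native VLAN while the NEAT trunk is up."""
        if self.mode != "trunk":
            raise ValueError("native VLAN applies to trunk mode only")
        self.native_vlan = vlan

    def link_down_or_clear(self) -> int:
        """Trunk link down or authentication cleared: revert to access mode.

        access-vlan-id is derived from the trunk native VLAN, so a modified
        native VLAN (not the original access VLAN) is what the port falls back to.
        """
        if self.mode == "trunk" and self.native_vlan is not None:
            self.access_vlan = self.native_vlan
        self.mode = "access"
        self.native_vlan = None
        self.dot1x_trunk_encap = False
        self.portfast = True
        return self.access_vlan
```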