Configuring Security
802.1X
Cisco Small Business 300 Series Managed Switch Administration Guide
802.1x is an IEEE standard for port-based network access control. The 802.1x 
framework enables a device (the supplicant) to request port access from a remote 
device (the authenticator) to which it is connected. The supplicant is permitted 
to send data to the port only after it has been authenticated and authorized. 
Otherwise, the authenticator discards the supplicant's data unless the data is 
sent to a Guest VLAN and/or non-authenticated VLANs.
Authentication of the supplicant is performed by an external RADIUS server 
through the authenticator. The authenticator monitors the result of the 
authentication. 
In the 802.1x standard, a device can be a supplicant and an authenticator at a port 
simultaneously, requesting port access and granting port access. However, this 
device is only the authenticator, and does not take on the role of a supplicant. 
The following varieties of 802.1X exist:
• Single session 802.1X:
- Single-session/single host—In this mode, the switch, as an 
authenticator, supports one 802.1x session and grants permission to use 
the port to the authorized supplicant at the port. All access by other 
devices on the same port is denied until the authorized supplicant is 
no longer using the port, or unless the access is to the 
unauthenticated VLAN or guest VLAN.
- Single session/multiple hosts—This follows the 802.1x standard. In this 
mode, the switch, as an authenticator, allows any device to use a port as 
long as it has granted permission to a supplicant at the port.
• Multi-Session 802.1X—Every device (supplicant) connecting to a port 
must be authenticated and authorized by the switch (authenticator) 
separately in a different 802.1x session. This is the only mode that supports 
Dynamic VLAN Assignment (DVA).
Dynamic VLAN Assignment (DVA)
Dynamic VLAN Assignment (DVA) is also referred to as RADIUS VLAN Assignment in 
this guide. When a port is in Multiple Session mode and is DVA-enabled, the switch 
automatically adds the port as an untagged member of the VLAN that is assigned 
by the RADIUS server during the authentication process. The switch classifies 
untagged packets to the assigned VLAN if the packets originate from 
devices or ports that are authenticated and authorized.
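
The three port modes and the DVA behaviour described above can be compared side by side in a small model. The Python below is an added illustration, not Cisco code or switch configuration: the Port class, its method names, the default VLAN 1 and the MAC/VLAN values are hypothetical, and guest/unauthenticated VLAN handling is simplified to "frames sent to such a VLAN are admitted".

```python
# Added illustration (not Cisco code): simplified model of which frames an
# 802.1x authenticator port admits in each mode. All names are hypothetical.
from dataclasses import dataclass, field

SINGLE_HOST, MULTI_HOST, MULTI_SESSION = "single-host", "multi-host", "multi-session"

@dataclass
class Port:
    mode: str
    dva: bool = False                              # RADIUS VLAN assignment enabled
    pvid: int = 1                                  # port's default VLAN (assumed)
    open_vlans: set = field(default_factory=set)   # guest / unauthenticated VLANs
    sessions: dict = field(default_factory=dict)   # authorized MAC -> assigned VLAN

    def authorize(self, mac, radius_vlan=None):
        """Record a supplicant that the RADIUS server accepted."""
        if self.mode != MULTI_SESSION and self.sessions and mac not in self.sessions:
            return False                           # single-session modes: one session per port
        # DVA is honoured only in multi-session mode, as the text states.
        use_dva = self.dva and self.mode == MULTI_SESSION
        self.sessions[mac] = radius_vlan if use_dva else None
        return True

    def logoff(self, mac):
        self.sessions.pop(mac, None)

    def classify(self, src_mac, vlan=None):
        """Return the VLAN a frame is forwarded in, or None if it is discarded.
        vlan is the VLAN the frame is sent to (None = untagged)."""
        if vlan in self.open_vlans:
            return vlan                            # admitted without authentication
        if self.mode == MULTI_HOST:
            admitted = bool(self.sessions)         # one authorized supplicant opens the port
        else:
            admitted = src_mac in self.sessions    # per-device check
        if not admitted:
            return None
        if vlan is not None:
            return vlan
        return self.sessions.get(src_mac) or self.pvid   # untagged: DVA VLAN, else default

def demo():
    """Constructed sample: two devices behind one port in each mode."""
    out = {}
    for mode in (SINGLE_HOST, MULTI_HOST, MULTI_SESSION):
        port = Port(mode, dva=True)
        port.authorize("aa:aa", radius_vlan=20)
        out[mode] = (port.classify("aa:aa"), port.classify("bb:bb"))
    return out
```

demo() returns (1, None), (1, 1) and (20, None) for the three modes: only single session/multiple hosts admits the second, unauthenticated device, and only multi-session mode applies the RADIUS-assigned VLAN.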