Access Control on the Wired Network
Securing Access Using 802.1x on a wired LAN
68
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
To provide secure access to your wired switch network, we recommend that you first provision your
common wired security features. Provision security modes in phased deployments (monitor mode to
high-security mode) of IEEE 802.1x authentication along with MAC Authentication Bypass (MAB),
which uses the MAC address of the end device (or supplicant) to make decisions about access.
Note Each phased deployment should occur over time after ensuring that your network is ready to transition
to the next security mode.
Table 8 describes the recommended IEEE 802.1x deployment scenarios that will have limited impact on
network access. Test your network infrastructure while in monitor mode. If you are satisfied, then
transition to low-impact mode and allow a subset of network traffic to pass through. Finally, transition
to high-security mode, requiring authorization from all end devices.
Reference
For detailed information about wired mode deployments, see the TrustSec Phased Deployment
Configuration Guide.
For basic information about IEEE 802.1x protocols, see the “8021X Protocols” section of the Wired
802.1X Deployment Guide.
Provision Common Wired Security Access
IEEE 802.1x port host modes determine whether more than one client can be authenticated on the port
and how authentications is enforced:
Unless otherwise noted, we recommend that multiple-authentication mode be configured instead of
single-host mode, for increased security:
Table 8 IEEE 802.1x Deployment Modes
Monitor Mode Low-Impact Mode High-Security Mode (Closed)
• Open access for
unauthorized supplicants.
• Limited access for
unauthorized supplicants.
• No access for unauthorized
supplicants.
• Extensive network
visibility.
• Differentiated access control
using dynamic ACLs.
• Heavily impacts supplicants.
• Monitor the network. • Limited impact to end
devices.
• No impact to end devices.
Table 9 Types of IEEE 802.1x Port Host Modes
Single-Host Multi-Host Multi-Domain Multi-Authentication
Allows only one end
device to the IEEE 802.1x
enabled switch port.
Authenticates the first
MAC address and then
allows an unlimited
number of other MAC
addresses.
Allows two
endpoints on the
port: one data
endpoint and one
voice endpoint.
Allows only one voice
end device, but allows
multiple data end
devices. In this mode,
all devices are
authenticated.
To Next Page
Loading...
Need help?
General