Cisco Systems 3130 User Manual
9-20
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which
checks the antivirus condition or posture of endpoint systems or clients before granting the devices
network access. With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
checks the antivirus condition or posture of endpoint systems or clients before granting the devices
network access. With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
•
Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute[29]) from the authentication server.
RADIUS attribute (Attribute[29]) from the authentication server.
•
Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
•
Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
•
View the NAC posture token, which shows the posture of the client, by using the show dot1x
privileged EXEC command.
privileged EXEC command.
•
Configure secondary private VLANs as guest VLANs.
Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based
authentication except that you must configure a posture token on the RADIUS server. For information
about configuring NAC Layer 2 IEEE 802.1x validation, see the
authentication except that you must configure a posture token on the RADIUS server. For information
about configuring NAC Layer 2 IEEE 802.1x validation, see the
and the
.
For more information about NAC, see the Network Admission Control Software Configuration Guide.
Using Multidomain Authentication
The switch supports multidomain authentication (MDA), which allows both a data device and voice
device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is
divided into a data domain and a voice domain.
device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is
divided into a data domain and a voice domain.
MDA does not enforce the order of device authentication. However, for best results, we recommend that
a voice device is authenticated before a data device on an MDA-enabled port.
a voice device is authenticated before a data device on an MDA-enabled port.
Follow these guidelines for configuring MDA:
•
To configure a switch port for MDA, see the
.
•
You must configure the voice VLAN for the IP phone when the host mode is set to multidomain. For
more information, see
more information, see
•
Voice VLAN assignment on an MDA-enabled port is supported.
Note
If you use a dynamic VLAN to assign a voice VLAN on an MDA-enabled switch port, the voice
device fails authorization.
device fails authorization.
•
To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value
(AV) pair attribute with a value of
(AV) pair attribute with a value of
device-traffic-class=voice
. Without this value, the switch
treats the voice device as a data device.
•
The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled
port. The switch treats a voice device that fails authorization as a data device.
port. The switch treats a voice device that fails authorization as a data device.