Cisco Systems 3560 Manual De Usuario
10-24
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
•
Private VLAN—You can assign a client to a private VLAN.
•
Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an 802.1x
port is authenticated with MAC authentication bypass, including hosts in the exception list.
port is authenticated with MAC authentication bypass, including hosts in the exception list.
For more configuration information, see the
.
Network Admission Control Layer 2 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 802.1x validation, which checks
the antivirus condition or posture of endpoint systems or clients before granting the devices network
access. With NAC Layer 2 802.1x validation, you can do these tasks:
the antivirus condition or posture of endpoint systems or clients before granting the devices network
access. With NAC Layer 2 802.1x validation, you can do these tasks:
•
Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute[29]) from the authentication server.
RADIUS attribute (Attribute[29]) from the authentication server.
•
Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
•
Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
•
View the NAC posture token, which shows the posture of the client, by using the show
authentication or show dot1x privileged EXEC command.
authentication or show dot1x privileged EXEC command.
•
Configure secondary private VLANs as guest VLANs.
Configuring NAC Layer 2 802.1x validation is similar to configuring 802.1x port-based authentication
except that you must configure a posture token on the RADIUS server. For information about
configuring NAC Layer 2 802.1x validation, see the
except that you must configure a posture token on the RADIUS server. For information about
configuring NAC Layer 2 802.1x validation, see the
and the
.
For more information about NAC, see the Network Admission Control Software Configuration Guide.
For more configuration information, see the
.
Flexible Authentication Ordering
You can use flexible authentication ordering to configure the order of methods that a port uses to
authenticate a new host. MAC authentication bypass and 802.1x can be the primary or secondary
authentication methods, and web authentication can be the fallback method if either or both of those
authentication attempts fail. For more information see the
authenticate a new host. MAC authentication bypass and 802.1x can be the primary or secondary
authentication methods, and web authentication can be the fallback method if either or both of those
authentication attempts fail. For more information see the
.