Filter
Top Products
10-19
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which
checks the antivirus condition or posture of endpoint systems or clients before granting the devices
network access. With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
• Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute[29]) from the authentication server.
• Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
• Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set,
the session ends. If the value is RADIUS-Request, the re-authentication process starts.
• View the NAC posture token, which shows the posture of the client, by using the show dot1x
privileged EXEC command.
• Configure secondary private VLANs as guest VLANs.
Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based
authentication except that you must configure a posture token on the RADIUS server. For information
about configuring NAC Layer 2 IEEE 802.1x validation, see the “Configuring NAC Layer 2 IEEE
802.1x Validation” section on page 10-40 and the “Configuring Periodic Re-Authentication” section on
page 10-29.
For more information about NAC, see the Network Admission Control Software Configuration Guide.
Using Multidomain Authentication
The switch supports multidomain authentication (MDA), which allows both a data device and voice
device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is
divided into a data domain and a voice domain.
MDA does not enforce the order of device authentication. However, for best results, we recommend that
a voice device is authenticated before a data device on an MDA-enabled port.
Follow these guidelines for configuring MDA:
• To configure a switch port for MDA, see the “Configuring the Host Mode” section on page 10-28.
• You must configure the voice VLAN for the IP phone when the host mode is set to multidomain.
For more information, see Chapter 15, “Configuring Voice VLAN.”
Note If you use a dynamic VLAN to assign a voice VLAN on an MDA-enabled switch port, the voice
device fails authorization.
• To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value
(AV) pair attribute with a value of
device-traffic-class=voice. Without this value, the switch
treats the voice device as a data device.
• The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled
port. The switch treats a voice device that fails authorization as a data device.
• If more than one device attempts authorization on either the voice or the data domain of a port, it is
error disabled.