30
Enhancements in Release F.05.05 through F.05.70
Enhancements in Release F.05.05 through F.05.60
General Features
802.1X on the Series 2500 switches includes the following:
■ Switch operation as both an authenticator (for supplicants having a point-to-point connec-
tion to the switch) and as a supplicant for point-to-point connections to other 802.1X-aware
switches.
• Authentication of 802.1X clients using a RADIUS server and either the EAP or CHAP
protocol.
• Provision for enabling clients that do not have 802.1 supplicant software to use the
switch as a path for downloading the software and initiating the authentication process
(802.1X Open VLAN mode).
• Supplicant implementation using CHAP authentication and independent username and
password configuration on each port.
■ Prevention of traffic flow in either direction on unauthorized ports.
■ Local authentication of 802.1X clients using the switch’s local username and password (as
an alternative to RADIUS authentication).
■ Temporary on-demand change of a port’s VLAN membership status to support a current
client’s session. (This does not include ports that are members of a trunk.)
■ Session accounting with a RADIUS server, including the accounting update interval.
■ Use of Show commands to display session counters.
■ With port-security enabled for port-access control, limit a port to one 802.1X client session
at a given time.
Authenticating Users. Port-Based Access Control (802.1X) provides switch-level security that
allows LAN access only to users who enter the authorized RADIUS username and password on
802.1X-capable clients (supplicants). This simplifies security management by allowing you to control
access from a master database in a single server (although you can use up to three RADIUS servers
to provide backups in case access to the primary server fails). It also means a user can enter the same
username and password pair for authentication, regardless of which switch is the access point into
the LAN. Note that you can also configure 802.1X for authentication through the switch’s local
username and password instead of a RADIUS server, but doing so increases the administrative
burden, decentralizes username/password administration, and reduces security by limiting authen-
tication to one Operator/Manager password set for all users.
Providing a Path for Downloading 802.1X Supplicant Software. For clients that do not have
the necessary 802.1X supplicant software, there is also the option to configure the 802.1X Open VLAN
mode. This mode allows you to assign such clients to an isolated VLAN through which you can provide
the necessary supplicant software these clients need to begin the authentication process. (Refer to
“802.1X Open VLAN Mode” on page -44.)