Security Features Overview
OL-29048-01
◦ IP phone detection enhancement to detect and recognize a Cisco IP phone.
◦ Guest VLAN to provide limited services to non-802.1x-compliant users.
◦ Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have
the credentials to authenticate via the standard 802.1x processes.
Note
To use authentication with restricted VLANs, the switch must be running the LAN Base
image.
◦ 802.1x accounting to track network usage.
◦ 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a specific
Ethernet frame.
◦ 802.1x readiness check to determine the readiness of connected end hosts before configuring IEEE
802.1x on the switch.
Note
To use 802.1x readiness check, the switch must be running the LAN Base image.
◦ Voice aware 802.1x security to apply traffic violation actions only on the VLAN on which a security
violation occurs.
Note
To use voice aware 802.1x authentication, the switch must be running the LAN Base
image.
◦ MAC authentication bypass (MAB) to authorize clients based on the client MAC address.
Note
To use MAC authentication bypass, the switch must be running the LAN Base image.
◦ Network Admission Control (NAC) Layer 2 802.1x validation of the antivirus condition or posture
of endpoint systems or clients before granting the devices network access.
Note
To use NAC, the switch must be running the LAN Base image.
◦ Network Edge Access Topology (NEAT) with 802.1X switch supplicant, host authorization with
CISP, and auto enablement to authenticate a switch outside a wiring closet as a supplicant to another
switch.
◦ IEEE 802.1x with open access to allow a host to access the network before being authenticated.
◦ IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL
downloads from a Cisco Secure ACS server to an authenticated switch.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX