Table of Contents
Advertisement
Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Set the action to be taken when the switch tries to reauthenticate the client by using the Termination-Action RADIUS
attribute (Attribute[29]). If the value is the DEFAULT or is not set, the session ends. If the value is RADIUS-Request,
the reauthentication process starts.
Set the list of VLAN number or name or VLAN group name as the value of the Tunnel Group Private ID (Attribute[81])
and the preference for the VLAN number or name or VLAN group name as the value of the Tunnel Preference
(Attribute[83]). If you do not configure the Tunnel Preference, the first Tunnel Group Private ID (Attribute[81])
attribute is picked up from the list.
View the NAC posture token, which shows the posture of the client, by using the show authentication privileged
EXEC command.
Configure secondary private VLANs as guest VLANs.
Configuring NAC Layer 2 802.1x validation is similar to configuring 802.1x port-based authentication except that you
must configure a posture token on the RADIUS server. For information about configuring NAC Layer 2 802.1x validation,
see
Configuring NAC Layer 2 802.1x Validation, page 229
For more information about NAC, see the Network Admission Control Software Configuration Guide.
For more configuration information, see
Flexible Authentication Ordering
You can use flexible authentication ordering to configure the order of methods that a port uses to authenticate a new
host. MAC authentication bypass and 802.1x can be the primary or secondary authentication methods, and web
authentication can be the fallback method if either or both of those authentication attempts fail. For the configuration
commands, see
Configuring Optional 802.1x Authentication Features, page 224
Open1x Authentication
Open1x authentication allows a device access to a port before that device is authenticated. When open authentication
is configured, a new host can pass traffic according to the access control list (ACL) defined on the port. After the host
is authenticated, the policies configured on the RADIUS server are applied to that host.
You can configure open authentication with these scenarios:
Single-host mode with open authentication—Only one user is allowed network access before and after
authentication.
MDA mode with open authentication—Only one user in the voice domain and one user in the data domain are allowed.
Multiple-hosts mode with open authentication—Any host can access the network.
Multiple-authentication mode with open authentication—Similar to MDA, except multiple hosts can be authenticated.
For more information see
Note:
If open authentication is configured, it takes precedence over other authentication controls. This means that if you
use the authentication open interface configuration command, the port will grant access to the host irrespective of the
authentication port-control interface configuration command.
802.1x Supplicant and Authenticator Switches with Network Edge Access
Topology (NEAT)
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet (such as
conference rooms). This allows any type of device to authenticate on the port.
Authentication Manager, page
Configuring the Host Mode, page 222.
and the
Configuring Periodic Reauthentication, page
194.
212
223.
- Quick Links:
- Configuration Overview
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
