9-30
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
OL-12247-04
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
•
If a data domain is authorized first and placed in the guest VLAN, non-802.1x-capable voice devices
need to tag their packets on the voice VLAN to trigger authentication.
•
We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a
per-user ACL policy might impact traffic on both the voice and data VLANs of the port. If used,
only one device on the port should enforce per-user ACLs.
Voice Aware 802.1x Security
You use the voice aware 802.1x security feature to configure the switch to disable only the VLAN on
which a security violation occurs, whether it is a data or voice VLAN. In previous releases, when an
attempt to authenticate the data client caused a security violation, the entire port shut down, resulting in
a complete loss of connectivity.
You can use this feature in IP phone deployments where a PC is connected to the IP phone. A security
violation found on the data VLAN results in the shutdown of only the data VLAN. The traffic on the
voice VLAN flows through the switch without interruption.
For information on configuring voice aware 802.1x security, see the
“Configuring Voice Aware 802.1x
Security” section on page 9-40
.
802.1x Supplicant and Authenticator Switches with Network Edge Access
Topology (NEAT)
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet
(such as conference rooms). This allows any type of device to authenticate on the port.
•
802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by
using the 802.1x supplicant feature. This configuration is helpful in a scenario, where, for example,
a switch is outside a wiring closet and is connected to an upstream switch through a trunk port. A
switch configured with the 802.1x switch supplicant feature authenticates with the upstream switch
for secure connectivity.
Once the supplicant switch authenticates successfully the port mode changes from access to trunk.
•
If the access VLAN is configured on the authenticator switch, it becomes the native VLAN for the
trunk port after successful authentication.
You can enable MDA or multiauth mode on the authenticator switch interface that connects to one more
supplicant switches. Multihost mode is not supported on the authenticator switch interface.
Use the
dot1x supplicant force-multicast
global configuration command on the supplicant switch for
Network Edge Access Topology (NEAT) to work in all host modes.
•
Host Authorization: Ensures that only traffic from authorized hosts (connecting to the switch with
supplicant) is allowed on the network. The switches use Client Information Signalling Protocol
(CISP) to send the MAC addresses connecting to the supplicant switch to the authenticator switch,
as shown in
.
•
Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing
user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as
device-traffic-class=switch
at the ACS. (You can configure this under the
group
or the
user
settings.)