Flexible Authentication Ordering; Open1X Authentication - Cisco Catalyst 3750-E Software Configuration Manual

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
•
For more configuration information, see the
Cisco IOS Release 12.2(55)SE and later supports filtering of MAB system messages. See the
"Authentication Manager CLI Commands" section on page
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which
checks the antivirus condition or posture of endpoint systems or clients before granting the devices
network access. With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
•
•
•
•
•
Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based
authentication except that you must configure a posture token on the RADIUS server. For information
about configuring NAC Layer 2 IEEE 802.1x validation, see the
Validation" section on page 10-59
page
For more information about NAC, see the Network Admission Control Software Configuration Guide.
For more configuration information, see the

Flexible Authentication Ordering

You can use flexible authentication ordering to configure the order of methods that a port uses to
authenticate a new host. MAC authentication bypass and 802.1x can be the primary or secondary
authentication methods, and web authentication can be the fallback method if either or both of those
authentication attempts fail. For more information see the
Ordering" section on page

Open1x Authentication

Open1x authentication allows a device access to a port before that device is authenticated. When open
authentication is configured, a new host on the port can only send traffic to the switch. After the host is
authenticated, the policies configured on the RADIUS server are applied to that host.
OL-9775-08
Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an
IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception
list.
Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute[29]) from the authentication server.
Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
View the NAC posture token, which shows the posture of the client, by using the show dot1x
privileged EXEC command.
Configure secondary private VLANs as guest VLANs.
10-45.
10-65.
Understanding IEEE 802.1x Port-Based Authentication
"Authentication Manager" section on page
10-9.
and the "Configuring Periodic Re-Authentication" section on
"Authentication Manager" section on page
"Configuring Flexible Authentication
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
10-8.
"Configuring NAC Layer 2 IEEE 802.1x
10-8.
10-29