Voice Aware 802.1X Security - Cisco Catalyst 2960-X Security Configuration Manual

Configuring IEEE 802.1x Port-Based Authentication
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch for Network
Edge Access Topology (NEAT) to work in all host modes.
• Host Authorization: Ensures that only traffic from authorized hosts (connecting to the switch with
• Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user
1
3
5
The switchport nonegotiate command is not supported on supplicant and authenticator switches with
Note
NEAT. This command should not be configured at the supplicant side of the topology. If configured on
the authenticator side, the internal macros will automatically remove this command from the port.

Voice Aware 802.1x Security

To use voice aware IEEE 802.1x authentication, the switch must be running the LAN base image.
Note
You use the voice aware 802.1x security feature to configure the switch to disable only the VLAN on which
a security violation occurs, whether it is a data or voice VLAN. In previous releases, when an attempt to
authenticate the data client caused a security violation, the entire port shut down, resulting in a complete loss
of connectivity.
OL-29048-01
supplicant) is allowed on the network. The switches use Client Information Signalling Protocol (CISP)
to send the MAC addresses connecting to the supplicant switch to the authenticator switch.
traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as
device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
Figure 22: Authenticator and Supplicant Switch using CISP
Workstations (clients)
Authenticator switch
Trunk port
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
Voice Aware 802.1x Security
2 Supplicant switch (outside
wiring closet)
4 Access control server (ACS)
295