802.1X Identity-Based Network Security - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Chapter 1
Product Overview

OL-25340-01

Port Security, page 1-36
PPPoE Intermediate Agent, page 1-36
Storm Control, page 1-36
uRPF Strict Mode, page 1-37
Utilities, page 1-37
Web-based Authentication, page 1-38

802.1X Identity-Based Network Security

This security feature consists of the following:
802.1X Authentication for Guest VLANs—Allows you to use VLAN assignment to limit network access for certain users.
802.1X Authentication Failed Open Assignment—Allows you to configure a switch to handle the case when a device fails to authenticate itself correctly through 802.1X (for example, by not providing the correct password).
802.1X Authentication with ACL Assignment—Downloads per-host policies such as ACLs and redirect URLs to the switch from the RADIUS server during 802.1X or MAB authentication of the host.
802.1X Authentication with Per-User ACL and Filter-ID ACL—Allows ACL policy enforcement using a third-party AAA server.
802.1X Convergence—Provides consistency between the switching business units in 802.1X configuration and implementation.
802.1X Protocol—Provides a means for a host that is connected to a switch port to be authenticated before it is given access to the switch services.
802.1X RADIUS Accounting—Allows you to track the use of network devices.
802.1X Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)—Extends identity to areas outside the wiring closet (such as conference rooms). NEAT is designed for deployment scenarios where a switch acting as an 802.1X authenticator to end hosts (PCs or Cisco IP phones) is placed in an unsecured location (outside the wiring closet); the authenticator switch cannot always be trusted.
802.1X with Authentication Failed VLAN Assignment—Allows you to provide access for authentication-failed users on a per-port basis. Authentication-failed users are end hosts that are 802.1X-capable but do not have valid credentials in an authentication server, or end hosts that do not give any username and password combination in the authentication pop-up window on the user side.
802.1X with Inaccessible Authentication Bypass—Applies when the AAA servers are unreachable or nonresponsive. In this situation, 802.1X user authentication typically fails with the port closed, and the user is denied access. Inaccessible Authentication Bypass provides a configurable alternative on the Catalyst 4500 series switch to grant a critical port network access in a locally specified VLAN.
802.1X with Port Security—Allows port security on an 802.1X port in either single- or multiple-host mode. When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port, including that of the client.
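
As an added example (not code from the Cisco guide), this Python script audits a switch configuration and reports, for each port that enforces 802.1X, which of the fallback features above (guest VLAN, authentication failed VLAN, Inaccessible Authentication Bypass) and port security are configured. The sample configuration, interface names and VLAN IDs are constructed; the `authentication event ...` interface commands come from IOS and do not appear on this page.

```python
import re

# Constructed sample config, not from the guide: interface names and VLAN IDs
# are assumptions; the "authentication event" lines are IOS interface commands.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/1
 authentication port-control auto
 dot1x pae authenticator
 authentication event no-response action authorize vlan 20
 authentication event fail retry 2 action authorize vlan 30
 authentication event server dead action authorize vlan 40
 switchport port-security maximum 2
interface GigabitEthernet2/2
 authentication port-control auto
 dot1x pae authenticator
interface GigabitEthernet2/3
 switchport mode access
"""

# Fallback feature -> the "authentication event" keyword that triggers it.
FALLBACKS = {
    "guest_vlan": "no-response",     # host never answers EAPOL
    "auth_fail_vlan": "fail",        # supplicant present, credentials rejected
    "critical_vlan": "server dead",  # Inaccessible Authentication Bypass
}

def audit_dot1x_ports(config: str) -> dict:
    """Return {interface: {feature: VLAN or None}} for 802.1X-enforcing ports."""
    report = {}
    for stanza in re.split(r"(?m)^(?=interface )", config):
        lines = stanza.splitlines()
        if not lines or not lines[0].startswith("interface "):
            continue
        name = lines[0].split(None, 1)[1]
        body = [line.strip() for line in lines[1:]]
        if "authentication port-control auto" not in body:
            continue  # port does not enforce 802.1X, nothing to audit
        entry = {}
        for feature, event in FALLBACKS.items():
            pat = re.compile(
                rf"authentication event {event}(?: retry \d+)? action authorize vlan (\d+)$")
            hits = [m.group(1) for m in map(pat.match, body) if m]
            entry[feature] = int(hits[0]) if hits else None
        entry["port_security"] = any(l.startswith("switchport port-security") for l in body)
        report[name] = entry
    return report

if __name__ == "__main__":
    for port, entry in audit_dot1x_ports(SAMPLE_CONFIG).items():
        print(port, entry)
```

A port reported with `critical_vlan` set to `None` has no Inaccessible Authentication Bypass, so it falls under the default case described above: authentication fails with the port closed when the AAA servers are unreachable.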
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Security Features
1-31
