802.1X Supplicant And Authenticator Switches With Network Edge Access Topology - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

About 802.1X Port-Based Authentication
802.1X Supplicant and Authenticator Switches with Network Edge Access Topology
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet
(such as conference rooms).
You can enable any authentication host mode on the authenticator switch interface that connects to a
supplicant switch. Once the supplicant switch authenticates successfully, the port mode changes from
access to trunk. To ensure that NEAT works on all host modes, use the dot1x supplicant force-multicast
global configuration command on the supplicant switch. If the access VLAN is configured on the
authenticator switch, it becomes the native VLAN for the trunk port after successful authentication.
Note
MAB is not supported or recommended for use with NEAT. Only use 802.1X to authenticate the
supplicant switch.
Note
The Catalyst 4500 series switch only supports authenticator ports.
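An added example, not from the Cisco guide: a Python check over saved running-config text that flags MAB on authenticator ports facing a supplicant switch and confirms that the supplicant switch carries the dot1x supplicant force-multicast global command. The sample configurations, the interface names and the neat_ports list are constructed assumptions.

```python
import re

# Constructed sample configs for illustration; interface names are assumptions.
AUTHENTICATOR_CFG = """\
interface GigabitEthernet1/1
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/2
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
"""
SUPPLICANT_CFG = """\
hostname SSw
interface GigabitEthernet0/1
 dot1x pae supplicant
!
"""

def interfaces(cfg):
    """Map each interface name to the list of its stripped sub-commands."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return blocks

def audit_authenticator(cfg, neat_ports):
    """Return (interface, finding) pairs for ports that face a supplicant switch."""
    found, findings = interfaces(cfg), []
    for name in neat_ports:
        cmds = found.get(name, [])
        if "dot1x pae authenticator" not in cmds:
            findings.append((name, "802.1X authenticator role not enabled"))
        if any(c.split()[:1] == ["mab"] for c in cmds):
            findings.append((name, "MAB enabled; NEAT supports 802.1X only"))
    return findings

def audit_supplicant(cfg):
    """True if the global force-multicast command is present on the supplicant switch."""
    return "dot1x supplicant force-multicast" in [l.strip() for l in cfg.splitlines() if l[:1] != " "]
```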
Deployment
NEAT is intended for deployment scenarios where a switch acting as 802.1X authenticator to end-hosts
(PC or Cisco IP-phones) is placed in an unsecured location (outside wiring closet).
Because of this topology, the authenticator switch cannot always be trusted. For example, compact
switches (8-port Catalyst 3560 and Catalyst 2960) are generally deployed outside the wiring closet. This
allows an attacker to swap such a switch for a rogue device and gain access to the network, compromising
security. An edge switch must therefore be able to authenticate itself against another switch; this is
referred to as Network Edge Authentication Topology (NEAT).
Figure 44-8 illustrates a typical NEAT topology.

Figure 44-8 Typical NEAT Topology
[Figure: Cisco switch SSw at the wall jack in the conference room, with supplicant (EAP-MD5), supplicant to the ASw switch, also acts as 802.1X authenticator to hosts/clients; wiring closet switch ASw, authenticator; campus LAN; RADIUS server (ACS, AAA).]

NEAT facilitates the following functionality in such scenarios:

Chapter 44, Configuring 802.1X Port-Based Authentication. Software Configuration Guide, Release IOS XE 3.3.0SG and IOS 15.1(1)SG, OL-25340-01, page 44-24.
