Cisco Catalyst 3560-X Software Configuration Manual page 321

Chapter 1 Configuring IEEE 802.1x Port-Based Authentication
802.1x Supplicant and Authenticator Switches with Network Edge Access
Topology (NEAT)
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet
(such as conference rooms). This allows any type of device to authenticate on the port.
•
•
NEAT can control traffic exiting the supplicant switch port during the authentication period. In the
default state, when you connect a supplicant switch to an authenticator switch that has BPDU guard
enabled, the authenticator port could be error-disabled if it receives Spanning Tree Protocol (STP) bridge
protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco
IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication
period. Entering the dot1x supplicant controlled transient global configuration command temporarily
blocks the supplicant port during authentication to ensure that the authenticator port does not shut down
before authentication completes. If authentication fails, the supplicant port opens. Entering the no dot1x
supplicant controlled transient global configuration command opens the supplicant port during the
authentication period. This is the default behavior.
We strongly recommend using the dot1x supplicant controlled transient command on a supplicant
switch when BPDU guard is enabled on the authenticator switch port with the spanning-tree
bpduguard enable interface configuration command.
Note If you globally enable BPDU guard on the authenticator switch by using the spanning-tree portfast
bpduguard default global configuration command, entering the dot1x supplicant controlled transient
command does not prevent the BPDU violation.
You can enable MDA or multiauth mode on the authenticator switch interface that connects to a
supplicant switch. Multihost mode is not supported on the authenticator switch interface.
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch for
Network Edge Access Topology (NEAT) to work in all host modes.
•
•
OL-25303-03
802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by
using the 802.1x supplicant feature. This configuration is helpful in a scenario, where, for example,
a switch is outside a wiring closet and is connected to an upstream switch through a trunk port. A
switch configured with the 802.1x switch supplicant feature authenticates with the upstream switch
for secure connectivity. Once the supplicant switch authenticates successfully the authenticator
switch port mode changes from access to trunk.
If the access VLAN is configured on the authenticator switch, it becomes the native VLAN for the
trunk port after successful authentication.
Host Authorization: Ensures that only traffic from authorized hosts (connecting to the switch with
supplicant) is allowed on the network. The switches use Client Information Signalling Protocol
(CISP) to send the MAC addresses connecting to the supplicant switch to the authenticator switch,
as shown in Figure 1-6.
Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing
user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as
device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
Understanding IEEE 802.1x Port-Based Authentication
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-33