Cisco Catalyst 4500 series Administration Manual page 103

Chapter 1 Product Overview
802.1X Supplicant and Authenticator Switches with Network Edge Access Topology
•
(NEAT)—Extends identity to areas outside the wiring closet (such as conference rooms). NEAT is
designed for deployment scenarios where a switch acting as 802.1X authenticator to end-hosts (PC
or Cisco IP-phones) is placed in an unsecured location (outside wiring closet); the authenticator
switch cannot always be trusted.
802.1X with Authentication Failed VLAN Assignment—Allows you to provide access for
•
authentication failed users on a per-port basis. Authentication failed users are end hosts that are
802.1X-capable but do not have valid credentials in an authentication server or end hosts that do not
give any username and password combination in the authentication pop-up window on the user side.
• 802.1X with Inaccessible Authentication Bypass—Applies when the AAA servers are unreachable
or nonresponsive. In this situation, 802.1X user authentication typically fails with the port closed,
and the user is denied access. Inaccessible Authentication Bypass provides a configurable
alternative on the Catalyst 4500 series switch to grant a critical port network access in a locally
specified VLAN.
802.1X with Port Security—Allows port security on an 802.1X port in either single- or multiple-host
•
mode. When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port
security manages the number of MAC addresses allowed on that port, including that of the client.
• 802.1X with MAC Authentication Bypass—Provides network access to agentless devices without
802.1X supplicant capabilities, such as printers. Upon detecting a new MAC address on a switch
port, the Catalyst 4500 series switch will proxy an 802.1X authentication request based on the
device's MAC address.
802.1X with RADIUS-Provided Session Timeouts—Allows you to specify whether a switch uses a
•
locally configured or a RADIUS-provided reauthentication timeout.
802.1X with Unidirectional Controlled Port—Allows the Wake-on-LAN (WoL) magic packets to
•
reach a workstation attached to an unauthorized 802.1X switch port. Unidirectional Controlled Port
is typically used to send operating systems or software updates from a central server to workstations
at night.
• 802.1X with Violation Mode—This feature allows you to configure 802.1X security violation
behavior as either shutdown, restrict, or replace mode, based on the response to the violation.
• 802.1X with VLAN assignment—This feature allows you to enable non-802.1X-capable hosts to
access networks that use 802.1X authentication.
802.1X with VLAN user distribution—An alternative to dynamically assigning a VLAN ID or a
•
VLAN name, this feature assign a VLAN Group name. It enables you to distribute users belonging
to the same group (and characterized by a common VLAN Group name) across multiple VLANs.
Ordinarily, you do this to avoid creating an overly large broadcast domain.
802.1X with Voice VLAN—This feature allows you to use 802.1X security on a port while enabling
•
it to be used by both Cisco IP phones and devices with 802.1X supplicant support.
Multi-Domain Authentication—This feature allows both a data device and a voice device, such as
•
an IP phone (Cisco or non-Cisco), to authenticate on the same switch port, which is divided into a
data domain and a voice domain.
• RADIUS Change of Authorization—This feature employs Change of Authorization (CoA)
extensions defined in RFC 5176 in a push model to allow for the dynamic reconfiguring of sessions
from external authentication, authorization, and accounting (AAA) or policy servers.
For more information on 802.1X identity-based network security, see
Port-Based Authentication."
OL-30933-01
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
Security Features
Chapter 46, "Configuring 802.1X
1-35