Deployment - Cisco Catalyst 4500 series Administration Manual

About 802.1X Port-Based Authentication
Scenario Three
In this scenario, a hub is connected to an access port in open mode, and the port is configured with an
access VLAN (V0).
The host (H1) is assigned to VLAN (V1) through the hub, so the operational VLAN of the port is changed
to V1. When a second host (H2) is connected and remains unauthorized, it still has access to the operational
VLAN (V1) because the port is in open mode.
If host H1 logs out or its session is removed for some reason, VLAN (V1) is removed from the
port and host (H2) is assigned to VLAN (V0).
Note
The combination of open mode and VLAN assignment has an adverse effect on host (H2) because it has
an IP address in the subnet that corresponds to VLAN (V1), but it is now placed in VLAN (V0).
Limitation in Multi-Authentication Per User VLAN Assignment
In the Multi-Auth Per User VLAN Assignment feature, egress traffic from multiple VLANs is untagged
on a port, so the hosts receive traffic that is not meant for them. This can be a problem with broadcast
and multicast traffic:
- IPv4 ARPs: Hosts receive Address Resolution Protocol (ARP) packets from other subnets. This is a
  problem if two subnets in different Virtual Routing and Forwarding (VRF) tables with overlapping
  IP address ranges are active on the port. The host ARP cache may get invalid entries.
- IPv6 Control Packets: In IPv6 deployments, Router Advertisements (RA) are processed by hosts that
  are not supposed to receive them. When a host from one VLAN receives an RA from a different VLAN,
  the host assigns an incorrect IPv6 address to itself. Such a host is unable to get access to the network.
  The workaround is to enable IPv6 first hop security so that broadcast ICMPv6 packets are
  converted to unicast before they are sent out from multi-auth enabled ports. The packet is replicated for
  each client on the multi-auth port belonging to the VLAN, and the destination MAC is set to that
  individual client. On ports with only one VLAN, ICMPv6 packets are broadcast normally.
- IP Multicast: Multicast traffic destined to a multicast group is replicated for different VLANs if
  the hosts on those VLANs join the multicast group. When two hosts in different VLANs join a
  multicast group (on the same multi-auth port), two copies of each multicast packet are sent out from
  that port.
802.1X Supplicant and Authenticator Switches with Network Edge Access Topology
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet
(such as conference rooms).
You can enable any authentication host mode on the authenticator switch interface that connects to a
supplicant switch. Once the supplicant switch authenticates successfully, the port mode changes from
access to trunk. To ensure that NEAT works on all host modes, use the dot1x supplicant force-multicast
global configuration command on the supplicant switch. If the access VLAN is configured on the
authenticator switch, it becomes the native VLAN for the trunk port after successful authentication.
Note
MAB is not supported or recommended for use with NEAT. Only use 802.1X to authenticate the
supplicant switch.
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
46-26
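A minimal NEAT configuration for the authenticator and supplicant switches described above, written as an added example rather than taken from this guide; the interface names, VLAN number, credential name, username and password are assumed values, and the RADIUS server definition on the authenticator is omitted.

```cisco
! Authenticator switch (added example; interface, VLAN and AAA details are assumed)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
! CISP carries the supplicant switch's authentication state across the link
cisp enable
interface gigabitethernet1/1
 switchport mode access
 ! becomes the native VLAN of the trunk after the supplicant switch authenticates
 switchport access vlan 10
 ! any host mode may be used here; MAB is deliberately not configured
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast trunk

! Supplicant switch (added example; credential values are placeholders)
cisp enable
dot1x credentials NEAT-CRED
 username suppswitch
 password EXAMPLE-PASSWORD
! required so that NEAT works with every host mode on the authenticator
dot1x supplicant force-multicast
interface gigabitethernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-CRED
```

After the supplicant authenticates, verify on the authenticator with show authentication sessions interface gigabitethernet1/1 and show interfaces gigabitethernet1/1 switchport that the session is authorized and the port now operates as a trunk.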
Chapter 46
Configuring 802.1X Port-Based Authentication
OL_28731-01