Network Admission Control Layer 2 802.1X Validation; Flexible Authentication Ordering; Open1X Authentication - Cisco Catalyst 2960 Software Configuration Manual
Hide thumbs
Also See for Catalyst 2960:
- Configuration manual (2288 pages) ,
- Command reference manual (800 pages) ,
- Hardware installation manual (108 pages)
Table of Contents
Advertisement
Understanding IEEE 802.1x Port-Based Authentication
Network Admission Control Layer 2 802.1x Validation
To use Network Admission Control, the switch must be running the LAN base image.
Note
The switch supports the Network Admission Control (NAC) Layer 2 802.1x validation, which checks
the antivirus condition or posture of endpoint systems or clients before granting the devices network
access. With NAC Layer 2 802.1x validation, you can do these tasks:
•
•
•
•
•
•
Configuring NAC Layer 2 802.1x validation is similar to configuring 802.1x port-based authentication
except that you must configure a posture token on the RADIUS server. For information about
configuring NAC Layer 2 802.1x validation, see the
section on page 10-60
For more information about NAC, see the Network Admission Control Software Configuration Guide.
For more configuration information, see the
Flexible Authentication Ordering
You can use flexible authentication ordering to configure the order of methods that a port uses to
authenticate a new host. MAC authentication bypass and 802.1x can be the primary or secondary
authentication methods, and web authentication can be the fallback method if either or both of those
authentication attempts fail. For more information see the
Ordering" section on page
Open1x Authentication
Open1x authentication allows a device to access a port before that device is authenticated. When open
authentication is configured, a new host can pass traffic according to the access control list (ACL)
defined on the port. After the host is authenticated, the policies configured on the RADIUS server are
applied to that host.
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
10-32
Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute[29]) from the authentication server.
Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
Set the list of VLAN number or name or VLAN group name as the value of the Tunnel Group Private
ID (Attribute[81]) and the preference for the VLAN number or name or VLAN group name as the
value of the Tunnel Preference (Attribute[83]). If you do not configure the Tunnel Preference, the
first Tunnel Group Private ID (Attribute[81]) attribute is picked up from the list.
View the NAC posture token, which shows the posture of the client, by using the show
authentication or show dot1x privileged EXEC command.
Configure secondary private VLANs as guest VLANs.
and the
10-66.
Chapter 10
"Configuring NAC Layer 2 802.1x Validation"
"Configuring Periodic Re-Authentication" section on page
"Authentication Manager" section on page
Configuring IEEE 802.1x Port-Based Authentication
"Configuring Flexible Authentication
10-48.
10-7.
OL-26520-01
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
