Cisco Catalyst 2960 Software Configuration Manual page 302
Hide thumbs
Also See for Catalyst 2960:
- Configuration manual (2288 pages) ,
- Command reference manual (800 pages) ,
- Hardware installation manual (108 pages)
Table of Contents
Advertisement
Understanding IEEE 802.1x Port-Based Authentication
In the default state, when you connect a supplicant switch to an authenticator switch that has BPDU
guard enabled, the authenticator port could be error-disabled if it receives a Spanning Tree Protocol
(STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated.
Beginning with Cisco IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during
the authentication period. Entering the dot1x supplicant controlled transient global configuration
command temporarily blocks the supplicant port during authentication to ensure that the authenticator
port does not shut down before authentication completes. If authentication fails, the supplicant port
opens. Entering the no dot1x supplicant controlled transient global configuration command opens the
supplicant port during the authentication period. This is the default behavior.
We strongly recommend using the dot1x supplicant controlled transient command on a supplicant
switch when BPDU guard is enabled on the authenticator switch port with the spanning-tree
bpduguard enable interface onfiguration command.
If you globally enable BPDU guard on the authenticator switch by using the spanning-tree portfast
Note
bpduguard default global configuration command, entering the dot1x supplicant controlled transient
command does not prevent the BPDU violation.
You can enable MDA or multiauth mode on the authenticator switch interface that connects to one more
supplicant switches. Multihost mode is not supported on the authenticator switch interface.
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch for
Network Edge Access Topology (NEAT) to work in all host modes.
•
Host Authorization: Ensures that only traffic from authorized hosts (connecting to the switch with
supplicant) is allowed on the network. The switches use Client Information Signalling Protocol
(CISP) to send the MAC addresses connecting to the supplicant switch to the authenticator switch,
as shown in
Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing
•
user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as
device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
Figure 10-6
1
1
Workstations (clients)
3
Authenticator switch
5
Trunk port
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
10-34
Figure
10-6.
Authenticator and Supplicant Switch using CISP
2
5
Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
4
3
2
Supplicant switch (outside wiring closet)
4
Access control server (ACS)
OL-26520-01
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
