Using Network Admission Control Layer 2 Ieee 802.1X Validation; Using Web Authentication - Cisco IE 3000 Software Configuration Manual
Hide thumbs
Also See for IE 3000:
- Hardware installation manual (186 pages) ,
- Getting started manual (32 pages) ,
- Software configuration manual (874 pages)
Table of Contents
Advertisement
Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
MAC authentication bypass interacts with the features:
•
•
•
•
•
•
•
Using Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which
checks the antivirus condition or posture of endpoint systems or clients before granting the devices
network access. With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
•
•
•
•
•
Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based
authentication except that you must configure a posture token on the RADIUS server. For information
about configuring NAC Layer 2 IEEE 802.1x validation, see the
Validation" section on page 10-38
page
For more information about NAC, see the Network Admission Control Software Configuration Guide.
Using Web Authentication
You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality. This
feature can authenticate up to eight users on the same shared port and apply the appropriate policies for
each end host on a shared port.
OL-13018-01
IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x
authentication is enabled on the port.
Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a
guest VLAN if one is configured.
Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.lx port
is authenticated with MAC authentication bypass.
Port security—See the
"Using IEEE 802.1x Authentication with Port Security" section on
page
10-15.
Voice VLAN—See the
"Using IEEE 802.1x Authentication with Voice VLAN Ports" section on
page
10-14.
VLAN Membership Policy Server (VMPS)—IEEE802.1x and VMPS are mutually exclusive.
Private VLAN—You can assign a client to a private VLAN.
Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action
RADIUS attribute (Attribute[29]) from the authentication server.
Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS
server.
Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
View the NAC posture token, which shows the posture of the client, by using the show dot1x
privileged EXEC command.
Configure secondary private VLANs as guest VLANs.
10-26.
Understanding IEEE 802.1x Port-Based Authentication
and the
"Configuring Periodic Re-Authentication" section on
Cisco IE 3000 Switch Software Configuration Guide
"Configuring NAC Layer 2 IEEE 802.1x
10-17
Advertisement
Chapters
Table of Contents
Troubleshooting
