Network Admission Control Layer 2 Ieee 802.1X Validation; Flexible Authentication Ordering - Cisco Catalyst 2960-X Security Configuration Manual

Configuring IEEE 802.1x Port-Based Authentication
• Private VLAN—You can assign a client to a private VLAN.
• Network Edge Access Topology (NEAT)—MAB and NEAT are mutually exclusive. You cannot enable
Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages

Network Admission Control Layer 2 IEEE 802.1x Validation

The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks
the antivirus condition or posture of endpoint systems or clients before granting the devices network access.
With NAC Layer 2 IEEE 802.1x validation, you can do these tasks:
• Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
• Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
• Set the action to be taken when the switch tries to re-authenticate the client by using the
• Set the list of VLAN number or name or VLAN group name as the value of the Tunnel Group Private
• View the NAC posture token, which shows the posture of the client, by using the show authentication
• Configure secondary private VLANs as guest VLANs.
Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based
authentication except that you must configure a posture token on the RADIUS server.

Flexible Authentication Ordering

You can use flexible authentication ordering to configure the order of methods that a port uses to authenticate
a new host. The IEEE 802.1X Flexible Authentication feature supports three authentication methods:
• dot1X—IEEE 802.1X authentication is a Layer 2 authentication method.
• mab—MAC-Authentication Bypass is a Layer 2 authentication method.
• webauth—Web authentication is a Layer 3 authentication method.
Using this feature, you can control which ports use which authentication methods, and you can control the
failover sequencing of methods on those ports. For example, MAC authentication bypass and 802.1x can be
the primary or secondary authentication methods, and web authentication can be the fallback method if either
or both of those authentication attempts fail.
The IEEE 802.1X Flexible Authentication feature supports the following host modes:
OL-29048-01
MAB when NEAT is enabled on an interface, and you cannot enable NEAT when MAB is enabled on
an interface.
attribute (Attribute[29]) from the authentication server.
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS server.
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
ID (Attribute[81]) and the preference for the VLAN number or name or VLAN group name as the value
of the Tunnel Preference (Attribute[83]). If you do not configure the Tunnel Preference, the first Tunnel
Group Private ID (Attribute[81]) attribute is picked up from the list.
privileged EXEC command.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
Network Admission Control Layer 2 IEEE 802.1x Validation
291