Cisco Catalyst 2960-X Security Configuration Manual page 40

Security Features Overview
• TACACS+, a proprietary feature for managing network security through a TACACS server for both
IPv4 and IPv6.
• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through
authentication, authorization, and accounting (AAA) services for both IPv4 and IPv6.
• Enhancements to RADIUS, TACACS+, and SSH to function over IPv6.
• Secure Socket Layer (SSL) Version 3.0 support for the HTTP 1.1 server authentication, encryption, and
message integrity and HTTP client authentication to allow secure HTTP communications (requires the
cryptographic version of the software).
• IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute.
• Support for IP source guard on static hosts.
• RADIUS Change of Authorization (CoA) to change the attributes of a certain session after it is
authenticated. When there is a change in policy for a user or user group in AAA, administrators can send
the RADIUS CoA packets from the AAA server, such as Cisco Identity Services Engine, or Cisco Secure
ACS to reinitialize authentication, and apply to the new policies.
• IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to
improve scalability of the network by load balancing users across different VLANs. Authorized users
are assigned to the least populated VLAN in the group, assigned by RADIUS server.
• Support for critical VLAN with multiple-host authentication so that when a port is configured for
multi-auth, and an AAA server becomes unreachable, the port is placed in a critical VLAN in order to
still permit access to critical resources.
• Support for Network Edge Access Topology (NEAT) to change the port host mode and to apply a
standard port configuration on the authenticator switch port.
• VLAN-ID based MAC authentication to use the combined VLAN and MAC address information for
user authentication to prevent network access from unauthorized VLANs.
• MAC move to allow hosts (including the hosts connected behind an IP phone) to move across ports
within the same switch without any restrictions to enable mobility. With MAC move, the switch treats
the reappearance of the same MAC address on another port in the same way as a completely new MAC
address.
• Support for 3DES and AES with version 3 of the Simple Network Management Protocol (SNMPv3).
This release adds support for the 168-bit Triple Data Encryption Standard (3DES) and the 128-bit,
192-bit, and 256-bit Advanced Encryption Standard (AES) encryption algorithms to SNMPv3.
• Support for Cisco TrustSec SXP protocol in LAN Base image only.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
16
◦ Support for dynamic creation or attachment of an auth-default ACL on a port that has no configured
static ACLs.
To use this feature, the switch must be running the LAN Base image.
Note
◦ Flexible-authentication sequencing to configure the order of the authentication methods that a port
tries when authenticating a new host.
◦ Multiple-user authentication to allow more than one host to authenticate on an 802.1x-enabled
port.
Security Features Overview
OL-29048-01