Supplicant And Authenticator Switches With Network Edge Access Topology; (Neat) - Cisco Catalyst 2960-XR Security Configuration Manual

Configuring IEEE 802.1x Port-Based Authentication
• To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV)
• The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled port.
• If more than one device attempts authorization on either the voice or the data domain of a port, it is error
• Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed
• A voice device MAC address that is binding on the data VLAN is not counted towards the port security
• You can use dynamic VLAN assignment from a RADIUS server only for data devices.
• MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect
• When a data or a voice device is detected on a port, its MAC address is blocked until authorization
• If more than five devices are detected on the data VLAN or more than one voice device is detected on
• When a port host mode is changed from single- or multihost to multidomain mode, an authorized data
• Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port
• Switching a port host mode from multidomain to single- or multihost mode removes all authorized
• If a data domain is authorized first and placed in the guest VLAN, non-IEEE 802.1x-capable voice
• We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a per-user
802.1x Supplicant and Authenticator Switches with Network Edge Access
Topology (NEAT)
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet (such
as conference rooms). This allows any type of device to authenticate on the port.
• 802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by using
OL-29434-01
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)
pair attribute with a value of device-traffic-class=voice. Without this value, the switch treats the voice
device as a data device.
The switch treats a voice device that fails authorization as a data device.
disabled.
into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server
to obtain an IP address and acquire the voice VLAN information. After the voice device starts sending
on the voice VLAN, its access to the data VLAN is blocked.
MAC address limit.
to devices that do not support IEEE 802.1x authentication.
succeeds. If the authorization fails, the MAC address remains blocked for 5 minutes.
the voice VLAN while a port is unauthorized, the port is error disabled.
device remains authorized on the port. However, a Cisco IP phone that has been allowed on the port
voice VLAN is automatically removed and must be reauthenticated on that port.
changes from single- or multihost mode to multidomain mode.
devices from the port.
devices need to tag their packets on the voice VLAN to trigger authentication.
ACL policy might impact traffic on both the voice and data VLANs of the port. If used, only one device
on the port should enforce per-user ACLs.
the 802.1x supplicant feature. This configuration is helpful in a scenario, where, for example, a switch
is outside a wiring closet and is connected to an upstream switch through a trunk port. A switch configured
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
241