Cisco Catalyst 2960-XR Security Configuration Manual page 38

IOS Release 15.0(2)EX1

Security Features Overview
• TACACS+, a proprietary feature for managing network security through a TACACS server, for both IPv4 and IPv6.
• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through authentication, authorization, and accounting (AAA) services, for both IPv4 and IPv6.
• Enhancements to RADIUS, TACACS+, and SSH to function over IPv6.
• Secure Socket Layer (SSL) Version 3.0 support for HTTP 1.1 server authentication, encryption, and message integrity, and for HTTP client authentication, to allow secure HTTP communications (requires the cryptographic version of the software).
• IEEE 802.1x authentication with ACLs and the RADIUS Filter-Id attribute.
• Support for IP source guard on static hosts.
• RADIUS Change of Authorization (CoA) to change the attributes of a session after it is authenticated. When the policy for a user or user group changes in AAA, administrators can send RADIUS CoA packets from the AAA server, such as Cisco Identity Services Engine or Cisco Secure ACS, to reinitialize authentication and apply the new policies.
• IEEE 802.1x user distribution to allow deployments with multiple VLANs (for a group of users) to improve network scalability by load balancing users across different VLANs. Authorized users are placed in the least populated VLAN in the group, as assigned by the RADIUS server.
• Support for critical VLAN with multiple-host authentication, so that when a port is configured for multi-auth and an AAA server becomes unreachable, the port is placed in a critical VLAN in order to still permit access to critical resources.
• Support for Network Edge Access Topology (NEAT) to change the port host mode and to apply a standard port configuration on the authenticator switch port.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1, page 16

Note: To use NAC, the switch must be running the LAN Base image.
◦ Network Edge Access Topology (NEAT) with 802.1X switch supplicant, host authorization with CISP, and auto enablement to authenticate a switch outside a wiring closet as a supplicant to another switch.
◦ IEEE 802.1x with open access to allow a host to access the network before being authenticated.
◦ IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL downloads from a Cisco Secure ACS server to an authenticated switch.
◦ Support for dynamic creation or attachment of an auth-default ACL on a port that has no configured static ACLs.
Note: To use this feature, the switch must be running the LAN Base image.
◦ Flexible-authentication sequencing to configure the order of the authentication methods that a port tries when authenticating a new host.
◦ Multiple-user authentication to allow more than one host to authenticate on an 802.1x-enabled port.
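As an added example (not text from the guide itself), the following IOS configuration ties several of the features listed above together on one access port: AAA over RADIUS, CoA accepted from the AAA server, flexible-authentication order (802.1x tried before MAB), multi-auth host mode, and a critical VLAN used when the RADIUS server is unreachable. The server address 192.0.2.10, the shared secret, VLANs 10 and 50, and the interface name are assumed placeholders.

```cisco
! Added example configuration (not from the guide); the address, VLANs,
! interface and shared secret are placeholders to replace for your network.
!
! --- AAA over RADIUS: authentication, authorization and accounting for 802.1x ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! --- RADIUS server (placeholder address and key) ---
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME-SHARED-SECRET
!
! --- Accept RADIUS Change of Authorization (CoA) only from the AAA server ---
aaa server radius dynamic-author
 client 192.0.2.10 server-key CHANGE-ME-SHARED-SECRET
!
! --- Enable 802.1x globally ---
dot1x system-auth-control
!
! --- Access port: flexible-authentication order, multi-auth, critical VLAN ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Flexible-authentication sequencing: try 802.1x first, then MAC Authentication Bypass
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Multiple-user authentication: every host on the port authenticates individually
 authentication host-mode multi-auth
 authentication port-control auto
 ! Critical VLAN: if all RADIUS servers are dead, authorize the port into VLAN 50;
 ! when a server comes back, reinitialize so hosts re-authenticate normally
 authentication event server dead action authorize vlan 50
 authentication event server alive action reinitialize
 dot1x pae authenticator
 mab
```

Verify the result with `show authentication sessions interface GigabitEthernet1/0/1` and `show aaa servers` to confirm which method authorized each host and whether the RADIUS server is marked dead.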
Security Features Overview, OL-29434-01