Cisco WS-C6506 Software Manual page 1091

Catalyst 6500 series switch
Chapter 44
Configuring Network Admission Control
802.1X—802.1X authentication may apply a Layer 2 policy, such as a VLAN assignment, and can also bring Layer 3 policy attributes, such as policy-based ACLs (PBACLs), to a port. A LAN port IP policy consists only of the policy-group membership that is downloaded from the RADIUS server. Multihost and multiauthentication modes are not supported; 802.1X with LAN port IP is supported only in single-host mode.

Auxiliary VLANs—LAN port IP is supported on multi-VLAN access ports.

Guest VLANs and the authentication failure VLAN—When LAN port IP is configured with these two features, the LAN port IP operation differs only in that the IP address that it gets for posture validation is from the guest VLAN or authentication failure VLAN.

DHCP snooping and/or ARP inspection—IP learning is through ARP inspection or DHCP snooping. You must enable at least one of these features for LAN port IP to work. These features are required to trigger LAN port IP (you must map a PBACL containing the ACEs of these features to the VLAN that the LAN port IP port resides in). If you do not enable one of these features, a Layer 2 switch cannot learn new IP addresses that appear on a port.

Note: If you use DHCP triggering for posture validation, you must also enable ARP inspection. If ARP inspection is not enabled, the posture validation completes but the session is torn down within a few minutes because the ARP probe replies from the client are not seen by the EOU state machinery.

Note: Supervisor Engine 1 does not support ARP inspection. With a Supervisor Engine 1, you must enable DHCP snooping.

Port security—LAN port IP works with port security. Only port security-validated MAC addresses are allowed to go through posture validation. If a port security violation occurs and results in a port shutdown, the LAN port IP state of the port is also cleared. When you configure an authentication feature, the authenticating feature hands the MAC address to port security to secure once it has been successfully authenticated, and then LAN port IP is initialized.

Security ACLs (VACLs)—Security ACLs are used as PBACLs, and PBACLs are supported in VACL mode only with LAN port IP.

MAC authentication bypass—LAN port IP is initialized only after a successful authentication using MAC authentication bypass, 802.1X, or web-based proxy authentication.

Web-based proxy authentication—LAN port IP is initialized only after web-based proxy authentication completes verifying identity credentials. In the web-based proxy authentication state, a port waits indefinitely for authentication to complete. In this stage, only DHCP and DNS are allowed to go through. The ACL configured on the interface handles the redirecting of HTTP traffic. The PBACL configured on the interface should ensure that no other traffic is allowed.
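The feature dependencies listed above (IP learning needs DHCP snooping or ARP inspection, DHCP triggering also needs ARP inspection, Supervisor Engine 1 lacks ARP inspection, 802.1X works only in single-host mode, and LAN port IP initializes only after a successful authentication) can be turned into a pre-deployment check. The following Python is an added example written for this page, not Cisco code or CatOS output: the PortConfig field names, the "sup1" label, and the finding texts are assumptions made here for illustration.

```python
"""Dependency checker for NAC LAN port IP settings (constructed example, not CatOS)."""
from __future__ import annotations
from dataclasses import dataclass

# Authentication methods after which LAN port IP is initialized:
# 802.1X, MAC authentication bypass, web-based proxy authentication.
AUTH_METHODS = {"dot1x", "mab", "web-proxy"}


@dataclass
class PortConfig:
    """Hypothetical per-port settings; the field names are this example's, not CatOS keywords."""
    supervisor: str = "sup720"        # "sup1" marks Supervisor Engine 1 (assumed label)
    dhcp_snooping: bool = False
    arp_inspection: bool = False
    dhcp_triggering: bool = False     # DHCP used as the posture-validation trigger
    auth_method: str = "dot1x"
    host_mode: str = "single-host"    # "single-host", "multihost", or "multiauth"
    auth_succeeded: bool = False      # outcome of the authenticating feature on this port


def check_lan_port_ip(cfg: PortConfig) -> list[str]:
    """Return the reasons LAN port IP will not work (or will not stay up) for cfg; empty means OK."""
    findings: list[str] = []

    if cfg.auth_method not in AUTH_METHODS:
        findings.append(
            f"unknown authentication method {cfg.auth_method!r}; LAN port IP initializes "
            "only after 802.1X, MAC authentication bypass, or web-based proxy authentication")

    # 802.1X with LAN port IP is supported only in single-host mode.
    if cfg.auth_method == "dot1x" and cfg.host_mode != "single-host":
        findings.append(
            f"802.1X host mode {cfg.host_mode!r} is not supported with LAN port IP; use single-host")

    # Supervisor Engine 1 has no ARP inspection, so DHCP snooping is the only IP-learning path there.
    arp_available = cfg.arp_inspection and cfg.supervisor != "sup1"
    if cfg.arp_inspection and cfg.supervisor == "sup1":
        findings.append("Supervisor Engine 1 does not support ARP inspection; enable DHCP snooping instead")

    # IP learning comes only from ARP inspection or DHCP snooping.
    if not (cfg.dhcp_snooping or arp_available):
        findings.append(
            "enable DHCP snooping or ARP inspection; otherwise the switch cannot learn "
            "new IP addresses that appear on the port")

    # DHCP triggering depends on ARP probe replies reaching the EOU state machinery.
    if cfg.dhcp_triggering and not arp_available:
        findings.append(
            "DHCP triggering without ARP inspection: posture validation completes "
            "but the session is torn down within a few minutes")

    return findings


def lan_port_ip_initializes(cfg: PortConfig) -> bool:
    """LAN port IP starts only when the dependencies hold and the port's authentication succeeded."""
    return not check_lan_port_ip(cfg) and cfg.auth_succeeded


if __name__ == "__main__":
    # Weak setting: DHCP triggering with DHCP snooping alone. Corrected: ARP inspection added.
    weak = PortConfig(dhcp_snooping=True, dhcp_triggering=True, auth_succeeded=True)
    fixed = PortConfig(dhcp_snooping=True, arp_inspection=True, dhcp_triggering=True, auth_succeeded=True)
    for name, cfg in (("weak", weak), ("fixed", fixed)):
        print(name, check_lan_port_ip(cfg) or "OK", "initializes:", lan_port_ip_initializes(cfg))
```

Running the block as a script reports the "weak" configuration as one that passes posture validation but loses its session, and the "fixed" one as clean; the checker deliberately reports every failing dependency rather than stopping at the first, so a Supervisor Engine 1 port configured with only ARP inspection is told both that ARP inspection is unsupported there and that it has no IP-learning path.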
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04), Configuring Network Admission Control with LAN Port IP, page 44-7

This manual also applies to: Catalyst 6506, Catalyst 6509, Catalyst 6513.