Chapter 44
Configuring Network Admission Control
for validation by the back-end server. The authentication exchange between the supplicant and the NAD
is over EAPOL. Policy enforcement is done by assigning the authenticated port to a specified VLAN to
provide segmentation and quarantine of poorly postured hosts at Layer 2.
Note LAN port 802.1X restricts non-IPv4 traffic from nonpostured hosts. LAN port 802.1X is preferred for
deployments where such a restriction is a requirement.
The LAN port 802.1X policy enforcements include the following (which are already supported with
standard 802.1X authentication):
• VLAN assignment—Normal native VLAN assignment (private VLAN assignment is not supported
with LAN port 802.1X).
• Security ACL assignment—A PBACL name comes from the RADIUS server and is assigned to the
port interface; it can be a PACL or a VACL.
• Policy groups—PBACL policy groups can be sent down from the ACS server.
For LAN port 802.1X, the policy enforcement uses a VLAN/PBACL combination, whereas LAN port IP
uses only PBACLs.
Reauthentication works the same way as in standard 802.1X authentication: it uses the
RADIUS server-sent Session-Timeout and Termination-Action attributes or, when the server does not send
them, the locally configured CLI attributes. When the server sends them, these attributes arrive as part
of the Access-Accept message.
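The VLAN assignment, Session-Timeout and Termination-Action described above all reach the switch in one RADIUS Access-Accept. The following Python is an added example, not code from the Cisco guide or from CatOS: it builds a constructed Access-Accept the way a RADIUS server would, then decodes it the way a NAD must, verifying the Response Authenticator before honouring the Tunnel-* VLAN attributes, the reauthentication attributes and any Cisco AV-pairs. Attribute numbers and the VLAN-assignment rule follow RFC 2865, 2868 and 3580; the shared secret, Request Authenticator, VLAN name and AV-pair text are assumed sample values (the exact AV-pair syntax ACS uses for a PBACL name or policy group is not shown on this page).

```python
import hashlib, hmac, struct
ACCESS_ACCEPT = 2
ATTR_VSA, ATTR_SESSION_TIMEOUT, ATTR_TERMINATION_ACTION = 26, 27, 29
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # RFC 3580 values that signal a VLAN assignment
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1          # cisco-avpair vendor-specific attribute
TERMINATION_ACTIONS = {0: "Default", 1: "RADIUS-Request"}


def _attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def _tagged_int(atype, tag, value):
    # RFC 2868 tagged integer: one tag octet followed by a 3-octet value
    return _attr(atype, bytes([tag]) + struct.pack(">I", value)[1:])


def _cisco_avpair(text):
    data = text.encode()
    return _attr(ATTR_VSA, struct.pack(">I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, 2 + len(data)]) + data)


def build_access_accept(ident, request_auth, secret, vlan, session_timeout, term_action, avpairs):
    """Server side: Access-Accept with Response Authenticator = MD5(header | Request Auth | attrs | secret)."""
    attrs = (_tagged_int(ATTR_TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
             + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_802)
             + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + vlan.encode())
             + _attr(ATTR_SESSION_TIMEOUT, struct.pack(">I", session_timeout))
             + _attr(ATTR_TERMINATION_ACTION, struct.pack(">I", term_action))
             + b"".join(_cisco_avpair(p) for p in avpairs))
    header = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_and_parse(packet, request_auth, secret):
    """NAD side: a forged Access-Accept would authorize the port, so check the authenticator first."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, pos = [], 20
    while pos < length:                      # strict TLV walk: no attribute may run past the packet
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def extract_policy(packet, request_auth, secret):
    """The enforcement policy the NAD derives from a verified Access-Accept."""
    code, _, attrs = verify_and_parse(packet, request_auth, secret)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    policy = {"vlan": None, "session_timeout": None, "termination_action": "Default", "avpairs": []}
    tunnels = {}
    for atype, raw in attrs:
        if atype == ATTR_SESSION_TIMEOUT:
            policy["session_timeout"] = struct.unpack(">I", raw)[0]
        elif atype == ATTR_TERMINATION_ACTION:
            policy["termination_action"] = TERMINATION_ACTIONS.get(struct.unpack(">I", raw)[0], "unknown")
        elif atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID) and raw:
            # RFC 2868: a leading octet in 0x00..0x1F is a tag; otherwise the value is untagged
            tag, value = (raw[0], raw[1:]) if raw[0] <= 0x1F else (0, raw)
            tunnels.setdefault(tag, {})[atype] = value
        elif atype == ATTR_VSA and len(raw) >= 4 and struct.unpack(">I", raw[:4])[0] == CISCO_VENDOR_ID:
            vpos = 4
            while vpos + 2 <= len(raw):
                vtype, vlen = raw[vpos], raw[vpos + 1]
                if vlen < 2 or vpos + vlen > len(raw):
                    raise ValueError("malformed VSA")
                if vtype == CISCO_AVPAIR:
                    policy["avpairs"].append(raw[vpos + 2:vpos + vlen].decode())
                vpos += vlen
    # RFC 3580: only Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and a Group-ID sharing one tag assign a VLAN
    for group in tunnels.values():
        if (int.from_bytes(group.get(ATTR_TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group.get(ATTR_TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in group):
            policy["vlan"] = group[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode()
            break
    return policy


def reauth_timer(policy, cli_timeout):
    """(interval, reauthenticate?): server Session-Timeout else CLI value; RADIUS-Request = reauth at expiry."""
    timeout = cli_timeout if policy["session_timeout"] is None else policy["session_timeout"]
    return timeout, policy["termination_action"] == "RADIUS-Request"


# Constructed sample (not a real ACS capture): secret, the NAD's Request Authenticator, an illustrative AV-pair
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(0x2A, REQUEST_AUTH, SECRET, "QUARANTINE", 3600, 1, ["posture-token=Quarantine"])

if __name__ == "__main__":
    print(extract_policy(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
```

Two points of the decoder matter in practice: the Response Authenticator is recomputed over the whole packet with the shared secret before any attribute is trusted, so a bit flipped anywhere in the attributes (or a packet signed with the wrong secret) is rejected rather than applied to the port; and a VLAN is only assigned when all three tunnel attributes are present, carry the same tag and have the VLAN/802 values, which is the RFC 3580 rule a switch applies before moving a port.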
With LAN port 802.1X, hosts are classified into one of the following categories:
• Enhanced CTA—This CTA can send both authentication and posture TLVs in a single EAP tunnel,
and the policy enforcement that comes from the RADIUS server has both the VLAN assignment and
the PBACL groups.
• Legacy supplicants and legacy CTA—These hosts do not have the enhanced CTA; they have a
standard 802.1X supplicant that cannot interface with the CTA, together with a legacy CTA that
does posture validation over EAPoUDP. With these hosts, after LAN port 802.1X completes, the
switch checks for posture validation results. If the posture results are not received, it is assumed that
the host does not have the enhanced CTA. If LAN port IP is configured on the port, it is triggered to do
the posture validation. This category is a combination of LAN port IP and 802.1X authentication.
• Legacy supplicant and no CTA—These 802.1X-capable hosts do not have a CTA. After 802.1X
authentication completes, the switch realizes that posture validation has not occurred and, if LAN
port IP is enabled on the port, the switch directs LAN port IP to carry out the posture validation.
When LAN port IP runs, it realizes that the host is not responding to its EoU packets and downloads
the clientless posture policy for the host. In contrast, 802.1X authentication would have an enforced
policy based on the authentication result.
• No supplicant and legacy CTA—When the host does not have an 802.1X-capable supplicant, 802.1X
times out and moves the port into the guest VLAN or, if MAC authentication bypass is configured,
MAC authentication bypass is requested to authenticate the host's MAC address. After authorizing
the port (through MAC authentication bypass or the guest VLAN), if LAN port IP is configured,
LAN port IP does the posture validation and retrieves the posture policy.
• No supplicant and no CTA—When a host that is not 802.1X-capable and does not have a CTA
installed is connected to a switch port, the switch initially tries EAPOL exchanges. When
it fails to get a response, the switch moves the port into the guest VLAN state or requests that MAC
authentication bypass (if configured) authenticate the MAC address. Once the port is authorized by one of
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04), Configuring Network Admission Control with LAN Port 802.1X, page 44-35