•
We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a per-user
ACL policy might impact traffic on both the voice and data VLANs of the port. If used, only one device
on the port should enforce per-user ACLs.
Limiting Login for Users
The Limiting Login feature helps Network administrators to limit the login attempt of users to a network.
When a user fails to successfully login to a network within a configurable number of attempts within a
configurable time limit, the user can be blocked. This feature is enabled only for local users and not for remote
users. You need to configure the aaa authentication rejected command in global configuration mode to
enable this feature.
802.1x Supplicant and Authenticator Switches with Network Edge Access
Topology (NEAT)
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet (such
as conference rooms). This allows any type of device to authenticate on the port.
•
802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by using
the 802.1x supplicant feature. This configuration is helpful in a scenario, where, for example, a switch
is outside a wiring closet and is connected to an upstream switch through a trunk port. A switch configured
with the 802.1x switch supplicant feature authenticates with the upstream switch for secure connectivity.
Once the supplicant switch authenticates successfully the port mode changes from access to trunk.
•
If the access VLAN is configured on the authenticator switch, it becomes the native VLAN for the trunk
port after successful authentication.
In the default state, when you connect a supplicant switch to an authenticator switch that has BPDU guard
enabled, the authenticator port could be error-disabled if it receives a Spanning Tree Protocol (STP) bridge
protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco IOS
Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period. Entering
the dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant
port during authentication to ensure that the authenticator port does not shut down before authentication
completes. If authentication fails, the supplicant port opens. Entering the no dot1x supplicant controlled
transient global configuration command opens the supplicant port during the authentication period. This is
the default behavior.
We strongly recommend using the dot1x supplicant controlled transientcommand on a supplicant switch
when BPDU guard is enabled on the authenticator switch port with the spanning-tree bpduguard enable
interface configuration command.
If you globally enable BPDU guard on the authenticator switch by using the spanning-tree portfast
bpduguard default global configuration command, entering the dot1x supplicant controlled transient
command does not prevent the BPDU violation.
Note
You can enable MDA or multiauth mode on the authenticator switch interface that connects to one more
supplicant switches. Multihost mode is not supported on the authenticator switch interface.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
294 OL-29048-01
Configuring IEEE 802.1x Port-Based Authentication
Limiting Login for Users
To Next Page
Loading...
Need help?
General
Weight and Dimensions
