1-31
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based
authentication except that you must configure a posture token on the RADIUS server. For information
about configuring NAC Layer 2 IEEE 802.1x validation, see the “Configuring NAC Layer 2 802.1x
Validation” section on page 1-68 and the “Configuring Periodic Re-Authentication” section on
page 1-48.
For more information about NAC, see the Network Admission Control Software Configuration Guide.
For more configuration information, see the “Authentication Manager” section on page 1-7.
Flexible Authentication Ordering
You can use flexible authentication ordering to configure the order of methods that a port uses to
authenticate a new host. MAC authentication bypass and 802.1x can be the primary or secondary
authentication methods, and web authentication can be the fallback method if either or both of those
authentication attempts fail. For more information see the “Configuring Flexible Authentication
Ordering” section on page 1-74.
Open1x Authentication
Open1x authentication allows a device access to a port before that device is authenticated. When open
authentication is configured, a new host can pass traffic according to the access control list (ACL)
defined on the port. After the host is authenticated, the policies configured on the RADIUS server are
applied to that host.
You can configure open authentication with these scenarios:
• Single-host mode with open authentication–Only one user is allowed network access before and
after authentication.
• MDA mode with open authentication–Only one user in the voice domain and one user in the data
domain are allowed.
• Multiple-hosts mode with open authentication–Any host can access the network.
• Multiple-authentication mode with open authentication–Similar to MDA, except multiple hosts can
be authenticated.
For more information see the “Configuring the Host Mode” section on page 1-47.
Note If open authentication is configured, it takes precedence over other authentication controls. This means
that if you use the authentication open interface configuration command, the port will grant access to
the host irrespective of the authentication port-control interface configuration command.
Multidomain Authentication
The switch supports multidomain authentication (MDA), which allows both a data device and voice
device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is
divided into a data domain and a voice domain.
MDA does not enforce the order of device authentication. However, for best results, we recommend that
a voice device is authenticated before a data device on an MDA-enabled port.
Follow these guidelines for configuring MDA:
• To configure a switch port for MDA, see the “Configuring the Host Mode” section on page 1-47.
To Next Page
Loading...
Need help?
General
