Configuring Security
802.1X
Cisco Small Business 300 Series Managed Switch Administration Guide 212
16
The 802.1x is an IEEE standard for port based network access control. The 802.1x
framework enables a device (the supplicant) to request port access from a remote
device (authenticator) to which it is connected. Only when the supplicant
requesting port access is authenticated and authorized is the supplicant
permitted to send data to the port. Otherwise, the authenticator discards the
supplicant data unless the data is sent to a Guest VLAN and/or non-authenticated
VLANs.
Authentication of the supplicant is performed by an external RADIUS server
through the authenticator. The authenticator monitors the result of the
authentication.
In the 802.1x standard, a device can be a supplicant and an authenticator at a port
simultaneously, requesting port access and granting port access. However, this
device is only the authenticator, and does not take on the role of a supplicant.
The following varieties of 802.1X exist:
• Single session 802.1X:
- A1 —Single-session/single host. In this mode, the switch, as an
authenticator supports one 802.1x session and grants permission to use
the port to the authorized supplicant at a port. All the access by the
other devices received from the same port are denied until the
authorized supplicant is no longer using the port or the access is to the
unauthenticated VLAN or guest VLAN.
- Single session/multiple hosts—This follows the 802.1x standard. In this
mode, the switch as an authenticator allows any device to use a port as
long as it has been granted permission to a supplicant at the port.
• Multi-Session 802.1X—Every device (supplicant) connecting to a port
must be authenticated and authorized by the switch (authenticator)
separately in a different 802.1x session. This is the only mode that supports
Dynamic VLAN Assignment (DVA).
Dynamic VLAN Assignment (DVA)
Dynamic VLAN Assignment (DVA) is also referred as RADIUS VLAN Assignment in
this guide. When a port is in Multiple Session mode and is DVA-enabled, the switch
automatically adds the port as an untagged member of the VLAN that is assigned
by the RADIUS server during the authentication process. The switch classifies
untagged packets to the assigned VLAN if the packets are originated from the
devices or ports that are authenticated and authorized.
To Next Page
Loading...
Need help?
General
