Configuring Port-Based and Client-Based Access Control (802.1X)
Overview
Authentication features covered in chapter 4.)
• On the 3400cl and 6400cl switches (running software version M.08.6x or greater), port-based access control supporting one authenticated client per port.
• Supplicant implementation using CHAP authentication and independent username and password configuration on each port.
■ Local authentication of 802.1X clients using the switch’s local username and password (as an alternative to RADIUS authentication).
■ On-demand change of a port’s configured VLAN membership status to support the current client session.
■ Session accounting with a RADIUS server, including the accounting update interval.
■ Use of Show commands to display session counters.
■ 5300xl switches, running software release E.09.xx or greater, support concurrent use of 802.1X port-access and either Web authentication or MAC authentication on the same port.
■ For unauthenticated clients that do not have the necessary 802.1X supplicant software (or for other reasons related to unauthenticated clients), there is the option to configure an Unauthorized-Client VLAN. This mode allows you to assign unauthenticated clients to an isolated VLAN through which you can provide the necessary supplicant software and/or other services you want to extend to these clients.
User Authentication Methods
802.1X Port-Based Access Control on 3400cl/6400cl Switches, and 5300xl Switches (with Software Release E.08.xx and Earlier).
802.1X port-based access control provides port-level security that allows LAN access only on ports where an 802.1X-capable client (supplicant) enters an authorized RADIUS username and password. Because this operation unblocks the port while an authenticated client session is in progress, using the switch’s port-security feature (chapter 11) is recommended for topologies where simultaneous, multiple client access is possible (to prevent unauthorized access by a second client while another, authenticated client is using the port). For more information, refer to “Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices” on page 10-36.
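The exposure described above, as an added example that is not part of the manual: a small model of the switch’s forwarding decision in port-based mode (one authenticated session unblocks the whole port, so a second, unauthenticated device on the same segment gets through unless port-security restricts the port to the authenticated MAC) next to the per-client mode introduced in the next paragraph, where each client is authorized individually. The `Port` class, the `port_security` flag and the MAC addresses are constructed for illustration, not the switch’s own implementation.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    mode: str                    # "port-based" or "client-based"
    port_security: bool = False  # constructed stand-in for the port-security option
    authenticated: set = field(default_factory=set)

    def max_sessions(self):
        # One authenticated client per port in port-based mode, up to 32 in client-based mode
        return 1 if self.mode == "port-based" else 32

    def authenticate(self, mac, radius_accepted):
        """Supplicant at `mac` presents credentials; True if a session starts."""
        if not radius_accepted or len(self.authenticated) >= self.max_sessions():
            return False
        self.authenticated.add(mac)
        return True

    def logoff(self, mac):
        self.authenticated.discard(mac)

    def forwards(self, mac):
        """Would a frame from `mac` be forwarded into the LAN?"""
        if self.mode == "client-based":
            return mac in self.authenticated  # each client authorized individually
        if not self.authenticated:
            return False  # port stays blocked until a client authenticates
        if self.port_security:
            return mac in self.authenticated  # only the authenticated MAC may use the port
        return True  # an open port forwards for any MAC

AUTH_MAC, OTHER_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed addresses

def second_client_gets_access(mode, port_security=False):
    """Can an unauthenticated second client use a port another client opened?"""
    port = Port(mode=mode, port_security=port_security)
    assert port.authenticate(AUTH_MAC, radius_accepted=True)
    return port.forwards(OTHER_MAC)

def access_after_logoff(mode):
    """Does the port re-block once the authenticated session ends?"""
    port = Port(mode=mode)
    port.authenticate(AUTH_MAC, radius_accepted=True)
    port.logoff(AUTH_MAC)
    return port.forwards(AUTH_MAC) or port.forwards(OTHER_MAC)
```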
5300xl Switches (with Software Release E.09.xx or Greater). 802.1X operation with access control extended to a per-client basis provides client-level security that allows LAN access to individual 802.1X clients (up to 32 per