10-33
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Open1x Authentication
Open1x authentication allows a device access to a port before that device is authenticated. When open
authentication is configured, a new host on the port can only send traffic to the switch. Af ter the host is
authenticated, the policies configured on the RADIUS server are applied to that host.
You can configure open authentication with these scenarios:
Single-host mode with open authentication–Only one user is allowed network access before and
after authentication.
MDA mode with open authentication–Only one user in the voice domain and one user in the data
domain are allowed.
Multiple-hosts mode with open authentication–Any host can access the network.
Multiple-authentication mode with open authentication–Similar to MDA, except multiple hosts can
be authenticated.
For more information see the “Configuring the Host Mode” section on page 10-46.
Using Voice Aware 802.1x Security
Note To use voice aware IEEE 802.1x authentication, the switch must be running the LAN base image.
You use the voice aware 802.1x security feature to configure the switch to disable only the VLAN on
which a security violation occurs, whether it is a data or voice VLAN. When an attempt to authenticate
the data client caused a security violation in previous releases, the entire port shut down, resulting in a
complete loss of connectivity.
You can use this feature where a PC is connected to the IP phone. A security viola tion found on the data
VLAN shuts down only the data VLAN. The traffic on the voice VLAN continues without interruption.
For information on configuring voice aware 802.1x security, see the “Configuring Voice Aware 802.1x
Security” section on page 10-41.
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet
(such as conference rooms). This allows any type of device to authenticate on the port.
802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by
using the 802.1x supplicant feature. This configuration is helpful in a scenario, where, for example,
a switch is outside a wiring closet and is connected to an upstream switch through a trunk port. A
switch configured with the 802.1x switch supplicant feature authenticates with the upstream switch
for secure connectivity.
Once the supplicant switch authenticates successfully the port mode changes from access to trunk.
If the access VLAN is configured on the authenticator switch, it becomes the native VLAN for the
trunk port after successful authentication.
You can enable MDA or multiauth mode on the authenticator switch interface that connects to one more
supplicant switches. Multihost mode is not supported on the authenticator switch interface.