Cisco Systems 3560

1-10

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 1 Overview

Features

–

Network Edge Access Topology (NEAT) with 802.1X switch supplicant, host authorization

with CISP, and auto enablement to authenticate a switch outside a wiring closet as a supplicant

to another switch.

–

IEEE 802.1x with open access to allow a host to access the network before being authenticated.

–

IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL

downloads from a Cisco Secure ACS server to an authenticated switch.

–

Flexible-authentication sequencing to configure the order of the authentication methods that a

port tries when authenticating a new host.

–

Multiple-user authentication to allow more than one host to authenticate on an 802.1x-enabled

port.

• Network Admission Control (NAC) features:

–

NAC Layer 2 802.1x validation of the antivirus condition or posture of endpoint systems or

clients before granting the devices network access.

For information about configuring NAC Layer 2 802.1x validation, see the “Configuring NAC

Layer 2 802.1x Validation” section on page 10-54.

–

NAC Layer 2 IP validation of the posture of endpoint systems or clients before granting the

devices network access.

For information about configuring NAC Layer 2 IP validation, see the Network Admission

Control Software Configuration Guide.

–

IEEE 802.1x inaccessible authentication bypass.

For information about configuring this feature, see the “Configuring the Inaccessible

Authentication Bypass Feature” section on page 10-49.

–

Authentication, authorization, and accounting (AAA) down policy for a NAC Layer 2 IP

validation of a host if the AAA server is not available when the posture validation occurs.

For information about this feature, see the Network Admission Control Software Configuration

Guide.

• TACACS+, a proprietary feature for managing network security through a TACACS server

• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users

through AAA services

• Kerberos security system to authenticate requests for network resources by using a trusted third

party (requires the cryptographic versions of the software (IP base and IP services images)

• Secure Socket Layer (SSL) Version 3.0 support for the HTTP 1.1 server authentication, encryption,

and message integrity and HTTP client authentication to allow secure HTTP communications

(requires the cryptographic versions of the software IP base and IP services images)

• Voice aware IEEE 802.1x and mac authentication bypass (MAB) security violation to shut down

only the data VLAN on a port when a security violation occurs