Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 40 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
802.1X Supplicant and Authenticator Switches with Network Edge Access Topology
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet
(such as conference rooms).
You can enable any authentication host mode on the authenticator switch interface that connects to a
supplicant switch. Once the supplicant switch authenticates successfully, the port mode changes from
access to trunk. To ensure that NEAT works on all host modes, use the dot1x supplicant force-multicast
global configuration command on the supplicant switch. If the access VLAN is configured on the
authenticator switch, it becomes the native VLAN for the trunk port after successful authentication.
Note: MAB is not supported or recommended for use with NEAT. Only use 802.1X to authenticate the
supplicant switch.
Note: The Catalyst 4500 series switch only supports authenticator ports.
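One way to check saved configurations against the two requirements above (force-multicast on the supplicant switch, no MAB on the port that faces it). This is an added example, not code from the guide or from Cisco. The sample configurations are constructed, and the list of NEAT-facing ports and the expected `authentication port-control auto` and `dot1x pae authenticator` lines are assumptions about how the authenticator port is configured.

```python
import re

# Constructed sample running-configs; interface names and VLAN are illustrative.
AUTHENTICATOR_CFG = """\
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet2/2
 authentication port-control auto
 dot1x pae authenticator
"""
SUPPLICANT_CFG = "hostname SSw\ndot1x supplicant force-multicast\n"

def interfaces(cfg):
    """Return {interface name: [sub-commands]} from running-config text."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other global line ends the interface block
    return blocks

def audit_authenticator(cfg, neat_ports):
    """Check the ports the operator lists as facing a supplicant switch."""
    findings, blocks = [], interfaces(cfg)
    for port in neat_ports:
        cmds = blocks.get(port)
        if cmds is None:
            findings.append((port, "interface not found"))
            continue
        if any(c == "mab" or c.startswith("mab ") for c in cmds):
            findings.append((port, "MAB enabled; use 802.1X only with NEAT"))
        for required in ("dot1x pae authenticator", "authentication port-control auto"):
            if required not in cmds:
                findings.append((port, "missing: " + required))
    return findings

def audit_supplicant(cfg):
    """The force-multicast command is global, so match unindented lines only."""
    has_it = any(l.rstrip() == "dot1x supplicant force-multicast" for l in cfg.splitlines())
    return [] if has_it else ["missing: dot1x supplicant force-multicast"]
```

Calling `audit_authenticator(AUTHENTICATOR_CFG, ["GigabitEthernet2/1"])` flags the `mab` line on that port, while `GigabitEthernet2/2` passes.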

Deployment

NEAT is intended for deployment scenarios where a switch acting as 802.1X authenticator to end hosts
(PCs or Cisco IP phones) is placed in an unsecured location (outside the wiring closet).
Because of this topology, the authenticator switch cannot always be trusted. For example, compact
switches (8-port Catalyst 3560 and Catalyst 2960) are generally deployed outside the wiring closet. This
enables hacker devices to swap them to gain access to the network, compromising security. An edge
switch must therefore be able to authenticate itself against another switch; this arrangement is referred
to as Network Edge Authentication Topology (NEAT).
Figure 40-8 illustrates a typical NEAT topology.
Figure 40-8 Typical NEAT Topology
[Figure labels: SSw (supplicant to ASw switch; authenticator for clients); ASw (authenticator); AAA RADIUS server (ACS); campus LAN; wiring closet switch; wall jack in conference room; Cisco switch with supplicant (EAP-MD5), also acts as 802.1X authenticator to hosts.]
NEAT facilitates the following functionality in such scenarios: