Cisco Systems IE3010 Network Admission Control Layer 2 802.1x Validation, Flexible Authentication Ordering, Open1x Authentication

10-29

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Network Admission Control Layer 2 802.1x Validation

The switch supports the Network Admission Control (NAC) Layer 2 802.1x validation, which checks

the antivirus condition or posture of endpoint systems or clients before granting the devices network

access. With NAC Layer 2 802.1x validation, you can do these tasks:

• Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action

RADIUS attribute (Attribute[29]) from the authentication server.

• Set the number of seconds between re-authentication attempts as the value of the Session-Timeout

RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS

server.

• Set the action to be taken when the switch tries to re-authenticate the client by using the

Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the

session ends. If the value is RADIUS-Request, the re-authentication process starts.

• Set the list of VLAN number or name or VLAN group name as the value of the Tunnel Group Private

ID (Attribute[81]) and the preference for the VLAN number or name or VLAN group name as the

value of the Tunnel Preference (Attribute[83]). If you do n ot configure the Tunnel Preference, the

first Tunnel Group Private ID (Attribute[81]) attribute is picked up from the list.

• View the NAC posture token, which shows the posture of the client, by using the show

authentication or show dot1x privileged EXEC command.

• Configure secondary private VLANs as guest VLANs.

Configuring NAC Layer 2 802.1x validation is similar to configuring 802.1x port-based authentication

except that you must configure a posture token on the RADIUS server. For information about

configuring NAC Layer 2 802.1x validation, see the “Configuring NAC Layer 2 802.1x Validation”

section on page 10-59 and the “Configuring Periodic Re-Authentication” section on page 10-44.

For more information about NAC, see the Network Admission Control Software Configuration Guide.

For more configuration information, see the “Authentication Manager” section on page 10-7.

Flexible Authentication Ordering

You can use flexible authentication ordering to configure the order of methods that a port uses to

authenticate a new host. MAC authentication bypass and 802.1x can b e the primary or secondary

authentication methods, and web authentication can be the fallback method if either or both of those

authentication attempts fail. For more information see the “Configuring Flexible Authentication

Ordering” section on page 10-64.

Open1x Authentication

Open1x authentication allows a device access to a port before that device is authenticated. When open

authentication is configured, a new host on the port can only send traffic to the switch. Af ter the host is

authenticated, the policies configured on the RADIUS server are applied to that host.

You can configure open authentication with these scenarios:

• Single-host mode with open authentication–Only one user is allowed network access before and

after authentication.

• MDA mode with open authentication–Only one user in the voice domain and one user in the data

domain are allowed.