Cisco Systems IE 2000

1-9

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 1 Configuration Overview

Feature Software Licensing

For information about configuring NAC Layer 2 802.1x validation, see the “Configuring NAC

Layer 2 802.1x Validation” section on page 13-46

–

NAC Layer 2 IP validation of the posture of endpoint systems or clients before granting the

devices network access

For information about configuring NAC Layer 2 IP validation, see the Network Admission

Control Software Configuration Guide

–

IEEE 802.1x inaccessible authentication bypass

For information about configuring this feature, see the “Configuring Inaccessible

Authentication Bypass” section on page 13-44

–

Authentication, authorization, and accounting (AAA) down policy for a NAC Layer 2 IP

validation of a host if the AAA server is not available when the posture validation occurs

For information about this feature, see the Network Admission Control Software Configuration

Guide.

• TACACS+, a proprietary feature for managing network security through a TACACS server

• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users

through AAA services

• Enhancements to RADIUS, TACACS+, and SSH to function over IPv6

• Kerberos security system to authenticate requests for network resources by using a trusted third

party (requires the cryptographic versions of the software)

• Secure Socket Layer (SSL) Version 3.0 support for the HTTP 1.1 server authentication, encryption,

and message integrity and HTTP client authentication to allow secure HTTP communications

(requires the cryptographic version of the software)

• Voice-aware IEEE 802.1x and MAC authentication bypass (MAB) security violation to shut down

only the data VLAN on a port when a security viol ation occurs

• Support for IP source guard on static hosts

• RADIUS change of authorization (CoA) to change the attributes of a certain session after it is

authenticated. When there is a change in policy for a user or user group in AAA, administrators can

send the RADIUS CoA packets from the AAA server, such as Cisco Secure ACS to reinitialize

authentication, and apply to the new policies.

• IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to

improve scalability of the network by load balancing users across different VLANs. Authorized

users are assigned to the least populated VLAN in the group, assigned by RADIUS server.

• Support for critical VLAN with multiple-host authentication so that when a port is configured for

multi-authentication, and an AAA server becomes unreachable, the port is placed in a critical VLAN

in order to still permit access to critical resources

• Customizable web authentication enhancement to allow the creation of user-defined login, success,

failure and expire web pages for local web authentication

• Support for Network Edge Access Topology (NEAT) to change the port host mode and to apply a

standard port configuration on the authenticator switch port

• VLAN-ID based MAC authentication to use the combined VLAN and MAC address information for

user authentication to prevent network access from unauthorized VLAN s

• MAC move to allow hosts (including the hosts connected behind an IP phone) to move across ports

within the same switch without any restrictions to enable mobility. With MAC move, the switch

treats the reappearance of the same MAC address on another port in the same way as a completely

new MAC address.