Catalyst 3750 Switch Software Configuration Guide
OL-8550-09
Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
IEEE 802.1x port-based authentication prevents unauthorized devices (clients) from gaining access to
the network. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
The Catalyst 3750 switch command reference and the “RADIUS Commands” section in the Cisco IOS
Security Command Reference, Release 12.2, contain command syntax and usage information.
The switch also supports Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP). This
feature supports security group access control lists (SGACLs), which define ACL policies for a group of
devices instead of for an IP address. The SXP control protocol allows tagging packets with SGTs without a
hardware upgrade, and runs between access layer devices at the Cisco TrustSec domain edge and
distribution layer devices within the Cisco TrustSec domain. The Catalyst 3750-X and 3560-X switches
operate as access layer switches in the Cisco TrustSec network.
For more information about Cisco TrustSec, see the Cisco TrustSec Switch Configuration Guide:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
The sections on SXP define the capabilities supported on the Catalyst 3750 switch.
This chapter includes these sections:
Understanding IEEE 802.1x Port-Based Authentication, page 10-1
Configuring 802.1x Authentication, page 10-36
Displaying 802.1x Statistics and Status, page 10-70

Understanding IEEE 802.1x Port-Based Authentication

The IEEE 802.1x standard defines a client-server-based access control and authentication protocol to prevent
unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication
server authenticates each client connected to a switch port before making available any switch or LAN
services.
Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication
Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP)
traffic through the port to which the client is connected. After authentication, normal traffic passes
through the port.
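The following is an added example, not code from the Cisco guide: a Python model of the port behaviour described above, classifying each frame by its EtherType or LLC/SNAP header and forwarding only EAPOL, CDP and STP while the port is unauthorized. The sample frames are constructed for the example, not captures.

```python
import struct

ETHERTYPE_EAPOL = 0x888E          # IEEE 802.1X EAP over LAN
LLC_STP_SAP = 0x42                # STP BPDUs: DSAP = SSAP = 0x42
SNAP_CISCO_OUI = b"\x00\x00\x0c"  # CDP is carried in an LLC/SNAP frame
SNAP_CDP_PID = 0x2000             # with the Cisco OUI and protocol id 0x2000

def classify(frame: bytes) -> str:
    """Return 'eapol', 'stp', 'cdp' or 'other' for a raw Ethernet frame."""
    if len(frame) < 17:
        return "other"
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len == ETHERTYPE_EAPOL:
        return "eapol"
    if type_or_len > 1500:            # any other EtherType II frame (IP, ARP, ...)
        return "other"
    dsap, ssap = frame[14], frame[15] # 802.3 length field: an LLC header follows
    if dsap == LLC_STP_SAP and ssap == LLC_STP_SAP:
        return "stp"
    if dsap == 0xAA and ssap == 0xAA and len(frame) >= 22:  # SNAP: OUI + PID
        oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        if oui == SNAP_CISCO_OUI and pid == SNAP_CDP_PID:
            return "cdp"
    return "other"

def forwards(frame: bytes, authorized: bool) -> bool:
    """Port decision: an unauthorized port passes only EAPOL, CDP and STP."""
    if authorized:
        return True                   # normal traffic after authentication
    return classify(frame) in ("eapol", "stp", "cdp")

# Constructed sample frames (not captures): well-known group MACs + one client MAC
SRC = b"\x00\x11\x22\x33\x44\x55"
SAMPLES = {
    "eapol": b"\x01\x80\xc2\x00\x00\x03" + SRC + b"\x88\x8e" + b"\x01\x01\x00\x00",
    "stp": b"\x01\x80\xc2\x00\x00\x00" + SRC + struct.pack("!H", 38) + b"\x42\x42\x03" + bytes(35),
    "cdp": b"\x01\x00\x0c\xcc\xcc\xcc" + SRC + struct.pack("!H", 30) + b"\xaa\xaa\x03"
           + SNAP_CISCO_OUI + b"\x20\x00" + bytes(22),
    "arp": b"\xff" * 6 + SRC + b"\x08\x06" + bytes(28),
}

def demo():
    """Forwarding decision per sample frame before and after the client is authorized."""
    before = {name: forwards(f, authorized=False) for name, f in SAMPLES.items()}
    after = {name: forwards(f, authorized=True) for name, f in SAMPLES.items()}
    return before, after
```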
Device Roles, page 10-3
Authentication Process, page 10-4
Authentication Initiation and Message Exchange, page 10-6