10-34
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch for
Network Edge Access Topology (NEAT) to work in all host modes.
Host Authorization: Ensures that only traffic from authorized hosts (connecting to the switch with
supplicant) is allowed on the network. The switches use Client Information Signalling Protocol
(CISP) to send the MAC addresses connecting to the supplicant switch to the authenticator switch,
as shown in Figure10 -6.
Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing
user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as
device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
Figure10-6 Authenticator and Supplicant Switch using CISP

Guidelines

You can configure NEAT ports with the same configurations as the other authentication ports. When
the supplicant switch authenticates, the port mode is changed from access to trunk based on the
switch vendor-specific attributes (VSAs). (device-traffic-class=switch).
The VSA changes the authenticator switch port mode from access to trunk and enables 802.1x trunk
encapsulation and the access VLAN if any would be converted to a native trunk VLAN. VSA does
not change any of the port configurations on the supplicant
To change the host mode and the apply a standard port configuration on the authenticator switch
port, you can also use Auto Smartports user-defined macros, instead of the switch VSA. This allows
you to remove unsupported configurations on the authenticator switch port and to change the port
mode from access to trunk. For information, see the AutoSmartports Configuration Guide.
For more information, see the “Configuring an Authenticator and a Supplicant Switch with NEAT”
section on page 10-63.
Using IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute
The switch supports both IP standard and IP extended port access control lists (ACLs) applied to ingress
ports.
1Workstations (clients) 2Supplicant switch (outside wiring closet)
3Authenticator switch 4Access control server (ACS)
5Trunk port
205718

1

2 3

5

4