Enhancements in Release F.05.05 through F.05.70

Enhancements in Release F.05.05 through F.05.60

General Features802.1X on the Series 2500 switches includes the following:

Switch operation as both an authenticator (for supplicants having a point-to-point connec- tion to the switch) and as a supplicant for point-to-point connections to other 802.1X-aware switches.

Authentication of 802.1X clients using a RADIUS server and either the EAP or CHAP protocol.

Provision for enabling clients that do not have 802.1 supplicant software to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode).

Supplicant implementation using CHAP authentication and independent username and password configuration on each port.

Prevention of traffic flow in either direction on unauthorized ports.

Local authentication of 802.1X clients using the switch’s local username and password (as an alternative to RADIUS authentication).

Temporary on-demand change of a port’s VLAN membership status to support a current client’s session. (This does not include ports that are members of a trunk.)

Session accounting with a RADIUS server, including the accounting update interval.

Use of Show commands to display session counters.

With port-security enabled for port-access control, limit a port to one 802.1X client session at a given time.

Authenticating Users. Port-Based Access Control (802.1X) provides switch-level security that allows LAN access only to users who enter the authorized RADIUS username and password on 802.1X-capable clients (supplicants). This simplifies security management by allowing you to control access from a master database in a single server (although you can use up to three RADIUS servers to provide backups in case access to the primary server fails). It also means a user can enter the same username and password pair for authentication, regardless of which switch is the access point into the LAN. Note that you can also configure 802.1X for authentication through the switch’s local username and password instead of a RADIUS server, but doing so increases the administrative burden, decentralizes username/password administration, and reduces security by limiting authentication to one Operator/Manager password set for all users.

Providing a Path for Downloading 802.1X Supplicant Software. For clients that do not have the necessary 802.1X supplicant software, there is also the option to configure the 802.1X Open VLAN mode. This mode allows you to assign such clients to an isolated VLAN through which you can provide the necessary supplicant software these clients need to begin the authentication process. (Refer to “802.1X Open VLAN Mode” on page -44.)

30