Home » Cisco Manuals » Bridges & Routers » Cisco IE-3000-8TC » Manual Viewer

Cisco IE-3000-8TC Software Configuration Guide - Page 254

Open1x Authentication, 802.1x Switch Supplicant with Network Edge Access Topology (NEAT

Add to My Manuals
Save this manual to your list of manuals

Page 254 highlights

Understanding IEEE 802.1x Port-Based Authentication Chapter 12 Configuring IEEE 802.1x Port-Based Authentication Open1x Authentication Open1x authentication allows a device access to a port before that device is authenticated. When open authentication is configured, a new host on the port can only send traffic to the switch. After the host is authenticated, the policies configured on the RADIUS server are applied to that host. You can configure open authentication with these scenarios: • Single-host mode with open authentication-Only one user is allowed network access before and after authentication. • MDA mode with open authentication-Only one user in the voice domain and one user in the data domain are allowed. • Multiple-hosts mode with open authentication-Any host can access the network. • Multiple-authentication mode with open authentication-Similar to MDA, except multiple hosts can be authenticated. For more information see the "Configuring the Host Mode" section on page 12-35. 802.1x Switch Supplicant with Network Edge Access Topology (NEAT) NEAT extends identity to areas outside the wiring closet (such as conference rooms) through the following: • 802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by using the 802.1x supplicant feature. This configuration is helpful in a scenario where, for example, a switch is outside a wiring closet and is connected to an upstream switch through a trunk port. A switch configured with the 802.1x switch supplicant feature authenticates with the upstream switch for secure connectivity. Note You cannot enable MDA or multiauth mode on the authenticator switch interface that connects to one more supplicant switches. • Host Authorization: NEAT ensures that only traffic from authorized hosts (connecting to the switch with supplicant) is allowed on the network. The switches use Client Information Signalling Protocol (CISP) to send the MAC addresses connecting to the supplicant switch to the authenticator switch, as shown in Figure 12-6. • Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs coming from supplicant switches. This can be achieved by configuring the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or user settings.) 12-24 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03

Section	Page
Cisco IE 3000 Switch Software Configuration Guide	1
Contents	3
Preface	33
Overview	37
Features	37
Ease-of-Deployment and Ease-of-Use Features	38
Performance Features	39
Management Options	40
Manageability Features	41
Availability and Redundancy Features	42
VLAN Features	43
Security Features	44
QoS and CoS Features	45
Monitoring Features	46
Default Settings After Initial Switch Configuration	47
Network Configuration Examples	49
Design Concepts for Using the Switch	49
Ethernet-to-the-Factory Architecture	50
Enterprise Zone	51
Demilitarized Zone	51
Manufacturing Zone	51
Topology Options	53
Where to Go Next	56
Using the Command-Line Interface	57
Understanding Command Modes	57
Understanding the Help System	59
Understanding Abbreviated Commands	60
Understanding no and default Forms of Commands	60
Understanding CLI Error Messages	61
Using Configuration Logging	61
Using Command History	62
Changing the Command History Buffer Size	62
Recalling Commands	62
Disabling the Command History Feature	63
Using Editing Features	63
Enabling and Disabling Editing Features	63
Editing Commands through Keystrokes	63
Editing Command Lines that Wrap	65
Searching and Filtering Output of show and more Commands	66
Accessing the CLI	66
Accessing the CLI through a Console Connection or through Telnet	66
Configuring Cisco IE 3000 Switch Alarms	67
Understanding IE 3000 Switch Alarms	67
Global Status Monitoring Alarms	68
FCS Error Hysteresis Threshold	68
Port Status Monitoring Alarms	68
Triggering Alarm Options	69
Configuring IE 3000 Switch Alarms	70
Default IE 3000 Switch Alarm Configuration	70
Configuring the Power Supply Alarm	71
Setting the Power Mode	71
Setting the Power Supply Alarm Options	71
Configuring the Switch Temperature Alarms	72
Setting the Primary Temperature Threshold for the Switch	72
Setting a Secondary Temperature Threshold for the Switch	73
Associating the Temperature Alarms to a Relay	73
Configuring the FCS Bit Error Rate Alarm	74
Setting the FCS Error Threshold	74
Setting the FCS Error Hysteresis Threshold	75
Configuring Alarm Profiles	75
Creating or Modifying an Alarm Profile	76
Attaching an Alarm Profile to a Specific Port	77
Enabling SNMP Traps	77
Displaying IE 3000 Switch Alarms Status	78
Assigning the Switch IP Address and Default Gateway	79
Understanding the Boot Process	79
Assigning Switch Information	80
Default Switch Information	81
Understanding DHCP-Based Autoconfiguration	81
DHCP Client Request Process	82
Understanding DHCP-based Autoconfiguration and Image Update	83
DHCP Autoconfiguration	83
DHCP Auto-Image Update	83
Limitations and Restrictions	83
Configuring DHCP-Based Autoconfiguration	84
DHCP Server Configuration Guidelines	84
Configuring the TFTP Server	85
Configuring the DNS	85
Configuring the Relay Device	86
Obtaining Configuration Files	86
Example Configuration	87
Configuring the DHCP Auto Configuration and Image Update Features	89
Configuring DHCP Autoconfiguration (Only Configuration File)	89
Configuring DHCP Auto-Image Update (Configuration File and Image)	90
Configuring the Client	91
Manually Assigning IP Information	92
Checking and Saving the Running Configuration	92
Modifying the Startup Configuration	93
Default Boot Configuration	94
Automatically Downloading a Configuration File	94
Specifying the Filename to Read and Write the System Configuration	94
Booting Manually	95
Booting a Specific Software Image	96
Controlling Environment Variables	96
Scheduling a Reload of the Software Image	98
Configuring a Scheduled Reload	98
Displaying Scheduled Reload Information	99
Configuring Cisco EnergyWise	101
Managing Single Entities	101
EnergyWise Entity	101
EnergyWise Domain	102
EnergyWise Network	102
Single PoE Switch Scenario	103
EnergyWise Power Level	104
EnergyWise Importance	105
EnergyWise Names, Roles, and Keywords	105
Configuration Guidelines	105
PoE and EnergyWise Interactions	105
Manually Managing Power	106
Powering the Entity	106
Configuring Entity Attributes	107
Powering the PoE Port	108
Configuring PoE-Port Attributes	108
Automatically Managing Power (Recurrence)	109
Examples	111
Setting Up the Domain	111
Manually Managing Power	112
Automatically Managing Power	112
Managing Multiple Entities	112
Multiple PoE Switch Scenario	113
EnergyWise Query	113
Using Queries to Manage Power in the Domain	114
Examples	115
Querying with the Name Attribute	115
Querying with Keywords	116
Querying to Set Power Levels	116
Troubleshooting EnergyWise	116
Using CLI Commands	117
Verifying the Power Usage	117
Additional Information	118
Managing Power in a LAN	118
Managing Power with IP Routing	118
Configuring Cisco IOS Configuration Engine	121
Understanding Cisco Configuration Engine Software	121
Configuration Service	122
Event Service	123
NameSpace Mapper	123
What You Should Know About the CNS IDs and Device Hostnames	123
ConfigID	123
DeviceID	124
Hostname and DeviceID	124
Using Hostname, DeviceID, and ConfigID	124
Understanding Cisco IOS Agents	125
Initial Configuration	125
Incremental (Partial) Configuration	126
Synchronized Configuration	126
Configuring Cisco IOS Agents	126
Enabling Automated CNS Configuration	126
Enabling the CNS Event Agent	127
Enabling the Cisco IOS CNS Agent	129
Enabling an Initial Configuration	129
Enabling a Partial Configuration	133
Displaying CNS Configuration	134
Clustering Switches	135
Understanding Switch Clusters	135
Cluster Command Switch Characteristics	137
Standby Cluster Command Switch Characteristics	137
Candidate Switch and Cluster Member Switch Characteristics	137
Planning a Switch Cluster	138
Automatic Discovery of Cluster Candidates and Members	138
Discovery Through CDP Hops	139
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices	140
Discovery Through Different VLANs	140
Discovery Through Different Management VLANs	141
Discovery of Newly Installed Switches	142
HSRP and Standby Cluster Command Switches	143
Virtual IP Addresses	144
Other Considerations for Cluster Standby Groups	144
Automatic Recovery of Cluster Configuration	145
IP Addresses	146
Hostnames	146
Passwords	146
SNMP Community Strings	147
TACACS+ and RADIUS	147
LRE Profiles	147
Using the CLI to Manage Switch Clusters	148
Catalyst 1900 and Catalyst 2820 CLI Considerations	148
Using SNMP to Manage Switch Clusters	148
Administering the Switch	151
Managing the System Time and Date	151
Understanding the System Clock	151
Understanding Network Time Protocol	152
Configuring NTP	153
Default NTP Configuration	154
Configuring NTP Authentication	154
Configuring NTP Associations	155
Configuring NTP Broadcast Service	156
Configuring NTP Access Restrictions	158
Configuring the Source IP Address for NTP Packets	160
Displaying the NTP Configuration	161
Configuring Time and Date Manually	161
Setting the System Clock	161
Displaying the Time and Date Configuration	162
Configuring the Time Zone	162
Configuring Summer Time (Daylight Saving Time)	163
Configuring a System Name and Prompt	164
Default System Name and Prompt Configuration	165
Configuring a System Name	165
Understanding DNS	165
Default DNS Configuration	166
Setting Up DNS	166
Displaying the DNS Configuration	167
Creating a Banner	167
Default Banner Configuration	167
Configuring a Message-of-the-Day Login Banner	168
Configuring a Login Banner	168
Managing the MAC Address Table	169
Building the Address Table	170
MAC Addresses and VLANs	170
Default MAC Address Table Configuration	170
Changing the Address Aging Time	171
Removing Dynamic Address Entries	171
Configuring MAC Address Notification Traps	171
Adding and Removing Static Address Entries	173
Configuring Unicast MAC Address Filtering	174
Disabling MAC Address Learning on a VLAN	175
Displaying Address Table Entries	177
Managing the ARP Table	177
Configuring PTP	179
Understanding PTP	179
Configuring PTP	179
Default Configuration	180
Setting Up PTP	181
Displaying the PTP Configuration	182
Configuring SDM Templates	183
Understanding the SDM Templates	183
Configuring the Switch SDM Template	184
Default SDM Template	184
SDM Template Configuration Guidelines	184
Setting the SDM Template	185
.Displaying the SDM Templates	185
Configuring Switch-Based Authentication	187
Preventing Unauthorized Access to Your Switch	187
Protecting Access to Privileged EXEC Commands	188
Default Password and Privilege Level Configuration	188
Setting or Changing a Static Enable Password	189
Protecting Enable and Enable Secret Passwords with Encryption	189
Disabling Password Recovery	191
Setting a Telnet Password for a Terminal Line	192
Configuring Username and Password Pairs	192
Configuring Multiple Privilege Levels	193
Setting the Privilege Level for a Command	194
Changing the Default Privilege Level for Lines	195
Logging into and Exiting a Privilege Level	195
Controlling Switch Access with TACACS+	196
Understanding TACACS+	196
TACACS+ Operation	198
Configuring TACACS+	198
Default TACACS+ Configuration	199
Identifying the TACACS+ Server Host and Setting the Authentication Key	199
Configuring TACACS+ Login Authentication	200
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	202
Starting TACACS+ Accounting	203
Displaying the TACACS+ Configuration	203
Controlling Switch Access with RADIUS	203
Understanding RADIUS	204
RADIUS Operation	205
Configuring RADIUS	205
Default RADIUS Configuration	206
Identifying the RADIUS Server Host	206
Configuring RADIUS Login Authentication	209
Defining AAA Server Groups	211
Configuring RADIUS Authorization for User Privileged Access and Network Services	213
Starting RADIUS Accounting	214
Configuring Settings for All RADIUS Servers	215
Configuring the Switch to Use Vendor-Specific RADIUS Attributes	215
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication	217
Configuring RADIUS Server Load Balancing	217
Displaying the RADIUS Configuration	218
Configuring the Switch for Local Authentication and Authorization	218
Configuring the Switch for Secure Shell	219
Understanding SSH	219
SSH Servers, Integrated Clients, and Supported Versions	219
Limitations	220
Configuring SSH	220
Configuration Guidelines	220
Setting Up the Switch to Run SSH	221
Configuring the SSH Server	222
Displaying the SSH Configuration and Status	223
Configuring the Switch for Secure Socket Layer HTTP	223
Understanding Secure HTTP Servers and Clients	223
Certificate Authority Trustpoints	224
CipherSuites	225
Configuring Secure HTTP Servers and Clients	226
Default SSL Configuration	226
SSL Configuration Guidelines	226
Configuring a CA Trustpoint	226
Configuring the Secure HTTP Server	227
Configuring the Secure HTTP Client	229
Displaying Secure HTTP Server and Client Status	229
Configuring the Switch for Secure Copy Protocol	230
Information About Secure Copy	230
Configuring IEEE 802.1x Port-Based Authentication	231
Understanding IEEE 802.1x Port-Based Authentication	231
Device Roles	232
Authentication Process	233
Authentication Initiation and Message Exchange	235
Authentication Manager	237
Port-Based Authentication Methods	237
Per-User ACLs and Filter-Ids	238
Authentication Manager CLI Commands	238
Ports in Authorized and Unauthorized States	239
802.1x Host Mode	240
Multidomain Authentication	241
802.1x Multiple Authentication Mode	242
802.1x Accounting	242
802.1x Accounting Attribute-Value Pairs	243
802.1x Readiness Check	244
802.1x Authentication with VLAN Assignment	244
802.1x Authentication with Downloadable ACLs and Redirect URLs	245
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL	246
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs	246
802.1x Authentication with Guest VLAN	247
802.1x Authentication with Restricted VLAN	248
802.1x Authentication with Inaccessible Authentication Bypass	249
802.1x Authentication with Voice VLAN Ports	250
802.1x Authentication with Port Security	250
802.1x Authentication with Wake-on-LAN	251
802.1x Authentication with MAC Authentication Bypass	252
Network Admission Control Layer 2 802.1x Validation	253
Flexible Authentication Ordering	253
Open1x Authentication	254
802.1x Switch Supplicant with Network Edge Access Topology (NEAT)	254
Web Authentication	255
Web Authentication with Automatic MAC Check	256
Using IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute	256
Configuring 802.1x Authentication	256
Default 802.1x Authentication Configuration	257
802.1x Authentication Configuration Guidelines	258
802.1x Authentication	259
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass	259
MAC Authentication Bypass	260
Maximum Number of Allowed Devices Per Port	260
Configuring 802.1x Readiness Check	261
Configuring 802.1x Violation Modes	262
Configuring 802.1x Authentication	262
Configuring the Switch-to-RADIUS-Server Communication	264
Configuring the Host Mode	265
Configuring Periodic Re-Authentication	267
Manually Re-Authenticating a Client Connected to a Port	268
Changing the Quiet Period	268
Changing the Switch-to-Client Retransmission Time	269
Setting the Switch-to-Client Frame-Retransmission Number	269
Setting the Re-Authentication Number	270
Configuring 802.1x Accounting	271
Configuring a Guest VLAN	272
Configuring a Restricted VLAN	273
Configuring the Inaccessible Authentication Bypass Feature	275
Configuring 802.1x Authentication with WoL	277
Configuring MAC Authentication Bypass	278
Configuring NAC Layer 2 802.1x Validation	279
Configuring 802.1x Switch Supplicant with NEAT	280
Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs	282
Configuring Downloadable ACLs	282
Configuring a Downloadable Policy	283
Configuring Flexible Authentication Ordering	284
Configuring Open1x	285
Configuring Web Authentication	285
Disabling 802.1x Authentication on the Port	288
Resetting the 802.1x Authentication Configuration to the Default Values	289
Displaying 802.1x Statistics and Status	289
Configuring Interface Characteristics	291
Understanding Interface Types	291
Port-Based VLANs	292
Switch Ports	292
Access Ports	292
Trunk Ports	293
EtherChannel Port Groups	293
Dual-Purpose Uplink Ports	294
Connecting Interfaces	294
Using Interface Configuration Mode	294
Procedures for Configuring Interfaces	296
Configuring a Range of Interfaces	296
Configuring and Using Interface Range Macros	298
Configuring Ethernet Interfaces	300
Default Ethernet Interface Configuration	300
Setting the Type of a Dual-Purpose Uplink Port	301
Configuring Interface Speed and Duplex Mode	303
Speed and Duplex Configuration Guidelines	303
Setting the Interface Speed and Duplex Parameters	304
Configuring IEEE 802.3x Flow Control	305
Configuring Auto-MDIX on an Interface	306
Adding a Description for an Interface	307
Configuring the System MTU	307
Monitoring and Maintaining the Interfaces	308
Monitoring Interface Status	309
Clearing and Resetting Interfaces and Counters	309
Shutting Down and Restarting the Interface	310
Configuring Smartports Macros	311
Understanding Smartports Macros	311
Configuring Smartports Macros	311
Default Smartports Configuration	311
Smartports Configuration Guidelines	312
Applying Smartports Macros	313
Displaying Smartports Macros	315
Configuring VLANs	317
Understanding VLANs	317
Supported VLANs	318
VLAN Port Membership Modes	319
Configuring Normal-Range VLANs	320
Token Ring VLANs	321
Normal-Range VLAN Configuration Guidelines	321
VLAN Configuration Mode Options	322
VLAN Configuration in config-vlan Mode	322
VLAN Configuration in VLAN Database Configuration Mode	322
Saving VLAN Configuration	322
Default Ethernet VLAN Configuration	323
Creating or Modifying an Ethernet VLAN	324
Deleting a VLAN	325
Assigning Static-Access Ports to a VLAN	326
Configuring Extended-Range VLANs	327
Default VLAN Configuration	327
Extended-Range VLAN Configuration Guidelines	328
Creating an Extended-Range VLAN	328
Displaying VLANs	329
Configuring VLAN Trunks	330
Trunking Overview	330
IEEE 802.1Q Configuration Considerations	331
Default Layer 2 Ethernet Interface VLAN Configuration	332
Configuring an Ethernet Interface as a Trunk Port	332
Interaction with Other Features	332
Configuring a Trunk Port	333
Defining the Allowed VLANs on a Trunk	334
Changing the Pruning-Eligible List	335
Configuring the Native VLAN for Untagged Traffic	335
Configuring Trunk Ports for Load Sharing	336
Load Sharing Using STP Port Priorities	336
Load Sharing Using STP Path Cost	338
Configuring VMPS	339
Understanding VMPS	340
Dynamic-Access Port VLAN Membership	340
Default VMPS Client Configuration	341
VMPS Configuration Guidelines	341
Configuring the VMPS Client	341
Entering the IP Address of the VMPS	342
Configuring Dynamic-Access Ports on VMPS Clients	342
Reconfirming VLAN Memberships	343
Changing the Reconfirmation Interval	343
Changing the Retry Count	344
Monitoring the VMPS	344
Troubleshooting Dynamic-Access Port VLAN Membership	345
VMPS Configuration Example	345
Configuring VTP	347
Understanding VTP	347
The VTP Domain	348
VTP Modes	349
VTP Advertisements	349
VTP Version 2	350
VTP Pruning	350
Configuring VTP	352
Default VTP Configuration	352
VTP Configuration Options	352
VTP Configuration in Global Configuration Mode	353
VTP Configuration in VLAN Database Configuration Mode	353
VTP Configuration Guidelines	353
Domain Names	353
Passwords	354
VTP Version	354
Configuration Requirements	354
Configuring a VTP Server	355
Configuring a VTP Client	357
Disabling VTP (VTP Transparent Mode)	358
Enabling VTP Version 2	359
Enabling VTP Pruning	360
Adding a VTP Client Switch to a VTP Domain	360
Monitoring VTP	362
Configuring Voice VLAN	363
Understanding Voice VLAN	363
Cisco IP Phone Voice Traffic	364
Cisco IP Phone Data Traffic	364
Configuring Voice VLAN	365
Default Voice VLAN Configuration	365
Voice VLAN Configuration Guidelines	365
Configuring a Port Connected to a Cisco 7960 IP Phone	366
Configuring Cisco IP Phone Voice Traffic	366
Configuring the Priority of Incoming Data Frames	368
Displaying Voice VLAN	368
Configuring STP	369
Understanding Spanning-Tree Features	369
STP Overview	370
Spanning-Tree Topology and BPDUs	371
Bridge ID, Switch Priority, and Extended System ID	372
Spanning-Tree Interface States	372
Blocking State	373
Listening State	374
Learning State	374
Forwarding State	374
Disabled State	375
How a Switch or Port Becomes the Root Switch or Root Port	375
Spanning Tree and Redundant Connectivity	376
Spanning-Tree Address Management	376
Accelerated Aging to Retain Connectivity	376
Spanning-Tree Modes and Protocols	377
Supported Spanning-Tree Instances	377
Spanning-Tree Interoperability and Backward Compatibility	378
STP and IEEE 802.1Q Trunks	378
Configuring Spanning-Tree Features	379
Default Spanning-Tree Configuration	379
Spanning-Tree Configuration Guidelines	380
Changing the Spanning-Tree Mode.	381

Match case Limit results 1 per page

12-24

Cisco IE 3000 Switch Software Configuration Guide

OL-13018-03

Chapter 12

Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Open1x Authentication

Open1x authentication allows a device access to a port before that device is authenticated. When open

authentication is configured, a new host on the port can only send traffic to the switch. After the host is

authenticated, the policies configured on the RADIUS server are applied to that host.

You can configure open authentication with these scenarios:

•

Single-host mode with open authentication–Only one user is allowed network access before and

after authentication.

•

MDA mode with open authentication–Only one user in the voice domain and one user in the data

domain are allowed.

•

Multiple-hosts mode with open authentication–Any host can access the network.

•

Multiple-authentication mode with open authentication–Similar to MDA, except multiple hosts can

be authenticated.

For more information see the

“Configuring the Host Mode” section on page 12-35.

802.1x Switch Supplicant with Network Edge Access Topology (NEAT)

NEAT extends identity to areas outside the wiring closet (such as conference rooms) through the

following:

•

802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by

using the 802.1x supplicant feature. This configuration is helpful in a scenario where, for example,

a switch is outside a wiring closet and is connected to an upstream switch through a trunk port. A

switch configured with the 802.1x switch supplicant feature authenticates with the upstream switch

for secure connectivity.

Note

You cannot enable MDA or multiauth mode on the authenticator switch interface that connects

to one more supplicant switches.

•

Host Authorization: NEAT ensures that only traffic from authorized hosts (connecting to the switch

with supplicant) is allowed on the network. The switches use Client Information Signalling Protocol

(CISP) to send the MAC addresses connecting to the supplicant switch to the authenticator switch,

as shown in

Figure 12-6

•

Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing

user traffic from multiple VLANs coming from supplicant switches. This can be achieved by

configuring the cisco-av-pair as

device-traffic-class=switch

at the ACS. (You can configure this

under the

group

user

settings.)