Configuration Guide
Page 11
...-17 Using IEEE 802.1x Authentication with Wake-on-LAN 10-18 Using IEEE 802.1x Authentication with MAC Authentication Bypass 10-18 Using Network Admission Control Layer 2 IEEE 802.1x Validation 10-19 Using Multidomain Authentication 10-20 Using Web Authentication 10-21 Configuring IEEE 802.1x Authentication 10-21 Default IEEE 802.1x Authentication Configuration 10-22 IEEE 802.1x Authentication Configuration...
Configuration Guide
Page 12
...-to-Client Retransmission Time 10-31 Setting the Switch-to-Client Frame-Retransmission Number 10-32 Setting the Re-Authentication Number 10-32 Configuring IEEE 802.1x Accounting 10-33 Configuring a Guest VLAN 10-34 Configuring a Restricted VLAN 10-35 Configuring the Inaccessible Authentication Bypass Feature 10-37 Configuring IEEE...-6 Power over Ethernet Ports 11-6 Supported Protocols and Standards 11-7 Powered-Device Detection and Initial Power Allocation 11-7 Power Management Modes 11-8 Connecting Interfaces 11-9 Catalyst 3750 Switch Software Configuration Guide xii OL-8550-02
Configuration Guide
Page 60
... supported: - Port security for controlling access to a specified VLAN - Multidomain authentication (MDA) to allow a supplicant (client) that does not support IEEE 802.1x functionality to be applied to interfaces...headers • Source and destination MAC-based ACLs for restricting IEEE 802.1x-authenticated users to IEEE 802.1x ports Catalyst 3750 Switch Software Configuration Guide 1-8 OL-8550-02 VLAN assignment ...both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the switch by filtering traffic based on the DHCP ...
Configuration Guide
Page 61
...-8550-02 Catalyst 3750 Switch Software Configuration Guide 1-9 For information about configuring this feature, see the Network Admission Control Software Configuration Guide. - Voice VLAN to permit a Cisco IP Phone to all switches in a switch stack rather than on the receipt of endpoint systems or clients before granting the devices network access. IEEE 802.1x accounting...
Configuration Guide
Page 65
... information, see Chapter 11, "Configuring Interface Characteristics." Note In releases earlier than Cisco IOS Release 12.2(18)SE, the default setting for auto-MDIX is autonegotiate. For...Chapter 5, "Managing Switch Stacks." • Switch cluster is disabled. OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 1-13 For more information, see Chapter 11, "Configuring Interface...stack is enabled. For more information about switch clusters, see Chapter 10, "Configuring IEEE 802.1x Port-Based Authentication." • Port parameters - For more information, see Chapter 6, ...
Configuration Guide
Page 137
...already used by another member in the Getting Started with Cisco Network Assistant, available on Cisco.com • "MAC Addresses and Switch Stacks" section on page 7-21 • "Setting the SDM Template" section on page 8-6 • "IEEE 802.1x Authentication and Switch Stacks" section on page 10-8 ... "ACLs and Switch Stacks" section on page 32-6 • "EtherChannel and Switch Stacks" section on page 34-10 OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 5-15 If a switch is moved to a different switch stack, that switch loses its default interface-specific configuration....
Configuration Guide
Page 222
...the network. RADIUS can add a Cisco switch containing a RADIUS client to authenticate from one of services. For more information, see Chapter 10, "Configuring IEEE 802.1x Port-Based Authentication." • Networks that uses a smart card access control system. The RADIUS accounting functions ...example, access servers from several vendors use RADIUS accounting independently of RADIUS access control and accounting software to -router situations. In one service model. 9-18 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 An Internet service provider might be...
Configuration Guide
Page 255
...-8 OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 10-1 After authentication, normal traffic can pass through the port to a switch stack. Unless otherwise noted, the term switch refers to a standalone switch and to which the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP...
Configuration Guide
Page 256
Because the switch acts as the proxy, the authentication service 10-2 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 Figure 10-1 IEEE 802.1x Device Roles Workstations (clients) Authentication server (RADIUS) 101229 • Client-the device (workstation) that offered...• Using IEEE 802.1x Authentication with Port Security, page 10-17 • Using IEEE 802.1x Authentication with Wake-on-LAN, page 10-18 • Using IEEE 802.1x Authentication with MAC Authentication Bypass, page 10-18 • Using Network Admission Control Layer 2 IEEE 802.1x Validation, page 10-19...
Configuration Guide
Page 257
... the network by putting the port in the critical-authentication state in Cisco Secure Access Control Server Version 3.0 or later. Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication is the only supported authentication server. OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 10-3 The switch includes the RADIUS...
Configuration Guide
Page 258
...Multidomain Authentication" section on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]). 10-4 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 The switch gets an EAPOL message, and the EAPOL message exchange begins. Use MAC...address identity is invalid. Use inaccessible authentication bypass (critical authentication) to assign the critical port to a restricted VLAN. After IEEE 802.1x authentication using a RADIUS server is configured, the switch uses timers based on page 10-20. Assign the port to a VLAN....
Configuration Guide
Page 259
... and Message Exchange During IEEE 802.1x authentication, the switch or the client can be retried, the port might be assigned to a VLAN that the client has been successfully authenticated. A port in the authorized state. OL-8550-02 Catalyst 3750 Switch Software Configuration Guide ...control auto interface configuration command, the switch initiates authentication when the link state changes from the client are Initialize and ReAuthenticate. If you enable authentication on the network access device, any EAPOL frames from down to up and unauthenticated. Note If IEEE 802.1x...
Configuration Guide
Page 260
... switch stops the MAC authentication bypass process and stops IEEE 802.1x authentication. Figure 10-4 shows the message exchange during MAC authentication bypass. 10-6 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 Understanding IEEE 802.1x Port-Based Authentication Chapter 10 Configuring IEEE 802.1x Port-Based Authentication The specific exchange of the client as its...
Configuration Guide
Page 261
... down to up or when an EAPOL-start frame. OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 10-7 You control the port authorization state by using the dot1x port-control interface configuration command and these keywords: • force-authorized-disables IEEE 802.1x authentication and causes the port to change to authenticate. Chapter 10...
Configuration Guide
Page 262
... authenticated state. If IP connectivity to the RADIUS server is interrupted because the switch that was connected to the IEEE 802.1x-enabled switch port. For an ongoing authentication, the authentication fails immediately because there is successfully authenticated (receives an Accept frame... during the re-authentication process. If the port becomes 10-8 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 If the authentication server cannot be retried. IEEE 802.1x Host Mode You can resend the request. If the authentication fails, the port remains in a wireless LAN.
Configuration Guide
Page 263
...wireless access point is in the form of the client. Instead, it also acts as an IP Phone (Cisco or non-Cisco), to connect to monitor this activity on page 10-20. These AV pairs provide data for updates • STOP-sent when a session terminates OL-8550-02 Catalyst ... sent to manage network access for IEEE 802.1x accounting. With the multiple-hosts mode enabled, you can enable IEEE 802.1x accounting to the same switch port. Figure 10-5 Multiple Host Mode Example Wireless clients Access point Authentication server (RADIUS) 101227 Cisco IOS Release 12.2(35)SE and later ...
Configuration Guide
Page 264
...Guidelines." Using IEEE 802.1x Authentication with VLAN assignment. All packets sent from its database. You can view the AV pairs that an access VLAN is sent only if a valid Dynamic Host Control Protocol (DHCP) binding exists for certain users. 10-10 Catalyst 3750 Switch Software Configuration...debug radius accounting privileged EXEC command. However, with Cisco IOS Release 12.1(14)EA1 and later releases, the switch supports IEEE 802.1x authentication with VLAN Assignment Before Cisco IOS Release 12.1(14)EA1, when an IEEE 802.1x port was authenticated, it was authorized to limit ...
Configuration Guide
Page 265
... with VLAN assignment feature is authenticated and put into the configured access VLAN. Using IEEE 802.1x Authentication with Per-User ACLs You can enable per-user access control lists (ACLs) to provide different levels of tunnel attributes, see the "Configuring the Switch to Use Vendor-Specific ...the ACL attributes based on the user identity and sends them to the OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 10-11 To configure VLAN assignment you configure IEEE 802.1x authentication on an access port). • Assign vendor-specific tunnel attributes in the RADIUS server...
Configuration Guide
Page 266
... attributes (VSAs) are filtered by the router ACL. It does not support port ACLs in the running configuration. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported on Layer 2 ports. The switch does not save RADIUS-specified ACLs ...-user ACLs. When the port is disabled for single-host mode. 10-12 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 Incoming routed packets received on the RADIUS server. • Configure the IEEE 802.1x port for the associated port. Outgoing routed packets are inacl# for the ingress direction...
Configuration Guide
Page 267
...Catalyst 3750 Switch Software Configuration Guide 10-13 Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Using IEEE 802.1x Authentication with Guest VLAN You can configure any active VLAN except an RSPAN VLAN, a private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. Before Cisco... enable a guest VLAN on the switch to provide limited services to an unauthorized state, and IEEE 802.1x authentication restarts. With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. You can authorize...