Required Network Components; Requirements And Recommendations - Cisco Cius Overview

Supporting 802.1X Authentication on Cisco Cius
802.1X authenticator in the LAN switch. This mechanism prevents Cisco Cius from having to act as the
authenticator, yet allows the LAN switch to authenticate a data endpoint before it accesses the network.

In conjunction with the EAPOL pass-through mechanism, Cisco Cius provides a proxy EAPOL-Logoff
mechanism. If the locally attached PC disconnects from Cisco Cius, the LAN switch does not detect the
physical link failure, because the link between the LAN switch and Cisco Cius is maintained. To avoid
compromising network integrity, Cisco Cius sends an EAPOL-Logoff message to the switch on behalf of the
downstream PC, and this action triggers the LAN switch to clear the authentication entry for the downstream
PC.

Cisco Cius contains an 802.1X supplicant in addition to the EAPOL pass-through mechanism. This supplicant
allows network administrators to control the connectivity of Cisco Cius to the LAN switch ports. The current
release of the 802.1X supplicant uses the EAP-FAST and EAP-TLS options for network authentication.
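
The stale-entry problem that proxy EAPOL-Logoff addresses, as an added example (not code from the Cisco guide): a simplified model of the switch's per-port authentication table, fed with constructed EAPOL frames. The `SwitchPort` class, the MAC addresses and the assumption that the proxied logoff carries the PC's source MAC are illustrative, not taken from the guide.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                    # EtherType for IEEE 802.1X (EAPOL)
PAE_GROUP = bytes.fromhex("0180c2000003")   # PAE group address, destination of EAPOL frames
EAPOL_START, EAPOL_LOGOFF = 1, 2            # EAPOL packet types

def build_eapol(src_mac, ptype):
    """Constructed sample frame: Ethernet header + 4-byte EAPOL header, empty body."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    return PAE_GROUP + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, 0)

def parse_eapol(frame):
    """Return (src_mac, packet_type), or None for anything that is not valid EAPOL."""
    if len(frame) < 18:
        return None
    ethertype, _version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE or len(frame) - 18 < length:
        return None
    return frame[6:12].hex(":"), ptype

class SwitchPort:
    """Simplified authenticator state for one switch port (illustrative model)."""
    def __init__(self):
        self.pending, self.authorized = set(), set()
    def receive(self, frame):
        parsed = parse_eapol(frame)
        if parsed is None:
            return
        mac, ptype = parsed
        if ptype == EAPOL_START:
            self.pending.add(mac)
        elif ptype == EAPOL_LOGOFF:         # clears the entry for that MAC only
            self.pending.discard(mac)
            self.authorized.discard(mac)

    def server_accept(self, mac):           # stands in for a successful EAP exchange
        if mac in self.pending:
            self.pending.remove(mac)
            self.authorized.add(mac)

def simulate(proxy_logoff):
    """PC unplugs from the Cius PC port; the switch-to-Cius link stays up."""
    cius, pc = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # constructed MACs
    port = SwitchPort()
    for mac in (cius, pc):
        port.receive(build_eapol(mac, EAPOL_START))
        port.server_accept(mac)
    if proxy_logoff:                        # Cius speaks for the departed PC
        port.receive(build_eapol(pc, EAPOL_LOGOFF))
    return port.authorized                  # entries the switch still trusts
```

Without the proxied logoff the switch keeps an authorized entry for a PC that is no longer attached; with it, only the Cius entry remains.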

Required Network Components

Support for 802.1X authentication on Cisco Cius requires several components, including the following:
• Cisco Cius - Cisco Cius acts as the 802.1X supplicant, which initiates the request to access the network.
• Cisco Catalyst Switch (or other third-party switch) - The switch must support 802.1X, so that it can act
as the authenticator and pass the messages between Cisco Cius and the authentication server. When the
exchange is completed, the switch grants or denies access to the network to the device.

Requirements and Recommendations

The requirements and recommendations for 802.1X authentication on Cisco Cius include the following:
• Enable 802.1X Authentication - If you want to use the 802.1X standard to authenticate Cisco Cius, be
sure that you properly configure the other components before enabling 802.1X authentication on the
device. See the Enterprise Security Settings for more information.
• Configure PC Port on Media Station - The 802.1X standard does not take into account the use of VLANs
and thus recommends that only a single device be authenticated to a specific switch port. However, some
switches (including Cisco Catalyst switches) support multidomain authentication. The switch configuration
determines whether you can connect a PC to a Cisco Cius media station PC port.
  ◦ Enabled - If you are using a switch that supports multidomain authentication, you can enable the
  media station PC port and connect a PC to it. In this case, Cisco Cius supports proxy EAPOL-Logoff
  to monitor the authentication exchanges between the switch and the attached PC. For more
  information about IEEE 802.1X support on the Cisco Catalyst switches, see the Cisco Catalyst
  switch configuration guides at:
  http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
  ◦ Disabled - If the switch does not support multiple 802.1X-compliant devices on the same port,
  disable the media station PC Port when 802.1X authentication is enabled. See the Ethernet Settings
  Menu for more information. If you do not disable this port and subsequently attempt to attach a
  PC to it, the switch denies network access to both the device and the PC.
• Configure Voice VLAN - Because the 802.1X standard does not account for VLANs, configure this
setting based on the switch support.

Cisco Cius Administration Guide, Release 9.2(3)
Overview of Cisco Cius
OL-26938-01
