Cisco WS-X6416-GE-MT - Interface Module - Expansion User Manual Page 31

White Paper
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 31 of 51
  • 802.1x authentication with port security: 802.1x is compatible with the port security
    feature, which defines the number of MAC addresses to authenticate on a specific port.
    Users connected through all other MAC addresses are denied access.
However, some 802.1x feature extensions remain unique to the Cisco Catalyst OS Software,
including:
  • 802.1x multiauthentication mode: Administrators can specify multiple authentications to
    help ensure that more than one host can gain access to an 802.1x port; every host is
    authenticated separately.
    Example:
    set port dot1x mod/port multiple-authentication enable
  • 802.1x with ACL assignment: This extension allows an ACL policy to be dynamically
    applied to a port based on the user and the user's successful authentication to the
    RADIUS server.
  • 802.1x user distribution: This allows authenticated users within the same "group name"
    to be distributed evenly across different VLANs for load balancing.
  • 802.1x authenticated identity-to-port description mapping: By enabling this feature, the
    administrator can assign a port description to the port that a user is authenticated to.
    The description is seen after "sh port" is executed. This is configured on the RADIUS
    server.
  • DNS resolution for RADIUS: Allows the administrator to configure a server DNS name in
    addition to or instead of an IP address. If a RADIUS server moves subnets, the switches
    require no reconfiguration.
A RADIUS server must be specified prior to enabling 802.1x on the switch. 802.1x is then enabled
globally, and finally enabled from the console for individual ports, as seen below. Also described
below is the syntax for multiple host configurations:
Cisco Catalyst OS
  Globally:
    set dot1x system-auth-control enable
  Per Port:
    set port dot1x mod/port port-control auto
  Multiple Host:
    set port dot1x mod/port multiple-host enable

Cisco IOS Software
  Globally:
    Router(config)# dot1x system-auth-control
    Router(config)# interface type1 <slot/port>
  Interface Commands:
    Router(config-if)# dot1x port-control auto
    Router(config-if)# dot1x host-mode multi-host
For more information relating to the configuration of IEEE 802.1x on the Cisco Catalyst 6500, see
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/dot1x.htm.
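One way to check a saved Cisco IOS configuration against the order described above (RADIUS server first, then the global enable, then the per-port enable), as an added example that is not part of the Cisco white paper. The `radius-server host` line, the interface names and the sample configuration are assumptions constructed for illustration, and the helper name `audit_dot1x` is hypothetical.

```python
import re

# Constructed sample IOS configuration (illustrative, not from the white paper).
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10
dot1x system-auth-control
!
interface GigabitEthernet1/1
 dot1x port-control auto
!
interface GigabitEthernet1/2
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface GigabitEthernet1/3
 switchport mode access
"""

def audit_dot1x(config):
    """Return (global_findings, ports_without_dot1x, multi_host_ports)."""
    has_radius = has_global = False
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line closes any interface block
            current = None
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = m.group(1)
                ports[current] = {"auto": False, "multi_host": False}
            elif line.startswith("radius-server host "):   # assumed RADIUS syntax
                has_radius = True
            elif line == "dot1x system-auth-control":
                has_global = True
        elif current is not None:
            if line == "dot1x port-control auto":
                ports[current]["auto"] = True
            elif line == "dot1x host-mode multi-host":
                ports[current]["multi_host"] = True
    findings = []
    if not has_radius:
        findings.append("no RADIUS server defined")
    if not has_global:
        findings.append("dot1x system-auth-control missing")
    no_dot1x = sorted(p for p, s in ports.items() if not s["auto"])
    multi_host = sorted(p for p, s in ports.items() if s["multi_host"])
    return findings, no_dot1x, multi_host

if __name__ == "__main__":
    print(audit_dot1x(SAMPLE_CONFIG))
```

Ports reported in the third list are the ones configured for multiple hosts and are returned separately so they can be reviewed against the intended access policy.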
Cisco Security Toolkit Features
Supported in Cisco Catalyst OS and fully supported in Cisco IOS Software Release
12.2(33)SXH, the Cisco Security Toolkit features assist in mitigating denial-of-service (DoS) and
man-in-the-middle (MiM) attacks. The Security Toolkit consists of three features: DHCP Snooping,
Dynamic ARP Inspection, and IP Source Guard.
DHCP Snooping provides security against certain DoS attacks, namely, DHCP rogue server
attacks. In such attacks, rogue servers are able to insert themselves into the network and respond
to DHCP discovers and requests for IP addresses. DHCP Snooping prevents this kind of attack by
setting ports as trusted or untrusted. All untrusted ports can only send discovers and requests for