Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 1 Product Overview
Security Features
• Hardware-Based Control Plane Policing
• IP Source Guard for Static Hosts
• IP Source Guard
• Local Authentication, RADIUS, and TACACS+ Authentication
• Network Admission Control
• Network Security with ACLs
• Port Security
• PPPoE Intermediate Agent
• Storm Control
• uRPF Strict Mode
• Utilities
• Web-based Authentication
802.1X Identity-Based Network Security
This security feature consists of the following:
• 802.1X Authentication for Guest VLANs—Allows you to use VLAN assignment to limit network
access for certain users.
• 802.1X Authentication Failed Open Assignment—Allows you to configure a switch to handle the
case when a device fails to authenticate itself correctly through 802.1X (for example, by not
providing the correct password).
• 802.1X Authentication with ACL Assignment—Downloads per-host policies such as ACLs and
redirect URLs to the switch from the RADIUS server during 802.1X or MAB authentication of the
host.
• 802.1X Authentication with Per-User ACL and Filter-ID ACL—Allows ACL policy enforcement
using a third-party AAA server.
• 802.1X Convergence—Provides consistency between the switching business units in 802.1X
configuration and implementation.
• 802.1X Protocol—Provides a means for a host that is connected to a switch port to be authenticated
before it is given access to the switch services.
• 802.1X RADIUS accounting—Allows you to track the use of network devices.
• 802.1X Supplicant and Authenticator Switches with Network Edge Access Topology
(NEAT)—Extends identity to areas outside the wiring closet (such as conference rooms). NEAT is
designed for deployment scenarios where a switch acting as an 802.1X authenticator to end hosts
(PCs or Cisco IP phones) is placed in an unsecured location (outside the wiring closet), where the
authenticator switch cannot always be trusted.
• 802.1X with Authentication Failed VLAN Assignment—Allows you to provide access for
authentication-failed users on a per-port basis. Authentication-failed users are end hosts that are
802.1X-capable but do not have valid credentials in an authentication server, or end hosts that do
not give any username and password combination in the authentication pop-up window on the user side.