Design Guide
LAN Baseline Architecture Overview—Branch Office Network
OL-11333-01
Multilayered Branch Architecture
Figure 8 Authenticating the End User using 802.1x
The authentication process consists of exchanges of Extensible Authentication Protocol (EAP) messages
between the supplicant and the authentication server. The authenticator (Cisco switch) relays the
exchange between the server and the client transparently.
Note: For extensive information about IBNS and 802.1x, see the following URL: http://identity.cisco.com.
The switch can also dynamically enforce a policy that the RADIUS server returns based on the client
credentials presented during the authentication phase. This policy dictates how the user accesses the network.
Policies that can be enforced include placing the client into a specific VLAN and applying ACLs on the
specific port.
By providing flexible port-based access control and policy enforcement capabilities at the network edge,
this solution provides an important addition to the tools available for securing your network.
To deploy these solutions, it is important that end user machines have supplicants. Without a
supplicant on the user machine, the user can be placed in a VLAN with very limited access. Microsoft
provides a supplicant on some operating systems by default; on others, the supplicant must be downloaded and
configured. Other third-party vendors also provide supplicants for various operating systems.
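The port-based enforcement described above, as an added configuration example that is not taken from the guide: a Catalyst access port is placed under 802.1x control, the data and voice VLANs are defined on the port, and fallback VLANs are configured for clients that have no supplicant (guest VLAN) or that fail authentication. The RADIUS server address, shared secret, VLAN numbers, VLAN names and interface are assumptions chosen for the example; the commands are standard Catalyst IOS 802.1x commands of the period this guide covers.

```cisco
! Constructed example: global AAA and 802.1x enablement.
! "aaa authorization network" is what lets the switch accept the VLAN and
! ACL policy returned by the RADIUS server in the Access-Accept.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! RADIUS server address and key are placeholders for this example.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
!
! VLAN numbers and names assumed for this example.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 30
 name GUEST
vlan 40
 name AUTH-FAIL
!
! Assumed user-facing port; the phone uses the voice VLAN, the PC the data VLAN.
interface FastEthernet0/1
 description 802.1x-controlled user port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Port is unauthorized until the supplicant completes EAP with the RADIUS server.
 dot1x port-control auto
 ! Client that never answers EAPOL (no supplicant) lands in the limited-access guest VLAN.
 dot1x guest-vlan 30
 ! Client whose credentials are rejected is moved to a restricted VLAN after 3 attempts.
 dot1x auth-fail vlan 40
 dot1x auth-fail max-attempts 3
 spanning-tree portfast
```

For the dynamic policy, the RADIUS server returns the VLAN in the standard tunnel attributes of the Access-Accept (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = VLAN name or number) and a per-user ACL in Filter-Id, which must name an access list that already exists on the switch. A quick check after deployment is `show dot1x interface FastEthernet0/1 details`, which reports whether the port is authorized and which VLAN was applied; a port that shows the guest VLAN for a machine that should have a supplicant points at a missing or misconfigured supplicant rather than at the switch.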
Network Admission Control
NAC preserves enterprise resilience by auditing and enforcing adherence to corporate endpoint security
policies when devices access the network. While most users are authenticated, their endpoint devices
(laptops, PCs, PDAs, etc.) are not checked for security policy compliance. NAC helps ensure the health
of endpoints before they are granted network access. NAC works with software installed on workstations
that want to access the network to assess each client's condition (including operating system version, security
patches, anti-virus, CSA, and other installed software), called its posture, before
allowing it to access the network. NAC also ensures that a network client has an up-to-date virus
[Figure 8 legend: 1 End user with a supplicant; 2 Access point; 3 Authenticator; RADIUS server. The authenticator port carries a Voice VLAN and a Data VLAN; Authentication Request and Authentication Response messages pass from the supplicant through the authenticator to the RADIUS server and back.]