Network Access Control


SNAC LAN Enforcement: Prerequisites for Configuring IEEE 802.1X Port-Based Authentication in NON-TRANSPARENT MODE 

Feb 09, 2017 09:48 AM


Cisco mandated tasks

The following Cisco mandated tasks must be completed before implementing the IEEE 802.1X Port-Based Authentication feature:

  • IEEE 802.1X must be enabled on the device port.
  • The device must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs).
  • EAP support must be enabled on the RADIUS server.
  • You must configure the IEEE 802.1X supplicant to send an EAP-logoff (Stop) message to the switch when the user logs off. If the supplicant is not configured this way, no EAP-logoff message is sent to the switch, and consequently no accounting Stop message is sent to the authentication server. See the Microsoft Knowledge Base article at http://support.microsoft.com and set the SupplicantMode registry value to 3 and the AuthMode registry value to 1.
  • Authentication, authorization, and accounting (AAA) must be configured on the port for all network-related service requests. The authentication method list must be enabled and specified. A method list describes the sequence and authentication method to be queried to authenticate a user. See the IEEE 802.1X Authenticator feature module for information.
  • The port must be successfully authenticated.
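The following is an added worked configuration, not part of the original article or of Cisco's documentation, showing the prerequisites above applied to one switch port on an ISR-G2. It assumes an IOS release that supports the `radius server` block syntax (15.2(2)T or later; older images use `radius-server host` instead), an ACS at 192.0.2.10, interface GigabitEthernet0/1/0 on an EHWIC module, and a placeholder shared secret; all of these are assumptions and must be replaced with site values.

```cisco
! --- Global AAA: RADIUS is the authentication, authorization and
! --- accounting source for 802.1X. The accounting line is what
! --- carries the Stop record triggered by the supplicant's EAP-logoff.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! --- RADIUS server definition (assumed ACS address; replace the
! --- placeholder secret with the shared secret configured on the ACS).
radius server ACS-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! --- Enable 802.1X globally; without this, per-port settings are inert.
dot1x system-auth-control
!
! --- Port configuration (assumed interface name). Access VLAN and
! --- voice VLAN use different IDs; the same ID for both fails once
! --- authentication is configured on the port.
interface GigabitEthernet0/1/0
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x pae authenticator
 authentication port-control auto
!
! --- Verification: confirm the port is a switch port, then check
! --- the authenticator state and the current session.
! show interfaces GigabitEthernet0/1/0 switchport
! show dot1x interface GigabitEthernet0/1/0 details
! show authentication sessions interface GigabitEthernet0/1/0
```

The `show authentication sessions` output should report the port as Authorized once a supplicant completes EAP; a port that stays Unauthorized with this configuration usually points at the RADIUS reachability or shared secret rather than the port settings.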

The IEEE 802.1X Port-Based Authentication feature is available only on Cisco 89x and 88x series integrated switching routers (ISRs) that support switch ports.

Note: Optimal performance is obtained with a connection that has a maximum of eight hosts per port.

The following Cisco ISR-G2 routers are supported:

  • 1900
  • 2900
  • 3900
  • 3900e

The following cards or modules support switch ports:

  • Enhanced High-speed WAN interface cards (EHWICs) with ACL support:
    • EHWIC-4ESG-P
    • EHWIC-9ESG-P
    • EHWIC-4ESG
    • EHWIC-9ESG
  • High-speed WAN interface cards (HWICs) without ACL support:
    • HWIC-4ESW-P
    • HWIC-9ESW-P
    • HWIC-4ESW
    • HWIC-9ES

Note: For module compatibility with a specific router platform, see the Cisco EtherSwitch Modules Comparison:
http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd802a9470.shtml

To determine whether your router has switch ports that can be configured with the IEEE 802.1X Port-Based Authentication feature, use the show interfaces switchport command.

Restrictions for IEEE 802.1X Port-Based Authentication

IEEE 802.1X Port-Based Authentication Configuration Restrictions

  • The IEEE 802.1X Port-Based Authentication feature is available only on a switch port.
  • If the VLAN to which an IEEE 802.1X port is assigned is shut down, disabled, or removed, the port becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed.
  • When IEEE 802.1X authentication is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
  • Changes to a VLAN to which an IEEE 802.1X-enabled port is assigned are transparent and do not affect the switch port. For example, a change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after reauthentication.
  • When IEEE 802.1X authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
  • This feature does not support standard ACLs on the switch port.
  • The IEEE 802.1X protocol is supported only on Layer 2 static-access ports, Layer 2 static-trunk ports, voice VLAN-enabled ports, and Layer 3 routed ports.
  • The IEEE 802.1X protocol is not supported on the following port types:
    • Dynamic-access ports—If you try to enable IEEE 802.1X authentication on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and IEEE 802.1X authentication is not enabled. If you try to change an IEEE 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
    • Dynamic ports—If you try to enable IEEE 802.1X authentication on a dynamic port, an error message appears, and IEEE 802.1X authentication is not enabled. If you try to change the mode of an IEEE 802.1X-enabled port to dynamic, an error message appears, and the port mode is not changed.
    • Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable IEEE 802.1X authentication on a port that is a SPAN or RSPAN destination port. However, IEEE 802.1X authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable IEEE 802.1X authentication on a SPAN or RSPAN source port.
  • Configuring the same VLAN ID for both access and voice traffic (using the switchport access vlan vlan-id and the switchport voice vlan vlan-id commands) fails if authentication has already been configured on the port.
  • Configuring authentication on a port on which you have already configured switchport access vlan vlan-id and switchport voice vlan vlan-id fails if the access VLAN and voice VLAN have been configured with the same VLAN ID.
  • By default, authentication system messages, MAC authentication bypass (MAB) system messages, and 802.1X system messages are not displayed. If you need to see these system messages, turn on logging manually with the following commands:
    • authentication logging verbose
    • dot1x logging verbose
    • mab logging verbose

For more specific details on the Cisco prerequisites for integrating SNAC with Cisco devices, refer to the link below:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html#GUID-B1C1F75B-45CF-4CA3-A833-43D7C6986249
