
New Member

Can NEXUS 7000 serve 802.1x?

Hi Experts,

I am to propose the N7K as a new D/C core. At the same time, another of its VDCs will be running as campus switching.

I need the campus running with 802.1x dynamic VLAN assignment & ACL assignment.

PC Client --- 2960x --- N7K --- RADIUS (e.g. ISE)

The question is, can the N7K act as an intermediary?

For reference, the 2960S configuration guide says:

The devices that can act as intermediaries include the Catalyst 3750-E, Catalyst 3560-E, Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and IEEE 802.1x authentication.

Thank you in advance,

Nipat.p

2 ACCEPTED SOLUTIONS

VIP Super Bronze

Can NEXUS 7000 serve 802.1x?

Hi,

The 7K supports dot1x with RADIUS.

The RADIUS distributed client/server system allows you to secure networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco NX-OS devices and send authentication and accounting requests to a central RADIUS server that contains all user authentication and network service access information.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_dot1x.html

HTH

Hall of Fame Super Silver

Re: Can NEXUS 7000 serve 802.1x?

I believe you are misinterpreting the configuration guide. The statement about intermediaries is meant to refer to the device (i.e. your 2960S switch) between the client (user with PC) and the RADIUS server. As long as the supplicant (client) is presenting authentication credentials correctly to the RADIUS server via the properly configured local switch, the 802.1X authentication will occur as designed.

Upstream switches only need to pass the traffic to and from the RADIUS server - they are not involved in the client's-local switch authentication process other than to transport the traffic to the configured server.

If you are trying to implement other identity-based security features (such as security group access tagging and MACSEC) then you have dependencies on remote switches' capabilities, but not for basic 802.1x authentication.

See the Trustsec matrix here for a good overview of what features are supported on which platforms.
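
An added example, not part of the original thread: the dynamic VLAN and ACL assignment discussed here travels as attributes inside the RADIUS Access-Accept payload, which is addressed to the access switch doing 802.1X and is ordinary routed UDP to everything in between. This sketch parses the standard attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id); the VLAN "120", the ACL name "CAMPUS-STAFF" and the function names are constructed for illustration, and vendor-specific ACL attributes are not handled.

```python
import struct

# Attribute numbers from RFC 2865/2868; their 802.1X usage is described in RFC 3580.
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
ACCESS_ACCEPT, TYPE_VLAN, MEDIUM_IEEE_802 = 2, 13, 6

def attr(code, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([code, len(value) + 2]) + value

def build_access_accept(ident, vlan, acl_name):
    """Constructed sample reply; the 16-byte authenticator is zeroed, not computed."""
    attrs = (attr(TUNNEL_TYPE, b"\x00" + TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM, b"\x00" + MEDIUM_IEEE_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, vlan.encode())
             + attr(FILTER_ID, acl_name.encode()))
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(attrs), bytes(16))
    return header + attrs

def parse_authorization(packet):
    """Return the VLAN and ACL name an authenticator would read from an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the datagram")
    seen, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        seen[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    def tagged_int(code):
        # Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte value.
        value = seen.get(code, b"")
        return int.from_bytes(value[1:], "big") if len(value) == 4 else None
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:          # optional leading tag byte
        group = group[1:]
    # The VLAN is only meaningful when all three tunnel attributes agree.
    vlan_ok = (tagged_int(TUNNEL_TYPE) == TYPE_VLAN
               and tagged_int(TUNNEL_MEDIUM) == MEDIUM_IEEE_802 and group)
    acl = seen.get(FILTER_ID)
    return {"vlan": group.decode() if vlan_ok else None,
            "acl": acl.decode() if acl else None}

if __name__ == "__main__":
    print(parse_authorization(build_access_accept(7, "120", "CAMPUS-STAFF")))
```

When troubleshooting, a capture taken on the access switch's uplink can be checked the same way to confirm the attributes arrive unchanged from the RADIUS server.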

4 REPLIES
New Member

Can NEXUS 7000 serve 802.1x?

Hi Reza,

Yes, the N7K supports 802.1x, BUT in

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_dot1x.html

there is not a single word saying that it supports 'dynamic VLAN assignment' & 'dynamic ACL', which is my policy from RADIUS.

From this point, we don't plug PCs into the N7K, as it's a core, not an access switch. But we need to plug the RADIUS server in at the N7K. I'm not quite sure that the N7K can pass RADIUS attributes ('dynamic VLAN assignment' & 'dynamic ACL') from RADIUS to the 2960S's client.

I compared the CAT6500 vs the N7K on Feature Navigator; it says the CAT6500 has 'dynamic VLAN assignment' & 'dynamic ACL', WHICH the N7K does NOT, as in pict1_feature_only_on_6500 (attached).

And pict2_common_feature (attached)

Please help suggest whether the N7K can pass RADIUS attributes or not?

Nipat.p

New Member

Can NEXUS 7000 serve 802.1x?

Please help suggest.
