Configure NEAT on CATALYST Switches

JUANNN

Hello,

I am doing a lab with 2 devices acting as switches, running

SUPPLICANT: IOS XE ESS3x00 Switch Software (ESS3x00-UNIVERSALK9-M), Version 17.9.5

AUTHENTICATOR: IOS XE Software Bengaluru, ISR Software, (ARMV8EL_LINUX_IOSD-UNIVERSALK9_IOT-M), Version 17.6.8

The lab consists of a switch acting as a supplicant in order to authenticate with a RADIUS server connected to the authenticator switch. The goal is to use NEAT between the switches to achieve this. 

I used the following configs on the Supplicant:

dot1x system-auth-control
!
interface GigabitEthernet2/14
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials LAB
 dot1x supplicant eap profile LAB
 spanning-tree portfast trunk
!

and for the AUTHENTICATOR:

dot1x system-auth-control
!
aaa authentication dot1x default group radius
!
interface GigabitEthernet0/1/0
 switchport mode trunk
 spanning-tree portfast trunk
 dot1x pae authenticator
 authentication port-control auto
 authentication violation restrict
 authentication timer restart 10
!

I omitted the RADIUS server configuration because the server is receiving and processing the Access-Requests successfully.

The authentication succeeds, and when I do the show authentication sessions on the AUTHENTICATOR SW I can see that the supplicant is successfully authenticated. The only problem is on the supplicant side:

the interface comes up, but the line protocol says down (not connected), and a log message pops up saying:

control access not enabled or transient not configured

Then I use dot1x supplicant controlled transient and the line protocol comes up and life is good. But why? I read the Cisco Security Guide and it says that command is useful when the authenticator switch is configured with BPDU Guard, for example, which is not my case.

Any help is appreciated thanks!

Juan

2 Replies

M02@rt37

Hello @JUANNN 

The NEAT implementation assumes that a NEAT supplicant is connected to an access port, not a trunk. On an access port, this transition is typically automatic. On trunk ports, the NEAT supplicant must be explicitly told to transition its port state after authentication, or else it stays in a passive state.

Cisco docs mention BPDU Guard because it is a common enterprise control measure, but it is not a requirement for needing controlled transient. BPDU Guard is just one example of where this transition matters.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello,

I tried configuring the authenticator port as access, but then I run into an inconsistency, because I have to define an unconditional mode for both switchports to be able to use 802.1X authentication. If I put trunk on the supplicant and access on the authenticator, the port comes up and authentication succeeds, but no data is passed through: I cannot ping from SVI to SVI. I read that when using ISE you can have trunks on both ends and ISE takes care of pretty much everything, but here I am using just FreeRADIUS. The only solution I have achieved is having trunks on both ends and using dot1x supplicant controlled transient on the supplicant. Do you know how the access port is supposed to work?

Also, if I enable BPDU Guard on the authenticator, will I need to filter BPDUs out of the supplicant to avoid errdisable on the authenticator port? Not because of 802.1X, since the command mentioned above takes care of that, but for after the trunk is established and up.

Thanks for your help
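Added example, not configuration from the thread above and not taken from Cisco or FreeRADIUS documentation verbatim. It shows the access-port variant of NEAT that the last question asks about: both ports start in access mode, the supplicant authenticates with EAP, and the RADIUS Access-Accept carries the Cisco AV pair device-traffic-class=switch, which is what tells the authenticator to move that port to trunk mode dynamically; with CISP enabled on both switches the supplicant's downstream hosts are then learned through the trunk. The interface names, the credential and EAP profile name LAB, the username neat-sw1, the password, the shared secret, the EAP method (EAP-MD5) and the RADIUS server address 10.0.0.5 are all assumptions chosen for the example.

```text
! ---- Supplicant switch (added example; names, addresses and secrets are assumptions) ----
cisp enable
dot1x system-auth-control
!
dot1x credentials LAB
 username neat-sw1
 password 0 neatpass
!
eap profile LAB
 method md5
!
interface GigabitEthernet2/14
 switchport mode access
 dot1x pae supplicant
 dot1x credentials LAB
 dot1x supplicant eap profile LAB
!
! ---- Authenticator switch ----
cisp enable
dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
! network authorization is what lets the switch act on the returned AV pair
aaa authorization network default group radius
!
radius server FREERADIUS
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key radiussecret
!
interface GigabitEthernet0/1/0
 switchport mode access
 dot1x pae authenticator
 authentication port-control auto
 spanning-tree portfast
!
# ---- FreeRADIUS "users" file entry ----
# Cisco-AVPair is Cisco VSA 1 under vendor 9, defined in dictionary.cisco.
# The reply item below is the NEAT trigger: without it the authenticator port
# stays an access port after a successful authentication.
neat-sw1  Cleartext-Password := "neatpass"
          Cisco-AVPair = "device-traffic-class=switch"
```

Two things to check after the supplicant authenticates: show authentication sessions interface GigabitEthernet0/1/0 details should list the session as authorized, and show interfaces GigabitEthernet0/1/0 switchport should now report an operational mode of trunk even though the running config still says access; if it does not, confirm with debug radius (or a capture on the RADIUS server) that the Access-Accept actually contains the Cisco-AVPair. NEAT is documented as a Catalyst switch feature, so before expecting the dynamic access-to-trunk change on an ISR used as the authenticator, as in the lab above, verify platform support in Cisco Feature Navigator rather than assuming it.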