The auth-default-ACL does not appear in the running configuration.Note
The auth-default ACL is created when at least one host with an authorization policy is detected on the port.
The auth-default ACL is removed from the port when the last authenticated session ends. You can configure
the auth-default ACL by using the ip access-list extended auth-default-acl global configuration command.
The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode.
You must configure a static ACL on the interface to support CDP bypass.
Note
The 802.1x and MAB authentication methods support two authentication modes, open and closed. If there is
no static ACL on a port in closed authentication mode:
•
An auth-default-ACL is created.
•
The auth-default-ACL allows only DHCP traffic until policies are enforced.
•
When the first host authenticates, the authorization policy is applied without IP address insertion.
•
When a second host is detected, the policies for the first host are refreshed, and policies for the first and
subsequent sessions are enforced with IP address insertion.
If there is no static ACL on a port in open authentication mode:
•
An auth-default-ACL-OPEN is created and allows all traffic.
•
Policies are enforced with IP address insertion to prevent security breaches.
•
Web authentication is subject to the auth-default-ACL-OPEN.
To control access for hosts with no authorization policy, you can configure a directive. The supported values
for the directive are open and default. When you configure the open directive, all traffic is allowed. The default
directive subjects traffic to the access provided by the port. You can configure the directive either in the user
profile on the AAA server or on the switch. To configure the directive on the AAA server, use the
authz-directive =<open/default> global command. To configure the directive on the switch, use the epm
access-control open global configuration command.
The default value of the directive is default.
Note
If a host falls back to web authentication on a port without a configured ACL:
•
If the port is in open authentication mode, the auth-default-ACL-OPEN is created.
•
If the port is in closed authentication mode, the auth-default-ACL is created.
The access control entries (ACEs) in the fallback ACL are converted to per-user entries. If the configured
fallback profile does not include a fallback ACL, the host is subject to the auth-default-ACL associated with
the port.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
230 OL-29434-01
Configuring IEEE 802.1x Port-Based Authentication
802.1x Authentication with Downloadable ACLs and Redirect URLs
To Next Page
Loading...
Need help?
General
