10-19
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-08
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
To configure per-user ACLs, you need to perform these tasks:
• Enable AAA authentication.
• Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
• Enable 802.1x authentication.
• Configure the user profile and VSAs on the RADIUS server.
• Configure the 802.1x port for single-host mode.
Note Per-user ACLs are supported only in single-host mode.
802.1x Authentication with Downloadable ACLs and Redirect URLs
You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x
authentication or MAC authentication bypass of the host. You can also download ACLs during web
authentication.
Note A downloadable ACL is also referred to as a dACL.
If more than one host is authenticated and the host mode is in single-host, MDA, or
m
ultiple-authentication mode, the switch modifies the source address of the ACL to be the host IP
address.
You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.
If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on
t
he port to the host. On a voice VLAN port, the switch applies the ACL only to the phone.
Beginning with Cisco IOS Release 12.2(55)SE, if you do not configure a static ACL on a port, a dynamic
Au
th-Default-ACL is created and its policies are enforced. The Auth-Default-ACL is not stored in
NVRAM and cannot be retrieved by the nonvolatile generation (NVGEN) process. The
Auth-Default-ACL is removed from the port when the last authenticated session is terminated. You can
configure the Auth-Default-ACL by using the ip access-list extended auth-default-acl global
configuration command.
You can control access for hosts with no authorization policy by using either the authz-directive on the
AA
A server or the epm access-control open global configuration command on the switch. When the
open directive is configured, all traffic is allowed. The default directive subjects traffic to the access
provided by the port.
Note The default directive is default.
The 802.1x and MAB authentication methods support two modes: open and closed. In either mode, the
Au
th-Default-ACL is created when you do not configure a static ACL on a port. For closed
authentication mode, when the first host authenticates, the authorization policy is applied without IP
address insertion. The policy is refreshed when a subsequent host is detected on the port.
When you do not configure a static ACL on the port, either the ope
n or default directive allows all traffic.
When you configure a static ACL, the default directive applies that ACL to traffic that has no user
profile.
To Next Page
Loading...
