49-20
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
These AV pairs enable the switch to intercept an HTTP or HTTPS request from the endpoint device and forward the client web browser to the specified redirect address from which the latest antivirus files can be downloaded. The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is redirected. The url-redirect-acl AV pair contains the name or number of an ACL that specifies the HTTP or HTTPS traffic to be redirected. Traffic that matches a permit entry in the redirect ACL is redirected.
Note The redirect or default ACL must be defined on the switch.
ACLs
If a downloadable ACL is configured for a particular client on the authentication server, you must configure a default port ACL on the client-facing switch port.
If the default ACL is configured on the switch and the Cisco Secure ACS sends a host access policy to the switch, the switch applies the policy to traffic from the host connected to the switch port. If the policy does not apply, the switch applies the default ACL. If the Cisco Secure ACS sends the switch a downloadable ACL, this ACL takes precedence over the default ACL already configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, the switch declares an authorization failure.
For details on how to configure a downloadable policy, refer to the “Configuring a Downloadable Policy” section on page 49-44.
Using 802.1X with RADIUS-Provided Session Timeouts
You can specify whether a switch uses a locally configured or a RADIUS-provided reauthentication timeout. If the switch is configured to use the local timeout, it reauthenticates the host when the timer expires.
If the switch is configured to use the RADIUS-provided timeout, it scans the RADIUS Access-Accept message for the Session-Timeout and optional Termination-Action attributes. The switch uses the value of the Session-Timeout attribute to determine the duration of the session, and it uses the value of the Termination-Action attribute to determine the switch action when the session's timer expires.
If the Termination-Action attribute is present and its value is RADIUS-Request, the switch reauthenticates the host. If the Termination-Action attribute is not present, or its value is Default, the switch terminates the session.
Note The supplicant on the port detects that its session was terminated and attempts to initiate a new session. Unless the authentication server treats this new session differently, the client may see only a brief interruption in network connectivity as the switch sets up a new session.
If the switch is configured to use the RADIUS-supplied timeout, but the Access-Accept message does not include a Session-Timeout attribute, the switch never reauthenticates the supplicant. This behavior is consistent with Cisco's wireless access points.
For details on how to configure RADIUS-provided session timeouts, see the “Configuring RADIUS-Provided Session Timeouts” section on page 49-53.
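The expiry rules above, modelled as an added example (not Cisco's code and not from this guide): a Python routine that decodes the attribute TLVs of a RADIUS Access-Accept body and returns what the switch does when the session timer runs out. It assumes the standard RFC 2865 numbering (Session-Timeout is attribute 27; Termination-Action is attribute 29 with Default = 0 and RADIUS-Request = 1); the `int_attr` helper and the sample packet bodies are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SESSION_TIMEOUT = 27            # RFC 2865 attribute numbers (assumed, not from the guide)
TERMINATION_ACTION = 29
TERMINATION_RADIUS_REQUEST = 1  # Termination-Action values: 0 = Default, 1 = RADIUS-Request

def parse_attributes(payload: bytes) -> dict:
    """Decode the (type, length, value) attribute TLVs of a RADIUS packet body."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs

@dataclass
class SessionPolicy:
    timeout: Optional[int]  # seconds, or None when no Session-Timeout was sent
    on_expiry: str          # "reauthenticate", "terminate" or "never"

def session_policy(access_accept_attrs: bytes) -> SessionPolicy:
    """Rules from the guide for a switch set to use the RADIUS-provided timeout."""
    attrs = parse_attributes(access_accept_attrs)
    if SESSION_TIMEOUT not in attrs:
        # No Session-Timeout at all: the switch never reauthenticates this supplicant.
        return SessionPolicy(None, "never")
    timeout = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0]
    action = attrs.get(TERMINATION_ACTION)
    if action is not None and struct.unpack("!I", action)[0] == TERMINATION_RADIUS_REQUEST:
        return SessionPolicy(timeout, "reauthenticate")
    # Termination-Action absent, or present with value Default: the session is torn down.
    return SessionPolicy(timeout, "terminate")

def int_attr(atype: int, value: int) -> bytes:
    """Build one integer attribute TLV (length 6); constructed test-data helper."""
    return bytes([atype, 6]) + struct.pack("!I", value)

if __name__ == "__main__":
    # Constructed Access-Accept bodies: one-hour timeout with and without RADIUS-Request.
    print(session_policy(int_attr(SESSION_TIMEOUT, 3600) + int_attr(TERMINATION_ACTION, 1)))
    print(session_policy(int_attr(SESSION_TIMEOUT, 3600)))
    print(session_policy(b""))
```

The "never" outcome is the one worth auditing on the RADIUS side: a policy that omits Session-Timeout leaves the port authorized until link down.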