62-33
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Configuring PACLs
Configuration Restrictions
The following restrictions apply:
• Starting with Cisco IOS Release 12.2(54)SG, the port ACL does not require configuration; the
default ACL is created automatically.
• Even if AUTH-DEFAULT-ACL is modified, it is not nvgened (the modification is not written to the saved configuration).
Debugging Considerations
Syslog messages appear when AUTH-DEFAULT-ACL is attached to or detached from an interface,
provided you have entered the epm logging command in configuration mode.
The following syslog displays when the default ACL is attached:
%EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT CREATE-ATTACH-SUCCESS
The following syslog displays when the ACL is detached:
%EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT DETACH-SUCCESS
%EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT DELETE-SUCCESS
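Because the attach and detach events above are the only record of when the default ACL stops protecting a port, they are worth collecting and correlating. The following is an added example (not from the guide or from Cisco) that parses the %EPM-6-AUTH_ACL message format shown above from a constructed syslog sample, counts the events per policy, and derives whether the policy is currently attached; the timestamps, the unrelated %LINK line and the event ordering in the sample are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Pattern for the %EPM-6-AUTH_ACL message body shown in the guide:
#   %EPM-6-AUTH_ACL: POLICY <name>| EVENT <EVENT-NAME>
EPM_RE = re.compile(
    r"%EPM-6-AUTH_ACL:\s*POLICY\s+(?P<policy>\S+)\|\s*EVENT\s+(?P<event>[A-Z-]+)"
)

# Constructed sample log: how a collector might store the lines. Timestamps and
# the %LINK line are invented; only the EPM message bodies follow the guide.
SAMPLE_LOG = """\
Mar  1 10:02:11.120: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT CREATE-ATTACH-SUCCESS
Mar  1 10:02:11.121: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
Mar  1 10:09:45.007: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT DETACH-SUCCESS
Mar  1 10:09:45.008: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT DELETE-SUCCESS
Mar  1 10:15:02.300: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT CREATE-ATTACH-SUCCESS
"""


def parse_epm_events(log_text: str) -> List[Tuple[str, str]]:
    """Return (policy, event) pairs for every %EPM-6-AUTH_ACL line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = EPM_RE.search(line)
        if m:
            events.append((m.group("policy"), m.group("event")))
    return events


def summarize(events: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Per policy: count each event type and track whether it is currently attached.

    CREATE-ATTACH-SUCCESS marks the policy attached; DETACH-SUCCESS clears that.
    The guide shows DELETE-SUCCESS following DETACH-SUCCESS, so a delete seen
    while the policy is still recorded as attached, or a detach with no prior
    attach, is noted as an anomaly for an analyst to review.
    """
    state: Dict[str, dict] = {}
    for policy, event in events:
        entry = state.setdefault(
            policy, {"attached": False, "counts": {}, "anomalies": []}
        )
        entry["counts"][event] = entry["counts"].get(event, 0) + 1
        if event == "CREATE-ATTACH-SUCCESS":
            entry["attached"] = True
        elif event == "DETACH-SUCCESS":
            if not entry["attached"]:
                entry["anomalies"].append("DETACH-SUCCESS without prior attach")
            entry["attached"] = False
        elif event == "DELETE-SUCCESS":
            if entry["attached"]:
                entry["anomalies"].append("DELETE-SUCCESS while still attached")
    return state


if __name__ == "__main__":
    for policy, info in summarize(parse_epm_events(SAMPLE_LOG)).items():
        print(policy, "attached" if info["attached"] else "detached", info["counts"])
        for note in info["anomalies"]:
            print("  anomaly:", note)
```

On the sample, the policy ends up attached again after one detach/delete cycle and no anomalies are reported; a run that ends with the policy detached, or that shows a delete with no detach before it, is the case an operator would want to investigate on the affected port.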
Webauth Fallback
Many authentication methods require specific capabilities on the end-point device to respond to the
network authenticating device with its identity or credentials. If the end-point lacks the required
capability, the authenticator must fall back to alternative methods to gather host or user credentials. If the
802.1X/MAB authentication mechanism fails, a fallback to webauth might occur.
Prior to Cisco IOS Release 12.2(54)SG, webauth fallback implementation required a fallback profile
configured on the authenticating device. As part of this profile, an admission rule must be configured
along with the access policies (the fallback ACL).
Consider a situation where no port ACL is configured on a port. The first few hosts authenticated through
802.1X/MAB do not download any ACLs. All traffic from these hosts is allowed through. Now, suppose
a host connects to the port, and there is a fallback to webauth to authenticate the host. The fallback ACL
will be installed on the port, and traffic from previously authenticated hosts will also be restricted by this
fallback ACL.
Starting with Cisco IOS Release 12.2(54)SG, Cisco uses a different approach to address this issue. When
a host falls back to webauth for authentication, the ACE entries in the fallback ACL are converted into
entries with Host IP insertion for the host that has fallen back, and these entries remain applied until the host
authenticates. Once the host successfully authenticates, the fallback ACL is removed. The resultant host
ACLs are the dynamic ACLs and the Port ACL/AUTH-DEFAULT-ACL. Refer to the previous section for
an explanation of AUTH-DEFAULT-ACL.
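The difference between the two behaviours described above can be made concrete with a small model. The following is an added example, not Cisco's implementation and not from the guide: it takes a constructed fallback ACL, rewrites each ACE with the fallen-back host's IP inserted as the source (the "Host IP insertion" the text describes), and evaluates which entry, if any, a given packet would match. The rule set, host addresses and the simplified ACE grammar (action, protocol, `any` or `host <ip>` source, `any` destination, optional `eq <port>`) are assumptions made for the illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed fallback ACL of the kind a webauth fallback profile might carry:
# let the client resolve names and reach the login page, deny the rest.
# Hypothetical rule set, not taken from the guide.
FALLBACK_ACL = [
    "permit udp any any eq 53",
    "permit tcp any any eq 80",
    "deny ip any any",
]


def insert_host_ip(aces: List[str], host_ip: str) -> List[str]:
    """Rewrite each ACE so its source is 'host <host_ip>' instead of 'any'.

    Models the post-12.2(54)SG behaviour: the fallback entries constrain only
    the host that fell back to webauth, not every host on the port.
    """
    ipaddress.ip_address(host_ip)  # raises ValueError on a malformed address
    rewritten = []
    for ace in aces:
        parts = ace.split()
        if len(parts) < 4 or parts[2] != "any":
            raise ValueError(f"expected '<action> <proto> any any ...': {ace!r}")
        rewritten.append(" ".join([parts[0], parts[1], "host", host_ip] + parts[3:]))
    return rewritten


def _parse_ace(ace: str) -> Tuple[str, str, str, Optional[int]]:
    """Return (action, protocol, source, dst_port) for the simplified ACE grammar."""
    parts = ace.split()
    action, proto, i = parts[0], parts[1], 2
    if parts[i] == "host":
        src, i = parts[i + 1], i + 3   # 'host <ip>' then the 'any' destination
    else:
        src, i = parts[i], i + 2       # 'any' source then the 'any' destination
    dst_port = int(parts[i + 1]) if i < len(parts) and parts[i] == "eq" else None
    return action, proto, src, dst_port


def first_match(acl: List[str], src_ip: str, proto: str,
                dst_port: int) -> Optional[Tuple[str, str]]:
    """First-match evaluation: return (action, ace) or None if no entry applies.

    None means the packet is not governed by these entries at all, which is the
    case for previously authenticated hosts once Host IP insertion is in effect;
    the text says such traffic is then subject only to the dynamic ACLs and the
    Port ACL/AUTH-DEFAULT-ACL.
    """
    for ace in acl:
        action, p, src, port = _parse_ace(ace)
        if p not in ("ip", proto):
            continue
        if src != "any" and src != src_ip:
            continue
        if port is not None and port != dst_port:
            continue
        return action, ace
    return None


if __name__ == "__main__":
    fallback_host, other_host = "10.1.1.5", "10.1.1.7"   # constructed addresses
    host_acl = insert_host_ip(FALLBACK_ACL, fallback_host)
    print("\n".join(host_acl))
    # Pre-12.2(54)SG model: the raw fallback ACL also restricts the other host.
    print("old:", first_match(FALLBACK_ACL, other_host, "tcp", 443))
    # Host-inserted model: the other host is untouched by the fallback entries.
    print("new:", first_match(host_acl, other_host, "tcp", 443))
    print("fallback host HTTP:", first_match(host_acl, fallback_host, "tcp", 80))
```

Running it shows the scenario from the text: with the raw fallback ACL, 10.1.1.7 (an already-authenticated host) hits `deny ip any any`, while with the host-inserted entries the same packet matches nothing and the fallback host alone is permitted DNS and HTTP and denied everything else.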
Configuring IPv4, IPv6, and MAC ACLs on a Layer 2 Interface
Note: Only IPv4, IPv6, and MAC ACLs can be applied to Layer 2 physical interfaces.
Standard (numbered, named), Extended (numbered, named) IP ACLs, and Extended Named MAC ACLs
are also supported.