
Cisco Catalyst 4500 Series Administration Guide

Cisco Catalyst 4500 Series
1814 pages
46-47
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 46 Configuring 802.1X Port-Based Authentication
Configuring 802.1X Port-Based Authentication
The following example illustrates how to configure a switch for downloadable policy:
Switch# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# aaa new-model
Switch(config)# aaa authorization network default local
Switch(config)# ip device tracking
Switch(config)# ip access-list extended default_acl
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# radius-server vsa send authentication
Switch(config)# int fastEthernet 2/13
Switch(config-if)# ip access-group default_acl in
Switch(config-if)# exit
Configuring 802.1X Authentication with Per-User ACL and Filter-ID ACL
This section includes the following topics:
• Per-User ACL and Filter-ID ACL, page 46-47
• Configuring a Per-User ACL and Filter-ID ACL, page 46-54
Per-User ACL and Filter-ID ACL
Prior to Cisco IOS Release 12.2(52)SG, the Catalyst 4500 platform only supported downloadable ACLs,
which work with the Cisco ACS server but not with third-party AAA servers. With
Cisco IOS Release 12.2(52)SG, the Catalyst 4500 switch offers the Filter-ID/Per-user-acl enhancement,
which allows ACL policy enforcement using a third-party AAA server.
The Filter-ID feature provides the following capabilities:
• The Filter-ID option allows an administrator to define the ACL name on the AAA server using the
IETF standard RADIUS attribute. The ACL itself must be preconfigured locally on the switch.
The Per-user-acl feature provides the following capabilities:
• Per-user ACL allows an administrator to define the per-user ACL on the AAA server using Cisco
RADIUS AV pairs. This action allows a third-party AAA server to interoperate by loading the Cisco
RADIUS dictionary, which has Cisco RADIUS AV pairs configured as a VSA.
Note: The RADIUS vendor-specific attributes (VSAs) allow vendors to support their own proprietary
RADIUS attributes that are not included in standard RADIUS attributes.
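The split described above, with Filter-ID carrying only an ACL name in an IETF attribute and per-user ACL carrying the ACEs in Cisco AV pairs, can be checked on the attributes of a RADIUS reply. The following Python is an added example, not part of the Cisco guide. It assumes Filter-Id is IETF attribute 11, that Cisco AV pairs travel in Vendor-Specific attribute 26 with vendor ID 9 and vendor type 1, and that the Filter-Id value is exactly the local ACL name; the helper names and the sample attributes are constructed for illustration.

```python
import struct

FILTER_ID = 11          # IETF Filter-Id (RFC 2865)
VENDOR_SPECIFIC = 26    # IETF Vendor-Specific container (RFC 2865)
CISCO_VENDOR_ID = 9     # Cisco's IANA enterprise number
CISCO_AVPAIR = 1        # vendor type 1 = cisco-avpair

def iter_tlvs(buf):
    """Yield (type, value) from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad length {alen} at offset {pos}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen

def audit_access_accept(attrs, local_acls):
    """Split the ACL policy in a reply into Filter-ID names and per-user ACEs."""
    filter_ids, per_user = [], []
    for atype, value in iter_tlvs(attrs):
        if atype == FILTER_ID:
            filter_ids.append(value.decode("ascii"))
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            (vendor,) = struct.unpack("!I", value[:4])
            if vendor != CISCO_VENDOR_ID:
                continue  # another vendor's VSA, not a Cisco AV pair
            for vtype, vval in iter_tlvs(value[4:]):
                if vtype == CISCO_AVPAIR:
                    per_user.append(vval.decode("ascii"))
    # A Filter-ID only names an ACL; the switch must already hold it locally.
    missing = [name for name in filter_ids if name not in local_acls]
    return {"filter_ids": filter_ids, "per_user": per_user, "missing": missing}

def tlv(atype, value):
    """Build one attribute; the length byte covers type, length and value."""
    return bytes([atype, len(value) + 2]) + value

# Constructed sample reply attributes (not captured traffic).
SAMPLE = (
    tlv(FILTER_ID, b"guest_acl")
    + tlv(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID)
          + tlv(CISCO_AVPAIR, b"ip:inacl#10=permit ip any any"))
)

if __name__ == "__main__":
    print(audit_access_accept(SAMPLE, {"default_acl"}))
```

A non-empty `missing` list means the AAA server names an ACL that is not in the set of locally configured ACL names passed in, which is the precondition the Filter-ID feature places on the switch.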
Command and Purpose

Step 11
Command: Switch(config)# radius-server vsa send authentication
Purpose: Configures the network access server to recognize and use vendor-specific attributes.
Note: The downloadable ACL must be operational.

Step 12
Command: Switch(config)# end
Purpose: Returns to privileged EXEC mode.

Step 13
Command: Switch# show ip device tracking {all | interface interface-id | ip ip-address | mac mac-address}
Purpose: Displays information about the entries in the IP device tracking table.

Step 14
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Cisco Catalyst 4500 Series Specifications

General
Series: Catalyst 4500 Series
Category: Switch
Layer Support: Layer 2, Layer 3
Form Factor: Modular chassis
Stackable: No
Chassis Slots: 3, 6, 7, 10
Power Supply Options: AC, DC
Redundancy: Power supply, Supervisor engine
Network Management: Cisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
Features: Security, QoS
Port Density: Up to 384 ports per chassis
Security Features: 802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine: 8-E
