214
Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
For more information, see Configuring an Authenticator, page 230.
Using IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id
Attribute
The switch supports both IP standard and IP extended port access control lists (ACLs) applied to ingress ports.
ACLs that you configure
ACLs from the Access Control Server (ACS)
An IEEE 802.1x port in single-host mode uses ACLs from the ACS to provide different levels of service to an IEEE
802.1x-authenticated user. When the RADIUS server authenticates this type of user and port, it sends ACL attributes
based on the user identity to the switch. The switch applies the attributes to the port for the duration of the user session.
If the session is over, authentication fails, or a link fails, the port becomes unauthorized, and the switch removes the ACL
from the port.
Only IP standard and IP extended port ACLs from the ACS support the Filter-Id attribute. It specifies the name or number
of an ACL. The Filter-id attribute can also specify the direction (inbound or outbound) and a user or a group to which the
user belongs.
The Filter-Id attribute for the user takes precedence over that for the group.
If a Filter-Id attribute from the ACS specifies an ACL that is already configured, it takes precedence over a
user-configured ACL.
If the RADIUS server sends more than one Filter-Id attribute, only the last attribute is applied.
If the Filter-Id attribute is not defined on the switch, authentication fails, and the port returns to the unauthorized state.
Authentication Manager Common Session ID
Authentication manager uses a single session ID (referred to as a common session ID) for a client no matter which
authentication method is used. This ID is used for all reporting purposes, such as the show commands and MIBs. The
session ID appears with all per-session syslog messages.
The session ID includes:
The IP address of the Network Access Device (NAD)
A monotonically increasing unique 32-bit integer
The session start time stamp (a 32-bit integer)
Default 802.1x Authentication Settings
Table 30 on page 214 shows the default 802.1x authentication settings.
Table 30 Default 802.1x Authentication Settings
Feature Default Setting
Switch 802.1x enable state Disabled.
Per-port 802.1x enable state Disabled (force-authorized).
The port sends and receives normal traffic without 802.1x-based
authentication of the client.
AAA Disabled.
To Next Page
Loading...
Need help?
General
