203
Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
You can reenable individual VLANs by using the clear errdisable interface interface-id vlan [vlan-list] privileged
EXEC command. If you do not specify a range, all VLANs on the port are enabled.
802.1x Authentication with Per-User ACLs
You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an
802.1x-authenticated user. When the RADIUS server authenticates a user connected to an 802.1x port, it retrieves the
ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the 802.1x
port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over,
if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running
configuration. When the port is unauthorized, the switch removes the ACL from the port.
You can configure router ACLs and input port ACLs on the same switch. However, a port ACL takes precedence over a
router ACL. If you apply input port ACL to an interface that belongs to a VLAN, the port ACL takes precedence over an
input router ACL applied to the VLAN interface. Incoming packets received on the port to which a port ACL is applied are
filtered by the port ACL. Incoming routed packets received on other ports are filtered by the router ACL. Outgoing routed
packets are filtered by the router ACL. To avoid configuration conflicts, you should carefully plan the user profiles stored
on the RADIUS server.
RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes (VSAs) are
in octet-string format and are passed to the switch during the authentication process. The VSAs used for per-user ACLs
are
inacl#<n> for the ingress direction and outacl#<n> for the egress direction. MAC ACLs are supported only in the
ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress
direction on Layer 2 ports. For more information, see Configuring Network Security with ACLs, page 545
Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server. When the
definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if
you use the Filter-Id attribute, it can point to a standard ACL.
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on the switch. The
attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering. If the RADIUS server
does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support
of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300
to 2699 (IP standard and IP extended ACLs).
The maximum size of the per-user ACL is
4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user ACLs.
For examples of vendor-specific attributes, see Configuring Vendor-Specific RADIUS Attributes: Examples, page 185.
For more information about configuring ACLs, see Configuring Network Security with ACLs, page 545
Note: Per-user ACLs are supported only in single-host mode.
To configure per-user ACLs, you need to perform these tasks:
Enable AAA authentication.
Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.
Enable 802.1x authentication.
Configure the user profile and VSAs on the RADIUS server.
Configure the 802.1x port for single-host mode.
For more configuration information, see Authentication Manager, page 194.
To Next Page
Loading...
Need help?
General