Access Control on the Wired Network
Securing Access Using 802.1x on a wired LAN
72
Best Practice User Guide for the Catalyst 3850 and Catalyst 3650 Switch Series
Provision in Low-Impact Mode
The next deployment phase in securing your network is to provision in low-impact mode, which allows differentiated network access to authenticated users while permitting basic network services for all users.
Note For information about configuration of multiple-authentication mode on IEEE 802.1x ports, see
“Provision Common Wired Security Access”.
Minimize the impact on your initial network access settings and add differentiated network access for authenticated users with low-impact mode provisioning. In low-impact mode, authentication is open and network access is contained using less restrictive port ACLs. After authentication, dACLs are used to allow full network access to end devices.
Step 10 Configure multi-domain mode to prevent unauthorized users from accessing an interface after an authorized user has been authenticated.
Step 11 Add a static ACL to allow basic network access.
Configure a restrictive port ACL that allows access for configuration and a Configured Trust List (CTL).
Begin in global configuration mode. The port ACL is defined globally; the host-mode and access-group commands are entered on the access interface.
! Step 11: pre-authentication port ACL, applied inbound on the access port
ip access-list extended LowImpactSecurity-acl
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any any eq tftp
 permit udp any any eq domain
 exit
! Step 10 and Step 11: host mode and the port ACL are interface-level commands
interface GigabitEthernet1/0/1
 authentication host-mode multi-domain
 ip access-group LowImpactSecurity-acl in
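To check what LowImpactSecurity-acl actually admits from an endpoint before authentication, the following added Python example (not from the Cisco guide) parses the ACL's entries in a small subset of IOS extended-ACL syntax and evaluates constructed packets against it, including IOS's implicit deny at the end of the list; the Packet, parse_ace and evaluate names are assumptions of this example.

```python
"""Evaluate the pre-authentication port ACL against sample inbound flows."""
from dataclasses import dataclass

# Well-known port keywords used by the ACL (subset of the IOS names)
PORT_NAMES = {"bootps": 67, "bootpc": 68, "tftp": 69, "domain": 53}

# Constructed copy of the page's LowImpactSecurity-acl entries
LOW_IMPACT_ACL = """
permit tcp any any established
permit udp any any eq bootps
permit udp any any eq tftp
permit udp any any eq domain
"""


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    ack: bool = False   # TCP ACK or RST set, i.e. a reply to an existing connection


def parse_ace(line):
    """Parse 'permit|deny <proto> any any [eq <port>] [established]' (subset)."""
    tokens = line.split()
    action, proto, opts = tokens[0], tokens[1], tokens[4:]  # skip 'any any'
    dport, established, i = None, False, 0
    while i < len(opts):
        if opts[i] == "eq":
            dport = PORT_NAMES.get(opts[i + 1]) or int(opts[i + 1])
            i += 2
        elif opts[i] == "established":
            established = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword: {opts[i]}")
    return action, proto, dport, established


def evaluate(acl_text, pkt):
    """Return 'permit' or 'deny' for pkt, first match wins, implicit deny last."""
    for line in acl_text.strip().splitlines():
        action, proto, dport, established = parse_ace(line)
        if proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        # 'established' only matches TCP segments that carry ACK or RST
        if established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return action
    return "deny"
```

The checks show that an unauthenticated endpoint can obtain an address, resolve names and fetch its phone configuration over TFTP, but cannot open new TCP sessions (only reply segments pass) until a dACL is pushed after authentication.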