10-21
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the
Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and
IP extended ACLs).
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of
RADIUS-server per-user ACLs.
For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific
RADIUS Attributes” section on page 9-36. For more information about configuring ACLs, see
Chapter 31, “Configuring Network Security with ACLs.”
Note Per-user ACLs are supported only in single-host mode.
To configure per-user ACLs, you need to perform these tasks:
Enable AAA authentication.
Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
Enable 802.1x authentication.
Configure the user profile and VSAs on the RADIUS server.
Configure the 802.1x port for single-host mode.
For more configuration information, see the Authentication Manager” section on page 10-8.
802.1x Authentication with Downloadable ACLs and Redirect URLs
You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x
authentication or MAC authentication bypass of the host. You can also download ACLs during web
authentication.
Note A downloadable ACL is also referred to as a dACL.
If more than one host is authenticated and the host is in single-host, MDA, or multiple-authentication
mode, the switch changes the source address of the ACL to the host IP address.
You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.
If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on
the port to the host. On a voice VLAN port configured in multi-auth or MDA mode, the switch applies
the ACL only to the phone as part of the authorization pol icies.
Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic
auth-default ACL is created, and policies are enforced before dACLs are downloaded and applied.
Note The auth-default-ACL is created only when the switch is running the LAN base image.
Note The auth-default-ACL does not appear in the running configuration.