Cisco Systems 3560 Using 802.1x Authentication with Per-User ACLs

10-15

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

–

If the VLAN configuration change of one device results in matching the other device configured

or assigned VLAN, then authorization of all devices on the port is terminated and multidomain

host mode is disabled until a valid configuration is restored where data and voice device

configured VLANs no longer match.

–

If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice

VLAN configuration, or modifying the configuration value to dot1p or untagged results in voice

device un-authorization and the disablement of multi-domain host mode.

When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put

into the configured access VLAN.

The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic

ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).

To configure VLAN assignment you need to perform these tasks:

• Enable AAA authorization by using the network keyword to allow interface configuration from the

RADIUS server.

• Enable 802.1x authentication. (The VLAN assignment feature is automatically enabled when you

configure 802.1x authentication on an access port).

• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return

these attributes to the switch:

–

[64] Tunnel-Type = VLAN

–

[65] Tunnel-Medium-Type = 802

–

[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802

(type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1x-authenticated

user.

For examples of tunnel attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS

Attributes” section on page 9-29.

Using 802.1x Authentication with Per-User ACLs

You can enable per-user access control lists (ACLs) to provide different levels of network access and

service to an 802.1x-authenticated user. When the RADIUS server authenticates a user connected to an

802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The

switch applies the attributes to the 802.1x port for the duration of the user session. The switch removes

the per-user ACL configuration when the session is over, if authentication fails, or if a link-down

condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When

the port is unauthorized, the switch removes the ACL from the port.

You can configure router ACLs and input port ACLs on the same switch. However, a port ACL takes

precedence over a router ACL. If you apply input port ACL to an interface that belongs to a VLAN, the

port ACL takes precedence over an input router ACL applied to the VLAN interface. Incoming packets

received on the port to which a port ACL is applied are filtered by the port ACL. Incoming routed packets

received on other ports are filtered by the router ACL. Outgoing routed packets are filtered by the router

ACL. To avoid configuration conflicts, you should carefully plan the user profiles stored on the RADIUS

server.

RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific

attributes (VSAs) are in octet-string format and are passed to the switch during the authentication

process. The VSAs used for per-user ACLs are inacl#<n> for the ingress direction and outacl#<n> for