Cisco Systems IE3010 802.1x Authentication with Downloadable ACLs and Redirect URLs

10-18

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific

attributes (VSAs) are in octet-string format and are passed to the switch during the authentication

process. The VSAs used for per-user ACLs are inacl#<

> for the ingress direction and outacl#<

> for

the egress direction. MAC ACLs are supported only in the ingress direction. The switch supports V SAs

only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For

more information, see Chapter 32, “Configuring Network Security with ACLs.”

Use only the extended ACL syntax style to define the per-user configuration sto red on the RADIUS

server. When the definitions are passed from the RADIUS server, they are created by using the extended

naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.

You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on

the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress

filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the

outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the

Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and

IP extended ACLs).

The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of

RADIUS-server per-user ACLs.

For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific

RADIUS Attributes” section on page 9-36. For more information about configuring ACLs, see

Chapter 32, “Configuring Network Security with ACLs.”

Note Per-user ACLs are supported only in single-host mode.

To configure per-user ACLs, you need to perform these tasks:

• Enable AAA authentication.

• Enable AAA authorization by using the network keyword to allow interface configuration from the

RADIUS server.

• Enable 802.1x authentication.

• Configure the user profile and VSAs on the RADIUS server.

• Configure the 802.1x port for single-host mode.

For more configuration information, see the “Authentication Manager” section on page 10-7.

802.1x Authentication with Downloadable ACLs and Redirect URLs

You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x

authentication or MAC authentication bypass of the host. You can also download ACLs during web

authentication.

Note A downloadable ACL is also referred to as a dACL.

If more than one host is authenticated and the host is in single-host, MDA, or multiple-authentication

mode, the switch changes the source address of the ACL to the host IP address.

You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.