Cisco Systems IE 2000 Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL, Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs

13-19

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 13 Configuring IEEE 802.1x Port-Based Authentication

Information About Configuring IEEE 802.1x Port-Based Authentication

If a host falls back to web authentication on a port without a configured ACL:

• If the port is in open authentication mode, the auth-default-ACL-OPEN is created.

• If the port is in closed authentication mode, the auth-default-ACL is created.

The access control entries (ACEs) in the fallback ACL are converted to per-user entries. If the configured

fallback profile does not include a fallback ACL, the host is subject to the auth-default-ACL associated

with the port.

Note If you use a custom logo with web authentication an d it is stored on an external server, the port ACL

must allow access to the external server before authentication. You must either configure a static port

ACL or change the auth-default-ACL to provide appropriate access to the external server.

Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL

The switch uses these cisco-av-pair VSAs:

• url-redirect is the HTTP to HTTPS URL.

• url-redirect-acl is the switch ACL name or number.

The switch uses the CiscoSecure-Defined-ACL attribute value pair to intercept an HTTP or HTTPS

request from the end point device. The switch then forwards the client web browser to the specified

redirect address. The url-redirect attribute value pair on the Cisco Secure ACS contains the URL to

which the web browser is redirected. The url-redirect-acl attribute value pair contains the name or

number of an ACL that specifies the HTTP or HTTPS traffic to redirect. Traffic that matches a permit

ACE in the ACL is redirected.

Note Define the URL redirect ACL and the default port ACL on the switch.

If a redirect URL is configured for a client on the authentication server, a default port ACL on the

connected client switch port must also be configured.

Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs

You can set the CiscoSecure-Defined-ACL Attribute-Value pair on the Cisco Secure ACS with the

RADIUS cisco-av-pair vendor-specific attributes (VSAs). This pair specifies the names of the

downloadable ACLs on the Cisco Secure ACS with the #ACL#-IP-na me-number attribute.

• The name is the ACL name.

• The number is the version number (for example, 3f783768).

If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the

connected client switch port must also be configured.

If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access-policy to

the switch, it applies the policy to traffic from the host connected to a switch port. If the policy does not

apply, the switch applies the default ACL. If the Cisco Secure ACS sends the switch a downloadable

ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However,

if the switch receives an host access policy from the Cisco Secure ACS but the default ACL is not

configured, the authorization failure is declared.

For configuration details, see the “Authentication Manager” section on page 13-6 and the “Configuring

802.1x Authentication with Downloadable ACLs and Redirect URL s” section on page 13-48.