10-22
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
If there is no static ACL on a port in open authentication mode:
An auth-default-ACL-OPEN is created and allows all traffic.
Policies are enforced with IP address insertion to prevent security breaches.
Web authentication is subject to the auth-default-ACL-OPEN.
To control access for hosts with no authorization policy, you can configure a directive. The supported
values for the directive are open and default. When you configure the open directive, all traffic is
allowed. The default directive subjects traffic to the access provided by the port. You can configure the
directive either in the user profile on the AAA server or on the switch. To configure the directive on the
AAA server, use the authz-directive =<open/default> global command. To configure the directive on
the switch, use the epm access-control open global configuration command.
Note The default value of the directive is default.
If a host falls back to web authentication on a port without a configured ACL:
If the port is in open authentication mode, the auth-default-ACL-OPEN is created.
If the port is in closed authentication mode, the auth-default-ACL is created.
The access control entries (ACEs) in the fallback ACL are converted to per-user entries. If the configured
fallback profile does not include a fallback ACL, the host is subject to the auth-default-ACL associated
with the port.
Note If you use a custom logo with web authentication and it is stored on an external server, the port ACL
must allow access to the external server before authentication. You must either configure a static port
ACL or change the auth-default-ACL to provide appropriate access to the external server.
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL
The switch uses these cisco-av-pair VSAs:
url-redirect is the HTTP or HTTPS URL.
url-redirect-acl is the switch ACL name or number.
The switch uses the CiscoSecure-Defined-ACL attribute value pair to intercept an HTTP or HTTPS
request from the end point device. The switch then forwards the client web browser to the specified
redirect address. The url-redirect attribute value pair on the Cisco Secure ACS contains the URL to
which the web browser is redirected. The url-redirect-acl attribute value pair contains the name or
number of an ACL that specifies the HTTP or HTTPS traffic to redirect.
Note Traffic that matches a permit ACE in the ACL is redirected.
Define the URL redirect ACL and the default port ACL on the switch.
If a redirect URL is configured for a client on the authentication server, a default port ACL on the
connected client switch port must also be configured.