Cisco Systems OL-8550-09 Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL

10-22

Catalyst 3750 SwitchSoftware Configuration Guide

OL-8550-09

Chapter10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

If there is no static ACL on a port in open authentication mode:

•An auth-default-ACL-OPEN is created and allows all traffic.

•Policies are enforced with IP address insertion to prevent security breaches.

•Web authentication is subject to the auth-default-ACL-OPEN.

To control access for hosts with no authorization policy, you can configure a directive. The supported

values for the directive are open and default. When you configure the open directive, all traffic is

allowed. The default directive subjects traffic to the access provided by the port. You can configure the

directive either in the user profile on the AAA server or on the switch. To configure the directive on the

AAA server, use the authz-directive =<open/default> global command. To configure the directive on

the switch, use the epm access-control open global configuration command.

Note The default value of the directive is default.

If a host falls back to web authentication on a port without a configured ACL:

•If the port is in open authentication mode, the auth-default-ACL-OPEN is created.

•If the port is in closed authentication mode, the auth-default-ACL is created.

The access control entries (ACEs) in the fallback ACL are converted to per-user entries. If the configured

fallback profile does not include a fallback ACL, the host is subject to the auth-default-ACL associated

with the port.

Note If you use a custom logo with web authentication and it is stored on an external server, the port ACL

must allow access to the external server before authentication. You must either configure a static port

ACL or change the auth-default-ACL to provide appropriate access to the external server.

Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL

The switch uses these cisco-av-pair VSAs:

•url-redirect is the HTTP or HTTPS URL.

•url-redirect-acl is the switch ACL name or number.

The switch uses the CiscoSecure-Defined-ACL attribute value pair to intercept an HTTP or HTTPS

request from the end point device. The switch then forwards the client web browser to the specified

redirect address. The url-redirect attribute value pair on the Cisco Secure ACS contains the URL to

which the web browser is redirected. The url-redirect-acl attribute value pair contains the name or

number of an ACL that specifies the HTTP or HTTPS traffic to redirect.

Note • Traffic that matches a permit ACE in the ACL is redirected.

•Define the URL redirect ACL and the default port ACL on the switch.

If a redirect URL is configured for a client on the authentication server, a default port ACL on the

connected client switch port must also be configured.