11-17
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication
Only one 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the
port, the per-user ACL attribute is disabled for the associated port.
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of
RADIUS-server per-user ACLs.
For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific
RADIUS Attributes” section on page 10-35. For more information about configuring ACLs, see
Chapter 37, “Configuring Network Security with ACLs.”
To configure per-user ACLs, you need to perform these tasks:
Enable AAA authentication.
Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
Enable 802.1x authentication.
Configure the user profile and VSAs on the RADIUS server.
Configure the 802.1x port for single-host mode.
Note Per-user ACLs are supported only in single-host mode.
802.1x Authentication with Downloadable ACLs and Redirect URLs
You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x
authentication or MAC authentication bypass of the host. You can also download ACLs during web
authentication.
Note A downloadable ACL is also referred to as a dACL.
If the host mode is single-host, MDA, or multiple-authentication mode, the switch modifies the source
address of the ACL to be the host IP address.
You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.
If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on
the port to the host. On a voice VLAN port, the switch applies the ACL only to the phone.
Note If a downloadable ACL or redirect URL is configured for a client on the authentication server, a default
port ACL on the connected client switch port must also be configured.

Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL

The switch uses these cisco-av-pair VSAs:
url-redirect is the HTTP to HTTPS URL.
url-redirect-acl is the switch ACL name or number.