Cisco Catalyst 4500 Series Configuration Manual page 1013

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Chapter 44
Configuring 802.1X Port-Based Authentication
Configuring the Switch
To configure the switch for per-user ACL and filter-ID ACL:
Step 1 Configure the IP device tracking table.
Switch(config)# ip device tracking
Step 2 Configure static ACL for the interface.
Switch(config)# int g2/9
Switch(config-if)# ip access-group pacl-4 in
Interface Configuration Example
Switch# show running-config interface g2/9
Building configuration...
Current configuration : 617 bytes
!
interface GigabitEthernet2/9
 switchport
 switchport access vlan 29
 switchport mode access
 switchport voice vlan 1234
 access-group mode prefer port
 ip access-group pacl-4 in
 speed 100
 duplex full
 authentication event fail action authorize vlan 111
 authentication event server dead action authorize vlan 333
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x
 authentication port-control auto
 authentication timer restart 100
 authentication timer reauthenticate 20
 authentication timer inactivity 200
 mab eap
 dot1x pae authenticator
end
Switch#
Switch# show ip access-list pacl-4
10 permit ip host 1.1.1.1 host 2.2.2.2
20 permit icmp host 1.1.1.1 host 2.2.2.2
Switch#
Per-User ACL Configuration in ACS
In the Group/User Setting page, scroll down to the Cisco IOS/PIX 6.x RADIUS Attributes section. Select the box next to [009\001 cisco-av-pair] and enter the elements of the per-user ACL. Per-user ACLs take this format:
protocol_#:inacl# sequence number=ACE
protocol Either ip (for IP-based ACLs) or mac (for MAC-based ACLs)
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
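A pre-check for per-user ACL entries before they are entered in the cisco-av-pair box, as an added example that is not from the Cisco manual. It assumes the format line above resolves to values such as `ip:inacl#10=permit ...`; the function names are hypothetical and the sample entries are constructed from the pacl-4 ACL shown on this page.

```python
import re

# Assumed concrete shape of the manual's "protocol_#:inacl# sequence number=ACE"
# format line, e.g. "ip:inacl#10=permit ip host 1.1.1.1 host 2.2.2.2".
AV_PAIR = re.compile(r"^(?P<proto>[a-z]+):inacl#(?P<seq>\d+)=(?P<ace>\S.*)$")
PROTOCOLS = {"ip", "mac"}          # the two protocol values the manual lists
ACTIONS = {"permit", "deny"}       # an ACE must start with one of these


def to_av_pairs(aces, proto="ip"):
    """Turn numbered ACEs ('10 permit ...') into cisco-av-pair values."""
    pairs = []
    for line in aces:
        seq, ace = line.split(None, 1)
        pairs.append(f"{proto}:inacl#{int(seq)}={ace.strip()}")
    return pairs


def check_av_pairs(pairs):
    """Return (ordered ACEs, problems) for a list of cisco-av-pair values."""
    seen, problems = {}, []
    for raw in pairs:
        m = AV_PAIR.match(raw.strip())
        if not m:
            problems.append(f"not in protocol:inacl#seq=ACE form: {raw!r}")
            continue
        proto, seq, ace = m["proto"], int(m["seq"]), m["ace"].strip()
        if proto not in PROTOCOLS:
            problems.append(f"unknown protocol {proto!r}: {raw!r}")
        elif ace.split()[0] not in ACTIONS:
            problems.append(f"ACE must start with permit or deny: {raw!r}")
        elif seq in seen:
            problems.append(f"duplicate sequence number {seq}: {raw!r}")
        else:
            seen[seq] = (proto, ace)
    return [(s, *seen[s]) for s in sorted(seen)], problems


# Constructed input: the two pacl-4 entries from the page, reused as a per-user ACL.
PACL_4 = ["10 permit ip host 1.1.1.1 host 2.2.2.2",
          "20 permit icmp host 1.1.1.1 host 2.2.2.2"]

if __name__ == "__main__":
    good = to_av_pairs(PACL_4)
    # Constructed bad entries: wrong protocol, duplicate sequence, missing action.
    bad = ["ipx:inacl#30=permit ip any any", good[0], "ip:inacl#40=ip any any"]
    aces, problems = check_av_pairs(good + bad)
    print(*good, *problems, sep="\n")
```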
