Using Ieee 802.1X Authentication With Per-User Acls - Cisco 3020 - Catalyst Blade Switch Configuration Manual

Chapter 7 Configuring IEEE 802.1x Port-Based Authentication
The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
•
•
•
For examples of tunnel attributes, see the
Attributes" section on page

Using IEEE 802.1x Authentication with Per-User ACLs

You can enable per-user access control lists (ACLs) to provide different levels of network access and
service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates a user connected
to an IEEE 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the
switch. The switch applies the attributes to the IEEE 802.1x port for the duration of the user session. The
switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a
link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running
configuration. When the port is unauthorized, the switch removes the ACL from the port.
You can configure only port ACLS on the switch port.RADIUS supports per-user attributes, including
vendor-specific attributes. These vendor-specific attributes (VSAs) are in octet-string format and are
passed to the switch during the authentication process. The VSAs used for per-user ACLs are
for the ingress direction and
ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs
in the egress direction on Layer 2 ports. For more information, see
Security with ACLs."
Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS
server. When the definitions are passed from the RADIUS server, they are created by using the extended
naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on
the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress
filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the
outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the
Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and
IP extended ACLs).
Only one IEEE 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled
on the port, the per-user ACL attribute is disabled for the associated port.
OL-8915-01
Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
Enable IEEE 802.1x authentication. (The VLAN assignment feature is automatically enabled when
you configure IEEE 802.1x authentication on an access port).
Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return
these attributes to the switch:
[64] Tunnel-Type = VLAN
–
[65] Tunnel-Medium-Type = 802
–
[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
–
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802
(type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the
IEEE 802.1x-authenticated user.
6-29.
outacl#< n >
Understanding IEEE 802.1x Port-Based Authentication
"Configuring the Switch to Use Vendor-Specific RADIUS
for the egress direction. MAC ACLs are supported only in the
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide
inacl#< n >
Chapter 26, "Configuring Network
7-11