Configuring Authentication Server DiffServ Filter Assignments
To enable DiffServ filter assignment by an external server, the following
conditions must be true:
•
The port that the host is connected to must be enabled for MAC-based
port access control by using the following command in Interface Config
mode:
dot1x port-control mac-based
•
The RADIUS or 802.1X server must specify the policy to assign.
For example, if the DiffServ policy to assign is named internet_access,
include the following attribute in the RADIUS or 802.1X server
configuration:
Filter-id = "internet_access"
•
The DiffServ policy specified in the attribute must already be configured
on the switch, and the policy names must be identical.
For information about configuring a DiffServ policy, see "DiffServ
Configuration Examples" on page 1098. The example "Providing Subnets
Equal Access to External Network" on page 1098, describes how to
configure a policy named internet_access.
If you use an authentication server to assign DiffServ policies to an
authenticated user, note the following guidelines:
•
If the policy specified within the server attribute does not exist on the
switch, authentication will fail.
•
Do not delete policies used as the filter ID in the RADIUS server while
802.1X is enabled.
Do not use the DiffServ service-policy command to apply the filter to an
•
interface if you configure the RADIUS server or 802.1X authenticator to
assign the DiffServ filter.
In the following example, Company XYZ uses IEEE 802.1X to authenticate
all users. Contractors and temporary employees at Company XYZ are not
permitted to have access to SSH ports, and data rates for Web traffic is
limited. When a contractor is authenticated by the RADIUS server, the server
assigns a DiffServ policy to control the traffic restrictions.
520
Configuring 802.1X and Port-Based Security