Cisco Catalyst 3560-X Software Configuration Manual page 308

Understanding IEEE 802.1x Port-Based Authentication
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL
The switch uses these cisco-av-pair VSAs:
•
•
The switch uses the CiscoSecure-defined-ACL attribute value pair to intercept an HTTP or HTTPS
request from the end point. The switch then forwards the client web browser to the specified redirect
address. The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser
is redirected. The url-redirect-acl attribute value pair contains the name or number of an ACL that
specifies the HTTP or HTTPS traffic to redirect. Traffic that matches a permit ACE in the ACL is
redirected.
Define the URL redirect ACL and the default port ACL on the switch.
Note
If a redirect URL is configured for a client on the authentication server, a default port ACL on the
connected client switch port must also be configured
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs
You can set the CiscoSecure-Defined-ACL Attribute-Value (AV) pair on the Cisco Secure ACS with the
RADIUS cisco-av-pair vendor-specific attributes (VSAs). This pair specifies the names of the
downloadable ACLs on the Cisco Secure ACS with the #ACL#-IP-name-number attribute.
•
•
If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the
connected client switch port must also be configured.
If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access-policy to
the switch, it applies the policy to traffic from the host connected to a switch port. If the policy does not
apply, the switch applies the default ACL. If the Cisco Secure ACS sends the switch a downloadable
ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However,
if the switch receives an host access policy from the Cisco Secure ACS but the default ACL is not
configured, the authorization failure is declared.
For configuration details, see the
802.1x Authentication with Downloadable ACLs and Redirect URLs" section on page
VLAN ID-based MAC Authentication
You can use VLAN ID-based MAC authentication if you wish to authenticate hosts based on a static
VLAN ID instead of a downloadable VLAN. When you have a static VLAN policy configured on your
switch, VLAN information is sent to an IAS (Microsoft) RADIUS server along with the MAC address
of each host for authentication. The VLAN ID configured on the connected port is used for MAC
authentication. By using VLAN ID-based MAC authentication with an IAS server, you can have a fixed
number of VLANs in the network.
The feature also limits the number of VLANs monitored and handled by STP.The network can be
managed as a fixed VLAN.
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-20
url-redirect is the HTTP to HTTPS URL.
url-redirect-acl is the switch ACL name or number.
The name is the ACL name.
The number is the version number (for example, 3f783768).
Chapter 1
"Authentication Manager" section on page 1-7
Configuring IEEE 802.1x Port-Based Authentication
and the
1-71.
"Configuring
OL-25303-03