Configuring 802.1X Authentication With Per-User ACL and Filter-ID ACL (Cisco Catalyst 4500 Series Software Configuration Guide)

Chapter 46
Configuring 802.1X Port-Based Authentication
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E, OL_28731-01, page 46-47

Command / Purpose (steps 11 through 14 of the downloadable policy procedure)

Step 11
Command: Switch(config)# radius-server vsa send authentication
Purpose: Configures the network access server to recognize and use vendor-specific attributes.
Note: The downloadable ACL must be operational.

Step 12
Command: Switch(config)# end
Purpose: Returns to privileged EXEC mode.

Step 13
Command: Switch# show ip device tracking {all | interface interface-id | ip ip-address | mac mac-address}
Purpose: Displays information about the entries in the IP device tracking table.

Step 14
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

The following example illustrates how to configure a switch for downloadable policy:

Switch# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# aaa new-model
Switch(config)# aaa authorization network default local
Switch(config)# ip device tracking
Switch(config)# ip access-list extended default_acl
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# radius-server vsa send authentication
Switch(config)# int fastEthernet 2/13
Switch(config-if)# ip access-group default_acl in
Switch(config-if)# exit

Configuring 802.1X Authentication with Per-User ACL and Filter-ID ACL

This section includes the following topics:
Per-User ACL and Filter-ID ACL, page 46-47
Configuring a Per-User ACL and Filter-ID ACL, page 46-54

Per-User ACL and Filter-ID ACL

Prior to Cisco IOS Release 12.2(52)SG, the Catalyst 4500 platform supported only downloadable ACLs, which work with the Cisco ACS server but not with third-party AAA servers. Starting with Cisco IOS Release 12.2(52)SG, the Catalyst 4500 switch offers the Filter-ID/Per-user-acl enhancement, which allows ACL policy enforcement using a third-party AAA server.

The Filter-ID feature provides the following capabilities:
The Filter-ID option allows an administrator to define the ACL name on the AAA server using the IETF standard RADIUS attribute (Filter-Id, attribute 11 in RFC 2865). The ACL itself must be preconfigured locally on the switch; the RADIUS server only names it, so the server cannot push an ACL that the switch does not already hold.

The Per-user-acl feature provides the following capabilities:
The Per-user-acl option allows an administrator to define the per-user ACL itself on the AAA server using Cisco RADIUS AV pairs, so the ACL entries are carried from the server to the switch with each authorization. A third-party AAA server can interoperate by loading the Cisco RADIUS dictionary, in which the Cisco RADIUS AV pairs are configured as a vendor-specific attribute (VSA).

Note: The RADIUS vendor-specific attributes (VSAs) allow vendors to support their own proprietary RADIUS attributes that are not included in the standard RADIUS attributes.
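The following is an added example, written in Python for this page; it is not Cisco code and does not appear in the original guide. It encodes the two kinds of Access-Accept attribute described above exactly as they travel on the wire (an IETF Filter-Id, and Cisco AV pairs wrapped in the Vendor-Specific attribute with vendor ID 9), decodes them again, and then models the switch-side rule stated on this page: a Filter-Id must name an ACL that is already configured locally, whereas per-user ACL entries (ip:inacl#N) arrive inline. The helper names (avp, filter_id, cisco_avpair, per_user_acl, parse_attributes, resolve_policy, demo) are this example's own, the ACL names and ACEs are constructed sample data, and the rule that inline entries take precedence when both attributes appear is an assumption of the example, not something the guide states.

```python
import struct

# RFC 2865 attribute types behind the two mechanisms described above.
FILTER_ID = 11          # IETF Filter-Id: carries only the name of an ACL already on the switch
VENDOR_SPECIFIC = 26    # IETF Vendor-Specific: wraps the Cisco AV pair
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco (the "vendor 9" of the Cisco dictionary)
CISCO_AVPAIR = 1        # Cisco vendor type for cisco-avpair


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def filter_id(acl_name):
    """Filter-Id: the server sends a name only; the ACL body must be preconfigured on the switch."""
    return avp(FILTER_ID, acl_name.encode())


def cisco_avpair(text):
    """Cisco-AVPair as a VSA: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String inside attribute 26."""
    body = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(body) + 2) + body
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def per_user_acl(aces):
    """Per-user ACL: one ip:inacl#N AV pair per ACE; N fixes the order in which the ACEs apply."""
    return b"".join(cisco_avpair("ip:inacl#%d=%s" % (n, ace)) for n, ace in enumerate(aces, 1))


def parse_attributes(data):
    """Decode an attribute area into (name, text) pairs, rejecting malformed lengths instead of guessing."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length %d exceeds packet" % length)
        value = data[pos + 2:pos + length]
        if attr_type == FILTER_ID:
            out.append(("Filter-Id", value.decode()))
        elif attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("truncated VSA header")
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == len(value) - 4:
                out.append(("Cisco-AVPair", value[6:].decode()))
            else:
                out.append(("Vendor-Specific", value))   # some other vendor's VSA: left opaque
        else:
            out.append((attr_type, value))
        pos += length
    return out


def resolve_policy(attrs, local_acls):
    """Model of the switch-side rule on this page: a Filter-Id must name an ACL that already exists
    locally, while per-user ACL entries arrive inline in ip:inacl#N AV pairs.
    Assumption of this example (not stated on the page): inline entries win when both are present."""
    inline = {}
    for name, text in attrs:
        if name == "Cisco-AVPair" and text.startswith("ip:inacl#"):
            seq, _, ace = text[len("ip:inacl#"):].partition("=")
            if not seq.isdigit() or not ace:
                raise ValueError("malformed per-user ACL entry: %r" % text)
            inline[int(seq)] = ace
    if inline:
        return ("per-user-acl", [inline[n] for n in sorted(inline)])
    for name, text in attrs:
        if name == "Filter-Id":
            if text not in local_acls:
                raise LookupError("Filter-Id %r is not preconfigured on the switch" % text)
            return ("filter-id", text)
    return ("none", [])


def demo():
    """Constructed sample: the ACL names a switch would hold after 'ip access-list extended', plus one
    Access-Accept that names guest_acl by Filter-Id and one that ships its ACEs inline."""
    local_acls = {"default_acl", "guest_acl"}
    by_name = parse_attributes(filter_id("guest_acl"))
    inline = parse_attributes(per_user_acl(
        ["permit tcp any any eq 80", "permit udp any any eq 53", "deny ip any any"]))
    return resolve_policy(by_name, local_acls), resolve_policy(inline, local_acls)


if __name__ == "__main__":
    print(demo())
```

The decoder refuses attributes whose declared length runs past the buffer rather than silently truncating, and the policy resolver raises rather than falling back to an open port when a Filter-Id names an ACL the switch does not have; in both cases failing closed is the behaviour a practitioner wants from an authorization path.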