Cisco Catalyst 2960 Software Configuration Manual page 289
Hide thumbs
Also See for Catalyst 2960:
- Configuration manual (2288 pages) ,
- Command reference manual (800 pages) ,
- Hardware installation manual (108 pages)
Table of Contents
Advertisement
Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
The auth-default-ACL does not appear in the running configuration.
Note
The auth-default ACL is created when at least one host with an authorization policy is detected on the
port. The auth-default ACL is removed from the port when the last authenticated session ends. You can
configure the auth-default ACL by using the ip access-list extended auth-default-acl global
configuration command.
Note
The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode.
You must configure a static ACL on the interface to support CDP bypass.
The 802.1x and MAB authentication methods support two authentication modes, open and closed. If
there is no static ACL on a port in closed authentication mode:
An auth-default-ACL is created.
•
The auth-default-ACL allows only DHCP traffic until policies are enforced.
•
When the first host authenticates, the authorization policy is applied without IP address insertion.
•
When a second host is detected, the policies for the first host are refreshed, and policies for the first
•
and subsequent sessions are enforced with IP address insertion.
If there is no static ACL on a port in open authentication mode:
An auth-default-ACL-OPEN is created and allows all traffic.
•
Policies are enforced with IP address insertion to prevent security breaches.
•
Web authentication is subject to the auth-default-ACL-OPEN.
•
To control access for hosts with no authorization policy, you can configure a directive. The supported
values for the directive are open and default. When you configure the open directive, all traffic is
allowed. The default directive subjects traffic to the access provided by the port. You can configure the
directive either in the user profile on the AAA server or on the switch. To configure the directive on the
AAA server, use the authz-directive =<open/default> global command. To configure the directive on
the switch, use the epm access-control open global configuration command.
The default value of the directive is default.
Note
If a host falls back to web authentication on a port without a configured ACL:
If the port is in open authentication mode, the auth-default-ACL-OPEN is created.
•
If the port is in closed authentication mode, the auth-default-ACL is created.
•
The access control entries (ACEs) in the fallback ACL are converted to per-user entries. If the configured
fallback profile does not include a fallback ACL, the host is subject to the auth-default-ACL associated
with the port.
If you use a custom logo with web authentication and it is stored on an external server, the port ACL
Note
must allow access to the external server before authentication. You must either configure a static port
ACL or change the auth-default-ACL to provide appropriate access to the external server.
OL-26520-01
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
Understanding IEEE 802.1x Port-Based Authentication
10-21
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
