Using Ieee 802.1X Authentication With Acls And The Radius Filter-Id Attribute; Common Session Id - Cisco Catalyst 2960 Software Configuration Manual
Hide thumbs
Also See for Catalyst 2960:
- Configuration manual (2288 pages) ,
- Command reference manual (800 pages) ,
- Hardware installation manual (108 pages)
Table of Contents
Advertisement
Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
Guidelines
•
•
•
For more information, see the
section on page
Using IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute
To use IEEE 802.1x authentication with ACLs and the Filter-Id attribute, the switch must be running the
Note
LAN base image.
The switch supports both IP standard and IP extended port access control lists (ACLs) applied to ingress
ports.
•
•
An IEEE 802.1x port in single-host mode uses ACLs from the ACS to provide different levels of service
to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates this type of user and port,
it sends ACL attributes based on the user identity to the switch. The switch applies the attributes to the
port for the duration of the user session. If the session is over, authentication fails, or a link fails, the port
becomes unauthorized, and the switch removes the ACL from the port.
Only IP standard and IP extended port ACLs from the ACS support the Filter-Id attribute. It specifies the
name or number of an ACL. The Filter-id attribute can also specify the direction (inbound or outbound)
and a user or a group to which the user belongs.
•
•
•
If the Filter-Id attribute is not defined on the switch, authentication fails, and the port returns to the
unauthorized state.
Common Session ID
Authentication manager uses a single session ID (referred to as a common session ID) for a client no
matter which authentication method is used. This ID is used for all reporting purposes, such as the show
commands and MIBs. The session ID appears with all per-session syslog messages.
OL-26520-01
You can configure NEAT ports with the same configurations as the other authentication ports. When
the supplicant switch authenticates, the port mode is changed from access to trunk based on the
switch vendor-specific attributes (VSAs). (device-traffic-class=switch).
The VSA changes the authenticator switch port mode from access to trunk and enables 802.1x trunk
encapsulation and the access VLAN if any would be converted to a native trunk VLAN. VSA does
not change any of the port configurations on the supplicant
To change the host mode and the apply a standard port configuration on the authenticator switch
port, you can also use Auto Smartports user-defined macros, instead of the switch VSA. This allows
you to remove unsupported configurations on the authenticator switch port and to change the port
mode from access to trunk. For information, see the AutoSmartports Configuration Guide.
10-61.
ACLs that you configure
ACLs from the Access Control Server (ACS)
The Filter-Id attribute for the user takes precedence over that for the group.
If a Filter-Id attribute from the ACS specifies an ACL that is already configure, it takes precedence
over a user-configured ACL.
If the RADIUS server sends more than one Filter-Id attribute, only the last attribute is applied.
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
"Configuring an Authenticator and a Supplicant Switch with NEAT"
Understanding IEEE 802.1x Port-Based Authentication
10-35
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
