Using 802.1X Authentication With Acl Assignments And Redirect Urls - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex

Chapter 49
Configuring 802.1X Port-Based Authentication
Whenever port security ages out an 802.1X client's MAC address, 802.1X attempts to reauthenticate the client. The client's MAC
address is retained in the port security table only if the reauthentication succeeds.
All 802.1X client MAC addresses are tagged with (dot1x) when you display the port security table by using the CLI.

Using 802.1X Authentication with ACL Assignments and Redirect URLs

Beginning with Cisco IOS Release 12.2(50)SG, you can download per-host policies such as ACLs and redirect URLs to the
switch from the RADIUS server during 802.1X or MAB authentication of the host. ACL download is also supported with web
authentication after a fallback from 802.1X or MAB.
When the 802.1X host mode of the port is single-host, MDA, or multiple authentication, the downloaded ACLs (DACLs)
are modified to use each authenticated host's IP address as the source address. When the host mode is multiple-hosts, the source
address is configured as ANY, and the downloaded ACLs or redirects apply to all devices on the port.
If no ACLs are provided during the authentication of a host, the static default ACL configured on the port is applied to the host.
On a voice VLAN port, only the static default ACL of the port is applied to the phone.
This section includes these topics:
Cisco Secure ACS and AV Pairs for URL-Redirect, page 49-19
ACLs, page 49-20
For details on how to configure downloadable ACLs and URL redirect, see the "Configuring 802.1X Authentication with
ACL Assignments and Redirect URLs" section on page 49-38.
Cisco Secure ACS and AV Pairs for URL-Redirect
When downloadable ACL is enabled, Cisco Secure ACS provides AAA services through RADIUS.
You can set these Attribute-Value (AV) pairs on the Cisco Secure ACS with RADIUS cisco-av-pair vendor-specific attributes
(VSAs):
CiscoSecure-Defined-ACL specifies the names of the DACLs on the Cisco Secure ACS. The switch receives the ACL name
using the CiscoSecure-Defined-ACL AV pair in the format:
#ACL#-IP-name-number
name is the ACL name and number is the version number (for example, 3f783768).
The Auth-Manager code verifies whether the access control entries (ACEs) of the specified downloadable ACL were
previously downloaded. If not, the Auth-Manager code sends an AAA request with the downloadable ACL name as the
username so that the ACEs are downloaded. The downloadable ACL is then created as a named ACL on the switch. This
ACL has ACEs with a source address of any and does not have an implicit deny statement at the end. When the
downloadable ACL is applied to an interface after authentication completes, the source address changes from any to the
host source IP address depending on the host mode of the interface. The ACEs are prepended to the downloadable ACL
applied to the switch interface to which the endpoint device is connected. If traffic matches the CiscoSecure-Defined-ACL
ACEs, the appropriate actions are taken.
url-redirect and url-redirect-acl specify the local URL policy on the switch. The switches use these cisco-av-pair VSAs as
follows:
url-redirect = <HTTP or HTTPS URL>
url-redirect-acl = switch ACL name or number
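The following Python model, added here as an illustration and not Cisco IOS code, ties together the two behaviours described above: it parses the CiscoSecure-Defined-ACL, url-redirect and url-redirect-acl cisco-av-pair values out of a constructed Access-Accept, downloads the named DACL only when that name/version is not already cached (the AAA request that uses the DACL name as the username is represented by a lookup callback), and builds the ACL the port ends up with, rewriting the source from any to the host IP in single-host, MDA and multi-auth modes, leaving any in multi-host mode, prepending the DACL ACEs to the port's static default ACL, and falling back to the static default ACL when no DACL is received. The sample attribute values, ACL text and the ACE token layout (action, protocol, source, destination) are constructed assumptions.

```python
"""Model of DACL and URL-redirect handling on an 802.1X port (added example, not Cisco code).
The Access-Accept contents, DACL text and static default ACL below are constructed."""
import re
from typing import Callable, Dict, List, Optional

# CiscoSecure-Defined-ACL value format: #ACL#-IP-name-number (number is a hex version tag)
DACL_NAME_RE = re.compile(r"^#ACL#-IP-(?P<name>.+)-(?P<version>[0-9a-fA-F]+)$")

# Host modes in which the switch rewrites the DACL source address from 'any' to the host IP
PER_HOST_MODES = {"single-host", "mda", "multi-auth"}


def parse_av_pairs(av_pairs: List[str]) -> Dict[str, Optional[str]]:
    """Extract the DACL name/version and the URL-redirect policy from raw 'key=value'
    cisco-av-pair VSA strings. Unknown keys are ignored; malformed values are rejected."""
    policy: Dict[str, Optional[str]] = {"dacl_name": None, "dacl_version": None,
                                        "url_redirect": None, "url_redirect_acl": None}
    for pair in av_pairs:
        key, _, value = pair.partition("=")
        key, value = key.strip(), value.strip()
        if key == "CiscoSecure-Defined-ACL":
            m = DACL_NAME_RE.match(value)
            if not m:
                raise ValueError(f"malformed CiscoSecure-Defined-ACL value: {value!r}")
            policy["dacl_name"] = m.group("name")
            policy["dacl_version"] = m.group("version")
        elif key == "url-redirect":
            if not value.lower().startswith(("http://", "https://")):
                raise ValueError(f"url-redirect must be an HTTP or HTTPS URL: {value!r}")
            policy["url_redirect"] = value
        elif key == "url-redirect-acl":
            policy["url_redirect_acl"] = value
    return policy


def fetch_dacl(dacl_id: str, cache: Dict[str, List[str]],
               aaa_lookup: Callable[[str], List[str]]) -> List[str]:
    """Return the ACEs of a DACL, downloading them only if this name/version is not cached.
    aaa_lookup stands in for the AAA request the switch sends with the DACL name as username."""
    if dacl_id not in cache:
        cache[dacl_id] = list(aaa_lookup(dacl_id))
    return cache[dacl_id]


def rewrite_source(ace: str, host_ip: str) -> str:
    """Replace a source of 'any' with 'host <ip>'. Assumed ACE layout: action proto src dst ..."""
    tokens = ace.split()
    if len(tokens) >= 3 and tokens[2] == "any":
        tokens[2] = f"host {host_ip}"
    return " ".join(tokens)


def effective_acl(dacl_aces: List[str], host_mode: str, host_ip: str,
                  static_default_acl: List[str]) -> List[str]:
    """Build the ACL applied on the port for one authenticated host. With no DACL the static
    default ACL is used alone. Otherwise the DACL ACEs (source rewritten to the host IP except
    in multi-host mode) are prepended to the static default ACL; the DACL carries no implicit
    deny, so non-matching traffic falls through to the port's static ACL."""
    if not dacl_aces:
        return list(static_default_acl)
    if host_mode in PER_HOST_MODES:
        dacl_aces = [rewrite_source(a, host_ip) for a in dacl_aces]
    elif host_mode != "multi-host":
        raise ValueError(f"unknown host mode {host_mode!r}")
    return dacl_aces + list(static_default_acl)


# Constructed Access-Accept cisco-av-pair values and constructed ACS DACL contents
SAMPLE_ACCESS_ACCEPT = [
    "CiscoSecure-Defined-ACL=#ACL#-IP-QUARANTINE-3f783768",
    "url-redirect=https://portal.example.com/remediate",
    "url-redirect-acl=REDIRECT-HTTP",
]
SAMPLE_ACS_DACLS = {
    "#ACL#-IP-QUARANTINE-3f783768": [
        "permit udp any any eq domain",
        "permit tcp any host 192.0.2.10 eq 443",
        "deny ip any any",
    ],
}
STATIC_DEFAULT_ACL = ["permit ip any any"]  # constructed placeholder port ACL


def demo(host_mode: str = "single-host", host_ip: str = "10.20.30.40") -> List[str]:
    """Run the whole flow for one host and return the ACL the port would apply."""
    policy = parse_av_pairs(SAMPLE_ACCESS_ACCEPT)
    dacl_id = f"#ACL#-IP-{policy['dacl_name']}-{policy['dacl_version']}"
    cache: Dict[str, List[str]] = {}
    aces = fetch_dacl(dacl_id, cache, SAMPLE_ACS_DACLS.__getitem__)
    return effective_acl(aces, host_mode, host_ip, STATIC_DEFAULT_ACL)


if __name__ == "__main__":
    for mode in ("single-host", "multi-host"):
        print(mode, demo(mode))
```

Note how the multi-host case leaves the source as any: every device behind the port, not just the authenticated one, is governed by the downloaded policy, which is the trade-off the host-mode description above describes.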
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
About 802.1X Port-Based Authentication
