Cisco IE-4000 Software Configuration Manual page 209

Industrial ethernet switch

Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Note:
If you use a custom logo with web authentication and it is stored on an external server, the port ACL must allow
access to the external server before authentication. You must either configure a static port ACL or change the
auth-default-ACL to provide appropriate access to the external server.
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL
The switch uses these cisco-av-pair VSAs:
url-redirect is the HTTP or HTTPS URL.
url-redirect-acl is the switch ACL name or number.
The switch uses the CiscoSecure-Defined-ACL attribute-value pair to intercept an HTTP or HTTPS request from the endpoint
device. The switch then forwards the client web browser to the specified redirect address. The url-redirect attribute-value
pair on the Cisco Secure ACS contains the URL to which the web browser is redirected. The url-redirect-acl attribute-value
pair contains the name or number of an ACL that specifies the HTTP or HTTPS traffic to redirect. Only traffic that matches
a permit ACE in that ACL is redirected; traffic matching a deny ACE (for example, to the portal itself) passes through unredirected.
Note:
Define the URL redirect ACL and the default port ACL on the switch.
If a redirect URL is configured for a client on the authentication server, a default port ACL on the connected client switch
port must also be configured.
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs
You can set the CiscoSecure-Defined-ACL Attribute-Value pair on the Cisco Secure ACS with the RADIUS cisco-av-pair
vendor-specific attributes (VSAs). This pair specifies the names of the downloadable ACLs on the Cisco Secure ACS
with the #ACL#-IP-name-number attribute.
The name is the ACL name.
The number is the version number (for example, 3f783768).
If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the connected client
switch port must also be configured.
If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access policy to the switch, the switch
applies that policy to traffic from the host connected to the switch port. If the policy does not apply, the switch applies the
default ACL. If the Cisco Secure ACS sends the switch a downloadable ACL, this ACL takes precedence over the default
ACL that is configured on the switch port. However, if the switch receives a host-access policy from the Cisco Secure
ACS but no default ACL is configured on the port, the switch declares an authorization failure.
For configuration details, see Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs, page 231.
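The following is an added example, not configuration from the Cisco manual, showing how the switch side of both cases above (the redirect URL AV pairs and the downloadable ACL with its mandatory default port ACL) fits together on one access port. The ACL names redirect-acl, default-acl and guest-acl, the interface and VLAN, the addresses 203.0.113.20 (web authentication portal) and 192.0.2.10 (external logo server), the RADIUS server definition and the ACS attribute values are all assumed for illustration. The cisco-av-pair lines are what the ACS authorization profile would send in RADIUS, written here as comments; they are not switch CLI.

```cisco
! Added example (not from the Cisco manual). All names, addresses and the
! RADIUS attribute values below are assumptions chosen for illustration.
! The radius server host/key definition is assumed to exist already.

aaa new-model
aaa authentication dot1x default group radius
! Network authorization is what lets the switch accept the VSAs
! (downloadable ACL, url-redirect, url-redirect-acl) from ACS.
aaa authorization network default group radius
radius-server vsa send authentication
! Redirect and downloadable ACLs are applied per host, so the switch
! must learn each host's IP address.
ip device tracking
! The switch terminates the HTTP/HTTPS request it intercepts and redirects.
ip http server
ip http secure-server

! 1. URL redirect ACL, named in the url-redirect-acl AV pair.
!    Traffic matching a PERMIT ACE is redirected, so the portal itself
!    must be excluded with DENY or the browser loops on the redirect.
ip access-list extended redirect-acl
 deny   tcp any host 203.0.113.20 eq www
 deny   tcp any host 203.0.113.20 eq 443
 permit tcp any any eq www
 permit tcp any any eq 443

! 2. Default port ACL. Required on the port whenever ACS returns a redirect
!    URL or a downloadable ACL; without it the switch declares an
!    authorization failure. It must also pass the pre-authentication traffic
!    the host needs: DHCP, DNS, the portal, the external logo server, and the
!    HTTP/HTTPS that redirect-acl is expected to intercept.
ip access-list extended default-acl
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 203.0.113.20 eq www
 permit tcp any host 203.0.113.20 eq 443
 permit tcp any host 192.0.2.10 eq www
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any

! 3. Access port with the static default ACL applied, 802.1x first, then MAB.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 ip access-group default-acl in
 authentication order dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab

! 4. What the ACS authorization profile returns in cisco-av-pair (assumed
!    values, not switch CLI). The downloadable ACL named here replaces
!    default-acl for this host once authorization succeeds; default-acl
!    still has to be present on the port or authorization fails.
!    cisco-av-pair = url-redirect=https://203.0.113.20/auth/login.html
!    cisco-av-pair = url-redirect-acl=redirect-acl
!    cisco-av-pair = ACS:CiscoSecure-Defined-ACL=#ACL#-IP-guest-acl-3f783768

! 5. Verify which ACL and redirect the session is actually using.
! show authentication sessions interface GigabitEthernet1/1 details
! show ip access-lists interface GigabitEthernet1/1
```

When checking the session, confirm that the ACL shown is the downloaded guest-acl rather than default-acl; if the port shows no ACL and the session is in an authorization-failed state, the usual cause is the missing static default port ACL or the absence of aaa authorization network.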
VLAN ID-Based MAC Authentication
You can use VLAN ID-based MAC authentication if you want to authenticate hosts based on a static VLAN ID instead of
a downloadable VLAN. When you have a static VLAN policy configured on your switch, VLAN information is sent to an
IAS (Microsoft) RADIUS server along with the MAC address of each host for authentication. The VLAN ID configured on
the connected port is used for MAC authentication. By using VLAN ID-based MAC authentication with an IAS server, you
can have a fixed number of VLANs in the network.
The feature also limits the number of VLANs monitored and handled by STP. The network can be managed as a fixed
VLAN.
Note:
This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new hosts and
only authenticates based on the MAC address.)
This manual is also suitable for: IE-5000, IE-4010