802.1X Authentication With Per-User Acls - Cisco Catalyst 2960-XR Security Configuration Manual

802.1x Authentication with Per-User ACLs

• If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice VLAN
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or
with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
• Enable AAA authorization by using the network keyword to allow interface configuration from the
• Enable 802.1x authentication. (The VLAN assignment feature is automatically enabled when you
• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these
802.1x Authentication with Per-User ACLs
You can enable per-user access control lists (ACLs) to provide different levels of network access and service
to an 802.1x-authenticated user. When the RADIUS server authenticates a user connected to an 802.1x port,
it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the
attributes to the 802.1x port for the duration of the user session. The switch removes the per-user ACL
configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch
does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the
switch removes the ACL from the port.
You can configure router ACLs and input port ACLs on the same switch. However, a port ACL takes precedence
over a router ACL. If you apply input port ACL to an interface that belongs to a VLAN, the port ACL takes
precedence over an input router ACL applied to the VLAN interface. Incoming packets received on the port
to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on other ports
are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To avoid configuration
conflicts, you should carefully plan the user profiles stored on the RADIUS server.
RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes
(VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs
used for per-user ACLs are inacl#<n> for the ingress direction and outacl#<n> for the egress direction. MAC
ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It
does not support port ACLs in the egress direction on Layer 2 ports.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
228
disabled until a valid configuration is restored where data and voice device configured VLANs no longer
match.
configuration, or modifying the configuration value to dot1p or untagged results in voice device
un-authorization and the disablement of multi-domain host mode.
RADIUS server.
configure 802.1x authentication on an access port).
attributes to the switch:
◦ [64] Tunnel-Type = VLAN
◦ [65] Tunnel-Medium-Type = 802
◦ [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type
6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.
Configuring IEEE 802.1x Port-Based Authentication
OL-29434-01