Cisco WS-C6506 Software Manual page 1021

Catalyst 6500 series switch
Chapter 40
Configuring 802.1X Authentication
Overview
When you configure 802.1X with ACL assignments, the identity-based ACLs are used to dynamically
assign an access control policy to an interface that is based on the user's 802.1X authentication. This
feature restricts the users to certain network segments, limits the access to the sensitive servers, and
restricts the protocols and applications that may be used. This feature also allows you to provide very
specific identity-based security without compromising user mobility or significantly increasing the
administrative overhead.
When you configure 802.1X with ACL assignments, you eliminate the problem of creating, modifying,
and removing the access control policies that are based on the IP/MAC addresses whenever the user's
physical location changes in the network. This feature allows you to create the identity-based security
access policies rather than the VLAN-based policies (VACLs) or the port-based policies (PACLs)
without compromising user mobility. With this feature, the user does not have to rely on the network
administrator to enforce the access policy changes whenever the user's physical location and/or
connection to the network changes.
The new group group_name keyword is used to classify the policy as a group. A group is a set of users
(their IP addresses) to which the policy applies. Prior to this feature, if you wanted to permit the IP access
to a set of users, you had to specify each user's IP address in the ACL ACE and there could only be one
IP address per ACE. With this new feature, you specify a group_name in the ACE, such as set security
acl ip grpacl permit ip group ip-permit-group any, where the ip-permit-group is a group and all the
users that are part of that group are authenticated. After a successful user authentication and after the
user's IP address is obtained, if the user is part of the group, the user's IP address is added to the group
and a new ACE is created and installed in the hardware (PFC). The ACL grows and shrinks dynamically
upon user authentication and logoff; the ACL is dynamic and the policy is installed only for the
authenticated and valid users.
When you configure 802.1X with ACL assignments, you can automatically configure the QoS ACLs and
VACLs to a user once the user is authenticated. The RADIUS server sends a QoS VLAN-based ACL,
QoS port-based ACL, or VACL policy name with the authentication success packet. The policy that is
associated with the policy name is already configured on the switch through the CLI. The policy is
converted into a set of ACEs and then installed on the switch.
The ACLs are applied to IP addresses. Because 802.1X authentication is performed on a username and
can be tied to a MAC address, but the IP address is not known at the time of authentication (the host
starts DHCP only after a successful authentication), the ACE is installed only after the IP address is
learned through DHCP snooping or dynamic ARP inspection.
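The dynamic group-to-ACE expansion described in the preceding paragraphs, modelled as an added Python example (not Cisco's code; the session bookkeeping and the textual form of the expanded ACEs are assumptions, and the usernames and addresses are constructed):

```python
"""Model of a group-based 802.1X ACL that grows and shrinks with user sessions."""
from dataclasses import dataclass, field


@dataclass
class GroupAce:
    # One configured template ACE, e.g. "permit ip group ip-permit-group any"
    action: str
    group: str
    dst: str


@dataclass
class DynamicAcl:
    name: str
    aces: list                                  # configured template ACEs
    sessions: dict = field(default_factory=dict)  # username -> {"group", "ip"}

    def authenticate(self, user, group):
        # RADIUS success: the user is bound to a group, but no IP is known yet
        self.sessions[user] = {"group": group, "ip": None}

    def learn_ip(self, user, ip):
        # DHCP snooping / dynamic ARP inspection reports the user's address;
        # addresses seen for users who never authenticated are ignored
        if user in self.sessions:
            self.sessions[user]["ip"] = ip

    def logoff(self, user):
        # Logoff removes the session, so its ACEs disappear from the hardware
        self.sessions.pop(user, None)

    def expanded(self):
        # What the PFC holds: one per-host ACE for every (template ACE, member IP)
        installed = []
        for ace in self.aces:
            for sess in self.sessions.values():
                if sess["group"] == ace.group and sess["ip"]:
                    installed.append(f"{ace.action} ip host {sess['ip']} {ace.dst}")
        return installed


if __name__ == "__main__":
    acl = DynamicAcl("grpacl", [GroupAce("permit", "ip-permit-group", "any")])
    acl.authenticate("alice", "ip-permit-group")   # constructed user
    print(acl.expanded())                          # [] until the IP is learned
    acl.learn_ip("alice", "10.1.1.5")              # constructed address
    print(acl.expanded())
    acl.logoff("alice")
    print(acl.expanded())
```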
When you configure 802.1X with ACL assignments, you perform these two main configuration tasks:
• Associate and configure the group names for the users in the RADIUS server
• Configure, commit, and map the ACLs on the switch for the groups using the switch CLI
After you configure the 802.1X ACL assignments, the switch does the following:
• Authenticates the user(s)
• Uses DHCP snooping or dynamic ARP inspection to obtain the IP address of the user(s)
• Expands the ACL using the IP address(es) and programs the PFC
See also:
• Using the CLI to Configure 802.1X with ACL Assignments, page 40-28
• Configuring 802.1X with QoS ACLs, page 40-29
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Configuring 802.1X Authentication on the Switch
OL-8978-04
40-27
