Cisco WS-C6506 Software Manual page 1022

Catalyst 6500 series switch
Chapter 40 Configuring 802.1X Authentication
Configuring 802.1X Authentication on the Switch

802.1X with ACL Assignments Configuration Guidelines

This section provides the guidelines for configuring 802.1X with ACL assignments:

• The port mode (single-authentication mode, multiple-host mode, or multiple-authentication mode) for a port that is configured for 802.1X with ACL assignments must be single-authentication mode (the default port mode).

• Dynamically learned IP addresses (obtained through DHCP snooping or dynamic ARP inspection) are used to expand the group name. 802.1X with ACL assignments is also supported with static IP addresses (the static IP address should also be configured in the RADIUS server).

• The groups are policy groups. An example of a policy group would be a policy such as "deny http access" that applies to a set of IP addresses.

• The user is never permanently tied to a group, and a user can be part of multiple policy groups simultaneously. If you want to define more than one policy, for example, if you want both "deny http access" and "deny ftp access," you can define two policy groups—one policy group as "http deny" and another policy group as "ftp deny."

• The RADIUS server can send all the policies that have to be applied to a particular user in the authentication success packet, and the user can be added to all those groups on the switch. If a policy group sent by the RADIUS server is not configured on the switch, the policy is either ignored or the port goes into the unauthorized state. If the RADIUS server sends a group ID that is not present in any ACL on the switch, authentication fails.

• With software release 8.3(1) and later releases, you can load balance the 802.1X-authenticated users that are configured under one group name by distributing them evenly between the VLANs. For more configuration information, see the "Configuring 802.1X User Distribution" section on page 40-32.

Using the CLI to Configure 802.1X with ACL Assignments

Note: This section describes the CLI introduced in software release 8.3(1), which is used to configure 802.1X with ACL assignments. For more information on configuring the ACLs, see Chapter 15, "Configuring Access Control."

To configure 802.1X with ACL assignments, perform this task in privileged mode:

Task: Configure 802.1X with ACL assignments.
Command: set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [ip] {src_ip_spec | [group {group_name}} {dest_ip_spec | [group} [precedence {precedence}] [tos {tos}] [fragment] [capture] [log] [before {editbuffer_index} | modify {editbuffer_index}]

This example shows how to specify a group name for an 802.1X group and verify that the group was configured:

Console> (enable) set security acl ip grpacl permit ip group ip-permit-group any
grpacl editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl grpacl

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, OL-8978-04, page 40-28
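The switch-side rules above (the port must be in single-authentication mode, every group ID the RADIUS server returns must exist in some ACL or authentication fails or the group is ignored, and a user may belong to several policy groups at once) modelled in Python as an added example; this is not Cisco code, and apart from grpacl and ip-permit-group the ACL lines and group names are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample configuration in the page's "set security acl ip" syntax.
# Only grpacl/ip-permit-group come from the manual; the other names are assumed.
SAMPLE_ACL_CONFIG = """\
set security acl ip grpacl permit ip group ip-permit-group any
set security acl ip webdeny deny ip group webdeny-group any
set security acl ip ftpdeny deny ip group ftpdeny-group any
commit security acl grpacl
"""

ACL_LINE = re.compile(r"^set security acl ip (?P<acl>\S+)\s")
GROUP_TOKEN = re.compile(r"(?<!\S)group (\S+)")  # "group" keyword followed by a name


def parse_policy_groups(config_text: str) -> Dict[str, Set[str]]:
    """Return {policy group name: {ACL names that reference it}}."""
    groups: Dict[str, Set[str]] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_LINE.match(line)
        if not m:
            continue  # not an ACL entry (e.g. the commit line)
        for name in GROUP_TOKEN.findall(line):
            groups.setdefault(name, set()).add(m.group("acl"))
    return groups


def evaluate_radius_groups(radius_groups: List[str], configured: Dict[str, Set[str]],
                           port_mode: str = "single-auth", strict: bool = True
                           ) -> Tuple[bool, List[str], List[str]]:
    """Switch-side decision from the guidelines: the port must be in
    single-authentication mode; a group ID from RADIUS that is in no ACL
    either fails authentication (strict) or is ignored; a user may join
    several policy groups at once. Returns (authorized, groups, reasons)."""
    reasons: List[str] = []
    if port_mode != "single-auth":
        reasons.append(f"port mode {port_mode!r} is not single-authentication mode")
        return False, [], reasons
    applied: List[str] = []
    for name in radius_groups:
        if name in configured:
            applied.append(name)
        else:
            reasons.append(f"group {name!r} is not present in any ACL on the switch")
    if reasons and strict:
        return False, [], reasons
    return True, sorted(set(applied)), reasons
```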