Cisco WS-C6506 Software Manual page 1024

Configuring 802.1X Authentication on the Switch
•
Be careful when you name the QoS ACL. The QoS ACL name must match the policy name specified on
Note
the RADIUS server.
802.1X with QoS ACLs Configuration Example
In the following example, QoS is enabled and an 802.1X QoS policy (Dot1xDscp5Policy) is created. The
policy is then committed. The same policy name (Dot1xDscp5Policy) is then configured on the RADIUS
server. After a period of time, you can see that the policy is applied to port 3/1 after 802.1X has
authenticated a client and applied the policy. You can see that the policy mapping is not found in the
configuration (config) display of the mapping command: it is found only in the run-time configuration.
The AV-pairs at the RADIUS server require the following input—qos:inpacl=Dot1xDscp5Policy. After
supplicant authentication on port 3/1, the QoS run-time mapping to port 3/1 occurs.
The other options for the AV-pairs are as follows—qos:invacl=<policy-name> and
qos:outpacl=<policy-name>.
If the policy name in the AV-pairs does not match a policy name in the switch, the supplicant is not
authenticated.
Console> (enable) set qos enable
QoS is enabled.
Console> (enable) set qos acl ip Dot1xDscp5Policy dscp 5 any
Dot1xDscp5Policy editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit qos acl all
QoS ACL 'Dot1xDscp5Policy' successfully committed.
Console> (enable) show qos acl map config Dot1xDscp5Policy
QoS ACL mappings on input side:
ACL name
-------------------------------- ---- ---------------------------------
Dot1xDscp5Policy
ACL name
-------------------------------- ---- ---------------------------------
Dot1xDscp5Policy
QoS ACL mappings on output side:
ACL name
-------------------------------- ---- ---------------------------------
Dot1xDscp5Policy
Console> (enable)
<<< Dot1x Authenticates a client on 3/1 and applies Dot1xDscp5Policy >>>
Console> (enable) show qos acl map runtime Dot1xDscp5Policy
QoS ACL mappings on input side:
ACL name
-------------------------------- ---- ---------------------------------
Dot1xDscp5Policy
ACL name
-------------------------------- ---- ---------------------------------
Dot1xDscp5Policy
QoS ACL mappings on output side:
ACL name
-------------------------------- ---- ---------------------------------
Dot1xDscp5Policy
Console> (enable) show qos acl map config Dot1xDscp5Policy
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
40-30
After you define a QoS policy on the switch, you should map the policy to a VLAN or port (using
the set qos acl map command) and verify that the policy mapping succeeds. After verification, clear
the ACL mapping and configure 802.1X on the interface.
Type Vlans
IP
Type Ports
IP
Type Vlans
IP
Type Vlans
IP
Type Ports
IP 3/1
Type Vlans
IP
Chapter 40 Configuring 802.1X Authentication
OL-8978-04