Lan Port 802.1X Enhancements In Software Release 8.6(1) And Later Releases - Cisco WS-C6506 Software Manual

Configuring Network Admission Control with LAN Port 802.1X

these features, the switch requests that the LAN port IP (if configured) does the posture validation. LAN port IP realizes that its Hello messages are not getting any response and does a clientless authentication to retrieve the posture policy for nonresponsive hosts.

LAN Port 802.1X Enhancements in Software Release 8.6(1) and Later Releases

These sections describe the enhancements for configuring NAC with LAN port 802.1X in software release 8.6(1) and later releases:
• URL Redirection Support for LAN Port 802.1X, page 44-36
• Enabling and Disabling the Session Timeout Override for LAN Port 802.1X, page 44-37

URL Redirection Support for LAN Port 802.1X

After a successful LAN port 802.1X authentication, you can redirect HTTP traffic to the supervisor engine using URL redirection. URL redirection requires that you configure an ACL with an ACE that redirects all ingress traffic with destination TCP port 80 to the supervisor engine. Enter the set security acl ip acl-name permit url-redirect command to create the ACE. Any ACL that is mapped to a port/VLAN with this ACE redirects all HTTP traffic to the supervisor engine.

URL redirection requires that the IP address of an authenticated host appears in a URL redirect list. The IP address of the host can be obtained in three ways:
• Framed IP address sent from the RADIUS server
• DHCP snooping
• ARP inspection

DHCP snooping is given the highest precedence, followed by ARP inspection, and then framed IP. If the IP address is received through a higher precedence mechanism than the current one and the previous IP address differs from the current one, the installed policies are removed and reinstalled with the latest IP address. The host IP address in the URL redirect list is also updated to the preferred IP address.

As a result of URL redirection, the NAD intercepts all HTTP traffic from the host that matches the URL redirect match ACL (configured locally or downloaded from the ACS). The intercepted HTTP TCP session is terminated at the NAD. The URL redirect feature then invokes the feature-specific handler, which posts an HTTP 302 redirect status code to the host over the terminated TCP session in the following format:

    HTTP/1.1 302 Page Moved
    Location: <REDIRECT URL-ADDRESS>
    Pragma: no-cache
    Cache-Control: no-cache

The redirect URL address is sent from the RADIUS server. When the host browser receives the 302 status code, it initiates a new HTTP request to the URL given in the Location header, which completes the redirection.

The redirect URL that is sent from the RADIUS server needs to be configured on the RADIUS server. A typical URL redirect VSA would be as follows:

    Url-redirect=<url-address>

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
44-36
Chapter 44      Configuring Network Admission Control
OL-8978-04
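The URL redirect processing described above (the redirect list with its IP-source precedence rule, the permit url-redirect ACE match on destination TCP port 80, and the 302 response posted over the terminated session) is modelled here as an added Python example. It is not Cisco code and not the switch's implementation; the class and function names, the sample MAC and IP addresses, the remediation URL and the packet dictionaries are constructed for illustration. The text does not say what happens when an address arrives from a source of equal precedence, so this model treats a same-source update as a refresh; that is an assumption.

```python
"""Toy model of LAN port 802.1X URL redirection on a NAD.

Constructed example, not Cisco code. The precedence rule and the 302 format
follow the configuration guide text; all names and sample values are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Precedence of IP-learning mechanisms, from the text:
# DHCP snooping > ARP inspection > framed IP (RADIUS Framed-IP-Address).
PRECEDENCE = {"dhcp_snooping": 3, "arp_inspection": 2, "framed_ip": 1}


@dataclass
class HostEntry:
    mac: str
    ip: Optional[str] = None
    source: Optional[str] = None
    redirect_url: Optional[str] = None  # value of the RADIUS Url-redirect VSA


class RedirectList:
    """Authenticated hosts whose HTTP traffic is to be redirected."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HostEntry] = {}
        self.policy_installs = 0  # counts policy (re)installs, for illustration

    def authenticate(self, mac: str, redirect_url: str) -> None:
        """Record a host after successful 802.1X authentication."""
        self.hosts[mac] = HostEntry(mac=mac, redirect_url=redirect_url)

    def learn_ip(self, mac: str, ip: str, source: str) -> bool:
        """Apply the precedence rule from the text.

        A lower-precedence source never overrides the current address.
        A higher-precedence (or, by assumption, same-source) address that
        differs from the current one removes the installed policy and
        reinstalls it with the new address, updating the redirect list entry.
        """
        host = self.hosts[mac]
        new_rank = PRECEDENCE[source]
        cur_rank = PRECEDENCE[host.source] if host.source else 0
        if new_rank < cur_rank:
            return False  # ignored: lower-precedence mechanism
        if host.ip != ip:
            self.policy_installs += 1  # first install, or remove + reinstall
        host.ip, host.source = ip, source
        return True

    def lookup(self, ip: str) -> Optional[HostEntry]:
        return next((h for h in self.hosts.values() if h.ip == ip), None)


def matches_redirect_ace(pkt: dict) -> bool:
    """The permit url-redirect ACE: ingress TCP traffic to destination port 80."""
    return pkt["proto"] == "tcp" and pkt["dst_port"] == 80


def build_302(redirect_url: str) -> str:
    """HTTP 302 response in the format shown in the text (CRLF line endings)."""
    lines = [
        "HTTP/1.1 302 Page Moved",
        f"Location: {redirect_url}",
        "Pragma: no-cache",
        "Cache-Control: no-cache",
        "",
        "",
    ]
    return "\r\n".join(lines)


def handle_ingress(redirect_list: RedirectList, pkt: dict) -> Optional[str]:
    """Return the 302 the NAD posts over the terminated session, or None to forward."""
    if not matches_redirect_ace(pkt):
        return None
    host = redirect_list.lookup(pkt["src_ip"])
    if host is None or host.redirect_url is None:
        return None
    return build_302(host.redirect_url)


def demo():
    """Walk one host through authentication, IP learning and an intercepted request."""
    rl = RedirectList()
    mac = "00:11:22:33:44:55"  # constructed sample MAC address
    rl.authenticate(mac, "https://remediation.example.net/posture")  # sample VSA value
    rl.learn_ip(mac, "10.1.1.50", "framed_ip")       # from RADIUS: installed first
    rl.learn_ip(mac, "10.1.1.77", "dhcp_snooping")   # higher precedence, differs: reinstall
    rl.learn_ip(mac, "10.1.1.99", "arp_inspection")  # lower than DHCP snooping: ignored
    pkt = {"proto": "tcp", "src_ip": "10.1.1.77", "dst_port": 80}  # constructed packet
    return rl, handle_ingress(rl, pkt)


if __name__ == "__main__":
    rl, response = demo()
    print(response)
```

Running the module prints the 302 response that the host at the DHCP-snooped address would receive; traffic from the ignored ARP-inspection address, or to any port other than 80, is forwarded without redirection.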
