Cisco WS-C6506 Software Manual page 1121

Catalyst 6500 series switch
Chapter 44
Configuring Network Admission Control
To prevent the ACL on the interface from redirecting all HTTP packets to software, you must
ensure that packets destined to the redirect URL itself are not sent to software for URL redirection.
The ACL must contain an ACE that permits traffic to the redirect host, and that ACE must be
installed before the URL redirection ACE. Installing the permit ACE in this position ensures that the
redirected request matches the prepositioned ACE and is not intercepted by the supervisor engine.
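The first-match ordering described above, as an added example that is not part of the Cisco guide: a small Python model of an ACL evaluated top to bottom, a lint check that reports when a URL-redirect ACE shadows the permit for the redirect host, and a browser model that follows each redirect to show the loop that results when the permit ACE is missing or placed after the redirect ACE. The addresses (RFC 5737 documentation ranges), the `redirect` action name and the helper functions are constructed for illustration and are not CatOS syntax.

```python
"""Added example (not from the Cisco guide): a first-match ACL evaluator used to
show why the ACE that permits traffic to the redirect host must be installed
before the URL-redirect ACE. Addresses, ports and action names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str           # "permit", "deny", or "redirect" (punt to software for URL redirection)
    dst: str              # destination prefix; "0.0.0.0/0" means any
    dport: Optional[int]  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        in_net = ip_address(pkt.dst) in ip_network(self.dst, strict=False)
        return in_net and (self.dport is None or self.dport == pkt.dport)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching ACE; implicit deny if none match."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def redirect_host_shadowed(acl: List[Ace], redirect_host: str) -> bool:
    """Lint check: True if HTTP traffic to the redirect host would not be permitted
    in hardware, i.e. the permit ACE is missing or sits after the redirect ACE."""
    probe = Packet(src="10.0.0.5", dst=redirect_host, dport=80)
    return evaluate(acl, probe) != "permit"


def follow_redirects(acl: List[Ace], first_dst: str, redirect_host: str, max_hops: int = 5) -> str:
    """Model a browser that obeys each HTTP redirect it receives.

    Returns "permit:<n>" when the request reaches the redirect host after n
    redirects, "deny" if the packet is dropped, or "loop" if it keeps being redirected.
    """
    dst = first_dst
    for hops in range(max_hops):
        action = evaluate(acl, Packet(src="10.0.0.5", dst=dst, dport=80))
        if action == "permit":
            return f"permit:{hops}"
        if action == "deny":
            return "deny"
        dst = redirect_host  # redirected: the next request goes to the redirect URL's host
    return "loop"


# Constructed addresses (RFC 5737 documentation ranges), not from the guide.
REDIRECT_HOST = "192.0.2.10"      # host serving the redirect URL
UNAUTH_WEB_SERVER = "198.51.100.7"  # any web server the unauthenticated host tries first

PERMIT_REDIRECT_HOST = Ace("permit", f"{REDIRECT_HOST}/32", 80)
REDIRECT_ALL_HTTP = Ace("redirect", "0.0.0.0/0", 80)

# Correct order: the permit for the redirect host is prepositioned before the redirect ACE.
CORRECT_ACL = [PERMIT_REDIRECT_HOST, REDIRECT_ALL_HTTP]
# Wrong order: the redirect ACE shadows the permit, so even the redirect host is punted.
WRONG_ACL = [REDIRECT_ALL_HTTP, PERMIT_REDIRECT_HOST]

if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ACL), ("wrong", WRONG_ACL)):
        print(name, "shadowed:", redirect_host_shadowed(acl, REDIRECT_HOST),
              "flow:", follow_redirects(acl, UNAUTH_WEB_SERVER, REDIRECT_HOST))
```

With the correct order the first request is redirected once and the follow-up request to the redirect host is permitted in hardware; with the redirect ACE first, every follow-up request is punted again and the browser never reaches the redirect URL, which is exactly the condition the lint check flags.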
A host can be added to URL redirection through LAN port IP, web-based proxy authentication, and
LAN port 802.1X. Web-based proxy authentication has the highest precedence, followed by LAN
port IP and then LAN port 802.1X. The host port is opened only after a successful 802.1X
authentication. When the host then tries to access the web, it must be authenticated through web-based
proxy authentication, followed by posture validation through LAN port IP. After a successful 802.1X
authentication, the host is permitted to access the URL that was received from the RADIUS server.
For URL redirection to work with LAN port 802.1X, there must be an ACL mapped to the VLAN of the
port that has DHCP snooping, ARP inspection, and the URL redirect ACE.
Enabling and Disabling the Session Timeout Override for LAN Port 802.1X
After a successful 802.1X authentication, if reauthentication is enabled on a port, 802.1X
reauthenticates the port when the reauthentication timer expires. The reauthentication timer value
can be configured through the CLI or sent from the RADIUS server.
The set port dot1x mod/port re-authperiod server {disable | enable} command specifies whether
the reauthentication timer value from the RADIUS server or the CLI-configured value is used.
By default, the session timeout value that is received from the RADIUS server takes precedence over
the CLI-configured timeout value. See Table 44-1 for suggested session timeout override mapping values.
Note: If you enable 802.1X IAB on a port that is already authenticated and the RADIUS server is not
reachable during reauthentication, the port remains in the authenticated state.

Table 44-1 Session Timeout Override Mapping Values

Reauthorization Enabled | Reauthorization Period from Server Enabled | Session Timeout Received | Termination Action    | NAS Action
No                      | Optional                                   | n/a                      | n/a                   | No reauthorization
Yes                     | No                                         | n/a                      | n/a                   | Reauthorization with local timer
Yes                     | Yes                                        | No                       | n/a                   | No reauthorization
Yes                     | Yes                                        | Yes                      | Default or no action  | Termination with RADIUS timer
Yes                     | Yes                                        | Yes                      | RADIUS request        | Reauthorization with RADIUS timer

Configuring Network Admission Control with LAN Port 802.1X
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
44-37

This manual is also suitable for: Catalyst 6506, Catalyst 6509, Catalyst 6513.