12-15
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-03
Chapter 12 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
–
If the VLAN configuration change of one device results in matching the other device configured
or assigned VLAN, then authorization of all devices on the port is terminated and multidomain
host mode is disabled until a valid configuration is restored where data and voice device
configured VLANs no longer match.
–
If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice
VLAN configuration, or modifying the configuration value to
dot1p
or
untagged
results in voice
device un-authorization and the disablement of multi-domain host mode.
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put
into the configured access VLAN.
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
•
Enable AAA authorization by using the
network
keyword to allow interface configuration from the
RADIUS server.
•
Enable 802.1x authentication. (The VLAN assignment feature is automatically enabled when you
configure 802.1x authentication on an access port).
•
Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return
these attributes to the switch:
–
[64] Tunnel-Type = VLAN
–
[65] Tunnel-Medium-Type = 802
–
[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value
VLAN
(type 13). Attribute [65] must contain the value
802
(type 6). Attribute [81] specifies the
VLAN name
or
VLAN ID
assigned to the 802.1x-authenticated
user.
For examples of tunnel attributes, see the
“Configuring the Switch to Use Vendor-Specific RADIUS
Attributes” section on page 11-29
.
For more configuration information, see the
“Authentication Manager” section on page 12-7
.
802.1x Authentication with Downloadable ACLs and Redirect URLs
You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x
authentication or MAC authentication bypass of the host. You can also download ACLs during web
authentication.
Note
A downloadable ACL is also referred to as a
dACL
.
If the host mode is single-host, MDA, or multiple-authentication mode, the switch modifies the source
address of the ACL to be the host IP address.
Note
A port in multiple-host mode does not support the downloadable ACL and redirect URL feature.
You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.
If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on
the port to the host. On a voice VLAN port, the switch applies the ACL only to the phone.