Cisco IE 3000 Switch Software Configuration Guide, OL-13018-03, page 12-25
Chapter 12 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Figure 12-6 Authenticator and Supplicant Switch using CISP
For more information, see the “Configuring 802.1x Switch Supplicant with NEAT” section on page 12-50.
Web Authentication
You can use a web browser to authenticate a client that does not support 802.1x functionality. This feature can authenticate up to eight users on the same shared port and apply the appropriate policies for each end host on that shared port.
You can configure a port to use only web authentication. You can also configure the port to first try 802.1x authentication and then fall back to web authentication if the client does not support 802.1x.
Web authentication requires two Cisco Attribute-Value (AV) pair attributes:
• The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user who is logging into the switch.
• The second attribute is an access list to be applied for web-authenticated hosts. The syntax is similar to 802.1x per-user access control lists (ACLs). However, instead of ip:inacl, this attribute must begin with proxyacl, and the source field in each entry must be any. (After authentication, the client IP address replaces the any field when the ACL is applied.)
For example:
proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0
proxyacl# 30=permit udp any any eq syslog
proxyacl# 40=permit udp any any eq tftp
Note The proxyacl entry determines the type of allowed network access.
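The two AV-pair rules above (priv-lvl must be 15, and every proxyacl entry must use source any, which the switch later replaces with the client address) are easy to get wrong when the access control server is provisioned by hand. The following is an added example, not code from the Cisco guide: a small checker that validates a set of returned AV pairs against those rules and shows the ACL a given client would end up with after the source substitution. The attribute strings, the client address and the "host <ip>" rendering of the substituted source are constructed for illustration.

```python
"""Validate Cisco AV pairs returned for a web-authenticated host.

Added example, not part of the Cisco IE 3000 guide. Checks the two rules the
guide states for web authentication: priv-lvl=15, and proxyacl entries with
source 'any'. All sample data below is constructed for illustration.
"""
import re

# Constructed sample: the attribute set the guide's own example corresponds to.
# The guide prints "proxyacl# 10=..." with a space after '#'; the regex below
# tolerates optional whitespace there.
VALID_AVPAIRS = [
    "priv-lvl=15",
    "proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0",
    "proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0",
    "proxyacl# 30=permit udp any any eq syslog",
    "proxyacl# 40=permit udp any any eq tftp",
]

# Constructed sample with one violation of each rule.
BAD_AVPAIRS = [
    "priv-lvl=1",                                            # must be 15
    "ip:inacl#10=permit ip any 10.0.0.0 255.0.0.0",          # 802.1x prefix, not proxyacl
    "proxyacl#20=permit ip 10.1.1.1 11.1.0.0 255.255.0.0",   # source is not 'any'
]

# proxyacl#<seq>=<permit|deny> <protocol> <source> <remainder of the ACE>
PROXYACL_RE = re.compile(
    r"^proxyacl#\s*(?P<seq>\d+)=(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)(?P<rest>.*)$"
)


def validate_webauth_avpairs(avpairs):
    """Return a list of problems; an empty list means the AV pairs satisfy the guide's rules."""
    problems = []

    priv_levels = [a.split("=", 1)[1].strip() for a in avpairs if a.startswith("priv-lvl=")]
    if not priv_levels:
        problems.append("missing priv-lvl attribute")
    for level in priv_levels:
        if level != "15":
            problems.append(f"priv-lvl is {level}, must be 15")

    acl_entries = 0
    for attr in avpairs:
        if attr.startswith("priv-lvl="):
            continue
        if attr.startswith("ip:inacl"):
            problems.append(f"{attr!r}: ip:inacl is the 802.1x per-user ACL prefix; web auth needs proxyacl")
            continue
        match = PROXYACL_RE.match(attr)
        if match is None:
            problems.append(f"{attr!r}: not a well-formed proxyacl entry")
            continue
        if match.group("src") != "any":
            problems.append(f"{attr!r}: source must be 'any' (the switch substitutes the client IP)")
        acl_entries += 1

    if acl_entries == 0:
        problems.append("no proxyacl entries; the web-authenticated host would receive no access policy")
    return problems


def effective_acl(avpairs, client_ip):
    """Render the ACL the switch applies after authentication.

    Illustrates the guide's statement that the client IP replaces the 'any'
    source. Rendering the substituted source as 'host <ip>' is an assumption
    made for display; the switch's internal form is not shown in the guide.
    """
    entries = []
    for attr in avpairs:
        match = PROXYACL_RE.match(attr)
        if match is None or match.group("src") != "any":
            continue  # only valid proxyacl entries are applied
        text = (f"{match.group('seq')} {match.group('action')} {match.group('proto')} "
                f"host {client_ip}{match.group('rest')}")
        entries.append((int(match.group("seq")), text))
    return [text for _, text in sorted(entries)]


if __name__ == "__main__":
    print("valid set problems:", validate_webauth_avpairs(VALID_AVPAIRS))
    print("bad set problems:")
    for problem in validate_webauth_avpairs(BAD_AVPAIRS):
        print("  -", problem)
    print("effective ACL for client 10.0.0.5:")
    for line in effective_acl(VALID_AVPAIRS, "10.0.0.5"):
        print("  ", line)
```

Running the checker against what the ACS actually returns (for example from a RADIUS Access-Accept capture, or from the switch's own authentication session output) is a cheap way to catch a host that silently receives no policy, or one that was granted a privilege level other than 15, before it shows up as an access problem on the port.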
For more information, see the “Authentication Manager” section on page 12-7 and the “Configuring Web Authentication” section on page 12-55.
Figure 12-6 legend:
1 Workstations (clients)
2 Supplicant switch (outside wiring closet)
3 Authenticator switch
4 Access control server (ACS)
5 Trunk port