12-26
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-03
Chapter 12 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
Web Authentication with Automatic MAC Check
You can use web authentication with automatic MAC check to authenticate a client that does not
support 802.1x or web-browser functionality. End hosts, such as printers, can automatically authenticate
by using the MAC address without any other requirements.
Web authentication with automatic MAC check only works in web authentication standalone mode. You
cannot use this if web authentication is configured as a fallback to 802.1x authentication.
The MAC address of the device must be configured in the Access Control Server (ACS) for the automatic
MAC check to succeed. The automatic MAC check allows managed devices, such as printers, to skip
web authentication.
Note
The interoperability of web authentication (with automatic MAC check) and 802.1x MAC authentication
configured on different ports of the same switch is not supported.
Using IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute
The switch supports only IP standard and IP extended port access control lists (ACLs) applied to ingress
ports.
• ACLs that you configure
• ACLs from the Access Control Server (ACS)
An IEEE 802.1x port in single-host mode uses ACLs from the ACS to provide different levels of service
to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates this type of user and port,
it sends ACL attributes based on the user identity to the switch. The switch applies the attributes to the
port for the duration of the user session. If the session is over, authentication fails, or a link fails, the port
becomes unauthorized, and the switch removes the ACL on the port.
Only IP standard and IP extended port ACLs from the ACS support the Filter-Id attribute. It specifies the
name or number of an ACL. The Filter-Id attribute can also specify the direction (inbound or outbound)
and a user or a group to which the user belongs.
• The Filter-Id attribute for the user takes precedence over that for the group.
• If a Filter-Id attribute from the ACS specifies an ACL that is already configured, it takes precedence
over a user-configured ACL.
• If the RADIUS server sends more than one Filter-Id attribute, only the last attribute is applied.
If the ACL that the Filter-Id attribute specifies is not defined on the switch, authentication fails, and the
port returns to the unauthorized state.
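The Filter-Id rules above, modelled as a pre-deployment audit that compares the Filter-Id values an ACS policy would return with the ACLs defined on a switch. This is an added example, not code from the guide or from Cisco; the `<acl>.in` / `<acl>.out` suffix syntax, the function names, and the sample policy are assumptions.

```python
import re

# Assumed syntax: ACL name or number, optional ".in"/".out" direction suffix.
# The page does not give the syntax; adjust the pattern to your ACS policy.
FILTER_ID = re.compile(r"^(?P<acl>[A-Za-z0-9_-]+?)(?:\.(?P<dir>in|out))?$")


def effective_filter_id(user_ids, group_ids):
    """User attributes take precedence over group ones; the last one sent wins."""
    chosen = user_ids or group_ids
    return chosen[-1] if chosen else None


def audit_port(user_ids, group_ids, switch_acls):
    """Return (finding, acl) for one user authenticating on one switch."""
    raw = effective_filter_id(user_ids, group_ids)
    if raw is None:
        return ("no-filter-id", None)
    m = FILTER_ID.match(raw)
    if not m:
        return ("malformed", raw)
    acl, direction = m["acl"], m["dir"] or "in"  # no suffix: assume inbound
    if direction == "out":
        # Audit finding only: the switch supports ACLs on ingress ports only.
        return ("unsupported-direction", acl)
    if acl not in switch_acls:
        # ACL named by the ACS is missing on the switch: authentication fails.
        return ("auth-fails-port-unauthorized", acl)
    return ("applied", acl)


def audit(policy, switch_acls):
    return {u: audit_port(us, gs, switch_acls) for u, (us, gs) in policy.items()}


# Constructed sample data: user -> (user Filter-Ids, group Filter-Ids).
SWITCH_ACLS = {"101", "EMPLOYEE-ACL"}
POLICY = {
    "alice": (["GUEST-ACL.in", "EMPLOYEE-ACL.in"], ["101.in"]),
    "bob": ([], ["101.in"]),
    "carol": (["CONTRACTOR-ACL.in"], ["101.in"]),
    "dave": (["101.out"], []),
}

if __name__ == "__main__":
    for user, (finding, acl) in audit(POLICY, SWITCH_ACLS).items():
        print(f"{user:6} {finding:30} {acl}")
```

The `carol` entry is the case to look for before rollout: the group ACL exists on the switch, but the user-level Filter-Id wins and names an ACL the switch does not have, so that user's port would stay unauthorized.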
Configuring 802.1x Authentication
These sections contain this configuration information:
• Default 802.1x Authentication Configuration, page 12-27
• 802.1x Authentication Configuration Guidelines, page 12-28
• Configuring 802.1x Readiness Check, page 12-31 (optional)