Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication
Note:
If you use a custom logo with web authentication and it is stored on an external server, the port ACL must allow
access to the external server before authentication. You must either configure a static port ACL or change the
auth-default-ACL to provide appropriate access to the external server.
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL
The switch uses these cisco-av-pair VSAs:
url-redirect is the HTTP to HTTPS URL.
url-redirect-acl is the switch ACL name or number.
The switch uses the CiscoSecure-Defined-ACL attribute-value pair to intercept an HTTP or HTTPS request from the endpoint device. The switch then forwards the client web browser to the specified redirect address. The url-redirect attribute-value pair on the Cisco Secure ACS contains the URL to which the web browser is redirected. The url-redirect-acl attribute-value pair contains the name or number of an ACL that specifies the HTTP or HTTPS traffic to redirect. Only traffic that matches a permit ACE in that ACL is redirected; traffic that matches a deny ACE is not intercepted.
Note:
Define the URL redirect ACL and the default port ACL on the switch.
If a redirect URL is configured for a client on the authentication server, a default port ACL on the connected client switch
port must also be configured.
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs
You can set the CiscoSecure-Defined-ACL attribute-value pair on the Cisco Secure ACS with the RADIUS cisco-av-pair vendor-specific attributes (VSAs). This pair specifies the names of the downloadable ACLs on the Cisco Secure ACS with the #ACL#-IP-name-number attribute, where name is the ACL name and number is the version number (for example, 3f783768).
If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the connected client switch port must also be configured.
If the default ACL is configured on the switch and the Cisco Secure ACS sends a host access policy to the switch, the switch applies that policy to traffic from the host connected to the switch port. If the policy does not apply, the switch applies the default ACL. If the Cisco Secure ACS sends the switch a downloadable ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but no default ACL is configured on the port, an authorization failure is declared and the host is not granted access.
For configuration details, see:
Authentication Manager, page 194
Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs, page 231
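The following configuration is an added illustration of the two requirements above (a redirect ACL named by url-redirect-acl, and a static default port ACL that must exist before the ACS can push a downloadable ACL or redirect URL); it is not taken from this guide's configuration chapter. The ACL names, the interface, the server address 192.0.2.10, the portal URL and the downloadable ACL name GUEST-ACL are assumptions; the version number 3f783768 is the example value used in the text. The RADIUS server definition and AAA method lists are assumed to be configured already.

```cisco
! --- Redirect ACL: traffic matching a permit ACE is intercepted and sent to url-redirect ---
ip access-list extended WEBAUTH-REDIRECT
 remark Do not intercept traffic to the AAA/portal server itself (assumed address)
 deny   ip any host 192.0.2.10
 remark Intercept the client's HTTP and HTTPS requests
 permit tcp any any eq www
 permit tcp any any eq 443
!
! --- Default port ACL: pre-authentication access; required whenever ACS returns a dACL or redirect URL ---
ip access-list extended PORT-DEFAULT-ACL
 remark DHCP and DNS so the host can obtain an address and resolve the portal
 permit udp any any eq bootps
 permit udp any any eq domain
 remark The server that hosts the portal and any custom web-authentication logo
 permit ip  any host 192.0.2.10
 deny   ip  any any
!
! --- Access port: without "ip access-group ... in" a dACL or redirect from ACS fails authorization ---
interface GigabitEthernet1/1
 switchport mode access
 ip access-group PORT-DEFAULT-ACL in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! --- cisco-av-pair VSAs returned in the Access-Accept by Cisco Secure ACS (assumed values) ---
!   cisco-av-pair = url-redirect-acl=WEBAUTH-REDIRECT
!   cisco-av-pair = url-redirect=https://192.0.2.10:8443/guestportal/login.action
!   cisco-av-pair = ACS:CiscoSecure-Defined-ACL=#ACL#-IP-GUEST-ACL-3f783768
!
! --- Verification after a host connects ---
!   show authentication sessions interface GigabitEthernet1/1
!   show ip access-lists interface GigabitEthernet1/1 in
```

Keep the deny for the server at the top of the redirect ACL: because permit ACEs select what is redirected, a plain "permit tcp any any eq 443" would also intercept the browser's connection to the portal and loop the client. The default port ACL should permit only what the host needs before authentication (here DHCP, DNS and the portal host); the downloadable ACL replaces it for the authorized session, so anything broader in the static ACL is exposure that every unauthenticated device gets.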
VLAN ID-Based MAC Authentication
You can use VLAN ID-based MAC authentication if you want to authenticate hosts based on a static VLAN ID instead of a downloadable VLAN. When you have a static VLAN policy configured on your switch, the VLAN information is sent to a Microsoft IAS RADIUS server along with the MAC address of each host for authentication. The VLAN ID configured on the connected port is used for MAC authentication. By using VLAN ID-based MAC authentication with an IAS server, you can keep a fixed number of VLANs in the network.
The feature also limits the number of VLANs monitored and handled by STP, so the network can be managed with a fixed set of VLANs.
Note:
This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new hosts and
only authenticates based on the MAC address.)
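An added configuration sketch for VLAN ID-based MAC authentication, not part of this guide's text: the port carries a static access VLAN, MAB is enabled on it, and the switch is told to include the port's access VLAN in the MAB RADIUS request. The global command "mab request format attribute 32 vlan access-vlan" is the one documented for this feature on Catalyst switches (it places the VLAN ID in RADIUS attribute 32, NAS-Identifier); verify it is available on your IE 4000 release. The interface and VLAN 20 are assumed values.

```cisco
! Global: send the port's access VLAN ID in the MAB request (attribute 32, NAS-Identifier)
mab request format attribute 32 vlan access-vlan
!
! Port with a static VLAN policy; the IAS server authenticates on MAC address plus VLAN 20
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 mab
!
! Verification: the session should show the MAB method and VLAN 20 with no downloaded VLAN
!   show authentication sessions interface GigabitEthernet1/2
```

Because the ACS server ignores the VLAN ID in the request, this configuration gives no additional check when the RADIUS server is Cisco ACS; there the decision is MAC address only, so treat MAB as identification rather than authentication and pair it with a downloadable ACL as described above.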