44-34
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 44 Configuring Network Admission Control
Configuring Network Admission Control with LAN Port 802.1X
This example shows how to clear the URL redirect string associated with the policy name:
Console> (enable)
clear policy name exception_policy url-redirect
Cleared url-redirect for the policy exception_policy
Console> (enable)
Configuring LAN Port IP on Private VLAN Ports
Note For detailed information on private VLANs, see the “Configuring Private VLANs on the Switch” section on page 11-19.
A private VLAN port is associated with two VLANs, the primary VLAN and the secondary VLAN. Traffic coming from the host (ingress traffic) is tagged with the secondary VLAN, and traffic coming from the router port is tagged with the primary VLAN. To trigger EOU on a port, an ARP inspection or DHCP snooping ACL must be mapped to the port VLAN. To trigger EOU on a port in a private VLAN, you must map the ARP inspection or DHCP snooping ACL explicitly to the secondary VLAN, because the secondary VLAN is the one associated with the ingress traffic; an ACL mapped only to the primary VLAN does not see the host's ingress traffic and therefore does not trigger EOU.
Different PBACLs can be mapped to the primary and secondary VLANs. After a successful posture validation, if the PBACLs mapped to the primary and secondary VLANs contain groups of which the host is a member, those groups are expanded to include the IP address of the host.
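The following console session is an added example and is not taken from this guide. It shows the private VLAN case described above: the ARP inspection and DHCP snooping trigger ACL is committed and then mapped to the secondary (isolated) VLAN, which carries the host's ingress traffic, rather than to the primary VLAN. The VLAN numbers (200 primary, 201 isolated), the port ranges, and the ACL name PVLAN_TRIGGER are hypothetical, and lines beginning with ! are explanatory comments added here, not switch input. Check the exact command syntax against the “Configuring Private VLANs on the Switch” section and the LAN port IP sections of this chapter before using it.

```console
! Added example, not from the guide. VLANs, ports and ACL names are hypothetical.
! Private VLAN layout: 200 is the primary VLAN, 201 is an isolated secondary VLAN,
! 3/1-8 are host ports, 3/48 is the promiscuous port toward the router.
Console> (enable) set vlan 200 pvlan-type primary
Console> (enable) set vlan 201 pvlan-type isolated
Console> (enable) set pvlan 200 201 3/1-8
Console> (enable) set pvlan mapping 200 201 3/48

! EOU is enabled globally and on the host ports that carry ingress traffic.
Console> (enable) set eou enable
Console> (enable) set port eou 3/1-8 auto

! Trigger ACL: ARP inspection and DHCP snooping clauses, followed by a permit for
! everything else so the ACL only triggers EOU and does not itself drop traffic.
Console> (enable) set security acl ip PVLAN_TRIGGER permit arp-inspection any any
Console> (enable) set security acl ip PVLAN_TRIGGER permit dhcp-snooping
Console> (enable) set security acl ip PVLAN_TRIGGER permit ip any any
Console> (enable) commit security acl PVLAN_TRIGGER

! Wrong: mapped only to the primary VLAN, the ACL never sees the host's ingress
! traffic (which is tagged with the secondary VLAN), so EOU is not triggered.
! Console> (enable) set security acl map PVLAN_TRIGGER 200
! Right: map the trigger ACL explicitly to the secondary VLAN.
Console> (enable) set security acl map PVLAN_TRIGGER 201
```

After the mapping, verify with show security acl map that PVLAN_TRIGGER is bound to VLAN 201 and with show eou that the host ports are in the expected EOU state; a host on 3/1-8 should then enter posture validation on its first ARP or DHCP exchange.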
Configuring Network Admission Control with LAN Port 802.1X
These sections describe how to configure NAC with LAN port 802.1X:
• Understanding How Network Admission Control with LAN Port 802.1X Works, page 44-34
• LAN Port 802.1X Enhancements in Software Release 8.6(1) and Later Releases, page 44-36
Understanding How Network Admission Control with LAN Port 802.1X Works
Note There are no LAN port 802.1X-specific CLI commands. Posture validation and authentication occur seamlessly inside a single EAP tunnel through standard 802.1X authentication. For information on configuring IEEE 802.1X authentication, see Chapter 40, “Configuring 802.1X Authentication.”
Note The restrictions that apply to LAN port IP also apply to LAN port 802.1X. For LAN port IP restrictions, see the “LAN Port IP Configuration Guidelines and Restrictions” section on page 44-6.
LAN port 802.1X combined with standard 802.1X authentication provides a unified authentication and
posture validation mechanism at the Layer 2 network edge. LAN port 802.1X acts at the same point in
the network as LAN port IP but uses different mechanisms to initiate posture validation, to carry the
communication between host and authentication server, and to enforce the resulting access limitations.
Posture validation in LAN port 802.1X is triggered by the standard 802.1X mechanisms (either the
supplicant sends an EAPOL-Start message to the NAD, or the NAD probes the supplicant with an
EAP-Request/Identity message); the posture information may be sent with the user identity credentials