12-16
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-03
Chapter 12 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
Note
If a downloadable ACL or redirect URL is configured for a client on the authentication server, a default
port ACL on the connected client switch port must also be configured.
Cisco Secure ACS and Attribute-Value Pairs for the
Redirect URL
The switch uses these
cisco-av-pair
VSAs:
•
url-redirect is the HTTP to HTTPS URL.
•
url-redirect-acl is the switch ACL name or number.
The switch uses the CiscoSecure-Defined-ACL
AV pair to intercept an HTTP or HTTPS request from
the endpoint device. The switch then forwards the client web browser to the specified redirect address.
The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is
redirected. The url-redirect-acl AV pair contains the name or number of an ACL that specifies the HTTP
or HTTPS traffic to redirect. Traffic that matches a permit ACE in the ACL is redirected.
Note
Define the URL redirect ACL and the default port ACL on the switch.
If a redirect URL configured for a client on the authentication server, a default port ACL on the
connected client switch port must also be configured
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs
You can set the CiscoSecure-Defined-ACL Attribute-Value (AV) pair on the Cisco Secure ACS with the
RADIUS cisco-av-pair vendor-specific attributes (VSAs). This pair specifies the names of the
downloadable ACLs on the Cisco Secure ACS with the #ACL#-IP-name-number attribute.
•
The
name
is the ACL name.
•
The
number
is the version number (for example, 3f783768).
If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the
connected client switch port must also be configured.
If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access-policy to
the switch, it applies the policy to traffic from the host connected to a switch port. If the policy does not
apply, the switch applies the default ACL. If the Cisco Secure ACS sends the switch a downloadable
ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However,
if the switch receives an host access policy from the Cisco Secure ACS but the default ACL is not
configured, the authorization failure is declared.
For configuration details, see the “
“Authentication Manager” section on page 12-7
and the
“Configuring
802.1x Authentication with Downloadable ACLs and Redirect URLs” section on page 12-52
.
Содержание IE 3000
Страница 36: ...xxxiv Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 Preface ...
Страница 784: ...39 20 Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 Chapter 39 Troubleshooting Troubleshooting Tables ...
Страница 874: ...Index IN 42 Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 ...