Using 802.1X Authentication with ACL Assignments and Redirect URLs - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG
About 802.1X Port-Based Authentication

Whenever port security ages out an 802.1X client's MAC address, 802.1X attempts to reauthenticate the client. Only if the reauthentication succeeds is the client's MAC address retained in the port security table.

All of the 802.1X client's MAC addresses are tagged with (dot1x) when you display the port security table by using the CLI.

Using 802.1X Authentication with ACL Assignments and Redirect URLs

Beginning with Cisco IOS Release 12.2(50)SG, you can download per-host policies such as ACLs and redirect URLs to the switch from the RADIUS server during 802.1X or MAB authentication of the host. ACL download is also supported with web authentication after a fallback from 802.1X or MAB.

When the 802.1X host mode of the port is either single-host, MDA, or multiple authentication, the downloaded ACLs (DACLs) are modified to use the authenticated hosts' IP address as the source address. When the host mode is multiple-hosts, the source address is configured as ANY, and the downloaded ACLs or redirects apply to all devices on the port.

If no ACLs are provided during the authentication of a host, the static default ACL configured on the port is applied to the host. On a voice VLAN port, only the static default ACL of the port is applied to the phone.

This section includes these topics:

• Cisco Secure ACS and AV Pairs for URL-Redirect, page 44-20
• ACLs, page 44-21

For details on how to configure downloadable ACL and URL redirect, refer to the "Configuring 802.1X Authentication with ACL Assignments and Redirect URLs" section on page 44-38.

Cisco Secure ACS and AV Pairs for URL-Redirect

When downloadable ACL is enabled, Cisco Secure ACS provides AAA services through RADIUS. You can set these Attribute-Value (AV) pairs on the Cisco Secure ACS with RADIUS cisco-av-pair vendor-specific attributes (VSAs):

CiscoSecure-Defined-ACL specifies the names of the DACLs on the Cisco Secure ACS. The switch receives the ACL name using the CiscoSecure-Defined-ACL AV pair in the format:

#ACL#-IP-name-number

name is the ACL name and number is the version number (similar to 3f783768).

The Auth-Manager code verifies whether the access control entries (ACEs) of the specified downloadable ACL were previously downloaded. If not, the Auth-Manager code sends an AAA request with the downloadable ACL name as the username so that the ACEs are downloaded. The downloadable ACL is then created as a named ACL on the switch. This ACL has ACEs with a source address of any and does not have an implicit deny statement at the end. When the downloadable ACL is applied to an interface after authentication completes, the source address changes from any to the host source IP address depending on the host mode of the interface. The ACEs are prepended to the downloadable ACL applied to the switch interface to which the endpoint device is connected. If traffic matches the CiscoSecure-Defined-ACL ACEs, the appropriate actions are taken.
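To make the AV-pair handling above concrete, the following is an added Python example (not code from the Cisco guide or from Cisco IOS) that parses the cisco-av-pair values as this section describes them, extracts the DACL name and version from the #ACL#-IP-name-number format, and applies the host-mode source rewrite to downloaded ACEs. The ACL name, version, redirect ACL name, URL and ACEs are constructed sample values.

```python
import re

# Constructed cisco-av-pair values as Cisco Secure ACS would return them in a RADIUS
# Access-Accept; the ACL name, version, redirect ACL name and URL are sample values.
AV_PAIRS = [
    "ACS:CiscoSecure-Defined-ACL=#ACL#-IP-Employee_ACL-3f783768",
    "url-redirect-acl=REDIRECT_ACL",
    "url-redirect=https://example.invalid/guest/login.html",
]
# Constructed ACEs as downloaded: source "any" and no implicit deny, as the section describes.
DACL_ACES = ["permit tcp any any eq 80", "permit udp any host 10.0.0.53 eq 53"]

# "#ACL#-IP-name-number": the name may itself contain hyphens, the version number is hex.
DACL_NAME_RE = re.compile(r"^#ACL#-IP-(?P<name>.+)-(?P<version>[0-9a-fA-F]+)$")

def parse_av_pairs(pairs):
    """Split cisco-av-pair VSAs into a dict, dropping an optional 'ACS:' key prefix."""
    result = {}
    for pair in pairs:
        key, _, value = pair.partition("=")
        result[key.split(":", 1)[-1]] = value
    return result

def parse_dacl_name(value):
    """Return (name, version) from a CiscoSecure-Defined-ACL value, or None if malformed."""
    match = DACL_NAME_RE.match(value)
    return (match.group("name"), match.group("version")) if match else None

def apply_dacl(aces, host_mode, host_ip):
    """Rewrite each ACE source as the switch does when applying the DACL: the host IP in
    single-host, MDA and multi-auth modes, 'any' (all devices on the port) in multi-host mode."""
    if host_mode in ("single-host", "mda", "multi-auth"):
        source = f"host {host_ip}"
    elif host_mode == "multi-host":
        source = "any"
    else:
        raise ValueError(f"unknown 802.1X host mode: {host_mode!r}")
    applied = []
    for ace in aces:
        action, proto, src, rest = ace.split(" ", 3)
        if src != "any":
            raise ValueError(f"downloaded ACE must have source 'any': {ace!r}")
        applied.append(f"{action} {proto} {source} {rest}")
    return applied

if __name__ == "__main__":
    pairs = parse_av_pairs(AV_PAIRS)
    print(parse_dacl_name(pairs["CiscoSecure-Defined-ACL"]), pairs["url-redirect"])
    print(*apply_dacl(DACL_ACES, "single-host", "10.1.1.7"), sep="\n")
```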
url-redirect and url-redirect-acl specify the local URL policy on the switch. The switches use these cisco-av-pair VSAs as follows:
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG, OL-25340-01, Chapter 44 Configuring 802.1X Port-Based Authentication, page 44-20