ACLs - Cisco Catalyst 4500 Series Configuration Manual
Software Configuration Guide, Release IOS XE 3.3.0SG and IOS 15.1(1)SG (document OL-25340-01)

Chapter 44
Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
url-redirect = <HTTP or HTTPS URL>
url-redirect-acl = switch ACL name or number

These AV pairs enable the switch to intercept an HTTP or HTTPS request from the endpoint device and
forward the client web browser to the specified redirect address, from which the latest antivirus files can
be downloaded. The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web
browser is redirected. The url-redirect-acl AV pair contains the name or number of an ACL that specifies
the HTTP or HTTPS traffic to be redirected: traffic that matches a permit entry in the redirect ACL is
redirected, so the permit entries define exactly which flows are intercepted.

Note: The redirect or default ACL must be defined on the switch; the url-redirect-acl AV pair only
names it.

If a downloadable ACL is configured for a particular client on the authentication server, you must
configure a default port ACL on the client-facing switch port.
If the default ACL is configured on the switch and the Cisco Secure ACS sends a host access policy to
the switch, the switch applies the policy to traffic from the host connected to the switch port. If the policy
does not apply, the switch applies the default ACL. If the Cisco Secure ACS sends the switch a downloadable
ACL, this ACL takes precedence over the default ACL already configured on the switch port. However,
if the switch receives a host access policy from the Cisco Secure ACS but no default ACL is
configured, an authorization failure is declared.
For details on how to configure a downloadable policy, refer to the "Configuring a Downloadable Policy"
section on page 44-43.
Using 802.1X with RADIUS-Provided Session Timeouts
You can specify whether a switch uses a locally configured or a RADIUS-provided reauthentication
timeout. If the switch is configured to use the local timeout, it reauthenticates the host when the timer
expires.
If the switch is configured to use the RADIUS-provided timeout, it scans the RADIUS Access-Accept
message for the Session-Timeout and optional Termination-Action attributes. The switch uses the value
of the Session-Timeout attribute to determine the duration of the session, and it uses the value of the
Termination-Action attribute to determine the switch action when the session's timer expires.
If the Termination-Action attribute is present and its value is RADIUS-Request, the switch
reauthenticates the host. If the Termination-Action attribute is not present, or its value is Default, the
switch terminates the session.
The supplicant on the port detects that its session was terminated and attempts to initiate a new session.

Note: Unless the authentication server treats this new session differently, the client may see only a brief
interruption in network connectivity as the switch sets up a new session.
If the switch is configured to use the RADIUS-supplied timeout, but the Access-Accept message does
not include a Session-Timeout attribute, the switch never reauthenticates the supplicant. This behavior
is consistent with that of Cisco wireless access points. If periodic reauthentication is expected, verify that
the authentication server actually includes Session-Timeout in its Access-Accept for that policy.
For details on how to configure RADIUS-provided session timeouts, see the "Configuring
RADIUS-Provided Session Timeouts" section on page 44-51.
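The following is an added example, not code from the Cisco guide. It shows, on the wire, the two things this section describes: the url-redirect and url-redirect-acl AV pairs (carried as cisco-avpair strings inside a RADIUS Vendor-Specific attribute, vendor ID 9, vendor type 1) and the Session-Timeout (attribute 27) and Termination-Action (attribute 29) attributes from RFC 2865. It builds the attribute list of an Access-Accept from constructed sample values, parses it the way a switch would, and derives the port behaviour using the rules above, including the two edge cases: Termination-Action absent (session terminated) and Session-Timeout absent while the server timer is selected (never reauthenticates). The URL, ACL name, timeout values and function names are assumptions for illustration.

```python
import struct

# RFC 2865 attribute types and Termination-Action values
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
VENDOR_SPECIFIC = 26
TERM_DEFAULT = 0
TERM_RADIUS_REQUEST = 1
# Cisco VSA: vendor ID 9, vendor type 1 = cisco-avpair ("key=value" string)
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def encode_attr(attr_type, value):
    """Standard RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text):
    """Wrap one cisco-avpair string in a Vendor-Specific attribute."""
    raw = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(raw) + 2) + raw
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_accept(url=None, acl=None, session_timeout=None, termination_action=None):
    """Attribute list of a constructed Access-Accept (RADIUS packet header omitted)."""
    attrs = b""
    if url is not None:
        attrs += encode_cisco_avpair("url-redirect=" + url)
    if acl is not None:
        attrs += encode_cisco_avpair("url-redirect-acl=" + acl)
    if session_timeout is not None:
        attrs += encode_attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    if termination_action is not None:
        attrs += encode_attr(TERMINATION_ACTION, struct.pack("!I", termination_action))
    return attrs


def parse_attrs(payload):
    """Walk the attribute list and extract the fields this section talks about."""
    out = {"avpairs": {}}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        val = payload[i + 2:i + alen]
        if atype in (SESSION_TIMEOUT, TERMINATION_ACTION):
            if len(val) != 4:
                raise ValueError("integer attribute must be 4 bytes")
            key = "session_timeout" if atype == SESSION_TIMEOUT else "termination_action"
            out[key] = struct.unpack("!I", val)[0]
        elif atype == VENDOR_SPECIFIC and len(val) >= 4 and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            j = 4  # skip the vendor ID, then walk the vendor sub-attributes
            while j + 2 <= len(val):
                vtype, vlen = val[j], val[j + 1]
                if vlen < 2 or j + vlen > len(val):
                    raise ValueError("malformed vendor sub-attribute")
                if vtype == CISCO_AVPAIR:
                    key, _, value = val[j + 2:j + vlen].decode().partition("=")
                    out["avpairs"][key.strip()] = value.strip()
                j += vlen
        i += alen
    return out


def switch_decision(attrs, use_server_timer, local_timer=3600):
    """Apply the rules from this section to a parsed Access-Accept."""
    decision = {
        "redirect_url": attrs["avpairs"].get("url-redirect"),
        "redirect_acl": attrs["avpairs"].get("url-redirect-acl"),
    }
    if not use_server_timer:
        # locally configured timer: reauthenticate the host when it expires
        decision["reauth_after"] = local_timer
        decision["on_expiry"] = "reauthenticate"
    elif "session_timeout" not in attrs:
        # server timer selected but no Session-Timeout attribute: never reauthenticates
        decision["reauth_after"] = None
        decision["on_expiry"] = "never reauthenticate"
    else:
        decision["reauth_after"] = attrs["session_timeout"]
        if attrs.get("termination_action") == TERM_RADIUS_REQUEST:
            decision["on_expiry"] = "reauthenticate"
        else:
            # Termination-Action absent or Default: the session is terminated
            decision["on_expiry"] = "terminate session"
    return decision


if __name__ == "__main__":
    # constructed sample Access-Accept: redirect to a posture server, 10-minute session, reauth on expiry
    accept = build_accept("https://posture.example.com/update", "REDIRECT-POSTURE", 600, TERM_RADIUS_REQUEST)
    print(switch_decision(parse_attrs(accept), use_server_timer=True))
```

The parser deliberately rejects zero-length or overrunning attribute and sub-attribute lengths rather than skipping them, since a length-zero TLV would otherwise loop forever; the decision function mirrors the text exactly, so the "never reauthenticate" branch is reached only when the server timer is selected and Session-Timeout is missing.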