X Authentication With Downloadable Acls And Redirect Urls - Cisco IE-4000 Software Configuration Manual

Configuring IEEE 802.1x Port-Based Authentication
Information About Configuring IEEE 802.1x Port-Based Authentication

802.1x Authentication with Downloadable ACLs and Redirect URLs

You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x authentication or MAC
authentication bypass of the host. You can also download ACLs during web authentication.
Note: A downloadable ACL is also referred to as a dACL.
If more than one host is authenticated and the host is in single-host, MDA, or multiple-authentication mode, the switch
changes the source address of the ACL to the host IP address.
You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.
If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on the port to the host.
On a voice VLAN port configured in multi-auth or MDA mode, the switch applies the ACL only to the phone as part of
the authorization policies.
Note: The auth-default ACL does not appear in the running configuration.
The auth-default ACL is created when at least one host with an authorization policy is detected on the port. The
auth-default ACL is removed from the port when the last authenticated session ends. You can configure the auth-default
ACL by using the ip access-list extended auth-default-acl global configuration command.
Note: The auth-default ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode. You must
configure a static ACL on the interface to support CDP bypass.
The 802.1x and MAB authentication methods support two authentication modes, open and closed. If there is no static
ACL on a port in closed authentication mode:

An auth-default-ACL is created.

The auth-default-ACL allows only DHCP traffic until policies are enforced.

When the first host authenticates, the authorization policy is applied without IP address insertion.

When a second host is detected, the policies for the first host are refreshed, and policies for the first and subsequent
sessions are enforced with IP address insertion.
If there is no static ACL on a port in open authentication mode:

An auth-default-ACL-OPEN is created and allows all traffic.

Policies are enforced with IP address insertion to prevent security breaches.

Web authentication is subject to the auth-default-ACL-OPEN.
To control access for hosts with no authorization policy, you can configure a directive. The supported values for the
directive are open and default. When you configure the open directive, all traffic is allowed. The default directive subjects
traffic to the access provided by the port. You can configure the directive either in the user profile on the AAA server or
on the switch. To configure the directive on the AAA server, use the authz-directive = open/default global command. To
configure the directive on the switch, use the epm access-control open global configuration command.
Note: The default value of the directive is default.
If a host falls back to web authentication on a port without a configured ACL:

If the port is in open authentication mode, the auth-default-ACL-OPEN is created.

If the port is in closed authentication mode, the auth-default-ACL is created.
The access control entries (ACEs) in the fallback ACL are converted to per-user entries. If the configured fallback profile
does not include a fallback ACL, the host is subject to the auth-default-ACL associated with the port.
204