10-21
Catalyst 3750 Switch Software Configuration Guide
OL-8550-02
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication
• When a port host mode is changed from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone that has been allowed on the port voice VLAN is automatically removed and must be reauthenticated on that port.
• Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port changes from single- or multihost mode to multidomain mode.
• Switching a port host mode from multidomain to single- or multihost mode removes all authorized devices from the port.
• If a data domain is authorized first and placed in the guest VLAN, non-IEEE 802.1x-capable voice devices need to tag their packets on the voice VLAN to trigger authentication.
• We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a per-user ACL policy might impact traffic on both the voice and data VLANs of the port. If used, only one device on the port should enforce per-user ACLs.
Using Web Authentication
You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality. You can configure a port to use only web authentication. You can also configure the port to first try and use IEEE 802.1x authentication and then to use web authorization if the client does not support IEEE 802.1x authentication.
Web authentication requires two Cisco Attribute-Value (AV) pair attributes:
• The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user who is logging into the switch.
• The second attribute is an access list to be applied for web authenticated hosts. The syntax is similar to IEEE 802.1X per-user ACLs. However, instead of ip:inacl, this attribute must begin with proxyacl, and the source field in each entry must be any. (After authentication, the client IP address replaces the any field when the ACL is applied.)
For example:
proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0
proxyacl# 30=permit udp any any eq syslog
proxyacl# 40=permit udp any any eq tftp
Note The proxyacl entry determines the type of allowed network access.
For more information, see the “Configuring Web Authentication” section on page 10-41.
Configuring IEEE 802.1x Authentication
These sections contain this configuration information:
• Default IEEE 802.1x Authentication Configuration, page 10-22
• IEEE 802.1x Authentication Configuration Guidelines, page 10-23
• Upgrading from a Previous Software Release, page 10-26
• Configuring IEEE 802.1x Authentication, page 10-26 (required)
• Configuring the Switch-to-RADIUS-Server Communication, page 10-27 (required)