Per-User ACLs and Filter-Ids
You can only set any as the source in the ACL.Note
For any ACL configured for multiple-host mode, the source portion of statement must be any. (For example,
permit icmp any host 10.10.1.1.)
Note
You must specify any in the source ports of any defined ACL. Otherwise, the ACL cannot be applied and
authorization fails. Single host is the only exception to support backward compatibility.
More than one host can be authenticated on MDA-enabled and multiauth ports. The ACL policy applied for
one host does not effect the traffic of another host. If only one host is authenticated on a multi-host port, and
the other hosts gain network access without authentication, the ACL policy for the first host can be applied
to the other connected hosts by specifying any in the source address.
Port-Based Authentication Manager CLI Commands
The authentication-manager interface-configuration commands control all the authentication methods, such
as 802.1x, MAC authentication bypass, and web authentication. The authentication manager commands
determine the priority and order of authentication methods applied to a connected host.
The authentication manager commands control generic authentication features, such as host-mode, violation
mode, and the authentication timer. Generic authentication commands include the authentication host-mode,
authentication violation, and authentication timer interface configuration commands.
802.1x-specific commands begin with the dot1x keyword. For example, the authentication port-control
auto interface configuration command enables authentication on an interface. However, the dot1x
system-authentication control global configuration command only globally enables or disables 802.1x
authentication.
If 802.1x authentication is globally disabled, other authentication methods are still enabled on that port,
such as web authentication.
Note
The authentication manager commands provide the same functionality as earlier 802.1x commands.
When filtering out verbose system messages generated by the authentication manager, the filtered content
typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and
MAB authentication. There is a separate command for each authentication method:
•
The no authentication logging verbose global configuration command filters verbose messages from
the authentication manager.
•
The no dot1x logging verbose global configuration command filters 802.1x authentication verbose
messages.
•
The no mab logging verbose global configuration command filters MAC authentication bypass (MAB)
verbose messages
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 269
Configuring IEEE 802.1x Port-Based Authentication
Authentication Manager for Port-Based Authentication
To Next Page
Loading...
Need help?
General