802.1x Authentication with Downloadable ACLs and Redirect URLs
You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x authentication
or MAC authentication bypass of the host. You can also download ACLs during web authentication.
A downloadable ACL is also referred to as a dACL.
Note
If more than one host is authenticated and the host is in single-host, MDA, or multiple-authentication mode,
the switch changes the source address of the ACL to the host IP address.
You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.
If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on the
port to the host. On a voice VLAN port configured in multi-auth or MDA mode, the switch applies the ACL
only to the phone as part of the authorization policies.
Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic auth-default
ACL is created, and policies are enforced before dACLs are downloaded and applied.
The auth-default-ACL does not appear in the running configuration.Note
The auth-default ACL is created when at least one host with an authorization policy is detected on the port.
The auth-default ACL is removed from the port when the last authenticated session ends. You can configure
the auth-default ACL by using the ip access-list extended auth-default-acl global configuration command.
The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode.
You must configure a static ACL on the interface to support CDP bypass.
Note
The 802.1x and MAB authentication methods support two authentication modes, open and closed. If there is
no static ACL on a port in closed authentication mode:
•
An auth-default-ACL is created.
•
The auth-default-ACL allows only DHCP traffic until policies are enforced.
•
When the first host authenticates, the authorization policy is applied without IP address insertion.
•
When a second host is detected, the policies for the first host are refreshed, and policies for the first and
subsequent sessions are enforced with IP address insertion.
If there is no static ACL on a port in open authentication mode:
•
An auth-default-ACL-OPEN is created and allows all traffic.
•
Policies are enforced with IP address insertion to prevent security breaches.
•
Web authentication is subject to the auth-default-ACL-OPEN.
To control access for hosts with no authorization policy, you can configure a directive. The supported values
for the directive are open and default. When you configure the open directive, all traffic is allowed. The default
directive subjects traffic to the access provided by the port. You can configure the directive either in the user
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01 281
Configuring IEEE 802.1x Port-Based Authentication
802.1x Authentication with Downloadable ACLs and Redirect URLs
To Next Page
Loading...
Need help?
General
Weight and Dimensions
