Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server.
When the definitions are passed from the RADIUS server, they are created by using the extended naming
convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on the
switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering.
If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by
default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported
only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
Only one 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port,
the per-user ACL attribute is disabled for the associated port.
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of
RADIUS-server per-user ACLs.
To configure per-user ACLs:
•
Enable AAA authentication.
•
Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
•
Enable 802.1x authentication.
•
Configure the user profile and VSAs on the RADIUS server.
•
Configure the 802.1x port for single-host mode.
Per-user ACLs are supported only in single-host mode.Note
802.1x Authentication with Downloadable ACLs and Redirect URLs
You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x authentication
or MAC authentication bypass of the host. You can also download ACLs during web authentication.
A downloadable ACL is also referred to as a dACL.
Note
If more than one host is authenticated and the host is in single-host, MDA, or multiple-authentication mode,
the switch changes the source address of the ACL to the host IP address.
You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.
If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on the
port to the host. On a voice VLAN port configured in multi-auth or MDA mode, the switch applies the ACL
only to the phone as part of the authorization policies.
Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic auth-default
ACL is created, and policies are enforced before dACLs are downloaded and applied.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29434-01 229
Configuring IEEE 802.1x Port-Based Authentication
802.1x Authentication with Downloadable ACLs and Redirect URLs
To Next Page
Loading...
Need help?
General