9-8
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-09
Chapter9 Configuring 802.1X Port-Based Authentication
Understanding 802.1X Port-Based Authentication
Using 802.1X with Per-User ACLs
You can enable per-user access control lists (ACLs) to provide different levels of network access and
service to an 802.1X-authenticated user. When the RADIUS server authenticates a user connected to an
802.1X port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The
switch applies the attributes to the 802.1X port for the duration of the user session. The switch removes
the per-user ACL configuration when the session is over, if authentication fails, or if a link-down
condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When
the port is unauthorized, the switch removes the ACL from the port.
You can configure only one type of per-user ACLs on a switch port: router ACLs or port ACLs. Router
ACLs apply to Layer 3 interfaces, and port ACLs apply to Layer 2 interfaces. If a port is configured with
a port-based ACL, the switch rejects any attempt to configure a router-based ACL on the same port.
However, if a port is configured with a router-based ACL and then a port-based ACL, the port-based ACL
overwrites the router ACL. To avoid configuration conflicts, you should carefully plan the user profiles
stored on the RADIUS server.
RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific
attributes (VSAs) are in octet-string format and are passed to the switch during the authentication
process. The VSAs used for per-user ACLs are inacl#<n> for the ingress direction and outacl#<n> for
the egress direction. MAC ACLs are only supported in the ingress direction.
Use only extended ACL syntax style to define the per-user configuration stored on the RADIUS server.
When the definitions are passed from the RADIUS server, they are created by using the extended naming
convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on
the switch. The attribute contains the ACL number followed by .in or .out for ingress filtering or egress
filtering. If the RADIUS server does not allow .in or .out syntax, the access list is applied to the outbound
ACL by default. Because of limited support of IOS access lists on the switch, the Filter-Id attribute is
supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
Only one 802.1X-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the
port, the per-user ACL attribute is disabled for the associated port.
The maximum size of the per-user ACL is 4000 ASCII characters.
For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific
RADIUS Attributes” section on page 8-29. For more information about configuring ACLs, see
Chapter 28, “Configuring Network Security with ACLs.”
To configure per-user ACLs, you need to perform these tasks:
• Enable AAA authentication
• Enable AAA authorization by using the network keyword to allow interface configuration from the
  RADIUS server
• Enable 802.1X
• Configure the user profile and VSAs on the RADIUS server
• Configure the 802.1X port for single-host mode
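The following is an added example, not code from the Catalyst 3550 guide or from Cisco. It turns the constraints stated above (inacl#<n>/outacl#<n> VSAs, extended syntax only, MAC ACLs ingress only, the 4000-character limit, Filter-Id numbered 1 to 199 or 1300 to 2699 with .in/.out and an outbound default) into checks you can run over a RADIUS user profile before loading it, and audits a running-config excerpt for the switch-side tasks in the list above. The "ip:inacl#<n>=..." and "mac:inacl#<n>=..." Cisco-AVPair spelling of the VSA, the "dot1x host-mode multi-host" spelling of the multiple-hosts command, and the sample profile and config are assumptions made for illustration; confirm them against the release you run.

```python
# Added example (not from the Catalyst 3550 guide): pre-flight checks for
# 802.1X per-user ACLs.  VSA spelling, IOS command spellings and sample
# data are assumptions for illustration.
import re

MAX_ACL_CHARS = 4000                          # per-user ACL size limit
FILTER_ID_RANGES = ((1, 199), (1300, 2699))   # IP standard and extended ACLs
IP_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "igmp", "gre", "esp", "ahp", "pim"}

VSA_RE = re.compile(r"^(ip|mac):(inacl|outacl)#(\d+)=(.+)$")   # assumed format
FILTER_ID_RE = re.compile(r"^(\d+)(?:\.(in|out))?$")


def _is_extended(proto, ace):
    """Extended syntax: IP ACEs name protocol, source and destination;
    MAC ACEs name source and destination.  Standard ACEs have fewer tokens."""
    toks = ace.split()
    if len(toks) < 3 or toks[0] not in ("permit", "deny"):
        return False
    if proto == "ip":
        return len(toks) >= 4 and (toks[1] in IP_PROTOCOLS or toks[1].isdigit())
    return True


def validate_avpair(value):
    """Problems found in one per-user ACL VSA string (empty list = OK)."""
    problems = [] if value.isascii() else ["VSA must be ASCII"]
    m = VSA_RE.match(value)
    if not m:
        return problems + ["expected <ip|mac>:<inacl|outacl>#<n>=<ACE>"]
    proto, direction, _, ace = m.groups()
    if proto == "mac" and direction == "outacl":
        problems.append("MAC ACLs are supported only in the ingress direction")
    if not _is_extended(proto, ace):
        problems.append("ACE must use extended ACL syntax")
    return problems


def validate_profile(avpairs):
    """Check every VSA in a profile plus the 4000-character limit per ACL."""
    problems, size = [], {}
    for v in avpairs:
        problems += [f"{v}: {p}" for p in validate_avpair(v)]
        m = VSA_RE.match(v)
        if m:                                  # accumulate ACE text per ACL
            key = (m.group(1), m.group(2))
            size[key] = size.get(key, 0) + len(m.group(4)) + 1
    problems += [f"{k[0]}:{k[1]} exceeds {MAX_ACL_CHARS} characters"
                 for k, n in size.items() if n > MAX_ACL_CHARS]
    return problems


def validate_filter_id(value):
    """Parse a Filter-Id; no .in/.out suffix means outbound, as the guide says."""
    m = FILTER_ID_RE.match(value)
    if not m:
        return {"acl": None, "direction": None,
                "problems": ["Filter-Id must be <acl-number>[.in|.out]"]}
    num, direction = int(m.group(1)), m.group(2) or "out"
    problems = [] if any(lo <= num <= hi for lo, hi in FILTER_ID_RANGES) \
        else ["ACL number must be 1-199 or 1300-2699"]
    return {"acl": num, "direction": direction, "problems": problems}


def _interface_stanza(config_text, name):
    """Indented lines belonging to 'interface <name>' in an IOS config."""
    body, inside = [], False
    for line in config_text.splitlines():
        if line.strip().lower() == f"interface {name}".lower():
            inside = True
        elif inside and line.startswith(" "):
            body.append(line.strip())
        elif inside:
            break
    return body


def check_switch_config(config_text, interface):
    """Missing switch-side prerequisites for per-user ACLs (empty = ready)."""
    required = [
        ("aaa new-model", r"^aaa new-model$"),
        ("aaa authentication dot1x", r"^aaa authentication dot1x \S+ group radius"),
        ("aaa authorization network", r"^aaa authorization network \S+ group radius"),
        ("dot1x system-auth-control", r"^dot1x system-auth-control$"),
    ]
    missing = [label for label, pat in required
               if not re.search(pat, config_text, re.MULTILINE)]
    port = _interface_stanza(config_text, interface)
    if "dot1x port-control auto" not in port:
        missing.append(f"{interface}: dot1x port-control auto")
    if any(l.startswith("dot1x host-mode multi-host") or l == "dot1x multiple-hosts"
           for l in port):                    # multiple-hosts disables per-user ACLs
        missing.append(f"{interface}: single-host mode")
    return missing


# Constructed sample data (not from any real deployment).
SAMPLE_PROFILE = ["ip:inacl#10=permit tcp any host 10.1.1.5 eq 80",
                  "ip:inacl#20=deny ip any any",
                  "mac:inacl#1=permit any any"]
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/2
 dot1x port-control auto
 dot1x host-mode multi-host
"""

if __name__ == "__main__":
    print(validate_profile(SAMPLE_PROFILE), validate_filter_id("100"))
    print(check_switch_config(SAMPLE_CONFIG, "FastEthernet0/2"))
```

The profile check is deliberately strict about extended syntax because the guide says ACLs pushed from RADIUS are created with the extended naming convention; the only place a standard ACL is acceptable is behind a Filter-Id, which is why validate_filter_id only checks the number range and direction. The config audit flags FastEthernet0/2 because multiple-hosts mode silently disables the per-user ACL attribute on that port.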