Cisco Systems 3560 Manual De Usuario
10-16
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
the egress direction. MAC ACLs are supported only in the ingress direction. The switch supports VSAs
only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For
more information, see
only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For
more information, see
Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS
server. When the definitions are passed from the RADIUS server, they are created by using the extended
naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
server. When the definitions are passed from the RADIUS server, they are created by using the extended
naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on
the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress
filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the
outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the
Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and
IP extended ACLs).
the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress
filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the
outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the
Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and
IP extended ACLs).
Only one 802.1x-authenticated user is supported on a port. If multiple-hosts mode is enabled on the port,
the per-user ACL attribute is disabled for the associated port.
the per-user ACL attribute is disabled for the associated port.
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of
RADIUS-server per-user ACLs.
RADIUS-server per-user ACLs.
. For more information about configuring ACLs, see
To configure per-user ACLs, you need to perform these tasks:
•
Enable AAA authentication.
•
Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
RADIUS server.
•
Enable 802.1x authentication.
•
Configure the user profile and VSAs on the RADIUS server.
•
Configure the 802.1x port for single-host mode.
For more configuration information, see the
.
802.1x Authentication with Downloadable ACLs and Redirect URLs
You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x
authentication or MAC authentication bypass of the host. You can also download ACLs during web
authentication.
authentication or MAC authentication bypass of the host. You can also download ACLs during web
authentication.
Note
A downloadable ACL is also referred to as a dACL.
If the host mode is single-host, MDA, or multiple-authentication mode, the switch modifies the source
address of the ACL to be the host IP address.
address of the ACL to be the host IP address.
Note
A port in multiple-host mode does not support the downloadable ACL and redirect URL feature.
You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.
If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on
the port to the host. On a voice VLAN port, the switch applies the ACL only to the phone.
the port to the host. On a voice VLAN port, the switch applies the ACL only to the phone.