Cisco Systems 3750E Manual De Usuario
10-11
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
If an IEEE 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to
the port access VLAN configuration does not take effect.
the port access VLAN configuration does not take effect.
The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
•
Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
RADIUS server.
•
Enable IEEE 802.1x authentication. (The VLAN assignment feature is automatically enabled when
you configure IEEE 802.1x authentication on an access port).
you configure IEEE 802.1x authentication on an access port).
•
Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return
these attributes to the switch:
these attributes to the switch:
–
[64] Tunnel-Type = VLAN
–
[65] Tunnel-Medium-Type = 802
–
[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802
(type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the
IEEE 802.1x-authenticated user.
(type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the
IEEE 802.1x-authenticated user.
For examples of tunnel attributes, see the
Using IEEE 802.1x Authentication with Per-User ACLs
You can enable per-user access control lists (ACLs) to provide different levels of network access and
service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates a user connected
to an IEEE 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the
switch. The switch applies the attributes to the IEEE 802.1x port for the duration of the user session. The
switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a
link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running
configuration. When the port is unauthorized, the switch removes the ACL from the port.
service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates a user connected
to an IEEE 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the
switch. The switch applies the attributes to the IEEE 802.1x port for the duration of the user session. The
switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a
link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running
configuration. When the port is unauthorized, the switch removes the ACL from the port.
You can configure router ACLs and input port ACLs on the same switch. However, a port ACL takes
precedence over a router ACL. If you apply input port ACL to an interface that belongs to a VLAN, the
port ACL takes precedence over an input router ACL applied to the VLAN interface. Incoming packets
received on the port to which a port ACL is applied are filtered by the port ACL. Incoming routed
packets received on other ports are filtered by the router ACL. Outgoing routed packets are filtered by
the router ACL. To avoid configuration conflicts, you should carefully plan the user profiles stored on
the RADIUS server.
precedence over a router ACL. If you apply input port ACL to an interface that belongs to a VLAN, the
port ACL takes precedence over an input router ACL applied to the VLAN interface. Incoming packets
received on the port to which a port ACL is applied are filtered by the port ACL. Incoming routed
packets received on other ports are filtered by the router ACL. Outgoing routed packets are filtered by
the router ACL. To avoid configuration conflicts, you should carefully plan the user profiles stored on
the RADIUS server.
RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific
attributes (VSAs) are in octet-string format and are passed to the switch during the authentication
process. The VSAs used for per-user ACLs are
attributes (VSAs) are in octet-string format and are passed to the switch during the authentication
process. The VSAs used for per-user ACLs are
inacl#<
n
>
for the ingress direction and
outacl#<
n
>
for
the egress direction. MAC ACLs are supported only in the ingress direction. The switch supports VSAs
only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For
more information, see
only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For
more information, see
Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS
server. When the definitions are passed from the RADIUS server, they are created by using the extended
naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
server. When the definitions are passed from the RADIUS server, they are created by using the extended
naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.