Cisco Systems 3560 User Manual

10-26
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 10      Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
  • Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs coming from supplicant switches. This can be achieved by configuring the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or user settings.)
Figure 10-6    Authenticator and Supplicant Switch using CISP
For more information, see the 
Web Authentication
You can use a web browser to authenticate a client that does not support 802.1x functionality. This feature can authenticate up to eight users on the same shared port and apply the appropriate policies for each end host on a shared port.
You can configure a port to use only web authentication. You can also configure the port to first try and use 802.1x authentication and then to use web authorization if the client does not support 802.1x authentication.
Web authentication requires two Cisco Attribute-Value (AV) pair attributes:
  • The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user who is logging into the switch.
  • The second attribute is an access list to be applied for web-authenticated hosts. The syntax is similar to 802.1x per-user access control lists (ACLs). However, instead of ip:inacl, this attribute must begin with proxyacl, and the source field in each entry must be any. (After authentication, the client IP address replaces the any field when the ACL is applied.)
For example:
proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0
proxyacl# 30=permit udp any any eq syslog
proxyacl# 40=permit udp any any eq tftp
Note
The proxyacl entry determines the type of allowed network access.
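The two AV-pair rules above (priv-lvl fixed at 15, proxyacl entries with an any source) are easy to get wrong on the ACS side. The following checker is an added example written for this page, not code from the guide or from Cisco; the sample AV pairs are constructed, and rendering the substituted source as host <client-ip> is an assumption about how the applied entry reads, not the switch's literal output.

```python
import ipaddress
import re

# Constructed sample of the AV pairs an ACS might return for a web-authenticated host.
SAMPLE_AV_PAIRS = [
    "priv-lvl=15",
    "proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0",
    "proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0",
    "proxyacl# 30=permit udp any any eq syslog",
    "proxyacl# 40=permit udp any any eq tftp",
]

# proxyacl# <seq>=<action> <protocol> <source> [<rest of entry>]
PROXYACL_RE = re.compile(r"^proxyacl#\s*(\d+)=(permit|deny)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def check_webauth_av_pairs(av_pairs):
    """Return the list of rule violations; an empty list means the set is acceptable."""
    problems = []
    if "priv-lvl=15" not in av_pairs:
        problems.append("priv-lvl=15 is missing; the privilege level must always be 15")
    for pair in av_pairs:
        if pair.startswith("priv-lvl="):
            if pair != "priv-lvl=15":
                problems.append(f"{pair}: privilege level must be 15")
        elif pair.startswith("ip:inacl"):
            problems.append(f"{pair}: web authentication entries must begin with proxyacl")
        else:
            m = PROXYACL_RE.match(pair)
            if not m:
                problems.append(f"{pair}: not a well-formed proxyacl entry")
            elif m.group(4) != "any":
                problems.append(f"{pair}: source field must be 'any'")
    return problems

def render_applied_acl(av_pairs, client_ip):
    """Illustrate the substitution the switch performs after authentication:
    the client address takes the place of the 'any' source in every entry (assumed rendering)."""
    ipaddress.ip_address(client_ip)  # reject a malformed address before rendering
    rendered = []
    for pair in av_pairs:
        m = PROXYACL_RE.match(pair)
        if m:
            seq, action, proto, _source, rest = m.groups()
            rendered.append(" ".join(filter(None, [seq, action, proto, f"host {client_ip}", rest])))
    return rendered

if __name__ == "__main__":
    print(check_webauth_av_pairs(SAMPLE_AV_PAIRS))  # []
    print(render_applied_acl(SAMPLE_AV_PAIRS, "192.0.2.10"))
```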
Figure 10-6 legend: 1 Workstations (clients); 2 Supplicant switch (outside wiring closet); 3 Authenticator switch; 4 Access control server (ACS); 5 Trunk port