Dell POWEREDGE M1000E User Manual

10-17

Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide

OL-13270-03

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

To configure per-user ACLs, you need to perform these tasks:

•

Enable AAA authentication.

•

Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.

•

Enable IEEE 802.1x authentication.

•

Configure the user profile and VSAs on the RADIUS server.

•

Configure the IEEE 802.1x port for single-host mode.

802.1x Authentication with Downloadable ACLs and Redirect URLs

You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x
authentication or MAC authentication bypass of the host. You can also download ACLs during web
authentication.

Note

A downloadable ACL is also referred to as a dACL.

If the host mode is single-host, MDA, or multiple-authentication mode, the switch modifies the source
address of the ACL to be the host IP address.

Note

A port in multiple-host mode does not support the downloadable ACL and redirect URL feature.

You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.

If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on
the port to the host. On a voice VLAN port, the switch applies the ACL only to the phone.

Note

If a downloadable ACL or redirect URL is configured for a client on the authentication server, a default
port ACL on the connected client switch port must also be configured.

Cisco Secure ACS and Attribute-Value Pairs for the

Redirect URL

The switch uses these cisco-av-pair VSAs:

•

url-redirect is the HTTP to HTTPS URL.

•

url-redirect-acl is the switch ACL name or number.

The switch uses the CiscoSecure-Defined-ACL AV pair to intercept an HTTP or HTTPS request from
the endpoint device. The switch then forwards the client web browser to the specified redirect address.
The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is
redirected. The url-redirect-acl AV pair contains the name or number of an ACL that specifies the HTTP
or HTTPS traffic to redirect. Traffic that matches a permit ACE in the ACL is redirected.

Note

Define the URL redirect ACL and the default port ACL on the switch.

If a redirect URL configured for a client on the authentication server, a default port ACL on the
connected client switch port must also be configured.