Home » Cisco Manuals » Hubs & Switches » Cisco 3560G 48TS » Manual Viewer

Cisco 3560G 48TS Software Configuration Guide - Page 204

Using 802.1X with Guest VLAN, Using 802.1X with Per-User ACLs

UPC - 746320942568

Add to My Manuals
Save this manual to your list of manuals

Page 204 highlights

Understanding 802.1X Port-Based Authentication Chapter 9 Configuring 802.1X Port-Based Authentication Using 802.1X with Guest VLAN You can configure a guest VLAN for each 802.1X port on the switch to provide limited services to clients (for example, how to download the 802.1X client). These clients might be upgrading their system for 802.1X authentication, and some hosts, such as Windows 98 systems, might not be 802.1X-capable. When the authentication server does not receive a response to its EAPOL request/identity frame, clients that are not 802.1X-capable are put into the guest VLAN for the port, if one is configured. However, the server does not grant 802.1X-capable clients that fail authentication access to the network. Any number of hosts are allowed access when the switch port is moved to the guest VLAN. If an 802.1X-capable host joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted. Guest VLANs are supported on 802.1X ports in single-host or multiple-hosts mode. You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an 802.1X guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports. For more information, see the "Configuring a Guest VLAN" section on page 9-18. Using 802.1X with Per-User ACLs You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an 802.1X-authenticated user. When the RADIUS server authenticates a user connected to an 802.1X port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the 802.1X port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the switch removes the ACL from the port. You can configure router ACLs and input port ACLs on the same Catalyst 3560 switch. However, a port ACL takes precedence over a router ACL. If you apply input port ACL to an interface that belongs to a VLAN, the port ACL takes precedence over an input router ACL applied to the VLAN interface. Incoming packets received on the port to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on other ports are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To avoid configuration conflicts, you should carefully plan the user profiles stored on the RADIUS server. RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes (VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs used for per-user ACLs are inacl# for the ingress direction and outacl# for the egress direction. MAC ACLs are supported only in the ingress direction. The Catalyst 3560 switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For more information, see Chapter 27, "Configuring Network Security with ACLs." Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server. When the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL. You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs). Catalyst 3560 Switch Software Configuration Guide 9-8 78-16156-01

Section	Page
Catalyst 3560 Switch SoftwareConfigurationGuide	1
Contents	3
Preface	33
Audience	33
Purpose	33
Conventions	34
Related Publications	35
Obtaining Documentation	35
Cisco.com	35
Documentation CD-ROM	36
Ordering Documentation	36
Documentation Feedback	36
Obtaining Technical Assistance	36
Cisco TAC Website	37
Opening a TAC Case	37
TAC Case Priority Definitions	37
Obtaining Additional Publications and Information	38
Overview	39
Features	39
Default Settings After Initial Switch Configuration	47
Network Configuration Examples	49
Design Concepts for Using the Switch	49
Small to Medium-Sized Network Using Catalyst 3560 Switches	51
Large Network Using Catalyst 3560 Switches	52
Long-Distance, High-Bandwidth Transport Configuration	54
Where to Go Next	54
Using the Command-Line Interface	55
Understanding Command Modes	55
Understanding the Help System	57
Understanding Abbreviated Commands	57
Understanding no and default Forms of Commands	58
Understanding CLI Error Messages	58
Using Command History	58
Changing the Command History Buffer Size	59
Recalling Commands	59
Disabling the Command History Feature	59
Using Editing Features	60
Enabling and Disabling Editing Features	60
Editing Commands through Keystrokes	60
Editing Command Lines that Wrap	62
Searching and Filtering Output of show and more Commands	62
Accessing the CLI	63
Accessing the CLI through a Console Connection or through Telnet	63
Accessing the CLI from a Browser	63
Getting Started with CMS	65
Understanding CMS	65
Front Panel View	66
Topology View	66
CMS Menu Bar, Toolbar, and Feature Bar	66
Online Help	69
Configuration Modes	69
Guide Mode	69
Expert Mode	70
Wizards	70
Privilege Levels	71
Access to Older Switches In a Cluster	71
Configuring CMS	72
CMS Requirements	72
Minimum Hardware Configuration	72
Operating System and Browser Support	73
CMS Plug-In Requirements	73
Cross-Platform Considerations	74
HTTP Access to CMS	74
Specifying an HTTP Port (Nondefault Configuration Only)	74
Configuring an Authentication Method (Nondefault Configuration Only)	74
Displaying CMS	75
Launching CMS	75
Front Panel View	78
Topology View	79
CMS Icons	80
Where to Go Next	80
Assigning the Switch IP Address and Default Gateway	81
Understanding the Boot Process	81
Assigning Switch Information	82
Default Switch Information	83
Understanding DHCP-Based Autoconfiguration	83
DHCP Client Request Process	84
Configuring DHCP-Based Autoconfiguration	84
Configuring the DHCP Server	85
Configuring the TFTP Server	85
Configuring the DNS	86
Configuring the Relay Device	86
Obtaining Configuration Files	87
Example Configuration	88
Manually Assigning IP Information	89
Checking and Saving the Running Configuration	90
Modifying the Startup Configuration	91
Default Boot Configuration	92
Automatically Downloading a Configuration File	92
Specifying the Filename to Read and Write the System Configuration	92
Booting Manually	93
Booting a Specific Software Image	93
Controlling Environment Variables	94
Scheduling a Reload of the Software Image	96
Configuring a Scheduled Reload	96
Displaying Scheduled Reload Information	97
Clustering Switches	99
Understanding Switch Clusters	100
Cluster Command Switch Characteristics	101
Standby Cluster Command Switch Characteristics	101
Candidate Switch and Cluster Member Switch Characteristics	102
Planning a Switch Cluster	102
Automatic Discovery of Cluster Candidates and Members	103
Discovery Through CDP Hops	103
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices	104
Discovery Through Different VLANs	105
Discovery Through Different Management VLANs	105
Discovery Through Routed Ports	106
Discovery of Newly Installed Switches	107
HSRP and Standby Cluster Command Switches	108
Virtual IP Addresses	109
Other Considerations for Cluster Standby Groups	109
Automatic Recovery of Cluster Configuration	110
IP Addresses	111
Host Names	111
Passwords	112
SNMP Community Strings	112
TACACS+ and RADIUS	112
Access Modes in CMS	113
LRE Profiles	113
Availability of Switch-Specific Features in Switch Clusters	113
Creating a Switch Cluster	114
Enabling a Cluster Command Switch	114
Adding Cluster Member Switches	115
Creating a Cluster Standby Group	117
Verifying a Switch Cluster	118
Using the CLI to Manage Switch Clusters	119
Catalyst1900 and Catalyst2820 CLI Considerations	120
Using SNMP to Manage Switch Clusters	120
Administering the Switch	123
Managing the System Time and Date	123
Understanding the System Clock	124
Understanding Network Time Protocol	124
Configuring NTP	126
Default NTP Configuration	126
Configuring NTP Authentication	127
Configuring NTP Associations	128
Configuring NTP Broadcast Service	129
Configuring NTP Access Restrictions	130
Configuring the Source IP Address for NTP Packets	132
Displaying the NTP Configuration	133
Configuring Time and Date Manually	133
Setting the System Clock	133
Displaying the Time and Date Configuration	134
Configuring the Time Zone	134
Configuring Summer Time (Daylight Saving Time)	135
Configuring a System Name and Prompt	137
Default System Name and Prompt Configuration	137
Configuring a System Name	137
Configuring a System Prompt	138
Understanding DNS	138
Default DNS Configuration	139
Setting Up DNS	139
Displaying the DNS Configuration	140
Creating a Banner	140
Default Banner Configuration	140
Configuring a Message-of-the-Day Login Banner	141
Configuring a Login Banner	142
Managing the MAC Address Table	143
Building the Address Table	143
MAC Addresses and VLANs	144
Default MAC Address Table Configuration	144
Changing the Address Aging Time	144
Removing Dynamic Address Entries	145
Configuring MAC Address Notification Traps	145
Adding and Removing Static Address Entries	147
Configuring Unicast MAC Address Filtering	148
Displaying Address Table Entries	150
Managing the ARP Table	150
Configuring SDM Templates	151
Understanding the SDM Templates	151
Configuring the Switch SDM Template	152
Default SDM Template	152
SDM Template Configuration Guidelines	152
Setting the SDM Template	153
Displaying the SDM Templates	154
Configuring Switch-Based Authentication	155
Preventing Unauthorized Access to Your Switch	155
Protecting Access to Privileged EXEC Commands	156
Default Password and Privilege Level Configuration	156
Setting or Changing a Static Enable Password	157
Protecting Enable and Enable Secret Passwords with Encryption	158
Disabling Password Recovery	159
Setting a Telnet Password for a Terminal Line	160
Configuring Username and Password Pairs	161
Configuring Multiple Privilege Levels	162
Setting the Privilege Level for a Command	162
Changing the Default Privilege Level for Lines	163
Logging into and Exiting a Privilege Level	164
Controlling Switch Access with TACACS+	164
Understanding TACACS+	164
TACACS+ Operation	166
Configuring TACACS+	167
Default TACACS+ Configuration	167
Identifying the TACACS+ Server Host and Setting the Authentication Key	167
Configuring TACACS+ Login Authentication	168
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	170
Starting TACACS+ Accounting	171
Displaying the TACACS+ Configuration	171
Controlling Switch Access with RADIUS	172
Understanding RADIUS	172
RADIUS Operation	173
Configuring RADIUS	174
Default RADIUS Configuration	174
Identifying the RADIUS Server Host	175
Configuring RADIUS Login Authentication	177
Defining AAA Server Groups	179
Configuring RADIUS Authorization for User Privileged Access and Network Services	181
Starting RADIUS Accounting	182
Configuring Settings for All RADIUS Servers	183
Configuring the Switch to Use Vendor-Specific RADIUS Attributes	183
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication	185
Displaying the RADIUS Configuration	185
Controlling Switch Access with Kerberos	186
Understanding Kerberos	186
Kerberos Operation	188
Authenticating to a Boundary Switch	189
Obtaining a TGT from a KDC	189
Authenticating to Network Services	189
Configuring Kerberos	190
Configuring the Switch for Local Authentication and Authorization	190
Configuring the Switch for Secure Shell	191
Understanding SSH	192
SSH Servers, Integrated Clients, and Supported Versions	192
Limitations	192
Configuring SSH	193
Configuration Guidelines	193
Setting Up the Switch to Run SSH	193
Configuring the SSH Server	194
Displaying the SSH Configuration and Status	195
Configuring 802.1X Port-Based Authentication	197
Understanding 802.1X Port-Based Authentication	197
Device Roles	198
Authentication Initiation and Message Exchange	199
Ports in Authorized and Unauthorized States	200
Supported Topologies	200
Using 802.1X with Port Security	201
Using 802.1X with Voice VLAN Ports	202
Using 802.1X with VLAN Assignment	202
Using 802.1X with Guest VLAN	204
Using 802.1X with Per-User ACLs	204
Configuring 802.1X Authentication	205
Default 802.1X Configuration	206
802.1X Configuration Guidelines	207
Configuring 802.1X Authentication	207
Configuring the Switch-to-RADIUS-Server Communication	209
Configuring Periodic Re-Authentication	210
Manually Re-Authenticating a Client Connected to a Port	210
Changing the Quiet Period	211
Changing the Switch-to-Client Retransmission Time	211
Setting the Switch-to-Client Frame-Retransmission Number	212
Configuring the Host Mode	213
Configuring a Guest VLAN	214
Resetting the 802.1X Configuration to the Default Values	214
Displaying 802.1X Statistics and Status	215
Configuring Interface Characteristics	217
Understanding Interface Types	217
Port-Based VLANs	218
Switch Ports	218
Access Ports	218
Trunk Ports	219
Routed Ports	219
Switch Virtual Interfaces	220
EtherChannel Port Groups	221
Connecting Interfaces	221
Using Interface Configuration Mode	222
Procedures for Configuring Interfaces	223
Configuring a Range of Interfaces	224
Configuring and Using Interface Range Macros	225
Configuring Ethernet Interfaces	227
Default Ethernet Interface Configuration	227
Configuring Interface Speed and Duplex Mode	228
Configuration Guidelines	229
Setting the Interface Speed and Duplex Parameters	229
Configuring IEEE 802.3X Flow Control	230
Configuring Auto-MDIX on an Interface	231
Configuring Power over Ethernet on an Interface	232
Adding a Description for an Interface	234
Configuring Layer 3 Interfaces	235
Configuring the System MTU	236
Monitoring and Maintaining the Interfaces	238
Monitoring Interface Status	238
Clearing and Resetting Interfaces and Counters	239
Shutting Down and Restarting the Interface	239
Configuring SmartPort Macros	241
Understanding SmartPort Macros	241
Configuring Smart-Port Macros	242
Default SmartPort Macro Configuration	242
SmartPort Macro Configuration Guidelines	242
Creating and Applying SmartPort Macros	243
Displaying SmartPort Macros	244
Configuring VLANs	245
Understanding VLANs	245
Supported VLANs	247
VLAN Port Membership Modes	247
Configuring Normal-Range VLANs	248
Token Ring VLANs	249
Normal-Range VLAN Configuration Guidelines	250
VLAN Configuration Mode Options	250
VLAN Configuration in config-vlan Mode	251
VLAN Configuration in VLAN Database Configuration Mode	251
Saving VLAN Configuration	251
Default Ethernet VLAN Configuration	252
Creating or Modifying an Ethernet VLAN	252
Deleting a VLAN	254
Assigning Static-Access Ports to a VLAN	255
Configuring Extended-Range VLANs	256
Default VLAN Configuration	256
Extended-Range VLAN Configuration Guidelines	257
Creating an Extended-Range VLAN	258
Creating an Extended-Range VLAN with an Internal VLAN ID	259
Displaying VLANs	260
Configuring VLAN Trunks	260
Trunking Overview	260
Encapsulation Types	262
802.1Q Configuration Considerations	262
Default Layer 2 Ethernet Interface VLAN Configuration	263
Configuring an Ethernet Interface as a Trunk Port	263
Interaction with Other Features	264
Configuring a Trunk Port	264
Defining the Allowed VLANs on a Trunk	265
Changing the Pruning-Eligible List	266
Configuring the Native VLAN for Untagged Traffic	267
Configuring Trunk Ports for Load Sharing	268
Load Sharing Using STP Port Priorities	268
Load Sharing Using STP Path Cost	270
Configuring VMPS	271
Understanding VMPS	271
Dynamic-Access Port VLAN Membership	272
Default VMPS Client Configuration	273
VMPS Configuration Guidelines	273
Configuring the VMPS Client	273
Entering the IP Address of the VMPS	274
Configuring Dynamic-Access Ports on VMPS Clients	274
Reconfirming VLAN Memberships	275
Changing the Reconfirmation Interval	275
Changing the Retry Count	276
Monitoring the VMPS	276
Troubleshooting Dynamic-Access Port VLAN Membership	277
VMPS Configuration Example	277
Configuring VTP	279
Understanding VTP	279
The VTP Domain	280
VTP Modes	281
VTP Advertisements	281
VTP Version 2	282
VTP Pruning	282
Configuring VTP	284
Default VTP Configuration	284
VTP Configuration Options	285
VTP Configuration in Global Configuration Mode	285
VTP Configuration in VLAN Database Configuration Mode	285
VTP Configuration Guidelines	286
Domain Names	286
Passwords	286
VTP Version	287
Configuration Requirements	287
Configuring a VTP Server	287
Configuring a VTP Client	289
Disabling VTP (VTP Transparent Mode)	290
Enabling VTP Version 2	291
Enabling VTP Pruning	291
Adding a VTP Client Switch to a VTP Domain	292
Monitoring VTP	293
Configuring Voice VLAN	295
Understanding Voice VLAN	295
Cisco IP Phone Voice Traffic	296
Cisco IP Phone Data Traffic	296
Configuring Voice VLAN	297
Default Voice VLAN Configuration	297
Voice VLAN Configuration Guidelines	297
Configuring a Port Connected to a Cisco7960 IP Phone	298
Configuring IP Phone Voice Traffic	298
Configuring the Priority of Incoming Data Frames	299
Displaying Voice VLAN	300
Configuring STP	301
Understanding Spanning-Tree Features	301
STP Overview	302
Spanning-Tree Topology and BPDUs	303
Bridge ID, Switch Priority, and Extended System ID	304
Spanning-Tree Interface States	304
Blocking State	306
Listening State	306
Learning State	306
Forwarding State	306
Disabled State	307
How a Switch or Port Becomes the Root Switch or Root Port	307
Spanning Tree and Redundant Connectivity	308
Spanning-Tree Address Management	308
Accelerated Aging to Retain Connectivity	308
Spanning-Tree Modes and Protocols	309
Supported Spanning-Tree Instances	309
Spanning-Tree Interoperability and Backward Compatibility	310
STP and IEEE 802.1Q Trunks	310
VLAN-Bridge Spanning Tree	311
Configuring Spanning-Tree Features	311
Default Spanning-Tree Configuration	311
Spanning-Tree Configuration Guidelines	312
Changing the Spanning-Tree Mode	313
Disabling Spanning Tree	314
Configuring the Root Switch	314
Configuring a Secondary Root Switch	316
Configuring Port Priority	317
Configuring Path Cost	318
Configuring the Switch Priority of a VLAN	319
Configuring Spanning-Tree Timers	320
Configuring the Hello Time	320
Configuring the Forwarding-Delay Time for a VLAN	321
Configuring the Maximum-Aging Time for a VLAN	321
Displaying the Spanning-Tree Status	322
Configuring MSTP	323
Understanding MSTP	324
Multiple Spanning-Tree Regions	324
IST, CIST, and CST	325
Operations Within an MST Region	325
Operations Between MST Regions	326
Hop Count	327
Boundary Ports	327
Interoperability with 802.1D STP	327
Understanding RSTP	328
Port Roles and the Active Topology	328
Rapid Convergence	329
Synchronization of Port Roles	330
Bridge Protocol Data Unit Format and Processing	331
Processing Superior BPDU Information	332
Processing Inferior BPDU Information	332
Topology Changes	332
Configuring MSTP Features	333
Default MSTP Configuration	334
MSTP Configuration Guidelines	334
Specifying the MST Region Configuration and Enabling MSTP	335
Configuring the Root Switch	336
Configuring a Secondary Root Switch	338
Configuring Port Priority	339
Configuring Path Cost	340
Configuring the Switch Priority	341
Configuring the Hello Time	341
Configuring the Forwarding-Delay Time	342
Configuring the Maximum-Aging Time	343
Configuring the Maximum-Hop Count	343
Specifying the Link Type to Ensure Rapid Transitions	344
Restarting the Protocol Migration Process	344
Displaying the MST Configuration and Status	345
Configuring Optional Spanning-Tree Features	347
Understanding Optional Spanning-Tree Features	347
Understanding Port Fast	348
Understanding BPDU Guard	349
Understanding BPDU Filtering	349
Understanding UplinkFast	350
Understanding BackboneFast	351
Understanding Root Guard	353
Understanding Loop Guard	354
Configuring Optional Spanning-Tree Features	355
Default Optional Spanning-Tree Configuration	355
Optional Spanning-Tree Configuration Guidelines	355
Enabling Port Fast	356
Enabling BPDU Guard	357
Enabling BPDU Filtering	358
Enabling UplinkFast for Use with Redundant Links	359
Enabling BackboneFast	359
Enabling Root Guard	360
Enabling Loop Guard	361
Displaying the Spanning-Tree Status	361
Configuring DHCP Features	363
Understanding DHCP Features	363
DHCP Snooping	363
Option-82 Data Insertion	364
Configuring DHCP Features	365
Default DHCP Configuration	365
DHCP Snooping Configuration Guidelines	365
Enabling DHCP Snooping and Option 82	366
Displaying DHCP Information	367
Displaying a Binding Table	367
Displaying the DHCP Snooping Configuration	368
Configuring IGMP Snooping and MVR	369
Understanding IGMP Snooping	370
IGMP Versions	371
Joining a Multicast Group	371
Leaving a Multicast Group	373
Immediate-Leave Processing	374
IGMP Report Suppression	374
Configuring IGMP Snooping	374
Default IGMP Snooping Configuration	375
Enabling or Disabling IGMP Snooping	375
Setting the Snooping Method	376
Configuring a Multicast Router Port	377
Configuring a Host Statically to Join a Group	378
Enabling IGMP Immediate-Leave Processing	378
Disabling IGMP Report Suppression	379
Displaying IGMP Snooping Information	380
Understanding Multicast VLAN Registration	381
Using MVR in a Multicast Television Application	382
Configuring MVR	383
Default MVR Configuration	384
MVR Configuration Guidelines and Limitations	384
Configuring MVR Global Parameters	385
Configuring MVR Interfaces	386
Displaying MVR Information	388
Configuring IGMP Filtering and Throttling	388
Default IGMP Filtering and Throttling Configuration	389

Match case Limit results 1 per page

9-8

Catalyst 3560 Switch Software Configuration Guide

78-16156-01

Chapter 9

Configuring 802.1X Port-Based Authentication

Understanding 802.1X Port-Based Authentication

Using 802.1X with Guest VLAN

You can configure a guest VLAN for each 802.1X port on the switch to provide limited services to clients

(for example, how to download the 802.1X client). These clients might be upgrading their system for

802.1X authentication, and some hosts, such as Windows 98 systems, might not be 802.1X-capable.

When the authentication server does not receive a response to its EAPOL request/identity frame, clients

that are not 802.1X-capable are put into the guest VLAN for the port, if one is configured. However, the

server does not grant 802.1X-capable clients that fail authentication access to the network. Any number

of hosts are allowed access when the switch port is moved to the guest VLAN. If an 802.1X-capable host

joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state

in the user-configured access VLAN, and authentication is restarted.

Guest VLANs are supported on 802.1X ports in single-host or multiple-hosts mode.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an 802.1X guest

VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.

For more information, see the

“Configuring a Guest VLAN” section on page 9-18

Using 802.1X with Per-User ACLs

You can enable per-user access control lists (ACLs) to provide different levels of network access and

service to an 802.1X-authenticated user. When the RADIUS server authenticates a user connected to an

802.1X port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The

switch applies the attributes to the 802.1X port for the duration of the user session. The switch removes

the per-user ACL configuration when the session is over, if authentication fails, or if a link-down

condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When

the port is unauthorized, the switch removes the ACL from the port.

You can configure router ACLs and input port ACLs on the same Catalyst 3560 switch. However, a port

ACL takes precedence over a router ACL. If you apply input port ACL to an interface that belongs to a

VLAN, the port ACL takes precedence over an input router ACL applied to the VLAN interface.

Incoming packets received on the port to which a port ACL is applied are filtered by the port ACL.

Incoming routed packets received on other ports are filtered by the router ACL. Outgoing routed packets

are filtered by the router ACL. To avoid configuration conflicts, you should carefully plan the user

profiles stored on the RADIUS server.

RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific

attributes (VSAs) are in octet-string format and are passed to the switch during the authentication

process. The VSAs used for per-user ACLs are

inacl#<

for the ingress direction and

outacl#<

for

the egress direction. MAC ACLs are supported only in the ingress direction. The Catalyst 3560 switch

supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on

Layer 2 ports. For more information, see

Chapter 27, “Configuring Network Security with ACLs.”

Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS

server. When the definitions are passed from the RADIUS server, they are created by using the extended

naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.

You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on

the switch. The attribute contains the ACL number followed by

.in

for ingress filtering or

.out

for egress

filtering. If the RADIUS server does not allow the

.in

.out

syntax, the access list is applied to the

outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the

Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and

IP extended ACLs).