Home » HP Manuals » Servers » HP Cisco Catalyst Blade Switch 3020 » Manual Viewer

HP Cisco Catalyst Blade Switch 3020 Cisco Catalyst Blade Switch 3020 for HP So - Page 181

Using IEEE 802.1x Authentication with Per-User ACLs

View all HP Cisco Catalyst Blade Switch 3020 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 181 highlights

Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS). To configure VLAN assignment you need to perform these tasks: • Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server. • Enable IEEE 802.1x authentication. (The VLAN assignment feature is automatically enabled when you configure IEEE 802.1x authentication on an access port). • Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch: - [64] Tunnel-Type = VLAN - [65] Tunnel-Medium-Type = 802 - [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user. For examples of tunnel attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS Attributes" section on page 6-29. Using IEEE 802.1x Authentication with Per-User ACLs You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates a user connected to an IEEE 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the IEEE 802.1x port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the switch removes the ACL from the port. You can configure only port ACLS on the switch port.RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes (VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs used for per-user ACLs are inacl# for the ingress direction and outacl# for the egress direction. MAC ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For more information, see Chapter 26, "Configuring Network Security with ACLs." Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server. When the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL. You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs). Only one IEEE 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port, the per-user ACL attribute is disabled for the associated port. OL-8915-01 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide 7-11

Section	Page
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide	1
Contents	3
Preface	29
Audience	29
Purpose	29
Conventions	30
Related Publications	30
Obtaining Documentation	31
Cisco.com	31
Product Documentation DVD	31
Ordering Documentation	32
Documentation Feedback	32
Cisco Product Security Overview	32
Reporting Security Problems in Cisco Products	33
Obtaining Technical Assistance	33
Cisco Technical Support & Documentation Website	34
Submitting a Service Request	34
Definitions of Service Request Severity	35
Obtaining Additional Publications and Information	35
Overview	37
Features	37
Ease-of-Deployment and Ease-of-Use Features	38
Performance Features	38
Management Options	39
Manageability Features	39
Availability and Redundancy Features	40
VLAN Features	41
Security Features	41
QoS and CoS Features	43
Monitoring Features	44
Default Settings After Initial Switch Configuration	44
Design Concepts for Using the Switch	46
Where to Go Next	49
Using the Command-Line Interface	51
Understanding Command Modes	51
Understanding the Help System	53
Understanding Abbreviated Commands	54
Understanding no and default Forms of Commands	54
Understanding CLI Error Messages	55
Using Configuration Logging	55
Using Command History	56
Changing the Command History Buffer Size	56
Recalling Commands	56
Disabling the Command History Feature	57
Using Editing Features	57
Enabling and Disabling Editing Features	57
Editing Commands through Keystrokes	57
Editing Command Lines that Wrap	59
Searching and Filtering Output of show and more Commands	60
Accessing the CLI	60
Accessing the CLI through a Console Connection or through Telnet	60
Assigning the Switch IP Address and Default Gateway	63
Understanding the Boot Process	63
Assigning Switch Information	64
Default Switch Information	65
Understanding DHCP-Based Autoconfiguration	65
DHCP Client Request Process	66
Configuring DHCP-Based Autoconfiguration	67
DHCP Server Configuration Guidelines	67
Configuring the TFTP Server	68
Configuring the DNS	68
Configuring the Relay Device	68
Obtaining Configuration Files	69
Example Configuration	70
Manually Assigning IP Information	72
Checking and Saving the Running Configuration	72
Modifying the Startup Configuration	75
Default Boot Configuration	76
Automatically Downloading a Configuration File	76
Specifying the Filename to Read and Write the System Configuration	76
Booting Manually	77
Booting a Specific Software Image	78
Controlling Environment Variables	78
Scheduling a Reload of the Software Image	80
Configuring a Scheduled Reload	80
Displaying Scheduled Reload Information	81
Configuring Cisco IOS CNS Agents	83
Understanding Cisco Configuration Engine Software	83
Configuration Service	84
Event Service	85
NameSpace Mapper	85
What You Should Know About the CNS IDs and Device Hostnames	85
ConfigID	85
DeviceID	86
Hostname and DeviceID	86
Using Hostname, DeviceID, and ConfigID	86
Understanding Cisco IOS Agents	87
Initial Configuration	87
Incremental (Partial) Configuration	88
Synchronized Configuration	88
Configuring Cisco IOS Agents	88
Enabling Automated CNS Configuration	88
Enabling the CNS Event Agent	90
Enabling the Cisco IOS CNS Agent	91
Enabling an Initial Configuration	91
Enabling a Partial Configuration	93
Displaying CNS Configuration	94
Administering the Switch	95
Managing the System Time and Date	95
Understanding the System Clock	95
Understanding Network Time Protocol	96
Configuring NTP	97
Default NTP Configuration	98
Configuring NTP Authentication	98
Configuring NTP Associations	99
Configuring NTP Broadcast Service	100
Configuring NTP Access Restrictions	102
Configuring the Source IP Address for NTP Packets	104
Displaying the NTP Configuration	105
Configuring Time and Date Manually	105
Setting the System Clock	105
Displaying the Time and Date Configuration	106
Configuring the Time Zone	106
Configuring Summer Time (Daylight Saving Time)	107
Configuring a System Name and Prompt	108
Default System Name and Prompt Configuration	109
Configuring a System Name	109
Understanding DNS	109
Default DNS Configuration	110
Setting Up DNS	110
Displaying the DNS Configuration	111
Creating a Banner	111
Default Banner Configuration	111
Configuring a Message-of-the-Day Login Banner	112
Configuring a Login Banner	113
Managing the MAC Address Table	113
Building the Address Table	114
MAC Addresses and VLANs	114
Default MAC Address Table Configuration	115
Changing the Address Aging Time	115
Removing Dynamic Address Entries	116
Configuring MAC Address Notification Traps	116
Adding and Removing Static Address Entries	118
Configuring Unicast MAC Address Filtering	119
Displaying Address Table Entries	120
Managing the ARP Table	120
Configuring Switch-Based Authentication	121
Preventing Unauthorized Access to Your Switch	121
Protecting Access to Privileged EXEC Commands	122
Default Password and Privilege Level Configuration	122
Setting or Changing a Static Enable Password	123
Protecting Enable and Enable Secret Passwords with Encryption	123
Disabling Password Recovery	125
Setting a Telnet Password for a Terminal Line	126
Configuring Username and Password Pairs	126
Configuring Multiple Privilege Levels	127
Setting the Privilege Level for a Command	128
Changing the Default Privilege Level for Lines	129
Logging into and Exiting a Privilege Level	129
Controlling Switch Access with TACACS+	130
Understanding TACACS+	130
TACACS+ Operation	132
Configuring TACACS+	132
Default TACACS+ Configuration	133
Identifying the TACACS+ Server Host and Setting the Authentication Key	133
Configuring TACACS+ Login Authentication	134
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	136
Starting TACACS+ Accounting	137
Displaying the TACACS+ Configuration	137
Controlling Switch Access with RADIUS	137
Understanding RADIUS	138
RADIUS Operation	139
Configuring RADIUS	140
Default RADIUS Configuration	140
Identifying the RADIUS Server Host	140
Configuring RADIUS Login Authentication	143
Defining AAA Server Groups	145
Configuring RADIUS Authorization for User Privileged Access and Network Services	147
Starting RADIUS Accounting	148
Configuring Settings for All RADIUS Servers	149
Configuring the Switch to Use Vendor-Specific RADIUS Attributes	149
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication	151
Displaying the RADIUS Configuration	151
Controlling Switch Access with Kerberos	152
Understanding Kerberos	152
Kerberos Operation	154
Authenticating to a Boundary Switch	154
Obtaining a TGT from a KDC	155
Authenticating to Network Services	155
Configuring Kerberos	155
Configuring the Switch for Local Authentication and Authorization	156
Configuring the Switch for Secure Shell	157
Understanding SSH	158
SSH Servers, Integrated Clients, and Supported Versions	158
Limitations	159
Configuring SSH	159
Configuration Guidelines	159
Setting Up the Switch to Run SSH	159
Configuring the SSH Server	161
Displaying the SSH Configuration and Status	161
Configuring the Switch for Secure Socket Layer HTTP	162
Understanding Secure HTTP Servers and Clients	162
Certificate Authority Trustpoints	162
CipherSuites	164
Configuring Secure HTTP Servers and Clients	164
Default SSL Configuration	164
SSL Configuration Guidelines	165
Configuring a CA Trustpoint	165
Configuring the Secure HTTP Server	166
Configuring the Secure HTTP Client	167
Displaying Secure HTTP Server and Client Status	168
Configuring the Switch for Secure Copy Protocol	168
Information About Secure Copy	169
Configuring IEEE 802.1x Port-Based Authentication	171
Understanding IEEE 802.1x Port-Based Authentication	171
Device Roles	172
Authentication Process	173
Authentication Initiation and Message Exchange	175
Ports in Authorized and Unauthorized States	177
IEEE 802.1x Host Mode	178
IEEE 802.1x Accounting	179
IEEE 802.1x Accounting Attribute-Value Pairs	179
Using IEEE 802.1x Authentication with VLAN Assignment	180
Using IEEE 802.1x Authentication with Per-User ACLs	181
Using IEEE 802.1x Authentication with Guest VLAN	182
Using IEEE 802.1x Authentication with Restricted VLAN	183
Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass	184
Using IEEE 802.1x Authentication with Voice VLAN Ports	185
Using IEEE 802.1x Authentication with Port Security	185
Using IEEE 802.1x Authentication with Wake-on-LAN	186
Using IEEE 802.1x Authentication with MAC Authentication Bypass	187
Configuring IEEE 802.1x Authentication	188
Default IEEE 802.1x Authentication Configuration	189
IEEE 802.1x Authentication Configuration Guidelines	190
IEEE 802.1x Authentication	190
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass	191
MAC Authentication Bypass	192
Configuring IEEE 802.1x Authentication	192
Configuring the Switch-to-RADIUS-Server Communication	193
Configuring the Host Mode	195
Configuring Periodic Re-Authentication	195
Manually Re-Authenticating a Client Connected to a Port	196
Changing the Quiet Period	196
Changing the Switch-to-Client Retransmission Time	197
Setting the Switch-to-Client Frame-Retransmission Number	198
Setting the Re-Authentication Number	199
Configuring IEEE 802.1x Accounting	199
Configuring a Guest VLAN	200
Configuring a Restricted VLAN	201
Configuring the Inaccessible Authentication Bypass Feature	203
Configuring IEEE 802.1x Authentication with WoL	205
Configuring MAC Authentication Bypass	206
Configuring IEEE 802.1x Authentication Using a RADIUS Server	207
Disabling IEEE 802.1x Authentication on the Port	208
Resetting the IEEE 802.1x Authentication Configuration to the Default Values	208
Displaying IEEE 802.1x Statistics and Status	209
Configuring Interface Characteristics	211
Understanding Interface Types	211
Port-Based VLANs	212
Switch Ports	212
Internal Gigabit Ethernet Ports	212
Access Ports	213
Trunk Ports	213
EtherChannel Port Groups	214
Dual-Purpose Uplink Ports	214
Connecting Interfaces	215
Management-Only Interface	215
Using Interface Configuration Mode	216
Procedures for Configuring Interfaces	216
Configuring a Range of Interfaces	217
Configuring and Using Interface Range Macros	218
Configuring Ethernet Interfaces	220
Default Ethernet Interface Configuration	220
Configuring Interface Speed and Duplex Mode	221
Speed and Duplex Configuration Guidelines	221
Setting the Type of a Dual-Purpose Uplink Port	222
Setting the Interface Speed and Duplex Parameters	224
Configuring IEEE 802.3x Flow Control	225
Configuring Auto-MDIX on an Interface	226
Adding a Description for an Interface	227
Configuring the System MTU	228
Monitoring and Maintaining the Interfaces	229
Monitoring Interface Status	229
Clearing and Resetting Interfaces and Counters	230
Shutting Down and Restarting the Interface	230
Configuring Smartports Macros	231
Understanding Smartports Macros	231
Configuring Smartports Macros	232
Default Smartports Macro Configuration	232
Smartports Macro Configuration Guidelines	233
Creating Smartports Macros	234
Applying Smartports Macros	235
Applying Cisco-Default Smartports Macros	236
Displaying Smartports Macros	238
Configuring VLANs	239
Understanding VLANs	239
Supported VLANs	240
VLAN Port Membership Modes	241
Configuring Normal-Range VLANs	242
Token Ring VLANs	243
Normal-Range VLAN Configuration Guidelines	243
VLAN Configuration Mode Options	244
VLAN Configuration in config-vlan Mode	244
VLAN Configuration in VLAN Database Configuration Mode	244
Saving VLAN Configuration	244
Default Ethernet VLAN Configuration	245
Creating or Modifying an Ethernet VLAN	246
Deleting a VLAN	247
Assigning Static-Access Ports to a VLAN	248
Configuring Extended-Range VLANs	249
Default VLAN Configuration	249
Extended-Range VLAN Configuration Guidelines	250
Creating an Extended-Range VLAN	250
Displaying VLANs	251
Configuring VLAN Trunks	252
Trunking Overview	252
Encapsulation Types	254
IEEE 802.1Q Configuration Considerations	254
Default Layer 2 Ethernet Interface VLAN Configuration	255
Configuring an Ethernet Interface as a Trunk Port	255
Interaction with Other Features	255
Configuring a Trunk Port	256
Defining the Allowed VLANs on a Trunk	257
Changing the Pruning-Eligible List	258
Configuring the Native VLAN for Untagged Traffic	259
Configuring Trunk Ports for Load Sharing	259
Load Sharing Using STP Port Priorities	260
Load Sharing Using STP Path Cost	261
Configuring VMPS	263
Understanding VMPS	263
Dynamic-Access Port VLAN Membership	264
Default VMPS Client Configuration	264
VMPS Configuration Guidelines	264
Configuring the VMPS Client	265
Entering the IP Address of the VMPS	265
Configuring Dynamic-Access Ports on VMPS Clients	265
Reconfirming VLAN Memberships	266
Changing the Reconfirmation Interval	266
Changing the Retry Count	267
Monitoring the VMPS	267
Troubleshooting Dynamic-Access Port VLAN Membership	268
VMPS Configuration Example	268
Configuring VTP	271
Understanding VTP	271
The VTP Domain	272
VTP Modes	273
VTP Advertisements	273
VTP Version 2	274
VTP Pruning	274
Configuring VTP	276
Default VTP Configuration	276
VTP Configuration Options	277
VTP Configuration in Global Configuration Mode	277
VTP Configuration in VLAN Database Configuration Mode	277
VTP Configuration Guidelines	278
Domain Names	278
Passwords	278
VTP Version	278
Configuration Requirements	279
Configuring a VTP Server	279
Configuring a VTP Client	281
Disabling VTP (VTP Transparent Mode)	282
Enabling VTP Version 2	283
Enabling VTP Pruning	284
Adding a VTP Client Switch to a VTP Domain	284
Monitoring VTP	286
Configuring Voice VLAN	287
Understanding Voice VLAN	287
Cisco IP Phone Voice Traffic	288
Cisco IP Phone Data Traffic	288
Configuring Voice VLAN	289
Default Voice VLAN Configuration	289
Voice VLAN Configuration Guidelines	289
Configuring a Port Connected to a Cisco7960 IP Phone	290
Configuring Cisco IP Phone Voice Traffic	290
Configuring the Priority of Incoming Data Frames	292
Displaying Voice VLAN	292
Configuring STP	293
Understanding Spanning-Tree Features	293
STP Overview	294
Spanning-Tree Topology and BPDUs	295
Bridge ID, Switch Priority, and Extended System ID	296
Spanning-Tree Interface States	296
Blocking State	298
Listening State	298
Learning State	298
Forwarding State	298
Disabled State	299
How a Switch or Port Becomes the Root Switch or Root Port	299
Spanning Tree and Redundant Connectivity	300
Spanning-Tree Address Management	300
Accelerated Aging to Retain Connectivity	300
Spanning-Tree Modes and Protocols	301
Supported Spanning-Tree Instances	301
Spanning-Tree Interoperability and Backward Compatibility	302
STP and IEEE 802.1Q Trunks	302
Configuring Spanning-Tree Features	302
Default Spanning-Tree Configuration	303
Spanning-Tree Configuration Guidelines	304
Changing the Spanning-Tree Mode.	305
Disabling Spanning Tree	306
Configuring the Root Switch	306
Configuring a Secondary Root Switch	308
Configuring Port Priority	308
Configuring Path Cost	310
Configuring the Switch Priority of a VLAN	311
Configuring Spanning-Tree Timers	312
Configuring the Hello Time	312
Configuring the Forwarding-Delay Time for a VLAN	313
Configuring the Maximum-Aging Time for a VLAN	313
Configuring the Transmit Hold-Count	314
Displaying the Spanning-Tree Status	314
Configuring MSTP	315
Understanding MSTP	316
Multiple Spanning-Tree Regions	316
IST, CIST, and CST	317
Operations Within an MST Region	317
Operations Between MST Regions	318
IEEE 802.1s Terminology	319
Hop Count	319
Boundary Ports	320
IEEE 802.1s Implementation	320
Port Role Naming Change	321
Interoperation Between Legacy and Standard Switches	321
Detecting Unidirectional Link Failure	322
Interoperability with IEEE 802.1D STP	322
Understanding RSTP	322
Port Roles and the Active Topology	323
Rapid Convergence	324
Synchronization of Port Roles	325
Bridge Protocol Data Unit Format and Processing	326
Processing Superior BPDU Information	327
Processing Inferior BPDU Information	327
Topology Changes	327
Configuring MSTP Features	328
Default MSTP Configuration	328
MSTP Configuration Guidelines	329
Specifying the MST Region Configuration and Enabling MSTP	330
Configuring the Root Switch	331
Configuring a Secondary Root Switch	332
Configuring Port Priority	333
Configuring Path Cost	334
Configuring the Switch Priority	335
Configuring the Hello Time	336
Configuring the Forwarding-Delay Time	337
Configuring the Maximum-Aging Time	337
Configuring the Maximum-Hop Count	338
Specifying the Link Type to Ensure Rapid Transitions	338
Designating the Neighbor Type	339
Restarting the Protocol Migration Process	339
Displaying the MST Configuration and Status	340
Configuring Optional Spanning-Tree Features	341
Understanding Optional Spanning-Tree Features	341
Understanding Port Fast	342
Understanding BPDU Guard	342
Understanding BPDU Filtering	343
Understanding UplinkFast	343
Understanding BackboneFast	345
Understanding EtherChannel Guard	347
Understanding Root Guard	348
Understanding Loop Guard	349
Configuring Optional Spanning-Tree Features	349
Default Optional Spanning-Tree Configuration	349
Optional Spanning-Tree Configuration Guidelines	350
Enabling Port Fast	350
Enabling BPDU Guard	351
Enabling BPDU Filtering	352
Enabling UplinkFast for Use with Redundant Links	353
Enabling BackboneFast	353
Enabling EtherChannel Guard	354
Enabling Root Guard	355
Enabling Loop Guard	355
Displaying the Spanning-Tree Status	356
Configuring Flex Links and the MAC Address-Table Move Update Feature	357
Understanding Flex Links and the MAC Address-Table MoveUpdate	357
Flex Links	357
MAC Address-Table Move Update	358
Configuring Flex Links and MAC Address-Table Move Update	360
Configuration Guidelines	360
Default Configuration	360
Configuring Flex Links and MAC Address-Table Move Update	361
Configuring Flex Links	361
Configuring the MAC Address-Table Move Update Feature	362
Monitoring Flex Links and the MAC Address-Table MoveUpdate	364
Configuring DHCP Features	365
Understanding DHCP Features	365
DHCP Server	366
DHCP Relay Agent	366
DHCP Snooping	366
Option-82 Data Insertion	367
Configuring DHCP Features	370
Default DHCP Configuration	370
DHCP Snooping Configuration Guidelines	371
Configuring the DHCP Relay Agent	372
Enabling DHCP Snooping and Option 82	372
Enabling the Cisco IOS DHCP Server Database	374
Displaying DHCP Snooping Information	374
Configuring IGMP Snooping and MVR	375
Understanding IGMP Snooping	375
IGMP Versions	376
Joining a Multicast Group	377
Leaving a Multicast Group	379
Immediate Leave	379
IGMP Configurable-Leave Timer	379
IGMP Report Suppression	380
Configuring IGMP Snooping	380
Default IGMP Snooping Configuration	380
Enabling or Disabling IGMP Snooping	381
Setting the Snooping Method	382
Configuring a Multicast Router Port	383

Match case Limit results 1 per page

7-11

Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide

OL-8915-01

Chapter 7

Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic

ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).

To configure VLAN assignment you need to perform these tasks:

•

Enable AAA authorization by using the

network

keyword to allow interface configuration from the

RADIUS server.

•

Enable IEEE 802.1x authentication. (The VLAN assignment feature is automatically enabled when

you configure IEEE 802.1x authentication on an access port).

•

Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return

these attributes to the switch:

–

[64] Tunnel-Type = VLAN

–

[65] Tunnel-Medium-Type = 802

–

[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Attribute [64] must contain the value

VLAN

(type 13). Attribute [65] must contain the value

802

(type 6). Attribute [81] specifies the

VLAN name

VLAN ID

assigned to the

IEEE 802.1x-authenticated user.

For examples of tunnel attributes, see the

“Configuring the Switch to Use Vendor-Specific RADIUS

Attributes” section on page 6-29

Using IEEE 802.1x Authentication with Per-User ACLs

You can enable per-user access control lists (ACLs) to provide different levels of network access and

service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates a user connected

to an IEEE 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the

switch. The switch applies the attributes to the IEEE 802.1x port for the duration of the user session. The

switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a

link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running

configuration. When the port is unauthorized, the switch removes the ACL from the port.

You can configure only port ACLS on the switch port.RADIUS supports per-user attributes, including

vendor-specific attributes. These vendor-specific attributes (VSAs) are in octet-string format and are

passed to the switch during the authentication process. The VSAs used for per-user ACLs are

inacl#<

for the ingress direction and

outacl#<

for the egress direction. MAC ACLs are supported only in the

ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs

in the egress direction on Layer 2 ports. For more information, see

Chapter 26, “Configuring Network

Security with ACLs.”

Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS

server. When the definitions are passed from the RADIUS server, they are created by using the extended

naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.

You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on

the switch. The attribute contains the ACL number followed by

.in

for ingress filtering or

.out

for egress

filtering. If the RADIUS server does not allow the

.in

.out

syntax, the access list is applied to the

outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the

Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and

IP extended ACLs).

Only one IEEE 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled

on the port, the per-user ACL attribute is disabled for the associated port.