Chapter 8
Configuring 802.1x Port-Based Authentication
port to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on
other ports are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To
avoid configuration conflicts, you should carefully plan the user profiles stored on the RADIUS server.
RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific
attributes (VSAs) are in octet-string format and are passed to the switch during the authentication
process. The VSAs used for per-user ACLs are
the egress direction. MAC ACLs are supported only in the ingress direction. The switch supports VSAs
only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For
more information, see
Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS
server. When the definitions are passed from the RADIUS server, they are created by using the extended
naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on
the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress
filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the
outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the
Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and
IP extended ACLs).
Only one 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the
port, the per-user ACL attribute is disabled for the associated port.
The maximum size of the per-user ACL is 4000 ASCII characters.
For examples of vendor-specific attributes, see the
RADIUS Attributes" section on page
Chapter 25, "Configuring Network Security with ACLs."
To configure per-user ACLs, you need to perform these tasks:
•
•
•
•
•
Configuring 802.1x Authentication
These sections describe how to configure 802.1x port-based authentication on your switch:
•
•
•
•
•
•
•
•
78-15870-01
Chapter 25, "Configuring Network Security with ACLs."
Enable AAA authentication.
Enable AAA authorization by using the network keyword to allow port configuration from the
RADIUS server.
Enable 802.1x.
Configure the user profile and VSAs on the RADIUS server.
Configure the 802.1x port for single-host mode.
Default 802.1x Configuration, page 8-10
802.1x Configuration Guidelines, page 8-11
Configuring 802.1x Authentication, page 8-11
Configuring the Switch-to-RADIUS-Server Communication, page 8-13
Configuring Periodic Re-Authentication, page 8-14
Manually Re-Authenticating a Client Connected to a Port, page 8-14
Changing the Quiet Period, page 8-15
Changing the Switch-to-Client Retransmission Time, page 8-15
for the ingress direction and
inacl#<n>
"Configuring the Switch to Use Vendor-Specific
7-29. For more information about configuring ACLs, see
(required)
(optional)
(optional)
Catalyst 3750 Metro Switch Software Configuration Guide
Configuring 802.1x Authentication
outacl#<n>
(required)
(optional)
(optional)
for
8-9