Per-User ACL Support for 802.1X/MAB/Webauth Users
|
|||||||||||||||||||||||||
Contents
Per-User ACL Support for 802.1X/MAB/Webauth UsersLast Updated: July 17, 2012
This feature allows per-user ACLs to be downloaded from the Cisco Access Control Server (ACS) as policy enforcement after authentication using IEEE 802.1X, MAB authentication bypass, or web authentication.
Finding Feature InformationYour software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Restrictions for Per-User ACL Support for 802.1X/MAB/Webauth Users
Information About Per-User ACL Support for 802.1X/MAB/Webauth Users802.1X Authentication with Per-User ACLsPer-user access control lists (ACLs) can be configured to provide different levels of network access and service to an 802.1X-authenticated user. When the RADIUS server authenticates a user that is connected to an 802.1X port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the 802.1X port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the switch removes the ACL from the port. Router ACLs and input port ACLs can be confiugured on the same switch. However, a port ACL takes precedence over a router ACL. If an input port ACL is applied to an interface that belongs to a VLAN, the port ACL takes precedence over an input router ACL that is applied to the VLAN interface. Incoming packets received on the port to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on other ports are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To avoid configuration conflicts, the user profiles should be carefully planned and stored on the RADIUS server. RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes (VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs used for per-user ACLs are inacl#<n > for the ingress direction and outacl#<n > for the egress direction. MAB ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For more information, see the "Configuring Network Security with ACLs|" module. The extended ACL syntax style should be used to define the per-user configuration that is stored on the RADIUS server. When the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if the Filter-Id attribute is used, it can point to a standard ACL. The Filter-Id attribute can be used to specify an inbound or outbound ACL that is already configured on the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs). Only one 802.1X-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port, the per-user ACL attribute is disabled for the associated port. The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user ACLs. How to Configure Per-User ACL Support for 802.1X/MAB/Webauth UsersConfiguring Downloadable ACLs To configure a switch to accept downloadable ACLs or redirect URLs from the RADIUS server during authentication of an attached host, perform this task.
SUMMARY STEPS
DETAILED STEPS Configuration Examples for Per-User ACL Support for 802.1X/MAB/Webauth UsersExample: Configuring a Switch for a Downloadable PolicyThe following example shows how to configure a switch for a downloadable policy: Switch# configure terminal Switch(config)# aaa new-model Switch(config)# aaa authorization network default local group radius Switch(config)# ip device tracking Switch(config)# ip access-list extended default_acl Switch(config-ext-nacl)# permit ip any any Switch(config-ext-nacl)# exit Switch(config)# radius-server vsa send authentication Switch(config)# interface fastEthernet 2/13 Switch(config-if)# ip access-group default_acl in Switch(config-if)# exit Additional ReferencesRelated Documents
MIBsTechnical Assistance
Feature Information for Per-User ACL Support for 802.1X/MAB/Webauth UsersThe following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2012 Cisco Systems, Inc. All rights reserved.
|
|||||||||||||||||||||||||