- Configuring IEEE 802.1X Port-Based Authentication
- IEEE 802.1X Common Session ID
- IEEE 802.1X Guest VLAN
- IEEE 802.1X RADIUS Accounting
- IEEE 802.1X RADIUS-Supplied Session Timeout
- IEEE 802.1X Voice VLAN
- IEEE 802.1X VLAN Assignment
- Remote Site IEEE 802.1X Local Authentication Service
- IEEE 802.1X Multiple Authentication
- IEEE 802.1X Multidomain Authentication
- IEEE 802.1X Flexible Authentication
- IEEE 802.1X Open Authentication
- IEEE 802.1X Auth Fail VLAN
- Critical Voice VLAN Support
- IEEE 802.1X with ACL Assignments
- IEEE 802.1X Wake on LAN Support
- Network Edge Authentication Topology
- Per-User ACL Support for 802.1X/MAB/Webauth Users
- Finding Feature Information
- Prerequisites for Per-User ACL Support for 802.1X/MAB/Webauth Users
- Restrictions for Per-User ACL Support for 802.1X/MAB/Webauth Users
- Information About Per-User ACL Support for 802.1X/MAB/Webauth Users
- How to Configure Per-User ACL Support for 802.1X/MAB/Webauth Users
- Configuration Examples for Per-User ACL Support for 802.1X/MAB/Webauth Users
- Additional References
- Feature Information for Per-User ACL Support for 802.1X/MAB/Webauth Users
Per-User ACL Support for 802.1X/MAB/Webauth Users
This feature allows per-user ACLs to be downloaded from the Cisco Access Control Server (ACS) as policy enforcement after authentication using IEEE 802.1X, MAB authentication bypass, or web authentication.
- Finding Feature Information
- Prerequisites for Per-User ACL Support for 802.1X/MAB/Webauth Users
- Restrictions for Per-User ACL Support for 802.1X/MAB/Webauth Users
- Information About Per-User ACL Support for 802.1X/MAB/Webauth Users
- How to Configure Per-User ACL Support for 802.1X/MAB/Webauth Users
- Configuration Examples for Per-User ACL Support for 802.1X/MAB/Webauth Users
- Additional References
- Feature Information for Per-User ACL Support for 802.1X/MAB/Webauth Users
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Per-User ACL Support for 802.1X/MAB/Webauth Users
AAA authentication must be enabled.
AAA authorization must be enabled by using the network keyword to allow interface configuration from the RADIUS server.
802.1X authentication must be enabled.
The user profile and VSAs must be configured on the RADIUS server.
Restrictions for Per-User ACL Support for 802.1X/MAB/Webauth Users
Per-user Access Control Lists (ACLs) are supported only in single-host mode.
This feature does not support standard ACLs on the switch port.
Only one 802.1X-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port, the per-user ACL attribute is disabled for the associated port.
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user ACLs.
ACLs are not supported on fixed Cisco Integrated Services Routers (ISRs).
Information About Per-User ACL Support for 802.1X/MAB/Webauth Users
802.1X Authentication with Per-User ACLs
Per-user access control lists (ACLs) can be configured to provide different levels of network access and service to an 802.1X-authenticated user. When the RADIUS server authenticates a user that is connected to an 802.1X port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the 802.1X port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the switch removes the ACL from the port.
Router ACLs and input port ACLs can be confiugured on the same switch. However, a port ACL takes precedence over a router ACL. If an input port ACL is applied to an interface that belongs to a VLAN, the port ACL takes precedence over an input router ACL that is applied to the VLAN interface. Incoming packets received on the port to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on other ports are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To avoid configuration conflicts, the user profiles should be carefully planned and stored on the RADIUS server.
RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes (VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs used for per-user ACLs are inacl#<n > for the ingress direction and outacl#<n > for the egress direction. MAB ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For more information, see the “Configuring Network Security with ACLs|” module.
The extended ACL syntax style should be used to define the per-user configuration that is stored on the RADIUS server. When the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if the Filter-Id attribute is used, it can point to a standard ACL.
The Filter-Id attribute can be used to specify an inbound or outbound ACL that is already configured on the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
Only one 802.1X-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port, the per-user ACL attribute is disabled for the associated port.
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user ACLs.
How to Configure Per-User ACL Support for 802.1X/MAB/Webauth Users
Configuring Downloadable ACLs
To configure a switch to accept downloadable ACLs or redirect URLs from the RADIUS server during authentication of an attached host, perform this task.
1.
enable
2.
configure
terminal
3.
ip
device
tracking
4.
aaa
new-model
5.
aaa
authorization
network
default
group
radius
6.
radius-server
vsa
send
authentication
7.
interface
interface-id
8.
ip
access-group
acl-id
in
9. end
10.
show
running-config
interfaceinterface-id
11.
copy
running-config
startup-config
DETAILED STEPS
Configuration Examples for Per-User ACL Support for 802.1X/MAB/Webauth Users
Example: Configuring a Switch for a Downloadable Policy
The following example shows how to configure a switch for a downloadable policy:
Switch# configure terminal Switch(config)# aaa new-model Switch(config)# aaa authorization network default local group radius Switch(config)# ip device tracking Switch(config)# ip access-list extended default_acl Switch(config-ext-nacl)# permit ip any any Switch(config-ext-nacl)# exit Switch(config)# radius-server vsa send authentication Switch(config)# interface fastEthernet 2/13 Switch(config-if)# ip access-group default_acl in Switch(config-if)# exit
Additional References
Related Documents
|
Related Topic |
Document Title |
|---|---|
|
Authentication commands |
Cisco IOS Security Command Reference Commands A to C |
|
IPsec |
Cisco IOS Security Configuration Guide: Secure Connectivity, Release 15.0. |
|
RADIUS |
“Configuring RADIUS” module. |
|
Standalone MAB Support |
Standalone MAB Support |
|
Layer 2 ports |
Configuring Network Security with ACLs |
Standards and RFCs
|
Standard/RFC |
Title |
|---|---|
|
IEEE 802.1X protocol |
— |
|
RFC 3580 |
IEEE 802.1x Remote Authentication Dial In User Service (RADIUS) |
MIBs
|
MIB |
MIBs Link |
|---|---|
|
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Per-User ACL Support for 802.1X/MAB/Webauth Users
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Per-User ACL Support for 802.1X/MAB/Webauth Users |
Cisco IOS 15.2(2)T |
This feature allows per-user ACLs to be downloaded from the Cisco Access Control Server (ACS) as policy enforcement after authentication using IEEE 802.1X, MAB authentication bypass, or web authentication. |
Feedback