You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1X authentication or MAC authentication bypass of the host. You can also download ACLs during web authentication.
A downloadable ACL is also referred to as a dACL.
If more than one host is authenticated and the host is in single-host, MDA, or multiple-authentication mode, the switch changes the source address of the ACL to the host IP address.
You can apply the ACLs and redirect URLs to all devices that are connected to the 802.1X-enabled port.
If no ACLs are downloaded during 802.1X authentication, the switch applies the static default ACL on the port to the host. On a voice VLAN port that is configured in multiple-authentication or MDA mode, the switch applies the ACL only to the phone as part of the authorization policies.
Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic auth-default-ACL is created, and policies are enforced before dACLs are downloaded and applied.
The auth-default-ACL does not appear in the running configuration.
The auth-default-ACL is created when at least one host with an authorization policy is detected on the port. The auth-default-ACL is removed from the port when the last authenticated session ends. You can configure the auth-default-ACL by using the
auth-default-acl global configuration command.
The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in single host mode. You must configure a static ACL on the interface to support CDP bypass.
The 802.1X and MAC authentication methods support two authentication modes,
closed . If there is no static ACL on a port in
closed authentication mode:
An auth-default-ACL is created.
The auth-default-ACL allows only DHCP traffic until policies are enforced.
When the first host authenticates, the authorization policy is applied without IP address insertion.
When a second host is detected, the policies for the first host are refreshed, and policies for the first and subsequent sessions are enforced with IP address insertion.
If there is no static ACL on a port in
open authentication mode:
An auth-default-ACL-OPEN is created and allows all traffic.
Policies are enforced with IP address insertion to prevent security breaches.
Web authentication is subject to the auth-default-ACL-OPEN.
To control access for hosts with no authorization policy, you can configure a directive. The supported values for the directive are
default . When you configure the
open directive, all traffic is allowed. The
default directive subjects traffic to the access provided by the port. You can configure the directive in the user profile on the AAA server or on the switch. To configure the directive on the AAA server, use the
=<open/default> global command. To configure the directive on the switch, use the
open global configuration command.
The default value of the directive is
If a host falls back to web authentication on a port without a configured ACL:
If the port is in open authentication mode, the auth-default-ACL-OPEN is created.
If the port is in closed authentication mode, the auth-default-ACL is created.
The access control entries (ACEs) in the fallback ACL are converted to per-user entries. If the configured fallback profile does not include a fallback ACL, the host is subject to the auth-default-ACL that is associated with the port.
If you use a custom logo with web authentication and it is stored on an external server, the port ACL must allow access to the external server before authentication. You must either configure a static port ACL or change the auth-default-ACL to provide appropriate access to the external server.