Configuring IEEE 802.1x Authentication
You can configure a port to use only web authentication. You can also configure the port to first try
IEEE 802.1x authentication and then fall back to web authentication if the client does not support
IEEE 802.1x authentication.
Web authentication requires two Cisco Attribute-Value (AV) pair attributes:
• The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user
who is logging into the switch.
• The second attribute is an access list to be applied for web authenticated hosts. The syntax is similar
to IEEE 802.1X per-user ACLs. However, instead of ip:inacl, this attribute must begin with proxyacl,
and the source field in each entry must be any. (After authentication, the client IP address replaces
the any field when the ACL is applied.)
For example:
proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0
proxyacl# 30=permit udp any any eq syslog
proxyacl# 40=permit udp any any eq tftp
Note
The proxyacl entry determines the type of allowed network access.
For more information, see the "Configuring Web Authentication" section on page 10-38.
Web Authentication with Automatic MAC Check
You can use web authentication with automatic MAC check to authenticate a client that does not support
IEEE 802.1x or web browser functionality. This allows end hosts, such as printers, to automatically
authenticate by using the MAC address without any additional required configuration.
Web authentication with automatic MAC check only works in web authentication standalone mode. You
cannot use this if web authentication is configured as a fallback to IEEE 802.1x authentication.
The MAC address of the device must be configured in the Access Control Server (ACS) for the automatic
MAC check to succeed. The automatic MAC check allows managed devices, such as printers, to skip
web authentication.
Note
The interoperability of web authentication (with automatic MAC check) and IEEE 802.1x MAC
authentication configured on different ports of the same switch is not supported.
Configuring IEEE 802.1x Authentication
These sections contain this configuration information:
• Default IEEE 802.1x Authentication Configuration, page 10-19
• IEEE 802.1x Authentication Configuration Guidelines, page 10-20
• Configuring 802.1x Readiness Check, page 10-22 (optional)
• Configuring IEEE 802.1x Authentication, page 10-23 (optional)
• Configuring the Switch-to-RADIUS-Server Communication, page 10-24 (required)
• Configuring the Host Mode, page 10-26 (optional)
• Configuring Periodic Re-Authentication, page 10-26 (optional)
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-01
10-18
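The web authentication AV-pair rules described earlier on this page (priv-lvl set to 15, entries beginning with proxyacl instead of ip:inacl, source field any) can be checked before a user profile is loaded into the RADIUS server. The following is an added example, not part of the Cisco guide: the function names, the sample profiles, and the "host <ip>" rendering of the applied entry are assumptions made for illustration.

```python
import ipaddress
import re

# Entry shape follows the page's example: proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
ENTRY = re.compile(r"^proxyacl#\s*(\d+)=(permit|deny)\s+(\S+)\s+(\S+)\s+(.+)$")

def lint_av_pairs(av_pairs):
    """Return the rule violations in one user's web-authentication AV pairs."""
    problems = []
    if [p for p in av_pairs if p.startswith("priv-lvl=")] != ["priv-lvl=15"]:
        problems.append("priv-lvl must appear once and be set to 15")
    for pair in av_pairs:
        if pair.startswith("priv-lvl="):
            continue
        if pair.startswith("ip:inacl"):
            problems.append(f"{pair!r}: must begin with proxyacl, not ip:inacl")
            continue
        m = ENTRY.match(pair)
        if not m:
            problems.append(f"{pair!r}: not a recognizable proxyacl entry")
        elif m.group(4) != "any":
            problems.append(f"{pair!r}: source field must be 'any'")
    return problems

def applied_acl(av_pairs, client_ip):
    """Illustrate the entries after authentication: the client IP replaces 'any'."""
    host = ipaddress.ip_address(client_ip)  # raises ValueError on a bad address
    applied = []
    for pair in av_pairs:
        m = ENTRY.match(pair)
        if m and m.group(4) == "any":
            seq, action, proto, _src, rest = m.groups()
            # "host <ip>" rendering is an assumption made for readability
            applied.append(f"{seq} {action} {proto} host {host} {rest}")
    return applied

# Entries from the page, plus the required privilege-level attribute
GOOD = ["priv-lvl=15",
        "proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0",
        "proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0",
        "proxyacl# 30=permit udp any any eq syslog",
        "proxyacl# 40=permit udp any any eq tftp"]
# Constructed profile that breaks each rule once
BAD = ["priv-lvl=1",
       "ip:inacl#10=permit ip any any",
       "proxyacl#20=permit ip host 10.1.1.5 any"]

if __name__ == "__main__":
    print(lint_av_pairs(GOOD), lint_av_pairs(BAD), applied_acl(GOOD, "192.0.2.10"), sep="\n")
```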