40-21
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 40 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
– url-redirect = <HTTP or HTTPS URL>
– url-redirect-acl = switch ACL name or number
These AV pairs enable the switch to intercept an HTTP or HTTPS request from the endpoint device and
forward the client web browser to the specified redirect address from which the latest antivirus files can
be downloaded. The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web
browser is redirected. The url-redirect-acl AV pair contains the name or number of an ACL that specifies
the HTTP or HTTPS traffic to be redirected. Traffic that matches a permit entry in the redirect ACL is
redirected.
Note The redirect or default ACL must be defined on the switch.
ACLs
If a downloadable ACL is configured for a particular client on the authentication server, you must also
configure a default port ACL on the client-facing switch port.
If a default ACL is configured on the switch port and the Cisco Secure ACS sends a host access policy to
the switch, the switch applies that policy to traffic from the host connected to the port. If the policy does
not apply, the switch falls back to the default ACL. If the Cisco Secure ACS sends the switch a downloadable
ACL, that ACL takes precedence over the default ACL already configured on the switch port. If, however,
the switch receives a host access policy from the Cisco Secure ACS but no default ACL is configured,
authorization fails.
For details on how to configure a downloadable policy, refer to the “Configuring a Downloadable Policy”
section on page 40-43.
Using 802.1X with RADIUS-Provided Session Timeouts
You can specify whether a switch uses a locally configured or a RADIUS-provided reauthentication
timeout. If the switch is configured to use the local timeout, it reauthenticates the host when the timer
expires.
If the switch is configured to use the RADIUS-provided timeout, it scans the RADIUS Access-Accept
message for the Session-Timeout and optional Termination-Action attributes. The switch uses the value
of the Session-Timeout attribute to determine the duration of the session, and it uses the value of the
Termination-Action attribute to determine the switch action when the session's timer expires.
If the Termination-Action attribute is present and its value is RADIUS-Request, the switch
reauthenticates the host. If the Termination-Action attribute is not present, or its value is Default, the
switch terminates the session.
Note The supplicant on the port detects that its session was terminated and attempts to initiate a new session.
Unless the authentication server treats this new session differently, the client may see only a brief
interruption in network connectivity as the switch sets up a new session.
If the switch is configured to use the RADIUS-supplied timeout, but the Access-Accept message does
not include a Session-Timeout attribute, the switch never reauthenticates the supplicant. This behavior
is consistent with Cisco's wireless access points.
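To make the attribute handling in the two passages above concrete (the url-redirect AV pairs and the Session-Timeout / Termination-Action logic), here is an added Python example; it is not part of the Cisco guide. It builds a constructed RADIUS Access-Accept, decodes the IETF attributes and the Cisco vendor-specific cisco-avpair strings, and derives the decisions this section describes: the reauthentication interval, the action when the timer expires (including the never-reauthenticate case when Session-Timeout is absent), and the redirect URL and ACL together with the check that the ACL is defined on the switch. The attribute numbers (26, 27, 29, Cisco vendor ID 9, Termination-Action values 0 and 1) are the standard RADIUS values; the URL, ACL names and timeout values are constructed sample data.

```python
"""Added example (not from the Cisco guide): decode a RADIUS Access-Accept and
derive the 802.1X session and redirect decisions described in the text."""
import struct

# IETF RADIUS attribute types (RFC 2865) and the Cisco vendor ID.
ATTR_VENDOR_SPECIFIC = 26
ATTR_SESSION_TIMEOUT = 27
ATTR_TERMINATION_ACTION = 29
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # vendor-type of the cisco-avpair VSA
TERM_DEFAULT = 0           # Termination-Action "Default": session is torn down
TERM_RADIUS_REQUEST = 1    # Termination-Action "RADIUS-Request": reauthenticate
ACCESS_ACCEPT = 2


def u32(n: int) -> bytes:
    """RADIUS integer attributes are 32-bit big-endian."""
    return struct.pack("!I", n)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including these two bytes), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a cisco-avpair string in a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, u32(CISCO_VENDOR_ID) + inner)


def access_accept(*attrs: bytes, ident: int = 1) -> bytes:
    """Constructed Access-Accept; the 16-byte authenticator is zeroed, not validated."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


def parse_accept(pkt: bytes) -> dict:
    """Extract Session-Timeout, Termination-Action and cisco-avpair strings."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    out = {"session_timeout": None, "termination_action": None, "avpairs": []}
    pos = 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = pkt[pos + 2:pos + alen]
        if atype == ATTR_SESSION_TIMEOUT:
            out["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_TERMINATION_ACTION:
            out["termination_action"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and value[:4] == u32(CISCO_VENDOR_ID):
            vtype, vlen = value[4], value[5]       # vendor-type, vendor-length
            if vtype == CISCO_AVPAIR:
                out["avpairs"].append(value[6:4 + vlen].decode())
        pos += alen
    return out


def session_decision(parsed: dict, use_radius_timeout: bool, local_timeout: int) -> dict:
    """Mirror the switch behaviour from the text: reauth_after is the timer in
    seconds (None means the session is never re-evaluated); on_expiry is the
    action taken when that timer fires."""
    if not use_radius_timeout:
        return {"reauth_after": local_timeout, "on_expiry": "reauthenticate"}
    timeout = parsed["session_timeout"]
    if timeout is None:
        # RADIUS-supplied timeout selected but no Session-Timeout in the Accept:
        # the switch never reauthenticates this supplicant.
        return {"reauth_after": None, "on_expiry": None}
    if parsed["termination_action"] == TERM_RADIUS_REQUEST:
        return {"reauth_after": timeout, "on_expiry": "reauthenticate"}
    return {"reauth_after": timeout, "on_expiry": "terminate"}   # absent or Default


def redirect_policy(parsed: dict, switch_acls: set) -> dict:
    """Read url-redirect / url-redirect-acl; the ACL must exist on the switch."""
    pairs = dict(p.split("=", 1) for p in parsed["avpairs"] if "=" in p)
    url, acl = pairs.get("url-redirect"), pairs.get("url-redirect-acl")
    if acl is not None and acl not in switch_acls:
        raise ValueError(f"redirect ACL {acl!r} is not defined on the switch")
    return {"url": url, "acl": acl}


def demo() -> dict:
    """Constructed Accept carrying both timers and the redirect AV pairs."""
    pkt = access_accept(
        attr(ATTR_SESSION_TIMEOUT, u32(3600)),
        attr(ATTR_TERMINATION_ACTION, u32(TERM_RADIUS_REQUEST)),
        cisco_avpair("url-redirect=https://remediation.example.com/update"),  # sample URL
        cisco_avpair("url-redirect-acl=REDIRECT_HTTP"),                       # sample ACL name
    )
    parsed = parse_accept(pkt)
    return {
        "session": session_decision(parsed, use_radius_timeout=True, local_timeout=600),
        "redirect": redirect_policy(parsed, {"REDIRECT_HTTP", "DEFAULT_PORT_ACL"}),
    }


if __name__ == "__main__":
    print(demo())
```

The never-reauthenticate branch is the one to watch operationally: if the switch is set to honour the RADIUS timeout, an authorization profile that omits Session-Timeout yields sessions that are never re-evaluated until the link drops, so either send the attribute from the server or keep the switch on its local timer.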
For details on how to configure RADIUS-provided session timeouts, see the “Configuring
RADIUS-Provided Session Timeouts” section on page 40-51.