Users Guide

320 Authentication, Authorization, and Accounting
ACL Using Authentication Manager to Configure MAB with RADIUS Server
The following is a relatively complex example of using an ACL to control
access to Gi1/0/1, using the Authentication Manager to configure MAB in
conjunction with a RADIUS server.
1. Create VLAN 60, which will be used for management access via Gi1/0/1:
console#config
console(config)#vlan 60
console(config-vlan60)#exit
2. Enable the authentication manager:
console(config)#authentication enable
3. Create an access list limiting IP communication exclusively to host 172.25.129.229. All other IP addresses are excluded. This address is in the bogon address space:
console(config)#ip access-list RADIUSCAP
console(config-ip-acl)#permit ip any 172.25.129.229 0.0.0.0
console(config-ip-acl)#permit ip 172.25.129.229 0.0.0.0 any
console(config-ip-acl)#deny ip any any
console(config-ip-acl)#permit every
console(config-ip-acl)#exit
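The RADIUSCAP access list above, modelled in Python as an added example (not part of the Dell guide) so its first-match behaviour can be checked offline: a 0.0.0.0 wildcard is assumed to mean an exact host match, `any` is assumed to be 0.0.0.0 with wildcard 255.255.255.255, and `permit every` is assumed to match any frame, IP or not (ARP, EAPOL); the sample frames are constructed.

```python
"""Model of the RADIUSCAP ACL from step 3 (added example, constructed data).

Assumed semantics: rules are evaluated top-down and the first match wins; a
wildcard bit of 1 means 'don't care', so wildcard 0.0.0.0 is a host match;
'permit every' matches any frame, including non-IP frames such as ARP.
"""
from ipaddress import IPv4Address

RADIUS_HOST = "172.25.129.229"  # the only IP peer the ACL lets through
ANY, ANY_WC = "0.0.0.0", "255.255.255.255"  # expansion of the CLI keyword 'any'

# (action, protocol, src, src_wildcard, dst, dst_wildcard), in page order.
RADIUSCAP = [
    ("permit", "ip", ANY, ANY_WC, RADIUS_HOST, "0.0.0.0"),
    ("permit", "ip", RADIUS_HOST, "0.0.0.0", ANY, ANY_WC),
    ("deny", "ip", ANY, ANY_WC, ANY, ANY_WC),
    ("permit", "every", None, None, None, None),
]


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard (inverse-mask) compare: bits set in the wildcard are ignored."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)


def acl_decision(acl, frame: dict) -> str:
    """Return 'permit' or 'deny' for a frame such as
    {"proto": "ip", "src": "10.1.2.3", "dst": "8.8.8.8"} or {"proto": "arp"}."""
    for action, proto, src, src_wc, dst, dst_wc in acl:
        if proto == "every":
            return action  # matches every frame regardless of protocol
        if frame["proto"] != "ip":
            continue  # IP rules cannot match non-IP frames
        if wildcard_match(frame["src"], src, src_wc) and \
                wildcard_match(frame["dst"], dst, dst_wc):
            return action
    return "deny"  # implicit deny if no rule matched


def radiuscap(frame: dict) -> str:
    return acl_decision(RADIUSCAP, frame)


if __name__ == "__main__":
    samples = [
        {"proto": "ip", "src": "10.1.2.3", "dst": RADIUS_HOST},  # client -> RADIUS
        {"proto": "ip", "src": RADIUS_HOST, "dst": "10.1.2.3"},  # RADIUS -> client
        {"proto": "ip", "src": "10.1.2.3", "dst": "8.8.8.8"},    # any other IP peer
        {"proto": "arp"},                                         # non-IP, 'permit every'
    ]
    for f in samples:
        print(f, "->", radiuscap(f))
```

Running it shows that only IP traffic to or from 172.25.129.229 is permitted, while non-IP frames still pass through the trailing `permit every`.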
4. Set a default gateway for the switch:
console(config)#ip default-gateway 172.25.128.254
5. Set a default route with administrative distance 253:
console(config)#ip route 0.0.0.0 0.0.0.0 172.25.128.254 253
6. Assign an IP address to the management VLAN:
console(config)#interface vlan 60
console(config-vlan60)#ip address 172.25.128.214 255.255.0.0
console(config-vlan60)#exit
7. Enable 802.1x client authentication via RADIUS and allow VLAN assignment to 802.1x clients:
console(config)#dot1x system-auth-control
console(config)#aaa authentication dot1x default radius
console(config)#aaa authorization network default radius
8. Allow 802.1x client VLANs to be dynamically created via RADIUS:
console(config)#authentication dynamic-vlan enable
9. Configure the primary RADIUS server and set it to authenticate both 802.1X and MAB authentication: