Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
6-18
380261-003
Chapter 6 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
MAC authentication bypass interacts with these features:
• IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x
authentication is enabled on the port.
• Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a
guest VLAN if one is configured.
• Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.1x port
is authenticated with MAC authentication bypass.
• Port security—See the “Using IEEE 802.1x Authentication with Port Security” section on
page 6-16.
• Voice VLAN—See the “Using IEEE 802.1x Authentication with Voice VLAN Ports” section on
page 6-15.
• VLAN Membership Policy Server (VMPS)—IEEE 802.1x and VMPS are mutually exclusive.
• Private VLAN—You can assign a client to a private VLAN.
• Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an
IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception
list.
Using Web Authentication
You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality.
You can configure a port to use only web authentication. You can also configure the port to try
IEEE 802.1x authentication first and to fall back to web authentication if the client does not support
IEEE 802.1x authentication.
Web authentication requires two Cisco Attribute-Value (AV) pair attributes:
• The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user
who is logging into the switch.
• The second attribute is an access list to be applied for web authenticated hosts. The syntax is similar
to IEEE 802.1x per-user ACLs. However, instead of ip:inacl, this attribute must begin with
proxyacl, and the source field in each entry must be any. (After authentication, the client IP
address replaces the any field when the ACL is applied.)
For example:
proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0
proxyacl# 30=permit udp any any eq syslog
proxyacl# 40=permit udp any any eq tftp
Note The proxyacl entry determines the type of allowed network access.
For more information, see the “Configuring Web Authentication” section on page 6-38.
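The two rules above (priv-lvl must be 15; every ACL attribute must begin with proxyacl and use any as the source) are easy to get wrong in a RADIUS server's user profile, and a mistake only surfaces when a web-authenticated host gets no access or the wrong access. The following Python script is an added example, not part of the Cisco guide and not Cisco code: it validates a set of AV pairs against those rules and then renders the per-host ACL with the client address substituted for the any source field. The sample AV pairs are constructed from the guide's example; the function names, the regular expression, and the rendering of the substituted source as `host <client-ip>` are assumptions made for illustration, not a statement of the switch's exact internal format.

```python
import ipaddress
import re

# Constructed sample: the AV pairs a RADIUS server might return for a
# web-authenticated host. The four proxyacl entries mirror the guide's example.
SAMPLE_AV_PAIRS = [
    "priv-lvl=15",
    "proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0",
    "proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0",
    "proxyacl# 30=permit udp any any eq syslog",
    "proxyacl# 40=permit udp any any eq tftp",
]

# Assumed shape of a proxyacl attribute: "proxyacl# <seq>=<action> <proto> <src> <rest>"
PROXYACL_RE = re.compile(r"^proxyacl#\s*(\d+)=(permit|deny)\s+(\S+)\s+(\S+)(.*)$")


def validate_av_pairs(av_pairs):
    """Check AV pairs against the web-authentication rules.

    Returns (errors, entries): errors is a list of human-readable problems,
    entries is the parsed proxyacl list sorted by sequence number as
    (seq, action, protocol, remainder-of-entry) tuples.
    """
    errors = []
    entries = []
    priv_lvl = None
    for pair in av_pairs:
        if pair.startswith("priv-lvl="):
            priv_lvl = pair.split("=", 1)[1]
            if priv_lvl != "15":
                errors.append(f"priv-lvl must be 15, got {priv_lvl}")
            continue
        if pair.startswith("ip:inacl"):
            # ip:inacl is the IEEE 802.1x per-user ACL form, not accepted for web auth
            errors.append(f"web authentication ACLs must begin with proxyacl, not ip:inacl: {pair}")
            continue
        match = PROXYACL_RE.match(pair)
        if match is None:
            errors.append(f"unrecognised attribute: {pair}")
            continue
        seq, action, proto, source, rest = match.groups()
        if source != "any":
            # The switch substitutes the client address for 'any'; a fixed source is an error
            errors.append(f"proxyacl entry {seq}: source must be 'any', got {source}")
            continue
        entries.append((int(seq), action, proto, rest.strip()))
    if priv_lvl is None:
        errors.append("priv-lvl=15 attribute is missing")
    return errors, sorted(entries)


def render_acl(entries, client_ip):
    """Render the per-host ACL lines, replacing the 'any' source with the
    authenticated client's address (rendered as 'host <ip>', an assumption)."""
    ipaddress.ip_address(client_ip)  # raises ValueError on a malformed address
    return [f"{action} {proto} host {client_ip} {rest}".rstrip()
            for _seq, action, proto, rest in entries]


if __name__ == "__main__":
    problems, acl_entries = validate_av_pairs(SAMPLE_AV_PAIRS)
    for problem in problems:
        print("ERROR:", problem)
    if not problems:
        for line in render_acl(acl_entries, "192.0.2.10"):
            print(line)
```

Running the script against a profile that uses `priv-lvl=1`, an `ip:inacl` attribute, or a fixed source address reports each violation separately, so a profile can be checked before it is pushed to the RADIUS server rather than debugged on the switch.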