Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class Release Notes, Cisco IOS Release 12.2(35)SE and later
459515-002
Documentation Updates
Update to the “Configuring IEEE 802.1x” Chapter
These sections were added to the “Configuring IEEE 802.1x” chapter:
Using Web Authentication
You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality.
You can configure a port to use only web authentication. You can also configure the port to first try to
use IEEE 802.1x authentication and then to use web authorization if the client does not support
IEEE 802.1x authentication.
Web authentication requires two Cisco Attribute-Value (AV) pair attributes:
• The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user
who is logging into the switch.
• The second attribute is an access list to be applied for web authenticated hosts. The syntax is similar
to IEEE 802.1x per-user ACLs. However, instead of ip:inacl, this attribute must begin with
proxyacl, and the source field in each entry must be any. (After authentication, the client IP
address replaces the any field when the ACL is applied.)
For example:
proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0
proxyacl# 30=permit udp any any eq syslog
proxyacl# 40=permit udp any any eq tftp
Note: The proxyacl entry determines the type of allowed network access.
For more information, see the “Configuring Web Authentication” section on page 23.
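The following is an added example, not part of the Cisco release notes: a Python check that lints a user's AV pairs against the two rules above before they are loaded on the RADIUS server, and shows the entries with the client address substituted for any. The function names, the constructed client address, and the `host <address>` rendering of the substituted source are assumptions for illustration, not switch output.

```python
import re

# proxyacl#<seq>=<action> <protocol> <source> <rest of entry>
ENTRY = re.compile(r"^proxyacl#\s*(\d+)=(permit|deny)\s+(\S+)\s+(\S+)\s+(.+)$")

def check_webauth_avpairs(avpairs):
    """Return a list of problems in a user's AV pairs (empty list = OK)."""
    problems = []
    if not any(p.endswith("priv-lvl=15") for p in avpairs):
        problems.append("missing priv-lvl=15")
    acl = [p for p in avpairs if "priv-lvl=" not in p]
    if not acl:
        problems.append("no proxyacl entries")
    for pair in acl:
        if pair.startswith("ip:inacl"):
            problems.append(f"{pair!r}: ip:inacl is the 802.1x per-user form, use proxyacl")
            continue
        m = ENTRY.match(pair)
        if not m:
            problems.append(f"{pair!r}: not a proxyacl#<n>=<entry> attribute")
        elif m.group(4) != "any":
            problems.append(f"{pair!r}: source field must be any")
    return problems

def applied_acl(avpairs, client_ip):
    """Illustrate the ACL after authentication: client IP replaces source 'any'."""
    out = []
    for pair in avpairs:
        m = ENTRY.match(pair)
        if m and m.group(4) == "any":
            seq, action, proto, _, rest = m.groups()
            out.append(f"{seq} {action} {proto} host {client_ip} {rest}")
    return out

# Entries taken from the example above, plus a constructed faulty profile.
GOOD = ["priv-lvl=15",
        "proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0",
        "proxyacl# 30=permit udp any any eq syslog"]
BAD = ["priv-lvl=1",
       "ip:inacl#10=permit ip any any",
       "proxyacl#20=permit ip 10.1.1.0 0.0.0.255 any"]

if __name__ == "__main__":
    print(check_webauth_avpairs(GOOD))
    for line in applied_acl(GOOD, "192.0.2.10"):  # constructed client address
        print(line)
    for problem in check_webauth_avpairs(BAD):
        print(problem)
```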
Configuring Web Authentication
Beginning in privileged EXEC mode, follow these steps to configure authentication, authorization, and
accounting (AAA) and RADIUS on a switch before configuring web authentication. The steps enable
AAA by using RADIUS authentication and enable device tracking.
Step     Command               Purpose
Step 1   configure terminal    Enter global configuration mode.
Step 2   aaa new-model         Enable AAA.