802.1x NAC and per-user ACLs

Unanswered Question
May 28th, 2007

Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated, and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html it appears that there is nothing preventing this.

Also, when will URL redirection to a remediation server be supported with 802.1x NAC?

jafrazie (Cisco Employee) Thu, 05/31/2007 - 20:28

802.1X with per-user ACLs has been available on 3550s, 3750s, etc. since 12.1(14)EA1.

Hope this helps,

rossmpersonal Mon, 06/04/2007 - 17:03

Does this apply to when NAC is done via 802.1x?

Also when will 802.1x NAC support URL redirection?

jafrazie (Cisco Employee) Mon, 06/04/2007 - 17:16

It shouldn't matter, since NAC is primarily about being able to increase your authorization decision capability (identified credentials PLUS posture, like the hotfixes you have loaded, etc.). It has less to do with the specific policy that actually gets enforced and how (ACL, VLAN, etc.), which could be enforced via identified credential alone (for example).

I have no idea when 802.1X NAC will support URL re-direction. Can you help me understand the use case?

rossmpersonal Wed, 06/13/2007 - 12:42

Please verify that it doesn't matter because according to page 9 of http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf 802.1x with posture validation (802.1x NAC) does not support downloadable ACLs, which as far as I can tell are the same as per-user ACLs, and url-redirection. However, I can't tell if http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf is out of date.

The use case for URL redirection is for redirecting hosts which fail posture validation to a website which helps them become compliant, such as Windows Update. L3 NAC currently supports URL redirection. When will 802.1x NAC support URL redirection?


rossmpersonal Fri, 06/15/2007 - 09:18

So "Downloadable IP ACLs" from an ACS point of view are indeed NOT the same thing as ? Thanks.

Also, please look into the url-redirection question.


rossmpersonal Fri, 06/15/2007 - 13:15

Specifically, how are "downloadable acls" different than "per-user acls"?

jafrazie (Cisco Employee) Sat, 06/16/2007 - 11:10

You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.

802.1X with per-user ACLs was already shipping at the time though (has been for some time), and the mechanism is operationally the same .. just functionally different.

With per-user ACLs, you'd configure a VSA like:

ip:inacl#1=deny ip any host

ip:inacl#2=permit ip any any

The "downloadable IP ACL" config would look like:

deny ip any host

permit ip any any

In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user ACLs", there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.

So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).

Hope this helps,

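To make the "same VSA, different config" point above concrete, here is an added worked example (not code from the thread, from Cisco, or from ACS) that encodes and decodes the cisco-avpair Vendor-Specific attribute the post refers to as 026\009\001: RADIUS attribute type 26, Vendor-Id 9, vendor sub-attribute 1. It builds the per-user ACL form (one `ip:inacl#N=<ace>` pair per ACE), parses a run of RADIUS attributes back into pairs, and reassembles the ACL in `#N` order even if the attributes arrive out of order. The sample ACEs, including the host address 10.0.0.5, are constructed for the example (the thread's own ACL lines leave the host out).

```python
"""Encode/decode the Cisco cisco-avpair RADIUS VSA used for 802.1X per-user ACLs.

Added example for this thread; not taken from Cisco documentation or from ACS.
Layout (RFC 2865 section 5.26 plus Cisco's vendor format):
  Type=26 | Length | Vendor-Id=9 (4 bytes) | Vendor-Type=1 | Vendor-Length | string
"""
import re
import struct

VSA_TYPE = 26                       # RADIUS Vendor-Specific attribute
CISCO_VENDOR_ID = 9                 # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                    # Cisco vendor sub-attribute "cisco-avpair"
MAX_AVPAIR_LEN = 255 - 2 - 4 - 2    # attr header, Vendor-Id, sub-attr header


def encode_cisco_avpair(value: str) -> bytes:
    """Return one complete RADIUS attribute carrying a single cisco-avpair string."""
    data = value.encode("ascii")
    if not data or len(data) > MAX_AVPAIR_LEN:
        raise ValueError(f"cisco-avpair must be 1..{MAX_AVPAIR_LEN} bytes, got {len(data)}")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", VSA_TYPE, 2 + 4 + len(sub), CISCO_VENDOR_ID) + sub


def per_user_acl_avpairs(aces: list[str]) -> list[bytes]:
    """Build the ip:inacl#N=<ace> pairs the thread shows, one attribute per ACE, from 1."""
    return [encode_cisco_avpair(f"ip:inacl#{n}={ace}") for n, ace in enumerate(aces, 1)]


def decode_cisco_avpairs(blob: bytes) -> list[str]:
    """Walk a run of RADIUS attributes and return every cisco-avpair string in order.

    Non-Cisco attributes are skipped; malformed length fields raise instead of
    being silently clipped, since a truncated ACE would change what is permitted.
    """
    values: list[str] = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        body = blob[pos + 2:pos + alen]
        pos += alen
        if atype != VSA_TYPE or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = body[4:]
        spos = 0
        while spos < len(sub):
            if len(sub) - spos < 2:
                raise ValueError("truncated vendor sub-attribute")
            stype, slen = sub[spos], sub[spos + 1]
            if slen < 2 or spos + slen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if stype == CISCO_AVPAIR:
                values.append(sub[spos + 2:spos + slen].decode("ascii"))
            spos += slen
    return values


INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def acl_from_avpairs(values: list[str]) -> list[str]:
    """Reassemble the per-user ACL from ip:inacl#N= pairs, ordered by N, not by arrival."""
    entries = []
    for v in values:
        m = INACL_RE.match(v)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return [ace for _, ace in sorted(entries)]


if __name__ == "__main__":
    # Constructed sample ACL; 10.0.0.5 is a made-up host for the example.
    sample = ["deny ip any host 10.0.0.5", "permit ip any any"]
    pairs = per_user_acl_avpairs(sample)
    for p in pairs:
        print(p.hex())
    print(acl_from_avpairs(decode_cisco_avpairs(b"".join(pairs))))
```

The ordering step matters: the switch applies ACEs by the `#N` index carried in the string, not by the position of the attribute in the Access-Accept, so a server that emits them in a different order still produces the same ACL.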
