05-28-2007 06:36 PM - edited 02-21-2020 01:32 AM
Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated, and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html , it appears that there is nothing preventing this.
Also, when will URL redirection to a remediation server be supported with 802.1x NAC?
05-31-2007 08:28 PM
802.1X with per-user ACLs has been available on 3550s, 3750s, etc. since 12.1(14)EA1.
Hope this helps,
06-04-2007 05:03 PM
Does this apply to when NAC is done via 802.1x?
Also when will 802.1x NAC support URL redirection?
06-04-2007 05:16 PM
It shouldn't matter, since NAC is primarily about being able to increase your authorization decision capability (identified credentials PLUS posture, like the hotfixes you have loaded, etc.). It has less to do with the specific policy that actually gets enforced and how (ACL, VLAN, etc.), which could be enforced via identified credential alone (for example).
I have no idea when 802.1X NAC will support URL re-direction. Can you help me understand the use case?
06-13-2007 12:42 PM
Please verify that it doesn't matter, because according to page 9 of http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf , 802.1x with posture validation (802.1x NAC) does not support downloadable ACLs, which as far as I can tell are the same as per-user ACLs, and URL redirection. However, I can't tell if http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf is out of date.
The use case for URL redirection is for redirecting hosts which fail posture validation to a website which helps them become compliant, such as Windows Update. L3 NAC currently supports URL redirection. When will 802.1x NAC support URL redirection?
Thanks.
06-13-2007 07:41 PM
It doesn't matter ;-). Example:
"Downloadable IP ACLs" from an ACS point of view are indeed NOT the same thing, but you can configure the VSA anyway per the above.
Hope this helps,
06-15-2007 09:18 AM
What are "Downloadable IP ACLs" from an ACS point of view indeed NOT the same thing as? Thanks.
Also, please look into the URL redirection question.
Thanks.
06-15-2007 09:25 AM
It's not the same thing as this (for example):
Not sure I know the roadmap info.
06-15-2007 01:15 PM
Specifically, how are "downloadable ACLs" different from "per-user ACLs"?
06-16-2007 11:10 AM
You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.
802.1X with per-user ACLs was already shipping at the time though (has been for some time), and the mechanism is operationally the same .. just functionally different.
With per-user ACLs, you'd configure a VSA like:
ip:inacl#1=deny ip any host 10.1.8.3
ip:inacl#2=permit ip any any
The "downloadable IP ACL" config would look like:
deny ip any host 10.1.8.3
permit ip any any
In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user ACLs", there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.
So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).
Hope this helps,
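The reply above says both techniques ride the same RADIUS VSA, attribute 26 (Vendor-Specific) / vendor 9 (Cisco) / vendor-type 1 (Cisco-AVPair), and that per-user ACLs are just "ip:inacl#N=..." AVPairs applied unconditionally. The following is an added example, not code from the thread or from Cisco, that encodes and decodes that attribute on the wire so you can see exactly what ACS sends in the Access-Accept for the two-line ACL quoted in the post. It does not model the extra download handshake the reply mentions for ACS "downloadable IP ACLs"; it only shows the per-user-ACL form. Function names and the sample ACL lines are assumptions made for the example.

```python
import struct

# RADIUS attribute and Cisco vendor constants (RFC 2865 / Cisco AVPair).
ATTR_VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # vendor-type 1 = Cisco-AVPair (the 026\009\001 VSA)


def per_user_acl_avpairs(acl_lines):
    """Turn ordered ACL lines into the 'ip:inacl#N=...' AVPairs ACS sends for per-user ACLs."""
    return [f"ip:inacl#{i}={line}" for i, line in enumerate(acl_lines, start=1)]


def encode_cisco_avpair(value: str) -> bytes:
    """Build one RADIUS attribute 26 carrying a single Cisco (9) AVPair (1) string."""
    data = value.encode("ascii")
    # vendor sub-attribute: vendor-type, vendor-length (includes the 2 header bytes), string
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    payload = struct.pack("!I", VENDOR_CISCO) + sub
    if 2 + len(payload) > 255:
        raise ValueError("AVPair too long for a single RADIUS attribute")
    # outer attribute: type 26, length (includes the 2 header bytes), vendor-id + sub-attribute
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(payload)) + payload


def decode_cisco_avpairs(blob: bytes):
    """Walk a RADIUS attribute list and return the Cisco-AVPair strings from 26/9/1 attributes.

    Lengths are checked at every level so a malformed attribute raises instead of
    silently producing a bogus ACL entry.
    """
    avpairs = []
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad attribute length")
        body = blob[off + 2:off + alen]
        off += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(body) < 6:
            continue  # not a VSA, or too short to hold vendor-id + sub-attribute header
        vendor = struct.unpack("!I", body[:4])[0]
        if vendor != VENDOR_CISCO:
            continue
        sub = body[4:]
        soff = 0
        while soff + 2 <= len(sub):
            vtype, vlen = sub[soff], sub[soff + 1]
            if vlen < 2 or soff + vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR:
                avpairs.append(sub[soff + 2:soff + vlen].decode("ascii"))
            soff += vlen
    return avpairs


def inacl_from_avpairs(avpairs):
    """Reassemble 'ip:inacl#N=...' AVPairs into ordered ACL lines, as the switch would."""
    entries = []
    for av in avpairs:
        if av.startswith("ip:inacl#"):
            idx, _, line = av[len("ip:inacl#"):].partition("=")
            entries.append((int(idx), line))
    entries.sort()  # the #N index, not arrival order, defines ACE order
    return [line for _, line in entries]


if __name__ == "__main__":
    # Constructed sample: the same two-line ACL quoted in the thread.
    acl = ["deny ip any host 10.1.8.3", "permit ip any any"]
    avs = per_user_acl_avpairs(acl)
    wire = b"".join(encode_cisco_avpair(a) for a in avs)
    print(wire.hex())
    print(inacl_from_avpairs(decode_cisco_avpairs(wire)))
```

Each AVPair becomes its own attribute 26 with vendor-id 9 and vendor-type 1; the decoder validates both the outer and the vendor sub-attribute lengths before trusting the string, which is the check a practitioner wants when a RADIUS server, not the switch, decides what ACEs land on the port.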