
802.1x NAC and per-user ACLs

rossmpersonal
Level 1

Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated, and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html , it appears that there is nothing preventing this.

Also, when will URL redirection to a remediation server be supported with 802.1x NAC?

9 Replies

jafrazie
Cisco Employee

802.1X with per-user ACLs has been avail on 3550s, 3750s, etc. since 12.1(14)EA1.

Hope this helps,

Does this apply to when NAC is done via 802.1x?

Also when will 802.1x NAC support URL redirection?

It shouldn't matter, since NAC is primarily about being able to increase your authorization decision capability (identified credentials PLUS posture, like the hotfixes you have loaded, etc.). It has less to do with the specific policy that actually gets enforced and how (ACL, VLAN, etc.), which could be enforced via identified credential alone (for example).

I have no idea when 802.1X NAC will support URL re-direction. Can you help me understand the use case?

Please verify that it doesn't matter because according to page 9 of http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf 802.1x with posture validation (802.1x NAC) does not support downloadable ACLs, which as far as I can tell are the same as per-user ACLs, and url-redirection. However, I can't tell if http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf is out of date.

The use case for URL redirection is for redirecting hosts which fail posture validation to a website which helps them become compliant, such as Windows Update. L3 NAC currently supports URL redirection. When will 802.1x NAC support URL redirection?

Thanks.

It doesn't matter ;-). Example:

<http://www.cisco.com/en/US/partner/products/hw/switches/ps5023/products_configuration_guide_chapter09186a008039475e.html#wp1065459>

"Downloadable IP ACLs" from an ACS point of view are indeed NOT the same thing, but you can configure the VSA anyway per the above.

Hope this helps,

What are "Downloadable IP ACLs" from an ACS point of view indeed NOT the same thing as? Thanks.

Also, please look into the url-redirection question.

Thanks.

Specifically, how are "downloadable acls" different than "per-user acls"?

You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.

802.1X with per-user ACLs was already shipping at the time though (has been for some time) and the mechanism is operationally the same .. just functionally different.

With per-user ACLs, you'd configure a VSA like:

ip:inacl#1=deny ip any host 10.1.8.3

ip:inacl#2=permit ip any any

The "downloadable IP ACL" config would look like:

deny ip any host 10.1.8.3

permit ip any any

In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user ACLs", there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.

So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).

Hope this helps,
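The following is an added example, not code from this thread or from Cisco, that makes the VSA discussion above concrete: it encodes the two "ip:inacl#N=..." av-pairs from the post as RADIUS Vendor-Specific attributes (type 26, vendor id 9, vendor-type 1, i.e. the "026\009\001" the reply names), decodes them back out of a constructed Access-Accept attribute blob, and rebuilds the ordered ACL so an operator can verify what authorization the switch would actually receive. The attribute layout follows RFC 2865 section 5.26; the function names, the sample ACEs and the sanity checks are my own assumptions for illustration.

```python
"""Encode/decode Cisco cisco-avpair VSAs carrying per-user ACL entries.

Added example (not from the thread). Assumptions, per RFC 2865 5.26:
  RADIUS attribute 26 = Vendor-Specific
  vendor id 9         = Cisco
  vendor-type 1       = cisco-avpair (string), i.e. "026\\009\\001"
"""
import re
import struct
from typing import List, Tuple

VSA_TYPE = 26          # RADIUS Vendor-Specific attribute
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor-type 1 = cisco-avpair

INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
ACE_RE = re.compile(r"^(permit|deny)\s+\S+", re.IGNORECASE)


def per_user_acl_avpairs(aces: List[str]) -> List[str]:
    """Turn a list of ACEs into the per-user ACL form from the post."""
    return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(aces, start=1)]


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wire-encode one cisco-avpair string as a RADIUS VSA."""
    value = avpair.encode("ascii")
    if len(value) > 247:            # 253 max attr payload - 4 vendor id - 2 vendor hdr
        raise ValueError("av-pair too long for one VSA")
    # vendor-length covers vendor-type + vendor-length + value
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    # outer length covers type + length + vendor-id + vendor_part
    return struct.pack("!BBI", VSA_TYPE, 6 + len(vendor_part), CISCO_VENDOR_ID) + vendor_part


def decode_cisco_avpairs(blob: bytes) -> List[str]:
    """Walk a RADIUS attribute blob and return every cisco-avpair string.

    Non-VSA attributes and VSAs from other vendors are skipped; malformed
    lengths raise rather than being silently accepted.
    """
    out: List[str] = []
    off = 0
    while off < len(blob):
        atype, alen = struct.unpack_from("!BB", blob, off)
        if alen < 2 or off + alen > len(blob):
            raise ValueError("malformed RADIUS attribute length")
        body = blob[off + 2: off + alen]
        off += alen
        if atype != VSA_TYPE or len(body) < 4:
            continue
        if struct.unpack_from("!I", body, 0)[0] != CISCO_VENDOR_ID:
            continue
        vpos = 4
        while vpos < len(body):
            vtype, vlen = struct.unpack_from("!BB", body, vpos)
            if vlen < 2 or vpos + vlen > len(body):
                raise ValueError("malformed vendor attribute length")
            if vtype == CISCO_AVPAIR:
                out.append(body[vpos + 2: vpos + vlen].decode("ascii"))
            vpos += vlen
    return out


def extract_inacl(avpairs: List[str]) -> List[str]:
    """Rebuild the ordered ACL from ip:inacl#N av-pairs (order by N, not arrival)."""
    entries: List[Tuple[int, str]] = []
    for av in avpairs:
        m = INACL_RE.match(av)
        if m:
            entries.append((int(m.group(1)), m.group(2).strip()))
    entries.sort(key=lambda e: e[0])
    return [ace for _, ace in entries]


def check_inacl(avpairs: List[str]) -> List[str]:
    """Operator sanity checks on the received ACL; returns a list of findings."""
    findings: List[str] = []
    seen = set()
    for av in avpairs:
        m = INACL_RE.match(av)
        if not m:
            continue
        seq, ace = int(m.group(1)), m.group(2).strip()
        if seq in seen:
            findings.append(f"duplicate sequence #{seq}")
        seen.add(seq)
        if not ACE_RE.match(ace):
            findings.append(f"entry #{seq} is not a permit/deny ACE: {ace!r}")
    if not seen:
        findings.append("no ip:inacl entries present")
    return findings


if __name__ == "__main__":
    # Constructed sample: the two ACEs from the post.
    aces = ["deny ip any host 10.1.8.3", "permit ip any any"]
    blob = b"".join(encode_cisco_avpair(av) for av in per_user_acl_avpairs(aces))
    print(blob.hex())
    print(extract_inacl(decode_cisco_avpairs(blob)))
```

Run as a script it prints the hex of the two VSAs and the reconstructed ACL; in practice you would feed `decode_cisco_avpairs` the attribute section of an Access-Accept taken from your RADIUS server's debug output to confirm the switch is receiving the ACL you think it is. Note the decoder orders by the `#N` index rather than arrival order, which matters because nothing in the per-user form guarantees the server emits the VSAs in sequence.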
