Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated, and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html , it appears that there is nothing preventing this.
Also, when will URL redirection to a remediation server be supported with 802.1x NAC?
It shouldn't matter, since NAC is primarily about being able to increase your authorization decision capability (identified credentials PLUS posture, like the hotfixes you have loaded, etc.). It has less to do with the specific policy that actually gets enforced and how (ACL, VLAN, etc.), which could be enforced via identified credential alone (for example).
I have no idea when 802.1X NAC will support URL re-direction. Can you help me understand the use case?
Please verify that it doesn't matter because according to page 9 of http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf 802.1x with posture validation (802.1x NAC) does not support downloadable ACLs, which as far as I can tell are the same as per-user ACLs, and url-redirection. However, I can't tell if http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf is out of date.
The use case for URL redirection is for redirecting hosts which fail posture validation to a website which helps them become compliant, such as Windows Update. L3 NAC currently supports URL redirection. When will 802.1x NAC support URL redirection?
It doesn't matter ;-). Example:
"Downloadable IP ACLs" from an ACS point of view are indeed NOT the same thing, but you can configure the VSA anyway per the above.
Hope this helps,
What are "Downloadable IP ACLs" from an ACS point of view indeed NOT the same thing as? Thanks.
Also, please look into the url-redirection question.
It's not the same thing as this (for example):
Not sure I know the roadmap info.
You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.
802.1X with per-user ACLs was already shipping at the time though (has been for some time) and the mechanism is operationally the same .. just functionally different.
With per-user ACLs, you'd configure a VSA like:
ip:inacl#1=deny ip any host 10.1.8.3
ip:inacl#2=permit ip any any
The "downloadable IP ACL" config would look like:
deny ip any host 10.1.8.3
permit ip any any
In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user ACLs", there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.
So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).
Hope this helps,
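To make the "026\009\001" VSA concrete, here is an added example (not from the thread or from Cisco) that encodes the per-user ACL above as RADIUS Vendor-Specific attributes (type 26, vendor id 9, vendor type 1, i.e. cisco-avpair) carrying `ip:inacl#N=<ace>` strings, and decodes an attribute list back into the ACL in `#N` order. The packet layout follows RFC 2865; the ACL lines are the constructed sample from the post.

```python
import struct

RADIUS_VSA_TYPE = 26   # RFC 2865 "Vendor-Specific" attribute
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco (the "009" part)
CISCO_AVPAIR = 1       # vendor type 1 = cisco-avpair (the "001" part)

def encode_inacl_vsas(acl_lines):
    """Return one cisco-avpair VSA per ACE, as ip:inacl#N=<ace>, N starting at 1.

    Layout per attribute: Type(26) Length VendorId(4) VendorType(1) VendorLen Value
    """
    out = b""
    for n, ace in enumerate(acl_lines, start=1):
        value = f"ip:inacl#{n}={ace}".encode()
        if len(value) > 247:               # 255 - 2 (type/len) - 4 (vendor id) - 2 (vtype/vlen)
            raise ValueError("ACE too long for a single RADIUS attribute")
        vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
        out += struct.pack("!BBI", RADIUS_VSA_TYPE, 6 + len(vendor_part), CISCO_VENDOR_ID)
        out += vendor_part
    return out

def decode_inacl_vsas(attrs):
    """Walk a RADIUS attribute list and recover the per-user ACL.

    Only Cisco cisco-avpair VSAs whose value starts with ip:inacl#<N>= are kept;
    the result is ordered by N (the index the switch uses for ACE order, not by
    the order the attributes appear in the packet). Malformed lengths raise.
    """
    entries = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == RADIUS_VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            vtype, vlen = attrs[i + 6], attrs[i + 7]
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen == alen - 6:
                text = attrs[i + 8:i + alen].decode(errors="replace")
                key, sep, ace = text.partition("=")
                if sep and key.startswith("ip:inacl#") and key[9:].isdigit():
                    entries[int(key[9:])] = ace
        i += alen
    return [entries[k] for k in sorted(entries)]

# Constructed sample: the per-user ACL from the post.
SAMPLE_ACL = ["deny ip any host 10.1.8.3", "permit ip any any"]
```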