From: Tyson Scott (tscott@ipexpert.com)
Date: Mon Jan 26 2009 - 22:36:06 ARST
Have you included
radius-server vsa send authentication
Regards,
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: tscott@ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Edouard Zorrilla
Sent: Monday, January 26, 2009 6:48 PM
To: Sadiq Yakasai
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: 802.1x with ACL
Sir,
I am able to do 802.1x with VLAN assignment, but not with ACL assignment. Do
you know any link on the Cisco web site with an example like that?
Let me change the any inside cisco-av-pair and see what happens.
Thanks
Regards
----- Original Message -----
From: Sadiq Yakasai
To: Edouard Zorrilla
Cc: security@groupstudy.com ; ccielab@groupstudy.com
Sent: Monday, January 26, 2009 12:07 PM
Subject: Re: 802.1x with ACL
Hi there,
Per-user ACLs work when the ACL is configured with the source as "any" on
ACS. The switch will replace this with the IP address of the device that
authenticates on the port. When you do a debug or show on the port, I bet you
would see authorization failure and not authentication failure.
<show dot1x authe f0/20 detail> should give us a very good view of what's
happening here.
[009\001] cisco-av-pair {check}
ip:inacl#1=deny ip any 150.1.0.0 0.0.255.255
ip:inacl#2=permit ip any any
Let us know how you get on please.
HTH,
Sadiq
Blogs and organic groups at http://www.ccie.net
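
Added example (not part of the original thread, and not Cisco's or ACS's own code): a small Python check for the rule in Sadiq's message, that each ip:inacl#N attribute uses "any" as its source so the switch can replace it with the authenticated device's address. The simplified ACE grammar (any / host A / A WILDCARD, no port operators on the source), the "host <ip>" form of the substituted entry, and the client address passed in are assumptions made for illustration.

```python
import re

# Constructed sample: the two attributes from the thread plus one with a
# non-"any" source, as they would be entered under cisco-av-pair on ACS.
SAMPLE_AV_PAIRS = [
    "ip:inacl#1=deny ip any 150.1.0.0 0.0.255.255",
    "ip:inacl#2=permit ip any any",
    "ip:inacl#3=permit ip 10.0.0.0 0.0.0.255 any",
]

AV_RE = re.compile(r"^ip:inacl#(\d+)=(permit|deny)\s+(\S+)\s+(.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def take_address(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host" and len(tokens) >= 2 and IPV4_RE.match(tokens[1]):
        return "host " + tokens[1], tokens[2:]
    if len(tokens) >= 2 and IPV4_RE.match(tokens[0]) and IPV4_RE.match(tokens[1]):
        return tokens[0] + " " + tokens[1], tokens[2:]
    raise ValueError("bad address: " + " ".join(tokens))


def check_av_pair(av_pair, client_ip):
    """Return (ok, detail). ok is True only when the source is 'any';
    detail is then the entry with the client address substituted."""
    m = AV_RE.match(av_pair.strip())
    if not m:
        return False, "not an ip:inacl#N= attribute"
    _seq, action, proto, rest = m.groups()
    try:
        src, tail = take_address(rest.split())
        dst, extra = take_address(tail)
    except ValueError as exc:
        return False, str(exc)
    if src != "any":
        return False, "source is '%s', expected 'any'" % src
    # Assumption: the substituted source is rendered as "host <client_ip>".
    return True, " ".join([action, proto, "host " + client_ip, dst] + extra)


def lint(av_pairs, client_ip):
    """Check every attribute against one (constructed) client address."""
    return [check_av_pair(p, client_ip) for p in av_pairs]
```

Calling lint(SAMPLE_AV_PAIRS, "150.1.7.20") with a constructed client address accepts the first two attributes and flags the third, whose source is a network rather than "any".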
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST