Re: 802.1x with ACL

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Tue Jan 27 2009 - 00:54:30 ARST


Thanks Tyson and Sadiq,

I found the problem. As Tyson said, the command

"radius-server vsa send authentication"

was missing; now it is working:

Rack1SW2#sh ip access-lists
Extended IP access list FastEthernet0/20#IP0 (per-user)
    10 permit ip host 10.0.0.100 host 150.1.1.1
    20 deny ip 10.0.0.0 0.0.0.255 150.1.0.0 0.0.255.255
    30 permit ip any any
Rack1SW2#

Thanks a lot,

Regards

----- Original Message -----
From: "Tyson Scott" <tscott@ipexpert.com>
To: "'Edouard Zorrilla'" <ezorrilla@tsf.com.pe>; "'Sadiq Yakasai'"
<sadiqtanko@gmail.com>
Cc: <security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Monday, January 26, 2009 7:36 PM
Subject: RE: 802.1x with ACL

> Have you included
> radius-server vsa send authentication
>
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: tscott@ipexpert.com
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Edouard Zorrilla
> Sent: Monday, January 26, 2009 6:48 PM
> To: Sadiq Yakasai
> Cc: security@groupstudy.com; ccielab@groupstudy.com
> Subject: Re: 802.1x with ACL
>
> Sir,
>
> I am able to do 802.1x with VLAN assignment, but not with ACL assignment.
> Do you know any link on the Cisco web site with an example like that?
>
> Let me change the "any" inside the cisco-av-pair and see what happens.
>
> Thanks
>
> Regards
>
> ----- Original Message -----
> From: Sadiq Yakasai
> To: Edouard Zorrilla
> Cc: security@groupstudy.com ; ccielab@groupstudy.com
> Sent: Monday, January 26, 2009 12:07 PM
> Subject: Re: 802.1x with ACL
>
>
> Hi there,
>
> Per-user ACLs work when the ACL is configured with the source as "any" on
> ACS. The switch will replace this with the IP address of the device that
> authenticates on the port. When you do a debug or show on the port, I bet
> you would see authorization failure and not authentication failure.
>
>
> <show dot1x authe f0/20 detail> should give us a very good view of what's
> happening here.
>
> [009\001] cisco-av-pair {check}
> ip:inacl#1=deny ip any 150.1.0.0 0.0.255.255
> ip:inacl#2=permit ip any any
>
> Let us know how you get on please.
>
> HTH,
> Sadiq
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

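Putting the pieces of this thread together, here is an added example of the switch-side configuration needed before a per-user ACL returned in Cisco-AVPair "ip:inacl#N" attributes is actually applied. This is not the original poster's configuration; the hostname, addresses, RADIUS key and port details are assumptions, and the one line the thread found missing is marked.

```ios
! Constructed example, not the configuration from the thread.
! Addresses, the RADIUS key and the port are assumptions.
aaa new-model
aaa authentication dot1x default group radius
! "network" authorization is what lets the switch apply the
! per-user attributes (VLAN, ip:inacl#N) carried in the Access-Accept.
aaa authorization network default group radius
!
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key Rack1Key
! The command that was missing in the thread: without it the switch
! does not recognise or use vendor-specific attributes (Cisco-AVPair),
! so the ip:inacl#N entries are silently ignored and only the
! standard attributes (for example the VLAN assignment) take effect.
radius-server vsa send authentication
!
dot1x system-auth-control
!
interface FastEthernet0/20
 switchport mode access
 dot1x port-control auto
```

The server side is what Sadiq already showed: one cisco-av-pair value per ACE, numbered ip:inacl#1, ip:inacl#2, ... with the source written as "any" so the switch can substitute the authenticated host's address. After a supplicant authenticates, "show ip access-lists" should list the downloaded ACL under a name of the form <interface>#IP0 (per-user), as in the output above; if it does not, "debug radius" shows whether the Access-Accept actually carried the av-pairs, which separates a server-side attribute problem from the missing switch command.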



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST