10-66
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
Configuring Downloadable ACLs
The policies take effect after client authentication and the client IP address addition to the IP device
tracking table. The switch then applies the downloadable ACL to the port.
Beginning in privileged EXEC mode:
Configuring a Downloadable Policy
Beginning in privileged EXEC mode:
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
ip device tracking Configure the ip device tracking table.
Step 3
aaa new-model Enables AAA.
Step 4
aaa authorization network default group
radius
Sets the authorization method to local. To remove the
authorization method, use the no aaa authorization network
default group radius command.
Step 5
radius-server vsa send authentication Configure the radius vsa send authentication.
Step 6
interface interface-id Specify the port to be configured, and enter interface
configuration mode.
Step 7
ip access-group acl-id in Configure the default ACL on the port in the input direction.
Note The acl-id is an access list name or number.
Step 8
show running-config interface interface-id Verify your configuration.
Step 9
copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
access-list access-list-number deny
source source-wildcard log
Defines the default port ACL by using a source address and wildcard.
The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Enter deny or permit to specify whether to deny or permit access if
conditions are matched.
The source is the source address of the network or host that sends a packet,
such as this:
• The 32-bit quantity in dotted-decimal format.
• The keyword any as an abbreviation for source and source-wildcard
value of 0.0.0.0 255.255.255.255. You do not need to enter a
source-wildcard value.
• The keyword host as an abbreviation for source and source-wildcard
of source 0.0.0.0.
(Optional) Applies the source-wildcard wildcard bits to the source.
(Optional) Enters log to cause an informational logging message about the
packet that matches the entry to be sent to the console.