radius server key 7 "cd36…c90"
Note: this key is used for the security check with Cisco ISE and should match the key configured on Cisco ISE.
interface Gi1/0/1
interface Gi1/0/3
On Dell switches, DACL means Dynamic ACL, which Cisco in turn calls a Per-user ACL.
Interface...................................... Gi1/0/3
Method......................................... 802.1X
Session time................................... 35
Filter ID......................................
Redirect ACL...................................
Redirect URL...................................
Inbound Interface(s):
Gi1/0/3
Rule Number: 1
Action......................................... permit
Protocol....................................... 255(ip)
Rule Number: 2
Action......................................... permit
Protocol....................................... 255(ip)
The second step in the customer test case is to authenticate a user who has just logged in on a PC and received full
access to the network:
Interface...................................... Gi1/0/3
Method......................................... 802.1X
Session time................................... 96
Filter ID......................................
Redirect ACL...................................
Redirect URL...................................
Dell#show ip access-lists
No ACLs are configured
Note: the Dynamic ACL has been removed from the switch.
This method uses ACL syntax on a RADIUS server to create a new ingress ACL on the switch:
ip:inacl[#number]={extended-access-control-list}
ipv6:inacl[#number]={extended-access-control-list}
• The ip token indicates an IPv4 ACL definition follows the equals sign.
• The ipv6 token indicates an IPv6 ACL definition follows the equals sign.
• The tokens ip:inacl and ipv6:inacl are in lower case and are followed by an equals sign with no
intervening white space.
Dynamic ACL Example (Extended syntax, that is, ip access-list extended ...)
ip:inacl#100=permit ip any 209.165.0.0 0.0.255.255
ip:inacl#110=permit ip any 209.166.0.0 0.0.255.255
ip:inacl#120=permit ip any 209.167.0.0 0.0.255.255
Multiple ip:inacl/ipv6:inacl av-pairs may be present in the RADIUS message; however, only the first
definition is applied for the authentication session. Different sessions, as when the data and voice VLANs
authenticate independently, may each have a Dynamic ACL. It is recommended that the DACLs be designed
carefully so that they work together; at a minimum, no ACL numbers should be duplicated across the DACLs.
DACLs are applied at the port level and can affect any traffic ingressing the port. If the received ACLs
contain syntax errors (other than duplicate rules), the ACL rules are not applied, the RADIUS Access-Accept
is treated as an Access-Reject, and a WARN log message of the form "Interface X/X/X not authorized.
Application of downloaded ACL did not complete due to invalid syntax XXXXX" is issued,
indicating that a received RADIUS rule has invalid syntax or is configured with both ip:traffic-class and
inacl rules, and identifying the affected interface. If Accounting is enabled, the Acct-Start packet is not
sent. An EAP-Failure is sent to the 802.1X client.
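As an added example that is not Dell's or Cisco's code, the following Python script pre-checks the Cisco-AVPair strings of an Access-Accept the way the text says the switch will: it serves both the av-pair syntax above (lowercase ip:inacl / ipv6:inacl tokens, optional #number, '=' with no surrounding whitespace) and the application rules in the preceding paragraph (syntax errors or mixing ip:traffic-class with inacl turn the Accept into a Reject; duplicate rule numbers are not errors; rule numbers should not overlap across the data and voice sessions). The ACE grammar it accepts is a deliberately small subset chosen for this example (permit/deny, protocol, source, destination as any / host / address-wildcard), not the switch's full extended-ACL grammar; the 10, 20, ... numbering for unnumbered entries and the "first definition wins" handling of duplicate rule numbers are assumptions drawn from the text, and the interface name Gi1/0/3 and all av-pair inputs are constructed.

```python
"""Pre-flight validator for Dynamic ACL (DACL) RADIUS av-pairs (added example)."""
import re
from dataclasses import dataclass, field

# Tokens exactly as the text gives them: lowercase, optional #number, then '='
# with no whitespace on either side (leading whitespace in the ACE is rejected).
AVPAIR_RE = re.compile(r"^(?P<family>ip|ipv6):inacl(?:#(?P<seq>\d+))?=(?P<ace>\S.*)$")

# Simplified ACE grammar (assumption, not the switch's full grammar):
#   <permit|deny> <protocol> <source> <destination>
ACTION = r"(?:permit|deny)"
PROTO = r"(?:ip|ipv6|tcp|udp|icmp|\d{1,3})"
V4 = r"\d{1,3}(?:\.\d{1,3}){3}"
V4_ADDR = r"(?:any|host " + V4 + "|" + V4 + " " + V4 + ")"
V6 = r"[0-9a-fA-F:]+"
V6_ADDR = r"(?:any|host " + V6 + "|" + V6 + r"/\d{1,3})"
ACE_V4_RE = re.compile("^" + ACTION + " " + PROTO + " " + V4_ADDR + " " + V4_ADDR + "$")
ACE_V6_RE = re.compile("^" + ACTION + " " + PROTO + " " + V6_ADDR + " " + V6_ADDR + "$")


@dataclass
class Verdict:
    interface: str
    rules: dict = field(default_factory=dict)       # seq -> (family, ACE); first definition wins
    duplicates: list = field(default_factory=list)  # rule numbers seen twice (not syntax errors)
    errors: list = field(default_factory=list)      # problems the switch would log

    @property
    def accepted(self) -> bool:
        # Any syntax error: the Access-Accept is treated as an Access-Reject.
        return not self.errors

    def log_message(self) -> str:
        if self.accepted:
            return ""
        return (f"Interface {self.interface} not authorized. Application of downloaded "
                f"ACL did not complete due to invalid syntax {self.errors[0]}")


def parse_dacl(avpairs, interface="Gi1/0/3"):
    """Return a Verdict for the av-pair strings of one RADIUS Access-Accept."""
    v = Verdict(interface)
    mixes_traffic_class = any(p.startswith("ip:traffic-class") for p in avpairs)
    next_seq = 10  # assumption: unnumbered entries are numbered 10, 20, ... like a CLI ACL
    for raw in avpairs:
        m = AVPAIR_RE.match(raw)
        if m is None:
            # Catch the common mistakes: wrong case or whitespace around '='.
            if re.match(r"\s*(ip|ipv6):inacl", raw, re.IGNORECASE):
                v.errors.append(f"malformed av-pair {raw!r}")
            continue  # unrelated av-pairs are ignored here
        if mixes_traffic_class:
            v.errors.append("ip:traffic-class and inacl rules in the same Access-Accept")
            continue
        fam, seq, ace = m.group("family"), m.group("seq"), m.group("ace")
        if not (ACE_V4_RE if fam == "ip" else ACE_V6_RE).match(ace):
            v.errors.append(f"invalid syntax {ace!r}")
            continue
        if seq is None:
            seq, next_seq = next_seq, next_seq + 10
        seq = int(seq)
        if seq in v.rules:
            v.duplicates.append(seq)  # duplicate rule: not an error, first definition wins
            continue
        v.rules[seq] = (fam, ace)
    return v


def overlapping_rule_numbers(session_dacls):
    """Rule numbers shared between sessions' DACLs (e.g. data and voice VLAN)."""
    owner, overlap = {}, set()
    for name, avpairs in session_dacls.items():
        for seq in parse_dacl(avpairs).rules:
            if seq in owner and owner[seq] != name:
                overlap.add(seq)
            owner.setdefault(seq, name)
    return sorted(overlap)


# Constructed sample: the three-entry DACL from the text.
SAMPLE_ACCEPT = [
    "ip:inacl#100=permit ip any 209.165.0.0 0.0.255.255",
    "ip:inacl#110=permit ip any 209.166.0.0 0.0.255.255",
    "ip:inacl#120=permit ip any 209.167.0.0 0.0.255.255",
]

if __name__ == "__main__":
    for pairs in (SAMPLE_ACCEPT, ["ip:inacl#100 = permit ip any any"]):
        verdict = parse_dacl(pairs)
        print("ACCEPT" if verdict.accepted else "REJECT", verdict.rules or verdict.log_message())
```

Run it against the authorization profiles exported from ISE before pushing them; a REJECT verdict here corresponds to the Access-Accept-treated-as-Reject case described above, and a non-empty overlap from overlapping_rule_numbers flags data/voice DACLs that violate the "no duplicated ACL numbers" recommendation.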