1844 Views | 0 Helpful | 2 Replies

Dynamic ACLs on 2960S switch using ACS 5.2

Justin Westover
Level 1

I am testing an ACS 5.2 in our lab environment; I am testing port security for policy-based VLAN and ACL assignment. The problem I am having is with the 2960S switches: in my current setup it is working, but it doesn't seem to me like it is working the way that it should be. I have a downloadable ACL in the ACS defined and associated to an access policy, and it is working correctly. The problem is, from what I understand, I have to assign a default ACL on the switchport? So what I have assigned on the switchport is ip access-group 10 in. The downloadable ACL from the ACS is also called 10. Do I really need to match the ACL on the switchport with the ACL name I have created in ACS? That doesn't seem like it's dynamic if that is the case. What is the ACL that I should apply to the switch port (if any) in order for the downloadable ACLs that I configure in the ACS to work no matter what port the user is patched into?

2 Replies

Nicolas Darchis
Cisco Employee

No.

What you can do is put an access list (whatever the name) "permit any any" on all the switch ports. And as soon as dot1x clients authenticate, they get a new ACL download that replaces the default ACL.

This is if only a few types of dot1x users have a dynamic ACL.

You can also use the opposite logic, put a deny ip access list on all the ports and the users will download the correct ACL depending on their radius attributes.

I even think that the very latest IOS has a command to say "if no ACL is defined on a port, then the default ACL will be x" so that you don't have to define it on all the ports one by one.

Nicolas
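As an added illustration of the two default-ACL options described in the reply above (this is not configuration from the thread, from ACS, or from Cisco documentation), here is a 2960-style IOS configuration with the permissive port default next to the restrictive one. The interface number, ACL names, VLAN, and RADIUS server address and key are assumed placeholders.

```cisco
! --- AAA and RADIUS: the switch must be allowed to accept a dACL from ACS ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! assumed ACS address and shared secret (placeholders)
radius-server host 192.0.2.10 key RADIUS-KEY-PLACEHOLDER
radius-server vsa send authentication
dot1x system-auth-control
! the switch needs the host's IP to bind a per-host dACL to it
ip device tracking

! --- Option A (first suggestion): permissive default on the port ---
! Any session that does not receive a dACL keeps full access; acceptable
! only when most users are not meant to get a dynamic ACL at all.
ip access-list extended PORT-DEFAULT-OPEN
 permit ip any any

! --- Option B (second suggestion): restrictive default on the port ---
! A session that does not receive a dACL gets nothing; the safer default
! when every user class is expected to download its own ACL.
ip access-list extended PORT-DEFAULT-DENY
 deny ip any any

! --- Access port: the static ACL name here is independent of the dACL
! --- name defined in ACS, which replaces it once the client authenticates
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ip access-group PORT-DEFAULT-DENY in
```

After a client authenticates, `show authentication sessions interface GigabitEthernet1/0/5` lists the dACL the switch actually applied to that session, which is the quickest way to confirm that the static name on the port played no part in the match.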

Do you know the specific command you are referring to? Since this switch is in my lab environment I can update the code no problem. I have never heard of the command you are referring to, though, in regards to the default ACL?