ACLs on a Cisco 4506 using new code 12.2(50)SG RRS feed

  • Question

  • We recently upgraded the code on our enterprise Cisco 4506 and are testing out the new hostmode multi-auth commands.  however, using dot1x with this, I cannot quarantine with VLANs because they do not work when a port is in multi-auth.  They do however, support downloadable ACLS.

    In the past, I have tested using Cisco VSA for Cisco-av-pair on a 3560 and it worked, using the format:
    ip:inacl#1=permit ip any host
    ip:inacl#2=permit ip any any

    however, this does not appear to be working on the 4506

    We have the following commands enabled per the Cisco documentation
    ip device tracking
    radius-server vsa send authentication

    These are also set...
    aaa authentication dot1x default group radius
    aaa authorization network default group radius

    Anyone know how to quarantine when a port is using hostmode multi-auth?

    thank you,

    Thursday, February 12, 2009 11:46 PM


  • Hi,

    I'm curious about why VLANs don't work when the port is in multi-auth. Is this specific to that switch? Can you not use multiple tagged VLANs? 

    The Filter-ID attribute is often used to assign ACLs - have you looked into this?


    Friday, February 20, 2009 6:13 AM