Which 802.1x command is needed for dACL to be applied on a switch port?
A. dot1x system-auth-control
B. dot1x pae authenticator
C. authentication port-control auto
D. radius-server vsa send authentication
E. aaa authorization network default group radius
Answer E
I think both “radius-server vsa send” and “aaa authorization network default group radius” are needed for ACL to be applied to the port.
“radius-server vsa send” allows AV pairs to be sent between the NAS and the RADIUS server.
The downloadable IP access lists use the Cisco Attribute Value Pair (AVP) “ip:inacl”
Example: ip:inacl#100=permit ip any 172.20.254.0 0.0.0.255
ip:inacl#200=deny ip any any
The command “radius-server vsa send authentication” only sends authentication-specific attributes. The command should be “radius-server vsa send”, which sends both authentication and accounting.
The “aaa authorization network default group radius” command is needed; it governs network authorizations via RADIUS (VLAN / ACL assignment).
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html
+1
The correct answer is E
radius-server vsa send authentication
interface g0/1
ip access-group 99 in
end
This answer seems to be wrong. I see this manual, where you can see in Table 1 that the “aaa authorization network default group radius” command says:
Governs network authorizations via RADIUS (VLAN / ACL assignment)
while all other options are totally different.
Correct Answer: E.
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html
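An added example, not part of any post in this thread and not Cisco's code: a small Python check that reads a running-config and reports which of the commands named in options A-E are absent, globally and per 802.1X port. The sample config is constructed, and treating all five commands as required is an assumption drawn from the thread.

```python
# Commands named in the thread (options A-E). Assumption: this is the thread's
# list, not a complete Cisco prerequisite list for dACLs.
GLOBAL_REQUIRED = [
    "dot1x system-auth-control",                       # option A
    "radius-server vsa send",                          # option D (prefix match)
    "aaa authorization network default group radius",  # option E
]
PORT_REQUIRED = ["dot1x pae authenticator",            # option B
                 "authentication port-control auto"]   # option C

# Constructed sample in `show running-config` layout (sub-commands indented).
SAMPLE = """\
aaa new-model
dot1x system-auth-control
radius-server vsa send authentication
!
interface GigabitEthernet0/1
 ip access-group 99 in
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 authentication port-control auto
!
"""

def audit(config):
    """Return {scope: [missing commands]} for globals and each 802.1X port."""
    global_lines, ports, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line[:1].isspace() and current:
            ports[current].append(line.strip())
        else:
            current = None  # an unindented line closes the interface block
            if line.strip() not in ("", "!"):
                global_lines.append(line.strip())
    findings = {"global": [c for c in GLOBAL_REQUIRED
                           if not any(l.startswith(c) for l in global_lines)]}
    for name, lines in ports.items():
        if any(l.startswith(("dot1x ", "authentication ")) for l in lines):
            findings[name] = [c for c in PORT_REQUIRED if c not in lines]
    return {scope: miss for scope, miss in findings.items() if miss}

if __name__ == "__main__":
    for scope, missing in audit(SAMPLE).items():
        print(f"{scope}: missing {', '.join(missing)}")
```

On the sample, the audit flags the missing option E command globally and the missing option B command on GigabitEthernet0/2. A config that uses a named RADIUS server group instead of "group radius" would need that string added to the list.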