Table of Contents
Advertisement
Understanding NAC
Retransmission Timer
The retransmission timer controls the amount of time that the switch waits for a response from the client
before resending a request during posture validation. Setting the timer value too low might cause
unnecessary transmissions, and setting the timer value too high might cause poor response times.
The default value of the retransmission timer is 3 seconds.
Revalidation Timer
The revalidation timer controls the amount of time that a NAC policy is applied to a client that used
EAPoUDP messages during posture validation. The timer starts after the initial posture validation is
complete. The timer resets when the host is revalidated. The default value of the revalidation timer is
36000 seconds (10 hours).
You can specify the revalidation timer value on the switch by using the eou timeout revalidation
seconds global configuration command. You can also specify the revalidation timer value on an interface
by using the eou timeout revalidation seconds interface configuration command.
The revalidation timer can be configured locally on the switch or it can be downloaded from the control
Note
server.
The revalidation timer operation is based on Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute[29]) in the Access-Accept message from the Cisco
Secure ACS running AAA. If the switch gets the Session-Timeout value, this value overrides the
revalidation timer value on the switch.
If the revalidation timer expires, the switch action depends on one of these values of the
Termination-Action attribute:
•
•
•
•
Status-Query Timer
The status-query timer controls the amount of time the switch waits before verifying that the previously
validated client is present and that its posture has not changed. Only clients that were authenticated with
EAPoUDP messages use this timer, which starts after the client is initially validated. The default value
of the status-query timer is 300 seconds (5 minutes).
The timer resets when the host is reauthenticated. When the timer expires, the switch checks the host
posture validation by sending a Status-Query message to the host. If the host sends a message to the
switch that the posture has changed, the switch revalidates the posture of the host.
NAC Layer 2 IP Validation and Redundant Supervisor Engines
On Catalyst 6500 series switches with redundant supervisor engines, when RPR mode redundancy is
configured, a switchover causes the loss of all information about currently postured hosts. When SSO
mode redundancy is configured, a switchover triggers a reposturing of all currently postured hosts.
Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
41-10
If the value of the Termination-Action RADIUS attribute is the default, the session ends.
If the switch gets a value for the Termination-Action attribute other than the default, the EAPoUDP
session and the current access policy remain in effect during posture revalidation.
If the value of the Termination-Action attribute is RADIUS, the switch revalidates the client.
If the packet from the server does not include the Termination-Action attribute, the EAPoUDP
session ends.
Chapter 41
Configuring Network Admission Control
OL-11439-03
- Quick Links:
- Product Overview
Hide quick links:
Advertisement
Table of Contents
Related Manuals for Cisco WS-SUP32-GE-3B - Supervisor Engine 32
Related Products for Cisco WS-SUP32-GE-3B - Supervisor Engine 32
- Cisco WAN Modeling Tools
- Cisco WS-SUP720-3B - Supervisor Engine 720
- Cisco WS-SVC-AGM-1-K9= - Anomaly Guard Module
- Cisco WS-SVC-CMM-ACT-RF - Conferencing And Transcoding Port Adapter Voice DSP Module
- Cisco WS-SVC-ADM-1-K9= - Traffic Anomaly Detector Module
- Cisco WS-SVC-FWM-1-K9= - Firewall Service Module
- Cisco WS-SVC-IDS2-BUN-K9 - Intrusion Detection Sys Module 2
- Cisco WS-SVC-IPSEC-1= - IPSec VPN Services Module