Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual page 708

Software configuration guide

Configuring NAC
To configure NAC AAA down policy, perform this task:
Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# ip admission name rule-name eapoudp event timeout aaa policy identity identity_policy_name
Purpose: Creates a NAC rule and associates an identity policy to be applied to sessions when the AAA server is unreachable.
To remove the rule on the switch, use the no ip admission name rule-name eapoudp event timeout aaa policy identity global configuration command.

Step 3
Command: Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
Purpose: Defines the default port ACL by using a source address and wildcard.
The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Enter deny or permit to specify whether to deny or permit access if conditions are matched.
The source is the source address of the network or host from which the packet is being sent, specified as follows:
- The 32-bit quantity in dotted-decimal format.
- The keyword any as an abbreviation for source and source-wildcard value of 0.0.0.0 255.255.255.255. You do not need to enter a source-wildcard value.
- The keyword host as an abbreviation for source and source-wildcard of source 0.0.0.0.
(Optional) Applies the source-wildcard wildcard bits to the source.
(Optional) Enters log to cause an informational logging message about the packet that matches the entry to be sent to the console.

Step 4
Command: Router(config)# interface interface-id
Purpose: Enters interface configuration mode.

Step 5
Command: Router(config-if)# ip access-group {access-list-number | name} in
Purpose: Controls access to the specified interface.

Step 6
Command: Router(config-if)# ip admission name rule-name
Purpose: Applies the specified IP NAC rule to the interface.
To remove the IP NAC rule that was applied to a specific interface, use the no ip admission rule-name interface configuration command.

Step 7
Command: Router(config-if)# exit
Purpose: Returns to global configuration mode.

Step 8
Command: Router(config)# aaa new-model
Purpose: Enables AAA.

Step 9
Command: Router(config)# aaa authentication eou default group radius
Purpose: Sets authentication methods for EAPoUDP.
To remove the EAPoUDP authentication methods, use the no aaa authentication eou default global configuration command.

Step 10
Command: Router(config)# aaa authorization network default local
Purpose: Sets the authorization method to local. To remove the authorization method, use the no aaa authorization network default local command.

Step 11
Command: Router(config)# ip device tracking
Purpose: Enables the IP device tracking table.
To disable the IP device tracking table, use the no ip device tracking global configuration command.

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
41-18
Chapter 41
Configuring Network Admission Control
OL-11439-03
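
The following check is an added example, not part of the Cisco guide: it reads a saved running-config and reports which parts of the procedure above are missing, so that a gap in the AAA down policy is found before the AAA server becomes unreachable. The function name audit_aaa_down, the sample configuration and every name in it (NAC_RULE, LEGACY_RULE, AAA_DOWN_POLICY, access list 10, the interface names) are constructed, and the check assumes the interface command may be stored as either ip admission rule-name or ip admission name rule-name.

```python
import re

# Constructed running-config excerpt; rule, policy, ACL and interface names are made up.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication eou default group radius
aaa authorization network default local
ip admission name NAC_RULE eapoudp event timeout aaa policy identity AAA_DOWN_POLICY
ip admission name LEGACY_RULE eapoudp
ip device tracking
access-list 10 permit 10.1.1.0 0.0.0.255
interface GigabitEthernet2/1
 ip access-group 10 in
 ip admission NAC_RULE
!
interface GigabitEthernet2/2
 ip admission LEGACY_RULE
!
"""

REQUIRED_GLOBALS = (  # Steps 8 to 11
    "aaa new-model", "aaa authentication eou default group radius",
    "aaa authorization network default local", "ip device tracking",
)
DOWN_RULE = re.compile(r"^ip admission name (\S+) eapoudp event timeout aaa policy identity (\S+)", re.M)
INTERFACE = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)

def audit_aaa_down(config):
    """Return a list of findings; an empty list means every step is present."""
    findings = []
    top_level = {ln.rstrip() for ln in config.splitlines() if ln[:1] not in ("", " ")}
    findings += [f"missing global command: {c}" for c in REQUIRED_GLOBALS if c not in top_level]
    down_rules = {rule for rule, _policy in DOWN_RULE.findall(config)}      # Step 2
    numbered_acls = set(re.findall(r"^access-list (\d+) ", config, re.M))  # Step 3
    for ifname, body in INTERFACE.findall(config):
        applied = re.search(r"^ ip admission (?:name )?(\S+)", body, re.M)  # Step 6
        if not applied:
            continue  # NAC is not enabled on this interface
        if applied.group(1) not in down_rules:
            findings.append(f"{ifname}: rule {applied.group(1)} has no AAA down policy")
        acl = re.search(r"^ ip access-group (\S+) in$", body, re.M)         # Step 5
        if not acl:
            findings.append(f"{ifname}: no inbound default port ACL")
        elif acl.group(1).isdigit() and acl.group(1) not in numbered_acls:
            findings.append(f"{ifname}: access-list {acl.group(1)} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_aaa_down(SAMPLE_CONFIG)))
```

On the constructed sample, GigabitEthernet2/1 passes and GigabitEthernet2/2 is reported twice: its rule carries no AAA down policy and it has no inbound default port ACL.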

This manual is also suitable for:

Catalyst supervisor engine 32 pisa
