Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 113

Chapter 3
Configuring Router and Switch Devices
Cisco Router Devices

To enable the NAC-specific data on a Cisco router, enter the following commands:

Router(config)#eou allow ip-station-id
Router(config)#eou logging

For more information on these commands and related commands, see the Network Admission Control feature document at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008021650d.html

Cisco Switches

NAC Phase II enables Cisco switches to act as network access devices. To support this new feature, you must configure the Cisco switch to initiate 802.1x authentication when the link state changes from down to up, and periodically if the port remains up but unauthenticated. NAC requires that hosts use 802.1x supplicants, or clients, to authenticate to the Cisco Secure ACS server before gaining access to network services. Enabling the 802.1x messages on your network helps you troubleshoot supplicant failures because every connection attempt, successful or not, is logged and can be analyzed.

Configuring the Cisco switch to act as a proxy between the Cisco Secure ACS server and the 802.1x supplicants is a multi-step process. First, the switch must be defined as a AAA client (RADIUS) in the Cisco Secure ACS server. For information on defining a AAA client, see Define AAA Clients, page 14-5. Second, the switch must be configured to use a RADIUS server. Then, you must enable the following features on each interface installed in the switch:

• 802.1X port-based authentication. The device requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the system by using the client's MAC address.

• 802.1x reauthentication. The device re-authenticates the supplicants after the reauthentication timeout value is reached, which is 3600 seconds by default.

• 802.1x accounting. The device logs authentication successes and failures, as well as link down events and users logging off. The switch publishes these audit records to the Cisco Secure ACS server for logging.

• DHCP snooping. The device filters DHCP messages arriving on untrusted ports, safeguarding against spoofed DHCP servers, and builds a binding table of MAC address, IP address, VLAN and port for each lease it observes. This feature ensures that MARS receives reliable data and identifies the port number of the 802.1x supplicant.

The following URLs detail how to configure these features:

Dot1x and RADIUS Server
IOS Software:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sec/3750scg/sw8021x.htm
CatOS Software:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_4/confg_gd/8021x.htm

DHCP Snooping
IOS Software:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sec/3750scg/swdhcp82.htm
CatOS Software:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_4/confg_gd/dhcp.htm
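The following is an added example, not taken from the Cisco user guide, of an IOS configuration that carries out the switch-side steps described above (RADIUS server definition, 802.1x port authentication with reauthentication and accounting, DHCP snooping) on a Catalyst switch of the 12.2(25)SE generation that the linked guides cover, and that forwards the resulting syslog messages to the MARS appliance. The ACS address 10.1.1.10, the shared secret, the MARS address 10.1.1.20, VLAN 10 and the interface names are assumptions; the switch is assumed to have already been added to ACS as a RADIUS AAA client (the first step above). Command syntax differs between IOS releases, and CatOS uses a different command set entirely, so verify against the guides linked above.

```cisco
! Step 2: make the switch a RADIUS client of the Cisco Secure ACS server.
! Addresses and the shared secret are assumed values for this example.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! 802.1x accounting: start/stop records for every session are sent to ACS
aaa accounting dot1x default start-stop group radius
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key ACSsharedSecret
!
! Enable 802.1x globally; the per-interface commands have no effect without this
dot1x system-auth-control
!
! DHCP snooping: enable globally and on the access VLAN. Only the uplink toward the
! DHCP server is trusted, so DHCP server replies arriving on access ports are dropped
! and the binding table (MAC, IP, VLAN, port) is built from legitimate leases only.
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet1/0/1
 description uplink toward DHCP server (assumed)
 ip dhcp snooping trust
!
! Access port: authenticate when the link comes up, re-authenticate every 3600 s
! (the default, written out here so it is visible), leave DHCP snooping untrusted.
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout reauth-period 3600
!
! Forward 802.1x and DHCP snooping syslog messages to the MARS appliance (address assumed)
logging 10.1.1.20
logging trap informational
```

After applying the configuration, check that a supplicant actually authenticated with show dot1x interface FastEthernet1/0/1, that the switch reached ACS with show radius statistics, and that the lease the host obtained is recorded with show ip dhcp snooping binding. If the binding table stays empty while clients receive addresses, the DHCP server's uplink is not trusted and replies are being discarded, which also means MARS will not learn the supplicant's port.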
User Guide for Cisco Security MARS Local Controller, 78-17020-01, Cisco Router Devices, page 3-5
This manual is also suitable for: MARS 20, MARS 50, MARS 100, MARS 200.