LAN Port IP CLI Command Examples - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch
Chapter 44
Configuring Network Admission Control

    c. Define other policy statements using policy groups that correspond to the various LAN port IP states, as follows:

       set security acl ip NACACL permit ip group healthy_hosts any
       set security acl ip NACACL deny ip group infected_hosts any
       set security acl ip NACACL permit ip group exception_hosts any
       set security acl ip NACACL permit ip group clientless_hosts host 10.76.39.100

    d. For URL redirection, apply this ACE at an appropriate position:

       set security acl ip NACACL permit url-redirect

Step 5   For clientless nonresponsive hosts (NRH hosts), enable the clientless functionality by entering the set eou allow clientless enable command.

Step 6   Define a policy for NRH hosts. The specified groups should also be present in the ACL that is defined in the previous steps:

         set policy name exception_policy group exception_hosts

Step 7   Specify an exception host and assign the policy by entering the set eou authorize ip 77.0.0.90 policy exception_policy command.

Step 8   Configure the RADIUS server. For RADIUS server configuration details, refer to the Implementing Network Admission Control Phase One Configuration and Deployment publication at this URL:

         http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf

         Ensure that the policy groups that are used in the ACLs are configured with the posture-token VSA, such as 26/9/1 sec:pg=healthy_hosts.

         Note: If you define a policy group in ACS but the VACL that is mapped to the VLAN does not refer to that group, posture validation fails because the policy installation fails.

Step 9   Ensure that the sc0 interface is configured with a proper IP address by entering these commands:

         set interface {sc0 | sl0 | sc1} {up | down}
         set interface sc0 [vlan] [ip_addr/netmask [broadcast]]

Step 10  Ensure that there is a default router in the VLAN to which the host is connected. If there is no default router, you need a static ARP entry on the host for the sc0 IP address.

Step 11  If the host and the management interface (sc0) are in the same VLAN, and you have a VACL configured for that VLAN, you should configure an ACE that allows traffic from the switch IP address to the RADIUS server.

LAN Port IP CLI Command Examples

This section describes how to configure the LAN port IP CLI:

  • Enabling or Disabling LAN Port IP Globally, page 44-10
  • Enabling or Disabling the Bypassing of LAN Port IP Posture Validation for Clientless Hosts, page 44-11
  • Statically Authorizing an IP Address as an Exception Host Device and Applying a Policy to the Device, page 44-11

Configuring Network Admission Control with LAN Port IP
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
44-9
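The note under Step 8 states that posture validation fails when ACS defines a policy group that the VACL mapped to the VLAN does not reference. The Python script below is an added example, not part of the Cisco guide: it parses the CatOS commands shown on this page (VACL ACEs, set policy, set eou authorize) together with a constructed list of ACS posture-token VSA values in the 26/9/1 sec:pg=<group> form, and reports every group or policy reference that does not line up. The sample configuration text, the VSA list (which deliberately includes an unreferenced quarantine_hosts group) and the function names are constructed for this example and are not from the guide or from ACS.

```python
"""Cross-check NAC policy-group references between the CatOS VACL, the
set policy definitions, the exception-host authorizations and the ACS
posture-token VSA values. Added example; not from the Cisco guide."""
import re

# Constructed sample built from the CatOS commands in the procedure above.
CATOS_CONFIG = """
set security acl ip NACACL permit ip group healthy_hosts any
set security acl ip NACACL deny ip group infected_hosts any
set security acl ip NACACL permit ip group exception_hosts any
set security acl ip NACACL permit ip group clientless_hosts host 10.76.39.100
set security acl ip NACACL permit url-redirect
set policy name exception_policy group exception_hosts
set eou allow clientless enable
set eou authorize ip 77.0.0.90 policy exception_policy
"""

# Constructed (hypothetical) posture-token VSA values as an administrator might
# export them from ACS. 'quarantine_hosts' is intentionally absent from the VACL
# to reproduce the failure the guide's note describes.
ACS_POSTURE_TOKENS = [
    "26/9/1 sec:pg=healthy_hosts",
    "26/9/1 sec:pg=infected_hosts",
    "26/9/1 sec:pg=quarantine_hosts",
]

# Only ACEs of the form "permit|deny ip group <name> ..." reference a policy
# group; the url-redirect ACE carries no group and is skipped on purpose.
ACE_RE = re.compile(r"^set security acl ip (\S+) (permit|deny) ip group (\S+)")
POLICY_RE = re.compile(r"^set policy name (\S+) group (\S+)\s*$")
AUTHORIZE_RE = re.compile(r"^set eou authorize ip (\S+) policy (\S+)\s*$")
VSA_RE = re.compile(r"^26/9/1 sec:pg=(\S+)$")


def parse_catos(text):
    """Return (acl_groups, policies, exceptions) extracted from CatOS lines.

    acl_groups: ACL name -> set of policy groups its ACEs reference
    policies:   policy name -> policy group
    exceptions: exception host IP -> policy name
    """
    acl_groups, policies, exceptions = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            acl_groups.setdefault(m.group(1), set()).add(m.group(3))
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = AUTHORIZE_RE.match(line)
        if m:
            exceptions[m.group(1)] = m.group(2)
    return acl_groups, policies, exceptions


def parse_vsa_groups(tokens):
    """Return the set of policy groups named by posture-token VSA strings."""
    groups = set()
    for token in tokens:
        m = VSA_RE.match(token.strip())
        if m:
            groups.add(m.group(1))
    return groups


def find_mismatches(config_text, tokens, acl_name):
    """List every reference that would make policy installation fail."""
    acl_groups, policies, exceptions = parse_catos(config_text)
    referenced = acl_groups.get(acl_name, set())
    findings = []
    # Group defined on the ACS side but missing from the VACL (the guide's note).
    for group in sorted(parse_vsa_groups(tokens) - referenced):
        findings.append(f"ACS posture token group '{group}' is not referenced "
                        f"by VACL {acl_name}; posture validation will fail")
    # NRH policy whose group is not in the ACL (Step 6 requirement).
    for name, group in sorted(policies.items()):
        if group not in referenced:
            findings.append(f"policy '{name}' uses group '{group}' which is "
                            f"not referenced by VACL {acl_name}")
    # Exception host bound to a policy that was never defined (Step 7).
    for ip, policy in sorted(exceptions.items()):
        if policy not in policies:
            findings.append(f"exception host {ip} references undefined "
                            f"policy '{policy}'")
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(CATOS_CONFIG, ACS_POSTURE_TOKENS, "NACACL"):
        print("MISMATCH:", finding)
```

Run against the sample, the script reports exactly one mismatch, the quarantine_hosts token that no ACE in NACACL references; adding a matching permit or deny ACE for that group, or removing the token from ACS, clears it. The same check is worth repeating whenever a new posture-token group is added on the ACS side, since the VACL on the switch is the side that silently goes out of date.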

This manual is also suitable for: Catalyst 6506, Catalyst 6509, Catalyst 6513