THE ACS works in conjunction with a switch. The ACS, in essence, implements its policies using the switch. The user defines VLANs with specific names and assigns specific ports. Traffic then flows through the switch based on the disposition of the traffic by the ACS and PVS.
Note: Beginning in Intel AMT Release 9.0, NAC is no longer supported.
The following script was used to configure a Cisco Catalyst 3750 switch. The DHCP server must be configured with the same VLAN and gateway values as the switch.
Here are the general switch command formats (values you must supply are shown in angle brackets):
Configure the switch with the ACS address:
radius-server host <ACS address> auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server retransmit 1
radius-server deadtime 1
radius-server key cisco123
radius-server vsa send authentication
Configure the switch with the DHCP address:
ip dhcp snooping
ip dhcp-server <DHCP address>
Configure VLANs. Note that the VLAN names have specific meanings to the NAC: "pass", "remediation", "infected", "checkup", and "unknown" are all dispositions of the NAC server.
vlan internal allocation policy ascending
!
vlan 2
name pass
!
interface Vlan2
ip address <Gateway address> 255.255.255.0
ip helper-address <DHCP address>
Configure ports to support 802.1X:
interface GigabitEthernet1/0/<Port>
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period <Timeout Rate>
dot1x reauthentication
spanning-tree portfast
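The command formats above, and the example session that follows, describe one configuration pattern: a RADIUS (ACS) host, a DHCP helper on every disposition VLAN's interface, and 802.1X on each access port. The script below is an added example, not code from the Intel SDK page or from Cisco. It renders those commands from a parameter set (the same IOS commands the page lists, plus the global AAA and dot1x system-auth-control lines the example session shows, without which per-port dot1x commands are inert), and then checks any IOS-style listing, including the unindented example session on this page, against the constraints the page states: every VLAN name is a NAC disposition and all five are present, every VLAN interface has an ip helper-address pointing at the DHCP server, a RADIUS host exists, and dot1x is enabled globally. The parameter values (addresses, ports, timeouts, the radius_key placeholder) are constructed for the example.

```python
# Added example (not code from the Intel SDK page or from Cisco): render the
# NAC switch commands listed above from a parameter set, then check the result
# against the constraints the page states. Parameter values are constructed.
from dataclasses import dataclass

# VLAN names carry meaning to the NAC server: they must be its dispositions.
NAC_DISPOSITIONS = ("pass", "remediation", "infected", "checkup", "unknown")

# Global lines from the example session; without dot1x system-auth-control the
# per-port "dot1x port-control auto" commands do nothing.
GLOBAL_8021X = ["aaa new-model",
                "aaa authentication dot1x default group radius",
                "aaa authorization network default group radius",
                "dot1x system-auth-control"]


@dataclass
class NacSwitchParams:
    acs_address: str   # RADIUS server (the ACS)
    dhcp_address: str  # DHCP server; also the ip helper-address target
    radius_key: str    # RADIUS shared secret (placeholder here)
    vlans: dict        # {vlan id: (disposition name, SVI gateway address)}
    ports: dict        # {port number on GigabitEthernet1/0/: reauth seconds}


def render_config(p: NacSwitchParams) -> str:
    """Emit the switch commands in the order the page presents them."""
    out = GLOBAL_8021X + [
        f"radius-server host {p.acs_address} auth-port 1645 acct-port 1646",
        "radius-server source-ports 1645-1646", "radius-server retransmit 1",
        "radius-server deadtime 1", f"radius-server key {p.radius_key}",
        "radius-server vsa send authentication", "ip dhcp snooping",
        f"ip dhcp-server {p.dhcp_address}", "vlan internal allocation policy ascending"]
    for vid, (name, _) in p.vlans.items():
        out += ["!", f"vlan {vid}", f" name {name}"]
    for vid, (_, gateway) in p.vlans.items():
        out += ["!", f"interface Vlan{vid}", f" ip address {gateway} 255.255.255.0",
                f" ip helper-address {p.dhcp_address}"]
    for port, reauth in p.ports.items():
        out += ["!", f"interface GigabitEthernet1/0/{port}", " switchport mode access",
                " dot1x port-control auto", f" dot1x timeout reauth-period {reauth}",
                " dot1x reauthentication", " spanning-tree portfast"]
    return "\n".join(out + ["!", "end"]) + "\n"


def is_header(line: str) -> bool:
    """interface, line and numbered vlan commands open a sub-mode block."""
    w = line.split()
    return line.startswith(("interface ", "line ")) or (len(w) > 1 and w[0] == "vlan" and w[1].isdigit())


def parse_blocks(text: str) -> list:
    """Split an IOS listing into (header, [sub-commands]) pairs. A '!' or the
    next header closes a block, so an unindented listing parses as well."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "end":
            continue
        if line.startswith("!"):
            current = None
        elif is_header(line):
            current = (line, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def check_config(text: str, dhcp_address: str) -> list:
    """Return the problems found; empty means the listing meets the page's rules."""
    blocks = parse_blocks(text)
    top = {h for h, subs in blocks if not subs}
    problems, names = [], set()
    if "dot1x system-auth-control" not in top:
        problems.append("802.1X not enabled globally (dot1x system-auth-control)")
    if not any(h.startswith("radius-server host ") for h in top):
        problems.append("no radius-server host (ACS address) configured")
    for header, subs in blocks:
        if header.startswith("vlan "):
            names.update(s.split(None, 1)[1] for s in subs if s.startswith("name "))
        elif header.startswith("interface Vlan"):
            helpers = [s.split()[-1] for s in subs if s.startswith("ip helper-address")]
            if dhcp_address not in helpers:
                problems.append(f"{header}: no ip helper-address for DHCP server {dhcp_address}")
        elif header.startswith("interface ") and "dot1x port-control auto" in subs:
            if "switchport mode access" not in subs:
                problems.append(f"{header}: dot1x port-control auto on a non-access port")
    for disp in NAC_DISPOSITIONS:
        if disp not in names:
            problems.append(f"no VLAN named '{disp}' (a NAC disposition)")
    for extra in sorted(names - set(NAC_DISPOSITIONS)):
        problems.append(f"VLAN name '{extra}' is not a NAC disposition")
    return problems


# Constructed parameters; the addressing mirrors the example session's layout.
EXAMPLE = NacSwitchParams(
    acs_address="10.0.1.1", dhcp_address="10.0.1.3", radius_key="REPLACE-ME",
    vlans={2: ("pass", "10.0.0.254"), 3: ("remediation", "10.0.2.254"),
           4: ("infected", "10.0.3.254"), 5: ("checkup", "10.0.4.254"),
           6: ("unknown", "10.0.5.254")},
    ports={1: 2, 2: 8, 24: 3600})
```

Run `check_config(render_config(EXAMPLE), EXAMPLE.dhcp_address)` to confirm the rendered configuration is clean; paste a `show running-config` listing into `check_config` to find a VLAN whose name is not a NAC disposition (the NAC server would never place a client in it) or a VLAN interface whose helper address does not reach the DHCP server (clients on that VLAN would not get a lease).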
The following is an example of a switch configuration session.
Current configuration : 4374 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Catalyst3750
!
enable secret 5 $1$ycvB$OpLPqJsQdvZ4D/7fCu2oF0
enable password Cisco
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
switch 1 provision ws-c3750g-24t
vtp domain ella_domain
vtp mode transparent
ip subnet-zero
ip routing
no ip dhcp conflict logging
!
!
!
!
dot1x system-auth-control
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name pass
!
vlan 3
name remediation
!
vlan 4
name infected
!
vlan 5
name checkup
!
vlan 6
name unknown
!
!
interface GigabitEthernet1/0/1
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 2
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 8
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 20
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 2000
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 3000
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 3000
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 4000
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 4000
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 5000
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 5000
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 6000
dot1x reauthentication
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport mode access
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
switchport mode access
!
interface GigabitEthernet1/0/15
switchport mode access
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
switchport access vlan 2
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface Vlan1
ip address 10.0.1.254 255.255.255.0
ip helper-address 10.0.1.3
!
interface Vlan2
ip address 10.0.0.254 255.255.255.0
ip helper-address 10.0.1.3
!
interface Vlan3
ip address 10.0.2.254 255.255.255.0
ip helper-address 10.0.1.3
!
interface Vlan4
ip address 10.0.3.254 255.255.255.0
ip helper-address 10.0.1.3
!
interface Vlan5
ip address 10.0.4.254 255.255.255.0
ip helper-address 10.0.1.3
!
interface Vlan6
ip address 10.0.5.254 255.255.255.0
ip helper-address 10.0.1.3
!
ip classless
ip http server
ip http secure-server
!
!
!
arp access-list all
radius-server host 10.0.1.1 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server retransmit 1
radius-server deadtime 1
radius-server key cisco123
radius-server vsa send authentication
!
control-plane
!
!
line con 0
exec-timeout 0 0
password Intel2006
line vty 0 4
password cisco
line vty 5 15
password cisco
!
!
monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/23 encapsulation replicate
!
end
Copyright © 2006-2022, Intel Corporation. All rights reserved.