
Configuring the Switch

The ACS works in conjunction with a switch; in essence, the ACS enforces its policies through the switch. The administrator defines VLANs with the names the NAC expects and assigns ports to them. Traffic then flows through the switch according to the disposition that the ACS and PVS assign to the endpoint.

Note: Beginning in Intel AMT Release 9.0, NAC is no longer supported.

The following script was used to configure a Cisco Catalyst 3750 switch. The DHCP server must be configured with the same VLAN and gateway values as the switch.

Here are the general switch command formats (items in angle brackets are placeholders for site-specific values):

Configure the switch with the ACS address:

radius-server host <ACS address> auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server retransmit 1
radius-server deadtime 1
radius-server key cisco123
radius-server vsa send authentication

Configure the switch with the DHCP server address:

ip dhcp snooping
ip dhcp-server <DHCP address>

Configure VLANs. Note that the VLAN names have specific meanings to the NAC: “pass”, “remediation”, “infected”, “checkup”, and “unknown” are all dispositions of the NAC server.

vlan internal allocation policy ascending
!
vlan 2
 name pass
!
interface Vlan2
 ip address <Gateway address> 255.255.255.0
 ip helper-address <DHCP address>

Configure ports to support 802.1X:

interface GigabitEthernet1/0/<Port>
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period <Timeout Rate>
 dot1x reauthentication
 spanning-tree portfast

The following is an example of a switch configuration session (running configuration of the Catalyst 3750 used above; addresses, keys and passwords are those of the lab setup).

Current configuration : 4374 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Catalyst3750
!
enable secret 5 $1$ycvB$OpLPqJsQdvZ4D/7fCu2oF0
enable password Cisco
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
switch 1 provision ws-c3750g-24t
vtp domain ella_domain
vtp mode transparent
ip subnet-zero
ip routing
no ip dhcp conflict logging
!
!
!
!
dot1x system-auth-control
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
 name pass
!
vlan 3
 name remediation
!
vlan 4
 name infected
!
vlan 5
 name checkup
!
vlan 6
 name unknown
!
!
interface GigabitEthernet1/0/1
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 2
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 8
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 20
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 2000
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 3000
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 3000
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 4000
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 4000
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 5000
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 5000
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 6000
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport mode access
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
 switchport mode access
!
interface GigabitEthernet1/0/15
 switchport mode access
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
 switchport access vlan 2
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface Vlan1
 ip address 10.0.1.254 255.255.255.0
 ip helper-address 10.0.1.3
!
interface Vlan2
 ip address 10.0.0.254 255.255.255.0
 ip helper-address 10.0.1.3
!
interface Vlan3
 ip address 10.0.2.254 255.255.255.0
 ip helper-address 10.0.1.3
!
interface Vlan4
 ip address 10.0.3.254 255.255.255.0
 ip helper-address 10.0.1.3
!
interface Vlan5
 ip address 10.0.4.254 255.255.255.0
 ip helper-address 10.0.1.3
!
interface Vlan6
 ip address 10.0.5.254 255.255.255.0
 ip helper-address 10.0.1.3
!
ip classless
ip http server
ip http secure-server
!
!
!
arp access-list all
radius-server host 10.0.1.1 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server retransmit 1
radius-server deadtime 1
radius-server key cisco123
radius-server vsa send authentication
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password Intel2006
line vty 0 4
 password cisco
line vty 5 15
 password cisco
!
!
monitor session 1 source interface Gi1/0/1
monitor session 1 destination interface Gi1/0/23 encapsulation replicate
!
end
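The general command formats and the example listing above define what a NAC-ready switch configuration must contain: the RADIUS (ACS) host and AAA commands, the five disposition VLANs, an SVI per VLAN whose helper-address points at the DHCP server, and 802.1X access ports with periodic reauthentication. The following is an added example, not code from the Intel SDK or from Cisco: a small Python audit that parses a saved IOS running-config and reports what is missing or weak. The sample configuration embedded in it is constructed (an abbreviated cut of the page's listing, with VLANs 5 and 6 left out on purpose so that the checks fire); the 60-second threshold for "very short" reauth-period values and the wording of the findings are this example's own assumptions.

```python
import re

# Constructed sample: an abbreviated cut of the Catalyst 3750 listing above,
# with the "checkup" and "unknown" VLANs and the Vlan4 SVI deliberately omitted.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
no service password-encryption
dot1x system-auth-control
!
vlan 2
 name pass
!
vlan 3
 name remediation
!
vlan 4
 name infected
!
interface GigabitEthernet1/0/1
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 2
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport access vlan 2
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface Vlan2
 ip address 10.0.0.254 255.255.255.0
 ip helper-address 10.0.1.3
!
interface Vlan3
 ip address 10.0.2.254 255.255.255.0
 ip helper-address 10.0.1.3
!
radius-server host 10.0.1.1 auth-port 1645 acct-port 1646
radius-server key cisco123
end
"""

# VLAN names the NAC server uses as endpoint dispositions (from the page).
NAC_VLAN_NAMES = {"pass", "remediation", "infected", "checkup", "unknown"}

REQUIRED_GLOBALS = ("aaa new-model",
                    "aaa authentication dot1x default group radius",
                    "aaa authorization network default group radius",
                    "dot1x system-auth-control")

MIN_REAUTH_SECONDS = 60  # assumption for this example; IOS default is 3600 s


def parse_ios(text):
    """Split an IOS config into top-level lines and their indented sub-commands.
    Returns (top_level: list[str], sections: dict[header -> list[str]])."""
    top_level, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # "!" ends the current section
            current = None
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
            top_level.append(current)
    return top_level, sections


def svi_table(text):
    """VLAN id -> (gateway address, helper addresses) from the SVIs, for
    cross-checking against the DHCP server's scope definitions."""
    _, sections = parse_ios(text)
    table = {}
    for header, body in sections.items():
        m = re.fullmatch(r"interface Vlan(\d+)", header)
        if not m:
            continue
        gw = next((b.split()[2] for b in body if b.startswith("ip address ")), None)
        helpers = [b.split()[-1] for b in body if b.startswith("ip helper-address ")]
        table[int(m.group(1))] = (gw, helpers)
    return table


def audit_nac_switch(text, dhcp_server):
    """Return a list of finding strings; an empty list means the config passes."""
    top_level, sections = parse_ios(text)
    present = set(top_level)
    findings = [f"missing global: {g}" for g in REQUIRED_GLOBALS if g not in present]
    if not any(g.startswith("radius-server host ") for g in top_level):
        findings.append("no radius-server host (ACS) configured")
    # Disposition VLANs: every name the NAC can return must exist on the switch.
    vlan_ids = {}
    for header, body in sections.items():
        m = re.fullmatch(r"vlan (\d+)", header)
        if m:
            for b in body:
                if b.startswith("name "):
                    vlan_ids[b[5:]] = int(m.group(1))
    findings += [f"NAC VLAN '{n}' not defined" for n in sorted(NAC_VLAN_NAMES - set(vlan_ids))]
    # Each disposition VLAN needs an SVI relaying DHCP to the same server the switch uses.
    for name, vid in vlan_ids.items():
        if name not in NAC_VLAN_NAMES:
            continue
        body = sections.get(f"interface Vlan{vid}")
        if body is None:
            findings.append(f"VLAN {vid} ({name}) has no SVI")
        elif dhcp_server not in [b.split()[-1] for b in body if b.startswith("ip helper-address ")]:
            findings.append(f"interface Vlan{vid} ({name}) helper-address does not point at {dhcp_server}")
    # 802.1X ports: reauthentication is what lets a changed posture move the port.
    for header, body in sections.items():
        if not header.startswith("interface GigabitEthernet") or "dot1x port-control auto" not in body:
            continue
        for b in body:
            m = re.fullmatch(r"dot1x timeout reauth-period (\d+)", b)
            if m and int(m.group(1)) < MIN_REAUTH_SECONDS:
                findings.append(f"{header}: reauth-period {m.group(1)}s is very short")
        if "dot1x reauthentication" not in body:
            findings.append(f"{header}: 802.1X enabled but periodic reauthentication is off")
    if "no service password-encryption" in present:
        findings.append("no service password-encryption: credentials stored in clear text")
    return findings


if __name__ == "__main__":
    for finding in audit_nac_switch(SAMPLE_CONFIG, "10.0.1.3"):
        print(finding)
```

Run against the real listing on this page, the audit would pass the VLAN and SVI checks, flag the 2-, 8- and 20-second reauth periods on the first three ports and the missing `dot1x reauthentication` on port 24, and point out `no service password-encryption`. The `svi_table` output is the set of gateway and helper values that the DHCP server's scopes must match, as the text above requires.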

Copyright © 2006-2022, Intel Corporation. All rights reserved.