Cisco Wired Layer 2 Integration(IE2000)
Note – In this example, a Cisco IE-2000-4TS-B configuration is provided. However, any Cisco IE Layer 2 switch supporting the following features are eligible for integration:
- RADIUS Authentication/Accounting
- 802.1X
- MAC Authentication Bypass (MAB)
- RADIUS Change of Authorization (CoA)
- Cisco-AVPair “url-redirect”
- Cisco-AVPair “url-redirect-acl”
Note – In this example the NAC RADIUS Server / Policy Server is 10.10.10.10 (replace this IP with the IP of your NAC system)
Note – Replace the VLAN number on the example port configuration with the desired default VLAN for the port.
Note – The “radius-server vsa send authentication” command is enabled by default and auto-generated on some IOS
versions. If the command does not show up in a sh run, “sh run all” can be used to verify that it is configured on the
switch.
Layer 3 DHCP prerequisites
interface vlanX (Layer 3 interface for enforced network)ip helper-address X.X.X.X (DHCP server)ip helper-address X.X.X.X (IP address of NAC Enforcer)!EndLayer 2 Switch Configuration
x
aaa new-modelaaa authentication dot1x default group radiusaaa authorization network default local group radiusaaa accounting dot1x default start-stop group radiusaaa session-id commonaaa accounting update newinfo periodic 10!aaa server radius dynamic-authorclient 10.10.10.10 server-key XXXXXport 3799auth-type any!dot1x system-auth-controlip device tracking!interface GigabitEthernetX/X/X (replace with interface number)description NAC User Test Portswitchport access vlan X (replace with desired default VLAN for port)switchport mode accessip access-group sc_initial_acl inauthentication port-control automabdot1x pae authenticator (only required if endpoints are configured for 802.1X)dot1x timeout tx-period 15dot1x max-reauth-req 1authentication host-mode multi-auth!ip http serverip http secure-serverip radius source-interface X (Layer 3 management interface)!ip access-list extended sc_initial_aclpermit ip any any!ip access-list extended sc_quarantine_aclremark allow dns and dhcpdeny udp any any eq domaindeny udp any any eq bootpsremark do not redirect web traffic destined for NAC appliancedeny tcp any host 10.10.10.10 eq wwwdeny tcp any host 10.10.10.10 eq 443deny tcp any host 10.10.10.10 eq 8443deny tcp any host 198.31.193.211 eq wwwdeny tcp any host 198.31.193.211 eq 443deny tcp any host 198.31.193.211 eq 8443remark do not redirect web traffic destined for the redirect URLwww.customerwebsite.com (replace x’s below with website address)deny tcp any host x.x.x.x eq wwwdeny tcp any host x.x.x.x eq 443deny tcp any host x.x.x.x eq 8443permit ip any any (redirect all other traffic)!radius-server NAC address 10.10.10.10 auth-port 1812 acct-port 1813 key XXXXXradius-server vsa send authentication!EndExamples of other types of ACL exceptions (if required):remark allow PXE bootdeny udp any host x.x.x.x eq tftpdeny udp any host x.x.x.x range 1025 5000remark allow authentication to domain controllerdeny tcp any host x.x.x.x eq 53deny udp any host x.x.x.x eq 53deny tcp any host x.x.x.x eq 88deny udp any host x.x.x.x eq 88deny udp any host x.x.x.x eq 123deny tcp any host x.x.x.x eq 135deny udp any host x.x.x.x eq 137deny tcp any host x.x.x.x eq 139deny tcp any host x.x.x.x eq 389deny udp any host x.x.x.x eq 389deny tcp any host x.x.x.x eq 445deny udp any host x.x.x.x eq 445deny tcp any host x.x.x.x eq 3268Was this page helpful?