Step 1
|
enable
|
Enables privileged EXEC mode.
Enter your password, if prompted.
|
Step 2
|
configure terminal
Device# configure terminal
|
Enters global configuration mode.
|
Step 3
|
policy-map type control subscriber control-policy-name
Device(config)# policy-map type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
|
Defines a control policy for subscriber sessions.
|
Step 4
|
event event-name [match-all | match-first]
Device(config-event-control-policymap)# event session-started match-all
|
Specifies the type of event that triggers actions in a control policy if conditions are met.
- match-all is the default behavior.
- To display the available event types, use the question mark (?) online help function. For a complete description of event types, see the event command.
|
Step 5
|
priority-number class {control-class-name | always} [do-all | do-until-failure | do-until-success]
Device(config-class-control-policymap)# 10 class always do-until-failure
|
Associates a control class with one or more actions in a control policy.
|
Step 6
|
action-number activate {policy type control subscriber control-policy-name [child [no-propagation | concurrent]] | service-template template-name [aaa-list list-name] [precedence number] [replace-all]}
Device(config-action-control-policymap)# 10 activate service-template DefaultCriticalAuthVlan_SRV_TEMPLATE
|
(Optional) Activates a control policy or service template on a subscriber session.
|
Step 7
|
action-number authenticate using {dot1x | mab | webauth} [aaa {authc-list authc-list-name | authz-list authz-list-name}] [merge] [parameter-map map-name] [priority priority-number] [replace | replace-all] [retries number {retry-time seconds}]
Device(config-action-control-policymap)# 20 authenticate using dot1x retries 2 retry-time 0 priority 10
|
(Optional) Initiates the authentication of a subscriber session using the specified method.
|
Step 8
|
action-number authentication-restart seconds
Device(config-action-control-policymap)# 20 authentication-restart 60
|
(Optional) Sets a timer to restart the authentication process after an authentication or authorization failure.
|
Step 9
|
action-number authorize
Device(config-action-control-policymap)# 30 authorize
|
(Optional) Initiates the authorization of a subscriber session.
|
Step 10
|
action-number clear-authenticated-data-hosts-on-port
Device(config-action-control-policymap)# 20 clear-authenticated-data-hosts-on-port
|
(Optional) Clears authenticated data hosts on a port after an authentication failure.
|
Step 11
|
action-number clear-session
Device(config-action-control-policymap)# 10 clear-session
|
(Optional) Clears an active subscriber session.
|
Step 12
|
action-number deactivate {policy type control subscriber control-policy-name | service-template template-name}
Device(config-action-control-policymap)# 20 deactivate service-template
|
(Optional) Deactivates a control policy or service template on a subscriber session.
|
Step 13
|
action-number err-disable
Device(config-action-control-policymap)# 10 err-disable
|
(Optional) Temporarily disables a port after a session violation event.
|
Step 14
|
action-number pause reauthentication
Device(config-action-control-policymap)# 40 pause reauthentication
|
(Optional) Pauses reauthentication after an authentication failure.
|
Step 15
|
action-number protect
Device(config-action-control-policymap)# 10 protect
|
(Optional) Silently drops violating packets after a session violation event.
|
Step 16
|
action-number replace
Device(config-action-control-policymap)# 10 replace
|
(Optional) Clears the existing session and creates a new session after a violation event.
|
Step 17
|
action-number restrict
Device(config-action-control-policymap)# 10 restrict
|
(Optional) Drops violating packets and generates a syslog entry after a session violation event.
|
Step 18
|
action-number resume reauthentication
Device(config-action-control-policymap)# 10 resume reauthentication
|
(Optional) Resumes the reauthentication process after an authentication failure.
|
Step 19
|
action-number set-timer timer-name seconds
Device(config-action-control-policymap)# 20 set-timer RESTART 60
|
(Optional) Starts a named policy timer.
|
Step 20
|
action-number terminate {dot1x | mab | webauth}
Device(config-action-control-policymap)# 10 terminate mab
|
(Optional) Terminates an authentication method on a subscriber session.
|
Step 21
|
action-number unauthorize
Device(config-action-control-policymap)# 20 unauthorize
|
(Optional) Removes all authorization data from a subscriber session.
|
Step 22
|
end
Device(config-action-control-policymap)# end
|
(Optional) Exits control policy-map action configuration mode and returns to privileged EXEC mode.
|
Step 23
|
show policy-map type control subscriber {all | name control-policy-name}
Device# show policy-map type control subscriber name PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
|
(Optional) Displays information about identity control policies.
|
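The steps above, assembled into one coherent control policy that shows how events, classes and numbered actions nest. This is an added example, not part of the original procedure. The policy name EXAMPLE_DOT1X_POLICY is constructed, and the event names authentication-failure and violation are assumptions not listed on this page, so confirm them with `event ?` on your release.

```cisco
! Added example. EXAMPLE_DOT1X_POLICY is a constructed name.
! Assumption: the authentication-failure and violation event types are
! available on your release (check with "event ?").
configure terminal
 policy-map type control subscriber EXAMPLE_DOT1X_POLICY
  ! New session on the port: start 802.1X authentication.
  event session-started match-all
   10 class always do-until-failure
    10 authenticate using dot1x retries 2 retry-time 0 priority 10
  ! Authentication failed: stop the running methods, then restart
  ! the whole authentication process after 60 seconds.
  event authentication-failure match-first
   10 class always do-until-failure
    10 terminate dot1x
    20 terminate mab
    30 authentication-restart 60
  ! Session violation: drop the violating packets and write a syslog entry.
  event violation match-all
   10 class always do-until-failure
    10 restrict
 end
! Confirm that the events, classes and actions were stored as intended.
show policy-map type control subscriber name EXAMPLE_DOT1X_POLICY
```

Because every class here uses do-until-failure, the actions under it run in ascending action-number order and stop at the first one that fails, so the numbering decides which action runs first.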