-
Catalyst 6500 Series Software Configuration Guide, 8.7
-
Index
-
Preface
-
Product Overview
-
Command-Line Interfaces
-
Configuring the Switch IP Address and Default Gateway
-
Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching
-
Configuring Ethernet VLAN Trunks
-
Configuring EtherChannel
-
Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling
-
Configuring Spanning Tree
-
Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard
-
Configuring VTP
-
Configuring VLANs
-
Configuring InterVLAN Routing
-
Configuring CEF for PFC2/PFC3
-
Configuring MLS
-
Configuring Access Control
-
Configuring NDE
-
Configuring GVRP
-
Configuring MVRP
-
Configuring Dynamic Port VLAN Membership with VMPS
-
Checking Status and Connectivity
-
Configuring Online Diagnostics
-
Administering the Switch
-
Configuring Redundancy
-
Configuring NSF with SSO MSFC Redundancy
-
Modifying the Switch Boot Configuration
-
Working with the Flash File System
-
Working with System Software Images
-
Working with Configuration Files
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring CDP
-
Configuring UDLD
-
Configuring DHCP Snooping and IP Source Guard
-
Configuring NTP
-
Configuring Broadcast Suppression
-
Configuring Layer 3 Protocol Filtering
-
Configuring the IP Permit List
-
Configuring Port Security
-
Configuring Switch Access Using AAA
-
Configuring 802.1x Authentication
-
Configuring MAC Authentication Bypass
-
Configuring Web-Based Proxy Authentication
-
Tracking Host Aging
-
Configuring Network Admission Control
-
Configuring Unicast Flood Blocking
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN, RSPAN and the Mini Protocol Analyzer
-
Using Switch TopN Reports
-
Configuring Multicast Services
-
Configuring QoS
-
Configuring Automatic QoS
-
Configuring ASLB
-
Configuring the Switch Fabric Module
-
Configuring a VoIP Network
-
Configuring MSFC IOS Features
-
Acronyms
-
Table Of Contents
Configuring Network Admission Control
Configuring Network Admission Control with LAN Port IP
Understanding How Network Admission Control with LAN Port IP Works
Virus Infections and Their Effect on Networks
How Network Admission Control Works
LAN Port IP Posture Validation Summary
LAN Port IP Hardware and Software Requirements
LAN Port IP Configuration Guidelines and Restrictions
LAN Port IP CLI Command Examples
Enabling or Disabling LAN Port IP Globally
Enabling or Disabling the Bypassing of LAN Port IP Posture Validation for Clientless Hosts
Statically Authorizing an IP Address as an Exception Host Device and Applying a Policy to the Device
Statically Authorizing a MAC Address as an Exception Host Device and Applying a Policy to the Device
Restarting a Host's State Machine
Specifying the CTA Packet Retransmit Time and RADIUS Server Retransmit Time
Enabling or Disabling EOU Logging for LAN Port IP Events
Setting EAPOUDP-Related Timers
Enabling or Disabling EOU RADIUS Accounting
Bypassing, Disabling, or Enabling LAN Port IP on a Per-Port Basis
Initializing LAN Port IP on a Per-Port Basis
Revalidating LAN Port IP on a Per-Port Basis
Redirecting LAN Port IP Control Packets to the Supervisor Engine
Displaying the Global EOU Configuration
Displaying a Summary of the LAN Port IP State on All LAN Port IP-Enabled Ports
Displaying a Summary of the LAN Port IP State on a Per-Port Basis
Displaying Host-Specific Information
Displaying EOU Authentication-Related Information
Displaying the EOU Results on a Posture-Token Basis
Clearing the LAN Port IP Configuration
Clearing All the Host EOU Sessions
Clearing the LAN Port IP Session for a Particular Host
Clearing an IP Address from an Exception Group or Clearing an Exception Group
Clearing EAPOUDP-Related Timers to Their Default Values
Clearing the CTA Packet Retransmit Time
Adding IP Addresses to Existing Policy Groups
Adding a Policy Group to the Policy Template
Clearing an IP Address from a Policy Group
Clearing a Policy Group from a Policy Template
Displaying Policy Group Information
Displaying Policy Templates and Their Associated Policy Groups
Configuring Inaccessible Authentication Bypass
Enabling and Disabling Inaccessible Authentication Bypass
Setting the RADIUS Keepalive Timer
Setting the RADIUS Auto-Initialize Feature
Displaying the Critical Status of Features on a Port
Displaying the AAA Fail Policy on a Port
Displaying RADIUS Server Information
Displaying the MAC Authorization Bypass Settings on a Port
Displaying the Web Authorization Settings on a Port
Displaying the EOU Settings on a Port
Clearing Policy Mapping on a Port
LAN Port IP Configuration Example
LAN Port IP Enhancements in Software Release 8.6(1) and Later Releases
Configuring URL Redirect Support for LAN Port IP Exception Hosts
Configuring LAN Port IP on Private VLAN Ports
Configuring Network Admission Control with LAN Port 802.1X
Understanding How Network Admission Control with LAN Port 802.1X Works
LAN Port 802.1X Enhancements in Software Release 8.6(1) and Later Releases
URL Redirection Support for LAN Port 802.1X
Enabling and Disabling the Session Timeout Override for LAN Port 802.1X
Configuring Network Admission Control
This chapter describes how to configure network admission control (NAC) on the Catalyst 6500 series switches.
Note
For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
Note
Note
Note
Note
This chapter consists of these sections:
•
•
Configuring Network Admission Control with LAN Port IP
These sections describe how to configure NAC with LAN port IP:
•
•
•
•
•
•
•
•
•
Understanding How Network Admission Control with LAN Port IP Works
These sections provide an understanding of LAN port IP:
•
•
Overview
NAC addresses the increased threat and impact of worms and viruses to networked businesses. This feature is part of the Cisco Self-Defending Network Initiative that helps customers identify, prevent, and adapt to security threats.
In its initial phase, NAC enables switches and routers to restrict access privileges from an end point that is attempting to connect to a network. The access can be based on information about the end-point device, such as its current antivirus state (version of antivirus software, virus definitions, and version of scan engine).
NAC systems allow noncompliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources, which keeps insecure nodes from infecting the network.
The key component of the Cisco NAC program is the Cisco Trust Agent (CTA), which resides on an end-point system and communicates with Cisco switches and routers on the network. The CTA collects security state information, such as the type of antivirus software that is used, and communicates this information to Cisco switches and routers. The information is then relayed to a Cisco Secure Access Control Server (ACS) where access control decisions are made. The ACS directs the Cisco switch or router to perform enforcement against the end point.
Virus Infections and Their Effect on Networks
Virus infections are the single largest cause of serious security breaches for networks. Sources of virus infections are insecure end points (for example, PCs, laptops, and servers). Although the end points may have antivirus software installed, the software is often disabled. Even if the software is enabled, the end points may not have the latest virus definitions and scan engines. A larger security risk is from devices that do not have any antivirus software installed.
How Network Admission Control Works
End-point systems, or clients, are hosts on the network, such as PCs, laptops, workstations, and servers. The end-point systems are a potential source of virus infections, and their antivirus states need to be validated before they are granted network access. When an end point attempts an IP connection to a network through an upstream Cisco network access device (Cisco switch or router), the network access device challenges the end point for its antivirus state. The end-point systems run a client called Cisco Trust Agent, which collects antivirus state information from the end device and transports the information to the network access device. This information is then communicated to a Cisco Secure ACS where the antivirus state of the end point is validated and access control decisions are made and returned to network access devices. The network devices either permit, deny, or quarantine the end device. The Cisco Secure ACS may use back-end antivirus vendor-specific servers for evaluating the antivirus state of the end point.
Figure 44-1 shows how Cisco NAC works.
Figure 44-1 Cisco IOS Network Admission Control System
Network Access Device
A network access device (NAD) is a Cisco switch or router (a Layer 3 Extensible Authentication Protocol over UDP [EAPoUDP] access point) that provides connectivity to external networks, such as the Internet or remote enterprise networks.
Cisco Trust Agent
CTA is a specialized software that runs on end-point systems. CTA responds to challenges from the switch or router about the antivirus state of an end-point system. If an end-point system is not running the CTA, the network access device (switch or router) classifies the end-point system as "clientless."
Cisco Secure ACS
Cisco Secure ACS provides authentication, authorization, and accounting services for NAC using RADIUS authentication. Cisco Secure ACS returns access control decisions to the network access device on the basis of the antivirus credentials of the end-point system.
Using RADIUS cisco_av_pair vendor-specific attributes (VSAs), you can set the following attribute-value pairs (AV pairs) on the Cisco Secure ACS. These AV pairs are sent to the network access device with other access-control attributes:
•
url-redirect=http://10.1.1.1URL-redirect for audit support—The audit function is for hosts that do not have Cisco CTA enabled. The audit can be triggered by the ACS by sending down a policy required for audit when there is a clientless authentication done by the network access device (NAD). The audit is accomplished by sending down the audit server's URL as the URL-redirect policy for the host. When HTTP traffic is seen from the host, it is given the URL of the audit server. The policy that is configured through policy-based ACLs (PBACLs) allows communication between the audit server and the host. The session timeout is typically small for the audit to complete and when this timeout expires, a revalidation occurs and the NAD sends the previously received state attribute to the ACS to bring down a new policy. If the audit is not finished during this session timeout, the ACS sends another short session timeout and this process continues until an audit posture token is received. If the process never completes or is taking too long, the audit server returns an "error" posture token to the ACS.
•
posture-token=HealthyValid SPTs, in order from best to worst, are as follows:
–
–
–
–
–
Posture validation, or posture assessment, refers to the act of applying a set of rules to posture data to provide an assessment of the level of trust that you can place in an endpoint. The term posture is used to refer to the collection of attributes that play a role in the conduct and health of the endpoint device that is seeking access to the network. Some of these attributes relate to the endpoint device-type and operating system; other attributes belong to various security applications that might be present on the endpoint, such as antivirus (AV) scanning software. The posture token is one of the conditions in the authorization rules for network access. Posture validation, together with traditional user authentication, provides a complete security assessment of the endpoint device and the user.
•
status-query-timeout=150For more information about AV pairs that are supported by Cisco software, see the documentation for the releases of software that are implemented on your AAA clients.
Redirection
NAC supports HTTP redirection that redirects any HTTP request from the end-point device to a specified redirect address. This support mechanism redirects all HTTP requests from a source to a specified web page (URL) to which the latest antivirus files can be downloaded. You must set the value of the url-redirect VSA on the ACS and, correspondingly, associate an access control entry in the downloadable ACL that permits the access of the end-point system to the redirect URL address.
LAN Port IP Posture Validation Summary
LAN port IP allows posture-validating end-user devices to access the network based on their posture. End-user devices are classified into one of five possible states after posture validation: healthy, checkup, quarantine, infected, or unknown. Network access is given depending on the device's posture.
LAN port IP enforcement mechanisms include URL redirection and auditing. PBACLs are used for enforcing network access.
The basic steps in posture validation are as follows:
1.
Note
2.
3.
4.
5.
6.
7.
8.
9.
If the host does not respond to the EOU hello requests that are sent by the NAD, the NAD (after a preconfigured number of attempts), declares the host as clientless (no CTA). The NAD does a pseudo authentication on behalf of the host and brings down a policy. Other posture validation mechanisms, such as an audit, may be triggered.
In the clientless mode, the NAD sends three EOU hello messages (by default) before declaring that the host does not have a CTA. This process could take 90 seconds for doing a clientless authentication and installing that policy. To avoid this delay on a port that you know does not have a CTA, you can set the port mode to bypass using the per-port CLI (enter the set port eou mod/port bypass command). When this action is done, the port immediately does a clientless authentication when it learns a new IP address.
Exceptions are hosts that should not attempt posture validation because they are not capable. When a host that has been specified as an exception is detected, a preconfigured policy is installed.
LAN Port IP Hardware and Software Requirements
Follow these hardware and software requirements when configuring LAN port IP:
•
•
•
LAN Port IP Configuration Guidelines and Restrictions
Follow these configuration guidelines and restrictions when configuring LAN port IP:
•
•
•
–
–
–
–
–
–
Note
•
•
•
•
•
•
Note
Note
•
•
•
•
Configuring LAN Port IP
This section describes how to configure LAN port IP.
Note
Note
To configure LAN port IP, perform these steps:
Step 1
Console> (enable) set eou enableEoU globally enabled.Console> (enable)Step 2
Console> (enable) set port eou 7/1 autoEoU enabled on 7/1Console> (enable)Step 3
set radius server ip_addr [auth-port port] [acct-port port] [primary]
set radius key key
This example shows how to define the RADIUS server:
Console> (enable) set radius server 10.76.39.93 auth-port 1812 primary10.76.39.93 with auth-port 1812 acct-port 1813 added to radius server table as primary server.Console> (enable)This example shows how to define the RADIUS key:
Console> (enable) set radius key ciscoRadius key set to ciscoConsole> (enable)Step 4
a.
set security acl ip acl-name permit dhcp-snooping
set security acl ip acl-name permit arp-inspection
b.
set security acl ip acl-name permit eapoudp
c.
set security acl ip NACACL permit ip group healthy_hosts any
set security acl ip NACACL deny ip group infected_hosts any
set security acl ip NACACL permit ip group exception_hosts any
set security acl ip NACACL permit ip group clientless_hosts host 10.76.39.100
d.
set security acl ip NACACL permit url-redirect
Step 5
Step 6
set policy name exception_policy group exception_hosts
Step 7
Step 8
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf
Ensure that the policy groups that are used in the ACLs are configured with the posture-token VSA, such as 26/9/1 sec:pg=healthy_hosts.
If you define a policy group in ACS but the VACL that is mapped to the VLAN does not refer to that group, posture validation will fail because the policy installation fails.
Step 9
set interface {sc0 | sl0 | sc1} {up | down}
set interface sc0 [vlan] [ip_addr/netmask [broadcast]]
Step 10
Step 11
LAN Port IP CLI Command Examples
This section describes how to configure the LAN port IP CLI:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Enabling or Disabling LAN Port IP Globally
To globally enable or disable LAN port IP on the switch, perform this task in privileged mode (the default is disabled):
This example shows how to globally enable LAN port IP on the switch:
Console> (enable) set eou enableEoU globally enabled.Console> (enable)Enabling or Disabling the Bypassing of LAN Port IP Posture Validation for Clientless Hosts
To globally enable or disable the bypassing of the LAN port IP posture validation for clientless hosts, perform this task in privileged mode (the default is disable):
Enable or disable the bypassing of the LAN port IP posture validation for clientless hosts.
set eou allow clientless {enable | disable}
This example shows how to enable the bypassing of the LAN port IP posture validation for clientless hosts:
Console> (enable) set eou allow clientless enableEoU Clientless hosts will be allowedConsole> (enable)Statically Authorizing an IP Address as an Exception Host Device and Applying a Policy to the Device
This command allows a specific IP address to be treated as an exception host and when that host is detected, it will dynamically install the policy specified by the policy name.
Note
To statically authorize an IP device and apply an associated policy to the device, perform this task in privileged mode:
Statically authorize an IP device and apply an associated policy to the device.
set eou authorize ip ip_addr policy policy_name
set eou authorize ip ip_addr ip_mask policy policy_name
This example shows how to statically authorize an IP device and apply an associated policy to the device:
Console> (enable) set eou authorize ip 172.20.52.19 255.255.255.224 policy pollMapped IP address 172.20.52.0 IP mask 255.255.255.224 to policy name pollConsole> (enable)Statically Authorizing a MAC Address as an Exception Host Device and Applying a Policy to the Device
This command allows a specific MAC address to be treated as an exception host and when that host is detected, it will dynamically install the policy specified by the policy name.
Note
To statically authorize a device using the device MAC address and apply an associated policy to the device, perform this task in privileged mode:
This example shows how to statically authorize a device using the device MAC address and apply an associated policy to the device:
Console> (enable) set eou authorize mac-address 03-56-B7-45-65-56 policy pollMapped MAC 03-56-b7-45-65-56 to policy name poll.Console> (enable)Restarting a Host's State Machine
To restart a host's state machine, perform this task in privileged mode:
This example shows how to restart a host's state machine using the IP address:
Console> (enable) set eou initialize ip 172.20.52.19Initializing Eou for ipAddress 172.20.52.19Console> (enable)Specifying the CTA Packet Retransmit Time and RADIUS Server Retransmit Time
To specify the number of times that a packet is retransmitted to the CTA before declaring the CTA as nonresponsive, and to specify the RADIUS server retransmit time, perform this task in privileged mode (the default is 3 and the range is 1 through 10):
This example shows how to specify the number of times that a packet is retransmitted to the CTA before declaring the CTA as nonresponsive, and specify the RADIUS server retransmit time:
Console> (enable) set eou max-retry 6eou max-retry set to 6.Console> (enable)Revalidating a Host
To revalidate a host, perform this task in privileged mode:
This example shows how to revalidate all clientless hosts:
Console> (enable) set eou revalidate authentication clientlessRevalidate all clientless hostsConsole> (enable)Enabling or Disabling EOU Logging for LAN Port IP Events
To enable or disable EOU logging for LAN port IP events, perform this task in privileged mode (the default is disable):
Enable or disable EOU logging for LAN port IP events.
set eou logging {enable | disable}
This example shows how to enable EOU logging for LAN port IP events:
Console> (enable) set eou logging enableEoU Logging enabledConsole> (enable)Setting EAPOUDP-Related Timers
To set EAPOUDP-related timers, perform this task in privileged mode:
The timer defaults and ranges are as follows:
•
•
•
•
•
This example shows how to set the revalidation timer to 200 seconds:
Console> (enable) set eou timeout revalidation 200Console> (enable)Setting EOU Rate Limiting
To set EOU rate limiting (the default is 0 and the range is 10 through 200), perform this task in privileged mode:
Note
This example shows how to set EOU rate limiting to 40:
Console> (enable) set eou rate-limit 40eou ratelimit set to 40.Console> (enable)Enabling or Disabling EOU RADIUS Accounting
To enable or disable EOU RADIUS accounting, perform this task in privileged mode:
This example shows how to enable EOU RADIUS accounting:
Console> (enable) set eou radius-accounting enableRadius Accounting for Eou Enabled.Console> (enable)Bypassing, Disabling, or Enabling LAN Port IP on a Per-Port Basis
You can bypass, disable, or enable LAN port IP on a per-port basis. Specifying auto mode enables LAN port IP automatically if a client is found.
To bypass, disable, specify auto mode, or set the aaa-fail policy for LAN port IP on a per-port basis, perform this task in privileged mode:
This example shows how to enable an aaa-fail policy on a port:
Console> (enable) set port eou 1/2 aaa-fail-policy test_policyPolicy test_policy mapped as aaa-fail-policy on port 1/2Console> (enable)This example shows how to enable LAN port IP on port 5/1:
Console> (enable) set port eou 5/1 autoEoU enabled on 5/1Console> (enable)This example shows how to set port 7/1 to bypass mode:
Console> (enable) set port eou 7/1 bypassEou Bypass enabled on 7/1Console> (enable)Initializing LAN Port IP on a Per-Port Basis
To initialize LAN port IP on a per-port basis, perform this task in privileged mode:
This example shows how to initialize LAN port IP on port 7/1:
Console> (enable) set port eou 7/1 initializeInitializing EoU for all hosts on port 7/1Console> (enable)Revalidating LAN Port IP on a Per-Port Basis
To revalidate LAN port IP on a per-port basis, perform this task in privileged mode:
This example shows how to revalidate LAN port IP on port 7/1:
Console> (enable) set port eou 7/1 revalidateRe-validating EoU for all hosts on port 7/1Console> (enable)Redirecting LAN Port IP Control Packets to the Supervisor Engine
To redirect all LAN port IP control packets to the supervisor engine (EAP over UDP packets), perform this task in privileged mode:
Redirect all LAN port IP control packets to the supervisor engine (EAP over UDP packets).
set security acl ip acl_name permit eapoudp ip_mask [before | modify] ace_insert_position
This example shows how to redirect all LAN port IP control packets to the supervisor engine (EAP over UDP packets):
Console> (enable) set security acl ip test permit eapoudp mask1 before pos1Successfully configured EAPoUDP ACL test. Use 'commit' command to save changesDisplaying the Global EOU Configuration
To display the global EOU configuration, perform this task in normal mode:
This example shows how to display the global EOU configuration:
Console> (enable) show eou configEou Protocol Version : 1Eou Global Config-----------------Eou Global Enable : EnabledEou Clientless : DisabledEou Logging : EnabledEou Radius Accounting : EnabledEou MaxRetry : 3Eou AAA timeout : 60Eou Hold timeout : 180Eou Retransmit timeout : 30Eou Revalidation timeout : 3600Eou Status Query timeout : 300Eou Rate Limit : 40Eou Udp Port : 21862Ip Exception List and Policies--------------------------------------0.0.0.18 255.255.255.224 TESTConsole> (enable)Displaying a Summary of the LAN Port IP State on All LAN Port IP-Enabled Ports
To display a summary of the LAN port IP state on all LAN port IP-enabled ports, perform this task in normal mode:
Display a summary of the LAN port IP state on all LAN port IP-enabled ports.
show eou all
This example shows how to display a summary of the LAN port IP state on all LAN port IP-enabled ports:
Console> (enable) show eou allEou Summary-----------Eou Global State = enabledCurrently Validating EOU Sessions = 0mNo/pNo Host Ip Nac_Token Host_Fsm_State Username------- ---------------- --------- -------------- --------Console> (enable)Displaying a Summary of the LAN Port IP State on a Per-Port Basis
To display a summary of the LAN port IP state on a per-port basis for LAN port IP-enabled ports, perform this task in normal mode:
Display a summary of the LAN port IP state on a per-port basis for LAN port IP-enabled ports.
show port eou mod/port
This example shows how to display a summary of the LAN port IP state on port 7/1:
Console> (enable) show port eou 7/1Port EOU-State IP Address MAC Address-------- --------- --------------- -----------------7/1 bypass - -Port FSM State Auth Type SQ-Timeout Session Timeout-------- ------------- ----------- ---------- ---------------7/1 - - - -Port Posture URL Redirect-------- ------------ --------------------7/1 - -Port Termination action Session id-------- ------------------ --------------------------------7/1 - -Console> (enable)Displaying Host-Specific Information
To display host-specific information, perform this task in normal mode:
Display host-specific information.
show eou host {ip | mac} value
show eou host mac_address mac_address
This example shows how to display host-specific information:
Console> (enable) show eou host 9.6.2.15HostIP HostMac Port Posture-token--------------- ----------------- ------ --------------------9.6.2.15 00-11-85-8d-bf-ab 2/5 HealthyIP Address Eou State AuthType SQTimeout SessTimeout--------------- ------------- -------- --------- -----------9.6.2.15 authenticated eap 301 3600Console> (enable)Displaying EOU Authentication-Related Information
To display the following authentication-related information, perform this task in normal mode:
•
•
•
Display authentication-related information.
show eou authentication {clientless | eap | static}
This example shows how to display authentication-related information:
Console> (enable) show eou authentication eapHost IP HostMac Port Posture-token--------------- ------------------ ------- --------------------9.6.2.15 00-11-85-8d-bf-ab 2/5 HealthyIP Address Eou State AuthType SQTimeout SessTimeout--------------- ------------- --------- --------- -----------9.6.2.15 authenticated eap 301 3600
Console> (enable)
Displaying the EOU Log
To display the EOU log, perform this task in normal mode:
This example shows how to display the EOU log:
Console> (enable) show eou logLPIP-EVENT : New ip on port 3/12 9.9.150.21 from Arp-inspectionLPIP-ERROR : Failure to get host information for 9.9.143.20LPIP-EVENT : Host 9.9.150.34 moved to EAPOUDP_TX_HELLO stateConsole> (enable)Displaying the EOU Results on a Posture-Token Basis
To display the EOU results on a posture-token basis, perform this task in normal mode:
Clearing the LAN Port IP Configuration
To clear the LAN port IP configuration and return to default values, perform this task in privileged mode:
This example shows how to clear the LAN port IP configuration and return to default values:
Console> (enable) clear eou configThis command will disable EoU on all ports and take EoU parameter values back to defaults.Do you want to continue (y/n) [n]? yConsole> (enable)Clearing All the Host EOU Sessions
This command clears all the host EOU sessions learned on all the ports. It does not clear the EOU configuration.
To clear all the host EOU sessions learned on all the ports, perform this task in privileged mode:
This example shows how to clear all the host EOU sessions learned on all the ports:
Console> (enable) clear eou allConsole> (enable)Clearing the LAN Port IP Session for a Particular Host
To clear the LAN port IP session for a particular host by MAC address or IP address, perform this task in privileged mode:
Clear the LAN port IP session for a particular host by MAC address or IP address.
clear eou host {ip-address | mac-address}
This example shows how to clear an EOU session for a host with a specified IP address:
Console> (enable) clear eou host 9.9.10.10EOU session of host with IP 9.9.10.10 cleared.Console> (enable)Clearing an IP Address from an Exception Group or Clearing an Exception Group
To clear an IP address from an exception group or clear an exception group, perform this task in privileged mode:
This example shows how to clear an IP address from an exception group:
Console> (enable) clear eou authorize ip 10.1.1.1 255.255.255.240 policy pol1Cleared host 10.1.1.1 255.255.255.240 from exception group and removed its policy mapping.Console> (enable)Clearing EAPOUDP-Related Timers to Their Default Values
To clear EAPOUDP-related timers to their default values, perform this task in privileged mode:
Clear EAPOUDP-related timers to their default values.
clear eou timeout [aaa | hold-period | restransmit | revalidation | status-query]
This example shows how to clear the hold-period timers to their default values:
Console> (enable) clear eou timeout hold-periodConsole> (enable)Clearing the CTA Packet Retransmit Time
To clear the global CTA packet retransmit time, perform this task in privileged mode (this command sets the retransmit time back to the default value of 3):
This example shows how to clear the global CTA packet retransmit time:
Console> (enable) clear eou max-retryEou max-retry set to 3Console> (enable)Configuring Policy-Based ACLs
This section describes how to configure policy-based ACLs (PBACLs):
•
•
•
•
•
•
Adding IP Addresses to Existing Policy Groups
This command allows you to add an IP address to an existing policy group. The command fails if the group name is not already present in the group database.
To add an IP address to an existing policy group, perform this task in privileged mode:
Add an IP address to an existing policy group.
set policy group group-name ip-address ip-address
This example shows how to add an IP address to an existing policy group:
Console> (enable) set policy group grp1 ip-address 100.1.1.1 255.255.255.255Added IP 100.1.1.1/255.255.255.255 to policy group grp1.Console> (enable)Adding a Policy Group to the Policy Template
You can add a policy group to the policy template. If a policy template does not exist, it is created. Similarly, if the policy group name does not exist, it is created.
To add a policy group to the policy template, perform this task in privileged mode:
Add a policy group to the policy template.
set policy name policy-name group group-name
This example shows how to add a policy group to the policy template:
Console> (enable) set policy name pol1 group grp1Added group grp1 to policy template pol1.Console> (enable)Clearing an IP Address from a Policy Group
To clear an IP address from a policy group, perform this task in privileged mode:
Clear an IP address from a policy group.
clear policy group group-name ip-address ip-address
This example shows how to clear an IP address from a policy group:
Console> (enable) clear policy group grp1 ip-address 100.1.1.1Cleared IP 100.1.1.1 from policy group grp1.Console> (enable)Clearing a Policy Group from a Policy Template
To clear a policy group from a policy template, perform this task in privileged mode:
Clear a policy group from a policy template.
clear policy name policy-name group group-name
This example shows how to clear a policy group from a policy template:
Console> (enable) clear policy name pol1 group grp1Cleared group grp1 from policy template pol1.Console> (enable)Displaying Policy Group Information
To display policy group information, perform this task in normal mode:
This example shows how to display policy group information:
Console> (enable) show policy group allGroup Name = grp1Group Id = 1No.of IP Addresses = 3Src Type = ACL CLIList of Hosts in group.-----------------------Interface = 0/0IpAddress = 100.1.1.1Src type = CONFIGInterface = 0/0IpAddress = 100.1.1.2Src type = CONFIG--------------------------------------------------Group Name = grp2Group Id = 2No.of IP Addresses = 0Src Type = ACL CLIConsole> (enable)Displaying Policy Templates and Their Associated Policy Groups
To display policy templates and their associated policy groups, perform this task in normal mode:
Display policy templates and their associated policy groups.
show policy name {all | policy-name}
This example shows how to display policy templates and their associated policy groups:
Console> (enable) show policy name allPolicy Template pol1Security Policy Groups :grp1 grp2Console> (enable)Configuring Inaccessible Authentication Bypass
When a switch cannot reach configured RADIUS servers and hosts cannot be authenticated, you can configure the switch to allow network access to the hosts connected to critical ports. A critical port is enabled by the inaccessible authentication bypass (IAB) feature.
When IAB is enabled, the switch checks the status of the configured RADIUS servers whenever the switch tries to authenticate a host connected to a critical port. If a server is available, the switch can authenticate the host. However, if all the RADIUS servers are unavailable, the switch grants network access to the host and puts the port in the critical-authentication state.
The operation function of the IAB feature depends on the authorization state of the port:
•
•
•
When the RADIUS server is available, all the ports in critical state are reinitialized if IAB initialization is enabled. Enable the IAB initialization feature by using the set radius keepalive init [enable | disable] command. The IAB initialization feature is disabled by default. If this feature is not enabled, the port waits until the reauthentication timer expires.
If IAB is enabled using the set radius keepalive [enable | disable] command, the switch sends periodic requests to the server. The interval between requests is configurable. Use the set radius keepalivetimer time command to set the timer. The server state can be in Init, CheckUp, Dead, or Alive state. During the initialization state, the first request is sent to all the RADIUS servers. The request waits for a response. If there is no response, the server state will be moved to Checkup. In the Checkup state, the switch sends two more requests to the server. If there is no response to the requests, the switch will be marked as "dead." If there is a response to the request, the server will be marked as "alive." To set the retry timer, use the set radius timeout time command to send a second request when there is no response to the first request.
The following sections describe how to configure IAB:
•
•
•
•
•
•
•
•
•
•
Enabling and Disabling Inaccessible Authentication Bypass
To enable or disable IAB, perform this task in enable mode:
This example shows how to enable IAB:
Console> (enable) set port critical 5/1 enablePort, 5/1 Critical feature enabled.Console> (enable)This example shows how to enable IAB:
Console> (enable) set port critical 5/1 disablePort, 5/1 Critical feature disabled.Console> (enable)Setting the AAA Fail Policy
To set the AAA fail policy, perform this task in enable mode:
This example shows how to set AAA fail policy for EOU:
Console> (enable) set port eou 12/1 aaa-fail-policy critical-eou-policyPolicy critical-eou-policy mapped as aaa-fail-policy on port 12/1Console> (enable)To set web-based proxy authentication on a port, perform this task in enable mode:
Set web-based proxy authentication on a port.
set port webauth mod/port [aaa-fail-policy | disable | enable | initialize] policy-name
This example shows how to enable webauth on a port:
Console> (enable) set port web-auth 5/1 enablePort 5/1 Web-auth is enabled.Console> (enable)This example shows how to set AAA fail policy for webauth:
Console> (enable) set port web-auth 12/1 aaa-fail-policy critical-webauth-policy Policy critical-webauth-policy set as web-auth aaa-fail-policy for port 12/1Console> (enable)Setting the RADIUS Keepalive Timer
To enable or disable the RADIUS keepalive timer, perform this task in enable mode:
This example shows how to enable the RADIUS keepalive timer:
Console> (enable) set radius keepalive enableRadius Keepalive enabled.This example shows how to disable the RADIUS keepalive timer:
Console> (enable) set radius keepalive disableRadius Keepalive disabled.Setting the RADIUS Auto-Initialize Feature
To enable or disable the RADIUS auto-initialize feature, perform this task in enable mode:
This example shows how to enable the RADIUS auto-initialize feature:
Console> (enable) set radius auto-initialize enableRadius Auto-initialize enabled.This example shows how to disable the RADIUS auto-initialize feature:
Console> (enable) set radius auto-initialize disableRadius Auto-initialize disabled.Displaying the Critical Status of Features on a Port
To display the critical status of features on a port, perform this task in enable mode:
This example shows how to display the critical status of features on a port:
Console> (enable) show port critical 5/1Port Critical State Features in Critical State----- -------------- ---------------------------5/1 enabled dot1x, eouDisplaying the AAA Fail Policy on a Port
To display the AAA fail policy for EOU on a port, perform this task in enable mode:
This example shows how to display AAA fail policy on a port:
Console> (enable) show port eou 5/1 aaa-fail-policyPort AAA-Fail-Policy----- ------------------5/1To display the AAA fail policy for web-auth on a port, perform this task in enable mode:
Display the AAA fail policy for web-auth on a port.
show port web-auth mod/port aaa-fail-policy
This example shows how to display AAA fail policy on a port:
Console> (enable) show port web-auth 5/1 aaa-fail-policyPort AAA-Fail-Policy----- ------------------5/1Displaying RADIUS Server Information
To display RADIUS server information, perform this task in enable mode:
This example shows how to display RADIUS server information:
Console> (enable) show radiusActive RADIUS Server : 0.0.0.0RADIUS Deadtime : 0 minutesRADIUS Key :RADIUS Retransmit : 2RADIUS Timeout : 5 secondsFramed-Ip Address Transmit : DisabledRADIUS Framed MTU : 1000 bytesRADIUS Keepalive : EnabledRADIUS Keepalive Timer : 0 minutesRADIUS Autoinitialize Critical: DisabledRADIUS-Server Status Auth-port Acct-port Resolved IP Addrese-------------------------------- ------- --------- --------- -------------------Displaying the MAC Authorization Bypass Settings on a Port
To display the MAC authorization bypass settings on a port, perform this task in enable mode:
Display the MAC authorization bypass settings on a port.
show port mac-auth-bypass mod/port
This example shows how to display the MAC authorization bypass settings on a port:
Console> (enable) show port mac-auth-bypass 5/1Port Mac-Auth-Bypass State MAC Address Auth-State Vlan----- --------------------- ----------------- ----------------- -----5/1 Disabled - - 1Port Termination action Session Timeout Shutdown/Time-Left----- ------------------ --------------- ------------------5/1 - 3600 NO -Port PolicyGroups----- -----------------------------------------------------5/1 -Port Critical Critical-Status----- -------- ---------------5/1 Disabled -Console> (enable)Displaying the Web Authorization Settings on a Port
To display web authorization settings on a port, perform this task in enable mode:
This example shows how to display the web authorization settings on a port:
Console> (enable) show port web-auth 5/1Port IP-Address Vlan Enabled Web-Auth-State Critical-Status----- --------------- ---- --------- ----------------- ---------------5/1 - 1 enabled - -Port IP-Address Session-Timeout Session-Timeleft Radius-Rcvd-Timeout----- --------------- --------------- ---------------- -------------------5/1 - - - NoPort IP-Address Policy-Groups----- --------------- -------------5/1 - -Displaying the EOU Settings on a Port
To display the EOU settings on a port, perform this task in enable mode:
This example shows how to display the EOU settings on a port:
Console> (enable) show port eou 5/1Port EOU-State IP Address MAC Address Critical-Status-------- --------- --------------- ----------------- ---------------5/1 disabled - - -Port FSM State Auth Type SQ-Timeout Session Timeout-------- ------------- ----------- ---------- ---------------5/1 - - - -Port Posture URL Redirect-------- ------------ --------------------5/1 - -Port Termination action Session id-------- ------------------ --------------------------------5/1 - -Port PolicyGroups-------- ------------------------------------------------------5/1 -Port Critical----- --------5/1 enabledClearing Policy Mapping on a Port
To clear the policy mapping on a port, perform this task in enable mode:
This example shows how to clear the EOU policy mapping on a port:
Console> (enable) clear port eou 5/1 aaa-fail-policyaaa-fail-policy cleared successfully on port 5/1To clear the web-based proxy authentication mapping on a port, perform this task in enable mode:
Clear the webauth policy mapping on a port.
clear port webauth mod/port aaa-fail-policy
This example shows how to clear the webauth policy mapping on a port:
Console> (enable) clear port webauth 5/1 aaa-fail-policyaaa-fail-policy cleared successfully on port 5/1LAN Port IP Configuration Example
Use this configuration example when configuring LAN port IP:
•
•
•
begin!# ***** NON-DEFAULT CONFIGURATION *****!!#time: Fri Mar 4 2005, 17:11:20!#version 8.5(0.44)JAC!!#Nacset eou enableset eou allow clientless enableset policy name exception_policy group exception_hostsset eou authorize ip 77.0.0.90 policy exception_policy!#radiusset radius server 10.76.39.93 auth-port 1812 primaryset radius key cisco!#vtpset vtp mode transparent vlanset vlan 12 name RADIUS_CONNECTIVIY type ethernet mtu 1500 said 100012 state activeset vlan 77 name ALL_HOSTS type ethernet mtu 1500 said 100077 state activeset vlan 1,3!#ipset interface sc0 12 9.6.3.3/255.255.255.0 9.6.3.255set interface sl0 downset interface sc1 77 77.0.0.2/255.255.255.0 77.0.0.255set ip route 10.0.0.0/255.0.0.0 9.6.3.1!!#security ACLsclear security acl all#NACACLset security acl ip NACACL permit arpset security acl ip NACACL permit arp-inspection any anyset security acl ip NACACL permit dhcp-snoopingset security acl ip NACACL permit udp any eq 21862 host 9.6.3.3 eq 53000set security acl ip NACACL permit ip group Healthy_hosts anyset security acl ip NACACL deny ip group infected_hosts anyset security acl ip NACACL permit ip group exception_hosts anyset security acl ip NACACL permit ip group clientless_hosts host 10.76.39.100#commit security acl all ## map the ACL to VLAN 77set security acl map NACACL 77!#module 8 : 48-port 10/100BaseTX Ethernetset vlan 12 8/14set vlan 77 8/13,8/24set port name 8/13 HOSTSset port name 8/14 RADIUSset port name 8/24 HOSTSset port eou 8/13 enableset port eou 8/24 bypassset port dhcp-snooping 8/14 trust enable!#module 9 empty!#module 15 : 1-port Multilayer Switch Feature Card!#module 16 empty!#switch port analyzerset span permit-list disableset span permit-list includeendsup2> (enable)The configuration on the MSFC (default router) is as follows:
Router# show runBuilding configuration...Current configuration : 509 bytes!version 12.1service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname Router!!ip subnet-zero!!!ip multicast-routingip dhcp-server 10.76.39.93redundancyhigh-availabilitysingle-router-mode!!!interface Vlan12ip address 9.6.3.6 255.255.255.0!interface Vlan77ip address 77.0.0.76 255.255.255.0ip helper-address 10.76.39.93!ip classlessip route 10.76.0.0 255.255.0.0 Vlan12no ip http server!!!line con 0line vty 0 4login!!endLAN Port IP Enhancements in Software Release 8.6(1) and Later Releases
These sections describe the enhancements for configuring NAC with LAN port IP in software release 8.6(1) and later releases:
•
•
Configuring URL Redirect Support for LAN Port IP Exception Hosts
Exception hosts (such as printers and IP phones) cannot validate posture. The IP/MAC addresses of the exception hosts are added to an exception list. When a host in the exception list is detected on an interface, a preconfigured policy is installed.
For normal, nonexception hosts, URL redirection is accomplished through information that is received from the RADIUS server after a successful posture validation. Because the RADIUS server is not contacted, exception hosts must find a way to access a server, or you must provide a URL through which the hosts can download software components (such as antivirus updates).
Configuration Guidelines and Restrictions
Follow these configuration guidelines and restrictions when configuring URL redirect for LAN port IP exception hosts:
•
•
•
Specifying the Policy Name and URL Redirect String
The set policy name policy-name url-redirect url-redirect-string command maps a URL redirect string to a policy name. URL strings of up to 255 characters are allowed. If the URL string exceeds 255 characters, the command fails.
To specify the policy name and URL redirect string, perform this task in privileged mode:
Specify the policy name and URL redirect string.
set policy name policy-name url-redirect url-redirect-string
This example shows how to specify the policy name and URL redirect string:
Console> (enable) set policy name exception_policy url-redirect http://cisco.comUrl Redirect http://cisco.com mapped to policy name exception_policyConsole> (enable)Displaying the Policy Name and URL Redirect String Mapping
To display the policy name and URL redirect string mapping, perform this task in normal mode:
Display the policy name and URL redirect string mapping.
show policy name [all | policy-name]
This example shows how to display the policy name and URL redirect string mapping for the specified policy:
Console> (enable) show policy name exception_policyPolicy Name : exception_policy----------------------------------------------URL-Redirect : http://cisco.comConsole> (enable)This example shows how to display the policy names and URL redirect string mappings for all policies:
Console> (enable) show policy name allPolicy Name : TEST----------------------------------------------Associated IP Address/Mask Information:0.0.0.18/255.255.255.224Policy Name : poll----------------------------------------------Associated IP Address/Mask Information:0.0.0.19/255.255.255.224Policy Name : BLDG_F----------------------------------------------Policy Name : exception_policy----------------------------------------------URL-Redirect : http://cisco.comConsole> (enable)Clearing the URL Redirect String Associated with the Policy Name
To clear the URL redirect string associated with the policy name, perform this task in privileged mode:
Clear the URL redirect string associated with the policy name.
clear policy name policy-name url-redirect
This example shows how to clear the URL redirect string associated with the policy name:
Console> (enable) clear policy name exception_policy url-redirectCleared url-redirect for the policy exception_policyConsole> (enable)Configuring LAN Port IP on Private VLAN Ports
Note
A private VLAN port is associated with two VLANs, the primary VLAN and the secondary VLAN. Traffic coming from the host (ingress traffic) is tagged with the secondary VLAN and traffic coming from the router port is tagged with the primary VLAN. To trigger EOU on a port, an ARP inspection or DHCP snooping ACL must be mapped to the port VLAN. To trigger EOU on a port in a private VLAN, you must map an ARP inspection or DHCP snooping ACL explicitly to the secondary VLAN as it is the VLAN that is associated with the ingress traffic.
Different PBACLs can be mapped to the primary and secondary VLANs. After a successful posture validation, if the PBACL that is mapped to the primary and secondary VLAN have groups where the host is a member, they are expanded to accommodate the IP address of the host.
Configuring Network Admission Control with LAN Port 802.1X
These sections describe how to configure NAC with LAN port 802.1X:
•
•
Understanding How Network Admission Control with LAN Port 802.1X Works
Note
Note
LAN port 802.1X combined with standard 802.1X authentication provides a unified authentication and posture validation mechanism at the Layer 2 network edge. LAN port 802.1X acts at the same point in the network as LAN port IP but uses different mechanisms to initiate posture validation, to carry the communication between host and authentication server, and to enforce the resulting access limitations.
Posture validation in LAN port 802.1X is triggered by the standard 802.1X mechanisms (either the supplicant sends an EAPOL-Start message to the NAD, or the NAD probes the supplicant with an EAP-Request/Identity message); the posture information may be sent with the user identity credentials for validation by the back-end server. The authentication exchange between the supplicant and the NAD is over EAPOL. Policy enforcement is done by assigning the authenticated port to a specified VLAN to provide segmentation and quarantine of poorly postured hosts at Layer 2.
Note
The LAN port 802.1X policy enforcements include the following (which are already supported with standard 802.1X authentication):
•
•
•
For LAN port 802.1X, the policy enforcement uses a VLAN/PBACL combination where LAN port IP uses only PBACLs.
Reauthentication works the same way as in standard 802.1X authentication which makes use of the RADIUS server-sent session timeout and termination action attributes or the local CLI-configured attributes. These attributes are not received as part of the Access-Accept message from the RADIUS server.
With LAN port 802.1X, hosts are classified into one of the following categories:
•
•
•
•
•
LAN Port 802.1X Enhancements in Software Release 8.6(1) and Later Releases
These sections describe the enhancements for configuring NAC with LAN port 802.1X in software release 8.6(1) and later releases:
•
•
URL Redirection Support for LAN Port 802.1X
After a successful LAN port 802.1X authentication, you can redirect HTTP traffic to the supervisor engine using URL redirection. URL redirection requires that you configure an ACL with an ACE that will redirect all ingress traffic with destination TCP port 80 to the supervisor engine. Enter the set security acl ip acl-name permit url-redirect command to create the ACE. Any ACL that is mapped to a port/VLAN with this ACE redirects all HTTP traffic to the supervisor engine.
URL redirection requires that the IP address of an authenticated host appears in a URL redirect list. The IP address of the host can be obtained in three ways:
•
•
•
DHCP snooping is given the highest precedence, followed by ARP inspection, and then framed IP. If the IP address is received through a higher precedence mechanism than the current one and the previous IP address differs from the current one, the installed policies are removed and updated with the latest IP address. Also, the host IP address added to the URL redirect list is updated with the preferred IP address.
As a result of URL redirection, the NAD intercepts all HTTP traffic from the host that matches the URL redirect match ACL (configured locally or downloaded from the ACS). The intercepted HTTP TCP session is terminated at the NAD. The URL redirect feature then invokes the feature-specific handler that posts an HTTP 302 redirect status code to the host over the terminated TCP session in the following format:
HTTP/1.1 302 Page MovedLocation: <REDIRECT URL-ADDRESS>Pragma: no-cacheCache-Control: no-cacheThe redirect URL address is sent from the RADIUS server. When the host browser receives the 302 status code, it initiates a new HTTP request to the provided redirected URL address and the redirection occurs.
The redirect URL that is sent from the RADIUS server needs to be configured on the RADIUS server. A typical URL redirect VSA would be as follows:
Url-redirect=<url-address>To prevent all the HTTP packets from being redirected to software by the ACL on the interface, you must ensure that packets destined to the redirected URL are not redirected to the software for URL redirection. The ACL must have an ACE installed so that it occurs before the URL redirection ACE that permits traffic to the redirected host. Installing the ACE in this position ensures that the redirected request will encounter the prepositioned ACE and will not be intercepted by the supervisor engine.
A host can be added to URL redirection through the LAN port IP, web-based proxy authentication, and LAN port 802.1X. Web-based proxy authentication is given the highest precedence, followed by LAN port IP, and then LAN port 802.1X. The host port is opened only after a successful 802.1X authentication. When the host tries to access the web, it has to be authenticated through web-based proxy authentication, followed by posture validation by LAN port IP. The host is permitted to access the URL that is received from the RADIUS server after a successful 802.1X authentication.
For URL redirection to work with LAN port 802.1X, there must be an ACL mapped to the VLAN of the port that has DHCP snooping, ARP inspection, and the URL redirect ACE.
Enabling and Disabling the Session Timeout Override for LAN Port 802.1X
After a successful 802.1X authentication, and if reauthentication is enabled on a port, 802.1X authentication will reauthenticate the port when the reauthentication timer expires. The reauthentication timer value can be configured through the CLI or can be sent from the RADIUS server. The set port dot1x mod/port re-authperiod server {disable | enable} command allows you to specify whether the reauthentication timer value from the RADIUS server will be used or whether the CLI-configured value will be used. By default, the session timeout value that is received from the RADIUS server takes precedence over the CLI-configured timeout value. See Table 44-1 for suggested session timeout override mapping values.
Note
To enable or disable the session timeout override for LAN port 802.1X, perform this task in privileged mode:
Enable or disable the session timeout override for LAN port 802.1X.
set port dot1x mod/port re-authperiod server {disable | enable}
This example shows how to enable the session timeout override for LAN port 802.1X:
Console> (enable) set port dot1x 5/8 re-authperiod server enablePort 5/8 session-timeout-override option is enabledConsole> (enable)This example shows how to display the session timeout override setting for LAN port 802.1X:
Console> (enable) show port dot1x 5/8Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------5/8 - - force-authorized -Port Port-Mode Re-authentication Shutdown-timeout Control-Modeadmin oper----- ------------- ----------------- ---------------- ---------------5/8 SingleAuth disabled disabled Both -Port Posture-Token Critical-Status Termination action Session-timeout----- ------------- --------------- ------------------ ---------------5/8 - - - -Port Session-Timeout-Override Url-Redirect----- ------------------------ ----------------------------------5/8 enabled -Port Critical----- --------5/8 disabledConsole> (enable)
