Table Of Contents
Configuring Network Admission Control
Configuring Network Admission Control with LAN Port IP
Understanding How Network Admission Control with LAN Port IP Works
Overview
Virus Infections and Their Effect on Networks
How Network Admission Control Works
Network Access Device
Cisco Trust Agent
Cisco Secure ACS
Redirection
LAN Port IP Posture Validation Summary
LAN Port IP Hardware and Software Requirements
LAN Port IP Configuration Guidelines and Restrictions
Configuring LAN Port IP
LAN Port IP CLI Command Examples
Enabling or Disabling LAN Port IP Globally
Enabling or Disabling the Bypassing of LAN Port IP Posture Validation for Clientless Hosts
Statically Authorizing an IP Address as an Exception Host Device and Applying a Policy to the Device
Statically Authorizing a MAC Address as an Exception Host Device and Applying a Policy to the Device
Restarting a Host's State Machine
Specifying the CTA Packet Retransmit Time and RADIUS Server Retransmit Time
Revalidating a Host
Enabling or Disabling EOU Logging for LAN Port IP Events
Setting EAPOUDP-Related Timers
Setting EOU Rate Limiting
Enabling or Disabling EOU RADIUS Accounting
Bypassing, Disabling, or Enabling LAN Port IP on a Per-Port Basis
Initializing LAN Port IP on a Per-Port Basis
Revalidating LAN Port IP on a Per-Port Basis
Redirecting LAN Port IP Control Packets to the Supervisor Engine
Displaying the Global EOU Configuration
Displaying a Summary of the LAN Port IP State on All LAN Port IP-Enabled Ports
Displaying a Summary of the LAN Port IP State on a Per-Port Basis
Displaying Host-Specific Information
Displaying EOU Authentication-Related Information
Displaying the EOU Log
Displaying the EOU Results on a Posture-Token Basis
Clearing the LAN Port IP Configuration
Clearing All the Host EOU Sessions
Clearing the LAN Port IP Session for a Particular Host
Clearing an IP Address from an Exception Group or Clearing an Exception Group
Clearing EAPOUDP-Related Timers to Their Default Values
Clearing the CTA Packet Retransmit Time
Configuring Policy-Based ACLs
Adding IP Addresses to Existing Policy Groups
Adding a Policy Group to the Policy Template
Clearing an IP Address from a Policy Group
Clearing a Policy Group from a Policy Template
Displaying Policy Group Information
Displaying Policy Templates and Their Associated Policy Groups
Configuring Inaccessible Authentication Bypass
Enabling and Disabling Inaccessible Authentication Bypass
Setting the AAA Fail Policy
Setting the RADIUS Keepalive Timer
Setting the RADIUS Auto-Initialize Feature
Displaying the Critical Status of Features on a Port
Displaying the AAA Fail Policy on a Port
Displaying RADIUS Server Information
Displaying the MAC Authorization Bypass Settings on a Port
Displaying the Web Authorization Settings on a Port
Displaying the EOU Settings on a Port
Clearing Policy Mapping on a Port
LAN Port IP Configuration Example
LAN Port IP Enhancements in Software Release 8.6(1) and Later Releases
Configuring URL Redirect Support for LAN Port IP Exception Hosts
Configuring LAN Port IP on Private VLAN Ports
Configuring Network Admission Control with LAN Port 802.1X
Understanding How Network Admission Control with LAN Port 802.1X Works
LAN Port 802.1X Enhancements in Software Release 8.6(1) and Later Releases
URL Redirection Support for LAN Port 802.1X
Enabling and Disabling the Session Timeout Override for LAN Port 802.1X
Configuring Network Admission Control
This chapter describes how to configure network admission control (NAC) on the Catalyst 6500 series switches.
Note
For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
Note
For information on configuring IEEE 802.1X authentication, see Chapter 40, "Configuring 802.1X Authentication."
Note
For information on configuring MAC authentication bypass, see Chapter 41, "Configuring MAC Authentication Bypass."
Note
For information on using port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses that are specified for that port, see Chapter 38, "Configuring Port Security." That chapter also provides information on using port security to filter the traffic that is destined to or received from a specific host that is based on the host MAC address.
Note
For information on configuring authentication, authorization, and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst 6500 series switches, see Chapter 39, "Configuring the Switch Access Using AAA."
This chapter consists of these sections:
•
Configuring Network Admission Control with LAN Port IP
•
Configuring Network Admission Control with LAN Port 802.1X
Configuring Network Admission Control with LAN Port IP
These sections describe how to configure NAC with LAN port IP:
•
Understanding How Network Admission Control with LAN Port IP Works
•
LAN Port IP Posture Validation Summary
•
LAN Port IP Hardware and Software Requirements
•
LAN Port IP Configuration Guidelines and Restrictions
•
Configuring LAN Port IP
•
LAN Port IP CLI Command Examples
•
Configuring Policy-Based ACLs
•
Configuring Inaccessible Authentication Bypass
•
LAN Port IP Configuration Example
•
LAN Port IP Enhancements in Software Release 8.6(1) and Later Releases
Understanding How Network Admission Control with LAN Port IP Works
These sections provide an understanding of LAN port IP:
•
Overview
•
Virus Infections and Their Effect on Networks
•
How Network Admission Control Works
•
Network Access Device
•
Cisco Trust Agent
•
Cisco Secure ACS
•
Redirection
Overview
NAC addresses the increased threat and impact of worms and viruses to networked businesses. This feature is part of the Cisco Self-Defending Network Initiative that helps customers identify, prevent, and adapt to security threats.
In its initial phase, NAC enables switches and routers to restrict access privileges from an end point that is attempting to connect to a network. The access can be based on information about the end-point device, such as its current antivirus state (version of antivirus software, virus definitions, and version of scan engine).
NAC systems allow noncompliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources, which keeps insecure nodes from infecting the network.
The key component of the Cisco NAC program is the Cisco Trust Agent (CTA), which resides on an end-point system and communicates with Cisco switches and routers on the network. The CTA collects security state information, such as the type of antivirus software that is used, and communicates this information to Cisco switches and routers. The information is then relayed to a Cisco Secure Access Control Server (ACS) where access control decisions are made. The ACS directs the Cisco switch or router to perform enforcement against the end point.
Virus Infections and Their Effect on Networks
Virus infections are the single largest cause of serious security breaches for networks. Sources of virus infections are insecure end points (for example, PCs, laptops, and servers). Although the end points may have antivirus software installed, the software is often disabled. Even if the software is enabled, the end points may not have the latest virus definitions and scan engines. A larger security risk is from devices that do not have any antivirus software installed.
How Network Admission Control Works
End-point systems, or clients, are hosts on the network, such as PCs, laptops, workstations, and servers. The end-point systems are a potential source of virus infections, and their antivirus states need to be validated before they are granted network access. When an end point attempts an IP connection to a network through an upstream Cisco network access device (Cisco switch or router), the network access device challenges the end point for its antivirus state. The end-point systems run a client called Cisco Trust Agent, which collects antivirus state information from the end device and transports the information to the network access device. This information is then communicated to a Cisco Secure ACS where the antivirus state of the end point is validated and access control decisions are made and returned to network access devices. The network devices either permit, deny, or quarantine the end device. The Cisco Secure ACS may use back-end antivirus vendor-specific servers for evaluating the antivirus state of the end point.
Figure 44-1 shows how Cisco NAC works.
Figure 44-1 Cisco IOS Network Admission Control System
Network Access Device
A network access device (NAD) is a Cisco switch or router (a Layer 3 Extensible Authentication Protocol over UDP [EAPoUDP] access point) that provides connectivity to external networks, such as the Internet or remote enterprise networks.
Cisco Trust Agent
CTA is specialized software that runs on end-point systems. It responds to challenges from the switch or router about the antivirus state of the end-point system. If an end-point system is not running CTA, the network access device (switch or router) classifies it as "clientless" and cannot validate its posture; the host then receives only the clientless policy that you configure.
Cisco Secure ACS
Cisco Secure ACS provides authentication, authorization, and accounting services for NAC using RADIUS authentication. Cisco Secure ACS returns access control decisions to the network access device on the basis of the antivirus credentials of the end-point system.
Using the RADIUS cisco-av-pair vendor-specific attribute (VSA, attribute 26, vendor 9, subtype 1), you can set the following attribute-value pairs (AV pairs) on the Cisco Secure ACS. These AV pairs are sent to the network access device with the other access-control attributes:
•
url-redirect—Enables the AAA client to intercept an HTTP request from the host and redirect it to a new URL. This redirection is useful if the result of posture validation indicates that the end point requires an update or patch that you have made available on a remediation web server. For example, a user can be redirected to a remediation web server to download and apply a new virus definition (DAT) file or an operating system patch as follows:
url-redirect=http://10.1.1.1
URL-redirect for audit support—The audit function is for hosts that do not have Cisco CTA enabled. The audit can be triggered by the ACS by sending down a policy required for audit when there is a clientless authentication done by the network access device (NAD). The audit is accomplished by sending down the audit server's URL as the URL-redirect policy for the host. When HTTP traffic is seen from the host, it is given the URL of the audit server. The policy that is configured through policy-based ACLs (PBACLs) allows communication between the audit server and the host. The session timeout is typically small for the audit to complete and when this timeout expires, a revalidation occurs and the NAD sends the previously received state attribute to the ACS to bring down a new policy. If the audit is not finished during this session timeout, the ACS sends another short session timeout and this process continues until an audit posture token is received. If the process never completes or is taking too long, the audit server returns an "error" posture token to the ACS.
•
posture-token—Enables Cisco Secure ACS to send a text version of the system posture token (SPT) that posture validation derives. The SPT itself is always sent in numeric format; the posture-token AV pair makes the result of a posture validation request easier to read on the AAA client.
Valid SPTs, in order from best to worst, are as follows:
–
Healthy
–
Checkup
–
Quarantine
–
Infected
–
Unknown
Posture validation, or posture assessment, refers to the act of applying a set of rules to posture data to provide an assessment of the level of trust that you can place in an endpoint. The term posture is used to refer to the collection of attributes that play a role in the conduct and health of the endpoint device that is seeking access to the network. Some of these attributes relate to the endpoint device-type and operating system; other attributes belong to various security applications that might be present on the endpoint, such as antivirus (AV) scanning software. The posture token is one of the conditions in the authorization rules for network access. Posture validation, together with traditional user authentication, provides a complete security assessment of the endpoint device and the user.
•
status-query-timeout—Overrides the default status-query timeout of the AAA client with the value that you specify, in seconds.
For more information about AV pairs that are supported by Cisco software, see the documentation for the releases of software that are implemented on your AAA clients.
Redirection
NAC supports HTTP redirection, which redirects any HTTP request from the end-point device to a specified URL, typically a web page from which the latest antivirus files can be downloaded. You must set the value of the url-redirect VSA on the ACS and, correspondingly, add an access control entry to the downloadable ACL that permits the end-point system to reach the redirect URL address. Redirection affects only HTTP requests; all other traffic from the host is controlled by the PBACL that is installed for its posture.
LAN Port IP Posture Validation Summary
With LAN port IP, end-user devices are posture validated before they are granted network access. After posture validation, each device is classified into one of five states: healthy, checkup, quarantine, infected, or unknown. Network access is granted according to the device's posture.
LAN port IP enforcement mechanisms include URL redirection and auditing. PBACLs are used for enforcing network access.
The basic steps in posture validation are as follows:
1.
The NAD learns the MAC and IP address bindings using ARP inspection and/or DHCP snooping.
Note
If you use DHCP triggering for posture validation, you must also enable ARP inspection. If ARP inspection is not enabled, the posture validation completes but the session is torn down within a few minutes because the ARP probe replies from the client are not seen by the EAP Over UDP (EOU) state machinery.
2.
The NAD sends an EOU hello request to the host.
3.
If the host is running CTA, it responds back with a hello response.
4.
The NAD sends an EOU validate identity request.
5.
The CTA responds back with an EOU validate response.
6.
The NAD extracts the EAP packet from the EOU, embeds it in the RADIUS access request, and sends it to the authentication server (such as the ACS).
7.
The ACS sends back an access challenge that is relayed back to the CTA in the form of an EOU validate packet.
8.
Step 6 and Step 7 continue until the ACS sends a success or failure response for the posture validation session.
9.
If it is a success, the ACS sends the posture token VSA and a policy associated with the posture that includes the PBACL groups, session timeout, status query timeout, and authenticated username.
If the host does not respond to the EOU hello requests that the NAD sends, the NAD (after a preconfigured number of attempts) declares the host clientless (no CTA). The NAD then performs a pseudo authentication on behalf of the host and brings down a policy. Other posture validation mechanisms, such as an audit, may be triggered.
In the clientless mode, the NAD sends three EOU hello messages (by default) before declaring that the host does not have a CTA. This process can take up to 90 seconds before the clientless authentication completes and the policy is installed. To avoid this delay on a port that you know does not have a CTA, set the port mode to bypass with the per-port CLI (enter the set port eou mod/port bypass command). The port then performs a clientless authentication immediately when it learns a new IP address. Because a bypass port never attempts posture validation, the clientless policy is the only control that applies to any host that appears on that port.
Exception hosts are hosts that should not attempt posture validation because they are not capable of it. When a host that has been specified as an exception is detected, a preconfigured policy is installed without posture validation. Because an exception host is identified only by its IP or MAC address, which any device on the port can claim, keep the exception policy as restrictive as the host's role allows.
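The following Python model of the NAD-side decision is an added example, not Cisco code and not part of this publication. It reproduces the hello/retry logic, the clientless fallback, the per-port bypass mode and the clientless-allowed switch described above. The Host and acs_decision stand-ins, the policy-group names and the behaviour when clientless hosts are not allowed (no policy is installed) are assumptions made for the example.

```python
"""Simulation of the NAD side of LAN port IP posture validation.

Added example, not Cisco code. Models the EOU hello/retry loop, the
clientless fallback, per-port bypass, and 'set eou allow clientless'.
The ACS stub and the group names are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Default from the chapter: three EOU hellos before a host is declared clientless.
DEFAULT_MAX_RETRY = 3


class Auth(Enum):
    """Authentication type of a session, named as in
    'set eou initialize authentication {clientless | eap | static}'."""
    EAP = "eap"                # CTA answered the hello; EAPoUDP/RADIUS validation runs
    CLIENTLESS = "clientless"  # no CTA; NAD pseudo-authenticates on the host's behalf


@dataclass
class Host:
    """Constructed endpoint. cta_token is the posture the CTA/ACS exchange would
    yield (for example "Healthy"); None means no CTA, so hellos are never answered."""
    ip: str
    cta_token: Optional[str]


@dataclass
class Session:
    ip: str
    auth: Optional[Auth] = None
    posture_token: Optional[str] = None
    policy_groups: list = field(default_factory=list)
    hellos_sent: int = 0


def acs_decision(auth: Auth, cta_token: Optional[str]):
    """Stand-in for Cisco Secure ACS: returns (posture-token VSA, sec:pg groups).
    The token-to-group mapping is an assumption of this example."""
    if auth is Auth.CLIENTLESS:
        return "Unknown", ["clientless_hosts"]
    return cta_token, [f"{cta_token.lower()}_hosts"]


def validate(host: Host, port_mode: str = "auto", allow_clientless: bool = True,
             max_retry: int = DEFAULT_MAX_RETRY) -> Session:
    """Posture-validation decision for one newly learned IP address on a port.

    port_mode "auto": send EOU hellos, up to max_retry, before declaring the
    host clientless. "bypass": skip the hellos and go straight to clientless
    authentication (what 'set port eou mod/port bypass' is for).
    """
    s = Session(ip=host.ip)
    if port_mode == "bypass":
        s.auth = Auth.CLIENTLESS
    else:
        while s.hellos_sent < max_retry:
            s.hellos_sent += 1
            if host.cta_token is not None:   # hello response received from CTA
                s.auth = Auth.EAP
                break
        else:                                # no response after max_retry hellos
            s.auth = Auth.CLIENTLESS

    # 'set eou allow clientless disable' is assumed here to leave the host with
    # no policy installed instead of pseudo-authenticating it.
    if s.auth is Auth.CLIENTLESS and not allow_clientless:
        return s

    # On the EAP path the NAD relays EAP inside RADIUS until the ACS answers;
    # the stub collapses that challenge/response exchange into one decision.
    s.posture_token, s.policy_groups = acs_decision(s.auth, host.cta_token)
    return s


if __name__ == "__main__":
    for h, mode in [(Host("10.76.39.101", "Healthy"), "auto"),
                    (Host("10.76.39.102", None), "auto"),
                    (Host("10.76.39.102", None), "bypass")]:
        print(mode, validate(h, port_mode=mode))
```

Running the module shows the difference the bypass mode makes: the clientless host on the auto port consumes all three hellos before it gets its policy, while the same host on the bypass port gets it with no hellos at all, which is exactly why bypass should be limited to ports where you know no CTA will ever appear.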
LAN Port IP Hardware and Software Requirements
Follow these hardware and software requirements when configuring LAN port IP:
•
You must have a Catalyst 6500 series switch running software release 8.5(1) or later releases.
•
You must have CTA installed on the end-point devices (for example, on PCs and laptops).
•
You must have an ACS for AAA.
LAN Port IP Configuration Guidelines and Restrictions
Follow these configuration guidelines and restrictions when configuring LAN port IP:
•
You must be familiar with configuring access control lists (ACLs) and policy-based ACLs (PBACLs).
•
You should be familiar with configuring authentication, authorization, and accounting (AAA).
•
LAN port IP works with other security features such as 802.1X, MAC authentication bypass, and web-based proxy authentication. The restrictions that apply to 802.1X ports also apply to LAN port IP ports as follows:
–
LAN port IP can be configured on access ports only; it cannot be configured on trunk ports.
–
LAN port IP ports cannot be part of an EtherChannel.
–
LAN port IP cannot be enabled with dynamic ports.
–
LAN port IP can be enabled on Ethernet ports only.
–
LAN port IP ports cannot be SPAN destination ports.
–
LAN port IP ports cannot be part of a private VLAN.
Note
With software release 8.6(1) and later releases, LAN port IP ports can be part of a private VLAN. For more information, see the "Configuring LAN Port IP on Private VLAN Ports" section.
•
LAN port IP, when enabled with any authentication feature such as 802.1X or MAC authentication bypass, is initialized only after the authentication is finished.
•
802.1X—802.1X authentication may apply a Layer 2 policy, such as a VLAN assignment, and can also bring Layer 3 policy attributes, such as policy-based ACLs (PBACLs), to a port. A LAN port IP policy consists only of the policy-group membership that is downloaded from the RADIUS server.
•
Multihost and multiauthentication modes are not supported—802.1X with LAN port IP is supported only in single-host mode.
•
Auxiliary VLANs—LAN port IP is supported on multi-VLAN access ports.
•
Guest VLANs and the authentication failure VLAN—When LAN port IP is configured with these two features, the LAN port IP operation differs only in that the IP address that it gets for posture validation is from the guest VLAN or authentication failure VLAN.
•
DHCP snooping and/or ARP inspection—LAN port IP learns IP addresses through ARP inspection or DHCP snooping, so you must enable at least one of these features; they are what triggers LAN port IP (map a PBACL that contains the ACEs of these features to the VLAN in which the LAN port IP port resides). Without one of them, a Layer 2 switch cannot learn new IP addresses that appear on a port.
Note
If you use DHCP triggering for posture validation, you must also enable ARP inspection. If ARP inspection is not enabled, the posture validation completes but the session is torn down within a few minutes because the ARP probe replies from the client are not seen by the EOU state machinery.
Note
Supervisor Engine 1 does not support ARP inspection. With a Supervisor Engine 1, you must enable DHCP snooping.
•
Port security—LAN port IP works with port security. Only port security-validated MAC addresses are allowed to go through posture validation. If a port security violation occurs and results in a port shutdown, the LAN port IP state of the port is also cleared. When you configure an authentication feature, the authenticating feature gives the MAC address to port security to secure if it has been successfully authenticated and then LAN port IP is initialized.
•
Security ACLs (VACLs)—PBACLs are implemented as security ACLs; with LAN port IP, PBACLs are supported in VACL mode only.
•
MAC authentication bypass—LAN port IP is initialized only after a successful authentication using MAC authentication bypass, 802.1X, or web-based proxy authentication.
•
Web-based proxy authentication—LAN port IP is initialized only after web-based proxy authentication finishes verifying the identity credentials. While a port is in the web-based proxy authentication state, it waits indefinitely for authentication to complete and allows only DHCP and DNS traffic through. The ACL configured on the interface redirects the HTTP traffic; the PBACL configured on the interface must deny all other traffic.
Configuring LAN Port IP
This section describes how to configure LAN port IP.
Note
To display LAN port IP configuration information and to clear LAN port IP configuration elements, see the "LAN Port IP CLI Command Examples" section. To configure policy-based ACLs (PBACLs), see the "Configuring Policy-Based ACLs" section.
Note
For assistance in following these configuration steps, see the "LAN Port IP Configuration Example" section.
To configure LAN port IP, perform these steps:
Step 1
Enable LAN port IP globally on the switch by entering the set eou {enable | disable} command (the default is disabled).
Console> (enable) set eou enable
Step 2
Enable LAN port IP on a per-port basis by entering the set port eou mod/port {bypass | auto | disable | initialize | revalidate} command.
Console> (enable) set port eou 7/1 auto
Step 3
Define the RADIUS server and RADIUS key by entering the following commands:
set radius server ip_addr [auth-port port] [acct-port port] [primary]
set radius key key
This example shows how to define the RADIUS server:
Console> (enable) set radius server 10.76.39.93 auth-port 1812 primary
10.76.39.93 with auth-port 1812 acct-port 1813 added to radius server table as primary server.
This example shows how to define the RADIUS key. The key is the shared secret that authenticates the RADIUS exchange with the ACS and must match the key configured there; use a long, random secret in production rather than a guessable word like the one in this example:
Console> (enable) set radius key cisco
Step 4
Define a policy-based ACL (PBACL) and map it to a VLAN as follows:
a.
Enable DHCP snooping and/or ARP inspection:
set security acl ip acl-name permit dhcp-snooping
set security acl ip acl-name permit arp-inspection
b.
Enable EAPoUDP redirection:
set security acl ip acl-name permit eapoudp
c.
Define other policy statements using policy groups that correspond to various LAN port IP states as follows:
set security acl ip NACACL permit ip group healthy_hosts any
set security acl ip NACACL deny ip group infected_hosts any
set security acl ip NACACL permit ip group exception_hosts any
set security acl ip NACACL permit ip group clientless_hosts host 10.76.39.100
d.
For URL redirection, apply this ACE at an appropriate position:
set security acl ip NACACL permit url-redirect
Step 5
For clientless nonresponsive hosts (NRH hosts), enable the clientless functionality by entering the set eou allow clientless enable command.
Step 6
Define a policy for NRH hosts. The specified groups should also be present in the ACL that is defined in the previous steps:
set policy name exception_policy group exception_hosts
Step 7
Specify an exception host and assign the policy by entering the set eou authorize ip 77.0.0.90 policy exception_policy command.
Step 8
Configure the RADIUS server. For RADIUS server configuration details, refer to the Implementing Network Admission Control Phase One Configuration and Deployment publication at this URL:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf
Ensure that the policy groups that are used in the ACLs are configured with the posture-token VSA, such as 26/9/1 sec:pg=healthy_hosts.
If you define a policy group in ACS but the VACL that is mapped to the VLAN does not refer to that group, posture validation will fail because the policy installation fails.
Step 9
Ensure that the sc0 interface is configured with a proper IP address by entering these commands:
set interface {sc0 | sl0 | sc1} {up | down}
set interface sc0 [vlan] [ip_addr/netmask [broadcast]]
Step 10
Ensure that there is a default router in the VLAN to which the host is connected. If there is no default router, you need a static ARP on the host for the sc0 IP address.
Step 11
If the host and the management interface (sc0) are in the same VLAN, and you have a VACL configured for that VLAN, you should configure an ACE to allow traffic to the RADIUS server from the switch IP address.
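The following Python block is an added example, not Cisco code and not part of this publication. It serves two passages: the cisco-av-pair list in the "Cisco Secure ACS" section (url-redirect, posture-token, status-query-timeout and the sec:pg policy-group pairs) and Step 8 above, which warns that a policy group defined in ACS but absent from the VACL mapped to the VLAN makes policy installation, and therefore posture validation, fail. The VSA strings and the VACL lines are constructed from this chapter's examples; the parsing and the install check are this example's own model of the switch's behaviour, not its implementation.

```python
"""Parse the cisco-av-pair values an ACS returns for a LAN port IP session and
check whether the resulting policy could be installed against the VACL mapped
to the host's VLAN.

Added example, not Cisco code: the VSA strings and the VACL are constructed
from the chapter's examples; the parse/install logic is this example's model
of the checks, not the switch's implementation.
"""
import re

# System posture tokens, best to worst, as listed in this chapter.
POSTURE_RANK = ["Healthy", "Checkup", "Quarantine", "Infected", "Unknown"]

# Constructed VACL: the NACACL ACEs from the configuration steps above.
SAMPLE_VACL = [
    "set security acl ip NACACL permit dhcp-snooping",
    "set security acl ip NACACL permit arp-inspection",
    "set security acl ip NACACL permit eapoudp",
    "set security acl ip NACACL permit ip group healthy_hosts any",
    "set security acl ip NACACL deny ip group infected_hosts any",
    "set security acl ip NACACL permit ip group exception_hosts any",
    "set security acl ip NACACL permit ip group clientless_hosts host 10.76.39.100",
    "set security acl ip NACACL permit url-redirect",
]


def parse_av_pairs(av_pairs):
    """Turn a list of cisco-av-pair (26/9/1) values into a policy dict.

    Recognised keys: sec:pg (policy group, may repeat), url-redirect,
    posture-token and status-query-timeout. Other keys are ignored here,
    which is an assumption of this example, not documented switch behaviour.
    """
    policy = {"groups": [], "url_redirect": None, "posture_token": None,
              "status_query_timeout": None}
    for pair in av_pairs:
        key, sep, value = (part.strip() for part in pair.partition("="))
        if not sep or not key or not value:
            raise ValueError(f"malformed AV pair: {pair!r}")
        if key == "sec:pg":
            policy["groups"].append(value)
        elif key == "url-redirect":
            if not re.match(r"^https?://\S+$", value):
                raise ValueError(f"url-redirect is not an HTTP(S) URL: {value!r}")
            policy["url_redirect"] = value
        elif key == "posture-token":
            if value not in POSTURE_RANK:
                raise ValueError(f"unknown posture token: {value!r}")
            policy["posture_token"] = value
        elif key == "status-query-timeout":
            secs = int(value)
            if not 30 <= secs <= 1800:   # status-query range given in this chapter
                raise ValueError(f"status-query-timeout out of range: {secs}")
            policy["status_query_timeout"] = secs
    return policy


def groups_in_vacl(vacl_lines):
    """Policy-group names referenced by 'group <name>' in the VACL's ACEs."""
    return {m.group(1) for line in vacl_lines
            for m in re.finditer(r"\bgroup\s+(\S+)", line)}


def check_install(policy, vacl_lines):
    """Return (ok, reason). Models the failure the chapter describes (a sec:pg
    group the mapped VACL never references) and checks that a url-redirect VSA
    is matched by the 'permit url-redirect' ACE the chapter requires."""
    missing = sorted(set(policy["groups"]) - groups_in_vacl(vacl_lines))
    if missing:
        return False, f"policy group(s) not referenced in VACL: {missing}"
    if policy["url_redirect"] and not any(
            re.search(r"\bpermit\s+url-redirect\b", line) for line in vacl_lines):
        return False, "url-redirect VSA but no 'permit url-redirect' ACE in VACL"
    return True, "installed"


def worse_token(a, b):
    """Return the worse of two posture tokens in the chapter's best-to-worst order."""
    return max(a, b, key=POSTURE_RANK.index)
```

The check_install failure for an unreferenced group is the case Step 8 warns about: a group name that exists only in the ACS configuration leaves the switch with nothing to map the host into, and the host ends up without a policy even though the ACS returned a success.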
LAN Port IP CLI Command Examples
This section provides examples of the LAN port IP CLI commands:
•
Enabling or Disabling LAN Port IP Globally
•
Enabling or Disabling the Bypassing of LAN Port IP Posture Validation for Clientless Hosts
•
Statically Authorizing an IP Address as an Exception Host Device and Applying a Policy to the Device
•
Statically Authorizing a MAC Address as an Exception Host Device and Applying a Policy to the Device
•
Restarting a Host's State Machine
•
Specifying the CTA Packet Retransmit Time and RADIUS Server Retransmit Time
•
Revalidating a Host
•
Enabling or Disabling EOU Logging for LAN Port IP Events
•
Setting EAPOUDP-Related Timers
•
Setting EOU Rate Limiting
•
Enabling or Disabling EOU RADIUS Accounting
•
Bypassing, Disabling, or Enabling LAN Port IP on a Per-Port Basis
•
Initializing LAN Port IP on a Per-Port Basis
•
Revalidating LAN Port IP on a Per-Port Basis
•
Redirecting LAN Port IP Control Packets to the Supervisor Engine
•
Displaying the Global EOU Configuration
•
Displaying a Summary of the LAN Port IP State on All LAN Port IP-Enabled Ports
•
Displaying a Summary of the LAN Port IP State on a Per-Port Basis
•
Displaying Host-Specific Information
•
Displaying EOU Authentication-Related Information
•
Displaying the EOU Log
•
Displaying the EOU Results on a Posture-Token Basis
•
Clearing the LAN Port IP Configuration
•
Clearing All the Host EOU Sessions
•
Clearing the LAN Port IP Session for a Particular Host
•
Clearing an IP Address from an Exception Group or Clearing an Exception Group
•
Clearing EAPOUDP-Related Timers to Their Default Values
•
Clearing the CTA Packet Retransmit Time
Enabling or Disabling LAN Port IP Globally
To globally enable or disable LAN port IP on the switch, perform this task in privileged mode (the default is disabled):
Task: Globally enable or disable LAN port IP on the switch.
Command: set eou {enable | disable}
This example shows how to globally enable LAN port IP on the switch:
Console> (enable) set eou enable
Enabling or Disabling the Bypassing of LAN Port IP Posture Validation for Clientless Hosts
To globally enable or disable the bypassing of the LAN port IP posture validation for clientless hosts, perform this task in privileged mode (the default is disabled):
Task: Enable or disable the bypassing of the LAN port IP posture validation for clientless hosts.
Command: set eou allow clientless {enable | disable}
This example shows how to enable the bypassing of the LAN port IP posture validation for clientless hosts:
Console> (enable) set eou allow clientless enable
EoU Clientless hosts will be allowed
Statically Authorizing an IP Address as an Exception Host Device and Applying a Policy to the Device
This command allows a specific IP address to be treated as an exception host and when that host is detected, it will dynamically install the policy specified by the policy name.
Note
If the policy template does not exist, entering these commands creates the policy template.
To statically authorize an IP device and apply an associated policy to the device, perform this task in privileged mode:
Task: Statically authorize an IP device and apply an associated policy to the device.
Commands:
set eou authorize ip ip_addr policy policy_name
set eou authorize ip ip_addr ip_mask policy policy_name
This example shows how to statically authorize an IP device and apply an associated policy to the device:
Console> (enable) set eou authorize ip 172.20.52.19 255.255.255.224 policy poll
Mapped IP address 172.20.52.0 IP mask 255.255.255.224 to policy name poll
Statically Authorizing a MAC Address as an Exception Host Device and Applying a Policy to the Device
This command allows a specific MAC address to be treated as an exception host and when that host is detected, it will dynamically install the policy specified by the policy name.
Note
If the policy template does not exist, entering these commands creates the template.
To statically authorize a device using the device MAC address and apply an associated policy to the device, perform this task in privileged mode:
Task: Statically authorize a device using the device MAC address and apply an associated policy to the device.
Commands:
set eou authorize mac-address mac_address policy policy_name
set eou authorize mac-address mac_address mac_mask policy policy_name
This example shows how to statically authorize a device using the device MAC address and apply an associated policy to the device:
Console> (enable) set eou authorize mac-address 03-56-B7-45-65-56 policy poll
Mapped MAC 03-56-b7-45-65-56 to policy name poll.
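The following Python block is an added example, not Cisco code and not part of this publication. It reproduces the mask arithmetic behind the two set eou authorize commands (the switch's own message above, "Mapped IP address 172.20.52.0 IP mask 255.255.255.224", shows that an IP entry is stored as the address ANDed with the mask) and shows which policy a detected host would receive. The ExceptionTable class, the constructed entries and the precedence rule between overlapping entries (most specific mask wins, IP entries win ties) are assumptions of this example; the chapter does not document the lookup order.

```python
"""Exception-host matching for 'set eou authorize ip ...' and
'set eou authorize mac-address ...'.

Added example, not Cisco code. Reproduces the mask arithmetic the switch
reports and shows which policy a detected host receives. The precedence rule
for overlapping entries is this example's assumption, not documented behaviour.
"""
import ipaddress


def ip_exception(ip, mask="255.255.255.255"):
    """Network covered by an 'authorize ip ip_addr [ip_mask]' entry (ip AND mask)."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_mac(text):
    """Accept 03-56-B7-45-65-56 or 03:56:b7:45:65:56 and return a 48-bit int."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def mac_exception(mac, mask="ff-ff-ff-ff-ff-ff"):
    """(masked address, mask) for an 'authorize mac-address mac [mac_mask]' entry."""
    m = parse_mac(mask)
    return parse_mac(mac) & m, m


class ExceptionTable:
    """Static exception hosts and the policy installed when one is detected."""

    def __init__(self):
        self.ip_entries = []   # (ip_network, policy_name)
        self.mac_entries = []  # ((masked_mac, mask), policy_name)

    def authorize_ip(self, ip, policy, mask="255.255.255.255"):
        self.ip_entries.append((ip_exception(ip, mask), policy))

    def authorize_mac(self, mac, policy, mask="ff-ff-ff-ff-ff-ff"):
        self.mac_entries.append((mac_exception(mac, mask), policy))

    def lookup(self, ip, mac):
        """Policy name for a detected host, or None if it is not an exception.

        Each candidate is scored by the number of mask bits so that a /32 or a
        full 48-bit MAC beats a wider range (assumed precedence)."""
        addr = ipaddress.ip_address(ip)
        candidates = [(net.prefixlen, policy) for net, policy in self.ip_entries
                      if addr in net]
        mac_int = parse_mac(mac)
        candidates += [(bin(mask).count("1"), policy)
                       for (masked, mask), policy in self.mac_entries
                       if mac_int & mask == masked]
        if not candidates:
            return None
        # max() keeps the first of equal keys, so IP entries win ties (assumption).
        return max(candidates, key=lambda c: c[0])[1]


if __name__ == "__main__":
    table = ExceptionTable()
    table.authorize_ip("172.20.52.19", "poll", "255.255.255.224")   # covers .0 to .31
    table.authorize_mac("03-56-B7-45-65-56", "poll")
    print(ip_exception("172.20.52.19", "255.255.255.224"))          # 172.20.52.0/27
    print(table.lookup("172.20.52.30", "00-11-22-33-44-55"))        # poll
    print(table.lookup("172.20.52.40", "00-11-22-33-44-55"))        # None
```

Note how a mask turns a single-host exception into a range: the example entry from the chapter admits every address from 172.20.52.0 through 172.20.52.31 to the poll policy, not just 172.20.52.19, so check the mapped network the switch echoes back before trusting an exception entry.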
Restarting a Host's State Machine
To restart a host's state machine, perform this task in privileged mode:
Task: Restart a host's state machine.
Commands:
set eou initialize all
set eou initialize authentication {clientless | eap | static}
set eou initialize ip ip-address
set eou initialize mac mac-address
set eou initialize posture-token posture-token
This example shows how to restart a host's state machine using the IP address:
Console> (enable) set eou initialize ip 172.20.52.19
Initializing Eou for ipAddress 172.20.52.19
Specifying the CTA Packet Retransmit Time and RADIUS Server Retransmit Time
To specify the maximum number of times that an EOU packet is retransmitted to the CTA before the CTA is declared nonresponsive, and the maximum number of retransmissions to the RADIUS server, perform this task in privileged mode (the default is 3 and the range is 1 through 10). Note that this is a retransmission count, not a time; the interval between retransmissions is set with the set eou timeout retransmit command.
Task: Specify the maximum number of retransmissions to the CTA before it is declared nonresponsive, and to the RADIUS server.
Command: set eou max-retry max-retry
This example shows how to allow six retransmissions:
Console> (enable) set eou max-retry 6
Revalidating a Host
To revalidate a host, perform this task in privileged mode:
Task: Revalidate a host.
Commands:
set eou revalidate all
set eou revalidate authentication {clientless | eap | static}
set eou revalidate ip ip-address
set eou revalidate mac mac-address
set eou revalidate posture-token posture-token
This example shows how to revalidate all clientless hosts:
Console> (enable) set eou revalidate authentication clientless
Revalidate all clientless hosts
Enabling or Disabling EOU Logging for LAN Port IP Events
To enable or disable EOU logging for LAN port IP events, perform this task in privileged mode (the default is disabled):
Task: Enable or disable EOU logging for LAN port IP events.
Command: set eou logging {enable | disable}
This example shows how to enable EOU logging for LAN port IP events:
Console> (enable) set eou logging enable
Setting EAPOUDP-Related Timers
To set EAPOUDP-related timers, perform this task in privileged mode:
Task: Set EAPOUDP-related timers.
Commands:
set eou timeout aaa aaa-timeout
set eou timeout hold-period hold-timeout
set eou timeout retransmit retransmit-timeout
set eou timeout revalidation revalidation-timeout
set eou timeout status-query status-query-timeout
The timer defaults and ranges are as follows:
•
aaa—The default is 60 seconds; the range is 1 through 60 seconds.
•
hold-period—The default is 180 seconds; the range is 60 through 86400 seconds.
•
retransmit—The default is 3 seconds; the range is 1 through 60 seconds.
•
revalidation—The default is 36000 seconds; the range is 5 through 86400 seconds.
•
status-query—The default is 300 seconds; the range is 30 through 1800 seconds.
This example shows how to set the revalidation timer to 200 seconds:
Console> (enable) set eou timeout revalidation 200
Setting EOU Rate Limiting
To set EOU rate limiting (the default is 0 and the range is 10 through 200), perform this task in privileged mode:
Note
The default rate limit value of 0 disables rate limiting. With rate limiting disabled, there is no limit on simultaneous LAN port IP authentication sessions.
Task
|
Command
|
Set EOU rate limiting.
|
set eou rate-limit ratelimit
|
This example shows how to set EOU rate limiting to 40:
Console> (enable) set eou rate-limit 40
Enabling or Disabling EOU RADIUS Accounting
To enable or disable EOU RADIUS accounting, perform this task in privileged mode:
Task
|
Command
|
Enable or disable EOU RADIUS accounting.
|
set eou radius-accounting {enable | disable}
|
This example shows how to enable EOU RADIUS accounting:
Console> (enable) set eou radius-accounting enable
Radius Accounting for Eou Enabled.
Bypassing, Disabling, or Enabling LAN Port IP on a Per-Port Basis
You can bypass, disable, or enable LAN port IP on a per-port basis. Specifying auto mode enables LAN port IP automatically if a client is found.
To bypass, disable, specify auto mode, or set the aaa-fail policy for LAN port IP on a per-port basis, perform this task in privileged mode:
Task
|
Command
|
Bypass, disable, specify auto mode, or set the aaa-fail policy for LAN port IP on a per-port basis.
|
set port eou mod/port {aaa-fail-policy policy_name | auto | bypass | disable | initialize | revalidate}
|
This example shows how to enable an aaa-fail policy on a port:
Console> (enable) set port eou 1/2 aaa-fail-policy test_policy
Policy test_policy mapped as aaa-fail-policy on port 1/2
This example shows how to enable LAN port IP on port 5/1:
Console> (enable) set port eou 5/1 auto
This example shows how to set port 7/1 to bypass mode:
Console> (enable) set port eou 7/1 bypass
Eou Bypass enabled on 7/1
Initializing LAN Port IP on a Per-Port Basis
To initialize LAN port IP on a per-port basis, perform this task in privileged mode:
Task
|
Command
|
Initialize LAN port IP on a per-port basis.
|
set port eou mod/port initialize
|
This example shows how to initialize LAN port IP on port 7/1:
Console> (enable) set port eou 7/1 initialize
Initializing EoU for all hosts on port 7/1
Revalidating LAN Port IP on a Per-Port Basis
To revalidate LAN port IP on a per-port basis, perform this task in privileged mode:
Task
|
Command
|
Revalidate LAN port IP on a per-port basis.
|
set port eou mod/port revalidate
|
This example shows how to revalidate LAN port IP on port 7/1:
Console> (enable) set port eou 7/1 revalidate
Re-validating EoU for all hosts on port 7/1
Redirecting LAN Port IP Control Packets to the Supervisor Engine
To redirect all LAN port IP control packets to the supervisor engine (EAP over UDP packets), perform this task in privileged mode:
Task
|
Command
|
Redirect all LAN port IP control packets to the supervisor engine (EAP over UDP packets).
|
set security acl ip acl_name permit eapoudp ip_mask [before | modify] ace_insert_position
|
This example shows how to redirect all LAN port IP control packets to the supervisor engine (EAP over UDP packets):
Console> (enable) set security acl ip test permit eapoudp mask1 before pos1
Successfully configured EAPoUDP ACL test. Use 'commit' command to save changes
Displaying the Global EOU Configuration
To display the global EOU configuration, perform this task in normal mode:
Task
|
Command
|
Display the global EOU configuration.
|
show eou config
|
This example shows how to display the global EOU configuration:
Console> (enable) show eou config
Eou Global Enable : Enabled
Eou Clientless : Disabled
Eou Radius Accounting : Enabled
Eou Retransmit timeout : 30
Eou Revalidation timeout : 3600
Eou Status Query timeout : 300
Ip Exception List and Policies
--------------------------------------
0.0.0.18 255.255.255.224 TEST
Displaying a Summary of the LAN Port IP State on All LAN Port IP-Enabled Ports
To display a summary of the LAN port IP state on all LAN port IP-enabled ports, perform this task in normal mode:
Task
|
Command
|
Display a summary of the LAN port IP state on all LAN port IP-enabled ports.
|
show eou all
|
This example shows how to display a summary of the LAN port IP state on all LAN port IP-enabled ports:
Console> (enable) show eou all
Eou Global State = enabled
Currently Validating EOU Sessions = 0
mNo/pNo Host Ip Nac_Token Host_Fsm_State Username
------- ---------------- --------- -------------- --------
Displaying a Summary of the LAN Port IP State on a Per-Port Basis
To display a summary of the LAN port IP state on a per-port basis for LAN port IP-enabled ports, perform this task in normal mode:
Task
|
Command
|
Display a summary of the LAN port IP state on a per-port basis for LAN port IP-enabled ports.
|
show port eou mod/port
|
This example shows how to display a summary of the LAN port IP state on port 7/1:
Console> (enable) show port eou 7/1
Port EOU-State IP Address MAC Address
-------- --------- --------------- -----------------
Port FSM State Auth Type SQ-Timeout Session Timeout
-------- ------------- ----------- ---------- ---------------
Port Posture URL Redirect
-------- ------------ --------------------
Port Termination action Session id
-------- ------------------ --------------------------------
Displaying Host-Specific Information
To display host-specific information, perform this task in normal mode:
Task
|
Command
|
Display host-specific information.
|
show eou host {ip | mac} value
show eou host mac_address mac_address
|
This example shows how to display host-specific information:
Console> (enable) show eou host 9.6.2.15
HostIP HostMac Port Posture-token
--------------- ----------------- ------ --------------------
9.6.2.15 00-11-85-8d-bf-ab 2/5 Healthy
IP Address Eou State AuthType SQTimeout SessTimeout
--------------- ------------- -------- --------- -----------
9.6.2.15 authenticated eap 301 3600
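The two tables that show eou host prints share the host IP address as a key, so they can be merged into one record per host and audited: a host whose posture token is not Healthy, or that was admitted through clientless or static (exception-list) authentication rather than an EAP exchange with the CTA, is on the network without a validated posture. The following parser is an added example, not code from the Cisco guide; the first host row is the one shown above and the remaining rows are constructed sample data. The field names (ip, mac, posture, auth_type and so on) are this script's own labels for the displayed headings.

```python
"""Parse `show eou host` output from a CatOS switch and flag hosts admitted
without an EAP-validated Healthy posture.

Added example, not code from the Cisco guide. The 9.6.2.15 rows come from the
guide's sample output; the other rows are constructed sample data.
"""

import re

# A separator line is one or more groups of dashes; the number of groups is
# the number of columns in the table that follows it.
SEPARATOR = re.compile(r"^-+(\s+-+)*\s*$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Column labels keyed by column count: the first table has four columns
# (HostIP HostMac Port Posture-token), the second has five
# (IP Address, Eou State, AuthType, SQTimeout, SessTimeout).
COLUMNS = {
    4: ("ip", "mac", "port", "posture"),
    5: ("ip", "state", "auth_type", "sq_timeout", "sess_timeout"),
}

# Constructed sample: the guide's host plus two hosts that should be flagged.
SAMPLE = """\
HostIP HostMac Port Posture-token
--------------- ----------------- ------ --------------------
9.6.2.15 00-11-85-8d-bf-ab 2/5 Healthy
9.6.2.16 00-11-85-8d-bf-ac 2/6 Quarantine
9.6.2.17 00-11-85-8d-bf-ad 2/7 Healthy
IP Address Eou State AuthType SQTimeout SessTimeout
--------------- ------------- -------- --------- -----------
9.6.2.15 authenticated eap 301 3600
9.6.2.16 authenticated eap 301 3600
9.6.2.17 authenticated clientless 301 3600
"""


def parse_show_eou_host(text):
    """Return {ip: {field: value}} with both tables merged per host."""
    hosts = {}
    columns = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SEPARATOR.match(line):
            ncols = len(line.split())
            columns = COLUMNS.get(ncols)
            if columns is None:
                raise ValueError(f"unexpected {ncols}-column table")
            continue
        fields = line.split()
        # Heading lines carry multi-word names; data rows always start with the
        # host IP, which is the only reliable way to tell them apart.
        if columns is None or not IPV4.match(fields[0]):
            continue
        if len(fields) != len(columns):
            raise ValueError(f"malformed row: {line!r}")
        hosts.setdefault(fields[0], {}).update(zip(columns, fields))
    for record in hosts.values():
        for key in ("sq_timeout", "sess_timeout"):
            if key in record:
                record[key] = int(record[key])
    return hosts


def find_exceptions(hosts, healthy_tokens=("Healthy",)):
    """Return {ip: [reasons]} for hosts that lack an EAP-validated Healthy posture.
    Assumption: an auth type other than 'eap' (clientless bypass or a static
    exception entry) means no CTA posture exchange took place for the host."""
    findings = {}
    for ip, record in sorted(hosts.items()):
        reasons = []
        if record.get("posture") not in healthy_tokens:
            reasons.append(f"posture token {record.get('posture')!r}")
        if record.get("auth_type") != "eap":
            reasons.append(f"admitted by {record.get('auth_type')!r} authentication, "
                           "posture not validated")
        if record.get("state") != "authenticated":
            reasons.append(f"state {record.get('state')!r}")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    parsed = parse_show_eou_host(SAMPLE)
    for ip, reasons in find_exceptions(parsed).items():
        print(f"{ip} on port {parsed[ip]['port']}: " + "; ".join(reasons))
```

Feed it the captured output of show eou host for each address of interest (or concatenate several captures; records are keyed by IP, so hosts from different ports do not collide). The auth_type check is the one to watch on a switch where clientless bypass is enabled: those hosts are admitted under the clientless policy from ACS and never answer a posture query.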
Displaying EOU Authentication-Related Information
To display the following authentication-related information, perform this task in normal mode:
• clientless—Display all clientless ports
• eap—Display all ports with EAP authentication
• static—Display all hosts in the exception list
Task
|
Command
|
Display authentication-related information.
|
show eou authentication {clientless | eap | static}
|