| Step 1 |  
                                       			 enable  
                                       		  
                                     |  Enables
                                          				privileged EXEC mode. 
                                          			 
                                        | 
                              
                                 | Step 2 |  
                                       			 configure
                                             				  terminal  
                                       		  
                                     Device# configure terminal
 |  Enters global
                                          				configuration mode. 
                                          			 
                                        | 
                              
                                 | Step 3 |  
                                       			 policy-map type control
                                             				  subscriber 
                                          				control-policy-name  
                                       		  
                                     Device(config)# policy-map type control subscriber POLICY_1
 |  Defines a
                                          				control policy for subscriber sessions. 
                                          			 
                                        | 
                              
                                 | Step 4 | event 
                                          				event-name [match-all | 
                                          				match-first]  
                                       		  
                                     Device(config-event-control-policymap)# event session-started
 | Specifies the type of event that triggers actions in a control policy if conditions are met.   
                                          						
                                          
                                             							
                                             match-all  is the default behavior. 
                                             
                                             							
                                             To display the available event types, use the question mark (?) online help function. For a complete description of event types, see the event  command. 
                                              | 
                              
                                 | Step 5 |  
                                       			 priority-number 
                                          				class
                                          				{control-class-name | 
                                          				always} [do-all | 
                                          				do-until-failure | 
                                          				do-until-success]  
                                       		  
                                     Device(config-class-control-policymap)# 10 class always
 |  Associates a
                                          				control class with one or more actions in a control policy. 
                                          			 
                                        | 
                              
                                 | Step 6 | action-number 
                                          				activate {policy 
                                          				type 
                                          				control 
                                          				subscriber 
                                          				control-policy-name [child [no-propagation | 
                                          				concurrent] | 
                                          				service-template 
                                          				template-name [aaa-list 
                                          				list-name] [precedence 
                                          				number] [replace-all]}  
                                       		  
                                     Device(config-action-control-policymap)# 10 activate service-template FALLBACK
 | (Optional)
                                          				Activates a control policy or service template on a subscriber session. 
                                          			 
                                        | 
                              
                                 | Step 7 |  
                                       			 action-number 
                                          				authenticate using {dot1x | 
                                          				mab
                                          				| 
                                          				webauth} [aaa {authc-list 
                                          				authc-list-name | 
                                          				authz-list 
                                          				authz-list-name]} [merge] [parameter-map 
                                          				map-name] [priority 
                                          				priority-number] [replace | 
                                          				replace-all] [retries 
                                          				number {retry-time 
                                          				seconds}]  
                                       		  
                                     Device(config-action-control-policymap)# 10 authenticate using dot1x priority 10
 |  (Optional)
                                          				Initiates the authentication of a subscriber session using the specified
                                          				method. 
                                          			 
                                        | 
                              
                                 | Step 8 |  
                                       			 action-number 
                                          				authentication-restart 
                                          				seconds  
                                       		  
                                     Device(config-action-control-policymap)# 20 authentication-restart 60
 |  (Optional)
                                          				Sets a timer to restart the authentication process after an authentication or
                                          				authorization failure. 
                                          			 
                                        | 
                              
                                 | Step 9 |  
                                       			 action-number 
                                          				authorize  
                                       		  
                                     Device(config-action-control-policymap)# 10 authorize
 |  (Optional)
                                          				Initiates the authorization of a subscriber session. 
                                          			 
                                        | 
                              
                                 | Step 10 |  
                                       			 action-number 
                                          				clear-authenticated-data-hosts-on-port  
                                       		  
                                     Device(config-action-control-policymap)# 20 clear-authenticated-data-hosts-on-port
 |  (Optional)
                                          				Clears authenticated data hosts on a port after an authentication failure. 
                                          			 
                                        | 
                              
                                 | Step 11 |  
                                       			 action-number 
                                          				clear-session  
                                       		  
                                     Device(config-action-control-policymap)# 30 clear-session
 |  (Optional)
                                          				Clears an active subscriber session. 
                                          			 
                                        | 
                              
                                 | Step 12 |  
                                       			 action-number 
                                          				deactivate {policy type control subscriber 
                                          				control-policy-name | 
                                          				service-template 
                                          				template-name}  
                                       		  
                                     Device(config-action-control-policymap)# 20 deactivate service-template interface_template
 |  (Optional)
                                          				Deactivates a control policy or service template on a subscriber session. 
                                          			 
                                        | 
                              
                                 | Step 13 |  
                                       			 action-number 
                                          				err-disable  
                                       		  
                                     Device(config-action-control-policymap)# 10 err-disable
 | 
                                          				(Optional)Temporarily disables a port after a session violation event. 
                                          			 
                                        | 
                              
                                 | Step 14 |  
                                       			 action-number 
                                          				pause
                                             				  reauthentication  
                                       		  
                                     Device(config-action-control-policymap)# 20 pause reauthentication
 |  (Optional)
                                          				Pauses reauthentication after an authentication failure. 
                                          			 
                                        | 
                              
                                 | Step 15 |  
                                       			 action-number 
                                          				protect  
                                       		  
                                     Device(config-action-control-policymap)# 10 protect
 |  (Optional)
                                          				Silently drops violating packets after a session violation event. 
                                          			 
                                        | 
                              
                                 | Step 16 |  
                                       			 action-number 
                                          				replace  
                                       		  
                                     Device(config-action-control-policymap)# 10 replace
 |  (Optional)
                                          				Clears the existing session and creates a new session after a violation event. 
                                          			 
                                        | 
                              
                                 | Step 17 |  
                                       			 action-number 
                                          				restrict  
                                       		  
                                     Device(config-action-control-policymap)# 10 restrict
 |  (Optional)
                                          				Drops violating packets and generates a syslog entry after a session violation
                                          				event. 
                                          			 
                                        | 
                              
                                 | Step 18 |  
                                       			 action-number 
                                          				resume
                                             				  reauthentication  
                                       		  
                                     Device(config-action-control-policymap)# 20 resume reauthentication
 |  (Optional)
                                          				Resumes the reauthentication process after an authentication failure. 
                                          			 
                                        | 
                              
                                 | Step 19 |  
                                       			 action-number 
                                          				set-timer 
                                          				timer-name 
                                          				seconds  
                                       		  
                                     Device(config-action-control-policymap)# 20 set-timer RESTART 60
 |  (Optional)
                                          				Starts a named policy timer. 
                                          			 
                                        | 
                              
                                 | Step 20 |  
                                       			 action-number 
                                          				terminate {dot1x | 
                                          				mab
                                          				| 
                                          				webauth}  
                                       		  
                                     Device(config-action-control-policymap)# 20 terminate webauth
 |  (Optional)
                                          				Terminates an authentication method on a subscriber session. 
                                          			 
                                        | 
                              
                                 | Step 21 |  
                                       			 action-number 
                                          				unauthorize  
                                       		  
                                     Device(config-action-control-policymap)# 20 unauthorize
 |  (Optional)
                                          				Removes all authorization data from a subscriber session. 
                                          			 
                                        | 
                              
                                 | Step 22 |  
                                       			 end  
                                       		  
                                     Device(config-action-control-policymap)# end
 |  (Optional)
                                          				Exits control policy-map action configuration mode and returns to privileged
                                          				EXEC mode. 
                                          			 
                                        | 
                              
                                 | Step 23 |  
                                       			 show policy-map type
                                             				  control subscriber {all | 
                                          				name
                                          				
                                          				control-policy-name}  
                                       		  
                                     Device# show policy-map type control subscriber POLICY_1
 |  (Optional)
                                          				Displays information about identity control policies. 
                                          			 
                                        |