Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX (OL-4266-08), page 45-20
Chapter 45 Configuring Network Admission Control
Configuring NAC
The following example illustrates how to apply a AAA down policy:
Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Command / Purpose (table continued)

Step 13
Command: Router(config)# radius-server host {hostname | ip-address} test username username idle-time 1 key string
Purpose: (Optional) Configures the RADIUS server parameters.
For the hostname or ip-address, specify the hostname or IP address of the remote RADIUS server.
For the key string value, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
Note: Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption key used on the RADIUS daemon.
The test username username parameter configures the dummy username that tests whether the AAA server is active.
The idle-time parameter sets how often the server is tested to determine its operational status. If there is no traffic to the RADIUS server, the NAD sends dummy RADIUS packets to the RADIUS server based on the idle-time.
If you want to use multiple RADIUS servers, reenter this command.

Step 14
Command: Router(config)# radius-server attribute 8 include-in-access-req
Purpose: (Optional) Configures the switch to send the Framed-IP-Address RADIUS attribute (Attribute[8]) in access-request or accounting-request packets if the switch is connected to nonresponsive hosts.
To configure the switch to not send the Framed-IP-Address attribute, use the no radius-server attribute 8 include-in-access-req global configuration command.

Step 15
Command: Router(config)# radius-server vsa send authentication
Purpose: Configures the network access server to recognize and use vendor-specific attributes.

Step 16
Command: Router(config)# radius-server dead-criteria {tries | time} value
Purpose: Forces one or both of the criteria (used to mark a RADIUS server as dead) to be the indicated constant.

Step 17
Command: Router(config)# eou logging
Purpose: (Optional) Enables EAPoUDP system logging events.
To disable the logging of EAPoUDP system events, use the no eou logging global configuration command.

Step 18
Command: Router(config)# end
Purpose: Returns to privileged EXEC mode.

Step 19
Command: Router# show ip admission {[cache] [configuration] [eapoudp]}
Purpose: Displays the NAC configuration or network admission cache entries.

Step 20
Command: Router# show ip device tracking {all | interface interface-id | ip ip-address | mac mac-address}
Purpose: Displays information about the entries in the IP device tracking table.

Step 21
Command: Router# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
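The key-placement rule in the Step 13 note (key is the last item; leading spaces are ignored, inner and trailing spaces and quotation marks are literal) and the liveness settings of Steps 13 and 16 are easy to get wrong when a running-config is reviewed by eye. The following Python audit is an added example, not Cisco code or part of this guide; the sample configuration, server addresses, usernames and keys are constructed placeholders, and the regular expressions implement the syntax as this guide describes it.

```python
"""Audit RADIUS settings in an IOS-style running-config (added example, not Cisco code)."""
import re

# Constructed sample config; addresses, usernames and keys are placeholders.
SAMPLE_CONFIG = """\
radius-server host 192.0.2.10 test username nac-probe idle-time 1 key rad key 1
radius-server host 192.0.2.11 key "quoted secret"
radius-server host radius3.example.test test username probe idle-time 5 key plainkey
radius-server dead-criteria tries 3 time 20
radius-server vsa send authentication
radius-server attribute 8 include-in-access-req
eou logging
"""


def parse_radius_host(line: str) -> dict:
    """Split one 'radius-server host' line into server, probe settings and key.
    Key is the last item, so everything after the first ' key ' is the key:
    leading spaces are dropped, inner and trailing spaces are kept, and
    quotation marks are ordinary key characters rather than delimiters."""
    m = re.match(r"^radius-server host (\S+)(.*)$", line)
    if not m:
        raise ValueError(f"not a radius-server host line: {line!r}")
    server, rest = m.group(1), m.group(2)
    head, key = rest, None
    kpos = rest.find(" key ")
    if kpos != -1:
        head, key = rest[:kpos], rest[kpos + len(" key "):].lstrip(" ")
    user = re.search(r"test username (\S+)", head)
    idle = re.search(r"idle-time (\d+)", head)
    return {"server": server, "key": key,
            "test_username": user.group(1) if user else None,
            "idle_time": idle.group(1) if idle else None}


def audit(config: str) -> list:
    """Return findings about shared-key handling and dead-server detection."""
    findings, lines = [], config.splitlines()
    for line in lines:
        if not line.startswith("radius-server host "):
            continue
        e = parse_radius_host(line)
        if e["key"] is None:
            findings.append(f"{e['server']}: no shared key configured")
        elif '"' in e["key"]:  # quotes are literal, so the server must hold them too
            findings.append(f"{e['server']}: quotation marks are part of the key")
        if e["test_username"] is None:
            findings.append(f"{e['server']}: no test username, liveness is not probed")
    if not any(l.startswith("radius-server dead-criteria") for l in lines):
        findings.append("no dead-criteria configured; dead-server marking uses defaults")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see that only the second server is flagged: its key carries the quotation marks literally and it has no test username, so the NAD never probes it.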