45-10
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 45 Configuring Network Admission Control
Understanding NAC
For the IP device tracking table, you can configure the number of times that the switch sends ARP probes
for an entry before removing it from the table, and the number of seconds that the switch waits before
resending an ARP probe. With the default settings of the IP device tracking table, the switch sends ARP
probes every 30 seconds for all entries. When the host responds to the probe, the host state is refreshed
and remains active. If the switch does not get a response, it can send up to three additional ARP probes
at 30-second intervals. After the maximum number of ARP probes is sent, the switch removes the host entry
from the table and ends the EAPoUDP session for the host if a session was set up.
Using IP device tracking ensures that hosts are detected in a timely manner, despite the limitations
of using DHCP. If a link goes down, the IP device tracking entries associated with the interface are not
removed; their state is changed to inactive. The switch does not limit the number of entries in the IP
device tracking table, but it applies a limit at which it starts removing inactive entries. All entries
remain in the IP device tracking table until it contains more entries than the limit. When the table
reaches that limit, the switch removes inactive entries, if there are any, and adds the new entries. If the
table does not have inactive entries, the number of entries in the IP device tracking table simply
increases. When a host becomes inactive, the switch ends the host session. For Catalyst
3750, 3560, 3550, 2970, 2960, 2955, 2950, and 2940 switches and for Cisco EtherSwitch service
modules, the limit for removing inactive entries is 512. For Cisco 7600 series routers and Catalyst 4000 and
6000 switches, the limit is 2048.
After an interface link is restored, the switch sends ARP probes for the entries associated with the
interface. The switch ages out entries for hosts that do not respond to the ARP probes. For hosts that do
respond, the switch changes the entry state to active and initiates posture validation.
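The probe, age-out, link-down and inactive-limit behaviour described above is easier to reason about as a small state machine. The following Python model is an added illustration written for this chapter; it is not Cisco IOS code, and the class, its method names, the per-interface link-state set and the assumption that the entry is dropped when the last of the three additional probes goes unanswered are all the editor's choices. The 30-second interval, the three additional probes and the 2048-entry limit are the values given in the text.

```python
from dataclasses import dataclass

# Defaults taken from the text above (limit is the Cisco 7600 / Catalyst 4000 and 6000 value).
PROBE_INTERVAL = 30      # seconds between ARP probes
EXTRA_PROBES = 3         # additional probes allowed after the first unanswered one
INACTIVE_LIMIT = 2048    # table size at which inactive entries are purged


@dataclass
class Entry:
    ip: str
    interface: str
    state: str = "active"          # "active" or "inactive"
    unanswered: int = 0            # consecutive unanswered ARP probes
    next_probe_at: int = 0         # simulated time (seconds) of the next probe
    eou_session: bool = False      # EAPoUDP session established for this host


class DeviceTrackingTable:
    """Toy model of the IP device tracking table (editor's illustration, not Cisco's code)."""

    def __init__(self, probe_interval=PROBE_INTERVAL,
                 extra_probes=EXTRA_PROBES, inactive_limit=INACTIVE_LIMIT):
        self.probe_interval = probe_interval
        self.extra_probes = extra_probes
        self.inactive_limit = inactive_limit
        self.entries: dict[str, Entry] = {}
        self.links_down: set[str] = set()
        self.ended_sessions: list[str] = []   # hosts whose EAPoUDP session was torn down
        self.validations: list[str] = []      # hosts for which posture validation was started

    def _end_session(self, e: Entry) -> None:
        if e.eou_session:
            e.eou_session = False
            self.ended_sessions.append(e.ip)

    def add_host(self, ip: str, interface: str, now: int) -> None:
        # The table is not size-limited; reaching the limit only purges inactive
        # entries. If none are inactive, the table simply grows.
        if len(self.entries) >= self.inactive_limit:
            for key in [k for k, e in self.entries.items() if e.state == "inactive"]:
                del self.entries[key]
        self.entries[ip] = Entry(ip, interface, eou_session=True,
                                 next_probe_at=now + self.probe_interval)
        self.validations.append(ip)           # initial posture validation

    def link_down(self, interface: str) -> None:
        # Entries stay in the table but become inactive, and the host session ends.
        self.links_down.add(interface)
        for e in self.entries.values():
            if e.interface == interface and e.state == "active":
                e.state = "inactive"
                self._end_session(e)

    def link_up(self, interface: str, now: int) -> None:
        # Probe the affected entries right away; responders become active again.
        self.links_down.discard(interface)
        for e in self.entries.values():
            if e.interface == interface:
                e.next_probe_at = now
                e.unanswered = 0

    def tick(self, now: int, responders: set[str]) -> None:
        """Send every due ARP probe; `responders` is the set of hosts that answer."""
        for e in list(self.entries.values()):
            if e.interface in self.links_down or e.next_probe_at > now:
                continue                      # nothing to probe on a down link
            if e.ip in responders:
                e.unanswered = 0
                if e.state == "inactive":
                    e.state = "active"
                    e.eou_session = True
                    self.validations.append(e.ip)   # posture validation restarts
                e.next_probe_at = now + self.probe_interval
                continue
            e.unanswered += 1
            # Assumption: first probe plus EXTRA_PROBES additional ones may go
            # unanswered; the entry is removed when the last one also gets no reply.
            if e.unanswered > self.extra_probes:
                self._end_session(e)
                del self.entries[e.ip]
            else:
                e.next_probe_at = now + self.probe_interval


if __name__ == "__main__":
    # Constructed scenario: one host answers, the other never does.
    table = DeviceTrackingTable()
    table.add_host("10.0.0.1", "GigabitEthernet1/1", now=0)
    table.add_host("10.0.0.2", "GigabitEthernet1/1", now=0)
    for now in (30, 60, 90, 120):
        table.tick(now, {"10.0.0.1"})
    print("remaining entries:", sorted(table.entries))
    print("sessions ended:", table.ended_sessions)
```

Running the script shows 10.0.0.2 disappearing after the fourth unanswered probe (two minutes at the default interval) while 10.0.0.1 stays active, which is the window a defender should expect before a silent host is dropped from the table.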
Retransmission Timer
The retransmission timer controls the amount of time that the switch waits for a response from the client
before resending a request during posture validation. Setting the timer value too low might cause
unnecessary transmissions, and setting the timer value too high might cause poor response times.
The default value of the retransmission timer is 3 seconds.
Revalidation Timer
The revalidation timer controls the amount of time that a NAC policy applies to a client that used
EAPoUDP messages during posture validation. The timer starts after the initial posture validation is
complete. The timer resets when the host is revalidated. The default value of the revalidation timer is
36000 seconds (10 hours).
You can specify the revalidation timer value on the switch by using the eou timeout revalidation
seconds global configuration command. You can also specify the revalidation timer value on an interface
by using the eou timeout revalidation seconds interface configuration command.
Note
The revalidation timer can be configured locally on the switch or it can be downloaded from the control
server.
The revalidation timer operation is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute[29]) in the Access-Accept message from the Cisco
Secure ACS running AAA. If the switch receives a Session-Timeout value, that value overrides the
revalidation timer value configured on the switch.