Programmable Internetworking & Communication Operating System Docs



Prerequisite

To use the NAC function, you must complete the NAC configuration on both the AAA server and the PICA8 switch. The following section describes how to configure NAC on the PICA8 switch. For details on configuring NAC on the AAA server, refer to the following documents in Typical Configuration of NAC:

  • Configuring Dynamic and Downloadable ACL for ClearPass
  • Configuring Dynamic and Downloadable ACL on Cisco ISE
  • Configuring Pica8 Switches with ClearPass Guest Central Web Authentication
  • Integrating Pica8 Switches with Cisco ISE

Procedure

Step1         Configure VLAN.

    a)      Create a VLAN.

    set vlans vlan-id <vlan-id>

    b)     Assign the interface to the VLAN.

    set interface gigabit-ethernet <port> family ethernet-switching native-vlan-id <vlan-id>

    c)     Configure the IP address of the VLAN.

    set vlan-interface interface <interface-name> vif <vif-name> address <address> prefix-length <number>

    d)     Associate a Layer 3 interface with a VLAN.

    set vlans vlan-id <vlan-id> l3-interface <interface-name>

Step2         Configure IP address for RADIUS authentication server and the shared key.

    set protocols dot1x aaa radius authentication server-ip <ip-address> [shared-key <key-string>]

Step3         Configure the IPv4 address and port number of the Web authentication server. This step is required for Web authentication.

    set protocols dot1x aaa web server-ip <ipv4-address> [port <port-number>]

Step4         Configure the NAS IP address. Use the IP address of the L3 VLAN interface that connects to the AAA server.

    set protocols dot1x aaa radius nas-ip <ip-address>

    This command sets the NAS IP field in the RADIUS Access-Request message. If the switch reaches the AAA server through the management interface eth0/eth1 instead, use the IP address of that management interface as the NAS IP address configured here.

Step5         Configure the authentication mode on the interface. Use the command for the required mode:

    set protocols dot1x interface <interface-name> auth-mode 802.1x

    set protocols dot1x interface <interface-name> auth-mode mac-radius

    set protocols dot1x interface <interface-name> auth-mode web

Step6         Configure the block VLAN. This step is required for Web authentication.

    a)      Configure the block VLAN ID.

    set protocols dot1x block-vlan-id <block-vlan-id>

    b)      Assign the interface to the block VLAN.

    set interface gigabit-ethernet <port> family ethernet-switching native-vlan-id <vlan-id>

    c)      Configure the IP address of the block VLAN interface.

    set vlan-interface interface <interface-name> vif <vif-name> address <address> prefix-length <number>

    d)      Associate a Layer 3 interface with the block VLAN.

    set vlans vlan-id <block-vlan-id> l3-interface <interface-name>

Step7         Configure a RADIUS dynamic authorization client from which the switch accepts Change of Authorization (CoA) messages. This step is required for CoA and Web authentication.

    set protocols dot1x aaa radius dynamic-author client <client-ip> shared-key <key-string>

Step8         Configure the host mode of the NAC authentication interface.

    set protocols dot1x interface <interface-name> host-mode <single | multiple>

Step9         Configure a dynamic ACL on the switch.

    a)      Configure the filter conditions.

    set protocols dot1x filter <filter-name> sequence <sequence-number> from <filter-condition>

    b)      Configure the filter action.

    set protocols dot1x filter <filter-name> sequence <sequence-number> then action <discard | forward>

NOTE:

The filter name that the AAA server returns in the RADIUS Filter-Id attribute must be the same as the filter name of the dynamic ACL configured on the switch; otherwise the switch cannot apply the ACL to the authenticated client.

Step10        (Optional) Configure a server fail VLAN on the switch.

    set protocols dot1x server-fail-vlan-id <vlan-id>

Step11        (Optional) Enable fallback to Web authentication for 802.1X clients.

    set protocols dot1x interface <interface-name> auth-mode 802.1x fallback-to-web disable <true | false>

Step12        (Optional) Enable the open authentication function on a specified interface.

    set protocols dot1x interface <interface-name> authentication-open disable <true | false>

Step13        Commit the configuration.

    commit
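The following is a complete worked configuration that walks through Steps 1 to 10 with concrete values. It is added here as an example and is not taken from the PICA8 documentation; it assumes ge-1/1/1 uses 802.1X and ge-1/1/2 uses Web authentication, data VLAN 10, block VLAN 99, server-fail VLAN 98, an AAA server at 192.0.2.10 reached through the vlan10 interface, and the from-condition keywords in Step 9, which this page does not specify.

```text
# Constructed values for this example. Lines starting with # are annotations, not CLI input.

# Step 1: data VLAN 10, its L3 interface, and the 802.1X access port
set vlans vlan-id 10
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 10
set vlan-interface interface vlan10 vif vlan10 address 10.10.10.1 prefix-length 24
set vlans vlan-id 10 l3-interface vlan10

# Step 2: RADIUS authentication server and shared key (placeholder key, replace before use)
set protocols dot1x aaa radius authentication server-ip 192.0.2.10 shared-key CHANGE-ME-radius-key

# Step 3: Web authentication server (required because ge-1/1/2 uses Web authentication; port assumed)
set protocols dot1x aaa web server-ip 192.0.2.10 port 443

# Step 4: NAS IP is the vlan10 address the AAA server sees the switch from, not the eth0 address
set protocols dot1x aaa radius nas-ip 10.10.10.1

# Step 5: one authentication mode per interface
set protocols dot1x interface ge-1/1/1 auth-mode 802.1x
set protocols dot1x interface ge-1/1/2 auth-mode web

# Step 6: block VLAN 99 holds Web-authentication clients until they authenticate
set protocols dot1x block-vlan-id 99
set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 99
set vlan-interface interface vlan99 vif vlan99 address 10.99.99.1 prefix-length 24
set vlans vlan-id 99 l3-interface vlan99

# Step 7: accept CoA messages only from the AAA server, protected by its own shared key
set protocols dot1x aaa radius dynamic-author client 192.0.2.10 shared-key CHANGE-ME-coa-key

# Step 8: one host on the 802.1X port, several hosts behind the Web-authentication port
set protocols dot1x interface ge-1/1/1 host-mode single
set protocols dot1x interface ge-1/1/2 host-mode multiple

# Step 9: dynamic ACL "guest-acl"; the AAA server must return Filter-Id = guest-acl for it to apply.
# The destination-address keyword is an assumption; check the PICA8 filter reference for the exact syntax.
set protocols dot1x filter guest-acl sequence 10 from destination-address 10.10.10.0/24
set protocols dot1x filter guest-acl sequence 10 then action discard
set protocols dot1x filter guest-acl sequence 20 from destination-address 0.0.0.0/0
set protocols dot1x filter guest-acl sequence 20 then action forward

# Step 10 (optional): a separate restricted VLAN for clients when no RADIUS server answers
set vlans vlan-id 98
set protocols dot1x server-fail-vlan-id 98

# Step 13: activate the configuration
commit
```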

