Configuring NAC
Prerequisite
NAC must be configured on both the AAA server and the PICA8 switch. The following section describes how to configure NAC on the PICA8 switch. For details about how to configure NAC on the AAA server, refer to the following documents in Typical Configuration of NAC:
- Configuring Dynamic and Downloadable ACL for ClearPass
- Configuring Dynamic and Downloadable ACL on Cisco ISE
- Configuring Pica8 Switches with ClearPass Guest Central Web Authentication
- Integrating Pica8 Switches with Cisco ISE
Procedure
Step1 Configure VLAN.
a) Create a VLAN.
set vlans vlan-id <vlan-id>
b) Assign the interface to the VLAN.
set interface gigabit-ethernet <port> family ethernet-switching native-vlan-id <vlan-id>
c) Configure the IP address of the VLAN.
set l3-interface vlan-interface <interface-name> address <address> prefix-length <number>
d) Associate a Layer 3 interface with a VLAN.
set vlans vlan-id <vlan-id> l3-interface <interface-name>
Step2 Configure the IP address of the RADIUS authentication server and the shared key. The same key must be configured for this switch on the RADIUS server.
set protocols dot1x aaa radius authentication server-ip <ip-address> [shared-key <key-string>]
Step3 Configure the IPv4 address and port number of the Web authentication server. This step is required for Web authentication.
set protocols dot1x aaa web server-ip <ipv4-address> [port <port-number>]
Step4 Configure the NAS IP address. Use the IP address of the L3 VLAN interface that connects to the AAA server.
set protocols dot1x aaa radius nas-ip <ip-address>
This command sets the NAS-IP-Address attribute in the RADIUS Access-Request messages the switch sends. If you use the management interface eth0/eth1 to connect to the AAA server, configure the IP address of the management interface eth0/eth1 as the NAS IP address instead. The AAA server identifies the switch by this address, so the NAS (client) entry on the server must use the same address and shared key; otherwise the server will not answer the switch's requests.
Step5 Configure the authentication mode.
set protocols dot1x interface <interface-name> auth-mode 802.1x
set protocols dot1x interface <interface-name> auth-mode mac-radius
set protocols dot1x interface <interface-name> auth-mode web
Step6 Configure block VLAN. This step is required for Web authentication.
a) Configure block VLAN ID.
set protocols dot1x block-vlan-id <block-vlan-id>
b) Assign the interface to the block VLAN.
set interface gigabit-ethernet <port> family ethernet-switching native-vlan-id <vlan-id>
c) Configure the IP address of block VLAN interface.
set l3-interface vlan-interface <interface-name> address <address> prefix-length <number>
d) Associate a Layer 3 interface with block VLAN.
set vlans vlan-id <block-vlan-id> l3-interface <interface-name>
Step7 Configure a RADIUS dynamic authorization client from which the switch accepts Change of Authorization (CoA) messages. The client IP is the address of the AAA server that sends CoA, and the shared key must match the key the server uses for CoA. CoA requests from any other address are not accepted. This step is required for CoA and Web authentication.
set protocols dot1x aaa radius dynamic-author client <client-ip> shared-key <key-string>
Step8 Configure host mode for NAC authentication interface.
set protocols dot1x interface <interface-name> host-mode <single | multiple>
Step9 Configure dynamic ACL on the switch.
a) Configure the filter conditions.
set protocols dot1x filter <filter-name> sequence <sequence-number> from <filter-condition>
b) Configure the filter action.
set protocols dot1x filter <filter-name> sequence <sequence-number> then action <discard | forward>
NOTE: The filter name that the AAA server returns in the RADIUS Filter-Id attribute must be identical to the filter name of the dynamic ACL configured on the switch; otherwise the switch cannot apply the ACL to the authenticated host.
Step10 (Optional) Configure a server-fail VLAN on the switch. Hosts are placed in this VLAN when no RADIUS server responds.
set protocols dot1x server-fail-vlan-id <vlan-id>
Step11 (Optional) Enable fallback to Web authentication for an interface in 802.1x mode. Setting disable to false enables the fallback; setting it to true turns it off.
set protocols dot1x interface <interface-name> auth-mode 802.1x fallback-to-web disable <true | false>
Step12 (Optional) Enable open authentication on a specified interface. Setting disable to false enables open authentication; setting it to true turns it off.
set protocols dot1x interface <interface-name> authentication-open disable <true | false>
Step13 Commit the configuration.
commit
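The following is a complete worked configuration that ties the steps above together. It is an added example and not part of the original page or the Pica8 documentation. The interface names (ge-1/1/1, ge-1/1/48), VLAN IDs, IP addresses, filter name, shared keys and the filter match keyword destination-address-ipv4 are assumptions chosen for illustration; replace them with your own values. In this example VLAN 10 carries the switch's connection to the AAA server, VLAN 100 is the access VLAN of the NAC-protected port, VLAN 200 is the block VLAN and VLAN 300 is the server-fail VLAN.

```text
## Added example configuration (not from the original page); names and addresses are assumed.

# Step 1: VLAN 10 reaches the AAA server (10.10.10.100) through uplink ge-1/1/48.
set vlans vlan-id 10
set interface gigabit-ethernet ge-1/1/48 family ethernet-switching native-vlan-id 10
set l3-interface vlan-interface vlan10 address 10.10.10.2 prefix-length 24
set vlans vlan-id 10 l3-interface vlan10

# Step 1: VLAN 100 is the access VLAN of the NAC-protected port ge-1/1/1.
set vlans vlan-id 100
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 100
set l3-interface vlan-interface vlan100 address 10.10.100.1 prefix-length 24
set vlans vlan-id 100 l3-interface vlan100

# Step 2: RADIUS authentication server and its shared key.
set protocols dot1x aaa radius authentication server-ip 10.10.10.100 shared-key r4d1usKeyExample

# Step 3: Web authentication server (required only for Web authentication).
set protocols dot1x aaa web server-ip 10.10.10.100 port 443

# Step 4: NAS-IP-Address is the vlan10 address that faces the AAA server.
set protocols dot1x aaa radius nas-ip 10.10.10.2

# Step 5 and Step 11: 802.1X on the access port, falling back to Web authentication.
set protocols dot1x interface ge-1/1/1 auth-mode 802.1x
set protocols dot1x interface ge-1/1/1 auth-mode 802.1x fallback-to-web disable false

# Step 6: block VLAN 200 with its own L3 interface (required for Web authentication).
set vlans vlan-id 200
set protocols dot1x block-vlan-id 200
set l3-interface vlan-interface vlan200 address 10.10.200.1 prefix-length 24
set vlans vlan-id 200 l3-interface vlan200

# Step 7: accept CoA only from the AAA server, using a key distinct from the RADIUS key.
set protocols dot1x aaa radius dynamic-author client 10.10.10.100 shared-key c0aKeyExample

# Step 8: one authenticated host per port.
set protocols dot1x interface ge-1/1/1 host-mode single

# Step 9: dynamic ACL "guest-acl". The AAA server must return Filter-Id = guest-acl
#         in its Access-Accept for this ACL to be applied to the host.
#         (The match keyword destination-address-ipv4 is assumed here.)
set protocols dot1x filter guest-acl sequence 10 from destination-address-ipv4 10.10.10.100/32
set protocols dot1x filter guest-acl sequence 10 then action forward
set protocols dot1x filter guest-acl sequence 20 from destination-address-ipv4 10.0.0.0/8
set protocols dot1x filter guest-acl sequence 20 then action discard

# Step 10: hosts land in VLAN 300 when no RADIUS server answers.
set vlans vlan-id 300
set protocols dot1x server-fail-vlan-id 300

# Step 12: keep open authentication off on the protected port.
set protocols dot1x interface ge-1/1/1 authentication-open disable true

# Step 13
commit
```

Two points to check against the AAA server before testing: the NAS entry for this switch on the server must use 10.10.10.2 and the RADIUS key r4d1usKeyExample, and the server's CoA settings must use the key c0aKeyExample, since the switch accepts CoA only from 10.10.10.100 with that key. The filter name in the server's Filter-Id attribute must read exactly guest-acl.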
Copyright © 2025 Pica8 Inc. All Rights Reserved.