Configuring NAC



Prerequisite

You need to complete the NAC configuration on both the AAA server and the PICA8 switch when employing the NAC function. The following section describes how to configure NAC on the PICA8 switch. For details about how to configure NAC on the AAA server, please refer to the following documents in Typical Configuration of NAC:

  • Configuring Dynamic and Downloadable ACL for ClearPass
  • Configuring Dynamic and Downloadable ACL on Cisco ISE
  • Configuring Pica8 Switches with ClearPass Guest Central Web Authentication
  • Integrating Pica8 Switches with Cisco ISE

Procedure

Step1         Configure VLAN.

    a)      Create a VLAN.

    set vlans vlan-id <vlan-id>

    b)     Assign the interface to the VLAN.

    set interface gigabit-ethernet <port> family ethernet-switching native-vlan-id <vlan-id>

    c)     Configure the IP address of the VLAN.

    set l3-interface vlan-interface <interface-name> address <address> prefix-length <number>

    d)     Associate a Layer 3 interface with a VLAN.

    set vlans vlan-id <vlan-id> l3-interface <interface-name>

Step2         Configure the IP address of the RADIUS authentication server and the shared key.

    set protocols dot1x aaa radius authentication server-ip <ip-address> [shared-key <key-string>]

Step3         (Optional) Configure the UDP ports of the RADIUS authentication server and accounting server.

    set protocols dot1x aaa radius authentication server-ip <ip-address> auth-port <port-number>

    set protocols dot1x aaa radius authentication server-ip <ip-address> acct-port <port-number>

Step4         Configure the DNS server IP address. This step is required for Web authentication.

   set system dns-server-ip <dns-server-ip>

NOTE:

Make sure to configure the mapping of the domain name of the redirect URL to the IP address on the DNS server.

Step5         Configure the NAS IP address to the L3 interface IP which is connected to the AAA server.

    set protocols dot1x aaa radius nas-ip <ip-address>

    This command sets the NAS-IP-Address field in the RADIUS Access-Request message. It can be the IP address of a VLAN interface, eth0, a routed interface or a sub-interface.

Step6         Configure the authentication mode.

    set protocols dot1x interface <interface-name> auth-mode 802.1x

    set protocols dot1x interface <interface-name> auth-mode mac-radius

    set protocols dot1x interface <interface-name> auth-mode web

Step7         Configure block VLAN. This step is required for Web authentication.

    a)      Configure block VLAN ID.

    set protocols dot1x block-vlan-id <block-vlan-id>

    b)      Assign the interface to the VLAN.

    set interface gigabit-ethernet <port> family ethernet-switching native-vlan-id <vlan-id>

    c)      Configure the IP address of block VLAN interface.

    set l3-interface vlan-interface <interface-name> address <address> prefix-length <number>

    d)      Associate a Layer 3 interface with block VLAN.

    set vlans vlan-id <block-vlan-id> l3-interface <interface-name>

Step8         Configure a RADIUS dynamic authorization client from which the switch accepts Change of Authorization (CoA) messages. This step is required for CoA and Web authentication.

    set protocols dot1x aaa radius dynamic-author client <client-ip> shared-key <key-string>

Step9         (Optional) Configure the UDP port of the RADIUS dynamic authorization server for the CoA function. This is the UDP port on the switch side.

    set protocols dot1x aaa radius dynamic-author client <client-ip> port <port-number>

Step10        Configure host mode for NAC authentication interface.

    set protocols dot1x interface <interface-name> host-mode <single | multiple>

Step11       Configure dynamic ACL on the switch.

    a)      Configure the filter conditions.

    set protocols dot1x filter <filter-name> sequence <sequence-number> from <filter-condition>

    b)      Configure the filter action.

    set protocols dot1x filter <filter-name> sequence <number> then action <discard | forward>

NOTE:

The filter name returned by the AAA server in the Filter-Id attribute must match the filter name of the dynamic ACL configured on the switch.

Step12        (Optional) Configure a server fail VLAN on the switch.

    set protocols dot1x server-fail-vlan-id <vlan-id>

Step13        (Optional) Enable fallback to WEB function.

    set protocols dot1x interface <interface-name> auth-mode 802.1x fallback-to-web disable <true | false>

Step14        (Optional) Enable open authentication function on a specified interface.

    set protocols dot1x interface <interface-name> authentication-open disable <true | false>

Step15        (Optional) Use either one of the following two commands to configure the maximum number of NAC sessions that can be established on a port enabled for NAC.

    By default, there is no limit on the number of NAC sessions.

    set protocols dot1x interface <interface-name> max-sessions <max-sessions-number>

    set protocols dot1x max-sessions-per-port <max-sessions-number>

Step16        Commit the configuration.

    commit
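The following is an added worked example that walks through the procedure above with concrete values; it is not configuration from the original page or from Pica8. Every VLAN ID, address, port name, filter name and filter condition is constructed for illustration, and the shared keys are placeholders to be replaced with real secrets.

```text
# Step 1: user VLAN 100 with an L3 interface; ge-1/1/1 is the NAC access port (constructed)
set vlans vlan-id 100
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 100
set l3-interface vlan-interface vlan100 address 192.168.100.1 prefix-length 24
set vlans vlan-id 100 l3-interface vlan100

# Steps 2-3: RADIUS server (constructed address) with explicit auth/acct ports
set protocols dot1x aaa radius authentication server-ip 10.10.10.5 shared-key <RADIUS-SHARED-KEY>
set protocols dot1x aaa radius authentication server-ip 10.10.10.5 auth-port 1812
set protocols dot1x aaa radius authentication server-ip 10.10.10.5 acct-port 1813

# Step 4: DNS server that resolves the redirect URL's domain name (Web authentication)
set system dns-server-ip 10.10.10.53

# Step 5: NAS IP = address of the L3 interface facing the AAA server (constructed: vlan10)
set protocols dot1x aaa radius nas-ip 10.10.10.1

# Step 6: 802.1X on the access port (Step 13 adds Web fallback below)
set protocols dot1x interface ge-1/1/1 auth-mode 802.1x

# Step 7: block VLAN 200 for hosts awaiting Web authentication
# (7b repeats the port command from 1b; the port is left in VLAN 100 here, an assumption)
set protocols dot1x block-vlan-id 200
set l3-interface vlan-interface vlan200 address 192.168.200.1 prefix-length 24
set vlans vlan-id 200 l3-interface vlan200

# Steps 8-9: the AAA server is also the CoA client; UDP 3799 is the standard CoA port
set protocols dot1x aaa radius dynamic-author client 10.10.10.5 shared-key <COA-SHARED-KEY>
set protocols dot1x aaa radius dynamic-author client 10.10.10.5 port 3799

# Step 10: several hosts (e.g. a phone and a PC) may authenticate on the port
set protocols dot1x interface ge-1/1/1 host-mode multiple

# Step 11: dynamic ACL "guest-acl"; the AAA server must return Filter-Id = guest-acl
# (the from-condition syntax is an assumption for the <filter-condition> placeholder)
set protocols dot1x filter guest-acl sequence 10 from destination-address 10.10.10.0/24
set protocols dot1x filter guest-acl sequence 10 then action discard
set protocols dot1x filter guest-acl sequence 20 from destination-address 0.0.0.0/0
set protocols dot1x filter guest-acl sequence 20 then action forward

# Steps 12-15: server-fail VLAN, Web fallback, open authentication kept off, session cap
set protocols dot1x server-fail-vlan-id 300
set protocols dot1x interface ge-1/1/1 auth-mode 802.1x fallback-to-web disable false
set protocols dot1x interface ge-1/1/1 authentication-open disable true
set protocols dot1x interface ge-1/1/1 max-sessions 4

# Step 16
commit
```

Sequence 10 denies guest hosts access to the AAA/management subnet while sequence 20 forwards everything else; the discard-before-forward ordering is what makes the filter a meaningful restriction rather than a no-op.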


Copyright © 2024 Pica8 Inc. All Rights Reserved.