Configuring Cisco 3750 switch for NAC L2 802.1x

New for NAC Phase 2 is the ability of a Cisco switch to act as a NAC policy enforcement device. For the purposes of this book, we used a Cisco 3750 switch, running the Advanced IP Services version 12.2(25)SEE2 of IOS.

Switch Ports Model          SW Version     SW Image
------ ----- -----          ----------     --------
*    1 26    WS-C3750-24P   12.2(25)SEE2   C3750-ADVIPSERVICESK

Our example uses NAC L2 802.1x (L2Dot1x). The protocol used in this architecture is EAPOL, as opposed to EAPoUDP (EOU). For this reason, no EOU configuration is required on the switch, just a straightforward dot1x configuration. We recommend that you check the Cisco Web site for the latest hardware/software compatibility matrices, as this could determine which deployments of NAC are available to you. For example, at the time of writing this book, a Cisco 2950 switch supports NAC L2 802.1x, but not NAC L2/L3 IP (no support for EoU). Another example is that a Cisco 6500 running 12.2(18)SXF does not support NAC L2 802.1x authentication and validation on edge switches.

The current switch compatibility matrix can be found at:

http://www.cisco.com/en/US/partner/netsol/ns617/networking_solutions_documentation_roadmap09186a008066499c.html#wp1016600

Note: Always thoroughly document the environment on which you wish to deploy this solution. You may find that the environment is either already compatible or requires IOS upgrades or hardware upgrades.

The basic switch configuration is listed below:

aaa new-model
aaa authentication login local_only line
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
ip routing
!
dot1x system-auth-control
!
ip radius source-interface Vlan9
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server host 192.168.9.22 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco123
radius-server vsa send authentication
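As an added example (not code from the Redbook, IBM or Cisco), the following Python script audits a saved running-config for the global commands that the NAC L2 802.1x configuration above depends on, and flags a RADIUS shared key stored in cleartext. The finding labels, the `audit_nac_dot1x` function and both sample configurations are this script's own constructions; the first sample mirrors the configuration listed above, the second is deliberately incomplete so the check has something to report.

```python
import re

# Global IOS commands the NAC L2 802.1x switch configuration depends on.
# Each entry: (finding label, anchored regex matched against a normalised line).
REQUIRED_GLOBALS = [
    ("aaa new-model",                    r"^aaa new-model$"),
    ("dot1x authentication via RADIUS",  r"^aaa authentication dot1x default group radius$"),
    ("network authorization via RADIUS", r"^aaa authorization network default group radius$"),
    ("dot1x accounting via RADIUS",      r"^aaa accounting dot1x default start-stop group radius$"),
    ("dot1x enabled globally",           r"^dot1x system-auth-control$"),
    ("RADIUS server defined",            r"^radius-server host \S+"),
    ("RADIUS shared key configured",     r"^radius-server key "),
    ("RADIUS VSAs sent",                 r"^radius-server vsa send authentication$"),
]


def normalise(config_text):
    """Split a config dump into stripped command lines, dropping blanks and '!' separators."""
    lines = []
    for raw in config_text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if not line or line.startswith("!"):
            continue
        lines.append(line)
    return lines


def audit_nac_dot1x(config_text):
    """Return which required global commands are missing, plus hardening warnings."""
    lines = normalise(config_text)
    missing = [label for label, pattern in REQUIRED_GLOBALS
               if not any(re.match(pattern, line) for line in lines)]
    warnings = []
    for line in lines:
        # 'radius-server key <secret>' or 'radius-server key 0 <secret>' is cleartext;
        # with service password-encryption IOS stores it as 'radius-server key 7 <...>'.
        m = re.match(r"^radius-server key (\d+ )?(\S+)", line)
        if m and (m.group(1) is None or m.group(1).strip() == "0"):
            warnings.append("RADIUS shared key stored in cleartext")
    return {"missing": missing, "warnings": warnings, "compliant": not missing}


# Constructed sample: the global configuration listed above, one command per line.
SAMPLE_OK = """\
aaa new-model
aaa authentication login local_only line
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
ip routing
!
dot1x system-auth-control
!
ip radius source-interface Vlan9
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server host 192.168.9.22 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco123
radius-server vsa send authentication
"""

# Constructed sample: dot1x never switched on globally and VSAs not sent;
# the key value is an obviously made-up type-7 string.
SAMPLE_INCOMPLETE = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.168.9.22 auth-port 1645 acct-port 1646
radius-server key 7 PLACEHOLDER-TYPE7-STRING
"""

if __name__ == "__main__":
    for name, cfg in (("listed config", SAMPLE_OK), ("incomplete config", SAMPLE_INCOMPLETE)):
        result = audit_nac_dot1x(cfg)
        print(f"{name}: compliant={result['compliant']}")
        for item in result["missing"]:
            print(f"  missing: {item}")
        for item in result["warnings"]:
            print(f"  warning: {item}")
```

The check only covers the global commands shown on this page; per-interface dot1x settings are outside its scope and would need a separate pass over each interface stanza.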

292 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
