IBM Tivoli and Cisco manual


Note: Both NAC L2 802.1x and NAC L2 IP configurations can be supported on the same switch. Similarly, the authorization setup under Network Access Profiles can be configured to support both NAC L2 802.1x clients and NAC L2 IP clients. This allows you to have a hybrid environment, using one ACS.

This section describes how to configure a Cisco 3750 switch acting as the NAD (network access device). The relevant parts of the running configuration are shown below, with the pre-posture ACL (initial-acl) and the two posture ACLs (Healthy_ACL and Quarantine_ACL) that ACS applies to the port:

aaa new-model
aaa authentication login local_only line
aaa authentication eou default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
!
! EAPoUDP (NAC L2 IP) admission rule; referenced by name on the access port below
ip admission name l2-lpip eapoudp
!
! Required for NAC L2 IP: the switch must track the IP address of each attached host
ip device tracking
!
eou timeout hold-period 61
eou timeout status-query 60
eou timeout retransmit 7
eou timeout revalidation 60
eou logging
identity profile eapoudp
!
<output omitted>

interface FastEthernet1/0/11
 description **L2IP Test Port**
 switchport access vlan 11
 switchport mode access
 ip access-group initial-acl in
 spanning-tree portfast
 ip admission l2-lpip
!
<output omitted>
!
! Posture ACLs: Healthy_ACL is wide open; Quarantine_ACL allows DHCP, the
! remediation hosts (192.168.9.220, 192.168.104.10), the agent port on
! 192.168.9.22, and HTTP. Note that "permit tcp any any eq www" lets a
! quarantined host reach any web server, not only the remediation hosts.
ip access-list extended Healthy_ACL
 remark **Healthy ACL**
 permit ip any any
ip access-list extended Quarantine_ACL
 remark **Quarantine ACLs**
 permit udp any eq bootpc any eq bootps
 permit udp any host 192.168.9.22 eq 21862
 permit icmp any host 192.168.9.220
 permit icmp any host 192.168.104.10
 permit ip any host 192.168.9.220
 permit ip any host 192.168.104.10
 permit tcp any any eq www
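The quarantine ACL is where a NAC deployment most often leaks: one entry with an "any" destination gives a non-compliant host more reach than the remediation servers. The following is an added example, not code from the Redbook, IBM or Cisco. It parses IOS extended ACLs of the form shown above and flags permit entries whose destination is "any"; the sample configuration is copied from the Healthy_ACL and Quarantine_ACL above, while the audit rule itself (flag any-destination permits except the DHCP client-to-server exchange a quarantined host needs) is this example's own assumption.

```python
"""Audit IOS extended ACLs for entries that let a quarantined host reach 'any' host.

Added example; not code from the Redbook, IBM or Cisco. SAMPLE_CONFIG is copied
from the Healthy_ACL / Quarantine_ACL on the page. The audit policy (flag
'permit' entries whose destination is 'any', except the DHCP exchange) is an
assumption of this example, not something the page prescribes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the NAD configuration above (constructed input for this example)
SAMPLE_CONFIG = """\
ip access-list extended Healthy_ACL
 remark **Healthy ACL**
 permit ip any any
ip access-list extended Quarantine_ACL
 remark **Quarantine ACLs**
 permit udp any eq bootpc any eq bootps
 permit udp any host 192.168.9.22 eq 21862
 permit icmp any host 192.168.9.220
 permit icmp any host 192.168.104.10
 permit ip any host 192.168.9.220
 permit ip any host 192.168.104.10
 permit tcp any any eq www
"""

PORT_OPS = {"eq", "neq", "gt", "lt"}


@dataclass
class Ace:
    """One access control entry of an IOS extended ACL."""
    action: str             # permit / deny
    proto: str              # ip / tcp / udp / icmp ...
    src: str                # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    raw: str


def _take_addr(tokens: List[str], i: int):
    """Consume an address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2   # address + wildcard mask


def _take_port(tokens: List[str], i: int):
    """Consume an optional port qualifier (eq/neq/gt/lt X, or range A B)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one 'permit'/'deny' line of an extended ACL."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _take_addr(tokens, 2)
    src_port, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dst_port, _ = _take_port(tokens, i)
    return Ace(action, proto, src, src_port, dst, dst_port, line.strip())


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Return {acl_name: [Ace, ...]} for every 'ip access-list extended' block."""
    acls: Dict[str, List[Ace]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"ip access-list extended (\S+)$", line)
        if header:
            current = header.group(1)
            acls[current] = []
        elif current and line.startswith(("permit ", "deny ")):
            acls[current].append(parse_ace(line))
        # remarks, blank lines and text outside an ACL block are ignored
    return acls


def _is_dhcp_request(ace: Ace) -> bool:
    """DHCP client -> server traffic, which a quarantined host legitimately needs."""
    return (ace.proto == "udp" and ace.src_port == "eq bootpc"
            and ace.dst_port == "eq bootps")


def audit_quarantine(aces: List[Ace]) -> List[Ace]:
    """Permit entries that reach any destination (assumed policy, DHCP exempted)."""
    return [a for a in aces
            if a.action == "permit" and a.dst == "any" and not _is_dhcp_request(a)]


if __name__ == "__main__":
    for name, aces in parse_acls(SAMPLE_CONFIG).items():
        for ace in audit_quarantine(aces):
            print(f"{name}: broad destination -> {ace.raw}")
```

Run against the page's ACLs, the audit reports "permit ip any any" in Healthy_ACL, which is expected for a compliant host, and "permit tcp any any eq www" in Quarantine_ACL, which is the entry worth reviewing: if the intent is only to let quarantined hosts reach the remediation web servers, it should name those hosts rather than any.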

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems, page 296
