Global Configuration AAA Commands

Wired NAC configuration commands

Uploaded by

TESSY

Global Configuration AAA Commands

  aaa new-model                                            # enable AAA
  aaa authentication dot1x default group radius            # create the authentication method for 802.1X
  aaa authorization network default group radius           # create the authorization method for 802.1X
  aaa accounting dot1x default start-stop group radius     # create the accounting method for 802.1X
  aaa accounting update newinfo periodic 2880              # send interim accounting updates (every 2880 minutes)

Global Configuration RADIUS Commands

- IOS 12.2.x
  username radius-test password password                   # add a username and password for the RADIUS keepalive
  radius-server host ise_ip_address auth-port 1812 acct-port 1813 test username radius-test key shared_secret
                                                           # add the Cisco ISE servers to the RADIUS group

- IOS 15.x and IOS XE
  username radius-test secret password                     # add a username and password for the RADIUS keepalive
  radius server [name]                                     # add the Cisco ISE server
   address ipv4 [ip-address] auth-port 1812 acct-port 1813 # configure the IP address, authentication port, and accounting port
   key [shared-secret]                                     # configure the shared secret
   automate-tester username [username-from-step-1]         # use the keepalive user created above

- IOS 12.2.x, 15.x, and IOS XE
  radius-server dead-criteria time 5 tries 3               # set the dead criteria
  aaa server radius dynamic-author                         # enable Change of Authorization (CoA)
   client ise_ip_address server-key shared_secret          # ISE is the only host allowed to send CoA
  radius-server vsa send authentication                    # configure the switch to use the Cisco VSAs
  radius-server vsa send accounting
  radius-server attribute 6 on-for-login-auth              # enable the vendor-specific attributes (VSAs)
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  ip radius source-interface interface_name                # ensure that the switch always sends RADIUS traffic from the correct interface;
                                                           # it is a best practice to force all management communications through a specific interface
  snmp-server trap-source interface_name
  snmp-server source-interface informs interface_name

Global 802.1X Commands

  dot1x system-auth-control                                # enable 802.1X globally on the switch

- IOS 12.2.x, 15.x
  ip device tracking                                       # enable dACLs to function on IOS 12.2 and 15.x

- IOS 15.2(2) or IOS XE 03.06.00 and later versions
  ip device tracking probe auto-source
  ip device tracking probe delay 10

Creating Local Access Control Lists

- ACL to be used on switch ports in monitor mode
  ip access-list extended ACL-ALLOW
   permit ip any any
  ip access-list extended ACL-DEFAULT
   remark DHCP
   permit udp any eq bootpc any eq bootps
   remark DNS
   permit udp any any eq domain
   remark Ping
   permit icmp any any
   remark PXE / TFTP
   permit udp any any eq tftp
   remark Drop all the rest
   deny ip any any log

- ACL to be used for URL redirection with web authentication
  ip access-list extended ACL-WEBAUTH-REDIRECT
   remark explicitly deny DNS from being redirected to address a bug
   deny udp any any eq 53
   remark redirect all applicable traffic to the ISE server
   permit tcp any any eq 80
   permit tcp any any eq 443
   remark all other traffic is implicitly excluded from the redirection

- ACL to be used for URL redirection with the posture agent
  ip access-list extended ACL-AGENT-REDIRECT
   remark explicitly deny DNS and DHCP from being redirected
   deny udp any any eq 53 bootps
   remark redirect HTTP traffic only
   permit tcp any any eq 80
   remark all other traffic is implicitly excluded from the redirection

Configure Flexible Authentication and High Availability

NB: verify the resulting configuration with
  show running-config all | inc radius-server
  show running-config all | inc ip device tracking
  show ip device tracking all
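As an added example (not part of the original cheat sheet), the audit below reads saved "show running-config" output and checks it against the global commands listed above and against the ordering rule of the web-auth redirect ACL (DNS denied before anything is permitted into the redirect). The sample config and the ACL name are constructed for the demo; the command list is the IOS 15.x / IOS XE form from this page.

```python
import re
# Global commands the checklist above requires (IOS 15.x / IOS XE form);
# each entry is matched as a prefix of an unindented running-config line.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa accounting dot1x default start-stop group radius",
    "radius-server dead-criteria time 5 tries 3",
    "radius-server vsa send authentication",
    "radius-server vsa send accounting",
    "dot1x system-auth-control",
    "ip device tracking",
]
# Constructed sample "show running-config" output; it deliberately omits
# "radius-server vsa send accounting" so the audit has something to find.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server dead-criteria time 5 tries 3
radius-server vsa send authentication
dot1x system-auth-control
ip device tracking
ip access-list extended ACL-WEBAUTH-REDIRECT
 remark explicitly deny DNS from being redirected
 deny udp any any eq 53
 permit tcp any any eq 80
"""

def missing_global_commands(config):
    """Return the required commands no top-level (unindented) line starts with."""
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]
    return [c for c in REQUIRED_GLOBAL if not any(l.startswith(c) for l in top)]

def acl_entries(config, name):
    """Return the ACEs of extended ACL `name`, in order, with remarks dropped."""
    pattern = r"^ip access-list ext\w* %s\n((?: .*\n)*)" % re.escape(name)
    block = re.search(pattern, config, re.M)
    lines = block.group(1).splitlines() if block else []
    return [l.strip() for l in lines if not l.strip().startswith("remark")]

def dns_denied_before_redirect(aces):
    """Redirect-ACL rule from the checklist: udp/53 is denied before any permit."""
    for ace in aces:
        if ace.startswith("permit"):
            return False
        if ace.startswith("deny udp any any eq 53"):
            return True
    return False
```

Run it against the real output of "show running-config all" (saved to a file) instead of SAMPLE_CONFIG to audit a switch; a non-empty result from missing_global_commands() or False from dns_denied_before_redirect() is a finding to fix before enabling 802.1X on access ports.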
