292 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Configuring Cisco 3750 switch for NAC L2 802.1x
New in NAC Phase 2 is the ability of a Cisco switch to act as a NAC policy
enforcement device. For the purposes of this book we used a Cisco 3750 switch
running the Advanced IP Services image of IOS, version 12.2(25)SEE2, as
reported by show version:

Switch Ports Model         SW Version    SW Image
*    1 26    WS-C3750-24P  12.2(25)SEE2  C3750-ADVIPSERVICESK
Our example uses NAC L2 802.1x (L2Dot1x). The protocol carried between the
supplicant and the switch in this architecture is EAP over LAN (EAPOL), not
EAP over UDP (EAPoUDP, or EOU). For this reason no EOU configuration is
required on the switch; a straightforward dot1x configuration is enough. We
recommend that you check the Cisco Web site for the latest hardware/software
compatibility matrices, as they determine which NAC deployment models are
available to you. For example, at the time of writing, a Cisco 2950 switch
supports NAC L2 802.1x but not NAC L2/L3 IP (no EOU support). Another example
is that a Cisco 6500 running 12.2(18)SXF does not support NAC L2 802.1x
authentication and validation on edge switches.

The current switch compatibility matrix can be found at:
http://www.cisco.com/en/US/partner/netsol/ns617/networking_solutions_documentation_roadmap09186a008066499c.html#wp1016600
The basic global switch configuration is listed below. Per-port dot1x
commands are not part of this global section; each access port that is to
enforce NAC still needs its own dot1x port-control setting.

! Enable AAA and hand 802.1x authentication, authorization and
! accounting to the RADIUS server group
aaa new-model
aaa authentication login local_only line
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
ip routing
!
! Enable 802.1x globally (ports are enabled individually with
! "dot1x port-control auto")
dot1x system-auth-control
!
! Source RADIUS traffic from the management VLAN interface, so the
! RADIUS server sees a predictable NAS address
ip radius source-interface Vlan9
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
! The legacy RADIUS ports 1645/1646 are used here; the server must
! listen on them (1812/1813 are the IANA-assigned defaults)
radius-server host 192.168.9.22 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
! Example shared secret only; use a long, unique secret in production
radius-server key cisco123
! Send Cisco vendor-specific attributes in authentication requests
radius-server vsa send authentication
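As an added example (it is not code from the Redbook, from IBM or from Cisco), the following Python script audits an IOS running-config for the global prerequisites listed above and reports which access ports actually enforce 802.1x. The embedded sample config is constructed: its global section copies the 3750 configuration above, while the interface section (FastEthernet1/0/1, FastEthernet1/0/2, GigabitEthernet1/0/1 and Vlan9) is an assumption added to illustrate the per-port check. The per-port test looks for "dot1x port-control auto", because "dot1x system-auth-control" alone enforces nothing on a port; the list of required global commands and the set of well-known weak secrets are the author's choices for this example, not Cisco requirements.

```python
"""Audit an IOS running-config for the NAC L2 802.1x prerequisites.

Added example, not from the Redbook. Run it directly to see a report for
the constructed sample config, or import audit() for your own config.
"""

import re

# Constructed sample: the global section copies the page's 3750 config;
# the interface section is an assumption added for the per-port check.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login local_only line
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
ip routing
!
dot1x system-auth-control
!
ip radius source-interface Vlan9
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server host 192.168.9.22 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco123
radius-server vsa send authentication
!
interface FastEthernet1/0/1
 switchport mode access
 dot1x port-control auto
 dot1x reauthentication
!
interface FastEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
!
"""

# Global commands the NAC L2 802.1x design on this page depends on
# (regex matched against each config line, plus a readable requirement).
REQUIRED_GLOBAL = [
    (r"^aaa new-model$", "AAA enabled (aaa new-model)"),
    (r"^aaa authentication dot1x default group radius$",
     "802.1x authentication handed to RADIUS"),
    (r"^aaa authorization network default group radius$",
     "network authorization (VLAN/ACL assignment) from RADIUS"),
    (r"^aaa accounting dot1x default start-stop group radius$",
     "802.1x accounting to RADIUS"),
    (r"^dot1x system-auth-control$", "802.1x enabled globally"),
    (r"^radius-server host \S+", "at least one RADIUS server defined"),
    (r"^radius-server key \S+", "RADIUS shared secret configured"),
    (r"^radius-server vsa send authentication$",
     "Cisco VSAs sent with authentication requests"),
]

# Secrets that appear in examples and labs; assumed unacceptable in production.
WEAK_SECRETS = {"cisco", "cisco123", "secret", "radius"}


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from an IOS running-config.

    IOS indents interface sub-commands by one space; an unindented line
    (a '!' separator or the next global command) ends the block.
    """
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit(config):
    """Check global prerequisites and classify access ports.

    Returns a dict with keys:
      missing     - required global commands that are absent
      weak_secret - True if the RADIUS key is a well-known example value
      enforcing   - access ports configured with 'dot1x port-control auto'
      open        - access ports on which 802.1x is not enforced
    """
    lines = [l.rstrip() for l in config.splitlines()]
    result = {"missing": [], "weak_secret": False, "enforcing": [], "open": []}

    for pattern, requirement in REQUIRED_GLOBAL:
        if not any(re.match(pattern, l) for l in lines):
            result["missing"].append(requirement)

    for l in lines:
        m = re.match(r"^radius-server key (\S+)$", l)
        if m and m.group(1).lower() in WEAK_SECRETS:
            result["weak_secret"] = True

    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # only access ports face 802.1x supplicants here
        bucket = "enforcing" if "dot1x port-control auto" in cmds else "open"
        result[bucket].append(name)
    return result


def report(config):
    """Human-readable summary, one line per finding."""
    r = audit(config)
    out = [f"missing global command: {m}" for m in r["missing"]]
    if r["weak_secret"]:
        out.append("RADIUS shared secret is a well-known example value")
    out += [f"{p}: 802.1x enforced" for p in r["enforcing"]]
    out += [f"{p}: access port WITHOUT 802.1x enforcement" for p in r["open"]]
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

On the sample config the script finds no missing global command, flags the example shared secret, lists FastEthernet1/0/1 as enforcing and FastEthernet1/0/2 as an access port that has not been brought under 802.1x control. Feed it the output of show running-config from your own switches to spot ports that were left open during a rollout.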
Note: Always document thoroughly the environment in which you intend to
deploy this solution. You may find that the environment is already compatible,
or that it requires IOS upgrades or hardware upgrades before NAC can be
enforced on the switches.