Version: 4.1.6.53
For the purposes of this document the following network infrastructure values are assumed; replace them with your own:
- NACVIEW server IP address: NACVIEW_SERV
- RADIUS shared secret: RADIUS_KEY
- TACACS+ shared secret: TAC+_KEY
- SNMP v2c community string: SNMP_SECRET
- SNMP v3 authentication and privacy passwords: SNMP_AUTH, SNMP_PRIV
- SNMP v3 user: SNMP_USER
- SNMP v3 group: SNMP_GROUP
- SNMP v3 view: SNMP_VIEW
- Management VLAN (source interface for RADIUS, TACACS+ and SNMP traffic): VLAN_ID
- Syslog source interface: MGMT_INT
RADIUS server for 802.1X authentication and accounting:
C1300# configure terminal
C1300(config)#radius-server host NACVIEW_SERV auth-port 1812 acct-port 1813 key RADIUS_KEY
C1300(config)#radius-server host source-interface Vlan VLAN_ID
C1300(config)#aaa authentication dot1x default radius
C1300(config)#aaa accounting dot1x start-stop group radius
RADIUS dynamic authorization, so that NACVIEW can send CoA and Disconnect-Requests to the switch on UDP port 3799:
C1300# configure terminal
C1300(config)# aaa server radius dynamic-author
C1300(config-locsvr-da-radius)# client NACVIEW_SERV server-key RADIUS_KEY
C1300(config-locsvr-da-radius)# port 3799
C1300(config-locsvr-da-radius)# exit
TACACS+ for administrative (management) access:
C1300#configure terminal
C1300(config)#tacacs-server host NACVIEW_SERV key TAC+_KEY
C1300(config)#tacacs-server host source-interface vlan VLAN_ID
C1300(config)#aaa accounting login start-stop group tacacs+
C1300(config)#aaa authentication login authorization default tacacs local
C1300(config)#line ssh
C1300(config-line)#login authentication default
C1300(config-line)#exit
C1300(config)#ip http authentication aaa login-authentication tacacs local
C1300(config)#ip http secure-server authentication aaa login-authentication tacacs local
With the method list tacacs local, the local user database is consulted only when no TACACS+ server responds, not when the server rejects the login, so keep a local account for recovery. The line ssh block applies TACACS+ to the CLI; the last two commands extend it to the HTTP and HTTPS web interface as well. Leave them out if TACACS+ should cover the CLI only.
Global 802.1X settings (enable 802.1X on the switch and MAC-based authentication via EAP):
C1300(config)#dot1x system-auth-control
C1300(config)#dot1x mac-auth eap
Port configuration, variant 1: 802.1X only, one host per port:
C1300(config)#interface GigabitEthernet3
C1300(config-if)#dot1x authentication 802.1x
C1300(config-if)#dot1x host-mode single-host
C1300(config-if)#dot1x radius-attributes vlan
C1300(config-if)#dot1x reauthentication
C1300(config-if)#dot1x timeout reauth-period 3600
C1300(config-if)#dot1x port-control auto
Port configuration, variant 2: 802.1X with MAC-based authentication as fallback, one host per port:
C1300(config)#interface GigabitEthernet3
C1300(config-if)#dot1x authentication 802.1x mac
C1300(config-if)#dot1x host-mode single-host
C1300(config-if)#dot1x radius-attributes vlan
C1300(config-if)#dot1x reauthentication
C1300(config-if)#dot1x timeout reauth-period 3600
C1300(config-if)#dot1x port-control auto
Port configuration, variant 3: 802.1X with MAC-based authentication, multiple sessions per port (up to 10 authenticated hosts, e.g. behind an IP phone or unmanaged switch):
C1300(config)#interface GigabitEthernet3
C1300(config-if)#dot1x authentication 802.1x mac
C1300(config-if)#dot1x host-mode multi-session
C1300(config-if)#dot1x max-hosts 10
C1300(config-if)#dot1x radius-attributes vlan
C1300(config-if)#dot1x reauthentication
C1300(config-if)#dot1x timeout reauth-period 3600
C1300(config-if)#dot1x port-control auto
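The two RADIUS exchanges the configuration above relies on, as an added Python example (not NACVIEW or Cisco code): the dynamic-author block lets NACVIEW send RFC 5176 Disconnect-Requests to the switch on UDP 3799, which the switch accepts only when they are keyed with RADIUS_KEY, and dot1x radius-attributes vlan makes the switch honour the VLAN carried in the Tunnel-* attributes of the Access-Accept. The code builds and verifies a Disconnect-Request the way the switch does (Request Authenticator plus Message-Authenticator) and encodes and decodes the VLAN attributes. It assumes the session is identified by Calling-Station-Id (the client MAC) and uses constructed values for the key, MAC and VLAN; send_disconnect() is the only function that touches the network.

```python
"""Added example, not NACVIEW or Cisco code: the RADIUS bytes behind
'aaa server radius dynamic-author' (RFC 5176 Disconnect-Request on UDP 3799,
keyed with RADIUS_KEY) and 'dot1x radius-attributes vlan' (VLAN carried in
the Access-Accept).  Standard library only; assumes sessions are identified
by Calling-Station-Id and uses constructed values in __main__."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional

DISCONNECT_REQUEST = 40                    # RFC 5176 code (reply: 41 ACK, 42 NAK)
CALLING_STATION_ID = 31                    # RFC 2865 attribute type
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
MESSAGE_AUTHENTICATOR = 80                 # RFC 3579
HEADER = struct.Struct("!BBH16s")          # code, identifier, length, authenticator


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Attributes the RADIUS server sends in Access-Accept for dynamic VLAN (RFC 3580)."""
    return (avp(TUNNEL_TYPE, bytes([tag]) + (13).to_bytes(3, "big"))         # 13 = VLAN
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + (6).to_bytes(3, "big"))  # 6 = IEEE-802
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def decode_vlan(attrs: bytes) -> Optional[str]:
    """Read the VLAN back out of an attribute list, as the switch does."""
    off = 0
    while off + 2 <= len(attrs):
        a_type, a_len = attrs[off], attrs[off + 1]
        if a_len < 2 or off + a_len > len(attrs):
            return None                            # malformed attribute list
        if a_type == TUNNEL_PRIVATE_GROUP_ID:
            value = attrs[off + 2:off + a_len]
            if value and value[0] <= 0x1F:         # RFC 2868: leading octet <= 0x1F is a tag
                value = value[1:]
            return value.decode("ascii", "replace")
        off += a_len
    return None


def build_disconnect_request(secret: bytes, identifier: int, mac: str) -> bytes:
    """Disconnect-Request as NACVIEW would send it.  Message-Authenticator (HMAC-MD5
    with the authenticator field and its own value zeroed) is filled in first, then the
    Request Authenticator = MD5(packet || secret) over the finished packet (RFC 5176 2.3)."""
    attrs = avp(CALLING_STATION_ID, mac.encode())
    attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))  # kept last so its value is pkt[-16:]
    pkt = bytearray(HEADER.pack(DISCONNECT_REQUEST, identifier & 0xFF,
                                HEADER.size + len(attrs), bytes(16)) + attrs)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)


def verify_disconnect_request(pkt: bytes, secret: bytes) -> bool:
    """The check the switch performs with RADIUS_KEY before acting on the request."""
    if len(pkt) < HEADER.size:
        return False
    code, _ident, length, auth = HEADER.unpack_from(pkt)
    if code != DISCONNECT_REQUEST or length != len(pkt):
        return False
    zeroed = bytearray(pkt)
    zeroed[4:20] = bytes(16)
    if not hmac.compare_digest(hashlib.md5(bytes(zeroed) + secret).digest(), auth):
        return False                               # wrong shared secret or tampered packet
    msg_auth, off = None, HEADER.size
    while off + 2 <= len(pkt):
        a_type, a_len = pkt[off], pkt[off + 1]
        if a_len < 2 or off + a_len > len(pkt):
            return False
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            msg_auth = pkt[off + 2:off + 18]
            zeroed[off + 2:off + 18] = bytes(16)
        off += a_len
    if msg_auth is None:
        return False   # this checker refuses to trust the plain MD5 authenticator alone
    return hmac.compare_digest(hmac.new(secret, bytes(zeroed), hashlib.md5).digest(), msg_auth)


def send_disconnect(switch_ip: str, secret: bytes, mac: str, port: int = 3799) -> int:
    """Send one Disconnect-Request to a real switch and return the reply code (network)."""
    pkt = build_disconnect_request(secret, os.urandom(1)[0], mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(pkt, (switch_ip, port))
        return sock.recv(4096)[0]


if __name__ == "__main__":
    secret, mac = b"RADIUS_KEY", "aa:bb:cc:dd:ee:ff"   # constructed values
    pkt = build_disconnect_request(secret, 7, mac)
    print(len(pkt), verify_disconnect_request(pkt, secret), decode_vlan(vlan_attributes(100)))
```

To test the dynamic-author block against a real switch, call send_disconnect("NACVIEW_SERV-side switch IP", b"RADIUS_KEY", "<client MAC>") from a host that is allowed to reach the switch; a reply code of 41 means the switch accepted the key and found the session, 42 means it rejected the request (wrong key, unknown session, or a client address not listed under aaa server radius dynamic-author).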
SNMPv3 (authenticated and encrypted; preferred over v2c). Note that setting the engine ID erases the existing SNMPv3 user database, as the prompts below warn:
C1300#configure terminal
C1300(config)#snmp-server server
C1300(config)#snmp-server engineID local Default
The engine-id must be unique within your administrative domain.
Do you wish to continue ? (Y/N)[N] Y
The SNMPv3 database will be erased.
Do you wish to continue? (Y/N)[N] Y
C1300(config)#snmp-server enable traps
C1300(config)#snmp-server trap authentication
C1300(config)#snmp-server group SNMP_GROUP v3 priv read SNMP_VIEW write SNMP_VIEW
C1300(config)#snmp-server user SNMP_USER SNMP_GROUP v3 auth sha SNMP_AUTH priv SNMP_PRIV
Optional, to have the switch also send SNMPv3 traps and informs to NACVIEW:
C1300(config)#snmp-server host NACVIEW_SERV traps version 3 priv SNMP_USER
C1300(config)#snmp-server host NACVIEW_SERV informs version 3 priv SNMP_USER
SNMPv2c, only where SNMPv3 cannot be used (the community string travels in clear text):
C1300#configure terminal
C1300(config)#snmp-server enable traps
C1300(config)#snmp-server community SNMP_SECRET rw
The rw community grants SNMP write access to anyone who learns SNMP_SECRET; use ro unless NACVIEW actually has to write to the switch.
C1300(config)#snmp-server source-interface traps vlan VLAN_ID
C1300(config)#snmp-server source-interface informs vlan VLAN_ID
C1300(config)#snmp-server host NACVIEW_SERV informs version 2c SNMP_SECRET
C1300(config)#snmp-server host NACVIEW_SERV traps version 2c SNMP_SECRET
C1300(config)#snmp-server server
Syslog forwarding to NACVIEW:
C1300#configure terminal
C1300(config)#logging host NACVIEW_SERV
C1300(config)#logging source-interface MGMT_INT
C1300(config)#logging on