Version: 3.5.3.2
For the purposes of this document the following network infrastructure values are assumed:
- NACVIEW server IP address: NACVIEW_SERV
- RADIUS shared secret: RADIUS_KEY
- TACACS+ shared secret: TAC+_KEY
- SNMP v2c community string: SNMP_SECRET
- SNMP v3 authentication and privacy passwords: SNMP_AUTH, SNMP_PRIV
- SNMP v3 user: SNMP_USER
- SNMP v3 group: SNMP_GROUP
- SNMP v3 view: SNMP_VIEW
- management VLAN (source interface for TACACS+ and SNMP traffic): VLAN_ID
S1#configure terminal
S1(config)#aaa authentication dot1x default radius
S1(config)#radius-server host NACVIEW_SERV key RADIUS_KEY
S1(config)#radius server enable
S1(config)#aaa accounting dot1x start-stop group radius
S1(config)#dot1x system-auth-control
S1(config)#dot1x traps authentication failure 802.1x mac
S1(config)#dot1x traps authentication success 802.1x mac
S1(config)#dot1x supplicant traps authentication failure
S1(config)#dot1x supplicant traps authentication success
S1#configure terminal
S1(config)#tacacs-server host NACVIEW_SERV key TAC+_KEY
S1(config)#tacacs-server source-interface vlan VLAN_ID
S1(config)#aaa accounting login start-stop group tacacs+
S1(config)#aaa authentication login authorization default tacacs local
S1(config)#line ssh
S1(config-line)#login authentication default
S1(config-line)#exit
S1(config)#no ip http server
S1(config)#no ip http secure-server
In this model TACACS+ is used only for CLI (SSH) logins; 802.1X and MAC authentication of clients stay on RADIUS. The last two commands disable browser (HTTP and HTTPS) management access to the switch.
S1#configure terminal
S1(config)#interface ge 1
S1(config-if)#dot1x host-mode single-host
S1(config-if)#dot1x reauthentication
S1(config-if)#dot1x timeout reauth-period 3600
S1(config-if)#dot1x authentication 802.1x
S1(config-if)#dot1x radius-attributes vlan static
S1(config-if)#dot1x port-control auto
S1#configure terminal
S1(config)#interface ge 1
S1(config-if)#dot1x authentication mac
S1(config-if)#dot1x reauthentication
S1(config-if)#dot1x timeout reauth-period 3600
S1(config-if)#dot1x radius-attributes vlan static
S1(config-if)#dot1x port-control auto
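For a port configured with dot1x authentication mac the switch does not wait for a supplicant: it sends NACVIEW_SERV an ordinary RADIUS Access-Request in which the client MAC address is both User-Name and User-Password. The script below is an added example, not NACVIEW or Cisco code, that builds such a request with the Python standard library, encrypts User-Password with RADIUS_KEY as RFC 2865 section 5.2 prescribes, adds the RFC 3579 Message-Authenticator, and shows that only the correct key decrypts the password and verifies the packet. The MAC formats (lower-case hex without separators for User-Name, dash-separated for Calling-Station-Id), the NAS address 192.0.2.1 and the port number are assumptions for illustration.

```python
"""Build and check the RADIUS Access-Request a switch sends for
MAC-based authentication (MAB).

Added example, not NACVIEW or Cisco code. Assumptions (not from the
original document): the switch puts the client MAC as lower-case hex
without separators into User-Name and User-Password, and the
dash-separated form into Calling-Station-Id; NAS address and port
numbers are constructed. Standard library only, runs offline.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed
    by the 16-byte Request Authenticator from the packet header."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def decrypt_password(cipher, secret, authenticator):
    """Inverse of encrypt_password: what the RADIUS server (or anyone
    holding RADIUS_KEY and a captured packet) recovers from User-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mab_request(mac, secret, nas_ip, nas_port, identifier=1, authenticator=None):
    """Access-Request for a MAB client: User-Name and User-Password both
    carry the MAC. Message-Authenticator (RFC 3579 3.2) is HMAC-MD5 over
    the whole packet with its own value zeroed, keyed with the shared secret."""
    authenticator = authenticator or os.urandom(16)
    mac_plain = mac.lower().replace(":", "").replace("-", "")   # assumed User-Name format
    station_id = mac.upper().replace(":", "-").encode()       # assumed Calling-Station-Id format
    attrs = (
        attr(ATTR_USER_NAME, mac_plain.encode())
        + attr(ATTR_USER_PASSWORD, encrypt_password(mac_plain.encode(), secret, authenticator))
        + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
        + attr(ATTR_CALLING_STATION_ID, station_id)
    )
    length = 20 + len(attrs) + 18   # header + attributes + Message-Authenticator TLV
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    zeroed = header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    digest = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, digest)


def parse_request(packet):
    """Decode header and attributes (a repeated type overwrites the earlier value)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:            # malformed TLV, stop rather than loop forever
            break
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the attribute value zeroed; a wrong secret gives False."""
    pos = 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            break
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + attr_len:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + attr_len])
        pos += attr_len
    return False


if __name__ == "__main__":
    key = b"RADIUS_KEY"
    pkt = build_mab_request("00:11:22:33:44:55", key, "192.0.2.1", 1)
    req = parse_request(pkt)
    print("User-Name:", req["attrs"][ATTR_USER_NAME])
    print("User-Password:", decrypt_password(req["attrs"][ATTR_USER_PASSWORD], key, req["authenticator"]))
    print("Message-Authenticator ok:", verify_message_authenticator(pkt, key))
    print("Message-Authenticator with wrong key:", verify_message_authenticator(pkt, b"WRONG_KEY"))
```

The point to take from the exchange: RADIUS_KEY only protects the User-Password attribute and the integrity of the packet between switch and NACVIEW server; the "credential" itself is the MAC address, which anyone on the segment can observe and set on their own interface. MAC authentication is therefore appropriate only for devices that cannot run an 802.1X supplicant, and the reauth-period configured on the port bounds how long a cloned MAC keeps its access after the real device disappears from the RADIUS server's point of view.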
S1#configure terminal
S1(config)#interface ge 1
S1(config-if)#dot1x host-mode single-host
S1(config-if)#dot1x reauthentication
S1(config-if)#dot1x timeout reauth-period 3600
S1(config-if)#dot1x authentication 802.1x mac
S1(config-if)#dot1x radius-attributes vlan static
S1(config-if)#dot1x port-control auto
S1#configure terminal
S1(config)#interface ge 1
S1(config-if)#dot1x host-mode multi-sessions
S1(config-if)#dot1x reauthentication
S1(config-if)#dot1x timeout reauth-period 3600
S1(config-if)#dot1x authentication 802.1x mac
S1(config-if)#dot1x radius-attributes vlan static
S1(config-if)#dot1x port-control auto
Note that in this mode devices have to be connected to the port one at a time. If several devices appear on the port at the same moment, the switch may try to authenticate all of them with a single method (802.1X or MAC) instead of the method appropriate for each device.
S1#configure terminal
S1(config)#snmp-server engineID local Default
The engine-id must be unique within your administrative domain.
Do you wish to continue ? (Y/N)[N] Y
The SNMPv3 database will be erased.
Do you wish to continue? (Y/N)[N] Y
S1(config)#snmp-server enable traps
S1(config)#snmp-server group SNMP_GROUP v3 priv read SNMP_VIEW write SNMP_VIEW notify SNMP_VIEW
S1(config)#snmp-server user SNMP_USER SNMP_GROUP v3 auth sha SNMP_AUTH priv SNMP_PRIV
S1(config)#snmp-server host NACVIEW_SERV version 3 priv SNMP_USER
S1(config)#snmp-server host NACVIEW_SERV traps version 3 priv SNMP_USER
S1(config)#snmp-server host NACVIEW_SERV informs version 3 priv SNMP_USER
S1(config)#snmp-server server
S1#configure terminal
S1(config)#snmp-server enable traps
S1(config)#snmp-server community SNMP_SECRET rw
S1(config)#snmp-server trap-source vlan VLAN_ID
S1(config)#snmp-server host NACVIEW_SERV informs version 2c SNMP_SECRET
S1(config)#snmp-server host NACVIEW_SERV traps version 2c SNMP_SECRET
S1(config)#snmp-server server
S1#configure terminal
S1(config)#logging host NACVIEW_SERV
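As a check on the finished switch, the following Python script is an added example, not NACVIEW or Cisco code, that parses a running-config dump and reports which of the settings configured above are missing: 802.1X enabled globally, RADIUS and TACACS+ servers with a key, HTTP and HTTPS management disabled, a syslog host, and, on every port with dot1x port-control auto, re-authentication with an explicit reauth-period and an authentication method. It also flags an SNMPv2c community, since that string travels in cleartext and the SNMPv3 auth/priv setup above is the stronger of the two options. The running-config excerpt it contains is constructed, with HTTPS left enabled and a deliberate gap on GigabitEthernet2, so that it reports something.

```python
"""Report NAC-relevant settings missing from a switch running-config.

Added example, not NACVIEW or Cisco code. SAMPLE_CONFIG is a constructed
excerpt in the layout Cisco-style switches print for `show running-config`
(global lines, then indented interface blocks separated by `!`); the rules
encode only what the integration document configures.
"""
import re

SAMPLE_CONFIG = """\
hostname S1
dot1x system-auth-control
radius-server host 192.0.2.10 key RADIUS_KEY
tacacs-server host 192.0.2.10 key TAC+_KEY
no ip http server
ip http secure-server
snmp-server community SNMP_SECRET rw
logging host 192.0.2.10
!
interface GigabitEthernet1
 dot1x host-mode single-host
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 dot1x authentication 802.1x mac
 dot1x port-control auto
!
interface GigabitEthernet2
 dot1x authentication mac
 dot1x port-control auto
!
interface GigabitEthernet3
 description uplink, no NAC
!
"""


def parse_config(text):
    """Split a config into global lines and a dict of interface -> its lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def check_config(text):
    """Return a list of findings; an empty list means every rule is satisfied."""
    global_lines, interfaces = parse_config(text)
    findings = []

    def has(pattern):
        return any(re.match(pattern, line) for line in global_lines)

    if not has(r"dot1x system-auth-control$"):
        findings.append("global: 802.1X not enabled (dot1x system-auth-control)")
    if not has(r"radius-server host \S+ .*key "):
        findings.append("global: no RADIUS server with a shared secret")
    if not has(r"tacacs-server host \S+ .*key "):
        findings.append("global: no TACACS+ server with a shared secret")
    if not has(r"no ip http server$"):
        findings.append("global: HTTP management still enabled")
    if not has(r"no ip http secure-server$"):
        findings.append("global: HTTPS management still enabled")
    if not has(r"logging host "):
        findings.append("global: no syslog host configured")
    if has(r"snmp-server community "):
        findings.append("global: SNMPv2c community present (cleartext); prefer the SNMPv3 auth/priv setup")

    for name, lines in interfaces.items():
        if "dot1x port-control auto" not in lines:
            continue            # port not under NAC control, nothing to check
        if "dot1x reauthentication" not in lines:
            findings.append(f"{name}: port-control auto without dot1x reauthentication")
        if not any(l.startswith("dot1x timeout reauth-period") for l in lines):
            findings.append(f"{name}: no explicit reauth-period (device default applies)")
        if not any(l.startswith("dot1x authentication ") for l in lines):
            findings.append(f"{name}: no authentication method (802.1x/mac) selected")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

To use it against a real switch, replace SAMPLE_CONFIG with the output of show running-config (via SSH, or a saved copy) and treat any finding as a gap in the configuration steps above. The interface rule deliberately ignores ports without dot1x port-control auto, so uplinks and other ports outside NAC are not reported; extend the rule set if such ports must be listed explicitly.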