¶ Cisco IOS Software version 15.2
¶ Preliminary assumptions
For requirements of this document the following network infrastructure values have been assumed:
- NACVIEW IP server address: NACVIEW_SERV
- IP switch address: SW_IP
- CoA password: COA_SECRET
- RADIUS communication key: RADIUS_KEY
- Name of the server group for RADIUS protocol: RADIUS_GROUP
- Switch management interface: MGMT_INT
- Configuration file name (cgg or txt format): CONF_FILE
- SNMP v2c password: SNMP_SECRET
- SNMP v3 password: SNMP_AUTH, SNMP_PRIV
- SNMP user: SNMP_USER
- SNMP group: SNMP_GROUP
- Communication key for TACACS+ server: TAC+_KEY
- Name of the server group for TACACS+ protocol: TAC+_GROUP
¶ Configuration of connection with RADIUS server
S1#configure terminal
S1(config)#aaa new-model
S1(config)#radius-server vsa send
S1(config)#aaa group server radius RADIUS_GROUP
S1(config-sg-radius)#server-private NACVIEW_SERV auth-port 1812 acct-port 1813 key RADIUS_KEY
S1(config-sg-radius)#ip radius source-interface MGMT_INT
S1(config-sg-radius)#exit
S1(config)#aaa authentication dot1x default group RADIUS_GROUP
S1(config)#aaa accounting dot1x default start-stop group RADIUS_GROUP
S1(config)#aaa authorization network default group RADIUS_GROUP
S1(config)#dot1x system-auth-control
¶ CoA Configuration
S1#configure terminal
S1(config)#aaa server radius dynamic-author
S1(config-locsvr-da-radius)#client NACVIEW_SERV server-key COA_SECRET
S1(config-locsvr-da-radius)#port 3799
¶ Configuration of authorization
¶ 802.1x protocol
S1#configure terminal
S1(config)#interface gigabitEthernet 0/1
S1(config-if)#spanning-tree portfast edge
S1(config-if)#switchport mode access
S1(config-if)#dot1x pae authenticator
S1(config-if)#authentication port-control auto
S1(config-if)#authentication host-mode single-host
S1(config-if)#authentication periodic
S1(config-if)#authentication violation replace
S1(config-if)#authentication order dot1x
S1(config-if)#authentication priority dot1x
¶ 802.1x + fall-back for MAC address authorization
S1#configure terminal
S1(config)#interface gigabitEthernet 0/1
S1(config-if)#spanning-tree portfast edge
S1(config-if)#switchport mode access
S1(config-if)#dot1x pae authenticator
S1(config-if)#authentication port-control auto
S1(config-if)#authentication host-mode single-host
S1(config-if)#authentication periodic
S1(config-if)#authentication violation replace
S1(config-if)#mab eap
S1(config-if)#authentication order dot1x mab
S1(config-if)authentication priority dot1x mab
¶ 802.1x protocol + fall-back for MAC address authorization (multi-domain mode)
S1#configure terminal
S1(config)#interface gigabitEthernet 0/1
S1(config-if)#spanning-tree portfast edge
S1(config-if)#switchport mode access
S1(config-if)#dot1x pae authenticator
S1(config-if)#authentication port-control auto
S1(config-if)#authentication host-mode multi-domain
S1(config-if)#authentication periodic
S1(config-if)#authentication violation replace
S1(config-if)#mab eap
S1(config-if)#authentication order dot1x mab
S1(config-if)authentication priority dot1x mab
¶ 802.1x protocol + fall-back for MAC address authorization (multi-host mode)
S1#configure terminal
S1(config)#interface gigabitEthernet 0/1
S1(config-if)#spanning-tree portfast edge
S1(config-if)#switchport mode access
S1(config-if)#dot1x pae authenticator
S1(config-if)#authentication port-control auto
S1(config-if)#authentication host-mode multi-auth
S1(config-if)#authentication periodic
S1(config-if)#authentication violation replace
S1(config-if)#mab eap
S1(config-if)#authentication order dot1x mab
S1(config-if)authentication priority dot1x mab
¶ 802.1x protocol + fall-back for MAC address authorization (multi-auth mode)
S1#configure terminal
S1(config)#interface gigabitEthernet 0/1
S1(config-if)#spanning-tree portfast edge
S1(config-if)#switchport mode access
S1(config-if)#dot1x pae authenticator
S1(config-if)#authentication port-control auto
S1(config-if)#authentication host-mode multi-domain
S1(config-if)#authentication periodic
S1(config-if)#authentication violation replace
S1(config-if)#mab eap
S1(config-if)#authentication order dot1x mab
S1(config-if)authentication priority dot1x mab
¶ MAC address authorization + fall-back for 802.1x
S1#configure terminal
S1(config)#interface gigabitEthernet 0/1
S1(config-if)#spanning-tree portfast edge
S1(config-if)#switchport mode access
S1(config-if)#dot1x pae authenticator
S1(config-if)#authentication port-control auto
S1(config-if)#authentication host-mode single-host
S1(config-if)#authentication periodic
S1(config-if)#authentication violation replace
S1(config-if)#mab eap
S1(config-if)#authentication order mab dot1x
S1(config-if)authentication priority mab dot1x
¶ MAB authorization
S1#configure terminal
S1(config)#interface gigabitEthernet 0/1
S1(config-if)#spanning-tree portfast edge
S1(config-if)#switchport mode access
S1(config-if)#authentication port-control auto
S1(config-if)#authentication host-mode single-host
S1(config-if)#authentication periodic
S1(config-if)#authentication violation shutdown
S1(config-if)#mab eap
S1(config-if)#authentication order mab
S1(config-if)authentication priority mab
¶ VoIP phone authorization
Attention! For the MAC access policy for authorization of VoIP phones, add the following Post auth attributes:
cisco-avpair := device-traffic-class=voice
See screenshot below:
¶ TACACS+ configuration
S1(config)#aaa group server tacacs+ TAC+_GROUP
R1(config-sg-tacacs+)#server-private NACVIEW_SERV key TAC+_KEY
S1(config-sg-tacacs+)#accounting acknowledge broadcast
S1(config-sg-tacacs+)#ip tacacs source-interface MGMT_INT
S1(config-sg-tacacs+)#exit
S1(config)#aaa authentication login default group TAC+_GROUP
S1(config)#aaa authorization exec default group TAC+_GROUP
S1(config)#aaa accounting exec default start-stop group TAC+_GROUP
¶ SNMP
¶ SNMP v3 (recommended version)
S1#configure terminal
S1(config)#snmp-server enable traps
S1(config)#snmp-server group SNMP_GROUP v3 priv context vlan- match prefix
S1(config)#snmp-server ifindex persist
S1(config)#snmp-server trap-source MGMT_INT
S1(config)#snmp-server source-interface informs MGMT_INT
S1(config)#snmp-server source-interface traps MGMT_INT
S1(config)#snmp-server user SNMP_USER SNMP_GROUP v3 auth sha SNMP_AUTH priv des SNMP_PRIV
S1(config)#snmp-server host NACVIEW_SERV inform version 3 priv SNMP_USER
S1(config)#snmp-server host NACVIEW_SERV traps version 3 priv SNMP_USER
¶ SNMP v2c (version not recommended - ensuring the minimal safety level)
S1#configure terminal
S1(config)#snmp-server enable traps
S1(config)#snmp-server ifindex persist
S1(config)#snmp-server community SNMP_SECRET ro
S1(config)#snmp-server trap-source MGMT_INT
S1(config)#snmp-server source-interface informs MGMT_INT
S1(config)#snmp-server source-interface traps MGMT_INT
S1(config)#snmp-server host NACVIEW_SERV inform version 2c SNMP_SECRET
S1(config)#snmp-server host NACVIEW_SERV traps version 2c SNMP_SECRET
¶ System logs redirection to NACVIEW server
S1#configure terminal
S1(config)#logging host NACVIEW_SERV
S1(config)#logging source-interface MGMT_INT
S1(config)#logging on
¶ Auxiliary recommendations
Current device configuration: S1#show running-config
Initial device configuration: S1#show startup-config
802.1x Configuration: S1#show dot1x
Interface x configuration 802.1x: S1#show dot1x interface gigabitEthernet X/x details
RADIUS server configuration: S1#show radius server-group all
Interface x 802.1x statistics: S1#show dot1x interface gigabitEthernet X/x statistics
Current configuration copying on NACVIEW server: S1#copy running-config tftp://NACVIEW_SERV/CONF_FILE.txt
Saved configuration copying on NACVIEW server: S1#copy startup-config tftp://NACVIEW_SERV/CONF_FILE.txt
Configuration copying from NACVIEW server to current configuration: S1#copy tftp://NACVIEW_SERV/CONF_FILE.txt running-config
Configuration copying from NACVIEW server to saved configuration: S1#copy tftp://NACVIEW_SERV/CONF_FILE.txt startup-config