SoftWare Version V702R101C008B007
BootRom Version 7.2.40
HardWare Version 2.0.1
NACVIEW_SERV - Server IP address
RADIUS_KEY - Radius server communication key
RADIUS_GROUP - Server group name for RADIUS protocol
SW_IP - Switch management IP address
SNMP_SECRET - SNMP v2c community string (read-write)
SNMP_AUTH and SNMP_PRIV - SNMP v3 passwords
SNMP_USER and SNMP_GROUP - SNMP v3 user name and group name, respectively
CONF_FILE - Configuration file name (.txt or .cfg)
TAC+_KEY - Shared key for communication with the TACACS+ server
VLAN_X - Authorization target VLAN
S4600-52P-SI#config
S4600-52P-SI(config)#radius nas-ipv4 SW_IP
S4600-52P-SI(config)#radius-server authentication host NACVIEW_SERV port 1812 key RADIUS_KEY
S4600-52P-SI(config)#radius-server accounting host NACVIEW_SERV port 1813 key RADIUS_KEY
S4600-52P-SI(config)#radius-server attributes vlan enable
S4600-52P-SI(config)#aaa enable
S4600-52P-SI(config)#aaa-accounting enable
S4600-52P-SI(config)#aaa-accounting update enable
NOTE: If more than one RADIUS server is configured on the switch, add the 'primary' parameter to the server that should be tried first.
For example: radius-server authentication host NACVIEW_SERV port 1812 key RADIUS_KEY primary
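Once 'radius-server attributes vlan enable' is on, what the switch acts on is an Access-Accept from NACVIEW_SERV that carries the target VLAN in RADIUS tunnel attributes. The following Python example is added here for illustration and is not code from NACVIEW or DCN. It builds such a reply for a given Access-Request, computes the Message-Authenticator and the Response Authenticator from the shared key, verifies them the way a NAS should, and extracts the VLAN. It assumes the standard RFC 3580 attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE 802, Tunnel-Private-Group-ID); this page does not say which attributes the S4600 reads. The Request Authenticator and the secret b"RADIUS_KEY" are constructed placeholders; the block uses only the standard library.

```python
import hashlib
import hmac
import struct

# Constants from RFC 2865 (codes), RFC 2868 (tunnel attributes),
# RFC 2869/3579 (Message-Authenticator) and RFC 3580 (VLAN assignment).
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
MESSAGE_AUTHENTICATOR = 80
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def _attr(attr_type, payload):
    """Encode one Type-Length-Value attribute; Length counts its own two header bytes."""
    if len(payload) > 253:
        raise ValueError("attribute payload too long")
    return bytes([attr_type, 2 + len(payload)]) + payload


def vlan_attributes(vlan, tag=0):
    """The three RFC 3580 attributes carrying a VLAN assignment: Tunnel-Type and
    Tunnel-Medium-Type are a 1-byte tag plus a 3-byte integer, Tunnel-Private-Group-ID
    is a 1-byte tag plus the VLAN ID (or name) as text."""
    return (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii")))


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept answering the Access-Request with this Identifier and Request
    Authenticator. Message-Authenticator is HMAC-MD5 over the packet with its own value
    zeroed; the Response Authenticator (MD5 with the secret) then covers the final packet."""
    placeholder = attributes + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(placeholder))
    msg_auth = hmac.new(secret, header + request_authenticator + placeholder, hashlib.md5).digest()
    attrs = attributes + _attr(MESSAGE_AUTHENTICATOR, msg_auth)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value, offset) triples, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length], i))
        i += length
    return attrs


def verify_access_accept(packet, request_authenticator, secret):
    """True only if both authenticators check out under the shared secret, so a reply
    forged or altered by a party without RADIUS_KEY is rejected."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    try:
        parsed = parse_attributes(attrs)
    except ValueError:
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    macs = [(value, off) for attr_type, value, off in parsed if attr_type == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][0]) != 16:
        return False
    value, off = macs[0]
    zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
    expected_mac = hmac.new(secret, header + request_authenticator + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected_mac, value)


def assigned_vlan(packet):
    """VLAN carried by an already verified Access-Accept, or None when the tunnel
    attributes are absent or do not describe an IEEE 802 VLAN."""
    found = {}
    for attr_type, value, _ in parse_attributes(packet[20:]):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte above 0x1F is part of the string, not a tag (RFC 2868 3.6).
            found[attr_type] = (value if value[0] > 0x1F else value[1:]).decode("ascii", "replace")
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    return int(group) if group is not None and group.isdigit() else group


if __name__ == "__main__":
    request_auth = bytes(range(16))  # constructed; a real NAS picks 16 random bytes
    reply = build_access_accept(7, request_auth, b"RADIUS_KEY", vlan_attributes(100))
    print(verify_access_accept(reply, request_auth, b"RADIUS_KEY"), assigned_vlan(reply))
```

Both checks in verify_access_accept depend on RADIUS_KEY, which is why the key on the switch and in NACVIEW must match exactly and why a weak or shared key lets anyone on the path mint an Access-Accept with a VLAN of their choosing.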
S4600-52P-SI#config
S4600-52P-SI(config)#dot1x enable
S4600-52P-SI(config)#dot1x re-authentication
S4600-52P-SI(config)#dot1x macbased port-down-flush
S4600-52P-SI(config)#dot1x eapor enable
MAC authentication works only with VLANs statically configured on the port. If NACVIEW assigns a VLAN that is not among those allowed on the port (the 'switchport hybrid allowed vlan' list in the interface configuration below), the switch grants no access, even though NACVIEW shows the authorization as successful. If the 'do not forward VLAN' option is selected in NACVIEW, the switch grants access in whatever VLAN is already configured on the port.
S4600-52P-SI#config
S4600-52P-SI(config)#mac-address-learning cpu-control
S4600-52P-SI(config)#mac-authentication-bypass enable
S4600-52P-SI(config)#mac-authentication-bypass timeout re-authperiod 300
S4600-52P-SI#config
S4600-52P-SI(config)#interface ethernet 1/0/1
S4600-52P-SI(config-if-ethernet1/0/1)#spanning-tree portfast
S4600-52P-SI(config-if-ethernet1/0/1)#switchport mode hybrid
S4600-52P-SI(config-if-ethernet1/0/1)#switchport hybrid native vlan 1
S4600-52P-SI(config-if-ethernet1/0/1)#switchport hybrid allowed vlan 1;VLAN_X;VLAN_Y untag
S4600-52P-SI(config-if-ethernet1/0/1)#dot1x enable
S4600-52P-SI(config-if-ethernet1/0/1)#dot1x port-control auto
S4600-52P-SI(config-if-ethernet1/0/1)#dot1x port-method macbased
S4600-52P-SI(config-if-ethernet1/0/1)#dot1x max-user macbased 5
S4600-52P-SI(config-if-ethernet1/0/1)#mac-authentication-bypass enable
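The note above about statically configured VLANs is easy to violate on a switch with many access ports, and the failure is silent on the NACVIEW side. The following Python example is added here for illustration and is not a NACVIEW or DCN tool. It audits a saved running-config (for example the file produced by 'copy running-config tftp://...') for the global and per-port settings of this procedure and flags every 802.1X port whose allowed-VLAN list lacks the VLAN NACVIEW would assign. The configuration it parses is a constructed sample with placeholder addresses and key hash; the layout it assumes ('!' block separators, 'interface ...' blocks, ';'-separated VLAN lists with optional 'a-b' ranges) is inferred from the commands shown on this page and may need adjusting for real S4600 output.

```python
import re

# Constructed sample of a running configuration in the layout of the commands above
# (not output from a real switch). Port 1/0/2 is deliberately incomplete.
SAMPLE_CONFIG = """\
!
radius nas-ipv4 192.0.2.10
radius-server authentication host 192.0.2.1 port 1812 key 7 PLACEHOLDER
radius-server accounting host 192.0.2.1 port 1813 key 7 PLACEHOLDER
radius-server attributes vlan enable
aaa enable
dot1x enable
mac-authentication-bypass enable
!
interface ethernet 1/0/1
 switchport mode hybrid
 switchport hybrid native vlan 1
 switchport hybrid allowed vlan 1;100;200 untag
 dot1x enable
 dot1x port-control auto
 dot1x port-method macbased
 dot1x max-user macbased 5
 mac-authentication-bypass enable
!
interface ethernet 1/0/2
 switchport mode hybrid
 switchport hybrid allowed vlan 1;100 untag
 dot1x enable
 dot1x port-control auto
!
"""

# Global settings from the procedure above, matched by prefix so key hashes do not matter.
REQUIRED_GLOBAL = [
    "radius-server authentication host",
    "radius-server attributes vlan enable",
    "aaa enable",
    "dot1x enable",
    "mac-authentication-bypass enable",
]
# Settings every 802.1X access port must carry.
REQUIRED_PORT = [
    "switchport mode hybrid",
    "dot1x port-control auto",
    "dot1x port-method macbased",
    "mac-authentication-bypass enable",
]


def parse_config(text):
    """Split the config into global lines and {interface name: [lines]} blocks."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None  # '!' closes the current block
            continue
        match = re.match(r"interface\s+(.+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is None:
            global_lines.append(line)
        else:
            interfaces[current].append(line)
    return global_lines, interfaces


def allowed_vlans(port_lines):
    """VLAN IDs from 'switchport hybrid|trunk allowed vlan <list> tag|untag' lines;
    the list is ';'-separated with optional 'a-b' ranges (assumed format)."""
    vlans = set()
    for line in port_lines:
        match = re.match(r"switchport (?:hybrid|trunk) allowed vlan (\S+)", line)
        if match:
            for item in match.group(1).split(";"):
                low, _, high = item.partition("-")
                vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit_config(text, nacview_vlan=None):
    """Return a list of findings (empty means clean). With nacview_vlan set, flag every
    802.1X port that would receive that VLAN from NACVIEW but does not allow it."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{req}'" for req in REQUIRED_GLOBAL
                if not any(line.startswith(req) for line in global_lines)]
    for name, lines in interfaces.items():
        if "dot1x enable" not in lines:
            continue  # not an authenticated port, nothing to check
        findings += [f"{name}: missing '{req}'" for req in REQUIRED_PORT if req not in lines]
        if nacview_vlan is not None and nacview_vlan not in allowed_vlans(lines):
            findings.append(f"{name}: VLAN {nacview_vlan} assigned by NACVIEW is not in the port's "
                            "allowed list; NACVIEW would log success but the switch grants no access")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, nacview_vlan=200):
        print(finding)
```

Run it against each VLAN that NACVIEW can hand out for the switch; a port that passes for VLAN_X but fails for VLAN_Y is exactly the case the note above describes.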
S4600-52P-SI(config)#tacacs-server authentication host NACVIEW_SERV key 0 TAC+_KEY primary
S4600-52P-SI(config)#tacacs-server nas-ipv4 SW_IP
S4600-52P-SI(config)#authentication line vty login tacacs local
S4600-52P-SI(config)#authentication enable tacacs
S4600-52P-SI(config)#authorization line vty exec tacacs
S4600-52P-SI(config)#authorization line vty command 1 tacacs
S4600-52P-SI(config)#authorization line vty command 7 tacacs
S4600-52P-SI(config)#authorization line vty command 15 tacacs
S4600-52P-SI(config)#accounting line vty command 1 start-stop tacacs
S4600-52P-SI(config)#accounting line vty command 7 start-stop tacacs
S4600-52P-SI(config)#accounting line vty command 15 start-stop tacacs
S4600-52P-SI(config)#accounting line vty exec start-stop tacacs
The DCN S4600 does not support per-command authorization: the command permit and deny settings configured in NACVIEW are not enforced by the switch, even with the 'authorization line vty command' lines above.
S4600-52P-SI(config)#snmp-server enable
S4600-52P-SI(config)#snmp-server host NACVIEW_SERV v3 authpriv SNMP_USER
S4600-52P-SI(config)#snmp-server securityip NACVIEW_SERV
S4600-52P-SI(config)#snmp-server user SNMP_USER SNMP_GROUP authPriv des SNMP_PRIV auth sha SNMP_AUTH
S4600-52P-SI(config)#snmp-server group SNMP_GROUP authpriv read default write default notify default
S4600-52P-SI(config)#snmp-server view default 1. include
S4600-52P-SI(config)#snmp-server enable
S4600-52P-SI(config)#snmp-server securityip NACVIEW_SERV
S4600-52P-SI(config)#snmp-server community rw 0 SNMP_SECRET
The v2c community string is sent in clear text and grants read-write access; keep the 'snmp-server securityip' line so that only NACVIEW_SERV can use it, and prefer the v3 authPriv user configuration above where NACVIEW and the switch both support it.
S4600-52P-SI(config)#logging NACVIEW_SERV
S4600-52P-SI(config)#logging source-ip SW_IP
S4600-52P-SI(config)#logging NACVIEW_SERV level debugging
- configuration to receive debug notifications (all messages, including debug level, are sent to NACVIEW_SERV)
S4600-52P-SI#copy running-config tftp://NACVIEW_SERV/CONF_FILE
- copying the current configuration to the TFTP server
S4600-52P-SI#show running-config full
- viewing the whole current configuration
S4600-52P-SI(config-if-ethernet1/0/1)#show running-config current-mode
- viewing the configuration of the current mode only (here: interface ethernet 1/0/1)
S4600-52P-SI#show dot1x interface ethernet 1/0/1
- viewing interface dot1x configuration
S4600-52P-SI#show dot1x user
- viewing users authorized by dot1x
S4600-52P-SI#terminal monitor
- display debug messages on the console session
S4600-52P-SI#terminal length 0
- disable output paging in the console (no --More-- prompts)