For the purposes of this document, the following network infrastructure values are assumed:
- NACVIEW IP server address: NACVIEW_SERV
- IP switch address: SW_IP
- RADIUS communication key: RADIUS_KEY
- Name of configuration file (format.cfg): CONF_FILE
- Switch management interface: VR_MGMT
- SNMP v2c password: SNMP_SECRET
- SNMP v3 passwords: SNMP_AUTH, SNMP_PRIV
- SNMP user: SNMP_USER
- SNMP group: SNMP_GROUP
- Communication key for TACACS+ server: TAC+_KEY
configure radius netlogin primary server NACVIEW_SERV client-ip SW_IP vr VR_MGMT
configure radius netlogin primary shared-secret RADIUS_KEY
enable radius netlogin
configure radius-accounting netlogin primary server NACVIEW_SERV client-ip SW_IP vr VR_MGMT
configure radius-accounting netlogin primary shared-secret RADIUS_KEY
enable radius-accounting netlogin
create vlan vNetlogin
configure netlogin vlan vNetlogin
The above commands are necessary for network access control on an EXOS switch, but they do not belong directly to the RADIUS configuration or to any other part of the network login configuration. The VLAN name is arbitrary (here: vNetlogin); we recommend a name that is easily associated with network access control in EXOS.
enable netlogin dot1x mac web-based
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin dot1x eapol-transmit-version v2
enable netlogin reauthenticate-on-refresh
configure netlogin mac authentication database-order radius
configure netlogin add mac-list default
configure netlogin dot1x timers reauth-period 6000
The following commands apply to the situation where each authorized client can be placed in a different VLAN.
enable netlogin dot1x
enable netlogin ports 1 dot1x
configure netlogin ports 1 mode mac-based-vlans
configure netlogin ports 1 no-restart
The following commands apply to the situation where all clients need to be authorized in the same VLAN.
enable netlogin dot1x
enable netlogin ports 1 dot1x
configure netlogin ports 1 mode port-based-vlans
configure netlogin ports 1 no-restart
enable netlogin ports 2 dot1x mac
enable netlogin ports 2 mac
configure tacacs primary server NACVIEW_SERV 49 client-ip SW_IP vr VR_MGMT
configure tacacs primary shared-secret TAC+_KEY
configure tacacs-accounting primary server NACVIEW_SERV 49 client-ip SW_IP vr VR_MGMT
configure tacacs-accounting primary shared-secret TAC+_KEY
enable tacacs
enable tacacs-accounting
enable tacacs-authorization
configure snmpv3 add user SNMP_USER authentication sha SNMP_AUTH privacy des SNMP_PRIV
configure snmpv3 add group SNMP_GROUP user SNMP_USER sec-model usm
configure snmpv3 add access SNMP_GROUP sec-model usm
enable snmp access snmpv3
configure snmp add community readwrite SNMP_SECRET
enable snmp access snmp-v1v2c
enable snmp community SNMP_SECRET
configure syslog add NACVIEW_SERV vr VR_MGMT local0
configure log target syslog NACVIEW_SERV vr VR_MGMT local0 filter DefaultFilter
configure log target syslog NACVIEW_SERV vr VR_MGMT local0 match Any
configure log target syslog NACVIEW_SERV vr VR_MGMT local0 format timestamp seconds date Mmmdd event-name none priority tag-name
enable log target syslog NACVIEW_SERV vr VR_MGMT local0
Network access control configuration: show configuration netlogin
Configuration of authorization: show configuration aaa
Details of the general 802.1x configuration and of all ports with 802.1x enabled: show netlogin dot1x detail
Details of the general MAC-based authentication configuration and of all ports with MAC-based authentication enabled: show netlogin mac
Active and authorized sessions: show netlogin session
Configuration and status of all ports, with the currently authorized clients: show netlogin
Configuration and status of a single port, with the currently authorized clients: show netlogin port 1
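As a complement to the show commands above, the following Python script (an added example, not part of NACVIEW or EXOS) reads a saved configuration dump and flags three things a reviewer would want to catch in the commands of this document: a RADIUS or RADIUS accounting server that is configured but never enabled, a port given a netlogin mode without any authentication method enabled on it, and management-plane weaknesses in the SNMP section (a v1/v2c read-write community, DES privacy for the SNMPv3 user). The sample configuration and its addresses are constructed.

```python
"""Sanity checks for an EXOS netlogin/RADIUS/SNMP configuration dump (added example)."""
import re
from typing import List

# Constructed sample in the form of the commands in this document, with the
# placeholders filled in with made-up values (not a real deployment).
SAMPLE_CONFIG = """
configure radius netlogin primary server 10.0.0.5 client-ip 10.0.0.10 vr VR-Mgmt
configure radius netlogin primary shared-secret REDACTED
enable radius netlogin
configure radius-accounting netlogin primary server 10.0.0.5 client-ip 10.0.0.10 vr VR-Mgmt
configure radius-accounting netlogin primary shared-secret REDACTED
enable netlogin dot1x mac web-based
enable netlogin ports 1 dot1x
configure netlogin ports 1 mode mac-based-vlans
configure netlogin ports 2 mode port-based-vlans
configure snmpv3 add user nacview authentication sha REDACTED privacy des REDACTED
configure snmp add community readwrite REDACTED
enable snmp access snmp-v1v2c
"""


def check_exos_config(text: str) -> List[str]:
    """Return a sorted list of findings for the given configuration text."""
    lines = {raw.strip() for raw in text.splitlines() if raw.strip()}
    findings: List[str] = []
    # 1. A "configure <svc> netlogin primary server" line does nothing until the
    #    matching "enable <svc> netlogin" line is present (svc = radius | radius-accounting).
    for line in lines:
        m = re.match(r"configure (radius(?:-accounting)?) netlogin primary server ", line)
        if m and f"enable {m.group(1)} netlogin" not in lines:
            findings.append(f"{m.group(1)}: netlogin server configured but not enabled")
    # 2. A port given a netlogin mode needs at least one method enabled on it
    #    ("enable netlogin ports <port> dot1x|mac|web-based"); otherwise nobody is authenticated there.
    for line in lines:
        m = re.match(r"configure netlogin ports (\S+) mode ", line)
        if m and not any(ln.startswith(f"enable netlogin ports {m.group(1)} ") for ln in lines):
            findings.append(f"port {m.group(1)}: netlogin mode set but no authentication method enabled")
    # 3. Management-plane hygiene: a v1/v2c read-write community travels in clear text,
    #    and "privacy des" on the SNMPv3 user is a weak cipher; flag both.
    if "enable snmp access snmp-v1v2c" in lines and any(
        ln.startswith("configure snmp add community readwrite ") for ln in lines
    ):
        findings.append("snmp: v1/v2c read-write community enabled; prefer SNMPv3 only")
    if any(" privacy des " in ln for ln in lines if ln.startswith("configure snmpv3 add user ")):
        findings.append("snmp: SNMPv3 user uses DES privacy; prefer an AES privacy protocol")
    return sorted(findings)
```

Run it against the output of `show configuration` saved to a file; an empty result means none of the three conditions was found, not that the configuration is complete.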