
Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Configuring the Cisco 3750 switch for NAC L2 802.1x

New for NAC Phase 2 is the ability of a Cisco switch to act as a NAC policy
enforcement device. For the purposes of this book, we used a Cisco 3750 switch
running IOS 12.2(25)SEE2 with the Advanced IP Services feature set. The switch
details are as follows (the asterisk marks the stack master):

Switch  Ports  Model          SW Version     SW Image
*    1  26     WS-C3750-24P   12.2(25)SEE2   C3750-ADVIPSERVICESK

Our example uses L2Dot1x. The protocol used in this architecture is EAPOL
(EAP over LAN), as opposed to EAPoUDP (EOU). For this reason, no EOU
configuration is required on the switch, just a straightforward dot1x
configuration. We recommend that you check the Cisco Web site for the latest
hardware/software compatibility matrixes, because they determine which NAC
deployment methods are available to you. For example, at the time of writing
this book, a Cisco 2950 switch supports NAC L2 802.1x but not NAC L2/L3 IP
(it has no support for EoU). Another example is that a Cisco 6500 running
12.2(18)SXF does not support NAC L2 802.1x authentication and validation on
edge switches.

The current switch compatibility matrix can be found at:

http://www.cisco.com/en/US/partner/netsol/ns617/networking_solutions_documentation_roadmap09186a008066499c.html#wp1016600

The basic switch configuration is listed below. The RADIUS server address and
the shared secret (cisco123) are example values; replace the secret with a
long random string before deployment, because it protects the RADIUS exchange
that carries the authentication and authorization result back to the switch.

! Enable AAA and send 802.1X authentication, authorization and
! accounting to the RADIUS server group
aaa new-model
aaa authentication login local_only line
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
ip routing
!
! Globally enable 802.1X; without this, per-port dot1x commands have no effect
dot1x system-auth-control
!
! Source RADIUS traffic from the management VLAN interface
ip radius source-interface Vlan9
!
! RADIUS server definition: attribute 6 is Service-Type, attribute 8 is
! Framed-IP-Address; "vsa send" allows Cisco vendor-specific attributes
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server host 192.168.9.22 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco123
radius-server vsa send authentication
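As an added example, not part of the Redbook, the following Python script lints the configuration above for the global commands this NAC L2 802.1x deployment depends on and for weak RADIUS settings. The required-command list is taken from the configuration printed above; the weak-secret list and the 16-character minimum are the script's own thresholds, not IOS or Cisco requirements.

```python
"""Audit a Cisco IOS global configuration for the 802.1X/RADIUS pieces a
NAC L2 802.1x switch needs, and for weak RADIUS settings.

Added example, not from the Redbook. SAMPLE_CONFIG is the configuration
printed above. The weak-secret list and the 16-character minimum are this
script's own thresholds, not IOS requirements.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login local_only line
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
ip routing
!
dot1x system-auth-control
!
ip radius source-interface Vlan9
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server host 192.168.9.22 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco123
radius-server vsa send authentication
"""

# Global commands without which port-level dot1x does nothing useful, or the
# RADIUS server cannot return VLAN/ACL/posture results to the switch.
REQUIRED = {
    "aaa new-model": "AAA is off, so no aaa/dot1x method list is active",
    "dot1x system-auth-control": "802.1X not globally enabled; ports never authenticate",
    "aaa authentication dot1x default group radius": "no RADIUS method list for 802.1X",
    "aaa authorization network default group radius": "RADIUS cannot push VLAN/ACL authorization",
    "aaa accounting dot1x default start-stop group radius": "no 802.1X session accounting",
    "radius-server vsa send authentication": "Cisco VSAs (cisco-av-pair) not exchanged",
}
WEAK_SECRETS = {"cisco", "cisco123", "secret", "radius", "password", "test", "testing123"}
MIN_SECRET_LEN = 16          # script's own threshold, not an IOS limit


def config_lines(text):
    """Non-empty, non-comment (!) command lines, whitespace-stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit(text):
    """Return a list of (severity, message) findings for an IOS config."""
    lines = config_lines(text)
    present = set(lines)
    findings = []
    for cmd, why in REQUIRED.items():
        if cmd not in present:
            findings.append(("HIGH", f"missing '{cmd}': {why}"))
    hosts = [ln for ln in lines if ln.startswith("radius-server host ")]
    if not hosts:
        findings.append(("HIGH", "no radius-server host defined"))
    for host in hosts:
        m = re.search(r"auth-port (\d+) acct-port (\d+)", host)
        if m and m.groups() == ("1645", "1646"):
            findings.append(("INFO", f"legacy RADIUS ports in '{host}'; IANA assigns "
                             "1812/1813, confirm the server listens where the switch sends"))
    for ln in lines:
        m = re.match(r"radius-server key (?:([07]) )?(.+)$", ln)
        if not m:
            continue
        enc_type, key = m.groups()
        if enc_type == "7":
            findings.append(("MEDIUM", "RADIUS key stored as type 7, which is reversible"))
        elif key.lower() in WEAK_SECRETS or len(key) < MIN_SECRET_LEN:
            findings.append(("HIGH", f"weak RADIUS shared secret '{key}'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```

Run it against a saved `show running-config`; on the sample it flags the example shared secret cisco123 and notes the legacy 1645/1646 RADIUS ports, and it reports nothing missing, which is the state you want before moving on to the per-port dot1x configuration.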

Note: Always thoroughly document the environment on which you wish to
deploy this solution. You may find that the environment is already
compatible, or that it requires IOS or hardware upgrades.