Chapter 45
Configuring Network Admission Control
Command and Purpose

Step 3
Command: Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
Purpose: Defines the default port ACL by using a source address and wildcard.
The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Enter deny or permit to specify whether to deny or permit access if conditions are matched.
The source is the source address of the network or host from which the packet is being sent, specified as follows:
• The 32-bit quantity in dotted-decimal format.
• The keyword any as an abbreviation for source and source-wildcard value of 0.0.0.0 255.255.255.255. You do not need to enter a source-wildcard value.
• The keyword host as an abbreviation for source and source-wildcard of source 0.0.0.0.
(Optional) Applies the source-wildcard wildcard bits to the source.
(Optional) Enters log to cause an informational logging message about the packet that matches the entry to be sent to the console.

Step 4
Command: Router(config-if)# interface interface-id
Purpose: Enters interface configuration mode.

Step 5
Command: Router(config-if)# ip access-group {access-list-number | name} in
Purpose: Controls access to the specified interface.

Step 6
Command: Router(config-if)# ip admission name rule-name
Purpose: Applies the specified IP NAC rule to the interface.
To remove the IP NAC rule that was applied to a specific interface, use the no ip admission rule-name interface configuration command.

Step 7
Command: Router(config)# exit
Purpose: Returns to global configuration mode.

Step 8
Command: Router(config)# aaa new-model
Purpose: Enables AAA.

Step 9
Command: Router(config)# aaa authentication eou default group radius
Purpose: Sets authentication methods for EAPoUDP.
To remove the EAPoUDP authentication methods, use the no aaa authentication eou default global configuration command.

Step 10
Command: Router(config)# aaa authorization network default local
Purpose: Sets the authorization method to local.
To remove the authorization method, use the no aaa authorization network default local command.

Step 11
Command: Router(config)# ip device tracking
Purpose: Enables the IP device tracking table.
To disable the IP device tracking table, use the no ip device tracking global configuration command.

Step 12
Command: Router(config)# ip device tracking [probe {count count | interval interval}]
Purpose: (Optional) Configures these parameters for the IP device tracking table:
• count count: Sets the number of times that the switch sends the ARP probe. The range is from 1 to 5. The default is 3.
• interval interval: Sets the number of seconds that the switch waits for a response before resending the ARP probe. The range is from 30 to 300 seconds. The default is 30 seconds.

OL-4266-08
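The default port ACL in Step 3 is a standard numbered ACL. The following added Python example (not from the configuration guide) parses entries in the syntax shown there, applies the any and host abbreviations and the 1 to 99 / 1300 to 1999 number range from the Purpose column, and evaluates a source address against the list in order, including the implicit deny that ends every ACL. The ACL entries and addresses are constructed samples.

```python
import ipaddress

def parse_entry(line):
    """Parse one 'access-list N {deny|permit} source [wildcard] [log]' line."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard access-list entry: {line!r}")
    number = int(tokens[1])
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError(f"standard ACL number out of range: {number}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {action!r}")
    rest = tokens[3:]
    log = rest[-1] == "log"          # optional trailing keyword
    if log:
        rest = rest[:-1]
    if rest[0] == "any":             # any == 0.0.0.0 255.255.255.255
        source, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":          # host A.B.C.D == A.B.C.D 0.0.0.0
        source, wildcard = rest[1], "0.0.0.0"
    elif len(rest) == 1:             # bare address, no wildcard given: exact host
        source, wildcard = rest[0], "0.0.0.0"
    else:
        source, wildcard = rest[0], rest[1]
    return (action, int(ipaddress.IPv4Address(source)),
            int(ipaddress.IPv4Address(wildcard)), log)

def evaluate(acl_lines, packet_source):
    """First matching entry wins; an unmatched source hits the implicit
    'deny any' at the end of every ACL and is denied without logging."""
    src = int(ipaddress.IPv4Address(packet_source))
    for line in acl_lines:
        action, source, wildcard, log = parse_entry(line)
        care = ~wildcard & 0xFFFFFFFF   # wildcard bit 1 = don't care, 0 = must match
        if src & care == source & care:
            return action, log
    return "deny", False

# Constructed sample default port ACL (not from the guide).
DEFAULT_PORT_ACL = [
    "access-list 10 permit host 10.0.0.5",
    "access-list 10 permit 192.168.10.0 0.0.0.255",
    "access-list 10 deny 192.168.0.0 0.0.255.255 log",
]

if __name__ == "__main__":
    for ip in ("10.0.0.5", "192.168.10.77", "192.168.20.1", "172.16.0.9"):
        print(ip, evaluate(DEFAULT_PORT_ACL, ip))
```

A host that matches no entry (172.16.0.9 above) is denied by the implicit deny and produces no log message, which is why an explicit logged deny is often added when you want visibility into blocked hosts.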
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Configuring NAC
45-19