Chapter 45
Configuring Network Admission Control
If the revalidation timer expires, the action the switch takes depends on the value of the
Termination-Action RADIUS attribute returned by the server:
• If the value of the Termination-Action attribute is the default, the EAPoUDP session ends.
• If the switch receives a value for the Termination-Action attribute other than the default, the EAPoUDP
session and the current access policy remain in effect during posture revalidation.
• If the value of the Termination-Action attribute is RADIUS, the switch revalidates the client.
• If the packet from the server does not include the Termination-Action attribute, the EAPoUDP
session ends.
Status-Query Timer
The status-query timer controls how long the switch waits before verifying that a previously
validated client is still present and that its posture has not changed. Only clients that were authenticated with
EAPoUDP messages use this timer, which starts after the client is initially validated. The default value
of the status-query timer is 300 seconds (5 minutes).
The timer resets when the host is reauthenticated. When the timer expires, the switch checks the host's
posture validation by sending a Status-Query message to the host. If the host replies that its
posture has changed, the switch revalidates the posture of the host.
NAC Layer 2 IP Validation and Redundant Supervisor Engines
On Cisco 7600 series routers with redundant supervisor engines, when RPR mode redundancy is
configured, a switchover causes the loss of all information about currently postured hosts. When SSO
mode redundancy is configured, a switchover triggers a reposturing of all currently postured hosts.
NAC Layer 2 IP Validation and Redundant Modular Switches
On redundant modular switches, when RPR mode redundancy is configured, a switchover loses all
information about currently postured hosts. When SSO mode redundancy is configured, a switchover
triggers a reposturing of all currently postured hosts.
AAA Down Policy for NAC Layer 2 IP Validation
With the AAA down policy feature, the validation process operates in the following order:
1. A new session is detected.
2. Before posture validation is triggered, if the AAA server is unreachable, the AAA down
policy is applied and the session state is maintained as AAA DOWN.
3. When the AAA server is once again available, a revalidation is retriggered for the host.
Note
When the AAA server is down, the AAA down policy is applied only if there is no existing policy
associated with the host. If the AAA server goes down during revalidation, the policies already in use
for the host are retained.
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Understanding NAC
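The following Python model is an added illustration, not code from the Cisco documentation or from IOS. It applies the Termination-Action rules, the status-query behavior and the AAA down policy ordering described above to a small session record so that each branch can be traced and checked. The policy names (HEALTHY-ACL, AAA-DOWN-ACL), the State values and the Session fields are assumptions made for the example; the Termination-Action values Default (0) and RADIUS-Request (1) are the standard values of RADIUS attribute 29.

```python
"""Model of the NAC Layer 2 IP session decisions described in the text.

Added illustration, not Cisco IOS code. Policy names, State values and the
Session fields are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

STATUS_QUERY_DEFAULT_SECS = 300  # default status-query timer: 300 s (5 min)


class TerminationAction(Enum):
    """Values of the RADIUS Termination-Action attribute (attribute 29)."""
    DEFAULT = 0
    RADIUS_REQUEST = 1


class State(Enum):
    NEW = "new"
    POSTURED = "postured"
    REVALIDATING = "revalidating"
    AAA_DOWN = "aaa-down"
    ENDED = "ended"


@dataclass
class Session:
    state: State = State.NEW
    policy: Optional[str] = None                  # access policy currently applied
    termination_action: Optional[TerminationAction] = None  # None = attribute absent
    status_query_timer: int = STATUS_QUERY_DEFAULT_SECS
    events: list = field(default_factory=list)    # trace of decisions, for inspection


def posture_validated(s: Session, policy: str,
                      termination_action: Optional[TerminationAction]) -> Session:
    """Record a successful EAPoUDP posture validation and the server's attributes."""
    s.state = State.POSTURED
    s.policy = policy
    s.termination_action = termination_action
    s.status_query_timer = STATUS_QUERY_DEFAULT_SECS  # timer starts/resets on (re)validation
    s.events.append(f"validated policy={policy}")
    return s


def revalidation_timer_expired(s: Session) -> Session:
    """Apply the Termination-Action rules when the revalidation timer runs out."""
    ta = s.termination_action
    if ta is None or ta is TerminationAction.DEFAULT:
        # Attribute absent or set to Default: the EAPoUDP session ends.
        s.state = State.ENDED
        s.policy = None
        s.events.append("revalidation timer: session ended")
    else:
        # RADIUS-Request: revalidate; the current access policy stays in force meanwhile.
        s.state = State.REVALIDATING
        s.events.append(f"revalidation timer: revalidating, keeping policy={s.policy}")
    return s


def status_query_timer_expired(s: Session, host_reports_posture_change: bool) -> Session:
    """Send a Status-Query; revalidate only if the host reports a posture change."""
    if s.state is not State.POSTURED:
        s.events.append("status-query timer: ignored (host not EAPoUDP-postured)")
        return s
    if host_reports_posture_change:
        s.state = State.REVALIDATING
        s.events.append("status-query: posture changed, revalidating")
    else:
        s.status_query_timer = STATUS_QUERY_DEFAULT_SECS
        s.events.append("status-query: posture unchanged")
    return s


def aaa_unreachable(s: Session, aaa_down_policy: str) -> Session:
    """AAA server unreachable: apply the AAA down policy only when no policy exists yet."""
    if s.policy is None:
        s.policy = aaa_down_policy
        s.state = State.AAA_DOWN
        s.events.append(f"AAA down: applied {aaa_down_policy}")
    else:
        # AAA went down during revalidation: keep the policy already in use for the host.
        s.events.append(f"AAA down: retained existing policy={s.policy}")
    return s


def aaa_restored(s: Session) -> Session:
    """AAA server reachable again: retrigger revalidation for a host held in AAA DOWN."""
    if s.state is State.AAA_DOWN:
        s.state = State.REVALIDATING
        s.events.append("AAA restored: revalidation retriggered")
    return s


if __name__ == "__main__":
    # Walk one host through AAA-down, recovery, validation and timer expiry.
    sess = Session()
    aaa_unreachable(sess, "AAA-DOWN-ACL")
    aaa_restored(sess)
    posture_validated(sess, "HEALTHY-ACL", TerminationAction.RADIUS_REQUEST)
    revalidation_timer_expired(sess)
    print("\n".join(sess.events))
```

Running the script prints the decision trace for a host that first arrives while AAA is down and is later revalidated; the functions return the updated Session so individual branches (for example a missing Termination-Action attribute) can be exercised directly.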