44-6
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 44 Configuring Network Admission Control
Configuring Network Admission Control with LAN Port IP
9. If it is a success, the ACS sends the posture token VSA and a policy associated with the posture that
includes the PBACL groups, session timeout, status query timeout, and authenticated username.
If the host does not respond to the EOU hello requests that are sent by the NAD, the NAD (after a
preconfigured number of attempts) declares the host as clientless (no CTA). The NAD then does a pseudo
authentication on behalf of the host and brings down a policy. Other posture validation mechanisms, such
as an audit, may be triggered.
In the clientless mode, the NAD sends three EOU hello messages (by default) before declaring that the
host does not have a CTA. This process can take 90 seconds before the clientless authentication is done
and the policy is installed. To avoid this delay on a port that you know does not have a CTA, you can set
the port mode to bypass using the per-port CLI (enter the set port eou mod/port bypass command). When
this action is done, the port immediately does a clientless authentication when it learns a new IP address.
Exceptions are hosts that should not attempt posture validation because they are not capable. When a
host that has been specified as an exception is detected, a preconfigured policy is installed.
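The following model of the NAD's decision when it learns a new IP address is an added example and is not Cisco code or part of this guide. It reproduces the three paths described above (CTA replies and ACS posture validation succeeds, no CTA after the EOU hello retries so clientless authentication runs, or an exception host gets its preconfigured policy) and the effect of bypass mode. The hello retry interval of 30 seconds is an assumption chosen so that three hellos add up to the 90 seconds the guide cites; the ACS stand-in and the policy contents (PBACL group names, timeouts, usernames) are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List


class PortMode(Enum):
    NORMAL = "normal"   # send EOU hellos, then fall back to clientless authentication
    BYPASS = "bypass"   # "set port eou mod/port bypass": skip the hellos entirely


@dataclass
class Policy:
    """Policy the ACS hands down with the posture token (fields named in the guide)."""
    posture_token: str
    pbacl_groups: List[str]
    session_timeout: int
    status_query_timeout: int
    username: str


@dataclass
class Host:
    ip: str
    has_cta: bool            # whether the host runs the Cisco Trust Agent
    exception: bool = False  # configured as a posture-validation exception


@dataclass
class NadPort:
    mode: PortMode = PortMode.NORMAL
    max_hellos: int = 3          # guide default before the host is declared clientless
    hello_interval_s: int = 30   # ASSUMPTION: retry interval; 3 x 30 s matches the 90 s in the guide


@dataclass
class Outcome:
    path: str                # "posture", "clientless" or "exception"
    hellos_sent: int
    seconds_elapsed: int
    policy: Policy
    log: List[str] = field(default_factory=list)


# Constructed sample policies standing in for what ACS would return.
EXCEPTION_POLICY = Policy("Exception", ["exception-acl"], 3600, 0, "exception")
CLIENTLESS_POLICY = Policy("Unknown", ["clientless-acl"], 300, 0, "clientless")


def acs_posture_validate(host: Host) -> Policy:
    """Stand-in for the ACS posture check (constructed: always returns Healthy)."""
    return Policy("Healthy", ["healthy-acl"], 3600, 300, f"user@{host.ip}")


def on_new_ip(port: NadPort, host: Host,
              validate: Callable[[Host], Policy] = acs_posture_validate) -> Outcome:
    """Model the NAD decision when a new IP address is learned on a LAN port IP port."""
    log: List[str] = []

    # 1. Exception hosts never attempt posture validation: install the preconfigured policy.
    if host.exception:
        log.append(f"{host.ip}: exception host, installing {EXCEPTION_POLICY.posture_token}")
        return Outcome("exception", 0, 0, EXCEPTION_POLICY, log)

    # 2. Bypass mode: no hellos, immediate clientless (pseudo) authentication.
    if port.mode is PortMode.BYPASS:
        log.append(f"{host.ip}: port in bypass, clientless auth without EOU hellos")
        return Outcome("clientless", 0, 0, CLIENTLESS_POLICY, log)

    # 3. Normal mode: send EOU hellos until the CTA answers or the attempts run out.
    elapsed = 0
    for attempt in range(1, port.max_hellos + 1):
        log.append(f"{host.ip}: EOU hello {attempt}/{port.max_hellos} at t={elapsed}s")
        if host.has_cta:
            policy = validate(host)
            log.append(f"{host.ip}: CTA replied, ACS returned {policy.posture_token}")
            return Outcome("posture", attempt, elapsed, policy, log)
        elapsed += port.hello_interval_s   # wait out the retry interval before the next hello

    log.append(f"{host.ip}: no CTA after {port.max_hellos} hellos ({elapsed}s), clientless auth")
    return Outcome("clientless", port.max_hellos, elapsed, CLIENTLESS_POLICY, log)


if __name__ == "__main__":
    for h in (Host("10.0.0.11", True), Host("10.0.0.12", False),
              Host("10.0.0.13", False, exception=True)):
        for mode in PortMode:
            out = on_new_ip(NadPort(mode=mode), h)
            print(f"{h.ip} mode={mode.value}: {out.path} after {out.hellos_sent} hellos, "
                  f"{out.seconds_elapsed}s -> {out.policy.posture_token}")
```

Running the script shows the point of the bypass command: a CTA-less host on a normal-mode port sits for the full three hello retries before the clientless policy lands, while the same host on a bypass port gets that policy immediately, and an exception host never enters the hello exchange at all.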
LAN Port IP Hardware and Software Requirements
Follow these hardware and software requirements when configuring LAN port IP:
• You must have a Catalyst 6500 series switch running software release 8.5(1) or later releases.
• You must have CTA installed on the end-point devices (for example, on PCs and laptops).
• You must have an ACS for AAA.
LAN Port IP Configuration Guidelines and Restrictions
Follow these configuration guidelines and restrictions when configuring LAN port IP:
• You must be familiar with configuring access control lists (ACLs) and policy-based ACLs
(PBACLs).
• You should be familiar with configuring authentication, authorization, and accounting (AAA).
• LAN port IP works with other security features such as 802.1X, MAC authentication bypass, and
web-based proxy authentication. The restrictions that apply to 802.1X ports also apply to LAN port
IP ports as follows:
– LAN port IP can be configured on access ports only; it cannot be configured on trunk ports.
– LAN port IP ports cannot be part of an EtherChannel.
– LAN port IP cannot be enabled with dynamic ports.
– LAN port IP can be enabled on Ethernet ports only.
– LAN port IP ports cannot be SPAN destination ports.
– LAN port IP ports cannot be part of a private VLAN.
Note With software release 8.6(1) and later releases, LAN port IP ports can be part of a private
VLAN. For more information, see the “Configuring LAN Port IP on Private VLAN Ports”
section on page 44-34.
• LAN port IP, when enabled with any authentication feature such as 802.1X or MAC authentication
bypass, is initialized only after the authentication is finished.