06-13-2006 03:32 AM - edited 02-21-2020 12:57 AM
I am trying to configure NAC L2 IP on a Catalyst 3550. After finishing, nothing happens. Here is my config file. Can someone see a fault in it?
Thanks for your help
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
aaa new-model
aaa authentication eou default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
ip subnet-zero
ip admission name NAC-L2-IP eapoudp
!
ip dhcp snooping vlan 1000
ip dhcp snooping
ip device tracking
vtp domain nws
vtp mode transparent
!
!
!
!
!
eou logging
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 200,638
!
interface FastEthernet0/1
switchport mode access
ip access-group interfac_acl in
ip admission NAC-L2-IP
!
interface FastEthernet0/2
switchport mode dynamic desirable
......
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport access vlan 200
switchport mode dynamic desirable
speed 100
duplex full
ip dhcp snooping trust
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan200
ip address 10.0.200.1 255.255.255.0
!
interface Vlan1000
ip address 10.7.1.1 255.255.255.0
ip helper-address 10.0.200.2
!
ip classless
ip http server
ip http secure-server
ip radius source-interface Vlan200
!
ip access-list extended interface_acl
permit udp any any eq 21862
remark allow dhcp
permit udp any eq bootpc any eq bootps
remark allow dns
permit udp any any eq domain
remark allow http access to update server
permit tcp any host 10.0.200.30 eq www
remark allow icmp
permit icmp any any
remark implicent deny
deny ip any any
!
radius-server attribute 8 include-in-access-req
radius-server host 10.0.200.2 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco123
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line vty 5 13
line vty 14 15
exec-timeout 0 0
!
!
end
06-19-2006 01:18 PM
By default, the Catalyst 3550 doesn't support NAC. There are certain IOS images which support NAC. NAC - L2 IP is supported by IOS version 12.2(25)SED. See if this is the version on the switch; if not, try upgrading the image to the one mentioned. Refer to the URL
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_configuration_guide09186a00805764fd.html#wp1130453 for more information.
06-22-2006 11:50 PM
You shut down your default VLAN 1, but you have not assigned another VLAN to your access port. So it's impossible for your client to get an IP address.
You will need one for NAC-L2-IP.
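
An offline check for two things visible in this thread: whether the ACL name applied to the NAC port matches an ACL that is actually defined, and the access VLAN point raised in the last reply. This is an added example, not part of any post; the function names and the sample excerpt are constructed for illustration, and it assumes config blocks are closed by "!" as IOS prints them.

```python
import re

# Constructed excerpt of the configuration posted above (flat, as on the page).
SAMPLE = """\
interface FastEthernet0/1
switchport mode access
ip access-group interfac_acl in
ip admission NAC-L2-IP
!
interface Vlan1
shutdown
!
interface Vlan1000
ip address 10.7.1.1 255.255.255.0
!
ip access-list extended interface_acl
"""

def parse(config):
    """Return ({interface: [commands]}, {ACL names}); '!' closes a block."""
    acls = set(re.findall(r"^ip access-list \S+ (\S+)$", config, re.M))
    interfaces, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(m.group(1), [])
        elif line == "!" or line.startswith("ip access-list "):
            current = None
        elif current is not None:
            current.append(line)
    return interfaces, acls

def lint_nac_ports(config):
    """Return (port, finding) pairs for every port with 'ip admission' applied."""
    interfaces, acls = parse(config)
    findings = []
    for port, cmds in interfaces.items():
        text = "\n".join(cmds)
        if not re.search(r"^ip admission \S+$", text, re.M):
            continue
        acl = re.search(r"^ip access-group (\S+) in$", text, re.M)
        if acl and acl.group(1) not in acls:
            findings.append((port, f"ACL {acl.group(1)} is not defined"))
        vlan = re.search(r"^switchport access vlan (\d+)$", text, re.M)
        vid = vlan.group(1) if vlan else "1"  # unset access VLAN means VLAN 1
        svi = interfaces.get(f"Vlan{vid}")
        if svi is None or "shutdown" in svi:
            findings.append((port, f"access VLAN {vid}: Vlan{vid} is shutdown or missing"))
    return findings

if __name__ == "__main__":
    print(lint_nac_ports(SAMPLE))
```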