problem with nac l2 ip config

loki999999
Level 1

I am trying to configure NAC L2 IP on a Catalyst 3550. After finishing, nothing happens. Here is my config file. Can someone see a fault in it?

Thanks for your help

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
aaa new-model
aaa authentication eou default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
ip subnet-zero
ip admission name NAC-L2-IP eapoudp
!
ip dhcp snooping vlan 1000
ip dhcp snooping
ip device tracking
vtp domain nws
vtp mode transparent
!
!
!
!
!
eou logging
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 200,638
!
interface FastEthernet0/1
 switchport mode access
 ip access-group interfac_acl in
 ip admission NAC-L2-IP
!
interface FastEthernet0/2
 switchport mode dynamic desirable
......
!
interface FastEthernet0/23
 switchport mode dynamic desirable
!
interface FastEthernet0/24
 switchport access vlan 200
 switchport mode dynamic desirable
 speed 100
 duplex full
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan200
 ip address 10.0.200.1 255.255.255.0
!
interface Vlan1000
 ip address 10.7.1.1 255.255.255.0
 ip helper-address 10.0.200.2
!
ip classless
ip http server
ip http secure-server
ip radius source-interface Vlan200
!
ip access-list extended interface_acl
 permit udp any any eq 21862
 remark allow dhcp
 permit udp any eq bootpc any eq bootps
 remark allow dns
 permit udp any any eq domain
 remark allow http access to update server
 permit tcp any host 10.0.200.30 eq www
 remark allow icmp
 permit icmp any any
 remark implicent deny
 deny ip any any
!
radius-server attribute 8 include-in-access-req
radius-server host 10.0.200.2 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key cisco123
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line vty 5 13
line vty 14 15
 exec-timeout 0 0
!
!
end

2 Replies

a-vazquez
Level 6

By default, the Catalyst 3550 doesn't support NAC. There are certain IOS images which support NAC. NAC L2 IP is supported by IOS version 12.2(25)SED. See if this is the version on the switch; if not, try upgrading the image to the one mentioned. Refer to the URL

http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_configuration_guide09186a00805764fd.html#wp1130453 for more information.

HarrytheBrain
Level 1

You shut down your default VLAN 1, but you have not assigned another VLAN to your access port. So it's impossible for your client to get an IP address.

You will need one for NAC-L2-IP.
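A consistency check for this kind of configuration, as an added example that is not part of any poster's message and not Cisco tooling: it flags ports whose `ip access-group` or `ip admission` name has no matching definition, and NAC ports without an explicit `switchport access vlan` (the point raised in the last reply). The names `lint_nac_config` and `IFACE_CMDS` are hypothetical, and the embedded excerpt is constructed from the configuration posted above.

```python
import re

# Constructed excerpt: the NAC-relevant lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
ip admission name NAC-L2-IP eapoudp
interface FastEthernet0/1
 switchport mode access
 ip access-group interfac_acl in
 ip admission NAC-L2-IP
interface FastEthernet0/24
 switchport access vlan 200
ip access-list extended interface_acl
 permit udp any any eq 21862
"""

# Interface sub-commands this check tracks (a hypothetical selection, not a full IOS parser).
IFACE_CMDS = {
    "acl": re.compile(r"ip access-group (\S+) in$"),
    "rule": re.compile(r"ip admission (\S+)$"),
    "vlan": re.compile(r"switchport access vlan (\d+)$"),
}

def lint_nac_config(text):
    """Return sorted (interface, finding) pairs for dangling references on switch ports."""
    acls, rules, ifaces, current = set(), set(), {}, None
    # Lines are stripped, so the check also works on pastes that lost their indentation.
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip admission name (\S+)", line):
            rules.add(m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            current = ifaces.setdefault(m.group(1), {})
        elif current is not None:
            for key, pattern in IFACE_CMDS.items():
                if m := pattern.match(line):
                    current[key] = m.group(1)
    findings = []
    for name, cfg in ifaces.items():
        if "acl" in cfg and cfg["acl"] not in acls:
            findings.append((name, f"access-group '{cfg['acl']}' is not a defined ACL"))
        if "rule" in cfg and cfg["rule"] not in rules:
            findings.append((name, f"admission rule '{cfg['rule']}' is not defined"))
        if "rule" in cfg and "vlan" not in cfg:
            findings.append((name, "NAC port has no 'switchport access vlan'"))
    return sorted(findings)

if __name__ == "__main__":
    for iface, finding in lint_nac_config(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Definitions are collected before references are checked, so an ACL declared after the interface that uses it, as in the posted configuration, is still resolved correctly.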
