NAC
The NAC profile is a Network Access Control (NAC) profile that is used to assign configuration to a port. A NAC profile defines the access policies and the services, which are expressed as service profiles. Up to 8 service profiles or vlans can be associated with a NAC profile. In RADIUS-configured systems the NAC profile can also define the set of profiles from which RADIUS can choose when assigning to a port.
NAC Profile Attributes
| Attribute | Values | Default | Req | Description |
|---|---|---|---|---|
| Name | Printable string | N/A | Y | The name of the NAC Profile. |
| Access-violation-auto-disable | true \| false | True | N | Whether to disable the port when access violations are detected for the duration of the access-violation-reenable-timeout. This is known in many systems as err-disable. |
| Access-violation-reenable-timeout | 0 \| 60..86400 | 300 | N | If set to zero, the port will be permanently disabled on an access violation until an admin user disables and re-enables the port. |
| Max-macs | 0..64 | 16 | N | The maximum number of MACs that are allowed in service on this port. |
| Enable-default-vlan | true \| false | False | Y | Whether to apply the default vlans to the port. For service to be rendered on the port under normal circumstances, this needs to be set to true. Note that the default vlan has this set to false to deny service on ports until they are configured with a default vlan. |
| Default-vlan-config | Container | | | |
| Svc-profile-names | String | N/A | Y | At least one service profile must be added to the port to render service on the port. Each service profile represents a vlan and its associated QoS configuration. |
| Pae-dynamic-service-enabled | true \| false | False | N | Whether to enable 802.1x/MAB on this port. |
| Enable-filter-id | true \| false | False | N | When 802.1x with RADIUS is in use, whether to look for configuration information in the Filter ID RADIUS attribute. |
| Egress-vlan-enabled | true \| false | False | N | Whether to honor egress vlan id configuration information in RADIUS responses. Typically this information is in the filter-id attribute. |
| Tunnel-id-enabled | true \| false | False | N | Whether to honor the tunnel id configuration in RADIUS responses. Typically, this information is in the filter-id attribute. |
| Mac-bypass | true \| false | False | N | Whether to perform MAC authentication bypass, which allows RADIUS authentication using the MAC as username and password. This is often used with devices that do not support 802.1x. |
| Bypass-config | Container for MAC bypass configuration. | | | |
| Auth-method | PAP \| eap-md5-mac \| eap-md5-secret | PAP | N | When MAC bypass is in use, specifies the method for sending the auth credentials. |
| Mab-username | String | N/A | N | This attribute must be included if MAB auth is enabled, when a username/password is used to authenticate the MAB supplicant. |
| Mab-password | String | N/A | N | This attribute must be included if MAB auth is enabled. |
| Guest-vlan-enabled | true \| false | False | N | Whether to fail over to a guest vlan at the end of a timeout where the user has failed to authenticate. |
| Guest-vlan-config | Container | | | |
| Service-profile-names | String | N/A | N | The service profile(s) to apply to the port when the authentication times out and the guest vlan is applied. |
| Auth-fail-enabled | true \| false | False | N | If authentication fails, whether or not to apply an auth fail vlan (quarantine vlan) to the port. This is often better configured via the filter-id coming back from RADIUS. |
| Auth-fail-config | Container | | | |
| Startup-delay | 0..3600 | 0 | N | The delay to be imposed prior to applying auth failure configuration on an auth fail event. |
| Svc-profile-name | String | N/A | N | The service profile to apply whenever authentication fails. |
Note: * = required parameter
- Command Path – tolt>profiles>nac-profiles>
- Module – tolt
- Container – profiles
- Container – nac-profiles
- Types –
  - *name – The name of the NAC Profile.
    - Printable string
  - Access-violation-auto-disable – Whether to disable the port when access violations are detected for the duration of the access-violation-reenable-timeout. This is known in many systems as err-disable.
    - true | false (default true)
  - Access-violation-reenable-timeout – If set to zero, the port will be permanently disabled on an access violation until an admin user disables and re-enables the port.
    - 0 | 60..86400 (default 300)
  - Max-macs – The maximum number of MACs that are allowed in service on this port.
    - 0..64 (default 16)
  - *Enable-default-vlan – Whether to apply the default vlans to the port. For service to be rendered on the port under normal circumstances, this needs to be set to true. Note that the default vlan has this set to false to deny service on ports until they are configured with a default vlan.
    - true | false (default false)
  - Default-vlan-config – Container
    - *Svc-profile-names – At least one service profile must be added to the port to render service on the port. Each service profile represents a vlan and its associated QoS configuration.
      - string
  - Pae-dynamic-service-enabled – Whether to enable 802.1x/MAB on this port.
    - true | false (default false)
  - Enable-filter-id – When 802.1x with RADIUS is in use, whether to look for configuration information in the Filter ID RADIUS attribute.
    - true | false (default false)
  - Egress-vlan-enabled – Whether to honor egress vlan id configuration information in RADIUS responses. Typically this information is in the filter-id attribute.
    - true | false (default false)
  - Tunnel-id-enabled – Whether to honor the tunnel id configuration in RADIUS responses. Typically, this information is in the filter-id attribute.
    - true | false (default false)
  - Mac-bypass – Whether to perform MAC authentication bypass, which allows RADIUS authentication using the MAC as username and password. This is often used with devices that do not support 802.1x.
    - true | false (default false)
  - Bypass-config – Container for MAC bypass configuration.
    - Auth-method – When MAC bypass is in use, specifies the method for sending the auth credentials.
      - PAP | eap-md5-mac | eap-md5-secret (default PAP)
      - PAP – Password Authentication Protocol
      - eap-md5-mac – use an md5 hash of the MAC as credentials for MAB.
      - eap-md5-secret – use an md5 hash of a password to authenticate the MAB port.
    - Mab-username – This attribute must be included if MAB auth is enabled, when a username/password is used to authenticate the MAB supplicant.
      - string
    - Mab-password – This attribute must be included if MAB auth is enabled.
      - string
  - Guest-vlan-enabled – Whether to fail over to a guest vlan at the end of a timeout where the user has failed to authenticate.
    - true | false (default false)
  - Guest-vlan-config – Container
    - Service-profile-names – The service profile(s) to apply to the port when the authentication times out and the guest vlan is applied.
      - string
  - Auth-fail-enabled – If authentication fails, whether or not to apply an auth fail vlan (quarantine vlan) to the port. This is often better configured via the filter-id coming back from RADIUS.
    - true | false (default false)
  - Auth-fail-config – Container
    - Startup-delay – The delay to be imposed prior to applying auth failure configuration on an auth fail event.
      - 0..3600 (default 0)
    - Svc-profile-name – The service profile to apply whenever authentication fails.
      - string
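As an added example that is not part of the vendor's documentation, the following Python checker applies the constraints from the attribute table and list above (required attributes, value ranges, and which settings depend on each other, such as MAB needing credentials and the RADIUS-driven flags needing 802.1x/MAB enabled) to a NAC profile expressed as a dict; the dict layout, the lower-case key spelling and the sample profile are assumptions made for illustration.

```python
# Added example, not from the vendor's documentation: a consistency checker for
# NAC profile settings built from the attribute names, ranges and defaults listed
# on this page. The dict layout and lower-case key spelling are assumptions.
VALID_AUTH_METHODS = ("PAP", "eap-md5-mac", "eap-md5-secret")
RADIUS_ONLY_FLAGS = ("enable-filter-id", "egress-vlan-enabled", "tunnel-id-enabled")

def validate_nac_profile(p):
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    if not p.get("name"):
        problems.append("name is required")
    timeout = p.get("access-violation-reenable-timeout", 300)
    if not (timeout == 0 or 60 <= timeout <= 86400):
        problems.append("access-violation-reenable-timeout must be 0 or 60..86400")
    if not 0 <= p.get("max-macs", 16) <= 64:
        problems.append("max-macs must be 0..64")
    # Service is only rendered when the default vlan is enabled AND a service profile is attached.
    if p.get("enable-default-vlan", False) and not p.get("default-vlan-config", {}).get("svc-profile-names"):
        problems.append("enable-default-vlan is true but default-vlan-config has no svc-profile-names")
    dot1x = p.get("pae-dynamic-service-enabled", False)
    # These flags only act on RADIUS responses, which only arrive once 802.1x/MAB is enabled.
    for flag in RADIUS_ONLY_FLAGS:
        if p.get(flag, False) and not dot1x:
            problems.append(flag + " has no effect without pae-dynamic-service-enabled")
    if p.get("mac-bypass", False):
        bc = p.get("bypass-config", {})
        if bc.get("auth-method", "PAP") not in VALID_AUTH_METHODS:
            problems.append("bypass-config auth-method must be one of " + ", ".join(VALID_AUTH_METHODS))
        # MAB sends credentials to RADIUS, so both must be present when it is on.
        if not (bc.get("mab-username") and bc.get("mab-password")):
            problems.append("mac-bypass is true but mab-username or mab-password is missing")
    if p.get("guest-vlan-enabled", False) and not p.get("guest-vlan-config", {}).get("service-profile-names"):
        problems.append("guest-vlan-enabled is true but guest-vlan-config has no service-profile-names")
    if p.get("auth-fail-enabled", False):
        afc = p.get("auth-fail-config", {})
        if not afc.get("svc-profile-name"):
            problems.append("auth-fail-enabled is true but auth-fail-config has no svc-profile-name")
        if not 0 <= afc.get("startup-delay", 0) <= 3600:
            problems.append("auth-fail-config startup-delay must be 0..3600")
    return problems

# Constructed sample: a MAB profile whose re-enable timeout and bypass credentials
# are wrong; validate_nac_profile(BROKEN_PROFILE) reports exactly those two findings.
BROKEN_PROFILE = {
    "name": "vlan-3000-nac", "access-violation-reenable-timeout": 30,
    "enable-default-vlan": True, "default-vlan-config": {"svc-profile-names": ["vlan-3000"]},
    "pae-dynamic-service-enabled": True, "mac-bypass": True, "bypass-config": {"auth-method": "PAP"},
}
```

Running the checker over a profile exported from the device before `commit` catches a MAB port that would fall back to failing authentication because its credentials were never set.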
NAC Profile Create Simple
- Command Path – tolt>profiles>nac-profiles>
- Module – tolt
- Container – profiles
- Container – nac-profiles
- Type – Example Parameter
- *name – vlan-3000-nac
- From the MDS1-ESUA<config># command line, input tolt profiles nac-profiles vlan-3000-nac and press Enter.
- Input commit and press Enter. Outputs similar to the following are displayed:
```
MDS1-ESUA<config># tolt profiles nac-profiles vlan-3000-nac <enter>
MDS1-ESUA<config># commit <enter>
Commit Complete
MDS1-ESUA<config># _
```
NAC Profile Delete
- Command Path – no>tolt>profiles>nac-profiles>
- Command – no
- Module – tolt
- Container – profiles
- Container – nac-profiles
- Types – Example Parameters
- *name – vlan-3000-nac
- default-vlan-enabled true
- *container – default-vlan-config
- svc-profile-names vlan-3000
- From the MDS1-ESUA<config># command line, input no tolt profiles nac-profiles vlan-3000-nac and press Enter.
- Input default-vlan-enabled true and press Enter.
- Input default-vlan-config svc-profile-names vlan-3000 and press Enter.
- Input commit and press Enter. Outputs similar to the following are displayed:
```
MDS1-ESUA<config># no tolt profiles nac-profiles vlan-3000-nac
```