Cisco Switch Configuration Post IOS Version 12.2(50)SE for Symantec LAN Enforcer


Article ID: 155840


Network Access Control on Appliance, Network Access Control Enforcer 6100 Series Appliance, Network Access Control


Starting with Cisco IOS 12.2(50)SE, Cisco changed some of the command syntax for authentication. This article lists the differences between pre- and post-12.2(50)SE syntax.


| Mode | 12.2(50)SE or older versions | 12.2(50)SE or newer versions | Description |
|---|---|---|---|
| global | `aaa new-model` | `aaa new-model` | |
| global | `aaa authentication dot1x default group radius` | `aaa authentication dot1x default group radius` | Define the dot1x authentication method |
| global | `aaa authorization network default group radius` | `aaa authorization network default group radius` | Define the network authentication method |
| global | `radius-server host x.x.x.x auth-port 1812 acct-port 1813 key *******` | `radius-server host x.x.x.x auth-port 1812 key *******` | Set the RADIUS server (Enforcer) |
| global | `radius-server deadtime` | `radius-server deadtime` | Set the number of minutes that a RADIUS server is not sent requests |
| global | `dot1x system-auth-control` | `dot1x system-auth-control` | Enable Dot1x authentication on a switch |
| interface | `switchport mode access` | `switchport mode access` | Set the interface mode to access |
| interface | `switchport access vlan 10` | `switchport access vlan 10` | Set the VLAN ID |
| interface | `dot1x port-control auto` | `authentication port-control auto` | Enable Dot1x authentication |
| interface | `dot1x reauthentication` | `authentication periodic` | Enable reauthentication |
| | `dot1x timeout reauth-period` | `authentication timer reauthenticate` | Set the reauthentication timer |
| interface | `dot1x guest-vlan 30` | `authentication event no-response action authorize vlan 30` | Set the guest VLAN |
| interface | `dot1x timeout quiet-period 30` | `authentication timer inactivity` | Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client |
| interface | `dot1x timeout tx-period` | `dot1x max-reauth-req` | Set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request |
| interface | `dot1x host-mode multi-host` | `authentication host-mode multi-host` | By default only a single host is permitted on a dot1x authenticated port. Setting this option allows multiple hosts to be permitted. Can be useful for allowing VMware in bridging mode or connecting a Cisco IP phone. |
| interface | `dot1x mac-auth-bypass` | `authentication order mab` | Enable MAB |
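
The following Python sketch is an added example, not part of the original article or any Symantec or Cisco tooling. It rewrites the legacy interface commands from the table whose arguments carry over one-to-one, and lists any remaining `dot1x` line for manual review so a port does not silently lose its 802.1X settings after an upgrade. The interface name, the timer values and the function name `translate` are assumptions made for the illustration.

```python
import re

# Legacy interface command -> 12.2(50)SE+ replacement. Only table rows whose
# arguments map one-to-one are automated; everything else is left for review.
RULES = [
    (r"dot1x port-control auto", r"authentication port-control auto"),
    (r"dot1x reauthentication", r"authentication periodic"),
    (r"dot1x timeout reauth-period (\d+)", r"authentication timer reauthenticate \1"),
    # Full IOS form of the guest-VLAN (no-response) command.
    (r"dot1x guest-vlan (\d+)", r"authentication event no-response action authorize vlan \1"),
    (r"dot1x host-mode (\S+)", r"authentication host-mode \1"),
]

def translate(config):
    """Return (rewritten_config, legacy_lines_needing_manual_review)."""
    out, review = [], []
    for raw in config.splitlines():
        line = raw.strip()
        indent = raw[: len(raw) - len(raw.lstrip())]
        for pattern, repl in RULES:
            m = re.fullmatch(pattern, line)
            if m:
                out.append(indent + m.expand(repl))
                break
        else:
            # No rule matched: keep the line, and flag it if it is dot1x syntax.
            if line.startswith("dot1x "):
                review.append(line)
            out.append(raw)
    return "\n".join(out), review

# Constructed sample: one access-port stanza in the pre-12.2(50)SE syntax.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 dot1x guest-vlan 30
 dot1x host-mode multi-host
 dot1x timeout tx-period 10
"""

if __name__ == "__main__":
    new_config, review = translate(SAMPLE)
    print(new_config)
    print("Manual review:", review)
```

Lines returned in the review list are copied through unchanged, so compare them against the table before applying the result to a switch.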