Configuring a Cisco switch for use with the Symantec LAN Enforcer


Article ID: 181006


Updated On:


Network Access Control Enforcer 6100 Series Appliance Network Access Control




The Symantec LAN Enforcer appliance is part of the Symantec Network Access Control (SNAC) suite. The device can be used with 802.1x enabled switches and access points to open, close, or redirect ports to a particular vlan based on Host Integrity checks performed on the endpoint.

This article provides the Cisco IOS commands necessary for configuring a (newly-reset/plain-configuration) Cisco Catalyst switch for use with the Symantec LAN Enforcer. The commands are applicable for models including the 2950, 2960 and 3750.


  • Show the current (running) configuration:
    (from the plain ">" prompt, first use the "enable" command to switch to a "#" prompt)
    #show run


  • Start up vlan 1 on a newly reset switch and assign an IP address:
    #conf t
    #interface vlan1
    # no shutdown
    # ip address


  • Configure the switch for 802.1x:
    #conf t
    #aaa new-model
    #aaa authentication dot1x default group radius
    #aaa authorization network default group radius
    #dot1x system-auth-control


  • Configure the Symantec LAN Enforcer as the Radius server for the switch:
    (the IP address of the LAN Enforcer in the example is, the shared secret entered in the SEPM Enforcer configuration is MySharedSecret$1)
    #conf t
    #radius-server host auth-port 1812 acct-port 1813 key MySharedSecret$1
    #radius-server retransmit 3


  • Configure a port on the switch for dot1x authentication (to be controlled by the LAN Enforcer):
    (the port configured here is port #6 on the switch - repeat the steps for all ports that should be authenticated with the Enforcer)
    #conf t
    #interface fa0/6
    # switchport mode access
    # dot1x port-control auto
    # dot1x reauthentication
    # dot1x timeout reauth-period 30

The above configuration will work with the Lan Enforcer in both Basic and Transparent mode (with/without optional RADIUS user authentication). Changing from a Transparent to a Basic setup does not require re-configuration on the switch side.


The below commands are optional, for configuring a quarantine vlan.

  • Set up a new vlan for the SNAC quarantine:
    (the id "7" and name "quarantine" should be entered identically in the SEPM Enforcer configuration switch profile, to allow the Enforcer to dynamically assign vlans)
    #conf t
    #vlan 7
    # name quarantine


  • Hard-code a separate port on the switch to the quarantine vlan:
    (useful for a server hosting quarantine resources, or any other machine you want to make available on the quarantine vlan)
    #conf t
    #interface fa0/8
    # switchport access vlan 7


Optionally a guest vlan can be configured for each port, where a machine without a supplicant would be assigned.

  • Configure a guest vlan:
    #conf t
    #interface fa0/6
    # dot1x guest-vlan 12


The below is an optional command for recent switch models only, for assigning a particular vlan in case the link between the switch and LAN Enforcer is broken.

  • Assign a critical vlan to a port on the switch:
    #conf t
    #interface fa0/6
    # dot1x critical
    # dot1x critical vlan 3
    # dot1x critical recovery action reinitialize


The below commands are useful for showing information on port status and vlan assignment.

  • Display a list of interfaces with connection status and vlan assignment:
    #show interfaces status
  • Display a list of vlans and which ports are assigned to each:
    #show vlan brief