! NOTE(review): Global section of a NAC demo switch: AAA, EAPoUDP (L2 IP posture
! validation) and 802.1X settings, the VLAN database, and access ports Fa0/1-5.
! This listing publishes live-looking credentials (hashes, cleartext passwords,
! a RADIUS key); anything derived from it should be treated as exposed and rotated.
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
! NOTE(review): with password encryption off, every non-secret password in this
! file (enable password, line passwords, RADIUS key) is stored and displayed in
! cleartext. Turning it on only applies reversible type 7 obfuscation, so it
! limits shoulder-surfing rather than protecting the values.
no service password-encryption
!
hostname cnac3550
!
! NOTE(review): both an enable secret and an enable password are configured.
! IOS uses the secret when both exist, so the cleartext enable password adds no
! function but still discloses a string that is reused on the vty lines later
! in this file. Type 5 is salted MD5-crypt; prefer a stronger secret type if the
! running image offers one (not verifiable from this listing).
enable secret 5 $1$cdxQ$ClOjOGQFKIJOQApPufS2W.
enable password nacnac06
!
username admin privilege 15 secret 5 $1$A6PW$5Oq9dm1UispKvBK7u5Y2T/
! NOTE(review): device logins authenticate against the local user database only;
! RADIUS is used for 802.1X, EAPoUDP and network authorization/accounting.
! No exec or command accounting is configured, so administrative sessions are
! not recorded on the AAA server.
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authentication eou default group radius
aaa authorization exec default local if-authenticated
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
ip subnet-zero
ip routing
no ip domain-lookup
! NOTE(review): admission rule bound to Fa0/1-16; no "list" ACL is attached, so
! the rule does not reference NAC_Intercept_ACL defined later in this file.
ip admission name NAC_Demo eapoudp
!
ip device tracking
vtp mode transparent
!
!
!
!
!
! NOTE(review): "allow clientless" lets hosts that do not answer EAPoUDP be
! submitted to the RADIUS server instead of being held; what such hosts may
! reach then depends entirely on the server-side policy for clientless devices
! - confirm that policy is restrictive. The 60-second timers are presumably
! shortened for demonstration.
eou allow clientless
eou timeout hold-period 60
eou timeout status-query 60
eou timeout revalidation 60
eou logging
dot1x system-auth-control
! NOTE(review): disables automatic verification of image files; re-enable on a
! production device so copied or reloaded images are integrity-checked.
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
! NOTE(review): spanning tree is turned off for VLANs 1-1000, which covers every
! VLAN defined below (10-13 and 1000). A cabling loop on these VLANs would not
! be blocked.
no spanning-tree vlan 1-1000
!
vlan internal allocation policy ascending
! NOTE(review): tagging the native VLAN on trunks is a hardening measure against
! double-tagged frames crossing VLANs.
vlan dot1q tag native
!
vlan 10
 name NAC_Demo
!
vlan 11
 name Quarantine
!
vlan 12
 name Success
!
vlan 13
 name Guest
!
vlan 1000
 name Core
!
!
! NOTE(review): Fa0/1-16 are the EAPoUDP-enforced ports. Each is a static access
! port in VLAN 10 with the default inbound ACL NAC_Interface_ACL and the
! NAC_Demo admission rule; until posture validation succeeds a host is limited
! to what that ACL permits.
interface FastEthernet0/1
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/2
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/3
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/4
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/5
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
! NOTE(review): Fa0/6-16 repeat the EAPoUDP port template: static access port in
! VLAN 10, inbound default ACL NAC_Interface_ACL, admission rule NAC_Demo.
! The stanzas are identical, so any change to the template has to be applied to
! every port to keep enforcement consistent.
interface FastEthernet0/6
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/7
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/8
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/9
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/10
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/11
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/12
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/13
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/14
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/15
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
interface FastEthernet0/16
 description default
 switchport access vlan 10
 switchport mode access
 ip access-group NAC_Interface_ACL in
 ip admission NAC_Demo
!
! NOTE(review): Fa0/17-22 use the 802.1X port template. The port acts as
! authenticator with port-control auto, takes the reauthentication interval
! from the RADIUS server, and uses 3-second tx/supplicant timers.
! MAC authentication bypass admits a device on its MAC address alone, which is
! an identifier rather than a credential, so the RADIUS policy for MAB entries
! should grant only limited access. Hosts that never answer 802.1X end up in
! guest VLAN 13; verify that VLAN is isolated upstream. No access VLAN is set,
! so the port presumably sits in the default VLAN unless RADIUS assigns one -
! confirm.
interface FastEthernet0/17
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/18
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/19
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/20
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/21
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/22
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
! NOTE(review): Fa0/23-28 repeat the 802.1X port template: authenticator role,
! port-control auto, server-supplied reauthentication period, 3-second timers,
! MAC authentication bypass and guest VLAN 13 as fallbacks. Both fallbacks
! admit devices that presented no 802.1X credential, so the access they receive
! is decided by the RADIUS MAB policy and by how VLAN 13 is filtered upstream.
interface FastEthernet0/23
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/24
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/25
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/26
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/27
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/28
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
! NOTE(review): Fa0/29-32 are the last ports on the 802.1X template
! (authenticator, port-control auto, MAC authentication bypass, guest VLAN 13).
interface FastEthernet0/29
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/30
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/31
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
interface FastEthernet0/32
 description default
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 3
 dot1x reauthentication
 dot1x guest-vlan 13
 spanning-tree portfast
!
! NOTE(review): Fa0/33-40 are plain access ports in VLAN 1000 (Core) with no
! 802.1X, admission rule or interface ACL. VLAN 1000 also carries the switch's
! management address and is the RADIUS source interface in this file, so any
! device patched into these ports lands on the management segment
! unauthenticated. Shut unused ports or apply the same access control used on
! the other port groups.
interface FastEthernet0/33
 description default
 switchport access vlan 1000
 switchport mode access
!
interface FastEthernet0/34
 description default
 switchport access vlan 1000
 switchport mode access
!
interface FastEthernet0/35
 description default
 switchport access vlan 1000
 switchport mode access
!
interface FastEthernet0/36
 description default
 switchport access vlan 1000
 switchport mode access
!
interface FastEthernet0/37
 description default
 switchport access vlan 1000
 switchport mode access
!
interface FastEthernet0/38
 description default
 switchport access vlan 1000
 switchport mode access
!
interface FastEthernet0/39
 description default
 switchport access vlan 1000
 switchport mode access
!
interface FastEthernet0/40
 description default
 switchport access vlan 1000
 switchport mode access
!
! NOTE(review): Fa0/41-44 are static access ports in VLANs 11, 12, 13 and 10
! with no authentication, admission rule or ACL - presumably test ports for each
! NAC state. Fa0/44 is in the same VLAN 10 as the enforced ports Fa0/1-16 but
! bypasses their interface ACL and posture check.
interface FastEthernet0/41
 description default
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/42
 description default
 switchport access vlan 12
 switchport mode access
!
interface FastEthernet0/43
 description default
 switchport access vlan 13
 switchport mode access
!
interface FastEthernet0/44
 description default
 switchport access vlan 10
 switchport mode access
!
! NOTE(review): Fa0/45-47 have no access VLAN configured, so they presumably
! remain in the default VLAN; they are not shut down.
interface FastEthernet0/45
 description default
 switchport mode access
!
interface FastEthernet0/46
 description default
 switchport mode access
!
interface FastEthernet0/47
 description default
 switchport mode access
!
! NOTE(review): the trunk ports below leave DTP negotiation enabled. Fa0/48
! (dynamic auto) becomes a trunk if the neighbor asks, limited to VLANs
! 10-13,1000. Gi0/1-2 (dynamic desirable) actively negotiate trunking and have
! no allowed-VLAN list, so a negotiated trunk would carry every VLAN.
! Hardening: set the mode explicitly ("switchport mode trunk" or
! "switchport mode access"), add "switchport nonegotiate", and restrict allowed
! VLANs on the uplinks.
interface FastEthernet0/48
 description mgmt
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-13,1000
 switchport mode dynamic auto
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 no ip address
!
interface Vlan10
 no ip address
!
interface Vlan13
 no ip address
!
! NOTE(review): Vlan1000 is the only SVI with an address; it is the management
! interface and the source for RADIUS traffic.
interface Vlan1000
 description Core
 ip address 45.200.1.42 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 45.200.1.3
! NOTE(review): both the cleartext HTTP server and the HTTPS server are enabled
! and no "ip http access-class" restricts who may connect. The HTTP server is
! presumably needed for NAC URL redirection - confirm; if it must stay, limit
! the source addresses and prefer HTTPS for administration.
ip http server
ip http secure-server
!
ip radius source-interface Vlan1000
!
! NOTE(review): DUMMY permits everything; nothing in this file references it.
ip access-list extended DUMMY
 permit ip any any
! NOTE(review): NAC_Intercept_ACL matches sources in 45.200.13.0/24, but the
! NAC_Demo admission rule in this file is defined without a list, so this ACL
! appears unused here.
ip access-list extended NAC_Intercept_ACL
 permit ip 45.200.13.0 0.0.0.255 any
! NOTE(review): NAC_Interface_ACL is the pre-validation filter on Fa0/1-16.
! It admits EAPoUDP (UDP 21862), DHCP, DNS to one resolver, HTTP to one web
! server and traffic to the listed remediation/scanning hosts, then denies and
! logs everything else. Entry order matters; the final deny must stay last.
! Several entries are broader than their remark suggests: the Altiris, Qualys
! and Trend lines permit all IP to those hosts, and the LANDesk lines permit
! every TCP port. Narrow them to the required ports so an unvalidated host
! cannot reach other services on those servers.
ip access-list extended NAC_Interface_ACL
 permit udp any any eq 21862
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any host 45.200.1.2 eq domain
 remark WWW
 permit tcp any host 45.200.7.2 eq www
 remark Altiris
 permit ip any host 45.200.1.46
 remark LANDesk
 permit tcp any host 45.200.1.43
 permit tcp any host 45.200.1.44
 remark Qualys
 permit ip any host 45.200.1.47
 remark Trend
 permit ip any host 45.200.7.16
 permit ip any host 45.200.7.192
 remark Log
 deny ip any any log
! NOTE(review): NAC_URL_Redir_ACL is not applied anywhere in this file;
! presumably the RADIUS server names it in a URL-redirect attribute - confirm.
! In that use the deny lines exempt the four listed hosts from redirection and
! the final permit selects all other traffic for redirection.
ip access-list extended NAC_URL_Redir_ACL
 deny tcp any host 45.200.1.46
 deny tcp any host 45.200.1.47
 deny tcp any host 45.200.7.2
 deny tcp any host 45.200.7.16
 permit ip any any
!
! NOTE(review): RADIUS client settings. Attribute 8 (Framed-IP-Address) is
! included in access requests and vendor-specific attributes are accepted for
! authentication. The shared key is stored in cleartext and is published with
! this listing, so it should be considered exposed: rotate it on both the
! switch and the server and use a long random value.
radius-server attribute 8 include-in-access-req
radius-server host 45.200.1.70 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key nit44nac
radius-server vsa send authentication
!
control-plane
!
!
! NOTE(review): management lines. "exec-timeout 0 0" on vty 0-4 disables the
! idle timeout, so an abandoned session stays open indefinitely. No
! "transport input" or "access-class" appears on either vty range, so the
! permitted protocols and source addresses are whatever the image defaults to -
! restrict to SSH and to management sources. The line passwords are cleartext
! and reuse the enable password string from earlier in this file; because
! login is governed by "aaa authentication login default local", they are
! presumably not consulted at all and can be removed - verify before deleting.
line con 0
line vty 0 4
 exec-timeout 0 0
 password nacnac06
 logging synchronous
line vty 5 15
 password nacnac06
!
end