! AAA method lists: TACACS+ for device administration, RADIUS for network
! access (802.1X). Within a list, a later method is consulted only when the
! earlier one returns an error (for example the server is unreachable), not
! when it rejects the user.
aaa new-model
aaa authentication password-prompt "Enter Password:"
aaa authentication username-prompt "Enter Username:"
! Login: TACACS+, then the local user database, then the enable password.
! The named list "admin" only takes effect where a line references it; no
! line (vty/console) configuration is visible in this excerpt.
! NOTE(review): no TACACS+ server definition is visible here either -
! confirm it exists elsewhere, otherwise every login falls through to the
! local/enable methods.
aaa authentication login default group tacacs+ local enable
aaa authentication login admin group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
! 802.1X authentication goes to RADIUS with no fallback method.
aaa authentication dot1x default group radius
! Exec and command authorization. Only privilege levels 1 and 15 have a
! command authorization list in this excerpt.
! NOTE(review): if-authenticated as the last method authorizes any
! already-authenticated user once the earlier methods error out - confirm
! that this is the intended behaviour during a TACACS+ outage.
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
! Network and auth-proxy authorization via RADIUS; presumably what lets the
! RADIUS server push per-session attributes (VLAN, ACL, redirect) - confirm.
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
! Accounting: 802.1X sessions to RADIUS, everything else to TACACS+.
! Level-1 commands are recorded stop-only, level-15 commands start-stop.
! NOTE(review): network accounting is sent to TACACS+ while network
! authorization uses RADIUS - confirm the split is intentional.
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
! RADIUS Change of Authorization (CoA) listener: accepts dynamic
! authorization requests from 192.168.20.11 on UDP port 3799.
aaa server radius dynamic-author
! "7" marks the key as type-7 encoded. Type 7 is a reversible encoding, not
! encryption, so treat the string as equivalent to cleartext. "123456" is
! presumably a placeholder - never publish a real value.
client 192.168.20.11 server-key 7 123456
port 3799
auth-type all
! NOTE(review): both ignore lines relax checks on incoming CoA requests.
! "ignore server-key" in particular appears to stop the switch from
! checking the shared secret - confirm it is really required, and if not,
! remove it so CoA requests are validated against the server key.
ignore session-key
ignore server-key
! Global service hardening and 802.1X enablement.
! Disable DNS lookups from the switch and the BOOTP server service.
no ip domain-lookup
no ip bootp server
! Delay the device-tracking probe by 10 seconds after a host is detected.
ip device tracking probe delay 10
! DHCP snooping is enabled per VLAN here.
! NOTE(review): the global "ip dhcp snooping" command and a trusted uplink
! ("ip dhcp snooping trust") are not visible in this excerpt; without the
! global command this line has no effect - confirm both exist elsewhere.
ip dhcp snooping vlan 9
ip dhcp bootp ignore
! Globally enable 802.1X port-based authentication.
dot1x system-auth-control
! Access port with 802.1X, MAB fallback, port security, and a voice VLAN.
interface GigabitEthernet3/12
switchport access vlan 9
switchport mode access
switchport voice vlan 13
! Port security: at most 5 MAC addresses; "restrict" drops frames from
! additional addresses and counts the violation without shutting the port.
! Learned addresses age out after 1440 minutes of inactivity.
! NOTE(review): port security combined with 802.1X/MAB on the same port can
! interfere with session handling on some platforms - confirm the
! combination is supported and needed here.
switchport port-security maximum 5
switchport port-security violation restrict
switchport port-security aging time 1440
switchport port-security aging type inactivity
switchport port-security
! Try 802.1X first, then MAC Authentication Bypass; 802.1X also has the
! higher priority, so it can override an existing MAB session.
! MAB identifies a device by MAC address alone, so whatever the RADIUS
! policy grants to MAB endpoints should be kept narrow.
! NOTE(review): no "authentication host-mode" line is visible; the platform
! default applies (single-host, as far as I know) - confirm that it suits a
! port that also carries a voice VLAN.
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
! Periodic reauthentication, with the interval taken from the RADIUS server.
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
! Timers: 30 s wait for the RADIUS server, 10 s between EAP identity
! requests. Fallback to MAB happens after roughly
! (max-reauth-req + 1) x tx-period, i.e. about 110 s with these values -
! verify on the platform, since a long wait can outlast a client's DHCP
! timeout.
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x max-req 3
dot1x max-reauth-req 10
! NOTE(review): PortFast is enabled but BPDU guard is not configured on
! this interface in the excerpt - confirm it is enabled globally.
spanning-tree portfast edge
!
! Layer-3 gateway (SVI) for the access VLAN 9, 192.168.9.0/24.
interface Vlan9
description testvlan
ip address 192.168.9.1 255.255.255.0
! The "Data" ACL is applied outbound, so it filters traffic routed towards
! hosts in VLAN 9. Traffic sent by those hosts and traffic that stays inside
! the VLAN is not filtered by this line.
ip access-group Data out
! DHCP relay targets. 192.168.20.11 is also the RADIUS server address used
! elsewhere in this file, so that copy is presumably for endpoint
! profiling rather than address assignment - confirm.
ip helper-address 192.168.20.11
ip helper-address 192.168.10.3
ip helper-address 192.168.10.4
!
! Built-in web server: both cleartext HTTP and HTTPS are enabled, access is
! limited to the sources in standard ACL 10, and logins use the AAA method
! lists.
! NOTE(review): "ip http server" exposes an unencrypted listener. It is often
! kept only because web-authentication URL redirection needs it - confirm
! that is the case here, and otherwise disable it with "no ip http server".
! ACL 10 in this file also permits the client subnet 192.168.9.0/24.
ip http server
ip http access-class 10
ip http authentication aaa
ip http secure-server
!
! ACL "CPR": nothing in this excerpt references it. Presumably it is a
! web-redirect ACL named by the RADIUS server, where "permit" selects the
! traffic to redirect and "deny" exempts traffic from redirection - confirm.
! Exempted: DHCP (bootpc -> bootps), DNS over UDP 53, and the two
! 192.168.20.x hosts. Selected: TCP 80 and 443. Everything else falls to the
! implicit deny.
! NOTE(review): the trailing "<cppm IP>" and "<cppm cluster IP>" texts are
! annotations, not IOS syntax; strip them before applying these lines.
ip access-list extended CPR
deny udp any eq bootpc any eq bootps
deny udp any any eq 53
deny ip any host 192.168.20.10 <cppm IP>
deny ip any host 192.168.20.11 <cppm cluster IP>
permit tcp any any eq 80
permit tcp any any eq 443
! ACL "Data", applied outbound on interface Vlan9 in this file. It is a
! deny-list: specific services are blocked and everything else is allowed by
! the final "permit ip any any".
! Blocked: ICMP timestamp request/reply, and TCP destination ports lpd,
! 5800-5809, 5900-5909 and 6000-6009 (commonly VNC and X11 ranges).
! NOTE(review): because the last entry permits all remaining traffic, any
! service not listed is reachable - confirm a deny-list is the intended
! policy for this VLAN.
ip access-list extended Data
deny icmp any any timestamp-request
deny icmp any any timestamp-reply
deny tcp any any eq lpd
deny tcp any any range 5800 5809
deny tcp any any range 5900 5909
deny tcp any any range 6000 6009
permit ip any any
! RADIUS server used by the "group radius" method lists: authentication on
! UDP 1812, accounting on UDP 1813.
radius server CPPM
address ipv4 192.168.20.11 auth-port 1812 acct-port 1813
! Type-7 keys are reversibly encoded, not encrypted, so treat the value as
! cleartext. "123456" is presumably a placeholder - use a long random
! shared secret and keep real values out of published configs.
key 7 123456
!
! Standard ACL 10: source networks allowed to reach the switch's HTTP/HTTPS
! server (referenced by "ip http access-class 10" in this file).
! NOTE(review): 192.168.9.0/24 is the client subnet of interface Vlan9, so
! endpoints on the access VLAN can reach the web server - confirm that this
! is required, and narrow the entry if it is not.
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.9.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255
! Include vendor-specific attributes in RADIUS authentication requests.
radius-server vsa send authentication