RE: NAC question

From: srdja blagojevic (srdja1@pexim.co.yu)
Date: Wed Dec 06 2006 - 10:25:18 ART


Udo,

Without ACL 102, all traffic on the fa0/1 interface will pass without checking the AV
compatibility of the host, so no traffic would be NAC controlled.

ACL 102 denies all traffic, and the intercept ACL (or all traffic if there is no
intercept ACL) will cover the traffic that will be NAC controlled (and that will
be passed "around" ACL 102 on the fa0/1 interface).

HTH,
Srdja
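Added here as a check on the point above, not part of the thread or of any Cisco tool: a small Python script that parses the config Udo quoted (embedded below as a constructed sample) and reports, for each interface carrying `ip admission`, whether its inbound ACL permits EAPoUDP (UDP 21862) and ends with `deny ip any any`.

```python
import re

# Constructed sample: the relevant fragment of the IOS config quoted in the thread.
SAMPLE_CONFIG = """\
ip admission name avrule eapoudp
!
interface FastEthernet0/0
 ip address 10.13.11.106 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group 102 in
 ip admission avrule
!
access-list 102 permit udp any any eq 21862
access-list 102 deny ip any any
"""

EAPOUDP_PORT = 21862  # UDP port used by EAPoUDP posture validation


def parse_config(text):
    """Return (interfaces, acls): interface name -> its indented lines,
    and numbered ACL -> its ACEs in order."""
    interfaces, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            m = re.match(r"access-list (\d+) (.*)", line)
            if m:
                acls.setdefault(m.group(1), []).append(m.group(2))
    return interfaces, acls


def check_nac_interfaces(text):
    """For every interface with 'ip admission', say whether its inbound ACL
    lets EAPoUDP through and blocks everything else by default."""
    interfaces, acls = parse_config(text)
    findings = {}
    for name, lines in interfaces.items():
        if not any(l.startswith("ip admission ") for l in lines):
            continue  # not a NAC-enforcing interface
        acl_in = next((l.split()[2] for l in lines
                       if l.startswith("ip access-group ") and l.endswith(" in")), None)
        aces = acls.get(acl_in, [])
        findings[name] = {
            "acl": acl_in,
            "permits_eapoudp": any(re.fullmatch(rf"permit udp any any eq {EAPOUDP_PORT}", a) for a in aces),
            "denies_rest": bool(aces) and aces[-1] == "deny ip any any",
        }
    return findings
```

Run `check_nac_interfaces(SAMPLE_CONFIG)` to see that only FastEthernet0/1 is reported, with both checks true; drop the permit line and the script flags the posture exchange as blocked.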

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Udo
Sent: Wednesday, December 06, 2006 12:00
To: Gabriel Nunes
Cc: Hewie; Cisco certification
Subject: Re: NAC question

Hi,

In the following environment, what is the reason for acl 102 inbound to
eth0/1?
Is this the acl which triggers the NAC process?

Udo

===================================

aaa new-model
!
!
aaa authentication eou default group radius
aaa session-id common
ip subnet-zero
ip cef
!
! The following line creates a network admission rule. A list is not
! specified; therefore, the rule intercepts all traffic on the applied
! interface.
ip admission name avrule eapoudp
!
eou logging
!
!
interface FastEthernet0/0
 ip address 10.13.11.106 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
=====================================
-->> ip access-group 102 in
-->> what is the reason for this acl ??
======================================
 ip admission avrule
 duplex auto
 speed auto

access-list 102 permit udp any any eq 21862
access-list 102 deny ip any any

On Wednesday, 06.12.2006, 07:22 -0200, Gabriel Nunes wrote:
> Yes, The question is asking for this...
>
> Thanks!
>
>
> On 12/6/06, Hewie <whewetson@gmail.com> wrote:
> >
> > Hi Gabriel,
> >
> > The NAC L3 architecture requires an ACL to trigger the NAC process,
> > you could simply use a permit ip any any statement. Any particular
> > reason why you don't want to use an ACL?
> >
> > Hewie
> >
> >
> > On 12/5/06, Gabriel Nunes <gabriel.nunes@gmail.com> wrote:
> >
> > > Does someone know how to configure a router to authorize the users
> > > on radius server and check the last antivirus updates without
> > > using ACL?
> > >
> > > Thanks!
> > >
> > > Gabriel
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:36 ART