From: Gabriel Nunes (gabriel.nunes@gmail.com)
Date: Wed Dec 06 2006 - 10:42:26 ART
So, you are saying that if I do only this:
aaa new-model
aaa authentication eou default group radius
radius-server host x.x.x.x key xxxx
ip admission name WORMS eapoudp
int g0/0
ip admission WORMS
is it wrong...?
Is it mandatory to configure that ACL?
access-list 102 permit udp any any eq 21862
access-list 102 deny ip any any
On 12/6/06, srdja blagojevic <srdja1@pexim.co.yu> wrote:
>
> Udo,
>
> without ACL 102, all traffic on the fa0/1 interface will pass without checking
> the AV compatibility of the host, so no traffic would be NAC controlled.
>
> ACL 102 denies all traffic, and the intercept ACL (or all traffic if there is no
> intercept ACL) will cover the traffic that will be NAC controlled (and that will
> be passed "around" ACL 102 on the fa0/1 interface).
>
> HTH,
> Srdja
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Udo
> Sent: Wednesday, December 06, 2006 12:00
> To: Gabriel Nunes
> Cc: Hewie; Cisco certification
> Subject: Re: NAC question
>
> Hi,
>
> In the following environment, what is the reason for ACL 102 inbound on
> eth0/1?
> Is this the ACL which triggers the NAC process?
>
> Udo
>
>
> ====================================
>
> aaa new-model
> !
> !
> aaa authentication eou default group radius
> aaa session-id common
> ip subnet-zero
> ip cef
> !
> ! The following line creates a network admission rule. A list is not specified;
> ! therefore, the rule intercepts all traffic on the applied interface.
> ip admission name avrule eapoudp
> !
> eou logging
> !
> !
> interface FastEthernet0/0
> ip address 10.13.11.106 255.255.255.0
> duplex auto
> speed auto
> !
> interface FastEthernet0/1
> ip address 10.0.0.1 255.255.255.0
> =====================================
> -->> ip access-group 102 in
> -->> what is the reason for this acl ??
> ======================================
> ip admission avrule
> duplex auto
> speed auto
>
> access-list 102 permit udp any any eq 21862
> access-list 102 deny ip any any
>
> On Wednesday, 06.12.2006, at 07:22 -0200, Gabriel Nunes wrote:
> > Yes, The question is asking for this...
> >
> > Thanks!
> >
> >
> > On 12/6/06, Hewie <whewetson@gmail.com> wrote:
> > >
> > > Hi Gabriel,
> > >
> > > The NAC L3 architecture requires an ACL to trigger the NAC process;
> > > you could simply use a permit ip any any statement. Any particular
> > > reason why you don't want to use an ACL?
> > >
> > > Hewie
> > >
> > >
> > > On 12/5/06, Gabriel Nunes <gabriel.nunes@gmail.com> wrote:
> > >
> > > > Does someone know how to configure a router to authorize the users
> > > > on a RADIUS server and check the latest antivirus updates without
> > > > using an ACL?
> > > >
> > > > Thanks!
> > > >
> > > > Gabriel
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> >
>
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:36 ART