From: srdja blagojevic (srdja1@pexim.co.yu)
Date: Wed Dec 06 2006 - 10:48:52 ART
IMHO it is mandatory to have interface list.
HTH,
Srdja
_____
From: Gabriel Nunes [mailto:gabriel.nunes@gmail.com]
Sent: Wednesday, December 06, 2006 14:42
To: srdja blagojevic
Cc: Udo; Hewie; Cisco certification
Subject: Re: NAC question
So, you are saying that if I do only this:
aaa new-model
aaa authentication eou default group radius
radius-server host x.x.x.x key xxxx
ip admission name WORMS eapoudp
int g0/0
ip admission WORMS
It is wrong...?
Is it mandatory to configure that ACL?
access-list 102 permit udp any any eq 21862
access-list 102 deny ip any any
On 12/6/06, srdja blagojevic <srdja1@pexim.co.yu> wrote:
Udo,
without ACL 102 all traffic on fa0/1 interface will pass without checking AV
compatibility of the host, so no traffic would be NAC controlled.
ACL 102 denies all traffic, and the intercept ACL (or all traffic if there is no
intercept ACL) will cover the traffic that will be NAC controlled (and that will
be passed "around" ACL 102 on the fa0/1 interface).
HTH,
Srdja
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Udo
Sent: Wednesday, December 06, 2006 12:00
To: Gabriel Nunes
Cc: Hewie; Cisco certification
Subject: Re: NAC question
Hi,
in the following environment, what is the reason for acl 102 inbound to
eth0/1 ?
Is this the acl which triggers the NAC process ?
Udo
====================================
aaa new-model
!
!
aaa authentication eou default group radius
aaa session-id common
ip subnet-zero
ip cef
!
! The following line creates a network admission rule. A list is not
! specified; therefore, the rule intercepts all traffic on the applied interface.
ip admission name avrule eapoudp
!
eou logging
!
!
interface FastEthernet0/0
ip address 10.13.11.106 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
=====================================
-->> ip access-group 102 in
-->> what is the reason for this acl ??
======================================
ip admission avrule
duplex auto
speed auto
access-list 102 permit udp any any eq 21862
access-list 102 deny ip any any
On Wednesday, 06.12.2006, 07:22 -0200, Gabriel Nunes wrote:
> Yes, The question is asking for this...
>
> Thanks!
>
>
> On 12/6/06, Hewie <whewetson@gmail.com> wrote:
> >
> > Hi Gabriel,
> >
> > The NAC L3 architecture requires an ACL to trigger the NAC process,
> > you could simply use a permit ip any any statement. Any particular
> > reason why you don't want to use an ACL?
> >
> > Hewie
> >
> >
> > On 12/5/06, Gabriel Nunes <gabriel.nunes@gmail.com> wrote:
> >
> > > Does someone know how to configure a router to authorize the users
> > > on radius server and check the last antivirus updates without
> > > using ACL?
> > >
> > > Thanks!
> > >
> > > Gabriel
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
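An added illustration of the interaction Srdja and Hewie describe, written for this thread rather than taken from any poster's message or from Cisco IOS: a small Python model of a NAC L3 IP port with "ip admission ... eapoudp" and ACL 102 bound inbound. The class and field names, the "intercept" result, and the simplification that an unknown host's first intercepted packet is dropped while its EAPoUDP exchange starts are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

EAPOUDP_PORT = 21862  # UDP port the EAPoUDP posture exchange uses (from ACL 102)


@dataclass
class Packet:
    src: str          # source host address
    proto: str        # "udp", "tcp" or "icmp"
    dport: int = 0    # destination port for udp/tcp


@dataclass
class NacInterface:
    # Models "ip admission <name> eapoudp [list <acl>]" plus "ip access-group 102 in".
    acl_applied: bool = True                       # is ACL 102 bound inbound on the port?
    intercept_list: Optional[set] = None           # None: no "list" keyword, intercept everything
    pending: set = field(default_factory=set)      # hosts whose EAPoUDP exchange is in progress
    validated: dict = field(default_factory=dict)  # host -> policy RADIUS returned ("permit"/"deny")

    def acl_102(self, pkt: Packet) -> bool:
        # access-list 102 permit udp any any eq 21862 / access-list 102 deny ip any any
        return pkt.proto == "udp" and pkt.dport == EAPOUDP_PORT

    def intercepted(self, pkt: Packet) -> bool:
        return self.intercept_list is None or pkt.src in self.intercept_list

    def posture_result(self, host: str, policy: str) -> None:
        # The EAPoUDP exchange finished; RADIUS handed back a per-host policy.
        self.pending.discard(host)
        self.validated[host] = policy

    def forward(self, pkt: Packet) -> str:
        if not self.acl_applied:
            # Srdja's point: with no blocking ACL there is nothing to enforce, so
            # every packet is forwarded and no host is ever posture checked.
            return "permit"
        if self.acl_102(pkt):
            return "permit"   # the posture exchange itself must always get through
        if self.intercepted(pkt):
            if pkt.src in self.validated:
                # A validated host's downloaded policy is consulted ahead of ACL 102,
                # which is what "passed around ACL 102" means in the thread.
                return self.validated[pkt.src]
            # Assumption: the first packet from an unknown host starts the EAPoUDP
            # exchange and is itself dropped by the deny at the end of ACL 102.
            self.pending.add(pkt.src)
            return "intercept"
        return "deny"         # not NAC controlled: plain ACL 102 result
```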
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:36 ART