From: Salau,Olayemi (Olayemi.Salau@southampton.gov.uk)
Date: Mon Dec 11 2006 - 09:14:51 ART
Now, let me try to answer your specific questions:
> Good day, Group.
> Sorry, I have 2 stupid questions:
> How I can configure NAC without the radius server?
By specifying an aaa configuration:

Rack1R6(config)#aaa authentication eou default local
Rack1R6(config)#username (username) password (password)

OR simply use:

Rack1R6(config)#aaa authentication eou default local none
This should allow aaa authentication if you don't set up username and
password (but then, is this what you want?)
> I have tried with
> identity profile eapoudp
> device authorize ip-address x.x.x.x
> but it's not working...
> And question 2 is: what ACL I must configure on interface - permit any
> any or permit only udp? What is NAC doing to permit or deny access? Is
> NAC adding new lines to ACL ?
You'll need to allow only EAPoUDP traffic (without validation) so as to
exchange the EAP protocol traffic between the PCs and the router, which
transits through the UDP port; then block any other traffic until they
are validated:

Rack1R6(config)#access-list 102 permit udp any any eq 21862
Rack1R6(config)#access-list 102 deny ip any any
> Has somebody configured NAC ? :-)
Of course YES! Welcome to the NAC Freaks Hotspot!
Also, for your setup, don't forget to configure the clientless username and
password if you don't install CTA:

Rack1R6(config)#eou clientless username (username)
Rack1R6(config)#eou clientless password (password)
> WBR,
> Maxim
Many Thanks
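For reference, here is an added example (not part of the original reply) of a complete NAC Layer 3 IP configuration on an IOS router, showing where the pre-authentication ACL, the static exception list and the clientless credentials discussed in the thread fit together. It assumes a RADIUS/ACS server for posture validation; the interface, addresses, ACL and policy names and the RADIUS key are placeholders.

```cisco
! NAC Layer 3 IP (EAPoUDP) - example configuration, placeholder values
aaa new-model
aaa authentication eou default group radius
aaa authorization network default group radius
! Placeholder RADIUS server and shared secret (assumed, not from the post)
radius-server host 192.0.2.10 key RADIUS_KEY_PLACEHOLDER
! Send the host's IP (Framed-IP-Address) so the policy server can match it
radius-server attribute 8 include-in-access-req
!
! Interface ACL: before posture validation only EAPoUDP (UDP 21862) may pass.
! Per-host permits for validated hosts are downloaded from the policy server
! and applied in front of these entries; nothing else gets through until then.
ip access-list extended NAC-PREAUTH
 permit udp any any eq 21862
 deny ip any any
!
! Hosts that cannot run CTA: either a static exception entry with its own
! policy, or (for hosts that at least answer EAPoUDP) clientless credentials.
ip access-list extended NO-CTA-ACL
 permit ip any any
identity policy NO-CTA
 access-group NO-CTA-ACL
identity profile eapoudp
 device authorize ip-address 192.0.2.50 policy NO-CTA
eou allow clientless
eou clientless username CLIENTLESS_USER
eou clientless password CLIENTLESS_PASS
!
! Bind the EAPoUDP admission rule and the pre-auth ACL to the LAN interface
ip admission name NAC-L3 eapoudp
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group NAC-PREAUTH in
 ip admission NAC-L3
```

Check the result with `show eou all` and `show ip admission cache`; a host listed with a posture token but no downloaded ACL entries is the usual sign that the policy server's authorization profile, not the interface ACL, is at fault.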
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART