From: Gabriel Nunes (gabriel.nunes@gmail.com)
Date: Mon Dec 11 2006 - 09:30:32 ART
Hi Salau!
What do we have to do to allow the routing protocol on an interface where we
permit only UDP 21862?
In case we need to establish some BGP peering there, for example...
Thanks,
Gabriel
On 12/11/06, Salau,Olayemi <Olayemi.Salau@southampton.gov.uk> wrote:
>
> Now, let me try to answer your specific questions:
>
> > Good day, Group.
> > Sorry, I have 2 stupid questions:
> > How can I configure NAC without the RADIUS server?
>
> By specifying an AAA configuration:
>
> Rack1R6(config)#aaa authentication eou default local
> Rack1R6(config)#username (username) password (password)
>
> OR simply use: Rack1R6(config)#aaa authentication eou default local none
>
> This should allow AAA authentication if you don't set up a username and
> password (but then, is this what you want?)
>
> > I have tried with
> > identity profile eapoudp
> >  device authorize ip-address x.x.x.x
> > but it's not working...
>
> > And question 2 is: what ACL must I configure on the interface - permit any
> > any or permit only UDP? What is NAC doing to permit or deny access? Is
> > NAC adding new lines to the ACL?
>
> You'll need to allow only EAPoUDP traffic (without validation) so as to
> exchange the EAP protocol traffic between the PCs and the router, which
> transits through the UDP port; then block any other traffic until they
> are validated:
>
> Rack1R6(config)#access-list 102 permit udp any any eq 21862
> Rack1R6(config)#access-list 102 deny ip any any
>
> > Has somebody configured NAC ? :-)
>
> Of course YES! Welcome to the NAC Freaks Hotspot!
>
> >
>
> Also, for your setup, don't forget to configure the clientless username and
> password if you don't install the CTA:
>
> Rack1R6(config)#eou clientless username (username)
> Rack1R6(config)#eou clientless password (password)
>
> > WBR,
>
> > Maxim
>
>
>
> Many Thanks
>
> _________________________________________________
> Olayemi Salau
> Network Analyst
> I.T. Solutions Division
> Southampton City Council
> 023 8083 4070 / 077 8811 2036 / 079 5825 7509
> olayemi.salau@southampton.gov.uk
> _________________________________________________
>
>
>
> The CTA basically resides on these PCs and sends information about
> antivirus, patches, OS fixes etc. (the main essence of NAC) to the Cisco
> Network Access Device (in your case the router).
>
> Check out the Prerequisites section of the page:
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm#wp1043332
>
> You'll see that a CTA is listed as required to be installed on the PC.
> From my understanding, the CTA is a free download on the Cisco website (you
> might need a CCO account though).
>
>
>
> Let me know how you get on
>
>
>
> Many Thanks
>
>
>
>
> -----Original Message-----
> From: Maxim Kurushkin [mailto:m.kurushkin@orange-ftgroup.ru]
> Sent: 11 December 2006 11:09
> To: Salau,Olayemi
> Subject: Re: Questions about NAC
>
>
>
> Hello
>
> I mean Network Admission Control.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm
>
> I am preparing for the RS lab. I understand what NAC is for, but I don't
> understand how it works...
>
> To prepare, I have tried configuring NAC on a router. But I have no
> RADIUS, Cisco Trust Agent or the like...
>
> I have configured something like this:
>
> PC0 <-> (gig0/0)ROUTER(gig0/1) <-> switch <-> PC1 , PC2
>
> I have tried to ping from PC1 and PC2 to PC0. But it does not work (ACL on
> gig0/1 in with permit only udp - I configured it as in the guide).
>
> Then I tried to allow PC1 to ping PC0. For a static permit (because I
> have no RADIUS and CTA) I have written on the router:
>
> identity profile eapoudp
>  device authorize ip-address x.x.x.x (PC1 IP)
>
> and it does not ping either...
>
> WBR,
> Maxim
>
>
>
> Salau,Olayemi wrote:
>
> > Hello Maxim,
> >
> > I was wondering if you mean a Network Admission Control Appliance; if
> > yes, are you talking about a NAC Server or a NAC Manager configuration.
> >
> > Sorry about my silly questions too, but I would like to know about your
> > design around this NAC.
> >
> > Many Thanks
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Maxim Kurushkin
> > Sent: 10 December 2006 17:22
> > Cc: ccielab@groupstudy.com
> > Subject: Questions about NAC
> >
> > Good day, Group.
> > Sorry, I have 2 stupid questions:
> > How can I configure NAC without the RADIUS server?
> > I have tried with
> > identity profile eapoudp
> >  device authorize ip-address x.x.x.x
> > but it's not working...
> > And question 2 is: what ACL must I configure on the interface - permit any
> > any or permit only UDP? What is NAC doing to permit or deny access? Is
> > NAC adding new lines to the ACL?
> > Has somebody configured NAC? :-)
> >
> > WBR,
> > Maxim
>
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
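Added example (editor's note, not text from any participant in this thread): the complete IOS configuration that the replies above describe, put together on one router. It keeps the EAPoUDP-only interface ACL with everything else denied until a host is validated, and extends it with the two static permits Gabriel asks about for a BGP peer sitting on the posture-checked interface. It also shows the piece missing from the `identity profile` attempt in the thread: a `device authorize` entry only exempts a host from posture checking, and the access list that host is allowed is supplied by the `identity policy` named on that entry. The hostname, addresses, AS numbers, credentials and the ACL/policy names (NAC-L3, EXEMPT-PC1, PC1-ACL) are assumed for illustration; the commands themselves are the standard IOS NAC Layer 3 IP commands. EAPoUDP, routing protocols and other infrastructure traffic must be permitted statically in the interface ACL because nothing else flows for a host until its posture has been validated.

```cisco
! Assumed lab values (not from the thread): router Rack1R6, Gig0/1 is the
! posture-checked interface 192.168.10.1/24, BGP neighbour 192.168.10.2,
! PC1 is 192.168.10.11.
aaa new-model
! Local method as given in the thread, so the lab runs without RADIUS
aaa authentication eou default local
username ctauser password ctapass
! Credentials used for hosts that have no CTA installed (clientless)
eou clientless username clientless
eou clientless password clientless

! Static exemption for PC1 (the "static permit" case from the thread):
! never posture-checked; the access list named in the policy governs
! what that host may send.
ip access-list extended PC1-ACL
 permit ip host 192.168.10.11 any
identity policy EXEMPT-PC1
 access-group PC1-ACL
identity profile eapoudp
 device authorize ip-address 192.168.10.11 policy EXEMPT-PC1

! Interface ACL: only what may flow before a host is validated.
access-list 102 remark EAPoUDP posture exchange between router and hosts
access-list 102 permit udp any any eq 21862
access-list 102 remark BGP to/from the peer must not wait for posture
access-list 102 permit tcp host 192.168.10.2 host 192.168.10.1 eq bgp
access-list 102 permit tcp host 192.168.10.2 eq bgp host 192.168.10.1
access-list 102 deny ip any any

! Posture validation (EAPoUDP) enabled on the interface
ip admission name NAC-L3 eapoudp

interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip access-group 102 in
 ip admission NAC-L3

router bgp 65001
 neighbor 192.168.10.2 remote-as 65002
```

The two BGP lines cover both directions of the TCP session as seen inbound on Gig0/1: the peer opening the session to port 179 on the router, and the peer answering a session the router opened. Any other routing protocol used on that interface needs its own static permit in the same way (for example `permit eigrp any any` or `permit ospf any any`), since the deny at the end of the list would otherwise drop it regardless of NAC state.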
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART