From: Maxim Kurushkin (m.kurushkin@orange-ftgroup.ru)
Date: Mon Dec 11 2006 - 09:27:22 ART
Ok, I have configured the following config:
aaa new-model
aaa authentication eou default none ( I have tried none and local )
eou clientless username cisco
eou clientless password cisco
eou allow clientless
eou logging
username cisco privilege 15 password 0 cisco
ip admission name TEST eapoudp inactivity-time 60 list 112
access-list 111 permit udp any any
access-list 111 deny ip any any
access-list 112 permit ip any any
interface GigabitEthernet0/0
ip address 30.0.0.2 255.255.255.0
ip access-group 111 in
ip admission TEST
And I have pinged from the PC (IP 30.0.0.1):
C:\>ping 30.0.0.2
Pinging 30.0.0.2 with 32 bytes of data:
Reply from 30.0.0.2: Destination net unreachable.
Reply from 30.0.0.2: Destination net unreachable.
Reply from 30.0.0.2: Destination net unreachable.
Reply from 30.0.0.2: Destination net unreachable.
WBR,
Maxim
Salau,Olayemi wrote:
>
> Now, let me try to answer your specific questions:
>
>
>
> > Good day, Group.
> > Sorry, I have 2 stupid questions:
> > How can I configure NAC without the RADIUS server?
>
> By specifying an aaa configuration:
>
> Rack1R6(config)# aaa authentication eou default local
> Rack1R6(config)# username (username) password (password)
>
> OR simply use: Rack1R6(config)# aaa authentication eou default local none
>
> This should allow aaa authentication if you don't set up a username and
> password (but then, is this what you want?)
>
> > I have tried with
> > identity profile eapoudp
> > device authorize ip-address x.x.x.x
> > but it's not working...
> > And question 2 is: what ACL must I configure on the interface - permit any
> > any or permit only udp? What is NAC doing to permit or deny access? Is
> > NAC adding new lines to the ACL?
>
> You'll need to allow only eapoudp traffic (without validation) so as to
> exchange the EAP protocol traffic between the PCs and the router, which
> transits through the UDP port; then block any other traffic until they
> are validated.
>
>
>
> Rack1R6(config)# access-list 102 permit udp any any eq 21862
> Rack1R6(config)# access-list 102 deny ip any any
>
>
>
>
>
> > Has somebody configured NAC? :-)
>
> Of course YES! Welcome to the NAC Freaks Hotspot!
>
> >
>
> Also, for your setup, don't forget to configure the clientless username
> and password if you don't install CTA:
>
> Rack1R6(config)# eou clientless username (username)
> Rack1R6(config)# eou clientless password (password)
>
>
>
> > WBR,
>
> > Maxim
>
>
>
> Many Thanks
>
> _________________________________________________
>
> Olayemi Salau
>
> Network Analyst
>
> I.T. Solutions Division
>
> Southampton City Council
>
> 023 8083 4070 / 077 8811 2036 / 079 5825 7509
>
> olayemi.salau@southampton.gov.uk
>
> _________________________________________________
>
>
>
> The CTA basically resides on these PCs and sends information about
> Antivirus, patches, OS fixes etc (The main essence of NAC) to the
> Cisco Network Access Device (In your case the Router)
>
>
>
> Check out the Pre-requisite aspect of the page:
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm#wp1043332
>
>
>
> You'll see that a CTA is listed as required to be installed on the PC.
> From my understanding (CTA is a free download on Cisco website, you
> might need a CCO account though)
>
>
>
> Let me know how you get on
>
>
>
>
>
>
> -----Original Message-----
> From: Maxim Kurushkin [mailto:m.kurushkin@orange-ftgroup.ru]
> Sent: 11 December 2006 11:09
> To: Salau,Olayemi
> Subject: Re: Questions about NAC
>
>
>
> Hello
>
> I mean Network Admission Control.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm
>
> I am preparing for the RS lab. I understand what NAC is for, but I don't
> understand how it works...
>
> To prepare, I have tried configuring NAC on a router. But I don't have
> RADIUS, Cisco Trust Agents, etc...
>
> I have configured something like this:
>
> PC0 <-> (gig0/0)ROUTER(gig0/1) <-> switch <-> PC1 , PC2
>
> I have tried to ping from PC1 and PC2 to PC0. But it does not work (ACL on
> gig0/1 in with permit only udp - I configured it as in the guide).
>
> Then I tried to allow PC1 to ping PC0. For a static permit (because I
> don't have RADIUS and CTA) I have written on the router:
>
> identity profile eapoudp
> device authorize ip-address x.x.x.x (PC1 IP)
>
> and it does not ping either...
>
> WBR,
> Maxim
>
>
>
> Salau,Olayemi wrote:
>
> > Hello Maxim,
> >
> > I was wondering if you mean a Network Admission Control Appliance, if
> > yes, are you talking about a NAC Server or a NAC Manager Configuration.
> >
> > Sorry about my silly questions too, but would like to know about your
> > design around this NAC.
> >
> > Many Thanks
>
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Maxim Kurushkin
> > Sent: 10 December 2006 17:22
> > Cc: ccielab@groupstudy.com
> > Subject: Questions about NAC
> >
> > Good day, Group.
> > Sorry, I have 2 stupid questions:
> > How can I configure NAC without the RADIUS server?
> > I have tried with
> > identity profile eapoudp
> > device authorize ip-address x.x.x.x
> > but it's not working...
> > And question 2 is: what ACL must I configure on the interface - permit any
> > any or permit only udp? What is NAC doing to permit or deny access? Is
> > NAC adding new lines to the ACL?
> > Has somebody configured NAC? :-)
> >
> > WBR,
> > Maxim
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
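As an added example (not from the thread or from Cisco), the following script audits an IOS NAC (EAPoUDP) configuration against the points raised in the reply above: the inbound ACL on the admission interface should admit only EAPoUDP (UDP 21862) before posture validation, an "aaa authentication eou" method list must exist, and clientless credentials are needed when "eou allow clientless" is used without CTA. It assumes the IOS syntax shown in the thread and that the "ip access-group" and "ip admission" lines following an "interface" line belong to that interface; the two embedded configurations are constructed (the first reproduces the config at the top of this message).

```python
import re

EAPOUDP_PORT = 21862  # UDP port used by EAPoUDP, as quoted in the reply


def audit_nac_config(config: str) -> list:
    findings, acls, ifaces, cur = [], {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\d+) (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"interface (\S+)", line):
            cur, ifaces[m.group(1)] = m.group(1), {}   # assumption: sub-commands follow
        elif cur and (m := re.match(r"ip access-group (\S+) in", line)):
            ifaces[cur]["acl"] = m.group(1)
        elif cur and (m := re.match(r"ip admission (?!name )(\S+)", line)):
            ifaces[cur]["admission"] = m.group(1)      # interface form, not the global "name"
    m = re.search(r"aaa authentication eou default (.+)", config)
    if not m:
        findings.append("no 'aaa authentication eou default' method list")
    elif "none" in m.group(1).split():
        findings.append("eou method list includes 'none': hosts pass unauthenticated")
    creds = "eou clientless username" in config and "eou clientless password" in config
    if "eou allow clientless" in config and not creds:
        findings.append("clientless admission enabled without clientless credentials")
    # Only interfaces that actually run admission control have their ACL checked.
    for name, cfg in (i for i in ifaces.items() if "admission" in i[1]):
        aces = acls.get(cfg.get("acl"), [])
        if any(a.startswith("permit ip any any") for a in aces):
            findings.append(f"{name}: ACL permits all IP before posture validation")
        elif "permit udp any any" in aces:
            findings.append(f"{name}: ACL permits all UDP; narrow it to eq {EAPOUDP_PORT}")
        elif f"permit udp any any eq {EAPOUDP_PORT}" not in aces:
            findings.append(f"{name}: ACL does not admit UDP {EAPOUDP_PORT}; EAPoUDP is blocked")
    return findings


# Constructed inputs: the config from this message, and a variant applying the reply's advice.
THREAD_CONFIG = """aaa new-model
aaa authentication eou default none
eou clientless username cisco
eou clientless password cisco
eou allow clientless
ip admission name TEST eapoudp inactivity-time 60 list 112
access-list 111 permit udp any any
access-list 111 deny ip any any
access-list 112 permit ip any any
interface GigabitEthernet0/0
 ip access-group 111 in
 ip admission TEST"""
HARDENED_CONFIG = THREAD_CONFIG.replace("default none", "default local").replace(
    "permit udp any any", f"permit udp any any eq {EAPOUDP_PORT}")
```

Running `audit_nac_config(THREAD_CONFIG)` reports the `none` method list and the over-broad UDP permit on GigabitEthernet0/0, while the hardened variant produces no findings.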
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART