From: Gabriel Nunes (gabriel.nunes@gmail.com)
Date: Mon Dec 11 2006 - 09:53:00 ART
The point is that when the question asks you to apply this feature, it says
that the PCs are behind BB* and you have to establish BGP with this BB*...
On 12/11/06, Salau,Olayemi <Olayemi.Salau@southampton.gov.uk> wrote:
>
> Hello Gabriel,
>
>
>
> BGP uses tcp port 179
>
>
>
> So I would use Rack1R6(config)access-list 102 permit tcp any any eq 179
> before the deny any any statement
>
>
> Although, I am not aware that you can establish a bgp peering relationship
> between a PC and a Router/Switch or do I need to do some more homework on
> BGP?
>
>
>
> Many Thanks
>
> _________________________________________________
>
> Olayemi Salau
>
> Network Analyst
>
> I.T. Solutions Division
>
> *Southampton City Council*
>
> ( 023 8083 4070 7 077 8811 2036 3 079 5825 7509
>
> * olayemi.salau@southampton.gov.uk
>
> _________________________________________________
>
> This e-mail is intended for the addressee only. If you are not the
> intended recipient, please be aware that the unauthorised use or disclosure
> of the information it contains, or the unauthorised copying or
> re-transmission of the e-mail are strictly prohibited. Such action may
> result in legal proceedings. If the e-mail has been sent to you in error,
> please accept our apologies, advise the sender as soon as possible and then
> delete the message. Under the Freedom of Information Act 2000 / Data
> Protection Act 1998, the contents of this e-mail, whether it is marked
> confidential or otherwise, may be disclosed. No employee, Councillor or
> agent is authorised to conclude by e-mail any binding agreement with another
> party on behalf of Southampton City Council. The Council does not accept
> service by e-mail of court proceedings, other processes or formal notices of
> any kind without specific prior written agreement. E-mails to and from
> Southampton City Council may be monitored in accordance with the law
> ------------------------------
>
> *From:* Gabriel Nunes [mailto:gabriel.nunes@gmail.com]
> *Sent:* 11 December 2006 12:31
> *To:* Salau,Olayemi
> *Cc:* Maxim Kurushkin; Cisco certification
> *Subject:* Re: Questions about NAC
>
>
>
> Hi Salau!
>
>
>
> What we have to do to allow the routing protocol on the interface which we
> permit only UDP 21862?
>
>
>
> In case we need to establish some BGP peering there, for example...
>
> Thanks,
>
>
>
> Gabriel
>
>
>
>
>
> On 12/11/06, *Salau,Olayemi* <Olayemi.Salau@southampton.gov.uk> wrote:
>
> Now, let me try to answer your specific questions:
>
>
>
> > Good day, Group.
>
> > Sorry, I have 2 stupid questions:
>
> > How I can configure NAC without the radius server?
>
> By specifying an aaa configuration: Rack1R6(config)aaa authentication
> eou default local
>
> Rack1R6(config)username (username)
> password (password)
>
> OR Simply use: Rack1R6(config)aaa authentication eou default local none
>
> This should allow aaa authentication if you don't set up username and
> password (but then, is this what you want?)
>
> > I have tried with
>
> > identity profile eapoudp
>
> > device authorize ip-address x.x.x.x
>
> > but it's not working...
>
> > And question 2 is: what ACL I must configure on interface - permit any
>
>
> > any or permit only udp? What is NAC doing to permit or deny access? Is
>
>
> > NAC adding new lines to ACL ?
>
> You'll need to allow only eapoudp traffic (without validation) so as to
> exchange the EAP protocol traffic between the PCs and the Router, which
> transits through the UDP port; then block any other traffic until they
> are validated.
>
>
>
> Rack1R6(config)access-list 102 permit udp any any eq 21862
> Rack1R6(config)access-list 102 deny ip any any
>
>
>
>
>
> > Has somebody configured NAC ? :-)
>
> Of course YES! Welcome to the NAC Freaks Hotspot!
>
> >
>
> Also, for your setup, don't forget to configure the clientless username and
> password if you don't install CTA
>
> Rack1R6(config) eou clientless username (username)
>
> Rack1R6(config) eou clientless password (password)
>
>
>
> > WBR,
>
> > Maxim
>
>
>
> Many Thanks
>
>
>
>
> The CTA basically resides on these PCs and sends information about
> Antivirus, patches, OS fixes etc (The main essence of NAC) to the Cisco
> Network Access Device (In your case the Router)
>
>
>
> Check out the Pre-requisite aspect of the page:
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm#wp1043332
>
>
>
> You'll see that a CTA is listed as required to be installed on the PC.
> From my understanding, CTA is a free download on the Cisco website (you
> might need a CCO account though).
>
>
>
> Let me know how you get on
>
>
>
> Many Thanks
>
>
>
>
> -----Original Message-----
> From: Maxim Kurushkin [mailto:m.kurushkin@orange-ftgroup.ru]
> Sent: 11 December 2006 11:09
> To: Salau,Olayemi
> Subject: Re: Questions about NAC
>
>
>
> Hello
>
> I mean Network Admission Control.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm
>
> I am preparing for the RS lab. I understand what NAC is for, but I don't
> understand how it works...
>
> To prepare, I have tried configuring NAC on a router. But I don't have
> RADIUS, Cisco Trust Agents, etc...
>
> I have configured something like this:
>
>
>
> PC0 <-> (gig0/0)ROUTER(gig0/1) <-> switch <-> PC1 , PC2
>
>
>
> I have tried to ping from PC1 and PC2 to PC0. But it does not work (ACL on
> gig0/1 in with permit only udp - I configured it as in the guide).
>
> Then I tried to allow PC1 to ping PC0. For a static permit (because I
> haven't got RADIUS and CTA) I have written on the Router:
>
>
>
> identity profile eapoudp
>
> device authorize ip-address x.x.x.x (PC1 IP)
>
> and it does not ping either...
>
>
>
> WBR,
>
> Maxim
>
>
>
> Salau,Olayemi wrote:
>
> > Hello Maxim,
>
> >
>
> > I was wondering if you mean a Network Admission Control Appliance; if
>
> > yes, are you talking about a NAC Server or a NAC Manager Configuration?
>
> >
>
> > Sorry about my silly questions too, but would like to know about your
>
> > design around this NAC.
>
> >
>
> > Many Thanks
>
>
> > -----Original Message-----
>
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>
> > Maxim Kurushkin
>
> > Sent: 10 December 2006 17:22
>
> > Cc: ccielab@groupstudy.com
>
> > Subject: Questions about NAC
>
> >
>
> > Good day, Group.
>
> > Sorry, I have 2 stupid questions:
>
> > How I can configure NAC without the radius server?
>
> > I have tried with
>
> > identity profile eapoudp
>
> > device authorize ip-address x.x.x.x
>
> > but it's not working...
>
> > And question 2 is: what ACL I must configure on interface - permit any
>
>
> > any or permit only udp? What is NAC doing to permit or deny access? Is
>
>
> > NAC adding new lines to ACL ?
>
> > Has somebody configured NAC ? :-)
>
> >
>
> > WBR,
>
> > Maxim
>
> >
>
> >
> _______________________________________________________________________
>
> > Subscription information may be found at:
>
> > http://www.groupstudy.com/list/CCIELab.html
>
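The ACL discussion in this thread (EAPoUDP on UDP 21862 permitted, everything else denied, and the BGP permit for TCP 179 placed before the deny) comes down to IOS first-match evaluation. The following is an added example written for this archive page, not code from the thread or from Cisco: a small Python model of that evaluation, with the same three access-list lines parsed from their IOS text. The IP addresses are invented, and the `admitted` set, standing in for a host that is statically authorized in the identity profile or has been validated, is a modelling assumption; the thread does not describe how IOS actually admits a validated host.

```python
"""Model of the NAC interface ACL from the thread (added example, not Cisco code).

It evaluates IOS-style extended ACL lines with first-match semantics plus
the implicit deny, so the ordering point from the thread (the permit for
tcp 179 has to sit before deny ip any any) is visible. A host exempted
from validation or already validated is modelled as a per-host bypass in
front of the static ACL; that bypass is an assumption of this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

EAPOUDP_PORT = 21862  # UDP port for EAP over UDP used in the thread
BGP_PORT = 179        # TCP port for BGP


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    dport: Optional[int]  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def parse_ace(line: str) -> Ace:
    """Parse the ACE subset used in the thread:
    access-list <n> <permit|deny> <proto> any any [eq <port>]"""
    t = line.split()
    if (len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny")
            or t[4:6] != ["any", "any"]):
        raise ValueError(f"unsupported ACE: {line!r}")
    dport = int(t[7]) if len(t) >= 8 and t[6] == "eq" else None
    return Ace(action=t[2], proto=t[3], dport=dport)


def build_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[Ace], pkt: Packet,
             admitted: FrozenSet[str] = frozenset()) -> str:
    """Return 'permit' or 'deny' for pkt arriving inbound on the NAC interface.

    `admitted` holds source addresses that bypass the static ACL (statically
    authorized in the identity profile, or validated through EAPoUDP); this
    bypass is a simplification assumed here, not taken from the thread."""
    if pkt.src in admitted:
        return "permit"
    for ace in acl:          # first matching entry decides
        if ace.matches(pkt):
            return ace.action
    return "deny"            # implicit deny that ends every IOS ACL


# The ACL from the thread: only EAPoUDP gets through before validation.
ACL_NAC_ONLY = build_acl([
    "access-list 102 permit udp any any eq 21862",
    "access-list 102 deny ip any any",
])

# The BGP permit inserted before the deny, as the thread recommends.
ACL_NAC_AND_BGP = build_acl([
    "access-list 102 permit udp any any eq 21862",
    "access-list 102 permit tcp any any eq 179",
    "access-list 102 deny ip any any",
])

# Same lines with the BGP permit after the deny: it is never reached.
ACL_BGP_TOO_LATE = build_acl([
    "access-list 102 permit udp any any eq 21862",
    "access-list 102 deny ip any any",
    "access-list 102 permit tcp any any eq 179",
])

# Constructed sample traffic; the addresses are invented for this example.
PING = Packet("icmp", "10.0.1.11", "10.0.0.10")                 # PC1 -> PC0
EAPOUDP = Packet("udp", "10.0.1.11", "10.0.0.1", EAPOUDP_PORT)  # PC1 -> router
BGP_OPEN = Packet("tcp", "10.0.1.254", "10.0.0.1", BGP_PORT)    # BB -> router


def demo() -> dict:
    """Verdicts for the three ACLs against the sample packets."""
    return {
        "ping_blocked_until_validated": evaluate(ACL_NAC_ONLY, PING),
        "eapoudp_allowed": evaluate(ACL_NAC_ONLY, EAPOUDP),
        "bgp_without_permit": evaluate(ACL_NAC_ONLY, BGP_OPEN),
        "bgp_with_permit_before_deny": evaluate(ACL_NAC_AND_BGP, BGP_OPEN),
        "bgp_with_permit_after_deny": evaluate(ACL_BGP_TOO_LATE, BGP_OPEN),
        "ping_from_admitted_host": evaluate(
            ACL_NAC_ONLY, PING, admitted=frozenset({"10.0.1.11"})),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

Running the block prints one verdict per case: the ping from an unvalidated PC is denied by the second line, EAPoUDP is permitted by the first, and the BGP OPEN is permitted only when its permit precedes the `deny ip any any`; placed after it, the third line is dead and the session never comes up.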
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART