From: Martin Kiefer (martin@kiefer.dk)
Date: Mon Dec 11 2006 - 17:59:46 ART
Hi there.
I am reading this thread with great interest :-)
Just my comment:
Have you guys studied this document on cisco.com:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm#wp1052888
Best regards
Martin
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Salau,Olayemi
> Sent: Monday, December 11, 2006 3:01 PM
> To: Maxim Kurushkin
> Cc: Cisco certification
> Subject: RE: Questions about NAC
>
> Can you please send a log of the eou process
>
> Can you do show eou all please?
>
> I suspect your association is fine, just authorization is
> giving problems, ensure you have this line of aaa configured:
>
> aaa authorization network default group radius
>
> Many Thanks
>
> _________________________________________________
>
> Olayemi Salau
>
> Network Analyst
>
> I.T. Solutions Division
>
> Southampton City Council
>
> * 023 8083 4070 7 077 8811 2036 3 079 5825 7509
>
> * olayemi.salau@southampton.gov.uk
> <mailto:olayemi.salau@southampton.gov.uk>
>
> _________________________________________________
>
> This e-mail is intended for the addressee only. If you are
> not the intended recipient, please be aware that the
> unauthorised use or disclosure of the information it
> contains, or the unauthorised copying or re-transmission of
> the e-mail are strictly prohibited. Such action may result in
> legal proceedings.
> If the e-mail has been sent to you in error, please accept
> our apologies, advise the sender as soon as possible and then
> delete the message. Under the Freedom of Information Act 2000
> / Data Protection Act 1998, the contents of this e-mail,
> whether it is marked confidential or otherwise, may be disclosed.
> No employee, Councillor or agent is authorised to conclude by
> e-mail any binding agreement with another party on behalf of
> Southampton City Council.
> The Council does not accept service by e-mail of court
> proceedings, other processes or formal notices of any kind
> without specific prior written agreement. E-mails to and from
> Southampton City Council may be monitored in accordance with the law
>
> _____
>
> From: Maxim Kurushkin [mailto:m.kurushkin@orange-ftgroup.ru]
> Sent: 11 December 2006 13:13
> To: Salau,Olayemi
> Cc: Cisco certification
> Subject: Re: Questions about NAC
>
>
>
> Thanks, Salau.
> But it does not work. :-)
>
> Rt2851#sh run | b ident
> identity profile eapoudp
>  device authorize ip-address 30.0.0.1 policy christmas
> identity policy christmas
>  access-group exempt-acl
>
> Rt2851#sh access-lists exempt-acl
> Extended IP access list exempt-acl
> 10 permit ip any any
>
> C:\>ping 30.0.0.2
> Pinging 30.0.0.2 with 32 bytes of data:
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
>
> WBR,
> Maxim
>
> Salau,Olayemi wrote:
>
> Good Job Maxim,
>
> Now one important missing part in your config is the
> "identity profile and policy" part
>
> identity profile eapoudp
>  device authorize ip address 30.0.0.1 policy christmas
> identity policy christmas
>  access-group exempt-acl
> ip access-list extended exempt-acl
>  permit ip any any
>
> This is the whole essence of NAC my friend, you've got to
> have a policy to compare your end device with ... you get?
>
>
>
> Many Thanks
>
>
> _____
>
> From: Maxim Kurushkin [mailto:m.kurushkin@orange-ftgroup.ru]
> Sent: 11 December 2006 12:27
> To: Salau,Olayemi
> Cc: Cisco certification
> Subject: Re: Questions about NAC
>
>
>
> Ok, I have configured the following config:
>
> aaa new-model
> aaa authentication eou default none   ( I have tried none and local )
> eou clientless username cisco
> eou clientless password cisco
> eou allow clientless
> eou logging
> username cisco privilege 15 password 0 cisco
> ip admission name TEST eapoudp inactivity-time 60 list 112
> access-list 111 permit udp any any
> access-list 111 deny ip any any
> access-list 112 permit ip any any
>
> interface GigabitEthernet0/0
> ip address 30.0.0.2 255.255.255.0
> ip access-group 111 in
> ip admission TEST
>
> And I have pinged from PC (IP 30.0.0.1):
> C:\>ping 30.0.0.2
> Pinging 30.0.0.2 with 32 bytes of data:
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
>
> WBR,
> Maxim
>
>
> Salau,Olayemi wrote:
>
> Now, let me try to answer your specific questions;
>
> > Good day, Group.
> > Sorry, I have 2 stupid questions:
> > How I can configure NAC without the radius server?
>
> By specifying an aaa configuration:
> Rack1R6(config)aaa authentication eou default local
> Rack1R6(config)username (username) password (password)
>
> OR Simply use:
> Rack1R6(config)aaa authentication eou default local none
>
> This should allow aaa authentication if you don't set up
> username and password (but then, is this what you want?)
>
> > I have tried with
> > identity profile eapoudp
> >  device authorize ip-address x.x.x.x
> > but it's not working...
> > And question 2 is: what ACL I must configure on interface - permit any
> > any or permit only udp? What is NAC doing to permit or deny access? Is
> > NAC adding new lines to ACL ?
>
> You'll need to allow only eapoudp traffic (without validation)
> so as to exchange the eap protocol traffic between the PCs
> and Router which transits through the udp port; then block
> any other traffic until they are validated
>
> Rack1R6(config)access-list 102 permit udp any any eq 21862
> Rack1R6(config)access-list 102 deny ip any any
>
>
> > Has somebody configured NAC ? :-)
>
> Of course YES! Welcome to the NAC Freaks Hotspot!
>
> Also, for your setup, don't forget to config the clientless
> username and password if you don't install CTA
>
> Rack1R6(config) eou clientless username (username)
> Rack1R6(config) eou clientless password (password)
>
> > WBR,
> > Maxim
>
> Many Thanks
>
> The CTA basically resides on these PCs and sends information
> about Antivirus, patches, OS fixes etc (The main essence of
> NAC) to the Cisco Network Access Device (In your case the Router)
>
> Check out the Pre-requisite aspect of the page:
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm#wp1043332
>
> You'll see that a CTA is listed as required to be installed
> on the PC. From my understanding (CTA is a free download on
> Cisco website, you might need a CCO account though)
>
> Let me know how you get on
>
> Many Thanks
>
> -----Original Message-----
> From: Maxim Kurushkin [mailto:m.kurushkin@orange-ftgroup.ru]
> Sent: 11 December 2006 11:09
> To: Salau,Olayemi
> Subject: Re: Questions about NAC
>
>
>
> Hello
>
> I mean Network Admission Control.
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm
>
> I am preparing for RS lab. I understand what NAC is for, but I don't
> understand how it works...
> For preparing, I have tried configuring NAC on router. But I don't have
> RADIUS, Cisco Trust Agents or etc...
> I have configured something like this:
>
> PC0 <-> (gig0/0)ROUTER(gig0/1) <-> switch <-> PC1 , PC2
>
> I have tried to ping from PC1 and PC2 to PC0. But it does not (ACL on
> gig0/1 in with permit only udp - I configured as in guide).
> Then I tried to allow PC1 to ping PC0. For static permit (because I
> haven't Radius and CTA) I have written on Router:
>
> identity profile eapoudp
>  device authorize ip-address x.x.x.x (PC1 IP)
>
> and it does not ping too...
>
> WBR,
> Maxim
>
>
>
> Salau,Olayemi wrote:
>
> > Hello Maxim,
> >
> > I was wondering if you mean a Network Admission Control
> > Appliance, if yes, are you talking about a NAC Server or a NAC Manager
> > Configuration.
> >
> > Sorry about my silly questions too, but would like to know
> > about your design around this NAC.
> >
> > Many Thanks
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Maxim Kurushkin
> > Sent: 10 December 2006 17:22
> > Cc: ccielab@groupstudy.com
> > Subject: Questions about NAC
> >
> > Good day, Group.
> > Sorry, I have 2 stupid questions:
> > How can I configure NAC without the radius server?
> > I have tried with
> > identity profile eapoudp
> >  device authorize ip-address x.x.x.x
> > but it's not working...
> > And question 2 is: what ACL I must configure on interface - permit any
> > any or permit only udp? What is NAC doing to permit or deny access? Is
> > NAC adding new lines to ACL ?
> > Has somebody configured NAC ? :-)
> >
> > WBR,
> > Maxim
> >
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
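Maxim's second question, what the interface ACL does and whether NAC adds lines to it, is easier to follow with a small model of the decision. The Python below is an added example written for this archive page; it is not code from the thread, from Cisco, or from the NAC guide linked above. It parses IOS-style extended ACL lines and applies a simplified EAPoUDP admission model, which is an assumption rather than the exact IOS data path: an unvalidated host is evaluated only against the static interface ACL, which should pass nothing but EAPoUDP on UDP 21862, while a host that was validated or statically allowed with `device authorize ... policy` is evaluated against its identity policy ACL first and falls through to the interface ACL if nothing there matches. The addresses and ACLs come from the thread; the packets are constructed.

```python
"""Toy model of EAPoUDP NAC admission on an IOS router interface.

Added example for this mailing-list thread; not Cisco code. The
evaluation order (per-host policy ACL first, then the interface ACL,
implicit deny at the end) is a simplifying assumption about IOS NAC,
enough to show why an unvalidated host can only exchange EAPoUDP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EAPOUDP_PORT = 21862  # UDP port used in the thread's ACL 102

Rule = Tuple[str, str, str, str, Optional[int]]  # action, proto, src, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str  # icmp, udp or tcp ("ip" in an ACE matches any of them)
    src: str
    dst: str
    dport: Optional[int] = None


def _take_addr(toks: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: 'any' or 'host A.B.C.D'."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError("only 'any' and 'host X' address forms are modelled: " + " ".join(toks))


def parse_acl(text: str) -> List[Rule]:
    """Parse IOS extended ACEs such as 'permit udp any any eq 21862'.

    Accepts the 'access-list <n>' prefix of running-config lines and the
    leading sequence number printed by 'show access-lists'.
    """
    rules: List[Rule] = []
    for raw in text.strip().splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("!"):
            continue
        if toks[0] == "access-list":
            toks = toks[2:]
        elif toks[0].isdigit():
            toks = toks[1:]
        action, proto = toks[0], toks[1]
        if action not in ("permit", "deny"):
            raise ValueError("unrecognised ACE: " + raw)
        src, i = _take_addr(toks, 2)
        dst, i = _take_addr(toks, i)
        dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
        rules.append((action, proto, src, dst, dport))
    return rules


def acl_permits(rules: List[Rule], pkt: Packet) -> bool:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for action, proto, src, dst, dport in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


def nac_admits(interface_acl: List[Rule], authorized: Dict[str, List[Rule]], pkt: Packet) -> bool:
    """Admission decision for one inbound packet on the NAC interface.

    `authorized` maps a host address to the ACL of its identity policy (a host
    that passed posture validation or was listed with 'device authorize ...
    policy'). Assumed order: the host's policy ACL, then the interface ACL.
    """
    policy = authorized.get(pkt.src)
    if policy is not None and acl_permits(policy, pkt):
        return True
    return acl_permits(interface_acl, pkt)


# ACLs taken from the thread: ACL 102 on the interface, exempt-acl as the policy.
INTERFACE_ACL = parse_acl("""
access-list 102 permit udp any any eq 21862
access-list 102 deny ip any any
""")
EXEMPT_ACL = parse_acl("10 permit ip any any")


def demo() -> Dict[str, bool]:
    """Constructed packets: the PC (30.0.0.1) talking to the router (30.0.0.2)."""
    pc, router, other = "30.0.0.1", "30.0.0.2", "30.0.0.9"
    ping = Packet("icmp", pc, router)
    posture = Packet("udp", pc, router, dport=EAPOUDP_PORT)
    return {
        # Before validation only the EAPoUDP exchange gets through.
        "ping_unvalidated": nac_admits(INTERFACE_ACL, {}, ping),
        "eapoudp_unvalidated": nac_admits(INTERFACE_ACL, {}, posture),
        # After 'device authorize ip-address 30.0.0.1 policy christmas' with
        # exempt-acl the PC's ping is permitted by its policy ACL ...
        "ping_authorized": nac_admits(INTERFACE_ACL, {pc: EXEMPT_ACL}, ping),
        # ... while an unlisted host on the same segment is still blocked.
        "ping_other_host": nac_admits(INTERFACE_ACL, {pc: EXEMPT_ACL}, Packet("icmp", other, router)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {'permit' if verdict else 'deny'}")
```

The model deliberately leaves out wildcard masks, the EAPoUDP posture exchange itself and whatever went wrong in Maxim's lab, which the thread never resolves; what it does show is the answer to "is NAC adding new lines to ACL?": the static ACL stays as written, and the per-host policy ACL is what decides once a host is validated or statically authorized, with every other host still limited to the EAPoUDP port.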
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART