RE: Questions about NAC

From: Haas, Brad (bhaas@netinfosys.com)
Date: Tue Dec 12 2006 - 22:21:50 ART


Is NAC something I need to be concerned with for R&S, or is this a
security topic? If anyone has heard of this being "fair game" on the
lab please let me know. I want to make sure I am prepared, but I don't
think NAC even crossed my mind as being in the lab until this thread.
-Brad

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Maxim Kurushkin
Sent: Tuesday, December 12, 2006 11:07 AM
To: SalauOlayemi
Cc: Cisco certification
Subject: Re: Questions about NAC

Eeeeeee!!!
It is working! :-)
It is not activated when you try to ping/access the router itself.
Only networks behind the router!!!

On Router: ----------------------------------
interface GigabitEthernet0/0
 ip address 30.0.0.2 255.255.255.128
 ip access-group 111 in
 ip admission TEST

interface GigabitEthernet0/1
 ip address 30.0.0.129 255.255.255.128

On PC: -------------------------------------
C:\>ping 30.0.0.211
Pinging 30.0.0.211 with 32 bytes of data:
Reply from 30.0.0.2: Destination net unreachable.
Reply from 30.0.0.211: bytes=32 time=2ms TTL=255
Reply from 30.0.0.211: bytes=32 time<1ms TTL=255

Logging from Router: ------------------------------
*Dec 12 16:02:34.014: %EOU-6-SESSION: IP=30.0.0.1| HOST=DETECTED|
Interface=GigabitEthernet0/0
*Dec 12 16:02:34.014: %EOU-6-IDENTITY_MATCH: IP=30.0.0.1|
PROFILE=EAPoUDP| POLICYNAME=christmas
*Dec 12 16:02:34.014: %EOU-6-POLICY: IP=30.0.0.1| ACLNAME=exempt-acl
*Dec 12 16:02:34.014: %EOU-6-POSTURE: IP=30.0.0.1| HOST=AUTHORIZED|
Interface=GigabitEthernet0/0
*Dec 12 16:02:34.014: %EOU-6-AUTHTYPE: IP=30.0.0.1| AuthType=STATIC

R2851#sh eou all
------------------------------------------------------------------
Address Interface AuthType Posture-Token Age(min)
------------------------------------------------------------------
30.0.0.1 GigabitEthernet STATIC ------- 2

R2851#sh access-lists
Extended IP access list 111
     permit ip host 30.0.0.1 any (10 matches) <--------EEEEEE!!!!!
    10 permit udp any any (11 matches)
    20 deny ip any any (217 matches)

Config from Router:
------------------------------------------------------
aaa new-model
aaa authentication eou default local
username cisco password 0 cisco
eou clientless username cisco
eou clientless password cisco
eou allow clientless
eou logging
identity profile eapoudp
 device authorize ip-address 30.0.0.1 policy christmas
identity policy christmas
 access-group exempt-acl
access-list 112 permit ip any any

WBR
Maxim
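The router output above shows the mechanism Maxim asked about: once the static identity profile authorizes 30.0.0.1, IOS inserts `permit ip host 30.0.0.1 any` ahead of the configured entries of ACL 111. The Python below is an example added here, not code from the thread or from Cisco: it parses the %EOU log lines into per-host sessions, flags hosts admitted by static exemption (AuthType=STATIC, so no posture was ever validated), and models the resulting interface ACL; the second host 30.0.0.7 in the sample log is constructed.

```python
import re
# Constructed sample modelled on the %EOU syslog lines quoted in the thread;
# the second host (30.0.0.7, detected but never authorized) is invented.
SAMPLE_LOG = """\
*Dec 12 16:02:34.014: %EOU-6-SESSION: IP=30.0.0.1| HOST=DETECTED| Interface=GigabitEthernet0/0
*Dec 12 16:02:34.014: %EOU-6-IDENTITY_MATCH: IP=30.0.0.1| PROFILE=EAPoUDP| POLICYNAME=christmas
*Dec 12 16:02:34.014: %EOU-6-POLICY: IP=30.0.0.1| ACLNAME=exempt-acl
*Dec 12 16:02:34.014: %EOU-6-POSTURE: IP=30.0.0.1| HOST=AUTHORIZED| Interface=GigabitEthernet0/0
*Dec 12 16:02:34.014: %EOU-6-AUTHTYPE: IP=30.0.0.1| AuthType=STATIC
*Dec 12 16:05:10.201: %EOU-6-SESSION: IP=30.0.0.7| HOST=DETECTED| Interface=GigabitEthernet0/0
"""
# The static entries of the interface ACL from the working config (access-list 111).
BASE_ACL = ["permit udp any any", "deny ip any any"]
LINE_RE = re.compile(r"%EOU-\d-(?P<msg>[A-Z_]+): (?P<fields>.*)$")

def parse_eou_log(text):
    """Fold %EOU syslog lines into one record per client IP."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(p.strip().split("=", 1) for p in m.group("fields").split("|") if "=" in p)
        ip = fields.get("IP")
        if ip is None:
            continue
        s, msg = sessions.setdefault(ip, {}), m.group("msg")
        if msg == "SESSION":           # HOST=DETECTED: EAPoUDP hello seen, nothing admitted yet
            s["state"] = fields.get("HOST")
        elif msg == "IDENTITY_MATCH":  # a 'device authorize' entry of the identity profile matched
            s["policy"] = fields.get("POLICYNAME")
        elif msg == "POLICY":          # ACL named by the matched identity policy (exempt-acl)
            s["acl"] = fields.get("ACLNAME")
        elif msg == "POSTURE":         # HOST=AUTHORIZED: the router now opens the interface ACL
            s["posture"] = fields.get("HOST")
        elif msg == "AUTHTYPE":        # STATIC = exemption, not a CTA/RADIUS posture validation
            s["authtype"] = fields.get("AuthType")
    return sessions

def static_exemptions(sessions):
    """Hosts admitted by the identity profile alone: no posture token was ever validated."""
    return sorted(ip for ip, s in sessions.items()
                  if s.get("posture") == "AUTHORIZED" and s.get("authtype") == "STATIC")

def effective_acl(sessions, base_acl=BASE_ACL):
    """Model of 'show access-lists 111': a per-host permit is inserted for each authorized
    client ahead of the configured entries; everyone else still gets only UDP through."""
    dynamic = [f"permit ip host {ip} any" for ip in sorted(sessions)
               if sessions[ip].get("posture") == "AUTHORIZED"]
    return dynamic + list(base_acl)
```

Running `static_exemptions` over a production router's EOU log is a quick audit of which hosts bypass posture checking entirely through `device authorize` entries.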

Salau,Olayemi wrote:
>
> Can you please send a log of the eou process
>
> Can you do *show eou all* please?
>
>
>
> I suspect your association is fine, just authorization is giving
> problems, ensure you have this line of aaa configured:
>
>
>
> *aaa authorization network default group radius*
>
>
>
> Many Thanks
>
> _________________________________________________
>
> Olayemi Salau
>
> Network Analyst
>
> I.T. Solutions Division
>
> **Southampton** **City Council**
>
> ( 023 8083 4070 7 077 8811 2036 3 079 5825 7509
>
> * olayemi.salau@southampton.gov.uk
> <mailto:olayemi.salau@southampton.gov.uk>
>
> _________________________________________________
>
> This e-mail is intended for the addressee only. If you are not the
> intended recipient, please be aware that the unauthorised use or
> disclosure of the information it contains, or the unauthorised copying
> or re-transmission of the e-mail are strictly prohibited. Such action
> may result in legal proceedings. If the e-mail has been sent to you in
> error, please accept our apologies, advise the sender as soon as
> possible and then delete the message. Under the Freedom of Information
> Act 2000 / Data Protection Act 1998, the contents of this e-mail,
> whether it is marked confidential or otherwise, may be disclosed. No
> employee, Councillor or agent is authorised to conclude by e-mail any
> binding agreement with another party on behalf of Southampton City
> Council. The Council does not accept service by e-mail of court
> proceedings, other processes or formal notices of any kind without
> specific prior written agreement. E-mails to and from Southampton City
> Council may be monitored in accordance with the law
>
>
> ------------------------------------------------------------------------
>
> *From:* Maxim Kurushkin [mailto:m.kurushkin@orange-ftgroup.ru]
> *Sent:* 11 December 2006 13:13
> *To:* Salau,Olayemi
> *Cc:* Cisco certification
> *Subject:* Re: Questions about NAC
>
>
>
> Thanks, Salau.
> But does not work. :-)
>
> Rt2851#sh run | b ident
> identity profile eapoudp
> device authorize ip-address 30.0.0.1 policy christmas
> identity policy christmas
> access-group exempt-acl
>
> Rt2851#sh access-lists exempt-acl
> Extended IP access list exempt-acl
> 10 permit ip any any
>
> C:\>ping 30.0.0.2
> Pinging 30.0.0.2 with 32 bytes of data:
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
>
> WBR,
> Maxim
>
> Salau,Olayemi wrote:
>
> Good Job Maxim,
>
>
>
> Now one important missing part in your config is the "identity profile
> and policy" part
>
>
>
> identity profile eapoudp
>  device authorize ip-address 30.0.0.1 policy christmas
> identity policy christmas
>  access-group exempt-acl
> ip access-list extended exempt-acl
>  permit ip any any
>
>
>
> This is the whole essence of NAC my friend, you've got to have a
> policy to compare your end device with ... you get?
>
>
>
> Many Thanks
>
> Olayemi Salau
>
>
>
> ------------------------------------------------------------------------
>
> *From:* Maxim Kurushkin [mailto:m.kurushkin@orange-ftgroup.ru]
> *Sent:* 11 December 2006 12:27
> *To:* Salau,Olayemi
> *Cc:* Cisco certification
> *Subject:* Re: Questions about NAC
>
>
>
> Ok, I have configured next config:
>
> aaa new-model
> aaa authentication eou default none ( I have tried none and local )
> eou clientless username cisco
> eou clientless password cisco
> eou allow clientless
> eou logging
> username cisco privilege 15 password 0 cisco
> ip admission name TEST eapoudp inactivity-time 60 list 112
> access-list 111 permit udp any any
> access-list 111 deny ip any any
> access-list 112 permit ip any any
>
> interface GigabitEthernet0/0
> ip address 30.0.0.2 255.255.255.0
> ip access-group 111 in
> ip admission TEST
>
> And I have pinged from PC (IP 30.0.0.1):
> C:\>ping 30.0.0.2
> Pinging 30.0.0.2 with 32 bytes of data:
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
> Reply from 30.0.0.2: Destination net unreachable.
>
> WBR,
> Maxim
>
>
> Salau,Olayemi wrote:
>
> Now, let me try to answer your specific questions;
>
>
>
> > Good day, Group.
>
> > Sorry, I have 2 stupid questions:
>
> > How I can configure NAC without the radius server?
>
> By specifying an aaa configuration:
>
> Rack1R6(config) aaa authentication eou default local
> Rack1R6(config) username (username) password (password)
>
> OR simply use: Rack1R6(config) aaa authentication eou default local none
>
> This should allow aaa authentication if you don't set up username and
> password (but then, is this what you want?)
>
> > I have tried with
>
> > identity profile eapoudp
>
> > device authorize ip-address x.x.x.x
>
> > but it's not working...
>
> > And question 2 is: what ACL I must configure on interface - permit any
> > any or permit only udp? What is NAC doing to permit or deny access? Is
> > NAC adding new lines to ACL ?
>
> You'll need to allow only eapoudp traffic (without validation) so as to
> exchange the eap protocol traffic between the PCs and Router, which
> transits through the udp port; then block any other traffic until they
> are validated
>
>
>
> Rack1R6(config) access-list 102 permit udp any any eq 21862
> Rack1R6(config) access-list 102 deny ip any any
>
>
>
>
>
> > Has somebody configured NAC ? :-)
>
> Of course YES! Welcome to the NAC Freaks Hotspot!
>
> >
>
> Also, for your setup, don't forget to config the clientless username
> and password if you don't install CTA
>
> Rack1R6(config) eou clientless username (username)
>
> Rack1R6(config) eou clientless password (password)
>
>
>
> > WBR,
>
> > Maxim
>
>
>
> Many Thanks
>
> Olayemi Salau
>
>
>
> The CTA basically resides on these PCs and sends information about
> Antivirus, patches, OS fixes etc (The main essence of NAC) to the
> Cisco Network Access Device (In your case the Router)
>
>
>
> Check out the Pre-requisite aspect of the page:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm#wp1043332
>
>
>
> You'll see that a CTA is listed as required to be installed on the PC.
> From my understanding (CTA is a free download on Cisco website, you
> might need a CCO account though)
>
>
>
> Let me know how you get on
>
>
>
> Many Thanks
>
> Olayemi Salau
>
>
>
> -----Original Message-----
> From: Maxim Kurushkin [mailto:m.kurushkin@orange-ftgroup.ru]
> Sent: 11 December 2006 11:09
> To: Salau,Olayemi
> Subject: Re: Questions about NAC
>
>
>
> Hello
>
> I mean Network Admission Control.
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm
>
> I am preparing for RS lab. I understand what NAC is for, but I don't
> understand how it works...
>
> For preparing, I have tried configuring NAC on router. But I have no
> RADIUS, Cisco Trust Agent, etc...
>
> I have configured something like this:
>
> PC0 <-> (gig0/0)ROUTER(gig0/1) <-> switch <-> PC1 , PC2
>
> I have tried to ping from PC1 and PC2 to PC0. But it does not work (ACL on
> gig0/1 in with permit only udp - I configured it as in the guide).
>
> Then I tried to allow PC1 to ping PC0. For static permit (because I
> haven't RADIUS and CTA) I have written on Router:
>
> identity profile eapoudp
> device authorize ip-address x.x.x.x (PC1 IP)
>
> and it does not ping either...
>
>
>
> WBR,
>
> Maxim
>
>
>
> Salau,Olayemi wrote:
>
> > Hello Maxim,
>
> >
>
> > I was wondering if you mean a Network Admission Control Appliance, if
> > yes, are you talking about a NAC Server or a NAC Manager Configuration.
> >
> > Sorry about my silly questions too, but would like to know about your
> > design around this NAC.
>
> >
>
> > Many Thanks
>
> > Olayemi Salau
>
>
> > -----Original Message-----
>
> > From: nobody@groupstudy.com <mailto:nobody@groupstudy.com>
> [mailto:nobody@groupstudy.com] On Behalf Of
>
> > Maxim Kurushkin
>
> > Sent: 10 December 2006 17:22
>
> > Cc: ccielab@groupstudy.com <mailto:ccielab@groupstudy.com>
>
> > Subject: Questions about NAC
>
> >
>
> > Good day, Group.
>
> > Sorry, I have 2 stupid questions:
>
> > How I can configure NAC without the radius server?
>
> > I have tried with
>
> > identity profile eapoudp
>
> > device authorize ip-address x.x.x.x
>
> > but it's not working...
>
> > And question 2 is: what ACL I must configure on interface - permit any
> > any or permit only udp? What is NAC doing to permit or deny access? Is
> > NAC adding new lines to ACL ?
>
> > Has somebody configured NAC ? :-)
>
> >
>
> > WBR,
>
> > Maxim
>
> >
>
> >



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART