Re: NAC question

From: Noel Debouver III (noeldebouveriii@yahoo.com)
Date: Fri Jan 05 2007 - 21:44:36 ART


I think of it as from anyone to anyone, the idea being that users can come from
anywhere. I could limit it to just a VLAN or a subnet as the case may be. It
does make more sense to be more exact.

I like the idea of denying users in vlan_20 and preventing them from getting to
vlan_22. I need to look at my source I used for my answer. Cisco wrote a paper
on NAC. I'll get it and ensure I did not miss the point.

----- Original Message ----
From: Ivan <ivan@iip.net>
To: ccielab@groupstudy.com; Noel Debouver III <noeldebouveriii@yahoo.com>
Sent: Friday, January 5, 2007 6:27:39 PM
Subject: Re: NAC question

Are you sure about any any in ACL101 ?

acl 101 permit udp any any eq 21862
acl 101 deny ip VLAN_20 VLAN_22
acl 101 permit ip any any

On Saturday 06 January 2007 02:06, Noel Debouver III wrote:
> Users from VLAN_20 going to VLAN_22. Configure R2 to authorize them on
> radius server at 10.1.1.1 and check the last antivirus updates.
>
> I'm thinking:
>
> aaa new-model
> aaa authentication eou default group radius
> ip admission name AV eapoudp
>
> int F0/2
> ip access-group 101 in
> ip admission AV
>
> access-list 101 permit udp any any eq 21862
> access-list 101 deny ip any any
>
> radius-server host 10.1.1.1 key CCIE
>
> By the way I researched my answer from a white paper by Cisco on NAC. So I am
> not sure if port 21862 is just for CA or is it in general?
>
> Any ideas.
>
> Would you do it differently, why or why not?
>
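The configuration both posters are circling, written out as one complete IOS fragment. This is an added example, not text from either message: the subnets 10.20.0.0/24 and 10.22.0.0/24 are placeholders standing in for VLAN_20 and VLAN_22 (the thread never gives addresses), and the `aaa authorization network` line and the two `show` commands are assumptions about what a working NAC-L3-IP setup needs rather than anything the thread states.

```cisco
! Added example; not from the thread. Placeholder subnets:
!   10.20.0.0/24 stands in for VLAN_20, 10.22.0.0/24 for VLAN_22.
aaa new-model
aaa authentication eou default group radius
! Assumed: authorization is what lets the posture result (and any per-host
! ACL the RADIUS server returns) be applied; neither message shows this line.
aaa authorization network default group radius
!
radius-server host 10.1.1.1 key CCIE
!
! EAPoUDP posture-validation rule, as in the original post
ip admission name AV eapoudp
!
! Interface ACL, scoped as Ivan suggests rather than "deny ip any any":
!  1. keep the NAC control channel open (EAPoUDP, UDP 21862 by default)
!  2. block only the flow the task names, VLAN_20 -> VLAN_22
!  3. leave everything else alone
ip access-list extended 101
 permit udp any any eq 21862
 deny   ip 10.20.0.0 0.0.0.255 10.22.0.0 0.0.0.255
 permit ip any any
!
interface FastEthernet0/2
 ip access-group 101 in
 ip admission AV
!
! Assumed verification commands (output not shown here):
!   show ip admission cache   - hosts currently being validated / validated
!   show eou all              - EAPoUDP session state per host
```

The order of the three ACL entries is the whole point: the EAPoUDP permit must precede the deny, or the router can never start the posture exchange with a host in the denied range, and the deny must precede the final permit, or it never matches. With the deny scoped to the two subnets, hosts in VLAN_20 that are not heading for VLAN_22 are unaffected whether or not their posture has been checked; with the original `deny ip any any`, every host on F0/2 is blocked until it passes validation.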



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:55 ART