Re: NAC

From: Sasa Milic (smilic2@pexim.co.yu)
Date: Wed Feb 14 2007 - 19:18:31 ART


Hi Jo,

I have tested L3 NAC with ACS 4.0, web server and client (Cisco Trust Agent
and Trend Micro OfficeScan that includes CTA). Let me tell you this.

1. It won't work. You need to add "radius-server vsa send authentication",
so that the router is allowed to use the Cisco attributes that are needed for
NAC to work. If you have a complete lab with ACS, client and web server, you
can test NAC with:

show ip admission cache
show ip admission configuration
show ip admission watch-list

Also, various debug commands help a lot if you want to see how it works
inside-out:

debug ip admission eapoudp
debug radius
debug aaa authentication
debug aaa authorization

2. Yes, you need to create an access-list that will match the specific traffic
that will start NAC. It is called an intercept list.

3. No, with L3 NAC only intercept access list is used.

4. Tons of good documentation on CCO. I could send you a couple of PDFs that
I've saved, or an ACS database dump if you want to see how stuff is configured
in ACS with posture validation rules and network access profiles.

Regards,
  Sasa, #8635

----- Original Message -----
From: "Class Act" <droppedpacket2006@yahoo.com>
To: <ccielab@groupstudy.com>
Sent: Wednesday, February 14, 2007 10:32 PM
Subject: NAC

> Can anyone give me some help with Network Access Control. I have included
> the example configuration from Cisco Documentation that I have been using,
> below.
>
> 1. What commands are best for verifying your configuration?
>
> 2. If I only want to apply this admission policy to a subset of the traffic
> going through an interface, do I still use an access list but match that
> specific traffic?
>
> 3. Is there any other method to identify the traffic other than ACL?
>
> 4. Is there a good reference that will explain the flow for this process?
>
> Regards,
> Jo
>
>
> Network Admission Control: Example
> aaa new-model
> aaa authentication eou default group radius
> aaa session-id common
>
> ! The following line creates a network admission rule. A list is not
> ! specified; therefore, the rule intercepts all traffic on the applied
> ! interface.
> ip admission name avrule eapoudp
>
> eou logging
>
> interface FastEthernet0/0
> ip address 10.13.11.106 255.255.255.0
> duplex auto
> speed auto
> !
> interface FastEthernet0/1
> ip address 10.0.0.1 255.255.255.0
> ip access-group 102 in
> ! The following line configures an IP admission control interface.
> ip admission avrule
> duplex auto
> speed auto
>
> ! The following lines configure an interface access list that allows
> ! EAPoUDP traffic and blocks the rest of the traffic until it is validated.
> access-list 102 permit udp any any eq 21862
> access-list 102 deny ip any any
>
> ! The following line configures RADIUS.
> radius-server host 10.13.11.105 auth-port 1645 acct-port 1646 key cisco
> !
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
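Putting Sasa's points 1 and 2 together with the quoted lab config: the IOS configuration below is an added example, not the Cisco documentation example Jo quoted and not Sasa's lab config. It adds the missing "radius-server vsa send authentication" line and replaces the catch-all admission rule with one that uses an intercept list, so that only traffic permitted by that ACL triggers posture validation. ACL number 110, the server address 10.13.11.50 and the "aaa authorization network" line are assumptions for this example; the RADIUS server, key, port numbers and interface addressing are taken from the quoted config.

```cisco
! Added example: L3 IP NAC (EAPoUDP) with an intercept list and the
! Cisco VSA fix. Not the Cisco documentation config quoted in the thread.
aaa new-model
aaa authentication eou default group radius
! Assumption for this example: lets ACS push per-host network policy
! (downloadable ACL entries) back to the router after validation.
aaa authorization network default group radius
aaa session-id common
!
radius-server host 10.13.11.105 auth-port 1645 acct-port 1646 key cisco
! Point 1 from the reply: without this line the router cannot exchange the
! Cisco vendor-specific attributes that carry the posture result, so the
! EAPoUDP session never completes.
radius-server vsa send authentication
!
! Point 2 from the reply: the intercept list. Only traffic PERMITTED by
! ACL 110 starts NAC; anything denied here bypasses posture validation.
! ACL 110 and host 10.13.11.50 are constructed values for this example.
access-list 110 permit ip 10.0.0.0 0.0.0.255 host 10.13.11.50
ip admission name avrule eapoudp list 110
eou logging
!
! Interface ACL: allow the EAPoUDP exchange (UDP 21862) so the client can
! be challenged, block everything else until the host is validated.
access-list 102 permit udp any any eq 21862
access-list 102 deny ip any any
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group 102 in
 ip admission avrule
 duplex auto
 speed auto
```

After a client in 10.0.0.0/24 sends traffic toward 10.13.11.50, "show ip admission cache" should list the host with its posture state and "debug ip admission eapoudp" shows the challenge/response exchange; a host talking only to other destinations never appears in the cache because ACL 110 does not match it.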



This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:46 ART