Re: NAC

From: Ivan Kuchin (ivan@iip.net)
Date: Thu Feb 15 2007 - 06:26:14 ART


If you don't have an EOU client, there is the option of using clientless
authentication.

aaa authentication eou default none
! credentials the router uses on behalf of hosts that have no posture agent
eou clientless username cisco
eou clientless password cisco
eou allow clientless

! the admission rule only intercepts traffic matched by list 111
ip admission name CLIENTLESS eapoudp inactivity-time 60 list 111
access-list 111 permit ip any any

! static authorization for host 30.0.0.1: it is given the policy's access-group
identity profile eapoudp
 device authorize ip address 30.0.0.1 policy eapoudppol
identity policy eapoudppol
 access-group exempt-acl
ip access-list extended exempt-acl
 permit ip any any

On Thursday 15 February 2007 01:18, Sasa Milic wrote:
> Hi Jo,
>
> I have tested L3 NAC with ACS 4.0, web server and client (cisco trust agent
> and trend micro office scan that includes CTA). Let me tell you this.
>
> 1. It won't work. You need to add "radius-server vsa send authentication",
> so that the router is allowed to use the Cisco attributes that are needed for
> NAC to work. If you have a complete lab with ACS, client and web server, you
> can test NAC with:
>
> show ip admission cache
> show ip admission configuration
> show ip admission watch-list
>
> Also, various debug commands help a lot if you want to see how it works
> inside-out:
>
> debug ip admission eapoudp
> debug radius
> debug aaa authentication
> debug aaa authorization
>
> 2. Yes, you need to create an access list that will match the specific
> traffic that will start NAC. It is called the intercept list.
>
> 3. No, with L3 NAC only the intercept access list is used.
>
> 4. Tons of good documentation on CCO. I could send you a couple of PDFs that
> I've saved, or an ACS database dump if you want to see how stuff is
> configured in ACS with posture validation rules and network access profiles.
>
> Regards,
> Sasa, #8635
>
>
> ----- Original Message -----
> From: "Class Act" <droppedpacket2006@yahoo.com>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, February 14, 2007 10:32 PM
> Subject: NAC
>
> > Can anyone give me some help with Network Access Control. I have
> > included the example configuration from Cisco Documentation that I have
> > been using, below.
> >
> > 1. What commands are best for verifying your configuration?
> >
> > 2. If I only want to apply this admission policy to a subset of the
> > traffic going through an interface, do I still use an access list but
> > match that specific traffic?
> >
> > 3. Is there any other method to identify the traffic other than ACL?
> >
> > 4. Is there a good reference that will explain the flow for this process?
> >
> > Regards,
> > Jo
> >
> >
> > Network Admission Control: Example
> > aaa new-model
> > aaa authentication eou default group radius
> > aaa session-id common
> >
> > ! The following line creates a network admission rule. A list is not
> > ! specified; therefore, the rule intercepts all traffic on the applied
> > ! interface.
> > ip admission name avrule eapoudp
> >
> > eou logging
> >
> > interface FastEthernet0/0
> >  ip address 10.13.11.106 255.255.255.0
> >  duplex auto
> >  speed auto
> > !
> > interface FastEthernet0/1
> >  ip address 10.0.0.1 255.255.255.0
> >  ip access-group 102 in
> >  ! The following line configures an IP admission control interface.
> >  ip admission avrule
> >  duplex auto
> >  speed auto
> >
> > ! The following lines configure an interface access list that allows
> > ! EAPoUDP traffic and blocks the rest of the traffic until it is validated.
> > access-list 102 permit udp any any eq 21862
> > access-list 102 deny ip any any
> >
> > ! The following line configures RADIUS.
> > radius-server host 10.13.11.105 auth-port 1645 acct-port 1646 key cisco
> > !
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

-- 
iWAN kU^IN (mail to: ivan@iip.net)
NOC iip.net 
137-31-04
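
As an added example (not part of the thread, and not Cisco's code), the points made in the thread can be turned into a small Python lint for an IOS configuration: it flags an eou method list that uses RADIUS without "radius-server vsa send authentication", an interface "ip admission" that names an undefined rule, a rule whose intercept list does not exist, and an inbound ACL on an admission interface that never permits EAPoUDP on UDP 21862. The sample configuration is constructed from the documentation example quoted in the thread above; the function names and the simplified ACL matching are this example's own assumptions.

```python
"""Static checks for the NAC / EAPoUDP parts of a Cisco IOS configuration.

Added example; not code from the mailing-list thread or from Cisco.  It turns
the thread's advice into checks: 'radius-server vsa send authentication' is
required when eou authenticates via RADIUS, an interface's 'ip admission' must
name a defined rule, a rule's intercept list must exist, and the inbound ACL on
an admission interface must pass EAPoUDP (UDP 21862).  It is a lint, not an
ACL simulator: ACL matching is deliberately simple.
"""
import re

EAPOUDP_PORT = "21862"


def parse_config(text):
    """Split IOS config text into top-level lines, interface blocks and named
    ACL blocks.  Sub-lines are recognised by their leading space."""
    top, blocks = [], {"interface": {}, "acl": {}}
    current = None  # (kind, name) while inside an interface or named-ACL block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and IOS '!' comments
        if line.startswith(" "):
            if current is not None:
                blocks[current[0]][current[1]].append(line.strip())
            continue
        current = None
        top.append(line)
        m = re.match(r"(interface|ip access-list (?:standard|extended)) (\S+)$", line)
        if m:
            current = ("interface" if m.group(1) == "interface" else "acl", m.group(2))
            blocks[current[0]].setdefault(current[1], [])
    return top, blocks["interface"], blocks["acl"]


def allows_eapoudp(entry):
    """True if one ACL entry would pass the EAPoUDP posture exchange."""
    return entry.startswith("permit ip any any") or (
        entry.startswith("permit udp") and f"eq {EAPOUDP_PORT}" in entry)


def lint_nac(text):
    """Return a list of findings; an empty list means every check passed."""
    top, interfaces, acls = parse_config(text)
    for line in top:  # fold numbered ACL entries into the same dictionary
        m = re.match(r"access-list (\d+) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    eou = [l for l in top if l.startswith("aaa authentication eou ")]
    if any("group radius" in l for l in eou) and \
            "radius-server vsa send authentication" not in top:
        findings.append("eou uses RADIUS but 'radius-server vsa send authentication' "
                        "is missing, so the Cisco VSAs NAC relies on are not exchanged")
    rules = {}  # rule name -> intercept list (None = intercept all traffic)
    for line in top:
        m = re.match(r"ip admission name (\S+) eapoudp(.*)", line)
        if m:
            lst = re.search(r"\blist (\S+)", m.group(2))
            rules[m.group(1)] = lst.group(1) if lst else None
    for name, lst in rules.items():
        if lst is not None and lst not in acls:
            findings.append(f"rule {name}: intercept list {lst} is not defined")
    for ifname, lines in interfaces.items():
        applied = [l.split()[2] for l in lines if re.match(r"ip admission \S+$", l)]
        for rule in applied:
            if rule not in rules:
                findings.append(f"{ifname}: 'ip admission {rule}' names an undefined rule")
        if not applied:
            continue  # the ACL check only matters where admission control is applied
        for l in lines:
            m = re.match(r"ip access-group (\S+) in$", l)
            if m and not any(allows_eapoudp(e) for e in acls.get(m.group(1), [])):
                findings.append(f"{ifname}: inbound ACL {m.group(1)} does not permit UDP "
                                f"{EAPOUDP_PORT} (EAPoUDP), so posture validation cannot complete")
    return findings


# Constructed sample: the Cisco documentation example quoted in the thread,
# trimmed to the NAC-relevant lines and without the line Sasa says is required.
DOC_EXAMPLE = """\
aaa new-model
aaa authentication eou default group radius
ip admission name avrule eapoudp
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group 102 in
 ip admission avrule
!
access-list 102 permit udp any any eq 21862
access-list 102 deny ip any any
"""
FIXED = DOC_EXAMPLE + "radius-server vsa send authentication\n"
# Same as FIXED but with the EAPoUDP permit dropped from the interface ACL.
BROKEN_ACL = FIXED.replace("access-list 102 permit udp any any eq 21862\n", "")

if __name__ == "__main__":
    for label, cfg in (("doc example", DOC_EXAMPLE), ("fixed", FIXED), ("broken acl", BROKEN_ACL)):
        print(f"{label}: {lint_nac(cfg) or ['ok']}")
```

Run it against a saved "show running-config" to get the three findings above before a lab session; the clientless configuration from the top of this message passes cleanly because its eou method list is "none" and its intercept list 111 exists.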


This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:46 ART