The following are various methods that we can use for dealing with
Agentless hosts.


- Static policy based on IP address or MAC configured on NAD
- Configure Username/Password for NAH devices on NAD which is sent to ACS (this has been removed)
- Audit Server used to audit the NAD devices
- MAC bypass (applicable to 802.1x L2 NAC)


ip admission name *admission-name* eapoudp bypass enables us to
authenticate the end host by using some of its unique parameters.
audit-session-id is the key. An audit server then validates the host.
Snippet from
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_nac/configuration/12-4t/sec-net-adm-cah-sup.html
Agentless Hosts

End devices that do not run CTA cannot provide credentials when challenged
by network access devices (NADs). Such hosts are termed "agentless" or
"nonresponsive." In the Phase I release of Network Admission Control,
agentless hosts were supported by either a static configuration using
exception lists (an identity profile) or by using "clientless" username and
password authentication on an ACS. These methods are restrictive and do not
convey any specific information about the host while making policy
decisions.
EAPoUDP Bypass

You can use the EAPoUDP Bypass feature to reduce latency of the validation
of hosts that are not using CTA. If EAPoUDP bypass is enabled, the NAD does
not contact the host to request the antivirus condition (the NAD does not
try to establish an EAPoUDP association with the host if the EAPoUDP Bypass
option is configured). Instead, the NAD sends a request to the Cisco Secure
ACS that includes the IP address, MAC address, service type, and EAPoUDP
session ID of the host. The Cisco Secure ACS makes the access control
decision and sends the policy to the NAD.

If EAPoUDP bypass is enabled, the NAD sends an agentless host request to
the Cisco Secure ACS and applies the access policy from the server to the
host.

If EAPoUDP bypass is enabled and the host uses the Cisco Trust Agent, the
NAD also sends a nonresponsive-host request to the Cisco Secure ACS and
applies the access policy from the server to the host.
With regards
Kings

On Fri, Apr 27, 2012 at 8:56 PM, Imre Oszkar <[email protected]> wrote:

> Hi Kings,
>
> As far as I know identity profile is locally configured on the NAD and
> works even if you don't use the eou bypass.
>
> For eou bypass the config guide shows the steps only for the NAD side
> (see below).
>
> Configuring a NAD to Bypass EAPoUDP Communication
>
> To configure a NAD to bypass EAPoUDP, perform the following steps.
> *SUMMARY STEPS*
>
> *1.*    enable
>
> *2.*    configure terminal
>
> *3.*    ip admission name *admission-name* eapoudp bypass
>
> *4.*    eou allow clientless
>
> *5.*    interface type *slot* / *port*
> I assume there are some steps which have to be done on the ACS side as well
> but I couldn't find any doc about this.
> There is a NAC L2 Agentless profile template in the ACS, I have tried to
> use that but couldn't make it work.
>
> Any thoughts?
>
> Thanks!
> Oszkar
>
>
>
> On Fri, Apr 27, 2012 at 2:40 AM, Kingsley Charles <
> [email protected]> wrote:
>
>> You can configure an identity profile.
>>
>> With regards
>> Kings
>>
>> On Fri, Apr 27, 2012 at 9:17 AM, Imre Oszkar <[email protected]> wrote:
>>
>>> hi,
>>>
>>> Does anybody know the configuration steps for NAC L2 Agentless support
>>> using the EOU bypass feature?
>>>
>>> Thanks,
>>> Oszkar
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training,
>>> please visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>
>>
>>
>
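
A NAD-side configuration that puts the two agentless-host methods from this
thread side by side, as an added example (it is not from the thread or from
the Cisco guide quoted above). It shows a static identity profile, decided
locally on the NAD as Oszkar describes, next to the EoU bypass configuration
from the summary steps, where the NAD skips the EAPoUDP exchange with the
host and lets ACS decide from the host's IP, MAC, service type and EoU
session ID. The admission name NAC-BYPASS, the ACL names, the addresses and
the RADIUS key are assumptions chosen for illustration. The ACS-side setup
asked about in the thread is not on this page and is not shown.

```cisco
! ADDED EXAMPLE (not from the original thread or Cisco's guide): NAD-side
! configuration contrasting the two agentless-host methods discussed above.
! Names, addresses and the RADIUS key (NAC-BYPASS, 10.1.1.10, 192.168.50.0/24,
! cisco123) are assumptions chosen for illustration.
!
! --- Common AAA/RADIUS setup: EoU validation requests go to Cisco Secure ACS ---
aaa new-model
aaa authentication eou default group radius
aaa authorization network default group radius
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key cisco123
radius-server vsa send authentication
!
! --- Method 1: static identity profile, decided locally on the NAD ---
! ACS is not consulted for this host; the policy is fixed per IP address and
! conveys nothing about the host's posture.
identity policy PRINTER-POLICY
 access-group PRINTER-ACL
!
identity profile eapoudp
 device authorize ip-address 192.168.50.20 policy PRINTER-POLICY
!
ip access-list extended PRINTER-ACL
 permit tcp any host 192.168.50.5 eq 9100
 deny   ip any any
!
! --- Method 2: EoU bypass, decided on ACS from IP/MAC/service type/session ID ---
! With "bypass" the NAD does not try to establish an EAPoUDP association with
! the host (no posture request); it sends an agentless-host request to ACS and
! applies the policy ACS returns. "eou allow clientless" permits that request.
ip admission name NAC-BYPASS eapoudp bypass list NAC-INTERCEPT
eou allow clientless
eou logging
!
! Traffic matching this ACL triggers an admission (validation) session.
ip access-list extended NAC-INTERCEPT
 permit ip 192.168.50.0 0.0.0.255 any
!
! Default (pre-validation) filter on the user-facing interface. Only DHCP and
! DNS are allowed until ACS returns a policy for the host.
ip access-list extended DEFAULT-IN
 permit udp any any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
interface FastEthernet0/1
 description User-facing port with NAC L3 IP (EoU) validation
 ip address 192.168.50.1 255.255.255.0
 ip access-group DEFAULT-IN in
 ip admission NAC-BYPASS
!
end
```

Once applied, "show eou all" lists the sessions the NAD has opened, and
"show ip admission cache" shows which hosts were intercepted by the
NAC-BYPASS rule; a host covered by the static identity profile should appear
as authorized without any request having gone to ACS, whereas a host handled
by the bypass rule should show the policy returned by ACS.
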