Hi Kings,
In which one of the four cases do we have to use the NAC Agentless profile
template from ACS?
This is what I'm trying to achieve using the eou bypass:
"NAD sends a request to the Cisco Secure ACS that includes the IP address,
MAC address, service type, and EAPoUDP session ID of the host. The Cisco
Secure ACS makes the access control decision and sends the policy to the
NAD"
Based on the above, my understanding is that if we configure the eou bypass
feature the host will not go through a posture assessment; instead the NAD
will send a request to ACS for a policy for each connected host.
Something similar to the identity profile, but centralized on ACS.
I have NAC L2 configured which works well for hosts with trust agent
installed.
Once I enable the eou bypass both type of clients (with CTA or without CTA)
fail to download a policy from ACS.
SW2#
*Mar 2 09:57:29.949: RADIUS/ENCODE(00000025):Orig. component type = EAPOUDP
*Mar 2 09:57:29.949: RADIUS(00000025): Config NAS IP: 0.0.0.0
*Mar 2 09:57:29.949: RADIUS/ENCODE(00000025): acct_session_id: 37
*Mar 2 09:57:29.949: RADIUS(00000025): sending
*Mar 2 09:57:29.949: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2 for Radius-Server 10.0.0.100
*Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
*Mar 2 09:57:29.949: RADIUS: authenticator 80 80 5A 90 E5 69 08 D1 - 91 82 D5 18 DE AB F3 22
*Mar 2 09:57:29.949: RADIUS: Service-Type [6] 6 Call Check [10]
*Mar 2 09:57:29.949: RADIUS: Called-Station-Id [30] 16 "0019.5670.59af"
*Mar 2 09:57:29.957: RADIUS: Calling-Station-Id [31] 16 "001c.230a.4f38"
*Mar 2 09:57:29.957: RADIUS: Framed-IP-Address [8] 6 169.254.138.118
*Mar 2 09:57:29.957: RADIUS: Vendor, Cisco [26] 32
*Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
*Mar 2 09:57:29.957: RADIUS: Vendor, Cisco [26] 57
*Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 51 "audit-session-id=000000000749572500000000A9FE8A76"
*Mar 2 09:57:29.957: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 2 09:57:29.957: RADIUS: Message-Authenticato[80] 18
*Mar 2 09:57:29.957: RADIUS: 02 16 5E BF CF 62 FE C2 1A D6 D4 8E E6 01 3C 39 [ ^b<9]
*Mar 2 09:57:29.957: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Mar 2 09:57:29.957: RADIUS: NAS-Port [5] 6 0
*Mar 2 09:57:29.957: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/43"
*Mar 2 09:57:29.957: RADIUS: NAS-IP-Address [4] 6 10.0.0.2
*Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
*Mar 2 09:57:29.974: RADIUS: authenticator CC 75 E3 C9 F6 39 A8 D7 - CC 5D CF 91 8D 98 33 DF
*Mar 2 09:57:29.974: RADIUS: Reply-Message [18] 12
*Mar 2 09:57:29.974: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [ Rejected]
*Mar 2 09:57:29.974: RADIUS: Message-Authenticato[80] 18
*Mar 2 09:57:29.974: RADIUS: 48 3D CB 32 FC 1C A6 D3 7C 25 90 90 31 53 73 A6 [ H=2|?1Ss]
*Mar 2 09:57:29.974: RADIUS(00000025): Received from id 1645/93
*Mar 2 09:57:29.974: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
SW2#
*Mar 2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118| CiscoTrustAgent=NOT DETECTED
SW2#sh eou all
----------------------------------------------------------------------------
Address Interface AuthType Posture-Token Age(min)
----------------------------------------------------------------------------
169.254.138.118 FastEthernet0/43 UNKNOWN ------- 1
ACS failed logs: Authen failed 001c.230a.4f38 Default Group 001c.230a.4f38 (Default) External DB user invalid or bad password.
In case I create user 001c.230a.4f38 with password 001c.230a.4f38, ACS
will complain about an invalid password.
Thanks!
Oszkar
On Fri, Apr 27, 2012 at 9:31 AM, Kingsley Charles <
[email protected]> wrote:
> The following are various methods that we can use for dealing with
> Agentless hosts.
>
>
> - Static policy based on IP address or MAC configured on NAD
> - Configure Username/Password for NAH devices on NAD which is sent to
> ACS (this has been removed)
> - Audit Server used to audit the NAD devices
> - MAC bypass (applicable to 802.1x L2 NAC)
>
>
> ip admission name *admission-name* eapoudp bypass enables us to
> authenticate the end host by using some of its unique parameters.
> audit-session-id is the key. An audit server then validates the host.
>
>
>
> Snippet from
> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_nac/configuration/12-4t/sec-net-adm-cah-sup.html
> Agentless Hosts
>
> End devices that do not run CTA cannot provide credentials when challenged
> by network access devices (NADs). Such hosts are termed "agentless" or
> "nonresponsive." In the Phase I release of Network Admission Control,
> agentless hosts were supported by either a static configuration using
> exception lists (an identity profile) or by using "clientless" username and
> password authentication on an ACS. These methods are restrictive and do not
> convey any specific information about the host while making policy
> decisions.
> EAPoUDP Bypass
>
> You can use the EAPoUDP Bypass feature to reduce latency of the validation
> of hosts that are not using CTA. If EAPoUDP bypass is enabled, the NAD does
> not contact the host to request the antivirus condition (the NAD does not
> try to establish an EAPoUDP association with the host if the EAPoUDP Bypass
> option is configured). Instead, the NAD sends a request to the Cisco Secure
> ACS that includes the IP address, MAC address, service type, and EAPoUDP
> session ID of the host. The Cisco Secure ACS makes the access control
> decision and sends the policy to the NAD.
>
> If EAPoUDP bypass is enabled, the NAD sends an agentless host request to
> the Cisco Secure ACS and applies the access policy from the server to the
> host.
>
> If EAPoUDP bypass is enabled and the host uses the Cisco Trust Agent, the
> NAD also sends a nonresponsive-host request to the Cisco Secure ACS and
> applies the access policy from the server to the host.
>
>
>
>
> With regards
> Kings
>
>
> On Fri, Apr 27, 2012 at 8:56 PM, Imre Oszkar <[email protected]> wrote:
>
>> Hi Kings,
>>
>> As far as I know identity profile is locally configured on the NAD and
>> works even if you don't use the eou bypass.
>>
>> For eou bypass the config guide shows the steps only for the NAD side
>> (see below).
>>
>> Configuring a NAD to Bypass EAPoUDP Communication
>>
>> To configure a NAD to bypass EAPoUDP, perform the following steps.
>> *SUMMARY STEPS*
>>
>> *1.* enable
>>
>> *2.* configure terminal
>>
>> *3.* ip admission name *admission-name* eapoudp bypass
>>
>> *4.* eou allow clientless
>>
>> *5.* interface type *slot* / *port*
>> I assume there are some steps which have to be done on the ACS side as
>> well, but I couldn't find any doc about this.
>> There is a NAC L2 Agentless profile template in the ACS, I have tried to
>> use that but couldn't make it work.
>>
>> Any thoughts?
>>
>> Thanks!
>> Oszkar
>>
>>
>>
>> On Fri, Apr 27, 2012 at 2:40 AM, Kingsley Charles <
>> [email protected]> wrote:
>>
>>> You can configure an identity profile.
>>>
>>> With regards
>>> Kings
>>>
>>> On Fri, Apr 27, 2012 at 9:17 AM, Imre Oszkar <[email protected]> wrote:
>>>
>>>> hi,
>>>>
>>>> Does anybody know the configuration steps for NAC L2 Agentless support
>>>> using the EOU bypass feature?
>>>>
>>>> Thanks,
>>>> Oszkar
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>>>>
>>>
>>>
>>
>
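The RADIUS exchange behind the `debug radius` output in this thread, reconstructed as an added example (this is not code from the thread, from Cisco IOS or from ACS). It encodes the NAD's EAPoUDP-bypass Access-Request attribute for attribute as the debug shows it (Call-Check Service-Type, the host MAC as Calling-Station-Id, Framed-IP-Address, both Cisco AVpairs including the audit-session-id, NAS-Port-Type sent twice), computes the Message-Authenticator per RFC 3579, and then plays the server side: validate the request, answer with the 50-byte Access-Reject carrying Reply-Message "Rejected", and let the NAD verify the Response Authenticator (RFC 2865) and the reply's Message-Authenticator. The shared secret and the Request Authenticator are assumptions, so the authenticator bytes will not match the debug; the lengths (213 and 50) do. Decoding the request also makes visible what the debug already shows: the server receives the MAC and session attributes but no User-Name (1) or User-Password (2) attribute.

```python
"""Reconstruct the EAPoUDP-bypass Access-Request / Access-Reject seen in the debug.

Added example, not code from the thread or from Cisco. Attribute values are copied
from the posted debug; SHARED_SECRET and the Request Authenticator are assumptions.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
NAS_IP, NAS_PORT, SERVICE_TYPE, FRAMED_IP, REPLY_MSG = 4, 5, 6, 8, 18
VSA, CALLED_ID, CALLING_ID, NAS_PORT_TYPE, MSG_AUTH, NAS_PORT_ID = 26, 30, 31, 61, 80, 87
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
SHARED_SECRET = b"assumed-secret"  # assumption: the real NAD/ACS secret is not in the thread


def attr(t, value):
    """One RADIUS TLV: type, total length (value + 2), value."""
    return struct.pack("!BB", t, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping Cisco-AVPair (vendor 9, vendor type 1)."""
    return attr(VSA, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def sign(packet, secret):
    """Fill Message-Authenticator (80) with HMAC-MD5 over the packet (RFC 3579 3.2).
    For a response the header must already hold the *Request* Authenticator."""
    pos = 20
    while pos < len(packet) and packet[pos] != MSG_AUTH:
        pos += packet[pos + 1]
    if pos >= len(packet):
        raise ValueError("no Message-Authenticator placeholder")
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet[:pos + 2] + mac + packet[pos + 18:]


def parse(packet):
    """Return (code, id, authenticator, [(type, value)]); a VSA value becomes (vendor, vtype, bytes)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        v = packet[pos + 2:pos + l]
        if t == VSA:
            v = (struct.unpack("!I", v[:4])[0], v[4], v[6:4 + v[5]])
        attrs.append((t, v))
        pos += l
    return code, ident, packet[4:20], attrs


def cisco_avpairs(attrs):
    return [v[2].decode() for t, v in attrs
            if t == VSA and v[0] == CISCO_VENDOR_ID and v[1] == CISCO_AVPAIR]


def build_bypass_request(ident=93, authenticator=None):
    """What SW2 sent for the agentless host, in the attribute order of the debug."""
    if authenticator is None:
        authenticator = os.urandom(16)  # assumption: fresh random, as a real NAD would use
    attrs = [
        attr(SERVICE_TYPE, struct.pack("!I", 10)),            # Call Check
        attr(CALLED_ID, b"0019.5670.59af"),
        attr(CALLING_ID, b"001c.230a.4f38"),                   # the host MAC
        attr(FRAMED_IP, socket.inet_aton("169.254.138.118")),
        cisco_avpair("aaa:service=ip_admission"),
        cisco_avpair("audit-session-id=000000000749572500000000A9FE8A76"),
        attr(NAS_PORT_TYPE, struct.pack("!I", 15)),           # Ethernet
        attr(MSG_AUTH, bytes(16)),                            # placeholder, filled by sign()
        attr(NAS_PORT_TYPE, struct.pack("!I", 0)),            # Async; the debug shows it twice
        attr(NAS_PORT, struct.pack("!I", 0)),
        attr(NAS_PORT_ID, b"FastEthernet0/43"),
        attr(NAS_IP, socket.inet_aton("10.0.0.2")),
    ]
    return sign(build_packet(ACCESS_REQUEST, ident, authenticator, attrs), SHARED_SECRET)


def verify_request(packet, secret):
    """Server side: the Message-Authenticator must recompute to the same packet."""
    parse(packet)  # rejects malformed lengths before sign() walks the TLVs
    return hmac.compare_digest(sign(packet, secret), packet)


def build_reject(request, secret, message=b"Rejected\n\r"):
    """Server side: Access-Reject with Reply-Message, 50 bytes as in the debug."""
    _, ident, req_auth, _ = parse(request)
    pkt = build_packet(ACCESS_REJECT, ident, req_auth,
                       [attr(REPLY_MSG, message), attr(MSG_AUTH, bytes(16))])
    pkt = sign(pkt, secret)  # HMAC computed with the Request Authenticator in the header
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 3
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_response(response, request, secret):
    """NAD side: match the id, then check Response Authenticator and Message-Authenticator."""
    _, req_id, req_auth, _ = parse(request)
    _, resp_id, resp_auth, _ = parse(response)
    if resp_id != req_id:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    with_req_auth = response[:4] + req_auth + response[20:]
    return hmac.compare_digest(sign(with_req_auth, secret), with_req_auth)


if __name__ == "__main__":
    req = build_bypass_request()
    print(len(req), "byte Access-Request, AVpairs:", cisco_avpairs(parse(req)[3]))
    rej = build_reject(req, SHARED_SECRET)
    print(len(rej), "byte Access-Reject:", dict(parse(rej)[3])[REPLY_MSG],
          "valid:", verify_response(rej, req, SHARED_SECRET))
```

Run it as a script to see both packet lengths; point `verify_request` at a capture of your own NAD's request (with the real secret) to confirm the switch and server agree on the shared secret before looking anywhere else for the reject.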