The following requires ACS to be configured:
- Configure Username/Password for NAH devices on NAD which is sent to ACS (this has been removed)
- Audit Server used to audit the NAD devices
- MAC bypass (applicable to 802.1x L2 NAC)

For your case, you should have an Audit server integrated with the ACS. If you are trying this for CCIE lab, then your case is certainly out of scope. I have not tried with IP address or MAC address and am not sure if bypass can be done locally within ACS.

With regards
Kings

On Fri, Apr 27, 2012 at 11:24 PM, Imre Oszkar <[email protected]> wrote:
> Hi Kings,
>
> In which one of the four cases do we have to use the NAC Agentless profile template from ACS?
>
> This is what I'm trying to achieve using the eou bypass:
> "NAD sends a request to the Cisco Secure ACS that includes the IP address, MAC address, service type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the access control decision and sends the policy to the NAD"
>
> Based on the above, my understanding is that if we configure the eou bypass feature the host will not go through a posture assessment; instead the NAD will send a request to ACS for a policy for each connected host. Something similar to the identity profile but centralized on ACS.
>
> I have NAC L2 configured which works well for hosts with trust agent installed.
> Once I enable the eou bypass both types of clients (with CTA or without CTA) fail to download a policy from ACS.
>
> SW2#
> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025):Orig. component type = EAPOUDP
> *Mar 2 09:57:29.949: RADIUS(00000025): Config NAS IP: 0.0.0.0
> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025): acct_session_id: 37
> *Mar 2 09:57:29.949: RADIUS(00000025): sending
> *Mar 2 09:57:29.949: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2 for Radius-Server 10.0.0.100
> *Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
> *Mar 2 09:57:29.949: RADIUS: authenticator 80 80 5
> SW2#A 90 E5 69 08 D1 - 91 82 D5 18 DE AB F3 22
> *Mar 2 09:57:29.949: RADIUS: Service-Type [6] 6 Call Check [10]
> *Mar 2 09:57:29.949: RADIUS: Called-Station-Id [30] 16 "0019.5670.59af"
> *Mar 2 09:57:29.957: RADIUS: Calling-Station-Id [31] 16 "001c.230a.4f38"
> *Mar 2 09:57:29.957: RADIUS: Framed-IP-Address [8] 6 169.254.138.118
> *Mar 2 09:57:29.957: RADIUS: Vendor, Cisco [26] 32
> *Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 26 "aa
> SW2#a:service=ip_admission"
> *Mar 2 09:57:29.957: RADIUS: Vendor, Cisco [26] 57
> *Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 51 "audit-session-id=000000000749572500000000A9FE8A76"
> *Mar 2 09:57:29.957: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
> *Mar 2 09:57:29.957: RADIUS: Message-Authenticato[80] 18
> *Mar 2 09:57:29.957: RADIUS: 02 16 5E BF CF 62 FE C2 1A D6 D4 8E E6 01 3C 39 [ ^b<9]
> *Mar 2 09:57:29.957: RADIUS: NAS-Port-Type
> SW2#[61] 6 Async [0]
> *Mar 2 09:57:29.957: RADIUS: NAS-Port [5] 6 0
> *Mar 2 09:57:29.957: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/43"
> *Mar 2 09:57:29.957: RADIUS: NAS-IP-Address [4] 6 10.0.0.2
> *Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
> *Mar 2 09:57:29.974: RADIUS: authenticator CC 75 E3 C9 F6 39 A8 D7 - CC 5D CF 91 8D 98 33 DF
> *Mar 2 09:57:29.974
> SW2#: RADIUS: Reply-Message [18] 12
> *Mar 2 09:57:29.974: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [ Rejected]
> *Mar 2 09:57:29.974: RADIUS: Message-Authenticato[80] 18
> *Mar 2 09:57:29.974: RADIUS: 48 3D CB 32 FC 1C A6 D3 7C 25 90 90 31 53 73 A6 [ H=2|?1Ss]
> *Mar 2 09:57:29.974: RADIUS(00000025): Received from id 1645/93
> *Mar 2 09:57:29.974: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
> SW2#
> *Mar 2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118| CiscoTrustAgent=NOT DETECTED
>
> SW2#sh eou all
> ----------------------------------------------------------------------------
> Address          Interface         AuthType   Posture-Token   Age(min)
> ----------------------------------------------------------------------------
> 169.254.138.118  FastEthernet0/43  UNKNOWN    -------         1
>
> ACS failed logs: Authen failed 001c.230a.4f38 Default Group 001c.230a.4f38 (Default) External DB user invalid or bad password.
>
> In case I create user 001c.230a.4f38 with password 001c.230a.4f38 ACS will complain for invalid password.
>
> Thanks!
> Oszkar
>
> On Fri, Apr 27, 2012 at 9:31 AM, Kingsley Charles <[email protected]> wrote:
>> The following are various methods that we can use for dealing with Agentless hosts.
>>
>> - Static policy based on IP address or MAC configured on NAD
>> - Configure Username/Password for NAH devices on NAD which is sent to ACS (this has been removed)
>> - Audit Server used to audit the NAD devices
>> - MAC bypass (applicable to 802.1x L2 NAC)
>>
>> ip admission name *admission-name* eapoudp bypass enables us to authenticate the end host by using some of its unique parameters. audit-session-id is the key. An audit server then validates the host.
>>
>> Snippet from http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_nac/configuration/12-4t/sec-net-adm-cah-sup.html
>>
>> Agentless Hosts
>>
>> End devices that do not run CTA cannot provide credentials when challenged by network access devices (NADs). Such hosts are termed "agentless" or "nonresponsive." In the Phase I release of Network Admission Control, agentless hosts were supported by either a static configuration using exception lists (an identity profile) or by using "clientless" username and password authentication on an ACS. These methods are restrictive and do not convey any specific information about the host while making policy decisions.
>>
>> EAPoUDP Bypass
>>
>> You can use the EAPoUDP Bypass feature to reduce latency of the validation of hosts that are not using CTA. If EAPoUDP bypass is enabled, the NAD does not contact the host to request the antivirus condition (the NAD does not try to establish an EAPoUDP association with the host if the EAPoUDP Bypass option is configured). Instead, the NAD sends a request to the Cisco Secure ACS that includes the IP address, MAC address, service type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the access control decision and sends the policy to the NAD.
>>
>> If EAPoUDP bypass is enabled, the NAD sends an agentless host request to the Cisco Secure ACS and applies the access policy from the server to the host.
>>
>> If EAPoUDP bypass is enabled and the host uses the Cisco Trust Agent, the NAD also sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host.
>>
>> With regards
>> Kings
>>
>> On Fri, Apr 27, 2012 at 8:56 PM, Imre Oszkar <[email protected]> wrote:
>>> Hi Kings,
>>>
>>> As far as I know identity profile is locally configured on the NAD and works even if you don't use the eou bypass.
>>>
>>> For eou bypass the config guide shows the steps only for the NAD side (see below).
>>>
>>> Configuring a NAD to Bypass EAPoUDP Communication
>>>
>>> To configure a NAD to bypass EAPoUDP, perform the following steps.
>>>
>>> *SUMMARY STEPS*
>>>
>>> *1.* enable
>>> *2.* configure terminal
>>> *3.* ip admission name *admission-name* eapoudp bypass
>>> *4.* eou allow clientless
>>> *5.* interface type *slot* / *port*
>>>
>>> I assume there are some steps which have to be done on the ACS side as well but I couldn't find any doc about this.
>>> There is a NAC L2 Agentless profile template in the ACS, I have tried to use that but couldn't make it work.
>>>
>>> Any thoughts?
>>>
>>> Thanks!
>>> Oszkar
>>>
>>> On Fri, Apr 27, 2012 at 2:40 AM, Kingsley Charles <[email protected]> wrote:
>>>> You can configure an identity profile.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Fri, Apr 27, 2012 at 9:17 AM, Imre Oszkar <[email protected]> wrote:
>>>>> hi,
>>>>>
>>>>> Does anybody know the configuration steps for NAC L2 Agentless support using the EOU bypass feature?
>>>>>
>>>>> Thanks,
>>>>> Oszkar
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
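The `debug radius` output quoted in the thread is the most useful evidence in it: it shows exactly what the NAD offers ACS for an EAPoUDP-bypass host (Service-Type Call Check, the host MAC as Calling-Station-Id, the `aaa:service=ip_admission` and `audit-session-id` AVpairs) and that ACS answered with an Access-Reject whose Reply-Message is "Rejected". The following parser is an added example written for this page; it is not code from the thread, from Cisco or from any ACS tool. It reconstructs the debug lines that the switch prompt (`SW2#`) split mid-line, pulls the request, the attributes and the hex-dumped Reply-Message out, and prints what the request offered the server and how the server answered. The sample input is a trimmed copy of the thread's own debug; the prompt pattern (`hostname#`) and the attribute-line layout are assumptions about IOS output based on what the thread shows.

```python
import re
from collections import defaultdict

# Constructed sample input: a trimmed copy of the "debug radius" output quoted
# in the thread. The "SW2#" prompt that interrupted one line is kept, because
# IOS really does print the prompt mid-line on a busy console.
SAMPLE_DEBUG = """\
*Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
*Mar 2 09:57:29.949: RADIUS: Service-Type [6] 6 Call Check [10]
*Mar 2 09:57:29.949: RADIUS: Called-Station-Id [30] 16 "0019.5670.59af"
*Mar 2 09:57:29.957: RADIUS: Calling-Station-Id [31] 16 "001c.230a.4f38"
*Mar 2 09:57:29.957: RADIUS: Framed-IP-Address [8] 6 169.254.138.118
*Mar 2 09:57:29.957: RADIUS: Vendor, Cisco [26] 32
*Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 26 "aa
SW2#a:service=ip_admission"
*Mar 2 09:57:29.957: RADIUS: Vendor, Cisco [26] 57
*Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 51 "audit-session-id=000000000749572500000000A9FE8A76"
*Mar 2 09:57:29.957: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/43"
*Mar 2 09:57:29.957: RADIUS: NAS-IP-Address [4] 6 10.0.0.2
*Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
*Mar 2 09:57:29.974: RADIUS: Reply-Message [18] 12
*Mar 2 09:57:29.974: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [ Rejected]
"""

# A console prompt ("SW2#") printed in the middle of a debug line: drop the
# newline and the prompt so the fragment is glued back onto its line.
# (Assumed prompt shape: hostname followed by '#'.)
_PROMPT_SPLIT = re.compile(r"\n[\w.-]+#(?=\S)")
_REQUEST = re.compile(r"Send (Access-\w+) to (\S+) id (\S+), len (\d+)")
_RESPONSE = re.compile(r"Received from id (\S+) (\S+), (Access-\w+), len (\d+)")
# "RADIUS: Name [type] length value"; the name may contain spaces or commas
# ("Vendor, Cisco") and may run straight into the bracket ("Message-Authenticato[80]").
_ATTR = re.compile(r"RADIUS:\s+([^\[\]]+?)\s*\[(\d+)\]\s+(\d+)\s*(.*)$")
# Hex dump line that carries the value of the attribute printed just before it.
_HEXDUMP = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}\s+)+)\[")


def stitch_prompts(text):
    """Rejoin debug lines that a console prompt split in two."""
    return _PROMPT_SPLIT.sub("", text)


def parse_radius_debug(text):
    """Extract request, response, attributes, Cisco AVpairs and Reply-Message."""
    result = {"request": None, "response": None, "attrs": defaultdict(list),
              "avpairs": {}, "reply_message": None}
    pending_hex = None  # attribute whose value arrives on the next hex-dump line
    for line in stitch_prompts(text).splitlines():
        m = _REQUEST.search(line)
        if m:
            result["request"] = {"code": m.group(1), "server": m.group(2),
                                 "id": m.group(3), "len": int(m.group(4))}
            continue
        m = _RESPONSE.search(line)
        if m:
            result["response"] = {"id": m.group(1), "server": m.group(2),
                                  "code": m.group(3), "len": int(m.group(4))}
            continue
        m = _ATTR.search(line)
        if m:
            name, _, _, value = m.groups()
            value = value.strip().strip('"')
            if not value:
                pending_hex = name
                continue
            result["attrs"][name].append(value)
            if name == "Cisco AVpair" and "=" in value:
                key, val = value.split("=", 1)
                result["avpairs"][key] = val
            continue
        m = _HEXDUMP.search(line)
        if m and pending_hex:
            raw = bytes.fromhex(m.group(1).replace(" ", ""))
            if pending_hex == "Reply-Message":
                # ACS sent "Rejected\n\r"; strip the line ending for display.
                result["reply_message"] = raw.decode("ascii", "replace").strip()
            pending_hex = None
    result["attrs"] = dict(result["attrs"])
    return result


def check_bypass_request(parsed):
    """Describe what the bypass request offered ACS and what ACS answered."""
    findings = []
    attrs = parsed["attrs"]
    if attrs.get("Service-Type", [""])[0].startswith("Call Check"):
        findings.append("Service-Type is Call Check: a host lookup, not a user/password login")
    mac = attrs.get("Calling-Station-Id", [None])[0]
    if mac:
        # In the thread ACS logged its failure against exactly this value.
        findings.append(f"identity offered to the server is the host MAC {mac}")
    sid = parsed["avpairs"].get("audit-session-id")
    if sid:
        findings.append(f"audit-session-id {sid} present (the key an audit server correlates on)")
    else:
        findings.append("no audit-session-id AVpair: an audit server could not correlate this host")
    resp = parsed["response"]
    if resp and resp["code"] == "Access-Reject":
        findings.append(f"{resp['server']} rejected id {resp['id']}: "
                        f"{parsed['reply_message'] or 'no Reply-Message'}")
    return findings


if __name__ == "__main__":
    for finding in check_bypass_request(parse_radius_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

Run against the thread's debug, the findings show the request carried the MAC `001c.230a.4f38`, the `audit-session-id` and `Service-Type Call Check`, and that ACS rejected it, which lines up with the "External DB user invalid or bad password" entry in the ACS failed log: the server treated the MAC as a user lookup rather than handing the request to an audit server. Feed the function a `debug radius` capture for a working CTA host and the same parser lets you diff the two exchanges attribute by attribute.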
