For url-redirect to work, the IP address to which you are browsing should be blocked by the ACL.
Redirect ACL should be a named ACL, and it has worked for me once, that too on a switch when configured for NACL L2 IP.

With regards
Kings

On Sat, Apr 28, 2012 at 11:16 AM, Imre Oszkar <[email protected]> wrote:
> Hi Kings,
>
> Thanks for the reply! Yes, I was trying it for the lab. So for NAH
> scenarios the only thing we need to know is the identity profile configured
> on the NAD?
>
> Did you ever make the URL redirect work with NAC? I have seen an older
> post of yours about this.
> I'm facing the same issue. I have the redirect url, redirect-acl
> downloaded from the ACS. I have the redirect-acl (with deny statement)
> defined on the NAD, but I don't get any URL in the popup screen and the
> http redirect does not happen no matter what I'm trying to access.
>
> Thanks!
> Oszkar
>
> On Fri, Apr 27, 2012 at 9:57 PM, Kingsley Charles <[email protected]> wrote:
>> The following requires ACS to be configured:
>>
>> - Configure Username/Password for NAH devices on NAD which is sent to
>>   ACS (this has been removed)
>> - Audit Server used to audit the NAD devices
>> - MAC bypass (applicable to 802.1x L2 NAC)
>>
>> For your case, you should have an Audit server integrated with the ACS.
>> If you are trying this for the CCIE lab, then your case is certainly out of
>> scope.
>>
>> I have not tried with IP address or MAC address and am not sure if bypass
>> can be done locally within ACS.
>>
>> With regards
>> Kings
>>
>> On Fri, Apr 27, 2012 at 11:24 PM, Imre Oszkar <[email protected]> wrote:
>>> Hi Kings,
>>>
>>> In which one of the four cases do we have to use the NAC Agentless
>>> profile template from ACS?
>>>
>>> This is what I'm trying to achieve using the eou bypass:
>>> "NAD sends a request to the Cisco Secure ACS that includes the IP
>>> address, MAC address, service type, and EAPoUDP session ID of the host. The
>>> Cisco Secure ACS makes the access control decision and sends the policy to
>>> the NAD"
>>>
>>> Based on the above, my understanding is that if we configure the eou
>>> bypass feature the host will not go through a posture assessment; instead
>>> the NAD will send a request to ACS for a policy for each connected
>>> host. Something similar to the identity profile but centralized on ACS.
>>>
>>> I have NAC L2 configured which works well for hosts with trust agent
>>> installed.
>>> Once I enable the eou bypass both types of clients (with CTA or without
>>> CTA) fail to download a policy from ACS.
>>>
>>> SW2#
>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025):Orig. component type = EAPOUDP
>>> *Mar 2 09:57:29.949: RADIUS(00000025): Config NAS IP: 0.0.0.0
>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025): acct_session_id: 37
>>> *Mar 2 09:57:29.949: RADIUS(00000025): sending
>>> *Mar 2 09:57:29.949: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2 for Radius-Server 10.0.0.100
>>> *Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
>>> *Mar 2 09:57:29.949: RADIUS: authenticator 80 80 5
>>> SW2#A 90 E5 69 08 D1 - 91 82 D5 18 DE AB F3 22
>>> *Mar 2 09:57:29.949: RADIUS: Service-Type [6] 6 Call Check [10]
>>> *Mar 2 09:57:29.949: RADIUS: Called-Station-Id [30] 16 "0019.5670.59af"
>>> *Mar 2 09:57:29.957: RADIUS: Calling-Station-Id [31] 16 "001c.230a.4f38"
>>> *Mar 2 09:57:29.957: RADIUS: Framed-IP-Address [8] 6 169.254.138.118
>>> *Mar 2 09:57:29.957: RADIUS: Vendor, Cisco [26] 32
>>> *Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 26 "aa
>>> SW2#a:service=ip_admission"
>>> *Mar 2 09:57:29.957: RADIUS: Vendor, Cisco [26] 57
>>> *Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 51 "audit-session-id=000000000749572500000000A9FE8A76"
>>> *Mar 2 09:57:29.957: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
>>> *Mar 2 09:57:29.957: RADIUS: Message-Authenticato[80] 18
>>> *Mar 2 09:57:29.957: RADIUS: 02 16 5E BF CF 62 FE C2 1A D6 D4 8E E6 01 3C 39 [ ^b<9]
>>> *Mar 2 09:57:29.957: RADIUS: NAS-Port-Type
>>> SW2#[61] 6 Async [0]
>>> *Mar 2 09:57:29.957: RADIUS: NAS-Port [5] 6 0
>>> *Mar 2 09:57:29.957: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/43"
>>> *Mar 2 09:57:29.957: RADIUS: NAS-IP-Address [4] 6 10.0.0.2
>>> *Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
>>> *Mar 2 09:57:29.974: RADIUS: authenticator CC 75 E3 C9 F6 39 A8 D7 - CC 5D CF 91 8D 98 33 DF
>>> *Mar 2 09:57:29.974
>>> SW2#: RADIUS: Reply-Message [18] 12
>>> *Mar 2 09:57:29.974: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [ Rejected]
>>> *Mar 2 09:57:29.974: RADIUS: Message-Authenticato[80] 18
>>> *Mar 2 09:57:29.974: RADIUS: 48 3D CB 32 FC 1C A6 D3 7C 25 90 90 31 53 73 A6 [ H=2|?1Ss]
>>> *Mar 2 09:57:29.974: RADIUS(00000025): Received from id 1645/93
>>> *Mar 2 09:57:29.974: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
>>> SW2#
>>> *Mar 2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118| CiscoTrustAgent=NOT DETECTED
>>>
>>> SW2#sh eou all
>>> ----------------------------------------------------------------------------
>>> Address          Interface         AuthType   Posture-Token   Age(min)
>>> ----------------------------------------------------------------------------
>>> 169.254.138.118  FastEthernet0/43  UNKNOWN    -------         1
>>>
>>> ACS failed logs: Authen failed 001c.230a.4f38 Default Group
>>> 001c.230a.4f38 (Default) External DB user invalid or bad password.
>>>
>>> In case I create user 001c.230a.4f38 with password 001c.230a.4f38 ACS
>>> will complain for invalid password.
>>>
>>> Thanks!
>>> Oszkar
>>>
>>> On Fri, Apr 27, 2012 at 9:31 AM, Kingsley Charles <[email protected]> wrote:
>>>> The following are various methods that we can use for dealing with
>>>> Agentless hosts.
>>>>
>>>> - Static policy based on IP address or MAC configured on NAD
>>>> - Configure Username/Password for NAH devices on NAD which is sent
>>>>   to ACS (this has been removed)
>>>> - Audit Server used to audit the NAD devices
>>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>>
>>>> ip admission name *admission-name* eapoudp bypass enables us to
>>>> authenticate the end host by using some of its unique parameters.
>>>> audit-session-id is the key. An audit server then validates the host.
>>>>
>>>> Snippet from
>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_nac/configuration/12-4t/sec-net-adm-cah-sup.html
>>>>
>>>> Agentless Hosts
>>>>
>>>> End devices that do not run CTA cannot provide credentials when
>>>> challenged by network access devices (NADs). Such hosts are termed
>>>> "agentless" or "nonresponsive." In the Phase I release of Network Admission
>>>> Control, agentless hosts were supported by either a static configuration
>>>> using exception lists (an identity profile) or by using "clientless"
>>>> username and password authentication on an ACS. These methods are
>>>> restrictive and do not convey any specific information about the host while
>>>> making policy decisions.
>>>>
>>>> EAPoUDP Bypass
>>>>
>>>> You can use the EAPoUDP Bypass feature to reduce latency of the
>>>> validation of hosts that are not using CTA. If EAPoUDP bypass is enabled,
>>>> the NAD does not contact the host to request the antivirus condition (the
>>>> NAD does not try to establish an EAPoUDP association with the host if the
>>>> EAPoUDP Bypass option is configured). Instead, the NAD sends a request to
>>>> the Cisco Secure ACS that includes the IP address, MAC address, service
>>>> type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the
>>>> access control decision and sends the policy to the NAD.
>>>>
>>>> If EAPoUDP bypass is enabled, the NAD sends an agentless host request
>>>> to the Cisco Secure ACS and applies the access policy from the server to
>>>> the host.
>>>>
>>>> If EAPoUDP bypass is enabled and the host uses the Cisco Trust Agent,
>>>> the NAD also sends a nonresponsive-host request to the Cisco Secure ACS and
>>>> applies the access policy from the server to the host.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Fri, Apr 27, 2012 at 8:56 PM, Imre Oszkar <[email protected]> wrote:
>>>>> Hi Kings,
>>>>>
>>>>> As far as I know identity profile is locally configured on the NAD
>>>>> and works even if you don't use the eou bypass.
>>>>>
>>>>> For eou bypass the config guide shows the steps only for the NAD side
>>>>> (see below).
>>>>>
>>>>> Configuring a NAD to Bypass EAPoUDP Communication
>>>>>
>>>>> To configure a NAD to bypass EAPoUDP, perform the following steps.
>>>>>
>>>>> *SUMMARY STEPS*
>>>>>
>>>>> *1.* enable
>>>>> *2.* configure terminal
>>>>> *3.* ip admission name *admission-name* eapoudp bypass
>>>>> *4.* eou allow clientless
>>>>> *5.* interface type *slot* / *port*
>>>>>
>>>>> I assume there are some steps which have to be done on the ACS side as
>>>>> well but I couldn't find any doc about this.
>>>>> There is a NAC L2 Agentless profile template in the ACS, I have tried
>>>>> to use that but couldn't make it work.
>>>>>
>>>>> Any thoughts?
>>>>>
>>>>> Thanks!
>>>>> Oszkar
>>>>>
>>>>> On Fri, Apr 27, 2012 at 2:40 AM, Kingsley Charles <[email protected]> wrote:
>>>>>> You can configure an identity profile.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Fri, Apr 27, 2012 at 9:17 AM, Imre Oszkar <[email protected]> wrote:
>>>>>>> hi,
>>>>>>>
>>>>>>> Does anybody know the configuration steps for NAC L2 Agentless
>>>>>>> support using the EOU bypass feature?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Oszkar

_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
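As an added example that is not part of the thread or of any Cisco tool, a small Python parser for the "debug radius" output quoted above: it pulls out the attributes the EAPoUDP bypass request carries (Service-Type, Calling-Station-Id, Framed-IP-Address, and the Cisco AV pairs with aaa:service and audit-session-id), decodes the hex Reply-Message, and summarises what ACS answered. The sample lines are copied from the debug in the thread; the regexes and the assess() findings are my own assumptions about the IOS log format.

```python
import re

# Constructed sample: attribute lines copied from the "debug radius" output quoted in this thread.
SAMPLE_DEBUG = """\
*Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
*Mar 2 09:57:29.949: RADIUS: Service-Type [6] 6 Call Check [10]
*Mar 2 09:57:29.957: RADIUS: Calling-Station-Id [31] 16 "001c.230a.4f38"
*Mar 2 09:57:29.957: RADIUS: Framed-IP-Address [8] 6 169.254.138.118
*Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
*Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 51 "audit-session-id=000000000749572500000000A9FE8A76"
*Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
*Mar 2 09:57:29.974: RADIUS: Reply-Message [18] 12
*Mar 2 09:57:29.974: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [ Rejected]
"""

CODE_RE = re.compile(r"(Send|Received from id [\w/]+ \S+,) (Access-\w+)")                # packet boundaries
ATTR_RE = re.compile(r"RADIUS: (?P<name>[A-Za-z][\w -]*?) \[\d+\] \d+\s*(?P<val>.*)$")  # Name [type] len value
HEX_RE = re.compile(r"RADIUS: ((?:[0-9A-F]{2} )+[0-9A-F]{2}) +\[")                       # hex dump continuation

def parse_radius_debug(text):
    """Reduce one debug radius exchange to its codes, attributes and Cisco AV pairs (assumed log format)."""
    s, last = {"attributes": {}, "avpairs": {}, "request": None, "response": None}, None
    for line in text.splitlines():
        if m := CODE_RE.search(line):
            s["request" if m.group(1) == "Send" else "response"] = m.group(2)
        elif m := ATTR_RE.search(line):
            last = m.group("name")
            val = re.sub(r"\s*\[\d+\]$", "", m.group("val").strip()).strip('"')  # drop enum tag and quotes
            if last == "Cisco AVpair":                      # vendor attribute carrying key=value
                key, _, value = val.partition("=")
                s["avpairs"][key] = value
            else:
                s["attributes"][last] = val
        elif (m := HEX_RE.search(line)) and s["attributes"].get(last) == "":
            raw = bytes.fromhex(m.group(1).replace(" ", ""))  # fills the empty text attribute just before it
            s["attributes"][last] = raw.decode("ascii", "replace").strip()
    return s

def assess(s):
    """Defender-side reading of the exchange: what the NAD asked for and how ACS answered."""
    attrs, avp, notes = s["attributes"], s["avpairs"], []
    if attrs.get("Service-Type") == "Call Check" and avp.get("aaa:service") == "ip_admission":
        notes.append("agentless (bypass) request keyed on MAC %s, audit-session-id %s"
                     % (attrs.get("Calling-Station-Id", "?"), avp.get("audit-session-id", "?")))
    if attrs.get("Framed-IP-Address", "").startswith("169.254."):
        notes.append("host address is link-local (APIPA): it never obtained a DHCP lease")
    if s["response"] == "Access-Reject":
        notes.append("ACS rejected the host: " + attrs.get("Reply-Message", "(no Reply-Message)"))
    return notes
```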
