Hi Kings,

This is what I have. In the pop-up I have got "HEALTHY" but no redirect URL, and when browsing the IP specified in the redirect-acl the redirection does not happen.

Any thoughts?

SW2#sh run | i http
ip http server
ip http secure-server

SW2#sh eou ip 10.0.0.10
Address              : 10.0.0.10
MAC Address          : 00e0.4c03.5787
Interface            : FastEthernet0/43
AuthType             : EAP
Audit Session ID     : 000000000BC8503F000000000A00000A
PostureToken         : Healthy
Age(min)             : 2
URL Redirect         : http://r5.cisco.com
URL Redirect ACL     : redirect-acl
ACL Name             : xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4
User Name            : XXX:oszkari
Revalidation Period  : 36000 Seconds
Status Query Period  : 300 Seconds
Current State        : AUTHENTICATED

Extended IP access list redirect-acl
    20 deny tcp any host 136.1.122.6 eq www (192 matches)
Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4 (per-user)
    10 permit ip any any

r5.cisco.com resolves to 136.1.122.5 (which is another IOS box in the network with http server enabled)

Oszkar

On Fri, Apr 27, 2012 at 11:02 PM, Kingsley Charles <[email protected]> wrote:
> For url-redirect to work, the IP address to which you are browsing should be
> blocked by the ACL.
>
> redirect acl should be a named acl and it has worked for me once, that too
> on switch when configured for NAC L2 IP.
>
> With regards
> Kings
>
>
> On Sat, Apr 28, 2012 at 11:16 AM, Imre Oszkar <[email protected]> wrote:
>
>> Hi Kings,
>>
>> Thanks for the reply! Yes, I was trying it for the lab. So for NAH
>> scenarios the only thing we need to know is the identity profile configured
>> on the NAD?
>>
>> Did you ever make the URL redirect work with NAC? I have seen an older
>> post of yours about this.
>> I'm facing the same issue. I have the redirect url, redirect-acl
>> downloaded from the ACS. I have the redirect-acl (with deny statement)
>> defined on the NAD, but I don't get any URL in the popup screen and the
>> http redirect does not happen no matter what I'm trying to access.
>>
>> Thanks!
>> Oszkar
>>
>>
>> On Fri, Apr 27, 2012 at 9:57 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> The following requires ACS to be configured:
>>>
>>> - Configure Username/Password for NAH devices on NAD which is sent
>>>   to ACS (this has been removed)
>>> - Audit Server used to audit the NAD devices
>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>
>>> For your case, you should have an Audit server integrated with the ACS.
>>> If you are trying this for CCIE lab, then your case is certainly out of
>>> scope.
>>>
>>> I have not tried with IP address or MAC address and am not sure if bypass
>>> can be done locally within ACS.
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Fri, Apr 27, 2012 at 11:24 PM, Imre Oszkar <[email protected]> wrote:
>>>
>>>> Hi Kings,
>>>>
>>>> In which one of the four cases do we have to use the NAC Agentless
>>>> profile template from ACS?
>>>>
>>>> This is what I'm trying to achieve using the eou bypass:
>>>> "NAD sends a request to the Cisco Secure ACS that includes the IP
>>>> address, MAC address, service type, and EAPoUDP session ID of the host. The
>>>> Cisco Secure ACS makes the access control decision and sends the policy to
>>>> the NAD"
>>>>
>>>> Based on the above, my understanding is that if we configure the eou
>>>> bypass feature the host will not go through a posture assessment; instead
>>>> the NAD will send a request to ACS for a policy for each connected
>>>> host. Something similar to the identity profile but centralized on ACS.
>>>>
>>>> I have NAC L2 configured which works well for hosts with trust agent
>>>> installed.
>>>> Once I enable the eou bypass both types of clients (with CTA or without
>>>> CTA) fail to download a policy from ACS.
>>>>
>>>> SW2#
>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025):Orig. component type = EAPOUDP
>>>> *Mar 2 09:57:29.949: RADIUS(00000025): Config NAS IP: 0.0.0.0
>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025): acct_session_id: 37
>>>> *Mar 2 09:57:29.949: RADIUS(00000025): sending
>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2 for Radius-Server 10.0.0.100
>>>> *Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
>>>> *Mar 2 09:57:29.949: RADIUS:  authenticator 80 80 5A 90 E5 69 08 D1 - 91 82 D5 18 DE AB F3 22
>>>> *Mar 2 09:57:29.949: RADIUS:  Service-Type        [6]   6   Call Check                [10]
>>>> *Mar 2 09:57:29.949: RADIUS:  Called-Station-Id   [30]  16  "0019.5670.59af"
>>>> *Mar 2 09:57:29.957: RADIUS:  Calling-Station-Id  [31]  16  "001c.230a.4f38"
>>>> *Mar 2 09:57:29.957: RADIUS:  Framed-IP-Address   [8]   6   169.254.138.118
>>>> *Mar 2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  32
>>>> *Mar 2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   26  "aaa:service=ip_admission"
>>>> *Mar 2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  57
>>>> *Mar 2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   51  "audit-session-id=000000000749572500000000A9FE8A76"
>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
>>>> *Mar 2 09:57:29.957: RADIUS:  Message-Authenticato[80]  18
>>>> *Mar 2 09:57:29.957: RADIUS:   02 16 5E BF CF 62 FE C2 1A D6 D4 8E E6 01 3C 39  [ ^b<9]
>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port            [5]   6   0
>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/43"
>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.2
>>>> *Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
>>>> *Mar 2 09:57:29.974: RADIUS:  authenticator CC 75 E3 C9 F6 39 A8 D7 - CC 5D CF 91 8D 98 33 DF
>>>> *Mar 2 09:57:29.974: RADIUS:  Reply-Message       [18]  12
>>>> *Mar 2 09:57:29.974: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [ Rejected]
>>>> *Mar 2 09:57:29.974: RADIUS:  Message-Authenticato[80]  18
>>>> *Mar 2 09:57:29.974: RADIUS:   48 3D CB 32 FC 1C A6 D3 7C 25 90 90 31 53 73 A6  [ H=2|?1Ss]
>>>> *Mar 2 09:57:29.974: RADIUS(00000025): Received from id 1645/93
>>>> *Mar 2 09:57:29.974: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
>>>> SW2#
>>>> *Mar 2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118| CiscoTrustAgent=NOT DETECTED
>>>>
>>>>
>>>> SW2#sh eou all
>>>> ----------------------------------------------------------------------------
>>>> Address          Interface          AuthType   Posture-Token   Age(min)
>>>> ----------------------------------------------------------------------------
>>>> 169.254.138.118  FastEthernet0/43   UNKNOWN    -------         1
>>>>
>>>>
>>>> ACS failed logs: Authen failed 001c.230a.4f38 Default Group
>>>> 001c.230a.4f38 (Default) External DB user invalid or bad password.
>>>>
>>>> In case I create user 001c.230a.4f38 with password 001c.230a.4f38 ACS
>>>> will complain about an invalid password.
>>>>
>>>> Thanks!
>>>> Oszkar
>>>>
>>>> On Fri, Apr 27, 2012 at 9:31 AM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> The following are various methods that we can use for dealing with
>>>>> Agentless hosts.
>>>>>
>>>>> - Static policy based on IP address or MAC configured on NAD
>>>>> - Configure Username/Password for NAH devices on NAD which is sent
>>>>>   to ACS (this has been removed)
>>>>> - Audit Server used to audit the NAD devices
>>>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>>>
>>>>> ip admission name admission-name eapoudp bypass enables us to
>>>>> authenticate the end host by using some of its unique parameters.
>>>>> audit-session-id is the key. An audit server then validates the host.
>>>>>
>>>>> Snippet from
>>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_nac/configuration/12-4t/sec-net-adm-cah-sup.html
>>>>>
>>>>> Agentless Hosts
>>>>>
>>>>> End devices that do not run CTA cannot provide credentials when
>>>>> challenged by network access devices (NADs). Such hosts are termed
>>>>> "agentless" or "nonresponsive." In the Phase I release of Network
>>>>> Admission Control, agentless hosts were supported by either a static
>>>>> configuration using exception lists (an identity profile) or by using
>>>>> "clientless" username and password authentication on an ACS. These
>>>>> methods are restrictive and do not convey any specific information
>>>>> about the host while making policy decisions.
>>>>>
>>>>> EAPoUDP Bypass
>>>>>
>>>>> You can use the EAPoUDP Bypass feature to reduce latency of the
>>>>> validation of hosts that are not using CTA. If EAPoUDP bypass is enabled,
>>>>> the NAD does not contact the host to request the antivirus condition (the
>>>>> NAD does not try to establish an EAPoUDP association with the host if the
>>>>> EAPoUDP Bypass option is configured). Instead, the NAD sends a request to
>>>>> the Cisco Secure ACS that includes the IP address, MAC address, service
>>>>> type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the
>>>>> access control decision and sends the policy to the NAD.
>>>>>
>>>>> If EAPoUDP bypass is enabled, the NAD sends an agentless host request
>>>>> to the Cisco Secure ACS and applies the access policy from the server to
>>>>> the host.
>>>>>
>>>>> If EAPoUDP bypass is enabled and the host uses the Cisco Trust Agent,
>>>>> the NAD also sends a nonresponsive-host request to the Cisco Secure ACS
>>>>> and applies the access policy from the server to the host.
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>>
>>>>> On Fri, Apr 27, 2012 at 8:56 PM, Imre Oszkar <[email protected]> wrote:
>>>>>
>>>>>> Hi Kings,
>>>>>>
>>>>>> As far as I know identity profile is locally configured on the NAD
>>>>>> and works even if you don't use the eou bypass.
>>>>>>
>>>>>> For eou bypass the config guide shows the steps only for the NAD
>>>>>> side (see below).
>>>>>>
>>>>>> Configuring a NAD to Bypass EAPoUDP Communication
>>>>>>
>>>>>> To configure a NAD to bypass EAPoUDP, perform the following steps.
>>>>>>
>>>>>> SUMMARY STEPS
>>>>>>
>>>>>> 1. enable
>>>>>> 2. configure terminal
>>>>>> 3. ip admission name admission-name eapoudp bypass
>>>>>> 4. eou allow clientless
>>>>>> 5. interface type slot/port
>>>>>>
>>>>>> I assume there are some steps which have to be done on the ACS side as
>>>>>> well but I couldn't find any doc about this.
>>>>>> There is a NAC L2 Agentless profile template in the ACS, I have tried
>>>>>> to use that but couldn't make it work.
>>>>>>
>>>>>> Any thoughts?
>>>>>>
>>>>>> Thanks!
>>>>>> Oszkar
>>>>>>
>>>>>>
>>>>>> On Fri, Apr 27, 2012 at 2:40 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>
>>>>>>> You can configure an identity profile.
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>> On Fri, Apr 27, 2012 at 9:17 AM, Imre Oszkar <[email protected]> wrote:
>>>>>>>
>>>>>>>> hi,
>>>>>>>>
>>>>>>>> Does anybody know the configuration steps for NAC L2 Agentless
>>>>>>>> support using the EOU bypass feature?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Oszkar
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
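Kings' rule in the thread is that the destination you browse to must be blocked by the redirect ACL. The following is an added example (my code, not from the thread and not from Cisco) that parses the two access lists exactly as "show access-lists" printed them above and reports, for a given browse destination, whether a deny entry of the redirect ACL matches it, and whether the redirect target itself (r5.cisco.com, which resolves to 136.1.122.5 per the thread) is left alone, since a denied redirect target would just be intercepted again. Assumptions: the source host is 10.0.0.10 from "show eou", HTTP is TCP/80, and only the "eq" port operator and a handful of port keywords are modelled; the address matching is generic for any IOS extended ACL of that shape, including wildcard masks.

```python
import ipaddress
import re

# Constructed input: the two access lists as "show access-lists" printed them
# in the thread (the redirect ACL and the downloadable ACS ACL).
SHOW_ACCESS_LISTS = """\
Extended IP access list redirect-acl
    20 deny tcp any host 136.1.122.6 eq www (192 matches)
Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4 (per-user)
    10 permit ip any any
"""

# Subset of IOS port keywords accepted after "eq"; numeric ports also work.
PORT_NAMES = {"www": 80, "http": 80, "domain": 53, "ftp": 21, "telnet": 23, "ssh": 22}

ACL_HDR_RE = re.compile(r"^Extended IP access list (\S+)")
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")


def _parse_addr(toks, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(toks[i + 1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{toks[i]}/{netmask}", strict=False), i + 2


def _parse_port(toks, i):
    """Consume an optional 'eq <port>' operator; other operators are not modelled."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_access_lists(text):
    """Turn 'show access-lists' output into {acl_name: [ace, ...]} in sequence order."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HDR_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            seq, action, proto, rest = m.groups()
            toks = rest.split()
            src, i = _parse_addr(toks, 0)
            sport, i = _parse_port(toks, i)
            dst, i = _parse_addr(toks, i)
            dport, i = _parse_port(toks, i)
            acls[current].append({"seq": int(seq), "action": action, "proto": proto,
                                  "src": src, "sport": sport, "dst": dst, "dport": dport})
    return acls


def first_match(aces, proto, src, dst, dport=None, sport=None):
    """First ACE the flow hits, or None for the implicit deny at the end of every IOS ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace
    return None


def redirect_check(acls, acl_name, browse_dst, redirect_target, src="10.0.0.10", dport=80):
    """Apply the rule stated in the thread: an HTTP flow is a redirect candidate only when a
    deny entry of the redirect ACL matches it. Also flag a redirect target that the same ACL
    would deny, since the browser's follow-up connection would then be intercepted too."""
    aces = acls[acl_name]
    hit = first_match(aces, "tcp", src, browse_dst, dport)
    target_hit = first_match(aces, "tcp", src, redirect_target, dport)
    return {
        "browse_matched_deny": hit is not None and hit["action"] == "deny",
        "matching_seq": hit["seq"] if hit else None,
        "redirect_target_denied": target_hit is not None and target_hit["action"] == "deny",
    }


if __name__ == "__main__":
    acls = parse_access_lists(SHOW_ACCESS_LISTS)
    # r5.cisco.com resolves to 136.1.122.5 in the thread; the ACL denies 136.1.122.6
    for dst in ("136.1.122.6", "136.1.122.5"):
        print(dst, redirect_check(acls, "redirect-acl", dst, "136.1.122.5"))
```

With the thread's lists, a browse to 136.1.122.6 hits sequence 20 (the 192 matches in the show output confirm the traffic is reaching that entry), while a browse to 136.1.122.5 hits nothing and cannot be a redirect candidate under Kings' rule. One caveat: the deny-means-redirect reading is the one stated in this thread for IOS NAC; on later Catalyst code used with ISE web redirection the sense is inverted (permit entries are the ones redirected), so confirm the semantics of your platform before trusting either reading of the output.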
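To read a "debug radius" capture like the one Oszkar posted above without counting columns by hand, here is an added example (my code, not from the thread and not from Cisco) that parses the IOS attribute dump into RADIUS messages, pairs the Access-Request with its reply by packet id, folds the hex continuation line back into Reply-Message, and explains the reject in terms of what the switch actually sent. The input is a constructed, abridged copy of the exchange above with the console-prompt interruptions removed. The rule in diagnose() rests on two things visible in the request: Service-Type 10 (Call Check) is the value a NAD uses for MAC-based authorization, and the request carries no User-Name or EAP-Message, so the calling MAC is the only identity the server was given, which is consistent with the ACS log line in the thread showing the MAC in the username position.

```python
import re

# Constructed input: abridged copy of the "debug radius" exchange from the thread
# (Access-Request sent with EAPoUDP bypass on, and the Access-Reject that came back).
DEBUG_RADIUS = """\
*Mar  2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
*Mar  2 09:57:29.949: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Mar  2 09:57:29.949: RADIUS:  Called-Station-Id   [30]  16  "0019.5670.59af"
*Mar  2 09:57:29.957: RADIUS:  Calling-Station-Id  [31]  16  "001c.230a.4f38"
*Mar  2 09:57:29.957: RADIUS:  Framed-IP-Address   [8]   6   169.254.138.118
*Mar  2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  32
*Mar  2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   26  "aaa:service=ip_admission"
*Mar  2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  57
*Mar  2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   51  "audit-session-id=000000000749572500000000A9FE8A76"
*Mar  2 09:57:29.957: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar  2 09:57:29.957: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/43"
*Mar  2 09:57:29.957: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.2
*Mar  2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
*Mar  2 09:57:29.974: RADIUS:  Reply-Message       [18]  12
*Mar  2 09:57:29.974: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [ Rejected]
*Mar  2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118| CiscoTrustAgent=NOT DETECTED
"""

SEND_RE = re.compile(r"RADIUS\((\w+)\): Send (Access-\w+) to (\S+) id (\S+), len (\d+)")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) (\S+), (Access-\w+), len (\d+)")
ATTR_RE = re.compile(r"RADIUS:\s+(.+?)\s*\[(\d+)\]\s+(\d+)\s*(.*)$")
HEX_RE = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}\s+)+)\[")
EOU_RE = re.compile(r"%EOU-\d+-(\w+): (.*)$")


def parse_debug_radius(text):
    """Group debug lines into RADIUS messages (code, id, peer, decoded attributes) plus
    any %EOU syslog events. A hex dump line is folded into the preceding attribute when
    that attribute printed without a value, as IOS does for Reply-Message."""
    messages, events, cur = [], [], None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            cur = {"dir": "sent", "code": m.group(2), "peer": m.group(3), "id": m.group(4), "attrs": []}
            messages.append(cur)
            continue
        m = RECV_RE.search(line)
        if m:
            cur = {"dir": "received", "code": m.group(3), "peer": m.group(2), "id": m.group(1), "attrs": []}
            messages.append(cur)
            continue
        m = EOU_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
            continue
        if cur is None:
            continue
        m = HEX_RE.search(line)
        if m and cur["attrs"] and cur["attrs"][-1]["value"] == "":
            raw = bytes.fromhex(m.group(1).replace(" ", ""))
            cur["attrs"][-1]["value"] = raw.decode("ascii", "replace").strip()
            continue
        m = ATTR_RE.search(line)
        if m:
            name, typ, length, value = m.groups()
            enum = re.search(r"\[(\d+)\]\s*$", value)   # e.g. "Call Check  [10]"
            cur["attrs"].append({
                "name": name.strip(), "type": int(typ), "len": int(length),
                "value": value[:enum.start()].strip() if enum else value.strip().strip('"'),
                "enum": int(enum.group(1)) if enum else None,
            })
    return messages, events


def attr(msg, name):
    """First attribute with this name in a message, or None."""
    return next((a for a in msg["attrs"] if a["name"] == name), None)


def summarize_exchange(messages):
    """Pair the Access-Request with the reply carrying the same id and pull out the
    fields that decide what the server was asked to authorize."""
    req = next((m for m in messages if m["code"] == "Access-Request"), None)
    if req is None:
        return {}
    rep = next((m for m in messages if m["dir"] == "received" and m["id"] == req["id"]), None)
    avpairs = dict(a["value"].split("=", 1) for a in req["attrs"] if a["name"] == "Cisco AVpair")
    st = attr(req, "Service-Type")

    def value(name):
        return (attr(req, name) or {}).get("value")

    return {
        "service_type": st["value"] if st else None,
        "service_type_num": st["enum"] if st else None,
        "mac": value("Calling-Station-Id"),
        "ip": value("Framed-IP-Address"),
        "port": value("NAS-Port-Id"),
        "avpairs": avpairs,
        "has_user_name": attr(req, "User-Name") is not None or attr(req, "EAP-Message") is not None,
        "reply": rep["code"] if rep else None,
        "reply_message": (attr(rep, "Reply-Message") or {}).get("value") if rep else None,
    }


def diagnose(summary):
    """Explain a rejected request in terms of the attributes the NAD actually sent."""
    if summary.get("reply") != "Access-Reject":
        return "no Access-Reject captured"
    if summary["service_type_num"] == 10 and not summary["has_user_name"]:
        return (f"Access-Reject for a Call Check (Service-Type 10) request carrying no User-Name "
                f"or EAP-Message: the server was asked to authorize MAC {summary['mac']} on "
                f"{summary['port']} by itself and returned '{summary['reply_message']}'")
    return f"Access-Reject: '{summary['reply_message']}'"


if __name__ == "__main__":
    msgs, evs = parse_debug_radius(DEBUG_RADIUS)
    print(diagnose(summarize_exchange(msgs)))
    for ev in evs:
        print("EOU event:", ev)
```

The audit-session-id AVpair in the request is the EAPoUDP session ID the doc snippet quoted earlier in the thread refers to, and the aaa:service=ip_admission pair is how the switch tells the server this is an ip admission request rather than 802.1X; when an Access-Reject comes back, comparing these two lines with the server-side failed-attempts log (as Oszkar did) is the quickest way to see which identity the server tried to look up.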
