You won't see the redirect ACL. If you want to see it, either add it along with "HEALTHY" or remove HEALTHY. Something like http://1.2.3.4. Since it is an http URL, it will be shown as a hyperlink which you can click.
One more thing: redirect will happen automatically if the address is being blocked by the ACL on the NAC interface. The redirect ACL is an ACL which tells for which addresses the redirect should happen.

With regards
Kings

On Sat, Apr 28, 2012 at 8:05 PM, Imre Oszkar <[email protected]> wrote:
> Hi Kings,
>
> This is what I have..
> In the pop-up I have got "HEALTY" but no redirect-url, and when browsing
> the ip specified on the redirect-acl the redirection does not happen..
>
> Any thoughts?
>
> SW2#sh run | i http
> ip http server
> ip http secure-server
>
> SW2#sh eou ip 10.0.0.10
> Address : 10.0.0.10
> MAC Address : 00e0.4c03.5787
> Interface : FastEthernet0/43
> AuthType : EAP
> Audit Session ID : 000000000BC8503F000000000A00000A
> PostureToken : Healthy
> Age(min) : 2
> URL Redirect : http://r5.cisco.com
> URL Redirect ACL : redirect-acl
> ACL Name : xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4
> User Name : XXX:oszkari
> Revalidation Period : 36000 Seconds
> Status Query Period : 300 Seconds
> Current State : AUTHENTICATED
>
> Extended IP access list redirect-acl
> 20 deny tcp any host 136.1.122.6 eq www (192 matches)
> Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4 (per-user)
> 10 permit ip any any
>
> r5.cisco.com resolves to 136.1.122.5 (which is another IOS box in the
> network with http server enabled)
>
> Oszkar
>
> On Fri, Apr 27, 2012 at 11:02 PM, Kingsley Charles <[email protected]> wrote:
>
>> For url-redirect to work, the IP address to which you are browsing should
>> be blocked by the ACL.
>>
>> redirect acl should be a named acl and it has worked for me once that too
>> on switch when configured for NAC L2 IP.
>>
>> With regards
>> Kings
>>
>> On Sat, Apr 28, 2012 at 11:16 AM, Imre Oszkar <[email protected]> wrote:
>>
>>> Hi Kings,
>>>
>>> Thanks for the reply! Yes, I was trying it for the lab. So for NAH
>>> scenarios the only thing we need to know is the identity profile configured
>>> on the NAD?
>>>
>>> Did you ever make the URL redirect work with NAC? I have seen an older
>>> post of yours about this.
>>> I'm facing the same issue.. I have the redirect url and redirect-acl
>>> downloaded from the ACS. I have the redirect-acl (with deny statement)
>>> defined on the NAD, but I don't get any URL in the popup screen and the
>>> http redirect does not happen no matter what I'm trying to access.
>>>
>>> Thanks!
>>> Oszkar
>>>
>>> On Fri, Apr 27, 2012 at 9:57 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> The following requires ACS to be configured:
>>>>
>>>> - Configure Username/Password for NAH devices on NAD which is sent
>>>>   to ACS (this has been removed)
>>>> - Audit Server used to audit the NAD devices
>>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>>
>>>> For your case, you should have an Audit server integrated with the ACS.
>>>> If you are trying this for the CCIE lab, then your case is certainly out of
>>>> scope.
>>>>
>>>> I have not tried with IP address or MAC address and am not sure if bypass
>>>> can be done locally within ACS.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Fri, Apr 27, 2012 at 11:24 PM, Imre Oszkar <[email protected]> wrote:
>>>>
>>>>> Hi Kings,
>>>>>
>>>>> In which one of the four cases do we have to use the NAC Agentless
>>>>> profile template from ACS?
>>>>>
>>>>> This is what I'm trying to achieve using the eou bypass:
>>>>> "NAD sends a request to the Cisco Secure ACS that includes the IP
>>>>> address, MAC address, service type, and EAPoUDP session ID of the host. The
>>>>> Cisco Secure ACS makes the access control decision and sends the policy to
>>>>> the NAD"
>>>>>
>>>>> Based on the above, my understanding is that if we configure the eou
>>>>> bypass feature the host will not go through a posture assessment; instead
>>>>> the NAD will send a request to ACS for a policy for each connected
>>>>> host. Something similar to the identity profile but centralized on ACS.
>>>>>
>>>>> I have NAC L2 configured which works well for hosts with trust agent
>>>>> installed.
>>>>> Once I enable the eou bypass both types of clients (with CTA or without
>>>>> CTA) fail to download a policy from ACS.
>>>>>
>>>>> SW2#
>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025):Orig. component type = EAPOUDP
>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): Config NAS IP: 0.0.0.0
>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025): acct_session_id: 37
>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): sending
>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2 for Radius-Server 10.0.0.100
>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
>>>>> *Mar 2 09:57:29.949: RADIUS: authenticator 80 80 5
>>>>> SW2#A 90 E5 69 08 D1 - 91 82 D5 18 DE AB F3 22
>>>>> *Mar 2 09:57:29.949: RADIUS: Service-Type [6] 6 Call Check [10]
>>>>> *Mar 2 09:57:29.949: RADIUS: Called-Station-Id [30] 16 "0019.5670.59af"
>>>>> *Mar 2 09:57:29.957: RADIUS: Calling-Station-Id [31] 16 "001c.230a.4f38"
>>>>> *Mar 2 09:57:29.957: RADIUS: Framed-IP-Address [8] 6 169.254.138.118
>>>>> *Mar 2 09:57:29.957: RADIUS: Vendor, Cisco [26] 32
>>>>> *Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 26 "aa
>>>>> SW2#a:service=ip_admission"
>>>>> *Mar 2 09:57:29.957: RADIUS: Vendor, Cisco [26] 57
>>>>> *Mar 2 09:57:29.957: RADIUS: Cisco AVpair [1] 51 "audit-session-id=000000000749572500000000A9FE8A76"
>>>>> *Mar 2 09:57:29.957: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
>>>>> *Mar 2 09:57:29.957: RADIUS: Message-Authenticato[80] 18
>>>>> *Mar 2 09:57:29.957: RADIUS: 02 16 5E BF CF 62 FE C2 1A D6 D4 8E E6 01 3C 39 [ ^b<9]
>>>>> *Mar 2 09:57:29.957: RADIUS: NAS-Port-Type
>>>>> SW2#[61] 6 Async [0]
>>>>> *Mar 2 09:57:29.957: RADIUS: NAS-Port [5] 6 0
>>>>> *Mar 2 09:57:29.957: RADIUS: NAS-Port-Id [87] 18 "FastEthernet0/43"
>>>>> *Mar 2 09:57:29.957: RADIUS: NAS-IP-Address [4] 6 10.0.0.2
>>>>> *Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
>>>>> *Mar 2 09:57:29.974: RADIUS: authenticator CC 75 E3 C9 F6 39 A8 D7 - CC 5D CF 91 8D 98 33 DF
>>>>> *Mar 2 09:57:29.974
>>>>> SW2#: RADIUS: Reply-Message [18] 12
>>>>> *Mar 2 09:57:29.974: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [ Rejected]
>>>>> *Mar 2 09:57:29.974: RADIUS: Message-Authenticato[80] 18
>>>>> *Mar 2 09:57:29.974: RADIUS: 48 3D CB 32 FC 1C A6 D3 7C 25 90 90 31 53 73 A6 [ H=2|?1Ss]
>>>>> *Mar 2 09:57:29.974: RADIUS(00000025): Received from id 1645/93
>>>>> *Mar 2 09:57:29.974: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
>>>>> SW2#
>>>>> *Mar 2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118| CiscoTrustAgent=NOT DETECTED
>>>>>
>>>>> SW2#sh eou all
>>>>> ----------------------------------------------------------------------------
>>>>> Address           Interface         AuthType   Posture-Token   Age(min)
>>>>> ----------------------------------------------------------------------------
>>>>> 169.254.138.118   FastEthernet0/43  UNKNOWN    -------         1
>>>>>
>>>>> ACS failed logs: Authen failed 001c.230a.4f38 Default Group
>>>>> 001c.230a.4f38 (Default) External DB user invalid or bad password.
>>>>>
>>>>> In case I create user 001c.230a.4f38 with password 001c.230a.4f38,
>>>>> ACS will complain about an invalid password.
>>>>>
>>>>> Thanks!
>>>>> Oszkar
>>>>>
>>>>> On Fri, Apr 27, 2012 at 9:31 AM, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>>> The following are various methods that we can use for dealing with
>>>>>> Agentless hosts.
>>>>>>
>>>>>> - Static policy based on IP address or MAC configured on NAD
>>>>>> - Configure Username/Password for NAH devices on NAD which is
>>>>>>   sent to ACS (this has been removed)
>>>>>> - Audit Server used to audit the NAD devices
>>>>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>>>>
>>>>>> ip admission name *admission-name* eapoudp bypass enables us to
>>>>>> authenticate the end host by using some of its unique parameters.
>>>>>> audit-session-id is the key. An audit server then validates the host.
>>>>>>
>>>>>> Snippet from
>>>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_nac/configuration/12-4t/sec-net-adm-cah-sup.html
>>>>>>
>>>>>> Agentless Hosts
>>>>>>
>>>>>> End devices that do not run CTA cannot provide credentials when
>>>>>> challenged by network access devices (NADs). Such hosts are termed
>>>>>> "agentless" or "nonresponsive." In the Phase I release of Network Admission
>>>>>> Control, agentless hosts were supported by either a static configuration
>>>>>> using exception lists (an identity profile) or by using "clientless"
>>>>>> username and password authentication on an ACS. These methods are
>>>>>> restrictive and do not convey any specific information about the host while
>>>>>> making policy decisions.
>>>>>>
>>>>>> EAPoUDP Bypass
>>>>>>
>>>>>> You can use the EAPoUDP Bypass feature to reduce latency of the
>>>>>> validation of hosts that are not using CTA. If EAPoUDP bypass is enabled,
>>>>>> the NAD does not contact the host to request the antivirus condition (the
>>>>>> NAD does not try to establish an EAPoUDP association with the host if the
>>>>>> EAPoUDP Bypass option is configured). Instead, the NAD sends a request to
>>>>>> the Cisco Secure ACS that includes the IP address, MAC address, service
>>>>>> type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the
>>>>>> access control decision and sends the policy to the NAD.
>>>>>>
>>>>>> If EAPoUDP bypass is enabled, the NAD sends an agentless host request
>>>>>> to the Cisco Secure ACS and applies the access policy from the server to
>>>>>> the host.
>>>>>>
>>>>>> If EAPoUDP bypass is enabled and the host uses the Cisco Trust Agent,
>>>>>> the NAD also sends a nonresponsive-host request to the Cisco Secure ACS and
>>>>>> applies the access policy from the server to the host.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Fri, Apr 27, 2012 at 8:56 PM, Imre Oszkar <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Kings,
>>>>>>>
>>>>>>> As far as I know the identity profile is locally configured on the NAD
>>>>>>> and works even if you don't use the eou bypass.
>>>>>>>
>>>>>>> For eou bypass the config guide shows the steps only for the NAD
>>>>>>> side (see below).
>>>>>>>
>>>>>>> Configuring a NAD to Bypass EAPoUDP Communication
>>>>>>>
>>>>>>> To configure a NAD to bypass EAPoUDP, perform the following steps.
>>>>>>> *SUMMARY STEPS*
>>>>>>>
>>>>>>> *1.* enable
>>>>>>> *2.* configure terminal
>>>>>>> *3.* ip admission name *admission-name* eapoudp bypass
>>>>>>> *4.* eou allow clientless
>>>>>>> *5.* interface type *slot* / *port*
>>>>>>>
>>>>>>> I assume there are some steps which have to be done on the ACS side
>>>>>>> as well but I couldn't find any doc about this.
>>>>>>> There is a NAC L2 Agentless profile template in the ACS; I have
>>>>>>> tried to use that but couldn't make it work.
>>>>>>>
>>>>>>> Any thoughts?
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Oszkar
>>>>>>>
>>>>>>> On Fri, Apr 27, 2012 at 2:40 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>>
>>>>>>>> You can configure an identity profile.
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> On Fri, Apr 27, 2012 at 9:17 AM, Imre Oszkar <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> hi,
>>>>>>>>>
>>>>>>>>> Does anybody know the configuration steps for NAC L2 Agentless
>>>>>>>>> support using the EOU bypass feature?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Oszkar
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>> please visit www.ipexpert.com
>>>>>>>>>
>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>>> www.PlatinumPlacement.com
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
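The dependency Kings describes between the ACL applied on the NAC interface and the redirect ACL can be checked mechanically rather than by browsing and watching. The Python below is an added example, not code from the thread or from Cisco: it parses the two ACLs visible in Oszkar's `show` output (the per-user `permit ip any any` downloaded from ACS and `redirect-acl`) with a first-match evaluator and reports, for one flow, whether it is permitted, redirected or dropped. The decision model it encodes is an assumption taken from the thread's description and from the deny entry in `redirect-acl`: the interface ACL must block the flow, and among blocked flows a deny entry in the redirect ACL selects the ones to redirect. The third ACL, `CONSTRUCTED-BLOCK-WEB`, is made up to show the contrasting case, and only the ACE forms that appear in the thread are parsed.

```python
"""
Model of the two-ACL URL-redirect decision discussed in the thread.  Illustrative
code, not IOS internals: first-match ACE evaluation with the implicit deny,
restricted to the ACE forms seen in the thread (permit/deny, ip/tcp/udp,
any / host X / address wildcard, optional 'eq <port>').

Assumed model (from the thread, not a documented algorithm): a flow is a redirect
candidate only when the ACL on the NAC interface blocks it; of the blocked flows,
those that hit a deny entry in the redirect ACL are redirected, the rest dropped.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# ACL text constructed from the 'show access-lists' output in the thread.
REDIRECT_ACL = """\
Extended IP access list redirect-acl
    20 deny tcp any host 136.1.122.6 eq www (192 matches)
"""
PER_USER_ACL = """\
Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4 (per-user)
    10 permit ip any any
"""
# Constructed alternative per-user ACL that does block web traffic (hypothetical).
BLOCKING_ACL = """\
Extended IP access list CONSTRUCTED-BLOCK-WEB (per-user)
    10 deny tcp any any eq www
    20 permit ip any any
"""

PORT_NAMES = {"www": 80, "https": 443, "domain": 53}
ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")

ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(ip|tcp|udp)\s+"
    r"(any|host\s+\S+|\S+\s+\S+)\s+(any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(\S+))?(?:\s+\(\d+\s+matches?\))?\s*$"
)


@dataclass
class Ace:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip' matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None: any destination port


def _parse_addr(tok: str) -> ipaddress.IPv4Network:
    if tok == "any":
        return ANY_NET
    parts = tok.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    # 'address wildcard' form; ipaddress accepts a contiguous wildcard as a host mask
    return ipaddress.IPv4Network((parts[0], parts[1]), strict=False)


def parse_acl(text: str) -> List[Ace]:
    """Parse 'show access-lists' style output; header lines are skipped."""
    aces: List[Ace] = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        action, proto, src, dst, port = m.groups()
        dport = None if port is None else (PORT_NAMES.get(port) or int(port))
        aces.append(Ace(action, proto, _parse_addr(src), _parse_addr(dst), dport))
    return aces


def first_match(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> Optional[Ace]:
    """IOS-style first match; None means only the implicit deny applied."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None


def nac_outcome(interface_acl: List[Ace], redirect_acl: List[Ace],
                proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit', 'redirect' or 'drop' for one flow under the assumed model."""
    hit = first_match(interface_acl, proto, src, dst, dport)
    if hit is not None and hit.action == "permit":
        return "permit"            # interface ACL lets it through: nothing to redirect
    rhit = first_match(redirect_acl, proto, src, dst, dport)
    if rhit is not None and rhit.action == "deny":
        return "redirect"          # blocked and named by the redirect ACL
    return "drop"                  # blocked, but not a redirect target


if __name__ == "__main__":
    redirect = parse_acl(REDIRECT_ACL)
    for label, text in (("per-user ACL from ACS", PER_USER_ACL), ("constructed blocking ACL", BLOCKING_ACL)):
        iface = parse_acl(text)
        for dst, port in (("136.1.122.6", 80), ("136.1.122.7", 80), ("136.1.122.6", 443)):
            print(f"{label}: 10.0.0.10 -> {dst}:{port} => "
                  f"{nac_outcome(iface, redirect, 'tcp', '10.0.0.10', dst, port)}")
```

Run stand-alone, it prints the three flows under both interface ACLs. With the downloaded `permit ip any any` every flow comes back `permit`, which under Kings' rule means there is nothing left for `redirect-acl` to act on; the constructed blocking ACL turns the flow to 136.1.122.6:80 into `redirect`, another blocked web flow into `drop`, and a non-web flow stays `permit`.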
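For the EAPoUDP bypass reject further down the thread, the `debug radius` capture is the useful evidence, but the console prompt cuts lines in half, once in the middle of an attribute value. The Python below is an added example, not Cisco tooling or code from the thread: it re-joins prompt-split lines, pairs the `Send Access-Request` with the `Received ... Access-Reject` carrying the same id, extracts Calling-Station-Id, Framed-IP-Address and the Cisco AVpairs (`aaa:service`, `audit-session-id`), decodes the hex-dumped Reply-Message, and attaches the `%EOU-6-CTA` agent-detection message for the same IP. The sample input is constructed from lines in Oszkar's capture (abridged, column spacing approximate), and the prompt string `SW2#` is the hostname seen there.

```python
"""
Correlate Cisco IOS 'debug radius' output into request/response exchanges so an
Access-Reject for an ip_admission (EAPoUDP) request can be read at a glance.
Illustrative parser, not a Cisco tool; it copes with the console prompt
splitting log lines, which the thread's capture shows several times.
"""
import re
from typing import Dict, List, Optional

PROMPT = "SW2#"   # hostname prompt seen in the thread's capture

# Constructed sample: lines copied from the thread's capture, abridged.
DEBUG_RADIUS = """\
SW2#
*Mar  2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
*Mar  2 09:57:29.949: RADIUS:  authenticator 80 80 5
SW2#A 90 E5 69 08 D1 - 91 82 D5 18 DE AB F3 22
*Mar  2 09:57:29.949: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Mar  2 09:57:29.957: RADIUS:  Calling-Station-Id  [31]  16  "001c.230a.4f38"
*Mar  2 09:57:29.957: RADIUS:  Framed-IP-Address   [8]   6   169.254.138.118
*Mar  2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  32
*Mar  2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   26  "aa
SW2#a:service=ip_admission"
*Mar  2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  57
*Mar  2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   51  "audit-session-id=000000000749572500000000A9FE8A76"
*Mar  2 09:57:29.957: RADIUS:  Message-Authenticato[80]  18
*Mar  2 09:57:29.957: RADIUS:   02 16 5E BF CF 62 FE C2 1A D6 D4 8E E6 01 3C 39            [ ^b<9]
*Mar  2 09:57:29.957: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/43"
*Mar  2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
*Mar  2 09:57:29.974
SW2#: RADIUS:  Reply-Message       [18]  12
*Mar  2 09:57:29.974: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D             [ Rejected]
*Mar  2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118| CiscoTrustAgent=NOT DETECTED
"""

SEND_RE = re.compile(r"Send Access-Request to (\S+) id (\S+), len \d+")
RECV_RE = re.compile(r"Received from id (\S+) (\S+), (Access-\w+), len \d+")
ATTR_RE = re.compile(r"RADIUS:\s+([A-Za-z][\w, -]*?)\s*\[(\d+)\]\s+(\d+)(?:\s+(.*))?$")
HEX_RE = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}\s+)+)\[")
CTA_RE = re.compile(r"%EOU-6-CTA: IP=(\S+)\|\s*CiscoTrustAgent=(.+)$")


def normalize(raw: str, prompt: str = PROMPT) -> List[str]:
    """Drop bare prompts and glue prompt-split fragments back onto the previous line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line.startswith(prompt):
            rest = line[len(prompt):]
            if rest and lines:
                lines[-1] += rest
            continue
        lines.append(line)
    return lines


def parse_debug_radius(raw: str) -> dict:
    """Group attributes by request id: {'exchanges': {id: ...}, 'cta': {ip: bool}}."""
    exchanges: Dict[str, dict] = {}
    cta: Dict[str, bool] = {}
    current: Optional[dict] = None
    section, last_attr = "request", None
    for line in normalize(raw):
        if m := SEND_RE.search(line):
            current = {"id": m.group(2), "server": m.group(1), "code": None, "request": {}, "response": {}}
            exchanges[m.group(2)] = current
            section, last_attr = "request", None
        elif m := RECV_RE.search(line):
            current = exchanges.setdefault(m.group(1), {"id": m.group(1), "server": m.group(2),
                                                        "code": None, "request": {}, "response": {}})
            current["code"] = m.group(3)
            section, last_attr = "response", None
        elif m := CTA_RE.search(line):
            cta[m.group(1)] = m.group(2).strip() != "NOT DETECTED"
        elif current is None:
            continue
        elif m := ATTR_RE.search(line):
            last_attr = m.group(1).strip()
            if m.group(4) is not None:
                current[section].setdefault(last_attr, []).append(m.group(4).strip().strip('"'))
        elif (m := HEX_RE.search(line)) and last_attr == "Reply-Message":
            # Reply-Message is dumped as hex bytes on the following line; decode it
            text = bytes.fromhex(m.group(1)).decode("ascii", "replace").strip()
            current[section].setdefault(last_attr, []).append(text)
    return {"exchanges": exchanges, "cta": cta}


def summarize(parsed: dict) -> List[dict]:
    """One row per exchange with the fields worth checking against the ACS failed-attempts log."""
    rows = []
    for ex in parsed["exchanges"].values():
        req, resp = ex["request"], ex["response"]
        avp = dict(p.split("=", 1) for p in req.get("Cisco AVpair", []) if "=" in p)
        ip = req.get("Framed-IP-Address", [None])[0]
        rows.append({
            "id": ex["id"], "server": ex["server"], "result": ex["code"],
            "mac": req.get("Calling-Station-Id", [None])[0], "ip": ip,
            "service": avp.get("aaa:service"), "audit_session_id": avp.get("audit-session-id"),
            "reply_message": " ".join(resp.get("Reply-Message", [])) or None,
            "cta_detected": parsed["cta"].get(ip),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_debug_radius(DEBUG_RADIUS)):
        print(row)
```

The row for id 1645/93 shows what the switch actually submitted on the host's behalf (MAC 001c.230a.4f38, the link-local IP, `aaa:service=ip_admission`, the audit-session-id) next to the server's `Access-Reject` and its decoded `Rejected` reply, with `cta_detected` false for that IP; lining those up against the "External DB user invalid or bad password" entry in the ACS log is the comparison the thread is trying to make by hand.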
