Hi Kings,
It's not working. I think I have tried all the variants and I'm out of ideas; please guide me.

SW config:

aaa new-model
aaa authentication login default none
aaa authentication eou default group radius
aaa authorization network default group radius

interface FastEthernet0/43
 switchport access vlan 129
 switchport mode access
 ip access-group filter in
 spanning-tree portfast
 ip admission NAC2

ip access-list extended filter          <--- INTERFACE ACL which denies everything but EOU
 permit udp any any eq 21862
 deny ip any any log

ip access-list extended redirect-acl    <--- REDIRECT ACL where the traffic should be redirected
 deny tcp any host 136.1.122.5 eq www

radius-server attribute 8 include-in-access-req
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication

---------------

SW2# sh eou interface fastEthernet 0/43
----------------------------------------------------------------------------
Address          Interface          AuthType    Posture-Token   Age(min)
----------------------------------------------------------------------------
10.0.0.10        FastEthernet0/43   EAP         Healthy         6

SW2#sh eou ip 10.0.0.10
Address             : 10.0.0.10
MAC Address         : 00e0.4c03.5787
Interface           : FastEthernet0/43
AuthType            : EAP
Audit Session ID    : 0000000004DA6D26000000000A00000A
PostureToken        : Healthy
Age(min)            : 6
URL Redirect        : http://r5.cisco.com
URL Redirect ACL    : redirect-acl
ACL Name            : xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071
User Name           : XXX:oszkari
Revalidation Period : 36000 Seconds
Status Query Period : 300 Seconds
Current State       : AUTHENTICATED

SW2#sh access-lists xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071     <---- DOWNLOADABLE ACL
Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071 (per-user)
    10 deny tcp any any eq www
    20 deny icmp any host 136.1.122.6
    30 permit ip any any

From the client PC (10.0.0.10) I'm able to access any website, no sign of a redirection attempt (checked with Wireshark).

What is really driving me crazy is that I have explicitly denied HTTP traffic through the interface ACL + downloadable ACL, but I can still browse any page I want, as if the deny statements in the ACL didn't exist... However, ICMP traffic towards 136.1.122.6 is blocked as it should be.

Please comment!

Oszkar

On Sat, Apr 28, 2012 at 7:52 AM, Kingsley Charles <[email protected]> wrote:

> You won't see the re-direct ACL. If you want to see it, either add it along
> with "HEALTHY" or remove HEALTHY. Something like http://1.2.3.4.
> Since it is an http URL, it will be shown as a hyperlink which you can click.
>
> One more thing: redirect will happen automatically if the address is
> being blocked by the ACL on the NAC interface.
>
> The redirect ACL is an ACL which tells for which addresses the redirect should
> happen.
>
> With regards
> Kings
>
>
> On Sat, Apr 28, 2012 at 8:05 PM, Imre Oszkar <[email protected]> wrote:
>
>> Hi Kings,
>>
>> This is what I have..
>> In the pop-up I have got "HEALTY" but no redirect-url, and when
>> browsing the IP specified in the redirect-acl the redirection does not
>> happen..
>>
>> Any thoughts?
>>
>> SW2#sh run | i http
>> ip http server
>> ip http secure-server
>>
>> SW2#sh eou ip 10.0.0.10
>> Address             : 10.0.0.10
>> MAC Address         : 00e0.4c03.5787
>> Interface           : FastEthernet0/43
>> AuthType            : EAP
>> Audit Session ID    : 000000000BC8503F000000000A00000A
>> PostureToken        : Healthy
>> Age(min)            : 2
>> URL Redirect        : http://r5.cisco.com
>> URL Redirect ACL    : redirect-acl
>> ACL Name            : xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4
>> User Name           : XXX:oszkari
>> Revalidation Period : 36000 Seconds
>> Status Query Period : 300 Seconds
>> Current State       : AUTHENTICATED
>>
>> Extended IP access list redirect-acl
>>     20 deny tcp any host 136.1.122.6 eq www (192 matches)
>> Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4 (per-user)
>>     10 permit ip any any
>>
>> r5.cisco.com resolves to 136.1.122.5 (which is another IOS box in the
>> network with http server enabled)
>>
>> Oszkar
>>
>>
>> On Fri, Apr 27, 2012 at 11:02 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> For url-redirect to work, the IP address to which you are browsing should
>>> be blocked by the ACL.
>>>
>>> The redirect ACL should be a named ACL, and it has worked for me once, that
>>> too on a switch when configured for NAC L2 IP.
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Sat, Apr 28, 2012 at 11:16 AM, Imre Oszkar <[email protected]> wrote:
>>>
>>>> Hi Kings,
>>>>
>>>> Thanks for the reply! Yes, I was trying it for the lab. So for NAH
>>>> scenarios the only thing we need to know is the identity profile configured
>>>> on the NAD?
>>>>
>>>> Did you ever make the URL redirect work with NAC? I have seen an older
>>>> post of yours about this.
>>>> I'm facing the same issue. I have the redirect url and redirect-acl
>>>> downloaded from the ACS. I have the redirect-acl (with deny statement)
>>>> defined on the NAD, but I don't get any URL in the popup screen and the
>>>> http redirect does not happen no matter what I'm trying to access.
>>>>
>>>> Thanks!
>>>> Oszkar
>>>>
>>>>
>>>> On Fri, Apr 27, 2012 at 9:57 PM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> The following requires ACS to be configured:
>>>>>
>>>>> - Configure Username/Password for NAH devices on NAD which is sent
>>>>>   to ACS (this has been removed)
>>>>> - Audit Server used to audit the NAD devices
>>>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>>>
>>>>> For your case, you should have an Audit server integrated with the
>>>>> ACS. If you are trying this for the CCIE lab, then your case is certainly out
>>>>> of scope.
>>>>>
>>>>> I have not tried with IP address or MAC address and am not sure if
>>>>> bypass can be done locally within ACS.
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>>
>>>>> On Fri, Apr 27, 2012 at 11:24 PM, Imre Oszkar <[email protected]> wrote:
>>>>>
>>>>>> Hi Kings,
>>>>>>
>>>>>> In which one of the four cases do we have to use the NAC Agentless
>>>>>> profile template from ACS?
>>>>>>
>>>>>> This is what I'm trying to achieve using the eou bypass:
>>>>>> "NAD sends a request to the Cisco Secure ACS that includes the IP
>>>>>> address, MAC address, service type, and EAPoUDP session ID of the host. The
>>>>>> Cisco Secure ACS makes the access control decision and sends the policy to
>>>>>> the NAD"
>>>>>>
>>>>>> Based on the above, my understanding is that if we configure the eou
>>>>>> bypass feature the host will not go through a posture assessment; instead
>>>>>> the NAD will send a request to ACS for a policy for each connected
>>>>>> host. Something similar to the identity profile but centralized on ACS.
>>>>>>
>>>>>> I have NAC L2 configured which works well for hosts with trust agent
>>>>>> installed.
>>>>>> Once I enable the eou bypass both types of clients (with CTA or
>>>>>> without CTA) fail to download a policy from ACS.
>>>>>>
>>>>>> SW2#
>>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025):Orig. component type = EAPOUDP
>>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): Config NAS IP: 0.0.0.0
>>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025): acct_session_id: 37
>>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): sending
>>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2 for Radius-Server 10.0.0.100
>>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
>>>>>> *Mar 2 09:57:29.949: RADIUS:  authenticator 80 80 5
>>>>>> SW2#A 90 E5 69 08 D1 - 91 82 D5 18 DE AB F3 22
>>>>>> *Mar 2 09:57:29.949: RADIUS:  Service-Type        [6]   6   Call Check                [10]
>>>>>> *Mar 2 09:57:29.949: RADIUS:  Called-Station-Id   [30]  16  "0019.5670.59af"
>>>>>> *Mar 2 09:57:29.957: RADIUS:  Calling-Station-Id  [31]  16  "001c.230a.4f38"
>>>>>> *Mar 2 09:57:29.957: RADIUS:  Framed-IP-Address   [8]   6   169.254.138.118
>>>>>> *Mar 2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  32
>>>>>> *Mar 2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   26  "aa
>>>>>> SW2#a:service=ip_admission"
>>>>>> *Mar 2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  57
>>>>>> *Mar 2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   51  "audit-session-id=000000000749572500000000A9FE8A76"
>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
>>>>>> *Mar 2 09:57:29.957: RADIUS:  Message-Authenticato[80]  18
>>>>>> *Mar 2 09:57:29.957: RADIUS:   02 16 5E BF CF 62 FE C2 1A D6 D4 8E E6 01 3C 39          [ ^b<9]
>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Type
>>>>>> SW2#[61]  6   Async                     [0]
>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port            [5]   6   0
>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/43"
>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.2
>>>>>> *Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
>>>>>> *Mar 2 09:57:29.974: RADIUS:  authenticator CC 75 E3 C9 F6 39 A8 D7 - CC 5D CF 91 8D 98 33 DF
>>>>>> *Mar 2 09:57:29.974
>>>>>> SW2#: RADIUS:  Reply-Message       [18]  12
>>>>>> *Mar 2 09:57:29.974: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D           [ Rejected]
>>>>>> *Mar 2 09:57:29.974: RADIUS:  Message-Authenticato[80]  18
>>>>>> *Mar 2 09:57:29.974: RADIUS:   48 3D CB 32 FC 1C A6 D3 7C 25 90 90 31 53 73 A6 [ H=2|?1Ss]
>>>>>> *Mar 2 09:57:29.974: RADIUS(00000025): Received from id 1645/93
>>>>>> *Mar 2 09:57:29.974: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
>>>>>> SW2#
>>>>>> *Mar 2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118| CiscoTrustAgent=NOT DETECTED
>>>>>>
>>>>>> SW2#sh eou all
>>>>>> ----------------------------------------------------------------------------
>>>>>> Address          Interface          AuthType    Posture-Token   Age(min)
>>>>>> ----------------------------------------------------------------------------
>>>>>> 169.254.138.118  FastEthernet0/43   UNKNOWN     -------         1
>>>>>>
>>>>>> ACS failed logs: Authen failed 001c.230a.4f38 Default Group
>>>>>> 001c.230a.4f38 (Default) External DB user invalid or bad password.
>>>>>>
>>>>>> In case I create user 001c.230a.4f38 with password 001c.230a.4f38,
>>>>>> ACS will complain about an invalid password.
>>>>>>
>>>>>> Thanks!
>>>>>> Oszkar
>>>>>>
>>>>>> On Fri, Apr 27, 2012 at 9:31 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>
>>>>>>> The following are various methods that we can use for dealing with
>>>>>>> Agentless hosts.
>>>>>>>
>>>>>>> - Static policy based on IP address or MAC configured on NAD
>>>>>>> - Configure Username/Password for NAH devices on NAD which is
>>>>>>>   sent to ACS (this has been removed)
>>>>>>> - Audit Server used to audit the NAD devices
>>>>>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>>>>>
>>>>>>> "ip admission name *admission-name* eapoudp bypass" enables us to
>>>>>>> authenticate the end host by using some of its unique parameters.
>>>>>>> audit-session-id is the key. An audit server then validates the host.
>>>>>>>
>>>>>>> Snippet from
>>>>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_nac/configuration/12-4t/sec-net-adm-cah-sup.html
>>>>>>>
>>>>>>> Agentless Hosts
>>>>>>>
>>>>>>> End devices that do not run CTA cannot provide credentials when
>>>>>>> challenged by network access devices (NADs). Such hosts are termed
>>>>>>> "agentless" or "nonresponsive." In the Phase I release of Network Admission
>>>>>>> Control, agentless hosts were supported by either a static configuration
>>>>>>> using exception lists (an identity profile) or by using "clientless"
>>>>>>> username and password authentication on an ACS. These methods are
>>>>>>> restrictive and do not convey any specific information about the host while
>>>>>>> making policy decisions.
>>>>>>>
>>>>>>> EAPoUDP Bypass
>>>>>>>
>>>>>>> You can use the EAPoUDP Bypass feature to reduce latency of the
>>>>>>> validation of hosts that are not using CTA. If EAPoUDP bypass is enabled,
>>>>>>> the NAD does not contact the host to request the antivirus condition (the
>>>>>>> NAD does not try to establish an EAPoUDP association with the host if the
>>>>>>> EAPoUDP Bypass option is configured). Instead, the NAD sends a request to
>>>>>>> the Cisco Secure ACS that includes the IP address, MAC address, service
>>>>>>> type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the
>>>>>>> access control decision and sends the policy to the NAD.
>>>>>>>
>>>>>>> If EAPoUDP bypass is enabled, the NAD sends an agentless host
>>>>>>> request to the Cisco Secure ACS and applies the access policy from the
>>>>>>> server to the host.
>>>>>>>
>>>>>>> If EAPoUDP bypass is enabled and the host uses the Cisco Trust
>>>>>>> Agent, the NAD also sends a nonresponsive-host request to the Cisco Secure
>>>>>>> ACS and applies the access policy from the server to the host.
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Apr 27, 2012 at 8:56 PM, Imre Oszkar <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Kings,
>>>>>>>>
>>>>>>>> As far as I know the identity profile is locally configured on the NAD
>>>>>>>> and works even if you don't use the eou bypass.
>>>>>>>>
>>>>>>>> For eou bypass the config guide shows the steps only for the NAD
>>>>>>>> side (see below).
>>>>>>>>
>>>>>>>> Configuring a NAD to Bypass EAPoUDP Communication
>>>>>>>>
>>>>>>>> To configure a NAD to bypass EAPoUDP, perform the following steps.
>>>>>>>>
>>>>>>>> SUMMARY STEPS
>>>>>>>>
>>>>>>>> 1. enable
>>>>>>>> 2. configure terminal
>>>>>>>> 3. ip admission name *admission-name* eapoudp bypass
>>>>>>>> 4. eou allow clientless
>>>>>>>> 5. interface type *slot* / *port*
>>>>>>>>
>>>>>>>> I assume there are some steps which have to be done on the ACS side
>>>>>>>> as well, but I couldn't find any doc about this.
>>>>>>>> There is a NAC L2 Agentless profile template in the ACS; I have
>>>>>>>> tried to use that but couldn't make it work.
>>>>>>>>
>>>>>>>> Any thoughts?
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Oszkar
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Apr 27, 2012 at 2:40 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> You can configure an identity profile.
>>>>>>>>>
>>>>>>>>> With regards
>>>>>>>>> Kings
>>>>>>>>>
>>>>>>>>> On Fri, Apr 27, 2012 at 9:17 AM, Imre Oszkar <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> hi,
>>>>>>>>>>
>>>>>>>>>> Does anybody know the configuration steps for NAC L2 Agentless
>>>>>>>>>> support using the EOU bypass feature?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Oszkar
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> For more information regarding industry leading CCIE Lab
>>>>>>>>>> training, please visit www.ipexpert.com
>>>>>>>>>>
>>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>>>> www.PlatinumPlacement.com
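The "debug radius" output quoted earlier in this thread (the Access-Request that came back as Access-Reject) is easier to read once the attributes are pulled out per packet and the hex-only Reply-Message is decoded. The script below is an added example, not code from the thread or from Cisco. It assumes the attribute line layout of the IOS 12.x "debug radius" output as quoted above (one attribute per line as NAME [type] length value, hex dumps on continuation lines); SAMPLE_DEBUG is constructed from that quoted exchange with the interleaved "SW2#" console prompts removed.

```python
"""Parse Cisco IOS 'debug radius' output into packets and attributes.

Added example, not from the thread or from Cisco.  Assumes the line layout
of IOS 12.x 'debug radius' output as quoted in the thread.  SAMPLE_DEBUG is
constructed from that quoted exchange, with the 'SW2#' console prompts that
broke up some lines removed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_DEBUG = """\
*Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
*Mar 2 09:57:29.949: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Mar 2 09:57:29.949: RADIUS:  Called-Station-Id   [30]  16  "0019.5670.59af"
*Mar 2 09:57:29.957: RADIUS:  Calling-Station-Id  [31]  16  "001c.230a.4f38"
*Mar 2 09:57:29.957: RADIUS:  Framed-IP-Address   [8]   6   169.254.138.118
*Mar 2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  32
*Mar 2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   26  "aaa:service=ip_admission"
*Mar 2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  57
*Mar 2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   51  "audit-session-id=000000000749572500000000A9FE8A76"
*Mar 2 09:57:29.957: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/43"
*Mar 2 09:57:29.957: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.2
*Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
*Mar 2 09:57:29.974: RADIUS:  Reply-Message       [18]  12
*Mar 2 09:57:29.974: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D           [ Rejected]
*Mar 2 09:57:29.974: RADIUS:  Message-Authenticato[80]  18
*Mar 2 09:57:29.974: RADIUS:   48 3D CB 32 FC 1C A6 D3 7C 25 90 90 31 53 73 A6 [ H=2|?1Ss]
"""

# A 'Send' or 'Received' header opens a packet; the attribute lines follow it.
PACKET_SENT = re.compile(r"RADIUS\(\w+\): Send (?P<code>\S+) to (?P<peer>\S+) id (?P<ident>\S+), len (?P<len>\d+)")
PACKET_RECV = re.compile(r"RADIUS: Received from id (?P<ident>\S+) (?P<peer>\S+), (?P<code>[\w-]+), len (?P<len>\d+)")
# Attribute line: NAME [type] length value.  Hex continuation line: bytes, optional [ascii].
ATTR_LINE = re.compile(r"RADIUS:\s+(?P<name>[^\[]+?)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*?)\s*$")
HEX_LINE = re.compile(r"RADIUS:\s+(?P<hex>(?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})\s*(?:\[.*\])?\s*$")


@dataclass
class Attribute:
    name: str
    type_code: int
    length: int
    value: str          # text as printed by IOS ("" for containers / hex-only attributes)
    raw: bytes = b""    # bytes collected from hex continuation lines


@dataclass
class Packet:
    code: str           # Access-Request, Access-Reject, ...
    peer: str           # server address:port
    ident: str          # "source-port/identifier"; pairs a request with its reply
    length: int
    attributes: List[Attribute] = field(default_factory=list)


def parse_debug(text: str) -> List[Packet]:
    packets: List[Packet] = []
    for line in text.splitlines():
        m = PACKET_SENT.search(line) or PACKET_RECV.search(line)
        if m:
            packets.append(Packet(m["code"], m["peer"], m["ident"], int(m["len"])))
            continue
        if not packets:
            continue                    # preamble before the first packet header
        attrs = packets[-1].attributes
        m = HEX_LINE.search(line)
        if m and attrs:                 # a hex dump belongs to the preceding attribute
            attrs[-1].raw += bytes.fromhex(re.sub(r"\s+", "", m["hex"]))
            continue
        m = ATTR_LINE.search(line)
        if m:
            value = re.sub(r"\s+", " ", m["value"]).strip().strip('"')
            attrs.append(Attribute(m["name"].strip(), int(m["type"]), int(m["len"]), value))
    return packets


def attribute_value(packet: Packet, name: str) -> Optional[str]:
    return next((a.value for a in packet.attributes if a.name == name), None)


def cisco_avpairs(packet: Packet) -> Dict[str, str]:
    """Cisco AVpairs as key -> value, split on the first '='."""
    pairs: Dict[str, str] = {}
    for a in packet.attributes:
        if a.name == "Cisco AVpair" and "=" in a.value:
            key, _, val = a.value.partition("=")
            pairs[key] = val
    return pairs


def reply_message(packet: Packet) -> Optional[str]:
    """Reply-Message is shown only as a hex dump; decode it to text."""
    for a in packet.attributes:
        if a.name == "Reply-Message":
            return a.raw.decode("ascii", errors="replace").strip()
    return None


def summarize(packets: List[Packet]) -> Dict[str, Dict[str, object]]:
    """Pair each Access-Request with the reply carrying the same id."""
    result: Dict[str, Dict[str, object]] = {}
    for p in packets:
        entry = result.setdefault(p.ident, {"outcome": "no reply seen"})
        if p.code == "Access-Request":
            entry["host_mac"] = attribute_value(p, "Calling-Station-Id")
            entry["host_ip"] = attribute_value(p, "Framed-IP-Address")
            entry["port"] = attribute_value(p, "NAS-Port-Id")
            entry["avpairs"] = cisco_avpairs(p)
        else:
            entry["outcome"] = p.code
            entry["reply_message"] = reply_message(p)
    return result


if __name__ == "__main__":
    for ident, info in summarize(parse_debug(SAMPLE_DEBUG)).items():
        print(ident, info)
```

Running it on the sample pairs request id 1645/93 with its Access-Reject and reports host_mac 001c.230a.4f38 (the Calling-Station-Id, which is the same value that appears in the ACS failed-attempts log quoted in the thread), host_ip 169.254.138.118, the aaa:service=ip_admission and audit-session-id AVpairs, and the decoded Reply-Message "Rejected". Feeding it a longer capture gives one entry per request id, so repeated rejects or unanswered requests stand out without reading the raw hex.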
