Redirect ACL tells the router/IOS which traffic should be redirected. After NAC authentication, any web traffic that is denied by the interface ACL (NAC L3) or user ACL (NAC L2) is subjected to redirection.
You can control which of the denied traffic is redirected using the redirect ACL.

With regards

On Tue, May 1, 2012 at 11:30 PM, Imre Oszkar <[email protected]> wrote:
> Hi Kings,
>
> It's not working.. I think I have tried all the variants and I'm out of
> ideas.. please guide me.
>
> SW config:
>
> aaa new-model
> aaa authentication login default none
> aaa authentication eou default group radius
> aaa authorization network default group radius
>
> interface FastEthernet0/43
>  switchport access vlan 129
>  switchport mode access
>  ip access-group filter in
>  spanning-tree portfast
>  ip admission NAC2
>
> ip access-list extended filter          <--- INTERFACE ACL which denies everything but EOU
>  permit udp any any eq 21862
>  deny ip any any log
>
> ip access-list extended redirect-acl    <--- REDIRECT ACL where the traffic should be redirected
>  deny tcp any host 136.1.122.5 eq www
>
> radius-server attribute 8 include-in-access-req
> radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
> radius-server vsa send authentication
>
> ---------------
>
> SW2# sh eou interface fastEthernet 0/43
>
> ----------------------------------------------------------------------------
> Address          Interface           AuthType   Posture-Token   Age(min)
> ----------------------------------------------------------------------------
> 10.0.0.10        FastEthernet0/43    EAP        Healthy         6
>
> SW2#sh eou ip 10.0.0.10
> Address              : 10.0.0.10
> MAC Address          : 00e0.4c03.5787
> Interface            : FastEthernet0/43
> AuthType             : EAP
> Audit Session ID     : 0000000004DA6D26000000000A00000A
> PostureToken         : Healthy
> Age(min)             : 6
>
> URL Redirect         : http://r5.cisco.com
> URL Redirect ACL     : redirect-acl
> ACL Name             : xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071
>
> User Name            : XXX:oszkari
> Revalidation Period  : 36000 Seconds
> Status Query Period  : 300 Seconds
> Current State        : AUTHENTICATED
>
> SW2#sh access-lists xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071    <---- DOWNLOADABLE ACL
> Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071 (per-user)
>     10 deny tcp any any eq www
>     20 deny icmp any host 136.1.122.6
>     30 permit ip any any
>
> From the client PC (10.0.0.10) I'm able to access any website, no sign of
> redirection attempt (checked with Wireshark).
> What is really driving me crazy is that I have explicitly denied HTTP
> traffic through interface ACL + downloadable ACL but I can still browse any
> page I want like the deny statements in ACL wouldn't exist... However ICMP
> traffic towards 136.1.122.6 is blocked as it should.
>
> Please comment!
>
> Oszkar
>
> On Sat, Apr 28, 2012 at 7:52 AM, Kingsley Charles <[email protected]> wrote:
>> You won't see the re-direct ACL. If you want to see it, either add along
>> with "HEALTHY" and you remove HEALTHY. Something like http://1.2.3.4.
>> Since it is an http url, it will be shown as a hyperlink which you can click.
>>
>> One more thing, redirect will happen automatically, if the address is
>> being blocked by the acl in the nac interface.
>>
>> redirect acl is an ACL which tells for which addresses redirect should
>> happen.
>>
>> With regards
>> Kings
>>
>> On Sat, Apr 28, 2012 at 8:05 PM, Imre Oszkar <[email protected]> wrote:
>>> Hi Kings,
>>>
>>> This is what I have..
>>> In the pop-up I have got "HEALTHY" but no redirect-url, and when
>>> browsing the ip specified on the redirect-acl the redirection does not
>>> happen..
>>>
>>> Any thoughts?
>>>
>>> SW2#sh run | i http
>>> ip http server
>>> ip http secure-server
>>>
>>> SW2#sh eou ip 10.0.0.10
>>> Address              : 10.0.0.10
>>> MAC Address          : 00e0.4c03.5787
>>> Interface            : FastEthernet0/43
>>> AuthType             : EAP
>>> Audit Session ID     : 000000000BC8503F000000000A00000A
>>> PostureToken         : Healthy
>>> Age(min)             : 2
>>> URL Redirect         : http://r5.cisco.com
>>> URL Redirect ACL     : redirect-acl
>>> ACL Name             : xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4
>>> User Name            : XXX:oszkari
>>> Revalidation Period  : 36000 Seconds
>>> Status Query Period  : 300 Seconds
>>> Current State        : AUTHENTICATED
>>>
>>> Extended IP access list redirect-acl
>>>     20 deny tcp any host 136.1.122.6 eq www (192 matches)
>>> Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4 (per-user)
>>>     10 permit ip any any
>>>
>>> r5.cisco.com resolves to 136.1.122.5 (which is another IOS box in the
>>> network with http server enabled)
>>>
>>> Oszkar
>>>
>>> On Fri, Apr 27, 2012 at 11:02 PM, Kingsley Charles <[email protected]> wrote:
>>>> For url-direct to work, the IP address to which you are browsing should
>>>> be blocked by the ACL.
>>>>
>>>> redirect acl should be a named acl and it has worked for me once that
>>>> too on switch when configured for NAC L2 IP.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Sat, Apr 28, 2012 at 11:16 AM, Imre Oszkar <[email protected]> wrote:
>>>>> Hi Kings,
>>>>>
>>>>> Thanks for the reply! Yes, I was trying it for the lab. So for NAH
>>>>> scenarios the only thing we need to know is the identity profile
>>>>> configured on the NAD?
>>>>>
>>>>> Did you ever make the URL redirect work with NAC? I have seen an older
>>>>> post of yours about this.
>>>>> I'm facing the same issue.. I have the redirect url, redirect-acl
>>>>> downloaded from the ACS. I have the redirect-acl (with deny statement)
>>>>> defined on the NAD, but I don't get any URL in the popup screen and the
>>>>> http redirect does not happen no matter what I'm trying to access.
>>>>>
>>>>> Thanks!
>>>>> Oszkar
>>>>>
>>>>> On Fri, Apr 27, 2012 at 9:57 PM, Kingsley Charles <[email protected]> wrote:
>>>>>> The following requires ACS to be configured:
>>>>>>
>>>>>> - Configure Username/Password for NAH devices on NAD which is
>>>>>>   sent to ACS (this has been removed)
>>>>>> - Audit Server used to audit the NAD devices
>>>>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>>>>
>>>>>> For your case, you should have an Audit server integrated with the
>>>>>> ACS. If you are trying this for CCIE lab, then your case is certainly out
>>>>>> of scope.
>>>>>>
>>>>>> I have not tried with IP address or MAC address and not sure, if
>>>>>> bypass can be done locally within ACS.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Fri, Apr 27, 2012 at 11:24 PM, Imre Oszkar <[email protected]> wrote:
>>>>>>> Hi Kings,
>>>>>>>
>>>>>>> In which one of the four cases do we have to use the NAC Agentless
>>>>>>> profile template from ACS?
>>>>>>>
>>>>>>> This is what I'm trying to achieve using the eou bypass:
>>>>>>> "NAD sends a request to the Cisco Secure ACS that includes the IP
>>>>>>> address, MAC address, service type, and EAPoUDP session ID of the host.
>>>>>>> The Cisco Secure ACS makes the access control decision and sends the
>>>>>>> policy to the NAD"
>>>>>>>
>>>>>>> Based on the above, my understanding is that if we configure the eou
>>>>>>> bypass feature the host will not go through a posture assessment,
>>>>>>> instead the NAD will send a request to ACS for a policy for each
>>>>>>> connected host. Something similar as the identity profile but
>>>>>>> centralized on ACS.
>>>>>>>
>>>>>>> I have NAC L2 configured which works well for hosts with trust
>>>>>>> agent installed.
>>>>>>> Once I enable the eou bypass both type of clients (with CTA or
>>>>>>> without CTA) fail to download a policy from ACS.
>>>>>>>
>>>>>>> SW2#
>>>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025):Orig. component type = EAPOUDP
>>>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): Config NAS IP: 0.0.0.0
>>>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025): acct_session_id: 37
>>>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): sending
>>>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2 for Radius-Server 10.0.0.100
>>>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
>>>>>>> *Mar 2 09:57:29.949: RADIUS:  authenticator 80 80 5
>>>>>>> SW2#A 90 E5 69 08 D1 - 91 82 D5 18 DE AB F3 22
>>>>>>> *Mar 2 09:57:29.949: RADIUS:  Service-Type        [6]   6   Call Check                [10]
>>>>>>> *Mar 2 09:57:29.949: RADIUS:  Called-Station-Id   [30]  16  "0019.5670.59af"
>>>>>>> *Mar 2 09:57:29.957: RADIUS:  Calling-Station-Id  [31]  16  "001c.230a.4f38"
>>>>>>> *Mar 2 09:57:29.957: RADIUS:  Framed-IP-Address   [8]   6   169.254.138.118
>>>>>>> *Mar 2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  32
>>>>>>> *Mar 2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   26  "aa
>>>>>>> SW2#a:service=ip_admission"
>>>>>>> *Mar 2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  57
>>>>>>> *Mar 2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   51  "audit-session-id=000000000749572500000000A9FE8A76"
>>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
>>>>>>> *Mar 2 09:57:29.957: RADIUS:  Message-Authenticato[80]  18
>>>>>>> *Mar 2 09:57:29.957: RADIUS:   02 16 5E BF CF 62 FE C2 1A D6 D4 8E E6 01 3C 39  [ ^b<9]
>>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Type
>>>>>>> SW2#[61]  6   Async                     [0]
>>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port            [5]   6   0
>>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/43"
>>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.2
>>>>>>> *Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
>>>>>>> *Mar 2 09:57:29.974: RADIUS:  authenticator CC 75 E3 C9 F6 39 A8 D7 - CC 5D CF 91 8D 98 33 DF
>>>>>>> *Mar 2 09:57:29.974
>>>>>>> SW2#: RADIUS:  Reply-Message       [18]  12
>>>>>>> *Mar 2 09:57:29.974: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D  [ Rejected]
>>>>>>> *Mar 2 09:57:29.974: RADIUS:  Message-Authenticato[80]  18
>>>>>>> *Mar 2 09:57:29.974: RADIUS:   48 3D CB 32 FC 1C A6 D3 7C 25 90 90 31 53 73 A6  [ H=2|?1Ss]
>>>>>>> *Mar 2 09:57:29.974: RADIUS(00000025): Received from id 1645/93
>>>>>>> *Mar 2 09:57:29.974: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
>>>>>>> SW2#
>>>>>>> *Mar 2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118| CiscoTrustAgent=NOT DETECTED
>>>>>>>
>>>>>>> SW2#sh eou all
>>>>>>> ----------------------------------------------------------------------------
>>>>>>> Address          Interface           AuthType   Posture-Token   Age(min)
>>>>>>> ----------------------------------------------------------------------------
>>>>>>> 169.254.138.118  FastEthernet0/43    UNKNOWN    -------         1
>>>>>>>
>>>>>>> ACS failed logs: Authen failed 001c.230a.4f38 Default Group
>>>>>>> 001c.230a.4f38 (Default) External DB user invalid or bad password.
>>>>>>>
>>>>>>> In case I create user 001c.230a.4f38 with password 001c.230a.4f38
>>>>>>> ACS will complain for invalid password.
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Oszkar
>>>>>>>
>>>>>>> On Fri, Apr 27, 2012 at 9:31 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>>> The following are various methods that we can use for dealing with
>>>>>>>> Agentless hosts.
>>>>>>>>
>>>>>>>> - Static policy based on IP address or MAC configured on NAD
>>>>>>>> - Configure Username/Password for NAH devices on NAD which is
>>>>>>>>   sent to ACS (this has been removed)
>>>>>>>> - Audit Server used to audit the NAD devices
>>>>>>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>>>>>>
>>>>>>>> ip admission name *admission-name* eapoudp bypass enables us to
>>>>>>>> authenticate the end host by using some of its unique parameters.
>>>>>>>> audit-session-id is the key. An audit server then validates the
>>>>>>>> host.
>>>>>>>>
>>>>>>>> Snippet from
>>>>>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_nac/configuration/12-4t/sec-net-adm-cah-sup.html
>>>>>>>>
>>>>>>>> Agentless Hosts
>>>>>>>>
>>>>>>>> End devices that do not run CTA cannot provide credentials when
>>>>>>>> challenged by network access devices (NADs). Such hosts are termed
>>>>>>>> "agentless" or "nonresponsive." In the Phase I release of Network
>>>>>>>> Admission Control, agentless hosts were supported by either a static
>>>>>>>> configuration using exception lists (an identity profile) or by using
>>>>>>>> "clientless" username and password authentication on an ACS. These
>>>>>>>> methods are restrictive and do not convey any specific information
>>>>>>>> about the host while making policy decisions.
>>>>>>>>
>>>>>>>> EAPoUDP Bypass
>>>>>>>>
>>>>>>>> You can use the EAPoUDP Bypass feature to reduce latency of the
>>>>>>>> validation of hosts that are not using CTA. If EAPoUDP bypass is
>>>>>>>> enabled, the NAD does not contact the host to request the antivirus
>>>>>>>> condition (the NAD does not try to establish an EAPoUDP association
>>>>>>>> with the host if the EAPoUDP Bypass option is configured). Instead,
>>>>>>>> the NAD sends a request to the Cisco Secure ACS that includes the IP
>>>>>>>> address, MAC address, service type, and EAPoUDP session ID of the
>>>>>>>> host. The Cisco Secure ACS makes the access control decision and
>>>>>>>> sends the policy to the NAD.
>>>>>>>>
>>>>>>>> If EAPoUDP bypass is enabled, the NAD sends an agentless host
>>>>>>>> request to the Cisco Secure ACS and applies the access policy from the
>>>>>>>> server to the host.
>>>>>>>>
>>>>>>>> If EAPoUDP bypass is enabled and the host uses the Cisco Trust
>>>>>>>> Agent, the NAD also sends a nonresponsive-host request to the Cisco
>>>>>>>> Secure ACS and applies the access policy from the server to the host.
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> On Fri, Apr 27, 2012 at 8:56 PM, Imre Oszkar <[email protected]> wrote:
>>>>>>>>> Hi Kings,
>>>>>>>>>
>>>>>>>>> As far as I know identity profile is locally configured on the
>>>>>>>>> NAD and works even if you don't use the eou bypass.
>>>>>>>>>
>>>>>>>>> For eou bypass the config guide shows the steps only for the NAD
>>>>>>>>> side (see below).
>>>>>>>>>
>>>>>>>>> Configuring a NAD to Bypass EAPoUDP Communication
>>>>>>>>>
>>>>>>>>> To configure a NAD to bypass EAPoUDP, perform the following steps.
>>>>>>>>> *SUMMARY STEPS*
>>>>>>>>>
>>>>>>>>> *1.* enable
>>>>>>>>> *2.* configure terminal
>>>>>>>>> *3.* ip admission name *admission-name* eapoudp bypass
>>>>>>>>> *4.* eou allow clientless
>>>>>>>>> *5.* interface type *slot* / *port*
>>>>>>>>>
>>>>>>>>> I assume there are some steps which have to be done on the ACS side
>>>>>>>>> as well but I couldn't find any doc about this.
>>>>>>>>> There is a NAC L2 Agentless profile template in the ACS, I have
>>>>>>>>> tried to use that but couldn't make it work.
>>>>>>>>>
>>>>>>>>> Any thoughts?
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>> Oszkar
>>>>>>>>>
>>>>>>>>> On Fri, Apr 27, 2012 at 2:40 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>>> You can configure an identity profile.
>>>>>>>>>>
>>>>>>>>>> With regards
>>>>>>>>>> Kings
>>>>>>>>>>
>>>>>>>>>> On Fri, Apr 27, 2012 at 9:17 AM, Imre Oszkar <[email protected]> wrote:
>>>>>>>>>>> hi,
>>>>>>>>>>>
>>>>>>>>>>> Does anybody know the configuration steps for NAC L2 Agentless
>>>>>>>>>>> support using the EOU bypass feature?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Oszkar
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> For more information regarding industry leading CCIE Lab
>>>>>>>>>>> training, please visit www.ipexpert.com
>>>>>>>>>>>
>>>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>>>>> www.PlatinumPlacement.com
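Added example, not code from the thread: a small Python model of the rule Kings states at the top of the thread (web traffic is a redirect candidate only once the interface ACL or the per-user ACL denies it, and the redirect ACL then selects which of that denied traffic is redirected), run over the ACLs Oszkar posted. It assumes a deliberately reduced ACL matcher (only `any`, `host`, `eq`, first match wins, implicit deny) and, the way the thread's redirect-acl is written, that a matching `deny` in the redirect ACL marks traffic for redirection; real IOS evaluates more than this.

```python
import ipaddress

PORTS = {"www": 80}  # the only service name used in the thread's ACLs
# ACLs copied from the switch config and the ACS downloadable ACL in the thread.
INTERFACE_ACL = ["permit udp any any eq 21862", "deny ip any any log"]
REDIRECT_ACL = ["deny tcp any host 136.1.122.5 eq www"]
USER_ACL = ["10 deny tcp any any eq www",
            "20 deny icmp any host 136.1.122.6",
            "30 permit ip any any"]

def parse_ace(line):
    """Parse an IOS extended ACE of the shape used above (assumed subset:
    'any', 'host X', trailing 'eq PORT'; 'log' and sequence numbers dropped).
    Returns (action, proto, src_net, dst_net, dst_port_or_None)."""
    t = [w for w in line.split() if w != "log"]
    if t[0].isdigit():
        t.pop(0)
    action, proto, rest = t[0], t[1], t[2:]
    def addr():
        if rest.pop(0) == "host":
            return ipaddress.ip_network(rest.pop(0) + "/32")
        return ipaddress.ip_network("0.0.0.0/0")
    src, dst = addr(), addr()
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port

def acl_match(acl, flow):
    """Action of the first ACE matching flow=(proto, src, dst, dport), else None."""
    proto, src, dst, dport = flow
    for action, p, s, d, port in map(parse_ace, acl):
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d and port in (None, dport)):
            return action
    return None

def redirect_decision(flow, intf_acl=INTERFACE_ACL, user_acl=USER_ACL,
                      redirect_acl=REDIRECT_ACL):
    """Kings's rule: web traffic is a redirect candidate only if the interface
    ACL or the per-user ACL denies it; the redirect ACL then selects which of
    it is redirected (assumption: a matching 'deny' there means redirect)."""
    # an ACL with no matching ACE ends in an implicit deny
    verdicts = [acl_match(a, flow) or "deny" for a in (intf_acl, user_acl)]
    if "deny" not in verdicts:
        return "forward"
    if flow[0] == "tcp" and flow[3] == 80 and acl_match(redirect_acl, flow) == "deny":
        return "redirect"
    return "drop"
```

Under this model HTTP from 10.0.0.10 to 136.1.122.5 is the only flow that should be redirected, HTTP to any other host and ICMP to 136.1.122.6 are dropped, and only the EOU port (UDP 21862) is forwarded, which is the behaviour Oszkar expected but did not observe for HTTP.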
