Hi Kings,

Based on your e-mail, this is what I understood. Is this correct?

1. Traffic hitting 1.1.1.1:80 should be redirected to the redirect-url:

ip access-list extended redirect-acl
 deny tcp any host 1.1.1.1 eq 80


2. Any TCP/80 traffic will be subject to redirection:

Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa04ce2 (per-user)
    10 deny tcp any any eq 80


On Tue, May 1, 2012 at 11:33 AM, Kingsley Charles <[email protected]> wrote:

> Redirect ACLs tell the router/IOS which traffic should be redirected.
>
> After NAC authentication, any web traffic that is denied by the
> interface ACL (NAC L3) or user ACL (NAC L2) is subjected to
> redirection.
>
> You can control which of the denied traffic is redirected using the
> redirect ACL.
>
>
>
> With regards
>
>
> On Tue, May 1, 2012 at 11:30 PM, Imre Oszkar <[email protected]> wrote:
>
>> Hi Kings,
>>
>>
>> It's not working. I think I have tried all the variants and I'm out of
>> ideas. Please guide me.
>>
>> SW config:
>>
>> aaa new-model
>> aaa authentication login default none
>> aaa authentication eou default group radius
>> aaa authorization network default group radius
>>
>>
>> interface FastEthernet0/43
>>  switchport access vlan 129
>>  switchport mode access
>>  ip access-group filter in
>>  spanning-tree portfast
>>  ip admission NAC2
>>
>> ip access-list extended filter           <---INTERFACE ACL which denies
>> everything but EOU
>>  permit udp any any eq 21862
>>  deny   ip any any log
>>
>> ip access-list extended redirect-acl    <--- REDIRECT ACL where the
>> traffic should be redirected
>>  deny   tcp any host 136.1.122.5 eq www
>>
>>
>>
>> radius-server attribute 8 include-in-access-req
>> radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
>> radius-server vsa send authentication
>>
>>
>> ---------------
>>
>> SW2# sh eou interface fastEthernet 0/43
>>
>>
>> ----------------------------------------------------------------------------
>> Address         Interface                 AuthType   Posture-Token
>> Age(min)
>>
>> ----------------------------------------------------------------------------
>> 10.0.0.10       FastEthernet0/43          EAP        Healthy         6
>>
>>
>>
>> SW2#sh eou ip 10.0.0.10
>> Address             : 10.0.0.10
>> MAC Address         : 00e0.4c03.5787
>> Interface           : FastEthernet0/43
>> AuthType            : EAP
>> Audit Session ID    : 0000000004DA6D26000000000A00000A
>> PostureToken        : Healthy
>> Age(min)            : 6
>>
>> URL Redirect        : http://r5.cisco.com
>> URL Redirect ACL    : redirect-acl
>> ACL Name            : xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071
>>
>> User Name           : XXX:oszkari
>> Revalidation Period : 36000 Seconds
>> Status Query Period : 300 Seconds
>> Current State       : AUTHENTICATED
>>
>> SW2#sh access-lists
>> xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071
>> <----DOWNLOADABLE ACL
>> Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071 (per-user)
>>     10 deny tcp any any eq www
>>     20 deny icmp any host 136.1.122.6
>>     30 permit ip any any
>>
>>
>> From the client PC (10.0.0.10) I'm able to access any website, no sign
>> of a redirection attempt (checked with Wireshark).
>> What is really driving me crazy is that I have explicitly denied HTTP
>> traffic through the interface ACL + downloadable ACL, but I can still browse
>> any page I want, as if the deny statements in the ACL didn't exist... However,
>> ICMP traffic towards 136.1.122.6 is blocked as it should be.
>>
>>  Please comment!
>>
>> Oszkar
>>
>>
>>
>>
>>
>> On Sat, Apr 28, 2012 at 7:52 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> You won't see the redirect ACL. If you want to see it, either add it along
>>> with "HEALTHY" or remove HEALTHY. Something like http://1.2.3.4.
>>> Since it is an HTTP URL, it will be shown as a hyperlink which you can click.
>>>
>>> One more thing: the redirect will happen automatically if the address is
>>> being blocked by the ACL on the NAC interface.
>>>
>>> The redirect ACL is an ACL which tells for which addresses the redirect
>>> should happen.
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Sat, Apr 28, 2012 at 8:05 PM, Imre Oszkar <[email protected]> wrote:
>>>
>>>> Hi Kings,
>>>>
>>>> This is what I have..
>>>> In the pop-up I have got "HEALTHY" but no redirect-url, and when
>>>> browsing the IP specified in the redirect-acl the redirection does not
>>>> happen.
>>>>
>>>> Any thoughts?
>>>>
>>>>
>>>> SW2#sh run | i http
>>>> ip http server
>>>> ip http secure-server
>>>>
>>>> SW2#sh eou ip 10.0.0.10
>>>> Address             : 10.0.0.10
>>>> MAC Address         : 00e0.4c03.5787
>>>> Interface           : FastEthernet0/43
>>>> AuthType            : EAP
>>>> Audit Session ID    : 000000000BC8503F000000000A00000A
>>>> PostureToken        : Healthy
>>>> Age(min)            : 2
>>>> URL Redirect        : http://r5.cisco.com
>>>> URL Redirect ACL    : redirect-acl
>>>> ACL Name            : xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4
>>>> User Name           : XXX:oszkari
>>>> Revalidation Period : 36000 Seconds
>>>> Status Query Period : 300 Seconds
>>>> Current State       : AUTHENTICATED
>>>>
>>>>
>>>>
>>>> Extended IP access list redirect-acl
>>>>     20 deny tcp any host 136.1.122.6 eq www (192 matches)
>>>> Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4 (per-user)
>>>>     10 permit ip any any
>>>>
>>>> r5.cisco.com resolves to 136.1.122.5 (which is another IOS box in the
>>>> network with http server enabled)
>>>>
>>>> Oszkar
>>>>
>>>>
>>>>
>>>> On Fri, Apr 27, 2012 at 11:02 PM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> For URL redirect to work, the IP address to which you are browsing
>>>>> should be blocked by the ACL.
>>>>>
>>>>> The redirect ACL should be a named ACL; it has worked for me once, and
>>>>> that was on a switch configured for NAC L2 IP.
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>>
>>>>> On Sat, Apr 28, 2012 at 11:16 AM, Imre Oszkar <[email protected]> wrote:
>>>>>
>>>>>> Hi Kings,
>>>>>>
>>>>>> Thanks for the reply! Yes, I was trying it for the lab. So for NAH
>>>>>> scenarios the only thing we need to know is the identity profile
>>>>>> configured on the NAD?
>>>>>>
>>>>>> Did you ever make the URL redirect work with NAC? I have seen an
>>>>>> older post of yours about this.
>>>>>> I'm facing the same issue. I have the redirect url and redirect-acl
>>>>>> downloaded from the ACS. I have the redirect-acl (with deny statement)
>>>>>> defined on the NAD, but I don't get any URL in the popup screen and the
>>>>>> HTTP redirect does not happen no matter what I'm trying to access.
>>>>>>
>>>>>> Thanks!
>>>>>> Oszkar
>>>>>>
>>>>>>
>>>>>> On Fri, Apr 27, 2012 at 9:57 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>
>>>>>>> The following requires ACS to be configured:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>    - Configure Username/Password for NAH devices on NAD which is
>>>>>>>    sent to ACS (this has been removed)
>>>>>>>    - Audit Server used to audit the NAD devices
>>>>>>>    - MAC bypass (applicable to 802.1x L2 NAC)
>>>>>>>
>>>>>>>
>>>>>>> For your case, you should have an Audit server integrated with the
>>>>>>> ACS. If you are trying this for the CCIE lab, then your case is
>>>>>>> certainly out of scope.
>>>>>>>
>>>>>>> I have not tried with an IP address or MAC address and am not sure if
>>>>>>> bypass can be done locally within ACS.
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Apr 27, 2012 at 11:24 PM, Imre Oszkar <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Kings,
>>>>>>>>
>>>>>>>> In which one of the four cases do we have to use the NAC Agentless
>>>>>>>> profile template from ACS?
>>>>>>>>
>>>>>>>>
>>>>>>>> This is what I'm trying to achieve using the eou bypass:
>>>>>>>> "NAD sends a request to the Cisco Secure ACS that includes the IP
>>>>>>>> address, MAC address, service type, and EAPoUDP session ID of the
>>>>>>>> host. The Cisco Secure ACS makes the access control decision and
>>>>>>>> sends the policy to the NAD"
>>>>>>>>
>>>>>>>> Based on the above, my understanding is that if we configure the
>>>>>>>> eou bypass feature the host will not go through a posture assessment;
>>>>>>>> instead the NAD will send a request to ACS for a policy for each
>>>>>>>> connected host. Something similar to the identity profile but
>>>>>>>> centralized on ACS.
>>>>>>>>
>>>>>>>>
>>>>>>>> I have NAC L2 configured, which works well for hosts with the Trust
>>>>>>>> Agent installed.
>>>>>>>> Once I enable the eou bypass, both types of clients (with CTA or
>>>>>>>> without CTA) fail to download a policy from ACS.
>>>>>>>>
>>>>>>>> SW2#
>>>>>>>> *Mar  2 09:57:29.949: RADIUS/ENCODE(00000025):Orig. component type
>>>>>>>> = EAPOUDP
>>>>>>>> *Mar  2 09:57:29.949: RADIUS(00000025): Config NAS IP: 0.0.0.0
>>>>>>>> *Mar  2 09:57:29.949: RADIUS/ENCODE(00000025): acct_session_id: 37
>>>>>>>> *Mar  2 09:57:29.949: RADIUS(00000025): sending
>>>>>>>> *Mar  2 09:57:29.949: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2
>>>>>>>> for Radius-Server 10.0.0.100
>>>>>>>> *Mar  2 09:57:29.949: RADIUS(00000025): Send Access-Request to
>>>>>>>> 10.0.0.100:1645 id 1645/93, len 213
>>>>>>>> *Mar  2 09:57:29.949: RADIUS:  authenticator 80 80 5
>>>>>>>> SW2#A 90 E5 69 08 D1 - 91 82 D5 18 DE AB F3 22
>>>>>>>> *Mar  2 09:57:29.949: RADIUS:  Service-Type        [6]   6   Call
>>>>>>>> Check                [10]
>>>>>>>> *Mar  2 09:57:29.949: RADIUS:  Called-Station-Id   [30]  16
>>>>>>>>  "0019.5670.59af"
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:  Calling-Station-Id  [31]  16
>>>>>>>>  "001c.230a.4f38"
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:  Framed-IP-Address   [8]   6
>>>>>>>> 169.254.138.118
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  32
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   26  "aa
>>>>>>>> SW2#a:service=ip_admission"
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  57
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   51
>>>>>>>>  "audit-session-id=000000000749572500000000A9FE8A76"
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:  NAS-Port-Type       [61]  6
>>>>>>>> Ethernet                  [15]
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:  Message-Authenticato[80]  18
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:   02 16 5E BF CF 62 FE C2 1A D6 D4 8E
>>>>>>>> E6 01 3C 39              [ ^b<9]
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:  NAS-Port-Type
>>>>>>>> SW2#[61]  6   Async                     [0]
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:  NAS-Port            [5]   6   0
>>>>>>>>
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:  NAS-Port-Id         [87]  18
>>>>>>>>  "FastEthernet0/43"
>>>>>>>> *Mar  2 09:57:29.957: RADIUS:  NAS-IP-Address      [4]   6
>>>>>>>> 10.0.0.2
>>>>>>>> *Mar  2 09:57:29.965: RADIUS: Received from id 1645/93
>>>>>>>> 10.0.0.100:1645, Access-Reject, len 50
>>>>>>>> *Mar  2 09:57:29.974: RADIUS:  authenticator CC 75 E3 C9 F6 39 A8
>>>>>>>> D7 - CC 5D CF 91 8D 98 33 DF
>>>>>>>> *Mar  2 09:57:29.974
>>>>>>>> SW2#: RADIUS:  Reply-Message       [18]  12
>>>>>>>> *Mar  2 09:57:29.974: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D
>>>>>>>>    [ Rejected]
>>>>>>>> *Mar  2 09:57:29.974: RADIUS:  Message-Authenticato[80]  18
>>>>>>>> *Mar  2 09:57:29.974: RADIUS:   48 3D CB 32 FC 1C A6 D3 7C 25 90 90
>>>>>>>> 31 53 73 A6          [ H=2|?1Ss]
>>>>>>>> *Mar  2 09:57:29.974: RADIUS(00000025): Received from id 1645/93
>>>>>>>> *Mar  2 09:57:29.974: RADIUS/DECODE: Reply-Message fragments, 10,
>>>>>>>> total 10 bytes
>>>>>>>> SW2#
>>>>>>>> *Mar  2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118|
>>>>>>>> CiscoTrustAgent=NOT DETECTED
>>>>>>>>
>>>>>>>>
>>>>>>>> SW2#sh eou all
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------------------
>>>>>>>> Address         Interface                 AuthType   Posture-Token
>>>>>>>> Age(min)
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------------------
>>>>>>>> 169.254.138.118 FastEthernet0/43          UNKNOWN    -------
>>>>>>>>   1
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ACS failed logs: Authen failed 001c.230a.4f38 Default Group
>>>>>>>> 001c.230a.4f38 (Default) External DB user invalid or bad password.
>>>>>>>>
>>>>>>>> In case I create user 001c.230a.4f38 with password 001c.230a.4f38,
>>>>>>>> ACS will complain about an invalid password.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Oszkar
>>>>>>>>
>>>>>>>> On Fri, Apr 27, 2012 at 9:31 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> The following are various methods that we can use for dealing with
>>>>>>>>> Agentless hosts.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    - Static policy based on IP address or MAC configured on NAD
>>>>>>>>>    - Configure Username/Password for NAH devices on NAD which is
>>>>>>>>>    sent to ACS (this has been removed)
>>>>>>>>>    - Audit Server used to audit the NAD devices
>>>>>>>>>    - MAC bypass (applicable to 802.1x L2 NAC)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ip admission name *admission-name* eapoudp bypass enables us to
>>>>>>>>> authenticate the end host by using some of its unique parameters.
>>>>>>>>> audit-session-id is the key. An audit server then validates the
>>>>>>>>> host.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Snippet from
>>>>>>>>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_nac/configuration/12-4t/sec-net-adm-cah-sup.html
>>>>>>>>>
>>>>>>>>> Agentless Hosts
>>>>>>>>>
>>>>>>>>> End devices that do not run CTA cannot provide credentials when
>>>>>>>>> challenged by network access devices (NADs). Such hosts are termed
>>>>>>>>> "agentless" or "nonresponsive." In the Phase I release of Network
>>>>>>>>> Admission Control, agentless hosts were supported by either a static
>>>>>>>>> configuration using exception lists (an identity profile) or by using
>>>>>>>>> "clientless" username and password authentication on an ACS. These
>>>>>>>>> methods are restrictive and do not convey any specific information
>>>>>>>>> about the host while making policy decisions.
>>>>>>>>>
>>>>>>>>> EAPoUDP Bypass
>>>>>>>>>
>>>>>>>>> You can use the EAPoUDP Bypass feature to reduce latency of the
>>>>>>>>> validation of hosts that are not using CTA. If EAPoUDP bypass is
>>>>>>>>> enabled, the NAD does not contact the host to request the antivirus
>>>>>>>>> condition (the NAD does not try to establish an EAPoUDP association
>>>>>>>>> with the host if the EAPoUDP Bypass option is configured). Instead,
>>>>>>>>> the NAD sends a request to the Cisco Secure ACS that includes the IP
>>>>>>>>> address, MAC address, service type, and EAPoUDP session ID of the
>>>>>>>>> host. The Cisco Secure ACS makes the access control decision and
>>>>>>>>> sends the policy to the NAD.
>>>>>>>>>
>>>>>>>>> If EAPoUDP bypass is enabled, the NAD sends an agentless host
>>>>>>>>> request to the Cisco Secure ACS and applies the access policy from the
>>>>>>>>> server to the host.
>>>>>>>>>
>>>>>>>>> If EAPoUDP bypass is enabled and the host uses the Cisco Trust
>>>>>>>>> Agent, the NAD also sends a nonresponsive-host request to the Cisco
>>>>>>>>> Secure ACS and applies the access policy from the server to the host.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> With regards
>>>>>>>>> Kings
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Apr 27, 2012 at 8:56 PM, Imre Oszkar <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Kings,
>>>>>>>>>>
>>>>>>>>>> As far as I know the identity profile is locally configured on the
>>>>>>>>>> NAD and works even if you don't use the eou bypass.
>>>>>>>>>>
>>>>>>>>>> For eou bypass the config guide shows the steps only for the NAD
>>>>>>>>>> side (see below).
>>>>>>>>>>
>>>>>>>>>> Configuring a NAD to Bypass EAPoUDP Communication
>>>>>>>>>>
>>>>>>>>>> To configure a NAD to bypass EAPoUDP, perform the following steps.
>>>>>>>>>> *SUMMARY STEPS*
>>>>>>>>>>
>>>>>>>>>> *1.*    enable
>>>>>>>>>>
>>>>>>>>>> *2.*    configure terminal
>>>>>>>>>>
>>>>>>>>>> *3.*    ip admission name *admission-name* eapoudp bypass
>>>>>>>>>>
>>>>>>>>>> *4.*    eou allow clientless
>>>>>>>>>>
>>>>>>>>>> *5.*    interface type *slot* / *port*
>>>>>>>>>>
>>>>>>>>>> I assume there are some steps which have to be done on the ACS
>>>>>>>>>> side as well, but I couldn't find any doc about this.
>>>>>>>>>> There is a NAC L2 Agentless profile template in the ACS; I have
>>>>>>>>>> tried to use that but couldn't make it work.
>>>>>>>>>>
>>>>>>>>>> Any thoughts?
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>> Oszkar
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Fri, Apr 27, 2012 at 2:40 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> You can configure an identity profile.
>>>>>>>>>>>
>>>>>>>>>>> With regards
>>>>>>>>>>> Kings
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Apr 27, 2012 at 9:17 AM, Imre Oszkar <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> Does anybody know the configuration steps for NAC L2 Agentless
>>>>>>>>>>>> support using the EOU bypass feature?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Oszkar
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> For more information regarding industry leading CCIE Lab
>>>>>>>>>>>> training, please visit www.ipexpert.com
>>>>>>>>>>>>
>>>>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>>>>>> www.PlatinumPlacement.com
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
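A small model of the redirect logic Kings describes in the thread (denied web traffic from an authenticated NAC host is redirected only when the redirect ACL also selects it), run over the ACLs Oszkar posted, so the expected outcome for a given flow can be checked before reaching for Wireshark. This is an added example, not code from the thread, from Cisco or from IPexpert; the decision model is an assumption drawn from Kings' explanation rather than a statement of IOS internals, and the flows and ACL copies it uses are constructed.

```python
"""NAC L2 IP redirect decision as Kings describes it (added example, not code
from the thread, Cisco or IPexpert).  Assumed model, not IOS internals: the
per-user ACL pushed by ACS is evaluated for the authenticated host; traffic it
denies is dropped, unless it is TCP/80 selected by a redirect-ACL deny line."""
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80}  # the only named port used in the thread


def _addr(tok):
    """Consume 'any' or 'host X' from the remaining ACE tokens."""
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError(f"unsupported address form: {tok}")


def parse_ace(line):
    """'10 deny tcp any host 136.1.122.5 eq www' -> (action, proto, src, dst, dport)."""
    tok = line.split()
    if tok[0].isdigit():  # drop the sequence number 'show access-lists' prints
        tok = tok[1:]
    action, proto = tok[0], tok[1]
    src, rest = _addr(tok[2:])
    dst, rest = _addr(rest)
    dport = PORT_NAMES.get(rest[1]) or int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport  # a trailing 'log' keyword is ignored


def acl_action(acl, proto, src, dst, dport=None, default="deny"):
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for action, aproto, snet, dnet, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if ip_address(src) not in snet or ip_address(dst) not in dnet:
            continue
        if aport is None or aport == dport:
            return action
    return default


def nac_decision(user_acl, redirect_acl, proto, src, dst, dport=None):
    """'forward', 'drop' or 'redirect' for one flow from an authenticated host."""
    if acl_action(user_acl, proto, src, dst, dport) == "permit":
        return "forward"
    if proto == "tcp" and dport == 80 and acl_action(
            redirect_acl, proto, src, dst, dport, default="permit") == "deny":
        return "redirect"
    return "drop"


# Constructed copies of the ACLs in Oszkar's 'show access-lists' output.
HEALTHY_DACL = [parse_ace(l) for l in """10 deny tcp any any eq www
20 deny icmp any host 136.1.122.6
30 permit ip any any""".splitlines()]
REDIRECT_ACL = [parse_ace("deny tcp any host 136.1.122.5 eq www")]
```

With these ACLs the model yields "redirect" for 10.0.0.10 browsing 136.1.122.5:80, "drop" for HTTP to any other host, "drop" for ICMP to 136.1.122.6 and "forward" for the EOU port, which is the behaviour Oszkar expected and did not observe for HTTP.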