The redirect ACL should permit as follows:

ip access-list extended redirect-acl
 permit tcp any host 1.1.1.1 eq 80

With regards
Kings

On Wed, May 2, 2012 at 2:42 AM, Imre Oszkar <[email protected]> wrote:
> Hi Kings,
>
> Based on your e-mail this is what I understood. Is this correct?
>
> 1. Traffic hitting 1.1.1.1:80 should be redirected to the redirect-url:
>
> ip access-list extended redirect-acl
>  deny tcp any host 1.1.1.1 eq 80
>
> 2. Any TCP/80 traffic will be subject to redirection:
>
> Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa04ce2 (per-user)
>     10 deny tcp any any eq 80
>
> On Tue, May 1, 2012 at 11:33 AM, Kingsley Charles <[email protected]> wrote:
>> Redirect ACLs tell the router/IOS which traffic should be redirected.
>>
>> After NAC authentication, any web traffic that is denied by the interface ACL (NAC L3) or the user ACL (NAC L2) is subject to redirection.
>>
>> You can control which of the denied traffic is redirected using the redirect ACL.
>>
>> With regards
>>
>> On Tue, May 1, 2012 at 11:30 PM, Imre Oszkar <[email protected]> wrote:
>>> Hi Kings,
>>>
>>> It's not working. I think I have tried all the variants and I'm out of ideas, please guide me.
>>>
>>> SW config:
>>>
>>> aaa new-model
>>> aaa authentication login default none
>>> aaa authentication eou default group radius
>>> aaa authorization network default group radius
>>>
>>> interface FastEthernet0/43
>>>  switchport access vlan 129
>>>  switchport mode access
>>>  ip access-group filter in
>>>  spanning-tree portfast
>>>  ip admission NAC2
>>>
>>> ip access-list extended filter          <--- INTERFACE ACL which denies everything but EOU
>>>  permit udp any any eq 21862
>>>  deny ip any any log
>>>
>>> ip access-list extended redirect-acl    <--- REDIRECT ACL where the traffic should be redirected
>>>  deny tcp any host 136.1.122.5 eq www
>>>
>>> radius-server attribute 8 include-in-access-req
>>> radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco
>>> radius-server vsa send authentication
>>>
>>> ---------------
>>>
>>> SW2# sh eou interface fastEthernet 0/43
>>>
>>> ----------------------------------------------------------------------------
>>> Address          Interface            AuthType   Posture-Token   Age(min)
>>> ----------------------------------------------------------------------------
>>> 10.0.0.10        FastEthernet0/43     EAP        Healthy         6
>>>
>>> SW2#sh eou ip 10.0.0.10
>>> Address             : 10.0.0.10
>>> MAC Address         : 00e0.4c03.5787
>>> Interface           : FastEthernet0/43
>>> AuthType            : EAP
>>> Audit Session ID    : 0000000004DA6D26000000000A00000A
>>> PostureToken        : Healthy
>>> Age(min)            : 6
>>> URL Redirect        : http://r5.cisco.com
>>> URL Redirect ACL    : redirect-acl
>>> ACL Name            : xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071
>>> User Name           : XXX:oszkari
>>> Revalidation Period : 36000 Seconds
>>> Status Query Period : 300 Seconds
>>> Current State       : AUTHENTICATED
>>>
>>> SW2#sh access-lists xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071    <---- DOWNLOADABLE ACL
>>> Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4fa02071 (per-user)
>>>     10 deny tcp any any eq www
>>>     20 deny icmp any host 136.1.122.6
>>>     30 permit ip any any
>>>
>>> From the client PC (10.0.0.10) I'm able to access any website, no sign of a redirection attempt (checked with Wireshark).
>>> What is really driving me crazy is that I have explicitly denied HTTP traffic through the interface ACL + downloadable ACL, but I can still browse any page I want, as if the deny statements in the ACL didn't exist... However, ICMP traffic towards 136.1.122.6 is blocked as it should be.
>>>
>>> Please comment!
>>>
>>> Oszkar
>>>
>>> On Sat, Apr 28, 2012 at 7:52 AM, Kingsley Charles <[email protected]> wrote:
>>>> You won't see the re-direct ACL. If you want to see it, either add it along with "HEALTHY" and you remove HEALTHY. Something like http://1.2.3.4.
>>>> Since it is an http URL, it will be shown as a hyperlink which you can click.
>>>>
>>>> One more thing: redirect will happen automatically if the address is being blocked by the ACL on the NAC interface.
>>>>
>>>> The redirect ACL is an ACL which tells for which addresses redirect should happen.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Sat, Apr 28, 2012 at 8:05 PM, Imre Oszkar <[email protected]> wrote:
>>>>> Hi Kings,
>>>>>
>>>>> This is what I have.
>>>>> In the pop-up I have got "HEALTY" but no redirect-url, and when browsing the IP specified in the redirect-acl the redirection does not happen.
>>>>>
>>>>> Any thoughts?
>>>>>
>>>>> SW2#sh run | i http
>>>>> ip http server
>>>>> ip http secure-server
>>>>>
>>>>> SW2#sh eou ip 10.0.0.10
>>>>> Address             : 10.0.0.10
>>>>> MAC Address         : 00e0.4c03.5787
>>>>> Interface           : FastEthernet0/43
>>>>> AuthType            : EAP
>>>>> Audit Session ID    : 000000000BC8503F000000000A00000A
>>>>> PostureToken        : Healthy
>>>>> Age(min)            : 2
>>>>> URL Redirect        : http://r5.cisco.com
>>>>> URL Redirect ACL    : redirect-acl
>>>>> ACL Name            : xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4
>>>>> User Name           : XXX:oszkari
>>>>> Revalidation Period : 36000 Seconds
>>>>> Status Query Period : 300 Seconds
>>>>> Current State       : AUTHENTICATED
>>>>>
>>>>> Extended IP access list redirect-acl
>>>>>     20 deny tcp any host 136.1.122.6 eq www (192 matches)
>>>>> Extended IP access list xACSACLx-IP-NAC_SAMPLE_HEALTHY_ACL-4f9a24e4 (per-user)
>>>>>     10 permit ip any any
>>>>>
>>>>> r5.cisco.com resolves to 136.1.122.5 (which is another IOS box in the network with the http server enabled).
>>>>>
>>>>> Oszkar
>>>>>
>>>>> On Fri, Apr 27, 2012 at 11:02 PM, Kingsley Charles <[email protected]> wrote:
>>>>>> For url-redirect to work, the IP address to which you are browsing should be blocked by the ACL.
>>>>>>
>>>>>> The redirect ACL should be a named ACL, and it has worked for me once, that too on a switch when configured for NAC L2 IP.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Sat, Apr 28, 2012 at 11:16 AM, Imre Oszkar <[email protected]> wrote:
>>>>>>> Hi Kings,
>>>>>>>
>>>>>>> Thanks for the reply! Yes, I was trying it for the lab. So for NAH scenarios the only thing we need to know is the identity profile configured on the NAD?
>>>>>>>
>>>>>>> Did you ever make the URL redirect work with NAC? I have seen an older post of yours about this.
>>>>>>> I'm facing the same issue. I have the redirect URL and redirect-acl downloaded from the ACS. I have the redirect-acl (with a deny statement) defined on the NAD, but I don't get any URL in the popup screen and the http redirect does not happen no matter what I'm trying to access.
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Oszkar
>>>>>>>
>>>>>>> On Fri, Apr 27, 2012 at 9:57 PM, Kingsley Charles <[email protected]> wrote:
>>>>>>>> The following require ACS to be configured:
>>>>>>>>
>>>>>>>> - Configure Username/Password for NAH devices on NAD which is sent to ACS (this has been removed)
>>>>>>>> - Audit Server used to audit the NAD devices
>>>>>>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>>>>>>
>>>>>>>> For your case, you should have an Audit server integrated with the ACS. If you are trying this for the CCIE lab, then your case is certainly out of scope.
>>>>>>>>
>>>>>>>> I have not tried with IP address or MAC address and am not sure if bypass can be done locally within ACS.
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> On Fri, Apr 27, 2012 at 11:24 PM, Imre Oszkar <[email protected]> wrote:
>>>>>>>>> Hi Kings,
>>>>>>>>>
>>>>>>>>> In which one of the four cases do we have to use the NAC Agentless profile template from ACS?
>>>>>>>>>
>>>>>>>>> This is what I'm trying to achieve using the eou bypass:
>>>>>>>>> "NAD sends a request to the Cisco Secure ACS that includes the IP address, MAC address, service type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the access control decision and sends the policy to the NAD"
>>>>>>>>>
>>>>>>>>> Based on the above, my understanding is that if we configure the eou bypass feature the host will not go through a posture assessment; instead the NAD will send a request to ACS for a policy for each connected host. Something similar to the identity profile but centralized on ACS.
>>>>>>>>>
>>>>>>>>> I have NAC L2 configured, which works well for hosts with the trust agent installed.
>>>>>>>>> Once I enable the eou bypass, both types of clients (with CTA or without CTA) fail to download a policy from ACS.
>>>>>>>>>
>>>>>>>>> SW2#
>>>>>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025):Orig. component type = EAPOUDP
>>>>>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): Config NAS IP: 0.0.0.0
>>>>>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE(00000025): acct_session_id: 37
>>>>>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): sending
>>>>>>>>> *Mar 2 09:57:29.949: RADIUS/ENCODE: Best Local IP-Address 10.0.0.2 for Radius-Server 10.0.0.100
>>>>>>>>> *Mar 2 09:57:29.949: RADIUS(00000025): Send Access-Request to 10.0.0.100:1645 id 1645/93, len 213
>>>>>>>>> *Mar 2 09:57:29.949: RADIUS:  authenticator 80 80 5
>>>>>>>>> SW2#A 90 E5 69 08 D1 - 91 82 D5 18 DE AB F3 22
>>>>>>>>> *Mar 2 09:57:29.949: RADIUS:  Service-Type        [6]   6   Call Check   [10]
>>>>>>>>> *Mar 2 09:57:29.949: RADIUS:  Called-Station-Id   [30]  16  "0019.5670.59af"
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:  Calling-Station-Id  [31]  16  "001c.230a.4f38"
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:  Framed-IP-Address   [8]   6   169.254.138.118
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  32
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   26  "aa
>>>>>>>>> SW2#a:service=ip_admission"
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:  Vendor, Cisco       [26]  57
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:   Cisco AVpair       [1]   51  "audit-session-id=000000000749572500000000A9FE8A76"
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Type       [61]  6   Ethernet     [15]
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:  Message-Authenticato[80]  18
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:   02 16 5E BF CF 62 FE C2 1A D6 D4 8E E6 01 3C 39  [ ^b<9]
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Type
>>>>>>>>> SW2#[61]  6   Async        [0]
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port            [5]   6   0
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/43"
>>>>>>>>> *Mar 2 09:57:29.957: RADIUS:  NAS-IP-Address      [4]   6   10.0.0.2
>>>>>>>>> *Mar 2 09:57:29.965: RADIUS: Received from id 1645/93 10.0.0.100:1645, Access-Reject, len 50
>>>>>>>>> *Mar 2 09:57:29.974: RADIUS:  authenticator CC 75 E3 C9 F6 39 A8 D7 - CC 5D CF 91 8D 98 33 DF
>>>>>>>>> *Mar 2 09:57:29.974
>>>>>>>>> SW2#: RADIUS:  Reply-Message       [18]  12
>>>>>>>>> *Mar 2 09:57:29.974: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D  [ Rejected]
>>>>>>>>> *Mar 2 09:57:29.974: RADIUS:  Message-Authenticato[80]  18
>>>>>>>>> *Mar 2 09:57:29.974: RADIUS:   48 3D CB 32 FC 1C A6 D3 7C 25 90 90 31 53 73 A6  [ H=2|?1Ss]
>>>>>>>>> *Mar 2 09:57:29.974: RADIUS(00000025): Received from id 1645/93
>>>>>>>>> *Mar 2 09:57:29.974: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
>>>>>>>>> SW2#
>>>>>>>>> *Mar 2 09:57:35.955: %EOU-6-CTA: IP=169.254.138.118| CiscoTrustAgent=NOT DETECTED
>>>>>>>>>
>>>>>>>>> SW2#sh eou all
>>>>>>>>>
>>>>>>>>> ----------------------------------------------------------------------------
>>>>>>>>> Address          Interface            AuthType   Posture-Token   Age(min)
>>>>>>>>> ----------------------------------------------------------------------------
>>>>>>>>> 169.254.138.118  FastEthernet0/43     UNKNOWN    -------         1
>>>>>>>>>
>>>>>>>>> ACS failed logs: Authen failed 001c.230a.4f38 Default Group 001c.230a.4f38 (Default) External DB user invalid or bad password.
>>>>>>>>>
>>>>>>>>> In case I create user 001c.230a.4f38 with password 001c.230a.4f38, ACS will complain about an invalid password.
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>> Oszkar
>>>>>>>>>
>>>>>>>>> On Fri, Apr 27, 2012 at 9:31 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>>> The following are various methods that we can use for dealing with agentless hosts.
>>>>>>>>>>
>>>>>>>>>> - Static policy based on IP address or MAC configured on NAD
>>>>>>>>>> - Configure Username/Password for NAH devices on NAD which is sent to ACS (this has been removed)
>>>>>>>>>> - Audit Server used to audit the NAD devices
>>>>>>>>>> - MAC bypass (applicable to 802.1x L2 NAC)
>>>>>>>>>>
>>>>>>>>>> ip admission name *admission-name* eapoudp bypass enables us to authenticate the end host by using some of its unique parameters. audit-session-id is the key. An audit server then validates the host.
>>>>>>>>>>
>>>>>>>>>> Snippet from http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_nac/configuration/12-4t/sec-net-adm-cah-sup.html
>>>>>>>>>>
>>>>>>>>>> Agentless Hosts
>>>>>>>>>>
>>>>>>>>>> End devices that do not run CTA cannot provide credentials when challenged by network access devices (NADs). Such hosts are termed "agentless" or "nonresponsive." In the Phase I release of Network Admission Control, agentless hosts were supported by either a static configuration using exception lists (an identity profile) or by using "clientless" username and password authentication on an ACS. These methods are restrictive and do not convey any specific information about the host while making policy decisions.
>>>>>>>>>>
>>>>>>>>>> EAPoUDP Bypass
>>>>>>>>>>
>>>>>>>>>> You can use the EAPoUDP Bypass feature to reduce latency of the validation of hosts that are not using CTA. If EAPoUDP bypass is enabled, the NAD does not contact the host to request the antivirus condition (the NAD does not try to establish an EAPoUDP association with the host if the EAPoUDP Bypass option is configured). Instead, the NAD sends a request to the Cisco Secure ACS that includes the IP address, MAC address, service type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the access control decision and sends the policy to the NAD.
>>>>>>>>>>
>>>>>>>>>> If EAPoUDP bypass is enabled, the NAD sends an agentless host request to the Cisco Secure ACS and applies the access policy from the server to the host.
>>>>>>>>>>
>>>>>>>>>> If EAPoUDP bypass is enabled and the host uses the Cisco Trust Agent, the NAD also sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host.
>>>>>>>>>>
>>>>>>>>>> With regards
>>>>>>>>>> Kings
>>>>>>>>>>
>>>>>>>>>> On Fri, Apr 27, 2012 at 8:56 PM, Imre Oszkar <[email protected]> wrote:
>>>>>>>>>>> Hi Kings,
>>>>>>>>>>>
>>>>>>>>>>> As far as I know the identity profile is locally configured on the NAD and works even if you don't use the eou bypass.
>>>>>>>>>>>
>>>>>>>>>>> For eou bypass the config guide shows the steps only for the NAD side (see below).
>>>>>>>>>>>
>>>>>>>>>>> Configuring a NAD to Bypass EAPoUDP Communication
>>>>>>>>>>>
>>>>>>>>>>> To configure a NAD to bypass EAPoUDP, perform the following steps.
>>>>>>>>>>>
>>>>>>>>>>> *SUMMARY STEPS*
>>>>>>>>>>>
>>>>>>>>>>> *1.* enable
>>>>>>>>>>> *2.* configure terminal
>>>>>>>>>>> *3.* ip admission name *admission-name* eapoudp bypass
>>>>>>>>>>> *4.* eou allow clientless
>>>>>>>>>>> *5.* interface type *slot* / *port*
>>>>>>>>>>>
>>>>>>>>>>> I assume there are some steps which have to be done on the ACS side as well, but I couldn't find any doc about this.
>>>>>>>>>>> There is a NAC L2 Agentless profile template in the ACS; I have tried to use that but couldn't make it work.
>>>>>>>>>>>
>>>>>>>>>>> Any thoughts?
>>>>>>>>>>>
>>>>>>>>>>> Thanks!
>>>>>>>>>>> Oszkar
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Apr 27, 2012 at 2:40 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>>>>>>> You can configure an identity profile.
>>>>>>>>>>>>
>>>>>>>>>>>> With regards
>>>>>>>>>>>> Kings
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Apr 27, 2012 at 9:17 AM, Imre Oszkar <[email protected]> wrote:
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Does anybody know the configuration steps for NAC L2 Agentless support using the EOU bypass feature?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Oszkar
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
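The ACL interplay Kings describes in this thread, as an added example that is not code from the thread or from Cisco: a small Python model that evaluates a flow first against the host's effective ACL and, if the flow is denied HTTP, against the redirect ACL, using the exact ACLs Oszkar posted. Two rules are assumptions drawn from the replies rather than verified IOS behaviour: the downloadable ACL replaces the interface ACL for an authenticated host, and a redirect-ACL *permit* (the form in Kings' final reply) is what selects a denied flow for redirection.

```python
# Added illustration, not code from the thread or from Cisco. Assumed (from the
# replies, not verified IOS behaviour): after NAC authentication the downloadable
# ACL replaces the interface ACL for that host, and a denied HTTP flow is
# redirected only when the redirect ACL *permits* it.
import re
from ipaddress import ip_address, ip_network

# '10 deny tcp any host 136.1.122.5 eq www'; the sequence number is optional and
# trailing keywords such as 'log' are ignored because match() anchors only the start.
ENTRY = re.compile(r"(?:\d+\s+)?(permit|deny)\s+(\w+)\s+(any|host \S+)\s+(any|host \S+)(?:\s+eq\s+(\S+))?")

def to_net(tok):
    return ip_network("0.0.0.0/0" if tok == "any" else tok.split()[1] + "/32")

def parse_acl(text):
    """Parse extended-ACL lines into (action, proto, src_net, dst_net, dport)."""
    acl = []
    for line in text.strip().splitlines():
        act, proto, src, dst, port = ENTRY.match(line.strip()).groups()
        acl.append((act, proto, to_net(src), to_net(dst),
                    None if port is None else 80 if port == "www" else int(port)))
    return acl

def first_match(acl, proto, src, dst, dport=None):
    """Cisco-style first-match evaluation with the implicit deny at the end."""
    for act, eproto, esrc, edst, eport in acl:
        if eproto in ("ip", proto) and ip_address(src) in esrc \
                and ip_address(dst) in edst and eport in (None, dport):
            return act
    return "deny"

def nac_decision(interface_acl, user_acl, redirect_acl, proto, src, dst, dport=None):
    """Fate of one flow from an authenticated host: 'forward', 'redirect' or 'drop'."""
    if first_match(user_acl or interface_acl, proto, src, dst, dport) == "permit":
        return "forward"
    # Only denied web traffic is a redirect candidate; the redirect ACL then
    # selects which of it is actually sent to the redirect URL.
    if (proto, dport) == ("tcp", 80) and \
            first_match(redirect_acl, proto, src, dst, dport) == "permit":
        return "redirect"
    return "drop"

# ACLs quoted in the thread: the interface ACL 'filter', Oszkar's downloadable
# ACL, and the redirect ACL in his deny form and in the permit form Kings gives.
INTERFACE_ACL = parse_acl("permit udp any any eq 21862\ndeny ip any any log")
USER_ACL = parse_acl("10 deny tcp any any eq www\n"
                     "20 deny icmp any host 136.1.122.6\n"
                     "30 permit ip any any")
REDIRECT_DENY = parse_acl("deny tcp any host 136.1.122.5 eq www")
REDIRECT_PERMIT = parse_acl("permit tcp any host 136.1.122.5 eq www")

def demo(redirect_acl, client="10.0.0.10"):
    """HTTP to the portal host, ICMP to 136.1.122.6, and DNS elsewhere, as in the thread."""
    return (nac_decision(INTERFACE_ACL, USER_ACL, redirect_acl, "tcp", client, "136.1.122.5", 80),
            nac_decision(INTERFACE_ACL, USER_ACL, redirect_acl, "icmp", client, "136.1.122.6"),
            nac_decision(INTERFACE_ACL, USER_ACL, redirect_acl, "udp", client, "10.0.0.100", 53))
```

Under these assumptions `demo(REDIRECT_DENY)` drops the HTTP flow outright, while `demo(REDIRECT_PERMIT)` redirects it; ICMP to 136.1.122.6 is dropped and other traffic forwarded in both cases.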
