GroupStudy.com - A virtual community of network engineers
RE: Questions about NAC posted 12/11/2006


Good Job Maxim,



Now, one important part missing from your config is the "identity profile and
policy" part:



! identity profile: static (clientless) exemptions, keyed on the host's IP address
identity profile eapoudp
 device authorize ip address 30.0.0.1 policy christmas
! identity policy: what an exempted host is allowed to do
identity policy christmas
 access-group exempt-acl
! ACL applied per host ahead of the interface ACL; this one opens everything
ip access-list extended exempt-acl
 permit ip any any



This is the whole essence of NAC, my friend: you've got to have a policy to
compare your end device against ... you get it?



Many Thanks

_________________________________________________

Olayemi Salau

Network Analyst

I.T. Solutions Division

Southampton City Council

023 8083 4070 / 077 8811 2036 / 079 5825 7509

olayemi.salau@xxxxxxxxxxxxxxxxxx

_________________________________________________

This e-mail is intended for the addressee only. If you are not the intended
recipient, please be aware that the unauthorised use or disclosure of the
information it contains, or the unauthorised copying or re-transmission of the
e-mail are strictly prohibited. Such action may result in legal proceedings.
If the e-mail has been sent to you in error, please accept our apologies,
advise the sender as soon as possible and then delete the message. Under the
Freedom of Information Act 2000 / Data Protection Act 1998, the contents of
this e-mail, whether it is marked confidential or otherwise, may be disclosed.
No employee, Councillor or agent is authorised to conclude by e-mail any
binding agreement with another party on behalf of Southampton City Council.
The Council does not accept service by e-mail of court proceedings, other
processes or formal notices of any kind without specific prior written
agreement. E-mails to and from Southampton City Council may be monitored in
accordance with the law
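Maxim's question further down the thread was what NAC actually does to permit or deny access and whether it adds lines to the ACL; the message above supplies the identity profile and policy his config lacked, and Olayemi's earlier reply gives the tighter ACL 102 that admits only EAPoUDP before validation. The block below is an added example, not code from this thread or from Cisco: a small Python model of the admission decision for a single ingress packet. Its modelling assumptions are that the per-host entries from an identity policy's access-group (or an ACL downloaded from RADIUS after posture validation) are evaluated ahead of the static interface ACL, that the first match wins, and that a packet matching nothing falls through to the static ACL and its implicit deny. The ACL parser handles only the syntax the thread uses (any source and destination, optional "eq <port>"); the addresses, policy name and ACLs are the ones the two posters showed.

```python
# Added example, not code from the GroupStudy thread or from Cisco. Models an
# IOS interface with "ip access-group <acl> in" plus "ip admission": per-host
# ACL entries (identity policy access-group, or RADIUS-downloaded ACL) are
# assumed to sit ahead of the static interface ACL, first match wins, and an
# unmatched packet falls to the static ACL and its implicit deny.
from dataclasses import dataclass
from typing import Dict, List, Optional

EAPOUDP_PORT = 21862  # UDP port used for EAP over UDP between host and router


@dataclass(frozen=True)
class Packet:
    src: str                   # source IP of the host behind the interface
    proto: str                 # "udp", "tcp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    dport: Optional[int]       # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def parse_acl(text: str) -> List[Ace]:
    """Parse IOS-style ACEs such as 'permit udp any any eq 21862'.

    Accepts the numbered form ('access-list 102 permit ...') and the named
    form, whose 'ip access-list extended <name>' header line is skipped.
    """
    aces: List[Ace] = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] == "ip":          # header line of a named ACL
            continue
        if tok[0] == "access-list":            # drop 'access-list <number>'
            tok = tok[2:]
        action, proto, src, dst = tok[:4]
        if src != "any" or dst != "any":
            raise ValueError("only 'any' source/destination is modelled: " + raw)
        dport = int(tok[5]) if len(tok) > 5 and tok[4] == "eq" else None
        aces.append(Ace(action, proto, dport))
    return aces


class NacInterface:
    """Ingress interface carrying a static ACL and an admission policy."""

    def __init__(self, static_acl: str) -> None:
        self.static = parse_acl(static_acl)
        self.device_authorize: Dict[str, str] = {}   # host IP -> policy name
        self.policies: Dict[str, List[Ace]] = {}     # policy name -> ACEs

    def identity_policy(self, name: str, access_group: str) -> None:
        self.policies[name] = parse_acl(access_group)

    def authorize_device(self, ip: str, policy: str) -> None:
        """'device authorize ip address <ip> policy <policy>' in the profile."""
        self.device_authorize[ip] = policy

    def decide(self, pkt: Packet) -> str:
        """Return 'permit' or 'deny' for one ingress packet."""
        policy = self.device_authorize.get(pkt.src)
        host_entries = self.policies.get(policy, []) if policy else []
        for ace in host_entries + self.static:       # per-host entries first
            if ace.matches(pkt):
                return ace.action
        return "deny"                                # implicit deny


def maxim_gig0_0() -> NacInterface:
    """Maxim's posted Gi0/0: ACL 111 inbound, no identity policy yet."""
    return NacInterface("access-list 111 permit udp any any\n"
                        "access-list 111 deny   ip any any")


def strict_gig0_0() -> NacInterface:
    """Same interface with Olayemi's ACL 102: only EAPoUDP before validation."""
    return NacInterface("access-list 102 permit udp any any eq 21862\n"
                        "access-list 102 deny   ip any any")


def with_christmas_policy() -> NacInterface:
    """Maxim's interface after adding the identity profile and policy."""
    intf = maxim_gig0_0()
    intf.identity_policy("christmas", "ip access-list extended exempt-acl\n"
                                      " permit ip any any")
    intf.authorize_device("30.0.0.1", "christmas")
    return intf


PING = Packet("30.0.0.1", "icmp")                 # the ping Maxim tried
EAP = Packet("30.0.0.1", "udp", EAPOUDP_PORT)     # EAPoUDP from the same host

if __name__ == "__main__":
    for name, intf in [("ACL 111", maxim_gig0_0()), ("ACL 102", strict_gig0_0()),
                       ("ACL 111 + christmas", with_christmas_policy())]:
        print(name, "ping:", intf.decide(PING), "eapoudp:", intf.decide(EAP),
              "dns from 30.0.0.3:", intf.decide(Packet("30.0.0.3", "udp", 53)))
```

Running it shows the three situations side by side: with only ACL 111 the ping from 30.0.0.1 is dropped by the static deny while EAPoUDP still gets through, which is the state Maxim reported; with the christmas policy bound to 30.0.0.1 the per-host permit is hit first and the ping passes, while a second host such as 30.0.0.3 with no policy is still held to the static ACL. Comparing ACL 111 with ACL 102 also shows that "permit udp any any" lets an unvalidated host send any UDP (DNS on port 53, for instance), whereas "eq 21862" confines it to the EAPoUDP exchange. Note that in the model, exactly as with a real "device authorize ip address" entry, the exemption is keyed on nothing but the source address in the packet, so whatever the exempt ACL permits is available to any device that can present that address on the segment.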

  _____

From: Maxim Kurushkin [mailto:m.kurushkin@xxxxxxxxxxxxxxxxx]
Sent: 11 December 2006 12:27
To: Salau,Olayemi
Cc: Cisco certification
Subject: Re: Questions about NAC



OK, I have configured the following config:

aaa new-model
! (I have tried none and local)
aaa authentication eou default none
! clientless credentials used for hosts without a Cisco Trust Agent
eou clientless username cisco
eou clientless password cisco
eou allow clientless
eou logging
username cisco privilege 15 password 0 cisco
! admission rule TEST; ACL 112 selects which traffic is subject to admission
ip admission name TEST eapoudp inactivity-time 60 list 112
! ACL 111 is the static ingress ACL: only UDP before a host is validated
access-list 111 permit udp any any
access-list 111 deny   ip any any
access-list 112 permit ip any any
!
interface GigabitEthernet0/0
 ip address 30.0.0.2 255.255.255.0
 ip access-group 111 in
 ip admission TEST

And I have pinged from PC (IP 30.0.0.1):
C:\>ping 30.0.0.2
Pinging 30.0.0.2 with 32 bytes of data:
Reply from 30.0.0.2: Destination net unreachable.
Reply from 30.0.0.2: Destination net unreachable.
Reply from 30.0.0.2: Destination net unreachable.
Reply from 30.0.0.2: Destination net unreachable.

WBR,
Maxim


Salau,Olayemi wrote:

Now, let me try to answer your specific questions;



> Good day, Group.
> Sorry, I have 2 stupid questions:
> How can I configure NAC without the radius server?

By specifying an aaa configuration:

Rack1R6(config)#aaa authentication eou default local
Rack1R6(config)#username (username) password (password)

OR simply use:

Rack1R6(config)#aaa authentication eou default local none

This should allow aaa authentication if you don't set up a username and password
(but then, is this what you want?)

> I have tried with
> identity profile eapoudp
>  device authorize ip-address x.x.x.x
> but it's not working...
> And question 2 is: what ACL must I configure on the interface - permit any
> any or permit only udp? What is NAC doing to permit or deny access? Is
> NAC adding new lines to the ACL?

You'll need to allow only EAPoUDP traffic (without validation) so as to
exchange the EAP protocol traffic between the PCs and the router, which transits
through the UDP port; then block any other traffic until they are validated:

Rack1R6(config)#access-list 102 permit udp any any eq 21862
Rack1R6(config)#access-list 102 deny   ip any any





> Has somebody configured NAC ? :-)

Of course YES! Welcome to the NAC Freaks Hotspot!

Also, for your setup, don't forget to configure the clientless username and
password if you don't install CTA:

Rack1R6(config)#eou clientless username (username)
Rack1R6(config)#eou clientless password (password)

> WBR,
> Maxim



Many Thanks

Olayemi Salau



The CTA basically resides on these PCs and sends information about antivirus,
patches, OS fixes etc. (the main essence of NAC) to the Cisco Network Access
Device (in your case the router).

Check out the Pre-requisite aspect of the page:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm#wp1043332

You'll see that a CTA is listed as required to be installed on the PC. From
my understanding, CTA is a free download on the Cisco website (you might need a
CCO account though).



Let me know how you get on



Many Thanks

Olayemi Salau



-----Original Message-----
From: Maxim Kurushkin [mailto:m.kurushkin@xxxxxxxxxxxxxxxxx]
Sent: 11 December 2006 11:09
To: Salau,Olayemi
Subject: Re: Questions about NAC



Hello

I mean Network Admission Control.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/h_nac.htm

I am preparing for the RS lab. I understand what NAC is for, but I don't
understand how it works...

To prepare, I have tried configuring NAC on a router. But I have no
RADIUS, Cisco Trust Agents etc...

I have configured something like this:



PC0 <->  (gig0/0)ROUTER(gig0/1) <-> switch <-> PC1 , PC2



I have tried to ping from PC1 and PC2 to PC0. But it does not work (ACL on
gig0/1 in with permit only udp - I configured it as in the guide).

Then I tried to allow PC1 to ping PC0. For a static permit (because I
haven't got RADIUS and CTA) I have written on the router:

identity profile eapoudp
 device authorize ip-address x.x.x.x (PC1 IP)

and it does not ping either...



WBR,

Maxim



Salau,Olayemi wrote:

> Hello Maxim,

>

> I was wondering if you mean a Network Admission Control Appliance; if
> yes, are you talking about a NAC Server or a NAC Manager configuration?

>

> Sorry about my silly questions too, but would like to know about your

> design around this NAC.

>

> Many Thanks

> Olayemi Salau


> -----Original Message-----

> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of

> Maxim Kurushkin

> Sent: 10 December 2006 17:22

> Cc: ccielab@xxxxxxxxxxxxxx

> Subject: Questions about NAC

>

> Good day, Group.
> Sorry, I have 2 stupid questions:
> How can I configure NAC without the radius server?
> I have tried with
> identity profile eapoudp
>  device authorize ip-address x.x.x.x
> but it's not working...
> And question 2 is: what ACL must I configure on the interface - permit any
> any or permit only udp? What is NAC doing to permit or deny access? Is
> NAC adding new lines to the ACL?
> Has somebody configured NAC ? :-)
>
> WBR,
> Maxim

>

> _______________________________________________________________________

> Subscription information may be found at:

> http://www.groupstudy.com/list/CCIELab.html