Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual page 696

Software configuration guide
Chapter 41 Configuring Network Admission Control
OL-11439-03

Understanding NAC

the policy attributes to the switch. The switch updates the EAPoUDP session table and enforces the access limitations, which provides segmentation and quarantine of poorly postured clients or denies them network access.

There are two types of policies that apply to ports during posture validation:

• Host Policy—The Host policy consists of an ACL that enforces the access limitations as determined by the outcome of posture validation.

• URL Redirect Policy—The URL Redirect policy provides a method to redirect all HTTP or HTTPS traffic to a remediation server that allows a noncompliant host to perform the necessary upgrade actions to become compliant. The URL-Redirect Policy consists of the following:

– A URL that points to the remediation server.

– An ACL on the switch that causes all HTTP or HTTPS packets from the host other than those destined to the remediation server address to be captured and redirected to the switch software for the necessary HTTP redirection.

The operation of the URL-Redirect deny ACEs (typically used to bypass the redirection of HTTP traffic destined to remediation servers) is that traffic matching these ACEs is forwarded in hardware without applying the default interface policy or the downloaded host policy. If this traffic (that is, the traffic that matches the deny URL-Redirect ACEs) needs to be filtered, you must define a VLAN ACL on the switch port access VLAN.

The ACL name for the host policy, the redirect URL, and the URL redirect ACL are conveyed using RADIUS Attribute-Value objects.

Note: If a DHCP snooping binding entry for a client is deleted, the switch removes the client entry from the session table, and the client is no longer authenticated.

Cisco Secure ACS and AV Pairs

When NAC Layer 2 IP validation is enabled, Cisco Secure ACS provides NAC AAA services by using RADIUS. Cisco Secure ACS gets information about the antivirus status of the endpoint system and validates the antivirus condition of the endpoint.

You can set these Attribute-Value (AV) pairs on the Cisco Secure ACS by using the RADIUS cisco-av-pair vendor-specific attributes (VSAs):

• CiscoSecure-Defined-ACL—Specifies the names of the downloadable ACLs on the Cisco Secure ACS. The switch gets the ACL name through the CiscoSecure-Defined-ACL AV pair in this format:

#ACL#-IP-name-number

name is the ACL name and number is the version number, such as 3f783768.

The Auth-Proxy posture code checks whether the access control entries (ACEs) of the specified downloadable ACL were previously downloaded. If they were not, the Auth-Proxy posture code sends an AAA request with the downloadable ACL name as the username so that the ACEs are downloaded. The downloadable ACL is then created as a named ACL on the switch. This ACL has ACEs with a source address of any and does not have an implicit deny statement at the end. When the downloadable ACL is applied to an interface after posture validation is complete, the source address is changed from any to the host source IP address. The ACEs are prepended to the downloadable ACL applied to the switch interface to which the endpoint device is connected. If traffic matches the CiscoSecure-Defined-ACL ACEs, the appropriate NAC actions are taken.

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
41-6
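The following Python model is an added illustration and is not code from the Cisco guide or from Cisco IOS. It models two behaviours the chapter describes: the URL-Redirect ACL (permit ACEs capture HTTP/HTTPS for software redirection, deny ACEs cause hardware forwarding that bypasses the host policy), and the downloadable ACL whose "any" source is rewritten to the validated host address before it is prepended to the interface ACL without an implicit deny. It also parses the documented "#ACL#-IP-name-number" value. All addresses, ACL names, the regular expression, and the ACE representation are constructed for this example; the version number 3f783768 is the one quoted in the guide.

```python
import re
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Format of the CiscoSecure-Defined-ACL value as the guide describes it:
# "#ACL#-IP-name-number"; the regex itself is this example's assumption.
DACL_NAME_RE = re.compile(r"^#ACL#-IP-(?P<name>.+)-(?P<version>[0-9A-Fa-f]+)$")


def parse_dacl_name(av_value: str) -> Tuple[str, str]:
    """Return (acl_name, version) from a CiscoSecure-Defined-ACL value;
    raise ValueError when the value does not follow the documented format."""
    match = DACL_NAME_RE.match(av_value.strip())
    if match is None:
        raise ValueError(f"not a #ACL#-IP-name-number value: {av_value!r}")
    return match.group("name"), match.group("version")


@dataclass(frozen=True)
class Ace:
    """One access control entry; src and dst are 'any' or a CIDR string."""
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol, else "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_in(field: str, addr: str) -> bool:
    return field == "any" or ip_address(addr) in ip_network(field, strict=False)


def _ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not (_addr_in(ace.src, src) and _addr_in(ace.dst, dst)):
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; returns (action, index).
    No match returns ("deny", None), the implicit deny of a named ACL."""
    for index, ace in enumerate(acl):
        if _ace_matches(ace, proto, src, dst, dport):
            return ace.action, index
    return "deny", None


def apply_dacl(downloaded: List[Ace], host_ip: str, interface_acl: List[Ace]) -> List[Ace]:
    """Model the application step: each downloaded ACE whose source is 'any'
    is bound to the validated host's address, then the entries are prepended
    to the interface ACL. The downloaded ACEs carry no implicit deny, so
    traffic they do not match falls through to the interface policy."""
    bound = [replace(a, src=f"{host_ip}/32") if a.src == "any" else a
             for a in downloaded]
    return bound + list(interface_acl)


def classify_redirect(redirect_acl: List[Ace], proto: str, src: str, dst: str,
                      dport: Optional[int] = None) -> str:
    """URL-Redirect ACL semantics: a permit ACE captures the packet for
    HTTP redirection in switch software; a deny ACE (typically the
    remediation server) means hardware forwarding that bypasses both the
    interface policy and the host policy, so a VLAN ACL is the only filter."""
    action, index = evaluate(redirect_acl, proto, src, dst, dport)
    if index is None:
        return "not-captured"          # the redirect ACL does not address it
    if action == "permit":
        return "redirect-to-switch-software"
    return "hardware-forwarded-bypasses-host-policy-use-vacl"


# Constructed sample data; every address and name here is made up.
REMEDIATION = "10.10.10.50/32"
REDIRECT_ACL = [
    Ace("deny", "tcp", "any", REMEDIATION, 80),   # reach remediation directly
    Ace("permit", "tcp", "any", "any", 80),       # capture all other HTTP
    Ace("permit", "tcp", "any", "any", 443),      # capture all other HTTPS
]
DOWNLOADED_ACL = [                                # as received: source "any"
    Ace("permit", "tcp", "any", REMEDIATION, 80),
    Ace("permit", "udp", "any", "any", 53),
]
INTERFACE_ACL = [
    Ace("permit", "udp", "any", "any", 67),       # DHCP
    Ace("deny", "ip", "any", "any"),              # interface policy's own deny
]

if __name__ == "__main__":
    print(parse_dacl_name("#ACL#-IP-NAC-QUARANTINE-3f783768"))
    bound = apply_dacl(DOWNLOADED_ACL, "10.1.1.5", INTERFACE_ACL)
    print(evaluate(bound, "tcp", "10.1.1.5", "10.10.10.50", 80))
    print(evaluate(bound, "tcp", "10.1.1.5", "192.0.2.10", 443))
    print(classify_redirect(REDIRECT_ACL, "tcp", "10.1.1.5", "10.10.10.50", 80))
```

Running the module shows the two points a practitioner cares about: a host's dACL entries only ever match that host's own address once bound, and traffic to the remediation server that hits the redirect ACL's deny ACE is neither redirected nor filtered by the host policy, which is why the guide tells you to add a VLAN ACL if that traffic must be filtered.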