Cisco 7604 Configuration Manual page 791

IOS Software Configuration Guide
Chapter 45
Configuring Network Admission Control
Cisco Secure ACS and AV Pairs
When NAC Layer 2 IP validation is enabled, the Cisco Secure ACS provides NAC AAA services by using RADIUS. Cisco Secure ACS gets information about the antivirus status of the endpoint system and validates the antivirus condition of the endpoint.

You can set these Attribute-Value (AV) pairs on the Cisco Secure ACS by using the RADIUS cisco-av-pair vendor-specific attributes (VSAs):

CiscoSecure-Defined-ACL—Specifies the names of the downloadable ACLs on the Cisco Secure ACS. The switch gets the ACL name through the CiscoSecure-Defined-ACL AV pair in this format:
    #ACL#-IP-name-number
name is the ACL name and number is the version number, such as 3f783768.
The Auth-Proxy posture code checks whether the access control entries (ACEs) of the specified downloadable ACL were previously downloaded. If they were not, the Auth-Proxy posture code sends an AAA request with the downloadable ACL name as the username so that the ACEs are downloaded. The downloadable ACL is then created as a named ACL on the switch. This ACL has ACEs with a source address of any and does not have an implicit deny statement at the end. When the downloadable ACL is applied to an interface after posture validation is complete, the source address is changed from any to the host source IP address. The ACEs are prepended to the downloadable ACL applied to the switch interface to which the endpoint device is connected. If traffic matches the CiscoSecure-Defined-ACL ACEs, the appropriate NAC actions are taken.

url-redirect and url-redirect-acl—Specifies the local URL policy on the switch. The switches use these cisco-av-pair VSAs as follows:
    url-redirect = <HTTP or HTTPS URL>
    url-redirect-acl = switch ACL name or number
These AV pairs enable the switch to intercept an HTTP or HTTPS request from the endpoint device and forward the client web browser to the specified redirect address, from which the latest antivirus files can be downloaded. The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser will be redirected. The url-redirect-acl AV pair contains the name or number of an ACL that specifies the HTTP or HTTPS traffic to be redirected. The ACL must be defined on the switch. Traffic that matches a permit entry in the redirect ACL will be redirected.
These AV pairs may be sent if the host's posture is not healthy.

Note: You can redirect the URL for either HTTP or HTTPS but not for both at the same time. This is because the Cisco IOS HTTP server on the switch can listen on either the HTTP port or the HTTPS port, but it cannot listen on both at the same time.

For more information about AV pairs that are supported by Cisco IOS software, see the ACS configuration and command reference documentation for the software releases running on the AAA clients.

Audit Servers
End devices that do not run a Cisco Trust Agent (CTA) will not be able to provide credentials when challenged by Network Access Devices. These devices are described as agentless or nonresponsive. The NAC architecture has been extended to incorporate audit servers. An audit server is a third-party server that can probe, scan, and determine security compliance of a host without the need for presence of Cisco Trust Agent on the host. The result of the audit server examination can influence the access servers to

OL-4266-08
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Understanding NAC
45-7
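The handling of the AV pairs described in this section, as an added Python example that is not part of the Cisco guide and not switch code: it parses the cisco-av-pair values out of a constructed Access-Accept, validates the #ACL#-IP-name-number format and the HTTP or HTTPS redirect URL, models the "download the ACEs only if not previously downloaded" step with the ACL name used as the AAA username, and rewrites the downloaded ACEs from source any to the host address before prepending them to the interface ACL. Two details are this example's own assumptions rather than statements of the page: the download cache is keyed on ACL name plus version number, and url-redirect without url-redirect-acl (or vice versa) is rejected. The sample AV pairs, ACEs and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Value format of the CiscoSecure-Defined-ACL AV pair as given on the page:
#   #ACL#-IP-name-number   (number is a version such as 3f783768)
ACL_VALUE_RE = re.compile(r"^#ACL#-IP-(?P<name>.+)-(?P<version>[0-9a-fA-F]+)$")


@dataclass
class NacPolicy:
    """What the switch learns from the cisco-av-pair VSAs in one Access-Accept."""
    acl_name: Optional[str] = None
    acl_version: Optional[str] = None
    url_redirect: Optional[str] = None
    url_redirect_acl: Optional[str] = None


def parse_av_pairs(av_pairs: List[str]) -> NacPolicy:
    """Interpret the AV pairs described on the page; other pairs are ignored."""
    policy = NacPolicy()
    for pair in av_pairs:
        key, _, value = pair.partition("=")
        key, value = key.strip(), value.strip()
        if key == "CiscoSecure-Defined-ACL":
            m = ACL_VALUE_RE.match(value)
            if not m:
                raise ValueError(f"malformed CiscoSecure-Defined-ACL value: {value!r}")
            policy.acl_name, policy.acl_version = m.group("name"), m.group("version")
        elif key == "url-redirect":
            u = urlparse(value)
            if u.scheme not in ("http", "https") or not u.netloc:  # page: HTTP or HTTPS URL only
                raise ValueError(f"url-redirect must be an HTTP or HTTPS URL: {value!r}")
            policy.url_redirect = value
        elif key == "url-redirect-acl":
            policy.url_redirect_acl = value
    # Assumption of this example (not stated on the page): a redirect URL without the
    # ACL that selects the traffic to redirect, or vice versa, is rejected as a policy error.
    if (policy.url_redirect is None) != (policy.url_redirect_acl is None):
        raise ValueError("url-redirect and url-redirect-acl must be sent together")
    return policy


def ensure_acl_downloaded(cache: Dict[Tuple[str, str], List[str]], policy: NacPolicy,
                          aaa_fetch: Callable[[str], List[str]]) -> Tuple[List[str], bool]:
    """Return the ACEs of the policy's downloadable ACL and whether a download was needed.

    As the page describes, ACEs not previously downloaded are fetched by an AAA request
    whose username is the downloadable ACL name. Keying the cache on (name, version) is
    this example's assumption about what the version number is for.
    """
    key = (policy.acl_name, policy.acl_version)
    if key in cache:
        return cache[key], False
    aces = aaa_fetch(f"#ACL#-IP-{policy.acl_name}-{policy.acl_version}")
    cache[key] = aces
    return aces, True


def apply_to_host(downloaded_aces: List[str], interface_aces: List[str], host_ip: str) -> List[str]:
    """Build the ACL enforced for one endpoint once posture validation completes.

    Every downloaded ACE has source 'any'; it is rewritten to the host's source IP and the
    result is prepended to the ACL already on the interface. No implicit deny is appended.
    """
    rewritten = []
    for ace in downloaded_aces:
        parts = ace.split()  # expected shape: <permit|deny> <protocol> any <destination ...>
        if len(parts) < 3 or parts[0] not in ("permit", "deny") or parts[2] != "any":
            raise ValueError(f"unexpected downloadable ACE (source must be 'any'): {ace!r}")
        parts[2] = f"host {host_ip}"
        rewritten.append(" ".join(parts))
    return rewritten + list(interface_aces)


# Constructed sample input; not captured from a real ACS or switch.
SAMPLE_AV_PAIRS = [
    "CiscoSecure-Defined-ACL=#ACL#-IP-quarantine-3f783768",
    "url-redirect=https://remediation.example.net/av-update",
    "url-redirect-acl=NAC-REDIRECT",
]
SAMPLE_DOWNLOADED_ACES = [
    "permit tcp any host 192.0.2.10 eq 443",  # reach the remediation server only
    "deny ip any any",
]
SAMPLE_INTERFACE_ACES = ["permit ip any any"]


def demo(host_ip: str = "192.0.2.55") -> List[str]:
    """Run the whole flow for one endpoint and return its effective interface ACL."""
    cache: Dict[Tuple[str, str], List[str]] = {}
    policy = parse_av_pairs(SAMPLE_AV_PAIRS)
    aces, _ = ensure_acl_downloaded(cache, policy, lambda _user: SAMPLE_DOWNLOADED_ACES)
    return apply_to_host(aces, SAMPLE_INTERFACE_ACES, host_ip)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the module prints the three-entry ACL for the sample host: the two quarantine ACEs with source host 192.0.2.55 followed by the interface's own permit ip any any. A second endpoint receiving the same CiscoSecure-Defined-ACL value hits the cache and causes no further AAA request, whereas a changed version number in the name would not match the cached key and would trigger a fresh download.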