Configuring Agentless Hosts For Nac Auditing With Mab; Nac Agentless Hosts Auditing Overview; Configuring The Switch - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Configuring Agentless Hosts for NAC Auditing with MAB

Note: Catalyst 6500 series software release 8.7(1) and later releases support NAC auditing for agentless hosts with MAC authentication bypass enabled. This feature is not supported on Supervisor Engine 2, or for agentless hosts with 802.1X enabled on other supervisor engines.

These sections describe how to audit agentless hosts with MAC authentication bypass enabled:

NAC Agentless Hosts Auditing Overview, page 41-14
Configuring the Switch, page 41-14
Configuring the Cisco Secure ACS Server, page 41-15
Installing and Configuring the NAC Audit Server, page 41-16
Displaying the Agentless Host Posture Tokens, page 41-16
Interaction of Agentless Host Audit with Security Features, page 41-17

NAC Agentless Hosts Auditing Overview

Network Admission Control (NAC) checks the posture of an endpoint device for compliance with the security policy before the device is allowed into the protected areas of a network. NAC can determine the host posture either through the Posture Agent (PA) installed on the host or, for agentless hosts on which no PA is installed, through an audit server.

Several NAC methods allow network access to hosts that cannot perform posture validation because they lack a posture agent; typical agentless hosts are printers, scanners, and hosts with unsupported operating systems. One method is to use an external audit server with the agentless hosts connected to MAC authentication bypass-enabled NAD ports. To determine the posture, the MAC address of the host must be registered, and shared profiles and admission policies must be created, on a centralized ACS server.

Audit servers can probe and scan clientless devices for security compliance, vulnerabilities, and threats. The audit server result can influence the access server to make host-specific network access policy decisions rather than enforcing a common restrictive policy on all nonresponsive hosts.

Configuring the Switch

For the NAC audit server to determine the posture of agentless hosts, perform these tasks in privileged mode:

Task                                                              Command
Step 1  Enable MAC authentication bypass globally on the switch.   set mac-auth-bypass enable
Step 2  Enable MAC authentication bypass reauthentication on the   set mac-auth-bypass reauthentication enable
        switch.
Step 3  Enable MAC authentication bypass on a per-port basis.      set port mac-auth-bypass mod/port enable

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Chapter 41 Configuring MAC Authentication Bypass
41-14
OL-8978-04
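The three tasks above only deliver agentless-host posture to the audit server if all of them are actually present in the running configuration: MAB enabled globally, MAB reauthentication enabled, and MAB enabled on the ports the agentless hosts sit on. The following Python script is an added example, not code from the manual or from Cisco, that audits a saved CatOS configuration for exactly those three settings and reports which ports are MAB-enabled. The configuration text is constructed for the example; the `mod/port` list syntax it parses (comma-separated items, each `mod/port` or `mod/first-last`) and the `disable` keyword forms are assumptions rather than syntax quoted from this page.

```python
"""Audit a CatOS configuration for the MAB settings NAC agentless-host auditing depends on.

Added example; the config below is constructed, not captured from a real switch.
"""
import re

SAMPLE_CONFIG = """\
set mac-auth-bypass enable
set mac-auth-bypass reauthentication enable
set port mac-auth-bypass 3/1-4 enable
set port mac-auth-bypass 3/7,3/9 enable
set port mac-auth-bypass 4/2 disable
"""

# Assumed port-list syntax: '3/1-4,3/7' -> items separated by commas,
# each either 'mod/port' or 'mod/first-last'.
PORT_LINE = re.compile(r"^set port mac-auth-bypass (\S+) (enable|disable)$")


def expand_ports(spec: str) -> list:
    """Expand a mod/port list such as '3/1-4,3/7' into ['3/1', '3/2', '3/3', '3/4', '3/7']."""
    ports = []
    for item in spec.split(","):
        mod, _, rng = item.partition("/")
        first, _, last = rng.partition("-")
        lo = int(first)
        hi = int(last) if last else lo
        ports.extend(f"{mod}/{p}" for p in range(lo, hi + 1))
    return ports


def audit_mab(config_text: str) -> dict:
    """Return the global, reauthentication and per-port MAB state found in config_text.

    'audit_ready' is True only when all three tasks from the manual are in place.
    """
    global_enabled = False
    reauth_enabled = False
    port_state = {}  # port -> True/False; a later line for the same port overrides an earlier one
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "set mac-auth-bypass enable":
            global_enabled = True
        elif line == "set mac-auth-bypass disable":  # assumed keyword form
            global_enabled = False
        elif line == "set mac-auth-bypass reauthentication enable":
            reauth_enabled = True
        elif line == "set mac-auth-bypass reauthentication disable":  # assumed keyword form
            reauth_enabled = False
        else:
            m = PORT_LINE.match(line)
            if m:
                for port in expand_ports(m.group(1)):
                    port_state[port] = (m.group(2) == "enable")
    # Sort numerically by module then port so 3/10 sorts after 3/2.
    enabled_ports = sorted(
        (p for p, on in port_state.items() if on),
        key=lambda p: tuple(int(x) for x in p.split("/")),
    )
    return {
        "global_enabled": global_enabled,
        "reauth_enabled": reauth_enabled,
        "enabled_ports": enabled_ports,
        "audit_ready": global_enabled and reauth_enabled and bool(enabled_ports),
    }


if __name__ == "__main__":
    result = audit_mab(SAMPLE_CONFIG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a real `show config` capture, the `enabled_ports` list is the set of ports whose agentless hosts can be handed to the audit server; a port carrying a printer or scanner that is missing from that list, or an `audit_ready` of False, means the host will fall back to whatever policy the switch applies to nonresponsive hosts.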

This manual is also suitable for: Catalyst 6506, Catalyst 6509, Catalyst 6513.
