Cisco WS-C6506 Software Manual page 1088

Catalyst 6500 series switch
Configuring Network Admission Control with LAN Port IP
Cisco Trust Agent
CTA is specialized software that runs on end-point systems. CTA responds to challenges from the
switch or router about the antivirus state of an end-point system. If an end-point system is not running
CTA, the network access device (switch or router) classifies the end-point system as "clientless."
Cisco Secure ACS
Cisco Secure ACS provides authentication, authorization, and accounting services for NAC using
RADIUS authentication. Cisco Secure ACS returns access control decisions to the network access
device on the basis of the antivirus credentials of the end-point system.
Using RADIUS cisco_av_pair vendor-specific attributes (VSAs), you can set the following
attribute-value pairs (AV pairs) on the Cisco Secure ACS. These AV pairs are sent to the network access
device with other access-control attributes:
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
• url-redirect—Enables the AAA client to intercept an HTTP request and redirect it to a new URL.
  This redirection is useful if the result of posture validation indicates that the network access control
  end point requires an update or patch that you have made available on a remediation web server. For
  example, a user can be redirected to a remediation web server to download and apply a new virus
  Directory Administration Tool (DAT) file or an operating system patch as follows:
  url-redirect=http://10.1.1.1
• URL-redirect for audit support—The audit function is for hosts that do not have Cisco CTA enabled.
  The ACS can trigger the audit by sending down a policy that requires an audit when the network access
  device (NAD) performs a clientless authentication. The audit is accomplished by sending down the
  audit server's URL as the URL-redirect policy for the host. When HTTP traffic is seen from the host,
  the host is given the URL of the audit server. The policy that is configured through policy-based ACLs
  (PBACLs) allows communication between the audit server and the host. The session timeout is typically
  short so that the audit can complete; when this timeout expires, a revalidation occurs and the NAD sends
  the previously received state attribute to the ACS to bring down a new policy. If the audit is not
  finished during this session timeout, the ACS sends another short session timeout, and this process
  continues until an audit posture token is received. If the process never completes or is taking too
  long, the audit server returns an "error" posture token to the ACS.
• posture-token—Enables Cisco Secure ACS to send a text version of a system posture token (SPT)
  that is derived by posture validation. The SPT is always sent in numeric format. Using the
  posture-token AV pair makes it easier to view the result of a posture validation request on the AAA
  client as follows:
  posture-token=Healthy
  Valid SPTs, in order from best to worst, are as follows:
  – Healthy
  – Checkup
  – Quarantine
  – Infected
  – Unknown
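The two AV pairs above arrive at the network access device inside RADIUS Vendor-Specific attributes (type 26) carrying Cisco's vendor ID (9) and the cisco-avpair sub-attribute (vendor type 1). The following Python is an added example, not code from the Cisco guide or from ACS: it builds a constructed attribute list for an Access-Accept that carries url-redirect, posture-token and a Session-Timeout, then parses it back out and checks the posture token against the documented SPT list, rejecting anything outside it instead of guessing. The attribute and vendor numbers are the standard RADIUS/Cisco values; the sample strings and the 60-second timeout are constructed for the demonstration.

```python
"""Encode and parse Cisco cisco-avpair VSAs (url-redirect, posture-token) in a RADIUS attribute list.
Added example; the sample attribute list is constructed, not a capture."""
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
RADIUS_SESSION_TIMEOUT = 27   # RFC 2865 Session-Timeout, used by the audit revalidation loop
CISCO_VENDOR_ID = 9           # IANA private enterprise number for Cisco
CISCO_AVPAIR = 1              # Vendor-Type of cisco-avpair inside a Cisco VSA

# Valid system posture tokens, best to worst, exactly as the guide lists them.
POSTURE_TOKENS = ("Healthy", "Checkup", "Quarantine", "Infected", "Unknown")


def build_vsa(av_pair: str) -> bytes:
    """Encode one cisco-avpair VSA: Type=26, Length, Vendor-Id=9, Vendor-Type=1, Vendor-Length, text."""
    data = av_pair.encode("ascii")
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_session_timeout(seconds: int) -> bytes:
    """Encode a Session-Timeout attribute (Type=27, Length=6, 32-bit value)."""
    return struct.pack("!BBI", RADIUS_SESSION_TIMEOUT, 6, seconds)


def iter_attributes(blob: bytes):
    """Yield (type, value) for each RADIUS attribute TLV; refuse malformed lengths."""
    pos = 0
    while pos + 2 <= len(blob):
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            raise ValueError(f"malformed attribute at offset {pos}")
        yield attr_type, blob[pos + 2 : pos + attr_len]
        pos += attr_len


def parse_cisco_avpairs(blob: bytes) -> dict:
    """Return {"av_pairs": {name: value}, "session_timeout": int or None} from an attribute list."""
    result = {"av_pairs": {}, "session_timeout": None}
    for attr_type, value in iter_attributes(blob):
        if attr_type == RADIUS_SESSION_TIMEOUT and len(value) == 4:
            result["session_timeout"] = struct.unpack("!I", value)[0]
            continue
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        # One VSA may carry several vendor sub-attributes; walk all of them.
        sub, pos = value[4:], 0
        while pos + 2 <= len(sub):
            vtype, vlen = sub[pos], sub[pos + 1]
            if vlen < 2 or pos + vlen > len(sub):
                raise ValueError("malformed Cisco sub-attribute")
            if vtype == CISCO_AVPAIR:
                text = sub[pos + 2 : pos + vlen].decode("ascii", errors="replace")
                key, sep, val = text.partition("=")   # split on the first '=' only; URLs may contain more
                if sep:
                    result["av_pairs"][key.strip()] = val.strip()
            pos += vlen
    return result


def posture_rank(token: str) -> int:
    """0 is best (Healthy), 4 is worst (Unknown). Tokens outside the documented list are rejected."""
    if token not in POSTURE_TOKENS:
        raise ValueError(f"unknown posture token {token!r}")
    return POSTURE_TOKENS.index(token)


def worst_posture(tokens) -> str:
    """Most restrictive token among several results, using the guide's best-to-worst ordering."""
    return max(tokens, key=posture_rank)


# Constructed sample Access-Accept attribute list for the demonstration (not a real capture).
SAMPLE = (
    build_vsa("url-redirect=http://10.1.1.1")
    + build_vsa("posture-token=Healthy")
    + build_session_timeout(60)
)

if __name__ == "__main__":
    parsed = parse_cisco_avpairs(SAMPLE)
    print(parsed)
    print("rank:", posture_rank(parsed["av_pairs"]["posture-token"]))
```

Rejecting an unlisted token (a misspelling, an empty string, a value of an unexpected case) is the safer default on the enforcement side: treating it as Healthy would grant access on a malformed answer, and silently mapping it to Unknown hides a configuration error on the ACS.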
Posture validation, or posture assessment, refers to the act of applying a set of rules to posture data
to provide an assessment of the level of trust that you can place in an endpoint. The term posture is
used to refer to the collection of attributes that play a role in the conduct and health of the endpoint
Chapter 44
Configuring Network Admission Control
OL-8978-04