Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
This example exempts UDP traffic to 10.10.30.10 on port 21862 (the default
EAP-over-UDP port) and to 10.10.20.10 on port 53 (domain) from the admission
control process; any other traffic matches the final permit entry and is
intercepted for posture validation:
Router(config)# access-list 102 deny udp any host 10.10.30.10 eq 21862
Router(config)# access-list 102 deny udp any host 10.10.20.10 eq domain
Router(config)# access-list 102 permit ip any any
Router(config)# ip admission name admission-name eapoudp list 102
A deny entry in the intercept ACL only skips posture validation; it does not
by itself forward anything. The exempted packets still need a matching permit
entry in the ACL applied to the interface to be forwarded without a prior
posture validation. If the intercept ACL contains only deny statements,
nothing ever matches a permit entry and posture validation is never triggered.
3. (optional) If hosts with a statically configured IP address and no posture
agent (non-responsive hosts) are located in a network where posturing takes
place, they can be exempted from the posturing process.
The following commands bind a static host to an identity policy that grants
the access defined by an access list. Note the configuration modes: device
authorize is entered in the identity profile, access-group and redirect url in
the identity policy, and the permit entry in the extended access list; only
identity profile, identity policy and ip access-list are global configuration
commands.
Router(config)# identity profile eapoudp
Router(config-identity-prof)# device authorize ip-address 172.30.40.32 policy NACless
Router(config-identity-prof)# exit
Router(config)# identity policy NACless
Router(config-identity-policy)# access-group clientException
Router(config-identity-policy)# redirect url http://172.30.2.10/update
Router(config-identity-policy)# exit
Router(config)# ip access-list extended clientException
Router(config-ext-nacl)# permit ip any host 172.30.1.10
With this configuration the host 172.30.40.32 is never postured and can
communicate with the host 172.30.1.10 and no other host, which is what
IP-connected printers or IP telephony devices typically need.
Where the non-responsive hosts are Web clients, the redirect url entry sends
their HTTP requests to a server from which the required agent software can be
obtained.
4. A different exception method for hosts without a posture agent is the
clientless fallback.
In the following example, the eou clientless username command sets the user
name (here clientless) that the Cisco IOS Software NAD inserts into the
RADIUS request for clientless end stations, and the eou clientless password
command sets the password sent with it. The eou allow clientless command
enables the NAD to send this user name and password for every host it
attempts to posture without receiving a valid EOU response. Because the same
static credential is presented for any host that simply stays silent, the
authorization that ACS assigns to that user name determines what every
unmanaged device on the segment can reach, and should be as restrictive as
the static-host policy above.
Router(config)# eou clientless username clientless
Router(config)# eou clientless password password
Router(config)# eou allow clientless
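The three exemption paths on this page (a deny in the intercept ACL, a static host in the identity profile, and the clientless fallback) can be checked against sample traffic with a small model. The following Python is an added example written for this page, not code from the Redbook or from Cisco IOS. It parses the extended-ACL syntax used above (permit/deny, ip/udp/tcp, any or host, optional trailing eq port), builds a constructed configuration from the page's own addresses and policy names, and assumes an evaluation order (intercept ACL, then identity profile, then EoU or clientless) that the page describes but does not formally specify; the class and field names are invented for illustration.

```python
# Added example (not Redbook or Cisco IOS code): a model of the NAD admission
# decisions described on this page.  Names and evaluation order are assumptions.
from dataclasses import dataclass, field
from typing import Optional

PORT_NAMES = {"domain": 53, "www": 80}   # IOS port keywords accepted after "eq"


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    dport: int   # destination port


def parse_ace(line: str):
    """Parse 'deny udp any host 10.10.30.10 eq 21862' into
    (action, proto, src, dst, dport); None means 'any'.  Only the
    destination-port form of 'eq' (after both addresses) is handled."""
    tok = line.split()
    action, proto, i, addrs = tok[0], tok[1], 2, []
    for _ in range(2):
        if tok[i] == "any":
            addrs.append(None)
            i += 1
        elif tok[i] == "host":
            addrs.append(tok[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported address form: {tok[i]}")
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, addrs[0], addrs[1], dport


def ace_matches(ace, pkt: Packet) -> bool:
    action, proto, src, dst, dport = ace
    return (proto in ("ip", pkt.proto) and src in (None, pkt.src)
            and dst in (None, pkt.dst) and dport in (None, pkt.dport))


def acl_action(acl, pkt: Packet) -> str:
    """First-match evaluation, ending with the implicit deny IOS appends."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"


@dataclass
class Nad:
    intercept_acl: list                                # ip admission ... list <n>
    interface_acl: list                                # ACL applied on the interface
    static_hosts: dict = field(default_factory=dict)   # device authorize ip-address X policy P
    policies: dict = field(default_factory=dict)       # identity policy P -> access-group ACL
    responders: set = field(default_factory=set)       # hosts that answer EoU
    clientless_user: Optional[str] = None              # eou clientless username
    allow_clientless: bool = False                     # eou allow clientless

    def admit(self, pkt: Packet) -> dict:
        """Decision for the first packet seen from pkt.src."""
        if acl_action(self.intercept_acl, pkt) == "deny":
            # Intercept-ACL deny = exempt from posturing; forwarded only if the
            # interface ACL permits it (no dynamic entries are ever downloaded).
            return {"posture": "exempt",
                    "forward": acl_action(self.interface_acl, pkt) == "permit"}
        policy = self.static_hosts.get(pkt.src)
        if policy is not None:
            # Static non-responsive host: the identity policy's ACL applies.
            return {"posture": "static", "policy": policy,
                    "forward": acl_action(self.policies[policy], pkt) == "permit"}
        if pkt.src in self.responders:
            # Normal path: EoU exchange, posture validated by RADIUS/ACS.
            return {"posture": "validate", "radius_user": pkt.src}
        if self.allow_clientless and self.clientless_user:
            # No valid EoU response: the fixed clientless credential is sent.
            return {"posture": "clientless", "radius_user": self.clientless_user}
        # Silent host and no clientless fallback: only the interface ACL applies.
        return {"posture": "pending",
                "forward": acl_action(self.interface_acl, pkt) == "permit"}


# Constructed configuration using the addresses and names from the page.
NAD = Nad(
    intercept_acl=["deny udp any host 10.10.30.10 eq 21862",
                   "deny udp any host 10.10.20.10 eq domain",
                   "permit ip any any"],
    interface_acl=["permit udp any host 10.10.30.10 eq 21862",
                   "permit udp any host 10.10.20.10 eq domain"],
    static_hosts={"172.30.40.32": "NACless"},
    policies={"NACless": ["permit ip any host 172.30.1.10"]},
    responders={"10.10.40.7"},         # constructed: one host running the agent
    clientless_user="clientless",
    allow_clientless=True,
)

if __name__ == "__main__":
    for p in (Packet("udp", "10.10.40.9", "10.10.20.10", 53),    # exempt, forwarded
              Packet("tcp", "172.30.40.32", "172.30.1.11", 80),  # static host, blocked
              Packet("tcp", "10.10.40.8", "192.0.2.1", 80)):     # silent host, clientless
        print(p, NAD.admit(p))
```

Two results are worth noticing when running it: the DNS packet exempted by the intercept ACL is forwarded only because the interface ACL carries a matching permit, and a host that never answers EoU is sent to ACS as the clientless user whatever its address, so the ACS policy for that user name is the effective access policy for every unmanaged device on the segment.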