IBM Tivoli and Cisco User Manual page 319

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

The Cisco Secure ACS then issues a token according to the group in which a
user with the clientless user name is placed. This configuration is useful for
PCs and workstations that receive their IP addresses through DHCP and do
not have the posture agents installed.
5. (optional) The following commands configure the timers for the EOU
posturing processes. These timers are shown with their default settings:

    Router(config)# eou timeout hold-period 60
    Router(config)# eou timeout revalidation 1800
    Router(config)# eou timeout status-query 300

The eou timeout hold-period command specifies a hold period in seconds
for ignoring packets from a host that has just unsuccessfully authenticated.
The eou timeout revalidation command sets the global revalidation period
for all clients. This may be overridden by a RADIUS AV pair from the Cisco
Secure ACS. The eou timeout status-query command sets the global status
query period. This may also be overridden by an AV pair received from the
Cisco Secure ACS.
6. The network interface configuration consists of two commands that must be
configured on the interface facing the hosts to be posture-validated.

    Router(config)# access-list 101 permit udp any host 172.30.40.1 eq 21862
    Router(config)# access-list 101 deny ip any any
    Router(config)# interface FastEthernet0/0
    Router(config-if)# ip address 172.30.40.1 255.255.255.0
    Router(config-if)# ip access-group 101 in
    Router(config-if)# ip admission admission-name

The ip access-group 101 in command places an ACL on the interface in the
inbound direction that blocks all traffic from entering the interface unless it is
expressly permitted. This ACL, called the interface ACL, is useful for creating
pinholes that allow certain kinds of inbound traffic before the sending device is
subjected to the posturing process.
For example, an access control element (ACE) permitting UDP packets to the
port named domain (DNS, UDP port 53) enables DNS queries to be sent
successfully without the host being postured. At a minimum, the interface ACL
must permit inbound UDP communication destined to port 21862. The first
permit ACE above enables this UDP traffic into the NAD; it is necessary for the
EOU communications. The ip admission admission-name command applies the
previously configured NAC policy to the interface.
The traffic specifically permitted by access list 102 is subject to the posturing
process.
Important: Remember the importance of permitting UDP port 21862 in the
interface ACL. Without this access, NAC will not function.
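The check below is an added example, not code from the Redbook or from Cisco: it parses the numbered IOS ACEs of an interface ACL with first-match semantics and reports whether UDP traffic to the NAD address on port 21862 is permitted before any ACE that would deny it. The ACL text, the NAD address 172.30.40.1 and the helper names are constructed for the example; only "any" and "host" destinations are evaluated.

```python
import re

EOU_PORT = 21862  # UDP port the NAD must accept for EAP over UDP (EOU) posturing

# Constructed sample: the interface ACL from step 6, as entered in config mode.
SAMPLE_ACL = """
access-list 101 permit udp any host 172.30.40.1 eq 21862
access-list 101 deny ip any any
"""

# One numbered-ACL ACE: action, protocol, source, destination, optional 'eq <port>'.
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(text, number):
    """Return the ACEs of numbered ACL `number` in the order they were configured."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("num") == str(number):
            aces.append(m.groupdict())
    return aces


def ace_covers_eou(ace, nad_ip):
    """True if this ACE matches UDP traffic destined to the NAD on the EOU port.
    A wildcard-mask destination is not evaluated and is treated as no match."""
    proto_ok = ace["proto"] in ("udp", "ip")
    dst_ok = ace["dst"] in ("any", f"host {nad_ip}")
    port_ok = ace["port"] in (None, str(EOU_PORT))
    return proto_ok and dst_ok and port_ok


def eou_pinhole_open(text, number, nad_ip):
    """IOS ACLs are evaluated first match wins, so the first ACE that covers
    EOU traffic decides; with no matching ACE the implicit deny applies."""
    for ace in parse_acl(text, number):
        if ace_covers_eou(ace, nad_ip):
            return ace["action"] == "permit"
    return False


if __name__ == "__main__":
    ok = eou_pinhole_open(SAMPLE_ACL, 101, "172.30.40.1")
    print("EOU pinhole open" if ok else "NAC will not function: UDP 21862 blocked")
```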
Chapter 7. Network enforcement subsystem implementation    301