 Feedback
|
Table Of Contents
Network Admission Control: Agentless Host Support
Prerequisites for Network Admission Control:
Agentless Host SupportInformation About Network Admission Control:
Agentless Host SupportVendor-Specific Attributes for This Feature
How to Configure Network Admission Control:
Agentless Host SupportConfiguring a NAD to Bypass EAPoUDP Communication
Verifying Agentless Host and EAPoUDP Bypass
Configuration Examples for Network Admission Control: Agentless Host Support
RADIUS Message Exchange url-redirect-acl VSA: Example
Show Output Displaying the Value of a Newly Defined VSA
Feature Information for Network Admission Control: Agentless Host Support
Network Admission Control: Agentless Host Support
First Published: February 27, 2006Last Updated: February 27, 2006The Network Admission Control: Agentless Host Support feature allows for an exhaustive examination of agentless hosts (hosts that are not running the Cisco Trust Agent software). This examination allows customers to build a robust host or examination functionality by integrating any third-party audit mechanisms into the Network Admission Control architecture.
This feature also allows for Extensible Authentication Protocol over UDP (EAPoUDP) bypass, which speeds up the posture validation of hosts that are not using Cisco Trust Agent.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Network Admission Control: Agentless Host Support" section.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Network Admission Control: Agentless Host Support
•
•
•
•
Prerequisites for Network Admission Control:
Agentless Host Support•
•
•
Information About Network Admission Control:
Agentless Host SupportTo configure the Network Admission Control: Agentless Host Support feature, you should understand the following concepts:
•
Network Admission Control
The Cisco Network Admission Control functionality enables the credentials of the endpoint device to be checked for compliance with the security policy before the device is granted access to network resources. This checking requires a security application called Cisco Trust Agent (CTA) to be installed on end devices that gather security state information and communicate it to access servers where policy decisions are made and eventually enforced on Cisco network access devices (such as routers and switches).
Agentless Hosts
End devices that do not run CTA cannot provide credentials when challenged by network access devices (NADs). Such hosts are termed "agentless" or "nonresponsive." In the Phase l release of Network Admission Control, agentless hosts were supported by either a static configuration using exception lists (an identity profile) or by using "clientless" username and password authentication on an ACS. These methods are restrictive and do not convey any specific information about the host while making policy decisions.
EAPoUDP Bypass
You can use the EAPoUDP Bypass feature to reduce latency of the validation of hosts that are not using CTA. If EAPoUDP bypass is enabled, the NAD does not contact the host to request the antivirus condition (the NAD does not try to establish an EAPoUDP association with the host if the EAPoUDP Bypass option is configured). Instead, the NAD sends a request to the Cisco Secure ACS that includes the IP address, MAC address, service type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the access control decision and sends the policy to the NAD.
If EAPoUDP bypass is enabled, the NAD sends an agentless host request to the Cisco Secure ACS and applies the access policy from the server to the host.
If EAPoUDP bypass is enabled and the host uses the Cisco Trust Agent, the NAD also sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host.
Vendor-Specific Attributes for This Feature
The following new attributes are supported for various RADIUS message exhanges:
audit-session-id
The audit-session-id vendor-specific attribute (VSA) is a 32-byte string that uniquely identifies a host session. This identifier is generated by a NAD when the host is detected, and it remains the same until the session is deleted. Session revalidation or reinitialization does not change this identifier. Every time a session is detected, a new identifier is generated. This attribute is included in access requests to the authentication, authorization, and accounting (AAA) server and in web requests to the audit server. The value of this attribute is displayed in show eou command output (using the ip keyword).
url-redirect-acl
The url-redirect-acl VSA string specifies the name of the access control list (ACL) for URL redirection. Any ingress HTTP from the host that matches the access list that is specified by this attribute is subjected to redirection to the URL address specified by the url-redirect VSA. The access list specified in this attribute has to be locally configured on the NAD as an "ip access-list extended" named ACL. This attribute is specified only in RADIUS access-accept messages. The value of the url-redirect-acl attribute is displayed using the show eou command (with the ip keyword).
Note
How to Configure Network Admission Control:
Agentless Host SupportThis section includes the following required and optional tasks.
•
•
Configuring a NAD to Bypass EAPoUDP Communication
To configure a NAD to bypass EAPoUDP, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Verifying Agentless Host and EAPoUDP Bypass
To verify your configuration for Agentless Host and EOUoUDP Bypass, perform the following steps. The debug and show commands can be used independently of each other.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuration Examples for Network Admission Control: Agentless Host Support
This section provides the following configuration examples.
•
•
RADIUS Message Exchange url-redirect-acl VSA: Example
ACS Configuration
url-redirect=http://audit-server.com/host_session_id=$host_session_idurl-redirect-acl=RedirectACLNAD Configuration
Router(config)# ip access-list extended RedirectACLRouter (config-ext-nacl)# permit tcp any 10.0.0.0 0.0.0.255 eq wwwRouter (config-ext-nacl)# endShow Output Displaying the Value of a Newly Defined VSA
The following show eou command output displays EAPoUPD session cache information for a given IP address. The value of the newly defined VSA is also shown.
Router# show eou ip 10.0.0.1Address : 10.0.0.1MAC Address : 0001.027c.f364Interface : FastEthernet1/0/3AuthType : EAPAudit Session ID : 000000001C8A6A330000001812000001PostureToken : InfectedAge(min) : 444URL Redirect : http://wwwin.cisco.comURL Redirect ACL : RedirectACLACL Name : #ACSACL#-IP-Infected-42835ff7User Name : NAC-DEV-PC-3:AdministratorRevalidation Period : 30000 SecondsStatus Query Period : 300 SecondsCurrent State : AUTHENTICATEDAdditional References
The following sections provide references related to Network Admission Control: Agentless Host.
Related Documents
Configuring AAA and RADIUS for EAPoUDP
"Configuring AAA for EAPoUDP" section of the Network Admission Control feature guide.
Security commands
Network Admission Control
Network Admission Control feature guide
Standards
MIBs
RFCs
Technical Assistance
Command Reference
This section documents modified commands only.
eou clientless
Note
To set user group credentials for clientless hosts, use the eou clientless command in global configuration mode. To remove the user group credentials, use the no form of this command.
eou clientless {password password | username username}
no eou clientless {password | username}
Syntax Description
Defaults
Username and password values are clientless.
Command Modes
Global configuration
Command History
12.3(8)T
This command was introduced.
12.4(6)T
This command is removed effective with Cisco IOS Release 12.4(6)T.
Usage Guidelines
For this command to be effective, the eou allow command must also be enabled.
Examples
The following example shows that a clientless host with the username "user1" has been configured:
Router (config)# eou clientless username user1The following example shows that a clientless host with the password "user123" has been configured:
Router (config)# eou clientless password user123Related Commands
ip admission name
To create an IP network admission control rule, use the ip admission name command in global configuration mode. To remove the network admission control rule, use the no form of this command.
ip admission name admission-name [eapoudp [bypass] | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name}] [list {acl | acl-name}]
no ip admission name admission-name [eapoudp [bypass] | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name}] [list {acl | acl-name}]
Syntax Description
Defaults
An IP network admission control rule is not created.
Command Modes
Global configuration
Command History
12.3(8)T
This command was introduced.
12.4(6)T
The bypass and service-policy type tag keywords and service-policy-name argument were added.
Usage Guidelines
The admission rule defines how you apply admission control.
You can associate the named rule with an ACL, providing control over which hosts use the admission control feature. If no standard access list is defined, the named admission rule intercepts IP traffic from all hosts whose connection-initiating packets are received at the configured interface.
The bypass keyword allows an administrator the choice of not having to use the EAPoUDP-based posture validation for the hosts that are trying to connect on the port. The bypass can be used if an administrator knows that the hosts that are connected on the port do not have the Cisco Trust Agent client installed.
The service-policy type tag {service-policy-name} keywords and argument allow you to associate the service policy of the type tag with the IP admission rule. On the network access device (NAD), a set of policies can be associated with an arbitrary tag string, and if the AAA server sends the same tag in response to the posture validation or authentication response, the policies that are associated with the tag can be applied on the host. The service policy keyword is an optional keyword, and if the service policy is not associated with the IP admission name, the policies that are received from the AAA server are applied on the host.
The list keyword option allows you to apply a standard, extended (1 through 199) or named access list to a named admission control rule. IP connections that are initiated by hosts in the access list are intercepted by the admission control feature.
Examples
The following example shows that an IP admission control rule is named "greentree" and that it is associated with ACL "101." Any IP traffic that is destined to a previously configured network (using the access-list command) will be subjected to antivirus state validation using EAPoUDP.
Router (config)# ip admission name greentree eapoudp list 101The following example shows that EAPoUDP bypass has been configured:
Router (config)# ip admission name greentree eapoudp bypass list 101In the following service policy example, tags named "healthy" and "non_healthy" can be received from an AAA server, the policy map is defined on the NAD, and the tag policy type is associated with the IP admission name "greentree."
Class Map Definition for the "healthy class" Type Tag
Router (config)# class-map type tag healthy_classRouter(config-cmap)# match tag healthyRouter(config-cmap)# endClass Map Definition for the "non_healthy_class" Type Tag
Router (config)# class-map type tag non_healthy_classRouter (config-cmap)# match tag non_healthyRouter (config-cmap)# endPolicy Map Is Defined
! The following line will be associated with the IP admission name.Router (config)# policy-map type control tag global_class! The following line refers to the healthy class map that was defined above.Router (config-pmap)# class healthy_classRouter (config-pmap-c)# identity policy healthy_policyRouter(config-pmap-c)# exitThe following line refers to the non_healthy class that was defined above.Router (config-pmap)# class non_healthy_classRouter(config-pmap-c)# identity policy non_healthy_policyRouter (config-pmap-c)# endIdentity Policy Can Be Defined As Follows
Router (config)# identity policy healthy_policy! The following line is the IP access list for healthy users.Router (config-identity-policy)# access-group healthyRouter (config-identity-policy)# endRouter (config)# identity policy non_healthy_policyRouter (config-identity-policy)# access-group non_healthyRouter (config-identity-policy)# endAccess Lists Can Be Defined As Follows
Router (config)# ip access-list extended healthy_class! The following line can be anything, but as an example, traffic is being allowed.Router (config-ext-nacl)# permit ip any anyRouter (config-ext-nac)# endRouter (config)# ip access-list extended non_healthy_class! The following line is only an example. In practical cases, you could prevent a user from accessing specific networks.Router (config-ext-nacl)# deny ip any anyRouter (config-ext-nac)# endPolicy Map That Was Defined Above Is Associated with the IP Admission Name
Router (config)# ip admission name greentree service-policy type tag global_class! In the next line, the admission name can be associated with the interface.Router (config)# interface fastethernet 1/0Router (config-if)# ip admission greentreeIn the above configuration, if the AAA server sends a tag named "healthy" or "non_healthy" for any host, the policies that are associated with the appropriate identity policy will be applied on the host.
Related Commands
show eou
To display information about Extensible Authentication Protocol over UDP (EAPoUDP) global values or EAPoUDP session cache entries, use the show eou command in privileged EXEC mode.
show eou {all | authentication {clientless | eap | static} | interface {interface-type} | ip {ip-address} | mac {mac-address} | posturetoken {name}} [{begin | exclude | include} expression]
Syntax Description
all
Displays EAPoUDP information about all clients.
authentication
Authentication type.
clientless
Authentication type is clientless, that is, the endpoint system is not running Cisco Trust Agent (CTA) software.
eap
Authentication type is EAP.
static
Authentication type is statically configured.
interface
Provides information about the interface.
interface-type
Type of interface (see Table 1 for the interface types that may be shown).
ip
Specifies an IP address.
ip-address
IP address of the client device.
mac
Specifies a MAC address.
mac-address
The 48-bit address of the client device.
posturetoken
Displays information about a posture token name.
name
Name of the posture token.
begin
(Optional) Display begins with the line that matches the expression argument.
exclude
(Optional) Display excludes lines that match the expression argument.
include
(Optional) Display includes lines that match the specified expression argument.
expression
(Optional) Expression in the output to use as a reference point.
Defaults
If no keywords are listed, all global EAPoUDP global values are displayed.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If you do not specify a port, global parameters and a summary appear. If you specify a port, details for that port appear.
Expressions are case sensitive. For example, if you enter "exclude output," the lines that contain "output" are not displayed, but the lines that contain "Output" appear.
Table 1 lists the interface types that may be used for the interface-type argument.
Examples
The following output displays information about a global EAPoUDP configuration. The default values can be changed or customized using the eou default, eou max-retry, eou revalidate, or eou timeout commands, depending on whether you configure them globally or as interface specific.
Router# show eouGlobal EAPoUDP Configuration----------------------------EAPoUDP Version = 1EAPoUDP Port = 0x5566Clientless Hosts = DisabledIP Station ID = DisabledRevalidation = EnabledRevalidation Period = 36000 SecondsReTransmit Period = 3 SecondsStatusQuery Period = 300 SecondsHold Period = 180 SecondsAAA Timeout = 60 SecondsMax Retries = 3EAPoUDP Logging = DisabledClientless Host Username = clientlessClientless Host Password = clientlessInterface Specific EAPoUDP Configurations-----------------------------------------Interface Ethernet2/1No interface specific configuration
Table 2 describes the significant fields shown in the display
Related Commands
Feature Information for Network Admission Control: Agentless Host Support
Table 3 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006 Cisco Systems, Inc. All rights reserved.
