This documentation has been moved
Network Admission Control (NAC) Auth Fail Open
Download this chapter
Network Admission Control (NAC) Auth Fail OpenNetwork Admission Control (NAC) Auth Fail Open
Download the complete book
Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4TCisco IOS Security Configuration Guide: Securing User Services, Release 12.4T (PDF - 13 MB)
 Feedback

Table Of Contents

NAC—Auth Fail Open

Finding Feature Information

Contents

Prerequisites for NAC—Auth Fail Open

Restrictions for NAC—Auth Fail Open

Information About Network Admission Control

Controlling Admission to a Network

Network Admission Control When the AAA Server Is Unreachable

How to Configure NAC—Auth Fail Open

Configuring a NAC Rule-Associated Policy Globally for a Device

Prerequisites

Applying a NAC Policy to a Specific Interface

Configuring Authentication and Authorization Methods

Configuring RADIUS Server Parameters

Identifying the RADIUS Server

Determining When the RADIUS Server Is Unavailable

Displaying the Status of Configured AAA Servers

Displaying the NAC Configuration

Displaying the EAPoUDP Configuration

Enabling EOU Logging

Configuration Examples for NAC—Auth Fail Open

Sample NAC—Auth Fail Open Configuration: Example

Sample RADIUS Server Configuration: Example

show ip admission configuration Output: Example

show eou Output: Example

show aaa servers Output: Example

EOU Logging Output: Example

Additional References

Related Documents

Standards

MIBs

Technical Assistance

Feature Information for NAC—Auth Fail Open


NAC—Auth Fail Open

First Published: November 17, 2006
Last Updated: March 30, 2011

In network admission control (NAC) deployments, authentication, authorization, and accounting (AAA) servers validate the antivirus status of clients before granting network access. This process is called posture validation. If the AAA server is unreachable, clients do not have access to the network. The NAC—Auth Fail Open feature enables the administrator to apply a policy that allows users to have network access when the AAA server is unreachable. The administrator can configure a global policy that applies to a device, or a rule-based policy that applies to a specific interface.

When the AAA server returns to a reachable status, the posture validation process resumes for clients that are using the NAC—Auth Fail Open policy.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for NAC—Auth Fail Open" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for NAC—Auth Fail Open

Restrictions for NAC—Auth Fail Open

Information About Network Admission Control

How to Configure NAC—Auth Fail Open

Configuration Examples for NAC—Auth Fail Open

Additional References

"Feature Information for NAC—Auth Fail Open" section

Prerequisites for NAC—Auth Fail Open

You can configure this feature in networks using NAC and an AAA server for security. NAC is implemented on Cisco IOS routers running Cisco IOS Release 12.3(8)T or a later release.

Restrictions for NAC—Auth Fail Open

To apply local policies to a device or an interface when the AAA server is unreachable, you must configure the aaa authorization network default local command.

Information About Network Admission Control

You should understand the following concepts:

Controlling Admission to a Network

Network Admission Control When the AAA Server Is Unreachable

Controlling Admission to a Network

NAC protects networks from endpoint devices or clients (such as PCs or servers) that are infected with viruses by enforcing access control policies that prevent infected devices from adversely affecting the network. It checks the antivirus condition (called posture) of endpoint systems or clients before granting the devices network access. NAC keeps insecure nodes from infecting the network by denying access to noncompliant devices, placing them in a quarantined network segment or giving them restricted access to computing resources.

NAC enables network access devices (NADs) to permit or deny network hosts access to the network based on the state of the antivirus software on the host. This process is called posture validation.

Posture validation consists of the following actions:

Checking the antivirus condition or credentials of the client.

Evaluating the security posture credentials from the network client.

Providing the appropriate network access policy to the NAD based on the system posture.

Network Admission Control When the AAA Server Is Unreachable

Typical deployments of NAC use a AAA server to validate the client posture and to pass policies to the NAD. If the AAA server is not reachable when the posture validation occurs, the typical response is to deny network access. Using NAC—Auth Fail Open, an administrator can configure a default policy that allows the host at least limited network access while the AAA server is unreachable.

This policy offers these two advantages:

While AAA is unavailable, the host continues to have connectivity to the network, although it may be restricted.

When the AAA server is once again reachable, users can be validated again, and their policies can be downloaded from the access control server (ACS).

Note When the AAA server is unreachable, the NAC—Auth Fail Open policy is applied only when there is no existing policy associated with the host. Typically, when the AAA server becomes unreachable during revalidation, the policies already in effect for the host are retained.

How to Configure NAC—Auth Fail Open

You can configure NAC—Auth Fail Open policies per interface, or globally for a device. Configuring NAC—Auth Fail Open is optional, and includes the following tasks:

Configuring a NAC Rule-Associated Policy Globally for a Device

Applying a NAC Policy to a Specific Interface

Configuring Authentication and Authorization Methods

Configuring RADIUS Server Parameters

Displaying the Status of Configured AAA Servers

Displaying the NAC Configuration

Displaying the EAPoUDP Configuration

Enabling EOU Logging

Configuring a NAC Rule-Associated Policy Globally for a Device

This task creates a NAC rule and associates a policy to be applied while the AAA server is unreachable. You can apply a policy globally to all interfaces on a network access device, if you want to provide the same level of network access to all users who access that device.

Prerequisites

An AAA server must be configured and NAC must be implemented on the NAD.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip admission name admission-name [eapoudp [bypass] | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name}] [list {acl | acl-name}] [event] [timeout aaa] [policy identity {identity-policy-name}]

4. ip admission admission-name [event timeout aaa policy identity identity-policy-name]

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip admission name admission-name [eapoudp [bypass] | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name}] [list {acl | acl-name}] [event] [timeout aaa] [policy identity {identity-policy-name}]

Example:

Router (config)# ip admission name greentree event timeout aaa policy identity aaa-down

(Optional) Configures a rule-specific policy globally for the device.

If a rule is configured, then it is applied instead of any other global event timeout policy configured on the device.

To remove a rule that was applied globally to the device, use the no form of the command.

Step 4 

ip admission admission-name [event timeout aaa policy identity identity-policy-name]

Example:

Router (config)# ip admission event timeout aaa policy identity AAA_DOWN

(Optional) Configures the specified IP NAC policy globally for the device.

To remove IP NAC policy that was applied to the device, use the no form of the command.

Note This policy applies only if no rule-specific policy is configured.

Step 5 

end

Example:

Router (config)# end

Exits the global configuration mode.

Applying a NAC Policy to a Specific Interface

An IP admission rule with NAC—Auth Fail Open policies can be attached to an interface. This task attaches a NAC—Auth Fail Open policy to a rule, and applies the rule to a specified interface on a device.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface interface-id

4. ip access-group {access-list-number | name} in

5. ip admission admission-name

6. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface interface-id

Example:

Router (config)# interface fastEthernet 2/1

Enters interface configuration mode.

Step 4 

ip access-group {access-list-number | name} in

Example:

Router (config-if)# ip access-group ACL15 in

Controls access to the specified interface.

Step 5 

ip admission admission-name

Example:

Router (config-if)# ip admission AAA_DOWN

Attaches the globally configured IP admission rule to the specified interface(s).

To remove the rule on the interface, use the no form of the command.

Step 6 

exit

Example:

Router (config)# exit

Returns to global configuration mode.

Configuring Authentication and Authorization Methods

This task configures the authentication and authorization methods for the device. The access granted using these methods remain in effect for users who attempt reauthorization while the AAA server is unavailable. These methods must be configured before you configure any policy to be applied to users who try to access the network when the AAA server is unreachable.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa authentication eou default group radius

5. aaa authorization network default local

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa new-model

Example:

Router (config)# aaa new-model

Enables AAA.

Step 4 

aaa authentication eou default group radius

Example:

Router (config)# aaa authentication eou default group radius

Sets authentication methods for Extensible Authorization Protocol over User Datagram Protocol (EAPoUDP).

To remove the EAPoUDP authentication methods, use the
use the no form of the command.

Step 5 

aaa authorization network default local

Example:

Router (config)# aaa authorization network default local

Sets the authorization method to local. To remove the authorization method, use the no form of the command.

Configuring RADIUS Server Parameters

This task configures the identity and parameters of the RADIUS server that provides AAA services to the network access device. To configure RADIUS server parameters, you should understand the following concepts:

Identifying the RADIUS Server

Determining When the RADIUS Server Is Unavailable

Identifying the RADIUS Server

A RADIUS server can be identified by:

hostname

IP address

hostname and a specific UDP port number

IP address and a specific UDP port number

The combination of the RADIUS server IP address and a specific UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, authentication—the second host entry configured acts as the backup to the first one. The RADIUS host entries are tried in the order that they were configured.

Determining When the RADIUS Server Is Unavailable

Because the NAC—Auth Fail Open feature applies a local policy when the RADIUS server is unavailable, you should configure "dead criteria" that identify when the RADIUS server is unavailable. There are two configurable dead criteria:

time—the interval (in seconds) without a response to a request for AAA service

tries—the number of consecutive AAA service requests without a response

If you do not configure the dead criteria, they are calculated dynamically, based on the server configuration and the number of requests being sent to the server.

You can also configure the number of minutes to wait before attempting to resume communication with a RADIUS server after it has been defined as unavailable.

SUMMARY STEPS

1. enable

2. configure terminal

3. radius-server dead-criteria [time seconds] [tries number-of-tries]

4. radius-server deadtime minutes

5. radius-server host {hostname | ip-address} [test username user-name] [auth-port port-number] [ignore-auth-port] [acct-port port-number] [ignore-acct-port] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [idle-time seconds]

6. radius-server attribute 8 include-in-access-req

7. radius-server vsa send [accounting | authentication]

8. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

radius-server dead-criteria [time seconds] [tries number-of-tries]

Example:

Router (config)# radius-server dead-criteria time 30 tries 20


(Optional) Sets the conditions that are used to decide when a RADIUS server is considered unavailable or dead.

The range for seconds is from 1 to 120 seconds. The default is that the NAD dynamically determines the seconds value within a range from 10 to 60 seconds.

The range for number-of-tries is from 1 to 100. The default is that the NAD dynamically determines the number-of-tries parameter within a range from 10 to 100.

Step 4 

radius-server deadtime minutes

Example:

Router (config)# radius-server deadtime 60

(Optional) Sets the number of minutes that a RADIUS server is not sent requests after it is found to be dead. The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.

Step 5 

radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [key string] [test username name [idle-time time]

Example: 
Router (config)# radius-server host 10.0.0.2 
acct-port 1550 auth-port 1560 test username 
user1 idle-time 30 key abc1234

(Optional) Configures the RADIUS server parameters by using these keywords:

acct-port udp-port—Specifies the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536. The default is 1646. If the port number is set to 0, the host is not used for accounting.

auth-port udp-port—Specifies the UDP port for the RADIUS authentication server. The range for the UDP port number is from 0 to 65536. The default is 1645. If the port number is set to 0, the host is not used for authentication.

Note You should configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to nondefault values.

key string—Specifies the authentication and encryption key for all RADIUS communication between the NAD and the RADIUS daemon.

Note Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon.

test username nameEnables automated testing of the RADIUS server status, and specify the username to be used.

idle-time time—Sets the interval of time in minutes after which the NAD sends test packets to the server. The range is from 1 to 35791 minutes. The default is 60 minutes (1 hour).

To configure multiple RADIUS servers, reenter this command.

Step 6 

radius-server attribute 8 include-in-access-req

Example:

Router (config)# radius-server attribute 8 include-in-access-req

If the device is connected to nonresponsive hosts, configures the device to send the Framed-IP-Address RADIUS attribute (attribute[8]) in access-request or accounting-request packets.

To configure the device to not send the Framed-IP-Address attribute, use the no radius-server attribute 8 include-in-access-req global configuration command.

Step 7 

radius-server vsa send authentication

Example:

Router (config)# radius-server vsa send authentication

Configures the network access server to recognize and use vendor-specific attributes (VSAs).

Step 8 

end

Example:

Router (config)# end

Returns to privileged EXEC mode.

Displaying the Status of Configured AAA Servers

This task displays the status of the AAA servers you have configured for the device.

SUMMARY STEPS

1. enable

2. show aaa servers

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show aaa servers

Example:

Router# show aaa servers

Displays the status of the AAA servers configured for the device.

Displaying the NAC Configuration

This task displays the current NAC configuration for the device.

SUMMARY STEPS

1. enable

2. show ip admission {[cacke] [configuration] [eapoudp]}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show ip admission configuration

Example:

Router# show ip admission configuration

Displays all the IP admission control rules configured for the device.

Displaying the EAPoUDP Configuration

This task displays information about the current EAPoUDP configuration for the device, including any NAC—Auth Fail Open policies in effect.

SUMMARY STEPS

1. enable

2. show eou {all | authentication {clientless | eap | static} | interface {interface-type} | ip {ip-address} | mac {mac-address} | posturetoken {name}} [{begin | exclude | include} expression]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show eou ip 10.0.0.1

Example:

Router# show eou ip 10.0.0.1

Displays information about the EAPoUDP configuration for the specified interface.

Enabling EOU Logging

A set of new system logs is included in Cisco IOS Release 12.4(11)T. These new logs track the status of the servers defined by the methodlist, and the NAC Auth Fail policy configuration. You should enable EOU logging to generate syslog messages that notify you when the AAA servers defined by the methodlist are unavailable, and display the configuration of the NAC—Auth Fail Open policy. The display shows whether a global or rule-specific policy is configured for the NAD or interface. If no policy is configured, the existing policy is retained.

This task enables EOU logging.

SUMMARY STEPS

1. configure terminal

2. eou logging

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 2 

eou logging

Example:

Router (config) # eou logging

Enables EOU logging.

Configuration Examples for NAC—Auth Fail Open

This section contains the following examples:

Sample NAC—Auth Fail Open Configuration: Example

Sample RADIUS Server Configuration: Example

show ip admission configuration Output: Example

show eou Output: Example

show aaa servers Output: Example

EOU Logging Output: Example

Sample NAC—Auth Fail Open Configuration: Example

The example below shows how to configure the NAC—Auth Fail Open feature: 

Switch# configure terminal 

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)# ip admission name AAA_DOWN eapoudp event timeout aaa policy identity 

global_policy

Switch(config)# aaa new-model

Switch(config)# aaa authorization network default local

Switch(config)# aaa authentication eou default group radius

Switch(config)# identity policy global_policy

Switch(config-identity-policy)# ac

Switch(config-identity-policy)# access-group global_acl

Switch(config)# ip access-list extended global_acl

Switch(config-ext-nacl)# permit ip any any

Switch(config-ext-nacl)# exit

Sample RADIUS Server Configuration: Example

The example below shows that the RADIUS server is considered unreachable after 3 unsuccessful tries: 

Switch(config)# radius-server host 10.0.0.4 test username administrator idle-time 1 key 

sample

Switch(config)# radius-server dead-criteria tries 3

Switch(config)# radius-server deadtime 30

Switch(config)# radius-server vsa send authentication

Switch(config)# radius-server attribute 8 include-in-access-req

Switch(config)# int fastEthernet 2/13

Switch(config-if)# ip admission AAA_DOWN

Switch(config-if)# exit

show ip admission configuration Output: Example

The following example shows that a policy called "global policy" has been configured for use when the AAA server is unreachable: 

Switch# show ip admission configuration 


Authentication global cache time is 60 minutes Authentication global absolute time is 0 

minutes Authentication global init state time is 2 minutes Authentication Proxy Watch-list 

is disabled



Authentication Proxy Rule Configuration


 Auth-proxy name AAA_DOWN


    eapoudp list not specified auth-cache-time 60 minutes


    Identity policy name global_policy for AAA fail policy

show eou Output: Example

The example below shows the configuration of the AAA servers defined for a NAC—Auth Fail policy configuration: 

Router# show eou ip 10.0.0.1

 
Address : 10.0.0.1 
MAC Address : 0001.027c.f364 
Interface : Vlan333 
! Authtype is show as AAA DOWN when in AAA is not reachable.

AuthType : AAA DOWN  
! AAA Down policy name:

AAA Down policy : rule_policy  
Audit Session ID : 00000000011C11830000000311000001 
PostureToken : ------- 
Age(min) : 0 
URL Redirect : NO URL REDIRECT 
URL Redirect ACL : NO URL REDIRECT ACL 
ACL Name : rule_acl 
Tag Name : NO TAG NAME 
User Name : UNKNOWN USER 
Revalidation Period : 500 Seconds 
Status Query Period : 300 Seconds 
Current State : AAA DOWN

show aaa servers Output: Example

The example below shows sample status information for a configured AAA server: 

Switch# show aaa servers


RADIUS: id 1, priority 1, host 10.0.0.4, auth-port 1645, acct-port 1646


     State: current UP, duration 5122s, previous duration 9s


     Dead: total time 79s, count 3


     Authen: request 158, timeouts 14


             Response: unexpected 1, server error 0, incorrect 0, time 180ms


             Transaction: success 144, failure 1


     Author: request 0, timeouts 0


             Response: unexpected 0, server error 0, incorrect 0, time 0ms


             Transaction: success 0, failure 0


     Account: request 0, timeouts 0


             Response: unexpected 0, server error 0, incorrect 0, time 0ms


             Transaction: success 0, failure 0


     Elapsed time since counters last cleared: 2h13mS

EOU Logging Output: Example

The example below shows the display when EOU logging is enabled: 

Router (config)# eou logging

EOU-5-AAA_DOWN: AAA unreachable. 

METHODLIST=Default| HOST=17.0.0.1| POLICY=Existing policy retained. 

EOU-5-AAA_DOWN: AAA unreachable. 

METHODLIST=Default| HOST=17.0.0.1| POLICY=aaa_unreachable_policy

Additional References

Related Documents

Related Topic
Document Title

Configuring NAC

"Network Admission Control" module.

Security commands

Cisco IOS Security Command Reference


Standards

Standard
Title

IEEE 802.1x

IEEE Standard 802.1X - 2004
Port-Based Network Access Control


MIBs

MIB
MIBs Link

None.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


Technical Assistance

Description
Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html


Feature Information for NAC—Auth Fail Open

Table 1 lists the release history for this feature.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for NAC—Auth Fail Open 

Feature Name
Releases
Feature Information

NAC—Auth Fail Open

12.3(8)T

In network admission control (NAC) deployments, authentication, authorization, and accounting (AAA) servers validate the antivirus status of clients before granting network access. This process is called posture validation. If the AAA server is unreachable, clients do not have access to the network. The NAC—Auth Fail Open feature enables the administrator to apply a policy that allows users to have network access when the AAA server is unreachable. The administrator can configure a global policy that applies to a device, or a rule-based policy that applies to a specific interface.

When the AAA server returns to a reachable status, the posture validation process resumes for clients that are using the NAC—Auth Fail Open policy.

This feature was introduced in Cisco IOS Release 12.3(8)T.

The following commands were introduced or modified: ip admission, ip admission name, show eou, show ip admission


Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2006-2011 Cisco Systems, Inc. All rights reserved.