Network Admission Control: Agentless Host Support
First Published: February 27, 2006
Last Updated: August 28, 2009
The Network Admission Control: Agentless Host Support feature allows for an exhaustive examination of agentless hosts (hosts that are not running the Cisco Trust Agent software). This examination allows customers to build a robust host or examination functionality by integrating any third-party audit mechanisms into the Network Admission Control architecture.
This feature also allows for Extensible Authentication Protocol over UDP (EAPoUDP) bypass, which speeds up the posture validation of hosts that are not using Cisco Trust Agent.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Network Admission Control: Agentless Host Support" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
• Prerequisites for Network Admission Control: Agentless Host Support
• Information About Network Admission Control: Agentless Host Support
• How to Configure Network Admission Control: Agentless Host Support
• Configuration Examples for Network Admission Control: Agentless Host Support
• Additional References
• Feature Information for Network Admission Control: Agentless Host Support
Prerequisites for Network Admission Control: Agentless Host Support
• You must be running Cisco IOS Release 12.4(6)T or a later release.
• You must be using a Cisco access control server (ACS) version 4.0 or a later version.
• You must have a Cisco or third-party audit server set up.
Information About Network Admission Control: Agentless Host Support
To configure the Network Admission Control: Agentless Host Support feature, you should understand the following concepts:
• Network Admission Control
• Agentless Hosts
• EAPoUDP Bypass
• Vendor-Specific Attributes for This Feature
Network Admission Control
The Cisco Network Admission Control functionality enables the credentials of an endpoint device to be checked for compliance with the security policy before the device is granted access to network resources. This checking requires a security application called Cisco Trust Agent (CTA) to be installed on the end devices. CTA gathers security state information and communicates it to access servers, where policy decisions are made and then enforced on Cisco network access devices (such as routers and switches).
Agentless Hosts
End devices that do not run CTA cannot provide credentials when challenged by network access devices (NADs). Such hosts are termed "agentless" or "nonresponsive." In the Phase 1 release of Network Admission Control, agentless hosts were supported either by a static configuration using exception lists (an identity profile) or by using "clientless" username and password authentication on an ACS. These methods are restrictive and do not convey any specific information about the host when policy decisions are made.
EAPoUDP Bypass
You can use the EAPoUDP Bypass feature to reduce latency of the validation of hosts that are not using CTA. If EAPoUDP bypass is enabled, the NAD does not contact the host to request the antivirus condition (the NAD does not try to establish an EAPoUDP association with the host if the EAPoUDP Bypass option is configured). Instead, the NAD sends a request to the Cisco Secure ACS that includes the IP address, MAC address, service type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the access control decision and sends the policy to the NAD.
If EAPoUDP bypass is enabled, the NAD sends an agentless host request to the Cisco Secure ACS and applies the access policy from the server to the host.
If EAPoUDP bypass is enabled and the host uses the Cisco Trust Agent, the NAD also sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host.
Vendor-Specific Attributes for This Feature
The following new attributes are supported for various RADIUS message exchanges:
• audit-session-id
• url-redirect-acl
audit-session-id
The audit-session-id vendor-specific attribute (VSA) is a 32-byte string that uniquely identifies a host session. This identifier is generated by a NAD when the host is detected, and it remains the same until the session is deleted. Session revalidation or reinitialization does not change this identifier; only a newly detected session receives a new identifier. This attribute is included in access requests to the authentication, authorization, and accounting (AAA) server and in web requests to the audit server. The value of this attribute is displayed in show eou command output (using the ip keyword).
url-redirect-acl
The url-redirect-acl VSA string specifies the name of the access control list (ACL) for URL redirection. Any ingress HTTP traffic from the host that matches the access list specified by this attribute is redirected to the URL specified by the url-redirect VSA. The access list named in this attribute has to be locally configured on the NAD as an "ip access-list extended" named ACL. This attribute is specified only in RADIUS access-accept messages. The value of the url-redirect-acl attribute is displayed using the show eou command (with the ip keyword).

Note
Phase 1 of the Network Admission Control feature introduced the url-redirect VSA, which allowed the HTTP sessions of users to be redirected to the address specified by the url-redirect VSA. This redirection is useful if you want to remediate hosts that do not comply with the network security policy. However, to determine which user HTTP requests are to be redirected, Phase 1 of Network Admission Control assumed that any HTTP traffic that was intercepted and denied by the host policy ACL (the access control server ACL) was subject to redirection. The url-redirect-acl VSA lets users customize the redirect criteria, and it is backward compatible: if url-redirect-acl is specified in the access-accept message for the host, any user HTTP sessions that match the ACL are redirected; if the url-redirect-acl attribute is not received, the Phase 1 redirection logic is used. The Phase 1 redirection logic applies only to Cisco IOS routers. The url-redirect-acl attribute is mandatory for Cisco IOS switches.
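The redirect criteria described in this note, as an added Python example that is not part of the Cisco documentation or of any NAD code: it encodes and decodes cisco-avpair VSAs (RADIUS Vendor-Specific attribute type 26 per RFC 2865, Cisco enterprise number 9, vendor-type 1), checks that the ACL named by url-redirect-acl exists locally, and falls back to the Phase 1 logic when the attribute is absent. The flow tuple, the local_acls callables and the denied_by_host_acl flag are modelling assumptions, and the sample access-accept is constructed from the ACS configuration example later on this page.

```python
import ipaddress
import struct

VSA_TYPE, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1   # RFC 2865 VSA type, Cisco enterprise number, cisco-avpair

def encode_cisco_avpair(avpair: str) -> bytes:
    """Encode one cisco-avpair string as a RADIUS VSA: type 26, vendor 9, vendor-type 1."""
    data = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body

def decode_cisco_avpairs(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and collect the Cisco avpairs into a name -> value dict."""
    pairs, i = {}, 0
    while i + 2 <= len(attrs):
        typ, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        val, i = attrs[i + 2:i + length], i + length
        if typ != VSA_TYPE or len(val) < 6 or struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue                      # not a Cisco VSA; ignore
        j = 4                             # skip the 4-byte Vendor-Id
        while j + 2 <= len(val):
            vtype, vlen = val[j], val[j + 1]
            if vlen < 2 or j + vlen > len(val):
                raise ValueError("malformed Cisco VSA")
            if vtype == CISCO_AVPAIR:
                name, _, value = val[j + 2:j + vlen].decode("ascii").partition("=")
                pairs[name] = value
            j += vlen
    return pairs

def should_redirect(avpairs: dict, local_acls: dict, flow: tuple, denied_by_host_acl: bool) -> bool:
    """Redirect criteria from the note above: url-redirect-acl governs when present, else Phase 1 logic."""
    if "url-redirect" not in avpairs:
        return False                      # no redirect target was sent
    acl_name = avpairs.get("url-redirect-acl")
    if acl_name is None:
        return denied_by_host_acl         # Phase 1 logic: HTTP denied by the host policy ACL is redirected
    if acl_name not in local_acls:        # the named ACL must be configured locally on the NAD
        raise LookupError(f"url-redirect-acl {acl_name!r} is not configured on this NAD")
    return local_acls[acl_name](flow)

# Constructed sample: a local ACL equivalent to "permit tcp any 10.0.0.0 0.0.0.255 eq www" over
# flow = (protocol, destination IP, destination port), plus the two avpairs from the ACS example.
LOCAL_ACLS = {"RedirectACL": lambda f: f[0] == "tcp" and f[2] == 80
              and ipaddress.ip_address(f[1]) in ipaddress.ip_network("10.0.0.0/24")}
ACCESS_ACCEPT = (encode_cisco_avpair("url-redirect=http://audit-server.com/host_session_id=$host_session_id")
                 + encode_cisco_avpair("url-redirect-acl=RedirectACL"))
```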
How to Configure Network Admission Control: Agentless Host Support
This section includes the following required and optional tasks.
• Configuring a NAD to Bypass EAPoUDP Communication (required)
• Verifying Agentless Host and EAPoUDP Bypass (optional)
Configuring a NAD to Bypass EAPoUDP Communication
To configure a NAD to bypass EAPoUDP, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip admission name admission-name eapoudp bypass
4. eou allow clientless
5. interface type slot/port
6. end
DETAILED STEPS
Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: ip admission name admission-name eapoudp bypass
Example: Router(config)# ip admission name greentree eapoudp bypass
Purpose: Creates an IP network admission control rule that bypasses EAPoUDP communication.
Step 4
Command or Action: eou allow clientless
Example: Router(config)# eou allow clientless
Purpose: Allows authentication of clientless hosts (systems that do not run Cisco Trust Agent).
Step 5
Command or Action: interface type slot/port
Example: Router(config)# interface ethernet 2/4
Purpose: Configures an interface type and enters interface configuration mode.
Step 6
Command or Action: end
Example: Router(config-if)# end
Purpose: Exits configuration modes.
Verifying Agentless Host and EAPoUDP Bypass
To verify your configuration for Agentless Host and EAPoUDP Bypass, perform the following steps. The debug and show commands can be used independently of each other.
SUMMARY STEPS
1. enable
2. debug eou
3. show eou ip ip-address
4. show ip admission configuration
DETAILED STEPS
Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2
Command or Action: debug eou
Example: Router# debug eou
Purpose: Displays debugging information about EAPoUDP.
Step 3
Command or Action: show eou ip ip-address
Example: Router# show eou ip 10.0.0.0
Purpose: Displays information about EAPoUDP global values or EAPoUDP session cache entries.
Step 4
Command or Action: show ip admission configuration
Example: Router# show ip admission configuration
Purpose: Displays information about the agentless host and EAPoUDP Bypass configuration.
Configuration Examples for Network Admission Control: Agentless Host Support
This section provides the following configuration examples.
• RADIUS Message Exchange url-redirect-acl VSA: Example
• Show Output Displaying the Value of a Newly Defined VSA
RADIUS Message Exchange url-redirect-acl VSA: Example
ACS Configuration
url-redirect=http://audit-server.com/host_session_id=$host_session_id
url-redirect-acl=RedirectACL
NAD Configuration
Router(config)# ip access-list extended RedirectACL
Router(config-ext-nacl)# permit tcp any 10.0.0.0 0.0.0.255 eq www
Router(config-ext-nacl)# end
Show Output Displaying the Value of a Newly Defined VSA
The following show eou command output displays EAPoUDP session cache information for a given IP address. The value of the newly defined VSA (URL Redirect ACL) is also shown.
Router# show eou ip 10.0.0.1
MAC Address : 0001.027c.f364
Interface : FastEthernet1/0/3
Audit Session ID : 000000001C8A6A330000001812000001
URL Redirect : http://wwwin.cisco.com
URL Redirect ACL : RedirectACL
ACL Name : #ACSACL#-IP-Infected-42835ff7
User Name : NAC-DEV-PC-3:Administrator
Revalidation Period : 30000 Seconds
Status Query Period : 300 Seconds
Current State : AUTHENTICATED
Additional References
The following sections provide references related to Network Admission Control: Agentless Host Support.
Related Documents
Standards
Standard | Title
No new or modified standards are supported by this feature. | —
MIBs
MIB | MIBs Link
No new or modified MIBs are supported by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
No new or modified RFCs are supported by this feature. | —
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for Network Admission Control: Agentless Host Support
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note
Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Network Admission Control: Agentless Host Support
Feature Name: Network Admission Control: Agentless Host Support
Releases: 12.4(6)T
Feature Information: The Network Admission Control: Agentless Host Support feature allows for an exhaustive examination of agentless hosts (hosts that are not running the Cisco Trust Agent software). This examination allows customers to build a robust host or examination functionality by integrating any third-party audit mechanisms into the Network Admission Control architecture. This feature also allows for Extensible Authentication Protocol over UDP (EAPoUDP) bypass, which speeds up the posture validation of hosts that are not using Cisco Trust Agent. This feature was introduced in Cisco IOS Release 12.4(6)T. The following commands were introduced or modified: eou clientless, ip admission name, show eou.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2006-2009 Cisco Systems, Inc. All rights reserved.