Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX (OL-4266-08), page 45-5
Chapter 45 Configuring Network Admission Control
Understanding NAC

• Cisco Secure ACS and AV Pairs, page 45-7
• Audit Servers, page 45-7
• ACLs, page 45-8
• NAC Timers, page 45-8
• NAC Layer 2 IP Validation and Redundant Supervisor Engines, page 45-11

Posture Validation

NAC Layer 2 IP supports the posture validation of multiple hosts on the same switch port, as shown in Figure 45-2.

When you enable NAC Layer 2 IP validation on a switch port to which hosts are connected, the switch can use DHCP snooping and Address Resolution Protocol (ARP) snooping to identify connected hosts. The switch initiates posture validation after receiving an ARP packet or creating a DHCP snooping binding entry. When you enable NAC Layer 2 IP validation, ARP snooping is the default method to detect connected hosts. If you want the switch to detect hosts when a DHCP snooping binding entry is created, you must enable DHCP snooping.

When both detection methods are available, the creation of a DHCP snooping binding entry takes precedence over the arrival of an ARP packet as the event that initiates posture validation. If only dynamic ARP inspection is enabled on the access VLAN assigned to a switch port, posture validation is initiated when ARP packets pass the dynamic ARP inspection validation checks. However, if DHCP snooping and dynamic ARP inspection are both enabled, posture validation is initiated through DHCP when a DHCP snooping binding entry is created.

When posture validation is initiated, the switch creates an entry in the session table to track the posture validation status of the host and follows this process to determine the NAC policy:

1. If the host is in the exception list, the switch applies the user-configured NAC policy to the host.
2. If EoU bypass is enabled, the switch sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host. The switch inserts a RADIUS AV pair into the request to specify that the request is for a nonresponsive host.
3. If EoU bypass is disabled, the switch sends an EAPoUDP hello packet to the host, requesting the host antivirus condition. If no response is received from the host after the specified number of attempts, the switch classifies the host as clientless, and the host is considered to be a nonresponsive host. The switch sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host.

Exception Lists

An exception list has local profile and policy configurations. Use the identity profile to statically authorize or validate devices based on the IP address, MAC address, or device type. An identity profile is associated with a local policy that specifies the access control attributes.

You can bypass posture validation of specific hosts by specifying those hosts in an exception list and applying a user-configured policy to the hosts. After the entry is added to the EAPoUDP session table, the switch compares the host information to the exception list. If the host is in the exception list, the switch applies the configured NAC policy to the host. The switch also updates the EAPoUDP session table with the validation status of the client as POSTURE ESTAB.
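The following is an added illustration, not Cisco code or configuration: a small Python model of the host-detection precedence (DHCP snooping binding before ARP, with dynamic ARP inspection gating ARP) and of the three-step policy decision described under Posture Validation and Exception Lists. The class and function names, the session-status labels other than POSTURE ESTAB, the modelling of the RADIUS AV pair as a `nonresponsive_host` flag, and the sample hosts and policies are all assumptions made for the example.

```python
# Illustrative model of the NAC Layer 2 IP posture-validation flow (not Cisco code).
# All names below are hypothetical; the ACS and the host are stubbed as callbacks
# so the decision order can be traced offline.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    """A host-detection event seen by the switch (constructed sample input)."""
    kind: str               # "dhcp" (snooping binding created) or "arp" (ARP packet seen)
    ip: str
    mac: str
    passes_dai: bool = True  # only meaningful for ARP when dynamic ARP inspection is on


@dataclass
class Session:
    """One row of the EAPoUDP session table."""
    ip: str
    mac: str
    status: str = "INIT"      # assumed label; "POSTURE ESTAB" and "CLIENTLESS" are from the page
    policy: Optional[str] = None
    hello_attempts: int = 0


def choose_trigger(events: List[Event], dhcp_snooping: bool, dai: bool) -> Optional[Event]:
    """Pick the event that starts posture validation.

    A DHCP snooping binding entry takes precedence over an ARP packet. ARP only
    triggers when no DHCP binding is available, and if dynamic ARP inspection is
    enabled the ARP packet must first pass the DAI checks.
    """
    if dhcp_snooping:
        for ev in events:
            if ev.kind == "dhcp":
                return ev
    for ev in events:
        if ev.kind == "arp" and (ev.passes_dai or not dai):
            return ev
    return None


class NacSwitch:
    def __init__(self, exception_list: List[tuple], eou_bypass: bool,
                 max_retry: int, acs: Callable[[Dict], str]):
        # exception_list entries: ("ip" | "mac" | "device_type", value, local_policy)
        self.exception_list = exception_list
        self.eou_bypass = eou_bypass
        self.max_retry = max_retry      # EAPoUDP hello attempts before "clientless"
        self.acs = acs                  # stands in for the Cisco Secure ACS RADIUS server
        self.session_table: Dict[str, Session] = {}

    def _exception_policy(self, ip: str, mac: str, device_type: str) -> Optional[str]:
        for key, value, policy in self.exception_list:
            if (key, value) in (("ip", ip), ("mac", mac), ("device_type", device_type)):
                return policy
        return None

    def posture_validate(self, ev: Event, device_type: str,
                         host_answers_hello: Callable[[int], bool]) -> Session:
        sess = Session(ev.ip, ev.mac)
        self.session_table[ev.ip] = sess
        # Step 1: a host on the exception list gets the local policy, no posture check.
        local = self._exception_policy(ev.ip, ev.mac, device_type)
        if local is not None:
            sess.policy, sess.status = local, "POSTURE ESTAB"
            return sess
        # Step 2: EoU bypass -> nonresponsive-host request to ACS straight away.
        # The RADIUS AV pair is modelled as a flag; its real attribute name is not on the page.
        if self.eou_bypass:
            sess.policy = self.acs({"ip": ev.ip, "nonresponsive_host": True})
            sess.status = "NONRESPONSIVE"   # assumed label
            return sess
        # Step 3: EAPoUDP hellos; after max_retry silent attempts the host is clientless.
        for attempt in range(1, self.max_retry + 1):
            sess.hello_attempts = attempt
            if host_answers_hello(attempt):
                sess.status = "EAPOUDP_IN_PROGRESS"  # assumed: full posture exchange follows
                return sess
        sess.status = "CLIENTLESS"
        sess.policy = self.acs({"ip": ev.ip, "nonresponsive_host": True})
        return sess


def demo():
    """Constructed scenario: a silent PC and a printer on the exception list."""
    acs = lambda req: "NRH_POLICY" if req.get("nonresponsive_host") else "FULL_ACCESS"
    sw = NacSwitch([("device_type", "printer", "PRINTER_POLICY")],
                   eou_bypass=False, max_retry=3, acs=acs)
    ev = choose_trigger([Event("arp", "10.0.0.5", "00:11:22:33:44:55"),
                         Event("dhcp", "10.0.0.5", "00:11:22:33:44:55")],
                        dhcp_snooping=True, dai=True)
    silent_pc = sw.posture_validate(ev, "pc", host_answers_hello=lambda n: False)
    printer = sw.posture_validate(Event("arp", "10.0.0.9", "00:aa:bb:cc:dd:ee"),
                                  "printer", host_answers_hello=lambda n: False)
    return ev.kind, silent_pc, printer


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the DHCP event winning the trigger choice, the silent PC exhausting three hellos and receiving the nonresponsive-host policy from the ACS stub, and the printer being placed in POSTURE ESTAB from the exception list without any EAPoUDP exchange.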