Understanding NAC
EoU Bypass
The switch can use the EoU bypass feature to speed up posture validation of hosts that are not using the
Cisco Trust Agent. If EoU bypass is enabled, the switch does not contact the host to request the antivirus
condition. Instead, the switch sends a request to the Cisco Secure ACS that includes the IP address, MAC
address, service type, and EAPoUDP session ID of the host. The Cisco Secure ACS makes the access
control decision and sends the policy to the switch.
If EoU bypass is enabled and the host is nonresponsive, the switch sends a nonresponsive-host request
to the Cisco Secure ACS and applies the access policy from the server to the host.
If EoU bypass is enabled and the host uses Cisco Trust Agent, the switch also sends a nonresponsive-host
request to the Cisco Secure ACS and applies the access policy from the server to the host.
EAPoUDP Sessions
If the EoU bypass is disabled, the switch sends an EAPoUDP packet to initiate posture validation. While
posture validation occurs, the switch enforces the default access policy. After the switch sends an
EAPoUDP message to the host and the host responds to the antivirus condition request, the switch
forwards the EAPoUDP response to the Cisco Secure ACS. If no response is received from the host after
the specified number of attempts, the switch classifies the host as nonresponsive. After the ACS validates
the credentials, the authentication server returns an Access-Accept message with the posture token and
the policy attributes to the switch. The switch updates the EAPoUDP session table and enforces the
access limitations, which can segment and quarantine poorly postured clients or deny them network
access altogether.
There are two types of policies that apply to ports during posture validation:
• Host Policy—The Host policy consists of an ACL that enforces the access limitations as determined
by the outcome of posture validation.
• URL Redirect Policy—The URL Redirect policy provides a method to redirect all HTTP or HTTPS
traffic to a remediation server that allows a noncompliant host to perform the necessary upgrade
actions to become compliant.
The operation of the URL-Redirect deny ACEs (typically used to bypass the redirection of HTTP traffic
destined to remediation servers) is that traffic matching these ACEs is forwarded in hardware without
applying the default interface policy or the downloaded host policy. If this traffic (that is, the traffic that
matches the deny URL Redirect ACEs) must be filtered, you need to define a VLAN ACL on the switch
port access VLAN.
The URL-Redirect Policy consists of the following:
• A URL that points to the remediation server.
• An ACL on the switch that causes all HTTP or HTTPS packets from the host other than those
destined to the remediation server address to be captured and redirected to the switch software for
the necessary HTTP redirection.
The ACL name for the host policy, the redirect URL, and the URL redirect ACL are conveyed using
RADIUS Attribute-Value objects.
Note If a DHCP snooping binding entry for a client is deleted, the switch removes the client entry in the
session table, and the client is no longer authenticated.
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
45-6
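As an added illustration (not from the configuration guide or any Cisco software), the following Python model evaluates packets from a quarantined host against a constructed URL-redirect ACL and host-policy ACL; it shows why traffic hitting a URL-redirect deny ACE escapes the host policy and can only be filtered by a VLAN ACL. The remediation-server address, prefixes, and ACL contents are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol, otherwise "tcp"/"udp"
    dst: str      # destination prefix in CIDR notation
    port: int     # destination port, or 0 for any

Packet = namedtuple("Packet", "proto dst dport")

def first_match(acl, pkt):
    # First-match ACL evaluation; None stands for the implicit deny at the end.
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ip_address(pkt.dst) not in ip_network(ace.dst):
            continue
        if ace.port and ace.port != pkt.dport:
            continue
        return ace
    return None

def disposition(pkt, redirect_acl, host_acl, vacl=None):
    """How the switch treats one packet from a quarantined host."""
    m = first_match(redirect_acl, pkt)
    if m is not None and m.action == "deny":
        # Deny ACE: forwarded in hardware; neither the default interface policy
        # nor the downloaded host policy applies. Only a VLAN ACL can filter it.
        if vacl is not None:
            v = first_match(vacl, pkt)
            if v is None or v.action == "deny":
                return "dropped-by-vacl"
        return "forwarded-bypassing-host-policy"
    if m is not None:  # permit ACE: punted to software for HTTP redirection
        return "redirected-to-remediation-url"
    h = first_match(host_acl, pkt)
    if h is not None and h.action == "permit":
        return "forwarded-per-host-policy"
    return "dropped-by-host-policy"

# Constructed sample policies (illustrative values, not from any deployment).
REMEDIATION = "10.10.10.5/32"
URL_REDIRECT_ACL = [
    Ace("deny", "tcp", REMEDIATION, 80), Ace("deny", "tcp", REMEDIATION, 443),
    Ace("permit", "tcp", "0.0.0.0/0", 80), Ace("permit", "tcp", "0.0.0.0/0", 443),
]
HOST_POLICY_ACL = [Ace("permit", "ip", "10.10.10.0/24", 0)]  # quarantine: remediation subnet only
```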
Chapter 45
Configuring Network Admission Control
OL-4266-08