Cisco 7604 Configuration Manual page 792
Ios software configuration guide
Hide thumbs
Also See for 7604:
- Configuration manual (742 pages) ,
- Installation manual (324 pages) ,
- User manual (98 pages)
Table of Contents
Advertisement
Understanding NAC
make host-specific network access policy decisions instead of enforcing a common restrictive policy for
all nonresponsive hosts. You can build more robust host audit and examination functionality by
integrating any third-party audit operations into the NAC architecture.
Figure 45-3
Figure 45-3
Endpoint
device
The architecture assumes that the audit server can be reached so that the host can communicate with it.
When a host (endpoint device) makes network access through the NAD configured for posture
validation, the network access device eventually requests the AAA server (Cisco Secure ACS) for an
access policy to be enforced for the host. The AAA server can be configured to trigger a scan of the host
with an external audit server. The audit server scan happens asynchronously and can take several seconds
to complete. During the time of the audit server scan, the AAA server conveys a minimal restrictive
security policy to NAD for enforcement along with a short poll timer (session-timeout). The NAD polls
the AAA sever at the specified timer interval until the result is available from the audit server. After the
AAA server receives the audit result, it computes an access policy based on the audit result and is sent
down to NAD for enforcement on its next request.
ACLs
If you configure NAC Layer 2 IP validation on a switch port, you must also configure a default port ACL
on a switch port. You should also apply the default ACL to IP traffic for hosts that have not completed
posture validation.
If the default ACL is configured on the switch and the Cisco Secure ACS sends a host access policy to
the switch, the switch applies the policy to traffic from the host connected to a switch port. If the policy
applies to the traffic, the switch forwards the traffic. If the policy does not apply, the switch applies the
default ACL. However, if the switch gets an host access policy from the Cisco Secure ACS but the default
ACL is not configured, the NAC Layer 2 IP configuration does not take effect.
If the Cisco Secure ACS sends the switch an downloadable ACL that specifies a redirect URL as a
policy-map action, this ACL takes precedence over the default ACL already configured on the switch
port. The redirect URL ACL policy also takes precedence over the policy already configured on the host.
If the default port ACL is not configured on the switch, the switch can still apply the downloadable ACL
from the Cisco Secure ACS.
NAC Timers
The switch supports these timers:
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
45-8
shows how audit servers fit into the typical topology.
NAC Device Roles
Audit mechanisms
e.g. port scan
IP traffic
NAD
Intercept IP traffic
from new endpoint
Chapter 45
Audit server
GAMEP
Radius
AAA server
Configuring Network Admission Control
OL-4266-08
- Quick Links:
- Supported Hardware and Software
Hide quick links:
Advertisement
Chapters
Table of Contents
