Chapter 44
Configuring Network Admission Control
device that is seeking access to the network. Some of these attributes relate to the endpoint device type and operating system; other attributes belong to various security applications that might be present on the endpoint, such as antivirus (AV) scanning software. The posture token is one of the conditions in the authorization rules for network access. Posture validation, together with traditional user authentication, provides a complete security assessment of the endpoint device and the user.
• status-query-timeout—Overrides the status-query default value of the AAA client with the value that you specify, in seconds, as follows:
status-query-timeout=150
For more information about AV pairs that are supported by Cisco software, see the documentation for the releases of software that are implemented on your AAA clients.

Redirection
NAC supports HTTP redirection, which redirects any HTTP request from the endpoint device to a specified redirect address. This mechanism redirects all HTTP requests from a source to a specified web page (URL) from which the latest antivirus files can be downloaded. You must set the value of the url-redirect VSA on the ACS and, correspondingly, add an access control entry to the downloadable ACL that permits the endpoint system to reach the redirect URL address.

LAN Port IP Posture Validation Summary
LAN port IP allows posture-validating end-user devices to access the network based on their posture. End-user devices are classified into one of five possible states after posture validation: healthy, checkup, quarantine, infected, or unknown. Network access is granted depending on the device's posture. LAN port IP enforcement mechanisms include URL redirection and auditing. PBACLs are used for enforcing network access.
The basic steps in posture validation are as follows:
1. The NAD learns the MAC and IP address bindings using ARP inspection and/or DHCP snooping.
Note
If you use DHCP triggering for posture validation, you must also enable ARP inspection. If ARP inspection is not enabled, the posture validation completes but the session is torn down within a few minutes because the ARP probe replies from the client are not seen by the EAP over UDP (EOU) state machinery.
2. The NAD sends an EOU hello request to the host.
3. If the host is running CTA, it responds with a hello response.
4. The NAD sends an EOU validate identity request.
5. The CTA responds with an EOU validate response.
6. The NAD extracts the EAP packet from the EOU, embeds it in the RADIUS access request, and sends it to the authentication server (such as the ACS).
7. The ACS sends back an access challenge that is relayed to the CTA in the form of an EOU validate packet.
8. Step 6 and Step 7 continue until the ACS sends a success or failure response for the posture validation session.

Configuring Network Admission Control with LAN Port IP
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
44-5
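As an added example (not code from the configuration guide or from Cisco), the following Python encodes and decodes the AV pairs discussed above (status-query-timeout, url-redirect) as RADIUS Vendor-Specific attributes, and checks an authorization profile for the conditions this section sets out: a posture token in one of the five states, an integer status-query-timeout, and, when url-redirect is set, a downloadable ACL entry that permits the redirect host. The posture-token AV pair name and the ip:inacl#N=<ace> form for downloadable ACL entries are assumptions, not shown on this page.

```python
import struct
from urllib.parse import urlsplit

# RADIUS Vendor-Specific attribute (type 26) carrying Cisco AV pairs: Cisco
# vendor ID 9, vendor-type 1 (cisco-av-pair). Assumed names: "posture-token",
# and dACL entries in the "ip:inacl#N=<ace>" form (neither is on the page).
RADIUS_VSA, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
POSTURE_STATES = {"healthy", "checkup", "quarantine", "infected", "unknown"}

def encode_cisco_avpair(avpair: str) -> bytes:
    """Build one RADIUS VSA holding a single cisco-av-pair string."""
    value = avpair.encode()
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", RADIUS_VSA, 2 + len(body)) + body

def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return every cisco-av-pair string."""
    pairs, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == RADIUS_VSA and alen >= 8 and \
                struct.unpack("!I", attrs[i + 2:i + 6])[0] == CISCO_VENDOR_ID:
            j, end = i + 6, i + alen
            while j + 2 <= end:  # vendor-type, vendor-length, value
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("malformed vendor attribute length")
                if vtype == CISCO_AVPAIR:
                    pairs.append(attrs[j + 2:j + vlen].decode())
                j += vlen
        i += alen
    return pairs

def check_nac_profile(pairs: list) -> list:
    """Report posture token outside the five states, a non-integer
    status-query-timeout, or a url-redirect host no dACL entry permits."""
    kv = dict(p.split("=", 1) for p in pairs if "=" in p)
    problems = []
    if kv.get("posture-token", "").lower() not in POSTURE_STATES:
        problems.append(f"unknown posture token {kv.get('posture-token')!r}")
    if not kv.get("status-query-timeout", "0").isdigit():
        problems.append("status-query-timeout is not a number of seconds")
    url = kv.get("url-redirect")
    if url:
        host = urlsplit(url).hostname or ""
        aces = [v for k, v in kv.items() if k.startswith("ip:inacl#")]
        if not any(a.startswith("permit") and host in a.split() for a in aces):
            problems.append(f"no dACL entry permits the redirect host {host}")
    return problems
```

The ACE check matches the redirect host as a whole token of a permit entry; it is a consistency check on the profile, not a full ACL parser.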