Chapter 30 Network Admission Control
Create NAC Tab
30-6
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Note: When performing a ping test, enter the IP address of the RADIUS source interface
in the source field in the ping dialog. If you chose Router chooses source, you
need not provide any value in the ping dialog source field.
The Edit and Ping buttons are disabled when no RADIUS server information is
available for the chosen interface.
Interface Selection
Choose the interface on which to enable NAC in this window. Choose the
interface through which network hosts connect to the network.
Click the Details button to display the policies and rules associated with the
interface you choose. The window displays the names of the ACLs applied to
inbound and to outbound traffic on this interface.
If an inbound ACL is already present on the interface, Cisco SDM uses that ACL
for NAC by adding appropriate permit statements for EAPoUDP traffic. If the IP
address of the interface on which NAC is being applied were 192.55.22.33, a
sample permit statement might be the following:
access-list 100 permit udp any eq 21862 192.55.22.33
The permit statement that Cisco SDM adds uses the port number 21862 for the
EAPoUDP protocol. If the network hosts run EAPoUDP on a custom port number,
you must modify this ACL entry to use the port number that the hosts use.
If no inbound ACL is configured on the interface you specify, you can have Cisco
SDM apply an ACL to the interface. You can choose a recommended policy, or a
policy that simply monitors reported NAC postures.
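The following script is an added audit example, not part of this guide or of Cisco SDM. It checks an inbound ACL taken from a router configuration for the EAPoUDP permit entry described above (for the interface IP and the port the hosts actually use), confirms that entry is not shadowed by an earlier deny, and reports whether the catch-all entry makes the ACL a strict or a monitor policy. The ACL lines and the interface address 192.55.22.33 are constructed sample input.

```python
# Default EAPoUDP port used in the permit statement Cisco SDM adds.
EAPOUDP_PORT = 21862

def audit_nac_acl(acl_lines, interface_ip, eou_port=EAPOUDP_PORT):
    """Audit the inbound ACL on a NAC interface.

    Returns a dict with:
      eou_permit      - an EAPoUDP permit for interface_ip on eou_port exists
      eou_before_deny - that permit appears before any deny entry (not shadowed)
      mode            - 'strict' (deny ip any any), 'monitor' (permit ip any any)
                        or 'unknown' if no catch-all entry is present
    """
    result = {"eou_permit": False, "eou_before_deny": False, "mode": "unknown"}
    seen_deny = False
    for line in acl_lines:
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list":
            continue
        action, rest = toks[2], " ".join(toks[3:])
        # Entry SDM adds: permit udp any eq <port> <interface ip>
        # ("host <ip>" is accepted as well; the address is matched as a token).
        if (action == "permit" and toks[3] == "udp"
                and f"eq {eou_port}" in rest and interface_ip in toks):
            result["eou_permit"] = True
            result["eou_before_deny"] = not seen_deny
        if action == "deny":
            seen_deny = True
        # The first catch-all entry decides the default posture; anything after it
        # is unreachable.
        if rest == "ip any any" and result["mode"] == "unknown":
            result["mode"] = "strict" if action == "deny" else "monitor"
    return result

# Constructed sample ACLs for the three situations the text describes.
STRICT_ACL = ["access-list 100 permit udp any eq 21862 192.55.22.33",
              "access-list 100 deny ip any any"]
MONITOR_ACL = ["access-list 101 permit udp any eq 21862 host 192.55.22.33",
               "access-list 101 permit ip any any"]
SHADOWED_ACL = ["access-list 102 deny ip any any",
                "access-list 102 permit udp any eq 21862 192.55.22.33"]

if __name__ == "__main__":
    for name, acl in (("strict", STRICT_ACL), ("monitor", MONITOR_ACL),
                      ("shadowed", SHADOWED_ACL)):
        print(name, audit_nac_acl(acl, "192.55.22.33"))
    # Hosts on a custom EAPoUDP port: the default entry no longer matches.
    print("custom port", audit_nac_acl(STRICT_ACL, "192.55.22.33", eou_port=30000))
```

A result of eou_permit False or eou_before_deny False means EAPoUDP traffic cannot reach the router and posture validation will never complete on that interface.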
Strict Validation (Recommended)—Cisco SDM applies an ACL that denies
all traffic (deny ip any any). Admission to the network is determined by the
NAC validation process. By default, all traffic is denied except the traffic
found to be valid based on the policy configured on the NAC policy server.
Monitor NAC Postures—Cisco SDM applies an ACL that permits all traffic
(permit ip any any). After the NAC validation process, the router may
receive policies from the NAC server that deny access to certain hosts. You
can use the Monitor NAC Postures setting to determine the impact of NAC
configuration on the network. After you have done so, you can modify the