IBM Tivoli and Cisco manual

This example causes traffic with a destination port 53 (domain) or port 21862 (default EAP-over-UDP) to be exempt from the admission control process:

Router(config)# access-list 102 deny udp any host 10.10.30.10 eq 21862
Router(config)# access-list 102 deny udp any host 10.10.20.10 eq domain
Router(config)# access-list 102 permit ip any any

Router(config)# ip admission name admission-name eapoudp list 102

These packets need a corresponding entry in the interface ACL to be successfully forwarded without a prior posture validation taking place. No posture validation triggering occurs if only deny statements are present in the intercept ACL.
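The two rules stated above (the intercept ACL must contain at least one permit statement, and every exempted flow needs a matching permit in the interface ACL) can be checked mechanically. The following is an added example, not code from the Redbook; the interface ACL numbered 110 is a constructed sample, and only plain `access-list` syntax with `eq` port matches is handled:

```python
import re
from dataclasses import dataclass

# Constructed sample input: the intercept ACL from this section (list 102) and
# an assumed interface ACL (list 110) meant to forward the exempted traffic.
INTERCEPT_ACL = """
access-list 102 deny udp any host 10.10.30.10 eq 21862
access-list 102 deny udp any host 10.10.20.10 eq domain
access-list 102 permit ip any any
"""
INTERFACE_ACL = """
access-list 110 permit udp any host 10.10.30.10 eq 21862
access-list 110 permit udp any host 10.10.20.10 eq 53
access-list 110 deny ip any any
"""

ACE_RE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
PORT_NAMES = {"domain": 53}  # well-known names IOS accepts in place of numbers


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    match: str  # normalised source/destination/port text


def parse_acl(text):
    """Parse numbered access-list lines into Ace entries; unknown lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        _, action, proto, rest = m.groups()
        # Normalise port names so "eq domain" compares equal to "eq 53".
        words = [str(PORT_NAMES.get(w, w)) for w in rest.split()]
        aces.append(Ace(action, proto, " ".join(words)))
    return aces


def check_intercept_acl(intercept_text, interface_text):
    """Return a list of problems; an empty list means the two ACLs are consistent."""
    intercept = parse_acl(intercept_text)
    permitted = {(a.proto, a.match) for a in parse_acl(interface_text) if a.action == "permit"}
    problems = []
    if not any(a.action == "permit" for a in intercept):
        problems.append("intercept ACL has no permit entry: posture validation never triggers")
    for a in intercept:  # each exempted (deny) flow must be forwarded by the interface ACL
        if a.action == "deny" and (a.proto, a.match) not in permitted:
            problems.append(f"exempt flow not permitted by interface ACL: {a.proto} {a.match}")
    return problems
```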

3. (Optional) If hosts with a statically configured IP address and no posture agent installed (non-responsive hosts) are located in the network where posturing is taking place, they may be exempted from the posturing process.

The following commands configure a policy that enables access defined by an access list to a host with a static IP address. (Be aware that the four lines following identity policy NACless are actually part of the identity policy configuration and not the global router configuration.)

Router(config)# identity profile eapoudp

Router(config)# device authorize ip-address 172.30.40.32 policy NACless
Router(config)# identity policy NACless
Router(config)# access-group clientException
Router(config)# redirect url http://172.30.2.10/update
Router(config)# ip access-list extended clientException
Router(config)# permit ip any host 172.30.1.10

This configuration enables a host with an IP address of 172.30.40.32 to communicate with the host 172.30.1.10 and no other hosts. This configuration is useful for IP-connected printers or IP telephony devices.

In the case of networks where only Web clients exist, URL redirection can point those clients to a server where the appropriate software can be obtained.

4. This section describes a different exception method for hosts without a posture agent installed.

In the following example, the eou clientless username command configures the Cisco IOS Software NAD to insert a user name of clientless into the RADIUS protocol for clientless end stations. The eou clientless password command configures the password to be returned with it. The eou allow clientless command enables this user name and password combination to be returned for all hosts the NAD attempts to posture without receiving a valid EOU response.

Router(config)# eou clientless username clientless
Router(config)# eou clientless password password
Router(config)# eou allow clientless

300 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems