The Cisco Secure ACS then issues a token according to the group in which a user with the clientless user name is placed. This configuration is useful for PCs and workstations that receive their IP addresses through DHCP and do not have the posture agents installed.

5. (optional) The following commands configure the timers for the EOU posturing process. They are shown here with their default values:

Router(config)# eou timeout hold-period 60
Router(config)# eou timeout revalidation 1800
Router(config)# eou timeout status-query 300

The eou timeout hold-period command specifies a hold period, in seconds, during which packets from a host that has just failed authentication are ignored. The eou timeout revalidation command sets the global revalidation period for all clients; it may be overridden by a RADIUS AV pair sent by the Cisco Secure ACS. The eou timeout status-query command sets the global status query period; it may likewise be overridden by an AV pair received from the Cisco Secure ACS.

6. The network interface configuration consists of two commands that must be configured on the interface facing the hosts to be posture-validated.

Router(config)# access-list 101 permit udp any host 172.30.40.1 eq 21862
Router(config)# access-list 101 deny ip any any

Router(config)# interface FastEthernet0/0
Router(config-if)# ip address 172.30.40.1 255.255.255.0
Router(config-if)# ip access-group 101 in
Router(config-if)# ip admission admission-name

The ip access-group 101 in command applies an ACL to the interface in the inbound direction that blocks all traffic entering the interface unless it is expressly permitted. This ACL, called the interface ACL, is useful for creating pinholes that allow certain kinds of inbound traffic before the sending device is subjected to the posturing process.

For example, an access control element (ACE) permitting UDP packets with a destination port equal to domain enables DNS queries to be sent successfully without being postured. At a minimum, the interface ACL must permit inbound UDP communication destined to port 21862. The first permit ACE in the example above admits this UDP traffic into the NAD, which is necessary for the EOU communication. The ip admission admission-name command applies the previously configured NAC policy to the interface.

The traffic specifically permitted by access list 102 is subject to the posturing process.

Important: Remember the importance of permitting UDP port 21862 in the interface ACL. Without this access, NAC will not function.
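Because IOS ACLs are evaluated top-down with first-match semantics and end in an implicit deny, the EOU pinhole only works if the permit for UDP 21862 appears before any ACE that would otherwise match that traffic. The following script is an added example (it is not part of the IBM manual or of any Cisco tool) that parses numbered extended ACEs from a configuration excerpt, simulates an ACL lookup for the EOU packet towards the NAD address, and reports whether the pinhole is effective. It assumes only the "any" and "host X" address forms used on this page and a small, constructed map of IOS port keywords; the sample ACLs are constructed from the configuration shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# EAP over UDP (EOU) port used between host and NAD, as stated on the page.
EOU_UDP_PORT = 22862 - 1000  # 21862, written this way only to keep the literal visible below
EOU_UDP_PORT = 21862

# Assumption: only these IOS port keywords are needed for the examples here.
NAMED_PORTS = {"domain": 53, "bootps": 67, "bootpc": 68}


@dataclass
class Ace:
    acl: str
    action: str               # "permit" or "deny"
    protocol: str             # "ip", "udp", "tcp", ...
    dst_host: Optional[str]   # None means destination "any"
    dst_port: Optional[int]   # None means any destination port


# Assumption: only "any" and "host X" address forms, with an optional "eq <port>" on the destination.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?:any|host\s+\S+)\s+(?:(?P<dst_any>any)|host\s+(?P<dst_host>\S+))"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(lines: List[str], acl_number: str) -> List[Ace]:
    """Collect the ACEs of one numbered ACL in configuration order, ignoring other lines and CLI prompts."""
    aces: List[Ace] = []
    for raw in lines:
        line = re.sub(r"^\S*\(config\)#\s*", "", raw.strip())  # strip a "Router(config)# " prompt
        m = ACE_RE.match(line)
        if not m or m.group("acl") != acl_number:
            continue
        port_text = m.group("port")
        if port_text is None:
            port = None
        elif port_text.isdigit():
            port = int(port_text)
        else:
            port = NAMED_PORTS.get(port_text, -1)  # unknown keyword: never matches a numeric lookup
        aces.append(Ace(acl=m.group("acl"), action=m.group("action"),
                        protocol=m.group("proto").lower(),
                        dst_host=m.group("dst_host"), dst_port=port))
    return aces


def first_match(aces: List[Ace], proto: str, dst_ip: str, dst_port: int) -> str:
    """Return the action of the first ACE matching the packet; an IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace.protocol not in ("ip", proto):
            continue
        if ace.dst_host is not None and ace.dst_host != dst_ip:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


def eou_pinhole_ok(lines: List[str], acl_number: str, nad_ip: str) -> bool:
    """True when an EOU packet to the NAD address on UDP 21862 would be permitted by the interface ACL."""
    return first_match(parse_acl(lines, acl_number), "udp", nad_ip, EOU_UDP_PORT) == "permit"


# Constructed samples: the interface ACL from the page, the same ACEs in the wrong order,
# and an ACL that only opens DNS and forgets the EOU pinhole.
GOOD_ACL = [
    "Router(config)# access-list 101 permit udp any host 172.30.40.1 eq 21862",
    "Router(config)# access-list 101 deny ip any any",
]
WRONG_ORDER_ACL = [
    "access-list 101 deny ip any any",
    "access-list 101 permit udp any host 172.30.40.1 eq 21862",
]
DNS_ONLY_ACL = [
    "access-list 101 permit udp any any eq domain",
    "access-list 101 deny ip any any",
]

if __name__ == "__main__":
    for name, acl in (("page example", GOOD_ACL), ("wrong order", WRONG_ORDER_ACL), ("DNS only", DNS_ONLY_ACL)):
        print(f"{name}: EOU pinhole {'OK' if eou_pinhole_ok(acl, '101', '172.30.40.1') else 'MISSING'}")
```

The "wrong order" case is the one worth remembering: every ACE is present, yet the deny ip any any shadows the permit, so NAC traffic never reaches the NAD and the host is stuck in the posturing process.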

Chapter 7. Network enforcement subsystem implementation

301
