
IBM Tivoli and Cisco User Manual

Chapter 7. Network enforcement subsystem implementation

The Cisco Secure ACS then issues a token according to the group in which a
user with the clientless user name is placed. This configuration is useful for
PCs and workstations that receive their IP addresses through DHCP and do
not have the posture agents installed.

5. (optional) The following commands configure the timers for the EOU
   posturing processes. These timers are shown with their default settings:

Router(config)# eou timeout hold-period 60
Router(config)# eou timeout revalidation 1800
Router(config)# eou timeout status-query 300

   The eou timeout hold-period command specifies a hold period, in seconds,
   during which packets from a host that has just failed authentication are
   ignored. The eou timeout revalidation command sets the global revalidation
   period for all clients; this may be overridden by a RADIUS AV pair from the
   Cisco Secure ACS. The eou timeout status-query command sets the global
   status query period; this may also be overridden by an AV pair received
   from the Cisco Secure ACS.

6. The network interface configuration consists of two commands, ip
   access-group and ip admission, that must be configured on the interface
   facing the hosts to be posture-validated. The access list that the first
   command references is defined beforehand:

Router(config)# access-list 101 permit udp any host 172.30.40.1 eq 21862
Router(config)# access-list 101 deny ip any any
Router(config)# interface FastEthernet0/0
Router(config-if)# ip address 172.30.40.1 255.255.255.0
Router(config-if)# ip access-group 101 in
Router(config-if)# ip admission admission-name

   The ip access-group 101 in command places an ACL on the interface in the
   inbound direction that blocks all traffic from entering the interface unless
   it is expressly permitted. This ACL, called the interface ACL, is useful for
   creating pinholes that allow certain kinds of inbound traffic before the
   device is subjected to the posturing process.

   For example, an access control entry (ACE) permitting UDP packets with a
   destination port equal to domain (port 53) enables DNS queries to be sent
   successfully without the host being postured. At a minimum, the interface
   ACL must permit inbound UDP communication destined to port 21862 on the
   NAD's own interface address; the first permit ACE above allows this UDP
   traffic into the NAD, which is necessary for the EOU communications. The ip
   admission admission-name command applies the previously configured NAC
   policy to the interface.

   Traffic specifically permitted by access list 102 (a separate list from the
   interface ACL 101) is subject to the posturing process.

Important: Remember the importance of permitting UDP port 21862 in the
interface ACL. Without this access, NAC will not function.
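Because a missing or mistargeted pinhole silently disables NAC, it is worth checking the configuration statically before deploying it. The following script is an added example, not code from the Redbook or from Cisco: it parses a running-config snippet (the sample configurations are constructed inline and mirror steps 5 and 6 above), reports the effective EOU timers using the defaults listed in the text, and verifies that the interface ACL applied inbound on the host-facing interface contains a permit for UDP port 21862 destined to that interface's own address and that an ip admission rule is applied. All function and variable names are the example's own.

```python
"""Static check of a Cisco IOS NAC (EAPoUDP) interface configuration.

Added example, not from the Redbook: it verifies the conditions the text
states for step 6 (UDP 21862 pinhole to the NAD address, ip admission
applied) and reports the effective EOU timers from step 5.
"""
import re

EOU_UDP_PORT = "21862"  # EAP over UDP (EOU) port used by Cisco NAC

# Defaults as listed in step 5 of the text (not independently verified).
EOU_TIMER_DEFAULTS = {"hold-period": 60, "revalidation": 1800, "status-query": 300}

# Constructed sample: the Redbook's step 6 plus a DNS pinhole.
GOOD_CONFIG = """\
access-list 101 permit udp any host 172.30.40.1 eq 21862
access-list 101 permit udp any any eq domain
access-list 101 deny ip any any
interface FastEthernet0/0
 ip address 172.30.40.1 255.255.255.0
 ip access-group 101 in
 ip admission admission-name
"""

# Constructed failure case: the pinhole targets the wrong host and the
# admission rule was never applied, so EOU can never reach the NAD.
BAD_CONFIG = """\
access-list 101 permit udp any host 172.30.40.2 eq 21862
access-list 101 deny ip any any
interface FastEthernet0/0
 ip address 172.30.40.1 255.255.255.0
 ip access-group 101 in
"""

ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+)\s*(.*)$")


def parse_eou_timers(config):
    """Effective EOU timers: explicit 'eou timeout ...' lines override the defaults."""
    timers = dict(EOU_TIMER_DEFAULTS)
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["eou", "timeout"] and len(p) == 4 and p[2] in timers and p[3].isdigit():
            timers[p[2]] = int(p[3])
    return timers


def parse_acls(config):
    """Map ACL number/name -> list of (action, protocol, remaining tokens)."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((action, proto, rest.split()))
    return acls


def parse_interfaces(config):
    """Map interface name -> {ip, acl_in, admission} from its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"ip": None, "acl_in": None, "admission": None}
        elif current and line.startswith(" "):
            p = line.split()
            if p[:2] == ["ip", "address"] and len(p) >= 3:
                interfaces[current]["ip"] = p[2]
            elif p[:2] == ["ip", "access-group"] and len(p) >= 4 and p[3] == "in":
                interfaces[current]["acl_in"] = p[2]
            elif p[:2] == ["ip", "admission"] and len(p) >= 3:
                interfaces[current]["admission"] = p[2]
        else:
            current = None  # left the interface block


    return interfaces


def _take_address(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) < 2:
        return None, []
    return (tokens[1] if tokens[0] == "host" else tokens[0]), tokens[2:]


def eou_pinhole_present(aces, nad_ip):
    """True if a permit udp ACE reaches nad_ip (or any) on destination port 21862."""
    for action, proto, tokens in aces:
        if action != "permit" or proto != "udp" or not tokens:
            continue
        _, rest = _take_address(tokens)          # source address
        if rest[:1] == ["eq"]:                   # optional source port
            rest = rest[2:]
        if not rest:
            continue
        dst, rest = _take_address(rest)          # destination address
        if dst in ("any", nad_ip) and rest[:2] == ["eq", EOU_UDP_PORT]:
            return True
    return False


def check_nac_interface(config, ifname):
    """Return a list of findings; an empty list means the interface passes."""
    findings = []
    acls = parse_acls(config)
    iface = parse_interfaces(config).get(ifname)
    if iface is None:
        return [f"{ifname}: interface not found in config"]
    if iface["ip"] is None:
        findings.append(f"{ifname}: no ip address configured")
    if iface["acl_in"] is None:
        findings.append(f"{ifname}: no inbound ip access-group; no EOU pinhole possible")
    elif iface["acl_in"] not in acls:
        findings.append(f"{ifname}: inbound ACL {iface['acl_in']} is referenced but never defined")
    elif not eou_pinhole_present(acls[iface["acl_in"]], iface["ip"]):
        findings.append(f"{ifname}: ACL {iface['acl_in']} has no permit for UDP {EOU_UDP_PORT} "
                        f"to {iface['ip']}; NAC will not function")
    if iface["admission"] is None:
        findings.append(f"{ifname}: no ip admission rule applied; hosts will not be postured")
    return findings


if __name__ == "__main__":
    print("timers:", parse_eou_timers(GOOD_CONFIG))
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_nac_interface(cfg, "FastEthernet0/0") or ["OK"])
```

The check deliberately compares the ACE's destination against the interface's own address: a permit for 21862 to some other host (the constructed BAD_CONFIG) would still look like a pinhole to a casual reader but would leave EOU unable to reach the NAD. Feed it a `show running-config` capture of the NAD to run it against a real device.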