Cisco IOS Software Release 12.4(6)T
Network Admission Control: Agentless Host Support
Information About Network Admission Control: Agentless Host Support
Cisco IOS Security Configuration Guide
EAPoUDP Bypass
You can use the EAPoUDP Bypass feature to reduce the latency of validating hosts that are not using
CTA. If EAPoUDP bypass is enabled, the NAD does not contact the host to request the antivirus
condition (the NAD does not try to establish an EAPoUDP association with the host if the EAPoUDP
Bypass option is configured). Instead, the NAD sends a request to the Cisco Secure ACS that includes
the IP address, MAC address, service type, and EAPoUDP session ID of the host. The Cisco Secure ACS
makes the access control decision and sends the policy to the NAD.
If EAPoUDP bypass is enabled, the NAD sends an agentless host request to the Cisco Secure ACS and
applies the access policy from the server to the host.
If EAPoUDP bypass is enabled and the host uses the Cisco Trust Agent, the NAD also sends a
nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the
host.
Vendor-Specific Attributes for This Feature
The following new attributes are supported for various RADIUS message exchanges:
• audit-session-id
The audit-session-id vendor-specific attribute (VSA) is a 32-byte string that uniquely identifies a host
session. This identifier is generated by a NAD when the host is detected, and it remains the same until
the session is deleted. Session revalidation or reinitialization does not change this identifier; a new
identifier is generated only when a new session is detected. This attribute is included in access requests
to the authentication, authorization, and accounting (AAA) server and in web requests to the audit server.
The value of this attribute is displayed in the output of the show eou command (using the ip keyword).
• url-redirect-acl
The url-redirect-acl VSA string specifies the name of the access control list (ACL) for URL redirection.
Any ingress HTTP traffic from the host that matches the access list specified by this attribute is
redirected to the URL specified by the url-redirect VSA. The access list named in this attribute must be
configured locally on the NAD as an “ip access-list extended” named ACL. This attribute is sent only in
RADIUS access-accept messages. The value of the url-redirect-acl attribute is displayed in the output of
the show eou command (using the ip keyword).
Note
Phase 1 of the Network Admission Control feature introduced the url-redirect VSA, which allowed the
HTTP sessions of users to be redirected to the address specified by the url-redirect VSA. This redirection
is useful if you want to remediate hosts that do not comply with network security policy. However, to
determine which users' HTTP requests are to be redirected, Phase 1 of Network Admission Control
assumed that any HTTP traffic that was intercepted and denied by the host policy ACL (the access
control server ACL) was subject to redirection. The url-redirect-acl VSA provides an option so that
users can customize the redirect criteria. The url-redirect-acl VSA supports backward compatibility. If
the url-redirect-acl is specified in the access-accept message for the host, any user HTTP sessions that
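The NAD's redirect decision described in the url-redirect-acl entry and in the Note above, modelled as an added example (this is not Cisco code). The ACL names, the redirect URL, the treatment of HTTP as TCP to port 80, and the first-match-wins ACL evaluation with an implicit deny are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp" or "ip" ("ip" matches any protocol)
    dst_port: Optional[int] = None   # None matches any destination port

Acl = List[AclEntry]

def acl_matches(acl: Acl, protocol: str, dst_port: int) -> bool:
    """First matching entry wins; an implicit deny ends every IOS ACL (assumed semantics)."""
    for entry in acl:
        if entry.protocol in ("ip", protocol) and entry.dst_port in (None, dst_port):
            return entry.action == "permit"
    return False

def should_redirect(access_accept: Dict[str, str], local_acls: Dict[str, Acl],
                    host_policy_acl: Acl, protocol: str, dst_port: int) -> Optional[str]:
    """Return the redirect URL for an ingress flow from the host, or None.

    access_accept holds the VSAs from the RADIUS access-accept; host_policy_acl is the
    host policy (access control server) ACL used by the Phase 1 fallback. HTTP is
    modelled as TCP to port 80 (assumption of this example)."""
    url = access_accept.get("url-redirect")
    if url is None or protocol != "tcp" or dst_port != 80:
        return None                       # no redirect target, or not HTTP
    acl_name = access_accept.get("url-redirect-acl")
    if acl_name is not None:
        # url-redirect-acl present: only HTTP matching the named local ACL is redirected
        acl = local_acls.get(acl_name)
        if acl is None:
            return None                   # ACL not configured on the NAD: nothing can match
        return url if acl_matches(acl, protocol, dst_port) else None
    # Phase 1 behaviour: HTTP that the host policy ACL denies is redirected
    return None if acl_matches(host_policy_acl, protocol, dst_port) else url

# Constructed sample data: ACL names and the URL are illustrative, not from the page.
REDIRECT_URL = "http://remediation.example.test/"
LOCAL_ACLS: Dict[str, Acl] = {
    "NAC-REDIRECT": [AclEntry("deny", "tcp", 443), AclEntry("permit", "tcp", 80)],
    "NAC-NOREDIRECT": [AclEntry("deny", "ip")],
}
HOST_POLICY: Acl = [AclEntry("permit", "udp", 53), AclEntry("permit", "tcp", 443)]
ACCEPT_WITH_ACL = {"url-redirect": REDIRECT_URL, "url-redirect-acl": "NAC-REDIRECT"}
ACCEPT_PHASE1 = {"url-redirect": REDIRECT_URL}
```

With ACCEPT_PHASE1 the host policy above permits only DNS and HTTPS, so HTTP falls to the implicit deny and is redirected; adding a permit for TCP 80 to that policy switches the decision off.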