Both NAC Layer 2 IP and Layer 3 IP use downloadable IP ACLs as the enforcement mechanism. After the posture-validation process, the resultant SPT is mapped to a downloadable IP ACL (in the Authorization policy of the network access profile), which is then pushed out to the NAD. The NAD then appends this ACL to the top of the interface ACL to further restrict (or permit) access to the network. If the SPT returned for the end host is Healthy, the downloaded ACL is generally permit ip any any. However, if the SPT returned is Quarantine, you most likely want to restrict that host's access to a limited set of remediation servers or a quarantine network. Likewise, each additional posture token can have its own unique downloadable ACL.
NOTE The Catalyst 6500 running CatOS (Hybrid mode) does not support downloadable IP ACLs for NAC-L2-IP. Instead, policy-based ACLs are used. See the section "Policy-Based ACLs," later in this chapter, for more information on this feature.
Before continuing, decide what ACL you want to apply to Healthy end hosts and what ACL to apply to Quarantined end hosts. Examples 8-1 and 8-2 provide sample Healthy and Quarantine ACLs to assist you in this process.
Example 8-1 Sample—Healthy Downloadable IP ACL
remark If host is Healthy allow full network access
permit ip any any
Example 8-2 Sample—Quarantine Downloadable IP ACL
remark If host is Quarantine restrict network access
remark Allow DHCP and DNS
permit udp any any eq 67
permit udp any any eq 53
remark Allow EAPoUDP for CTA client
permit udp any any eq 21862
remark Allow access to Quarantine network
permit ip any 192.168.15.0 0.0.0.255
NOTE In the examples in this section, you might have noticed that the source address used in the downloadable IP ACL definitions was always any. However, when ACS pushes the ACL to the NAD, the NAD changes the source IP address to the IP of the end host. Thus, the NAD personalizes the ACL for that host.
NOTE If you make a mistake entering an ACL into ACS and that ACL is downloaded to the NAD, the authorization policy will most likely fail. Most switches will fail the authorization if the ACL is invalid.
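The following Python is an added illustration, not code from the book or from ACS: it models what the NAD does with a downloaded ACL. It parses Example 8-2 style entries (rejecting a malformed line, as the NOTE above warns the switch will), substitutes the end host's address for the any source, and evaluates traffic first-match with the implicit deny. The sample ACL text and host addresses are constructed; only `any` and `A.B.C.D wildcard` address forms and numeric `eq` ports are handled.

```python
import ipaddress
# Constructed sample input: the Quarantine dACL of Example 8-2 as typed into ACS.
QUARANTINE_DACL = """\
remark Allow DHCP, DNS, EAPoUDP for CTA, and the Quarantine network
permit udp any any eq 67
permit udp any any eq 53
permit udp any any eq 21862
permit ip any 192.168.15.0 0.0.0.255
"""

def _addr(tok):
    # Consume one address spec from the token list: 'any' or 'A.B.C.D wildcard'.
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False)  # wildcard = hostmask

def parse_dacl(text):
    """Parse dACL text into ACEs; a bad line raises ValueError (the NAD would fail authz)."""
    aces = []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0] == "remark":
            continue
        try:
            action, proto, rest = tok[0], tok[1], tok[2:]
            if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
                raise ValueError("bad action or protocol")
            src, dst, port = _addr(rest), _addr(rest), None
            if rest[:1] == ["eq"]:
                port, rest = int(rest[1]), rest[2:]
            if rest:
                raise ValueError("unexpected trailing tokens")
        except (ValueError, IndexError) as exc:
            raise ValueError(f"line {n} {raw!r}: {exc}") from None
        aces.append({"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
    return aces

def personalize(aces, host_ip):
    """What the NAD does on download: the 'any' source becomes the end host's own address."""
    host = ipaddress.ip_network(host_ip + "/32")
    return [dict(a, src=host) if a["src"].prefixlen == 0 else a for a in aces]

def evaluate(aces, src, dst, proto, dport=None):
    """First-match lookup ending in the implicit deny every IOS ACL carries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a["proto"] in ("ip", proto) and s in a["src"] and d in a["dst"] and a["port"] in (None, dport):
            return a["action"]
    return "deny"
```

Running the Quarantine ACL through parse_dacl and personalize for a host at 10.1.1.50 shows that host reaching 192.168.15.0/24 and DNS anywhere, while everything else, and any traffic not sourced from 10.1.1.50, hits the implicit deny.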
When you have decided on the content of the ACLs, proceed with these steps to create them within ACS:
Step 1 From the navigation frame on the left, select Shared Profile Components.
Step 2 The Shared Profile Components page appears. Click the Downloadable IP ACLs link and then the Add button at the bottom of the page.
NOTE If you do not see the link Downloadable IP ACLs off the Shared Profile Components page, you are skipping sections of this chapter. (Shame on you.) Go back and read the section titled "Configuring RADIUS Attributes and Advanced Options."
Step 3 In the Name field, fill in a name for the Healthy downloadable IP ACL (example: NAC_Healthy_ACL).
Step 4 Optionally, add a description to further explain the purpose of this downloadable IP ACL.
Step 5 Click the Add button to define elements in the ACL. The Downloadable IP ACL Content page appears.
Step 6 In the Name field, fill in the name of the ACL content (example: Healthy_ACL).
Step 7 In the ACL Definitions box, fill in the contents of the ACL. See Example 8-1 for a sample Healthy downloadable ACL.
Step 8 Click the Submit button to return to the Downloadable IP ACLs page. Then click Submit again to return to the Shared Profile Components—Downloadable IP ACLs page.
Step 9 Click the Add button to create the Quarantine downloadable ACL.
Step 10 In the Name field, fill in a name for the Quarantine downloadable IP ACL (example: NAC_Quarantine_ACL).
Step 11 Optionally, add a description to further explain the purpose of this downloadable IP ACL.
Step 12 Click the Add button to define elements in the ACL. The Downloadable IP ACL Content page appears.
Step 13 In the Name field, fill in the name of the ACL content (example: Quarantine_ACL).
Step 14 In the ACL Definitions box, fill in the contents of the ACL. See Example 8-2 for a sample Quarantine downloadable ACL.
Step 15 Click the Submit button to return to the Downloadable IP ACLs page. Then click Submit again to return to the Shared Profile Components—Downloadable IP ACLs page.
Because you previously created network access profiles from NAC templates, you should also see a few sample downloadable IP ACLs. These ACL names have the format NAC_SAMPLE_TMen_ACL. If you created a network access profile from the Agentless Host for L3 template, you will notice that one of the ACLs has the name NAC_SAMPLE_TRANSITION_ACL. As you can guess, this ACL is tied to the Transition SPT. If you have not yet created a network access profile for agentless hosts, you can go back and do so now. Alternatively, you can skip the steps in this section and proceed to the next section.
The Transition SPT is typically used only if you are also using an external audit server (such as QualysGuard) to scan nonresponsive hosts (or hosts without CTA installed). ACS assigns the Transition token to the host (and, correspondingly, the Transition ACL) while the audit is performed. This provides the host with limited access to the network until the results of the full audit can be analyzed.
In the following steps, you rename the NAC_SAMPLE_TRANSITION_ACL and edit its contents to make them applicable to your network:
Step 1 From the Shared Profile Components—Downloadable IP ACLs page, click the NAC_SAMPLE_TRANSITION_ACL link.
Step 2 Modify the text in the Name field to read NAC_Transition_ACL.
Step 3 In the ACL Contents column, select the L3_EXAMPLE link to edit it. The Downloadable IP ACL Content page appears.
Step 4 In the Name field, replace L3_EXAMPLE with Transition_ACL.
Step 5 In the ACL Definitions box, fill in the contents of the Transition ACL. This can be as permissive as the Healthy ACL or as restrictive as the Quarantine ACL. It all depends on how much access you want an agentless host to have while it is being scanned. The default ACL is permit ip any any. Make your changes and then click Submit.
Step 6 Click the Submit button again to return to the Downloadable IP ACLs page.
Your screen should look similar to the one shown in Figure 8-11. You can delete the other sample ACLs by clicking their links, and then clicking the Delete button. You might receive a warning indicating that the ACL might be referenced by groups or users. This is because the sample RAC policy is referencing the ACL (which we have not covered yet). You can go ahead and click OK to remove the ACL. You will edit the RAC policy later.
Figure 8-11 Downloadable IP ACLs Page