IEOC - Internetwork Expert's Online Community

Latest post 06-25-2009 9:22 AM by federic0. 5 replies.
  • 10-18-2008 9:29 AM

    Task 9.3

    Ok, I must really be missing something on this one.


    Based on the information on the doc site, I would have configured the solution like this:

    ! ACL 102: only UDP is allowed in, everything else is dropped
    access-list 102 permit udp any any
    access-list 102 deny ip any any

    ! AAA: EAPoUDP authentication and network authorization against RADIUS
    aaa new-model
    aaa authentication eou default enable group radius
    aaa authorization network default group radius
    radius-server host 173.1.137.252
    radius-server key cisco

    ip radius source-interface Loopback0

    ! NAC (EAPoUDP) admission rule, applied inbound on E0 together with ACL 102
    ip admission name cisco eapoudp

    interface Ethernet0
     ip admission cisco
     ip access-group 102 in

    Obviously, from the solution guide my configuration is incorrect. Unfortunately, there is no explanation and the solution example is missing the acl. Can someone please give an explanation of the configuration provided in the solution guide? I've read through the NAC section of the doc site twice now and I don't understand how anyone would know to configure the inactivity timeout or the auth and acct ports.

    Also, if someone does manage to authenticate to the radius server, wouldn't acl 102 still block traffic? In other words, if someone authenticates, how does the router know to let traffic pass instead of blocking it with acl 102?

    I might be making this a lot more complicated than it is, but it would be very helpful if the solution guide actually had an explanation.

    -Bobby

    • Post Points: 35
  • 10-24-2008 6:13 PM In reply to

    Re: Task 9.3

    hoodooman211:


    Obviously, from the solution guide my configuration is incorrect. Unfortunately, there is no explanation and the solution example is missing the acl. Can someone please give an explanation of the configuration provided in the solution guide? I've read through the NAC section of the doc site twice now and I don't understand how anyone would know to configure the inactivity timeout or the auth and acct ports.

    Also, if someone does manage to authenticate to the radius server, wouldn't acl 102 still block traffic? In other words, if someone authenticates, how does the router know to let traffic pass instead of blocking it with acl 102?

    I might be making this a lot more complicated than it is, but it would be very helpful if the solution guide actually had an explanation.

    -Bobby

    http://forum.internetworkexpert.com/ubbthreads.php/ubb/showflat/Number/16513/page/2#Post16513

    • Post Points: 20
  • 11-01-2008 2:24 AM In reply to

    Re: Task 9.3

    On this link there is no mention that we need to overcome the AAA issues which come into play when we activate 'aaa new-model'. I'm talking about changing the access methods for both the console and the vty lines.

    • Post Points: 5
  • 11-09-2008 12:02 PM In reply to

    Re: Task 9.3

    To find more information regarding this task...the key is the term "Cisco Trusted Agent"

    Doc CD/IOS Security/Traffic Filtering, Firewalls.../Network Admission Control (NAC)

    r/

    Tammy

    • Post Points: 20
  • 05-20-2009 10:49 PM In reply to

    Re: Task 9.3

    Thanks for the link, Tammy!

    Since they changed the documentation structure, NAC can be found in the Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4.

    best regards

    Matthias

    • Post Points: 20
  • 06-25-2009 9:22 AM In reply to

    Re: Task 9.3

    Some open (not ended) questions still remain:

    1) Access list 102 is not there in the SG, even if it could be a simple list permitting only UDP traffic sourced from VLAN 4.

    2) The RADIUS ports are not standard; why did they change them from 1812/1813? They also changed the authorization port even though authorization is not enabled.

    3) 60 minutes for the inactivity time is the default value.

    It looks like a copy'n'paste from the doc-cd.

    /R

    • Post Points: 5
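Added example for this thread (not the solution guide's configuration and not the poster's own): an IOS NAC (EAPoUDP) configuration that addresses Bobby's question about ACL 102 and R's three points. It assumes the ACL is attached to the admission rule as the interception list and that the RADIUS server returns a per-host ACL after posture validation; the ACL number, the server address, Loopback0 and Ethernet0 come from the original post, the VLAN 4 subnet is a placeholder, and the ports shown are the 1812/1813 defaults because the SG's non-standard values are not in the thread.

```cisco
! Added example, not the solution guide's configuration.
aaa new-model
aaa authentication eou default group radius
aaa authorization network default group radius
!
! Ports only need to be configured when the server does not listen on the
! 1812/1813 defaults; the key must match the server's shared secret.
radius-server host 173.1.137.252 auth-port 1812 acct-port 1813 key cisco
ip radius source-interface Loopback0
!
! Idle posture sessions are torn down after this many minutes.
! 60 is already the default, so the line only makes the value explicit.
ip admission inactivity-timer 60
!
! Interception list: only UDP from the VLAN 4 hosts triggers posture
! validation. <VLAN4-SUBNET> <WILDCARD> is a placeholder, not a value
! from the thread.
access-list 102 permit udp <VLAN4-SUBNET> <WILDCARD> any
access-list 102 deny ip any any
!
! The admission rule references the ACL as its interception list instead
! of the ACL being applied as a plain interface filter.
ip admission name NAC-EOU eapoudp list 102
!
! Inbound on E0, the interface ACL decides what unvalidated hosts may send.
! After a host passes posture validation, the RADIUS server returns its
! per-host ACL (cisco-av-pair ip:inacl# entries), which IOS inserts ahead
! of the static entries of the inbound ACL for that host's address only.
! That is how validated traffic passes although ACL 102 still denies
! everything else.
interface Ethernet0
 ip admission NAC-EOU
 ip access-group 102 in
```

Without an `ip:inacl#` entry returned by the server, validated hosts keep being filtered by ACL 102 alone, so the RADIUS policy is what actually opens traffic for a validated host.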