To create an IP network admission control rule, use the ip admission name command in global configuration mode. To remove the network admission control rule, use the no form of this command.
ip admission name admission-name [eapoudp [bypass] | proxy {ftp | http | telnet} | service-policy type tag service-policy-name] [list {acl | acl-name}] [event] [timeout aaa] [policy identity identity-policy-name]
no ip admission name admission-name [eapoudp [bypass] | proxy {ftp | http | telnet} | service-policy type tag service-policy-name] [list {acl | acl-name}] [event] [timeout aaa] [policy identity identity-policy-name]
Syntax for Authentication Proxy Consent Webpage
ip admission name admission-name consent [ [absolute-timer minutes] [event] [inactivity-time minutes] [list {acl | acl-name}] [parameter-map consent-parameter-map-name]]
no ip admission name admission-name consent [ [absolute-timer minutes] [event] [inactivity-time minutes] [list {acl | acl-name}] [parameter-map consent-parameter-map-name]]
Syntax Description
| Keyword or argument | Description |
|---|---|
| admission-name | Name of the network admission control rule. |
| eapoudp | (Optional) Specifies IP network admission control using Extensible Authentication Protocol over UDP (EAPoUDP). |
| bypass | (Optional) The admission rule bypasses EAPoUDP communication. |
| proxy | (Optional) Specifies authentication proxy. |
| ftp | Specifies that FTP is to be used to trigger the authentication proxy. |
| http | Specifies that HTTP is to be used to trigger the authentication proxy. |
| telnet | Specifies that Telnet is to be used to trigger the authentication proxy. |
| service-policy type tag | (Optional) Specifies that a control plane service policy is to be configured. |
| service-policy-name | Control plane tag service policy that is configured using the policy-map type control tag policy-name command. This policy map is used to apply the actions on the host when a tag is received. |
| list | (Optional) Associates the named rule with an access control list (ACL). |
| acl | Applies a standard or extended access list to the named admission control rule. The value ranges from 1 through 199. |
| acl-name | Applies a named access list to the named admission control rule. |
| event | (Optional) Identifies the condition that triggered the application of the policy. |
| timeout aaa | (Optional) Specifies that the AAA server is unreachable. |
| policy identity | Configures the application of an identity policy to be used while the AAA server is unreachable. |
| identity-policy-name | Specifies the identity policy to apply. |
| consent | Associates an authentication proxy consent webpage with the IP admission rule specified by the admission-name argument. |
| absolute-timer minutes | (Optional) Elapsed time, in minutes, before the external server times out. |
| inactivity-time minutes | (Optional) Elapsed time, in minutes, before the external file server is deemed unreachable. |
| parameter-map | (Optional) Associates a parameter map policy with the consent profile. |
| consent-parameter-map-name | Specifies the consent profile parameters to apply. |
Command Default
An IP network admission control rule is not created.
Command Modes
Global configuration (config)
Command History
| Release | Modification |
|---|---|
| 12.3(8)T | This command was introduced. |
| 12.4(6)T | The bypass and service-policy type tag keywords and the service-policy-name argument were added. |
| 12.4(11)T | The event, timeout aaa, and policy identity keywords and the identity-policy-name argument were added. |
| 12.4(15)T | The following keywords and arguments were added: consent, absolute-timer minutes, inactivity-time minutes, parameter-map, and consent-parameter-map-name. |
| 12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
The admission rule defines how you apply admission control.
You can associate the named rule with an ACL, providing control over which hosts use the admission control feature. If no standard access list is defined, the named admission rule intercepts IP traffic from all hosts whose connection-initiating packets are received at the configured interface.
The bypass keyword lets an administrator skip EAPoUDP-based posture validation for the hosts that are trying to connect on the port. Use bypass if you know that the hosts connected on the port do not have the Cisco Trust Agent client installed.
The service-policy type tag service-policy-name keywords and argument allow you to associate a service policy of type tag with the IP admission rule. On the network access device (NAD), a set of policies can be associated with an arbitrary tag string; if the AAA server sends the same tag in its posture validation or authentication response, the policies associated with that tag are applied on the host. The service-policy keyword is optional; if no service policy is associated with the IP admission name, the policies received from the AAA server are applied on the host.
The list keyword option allows you to apply a standard or extended (1 through 199) or named access list to a named admission control rule. IP connections that are initiated by hosts in the access list are intercepted by the admission control feature.
The event keyword option allows you to specify the condition that triggered application of an identity policy.
The timeout aaa keyword option specifies that the AAA server is unreachable and that this condition triggers the application of an identity policy.
The policy identity keyword and the identity-policy-name argument allow you to configure application of an identity policy and specify the policy to be applied while the AAA server is unreachable.
The consent keyword and the parameter-map consent-parameter-map-name keyword and argument allow you to associate the authentication proxy consent feature with an IP admission rule. The consent feature enables customers to display a consent webpage to an end user, providing access to wireless services only after the end user accepts the agreement.
Examples
The following example shows that an IP admission control rule is named "greentree" and that it is associated with ACL "101."
Any IP traffic that is destined to a previously configured network (using the access-list command) will be subjected to antivirus state validation using EAPoUDP.
Router (config)# ip admission name greentree eapoudp list 101
The following example shows that EAPoUDP bypass has been configured:
Router (config)# ip admission name greentree eapoudp bypass list 101
In the following service policy example, tags named "healthy" and "non_healthy" can be received from an AAA server, the policy map is defined on the NAD, and the tag policy type is associated with the IP admission name "greentree."
Router (config)# class-map type tag healthy_class
Router(config-cmap)# match tag healthy
Router(config-cmap)# end
Router (config)# class-map type tag non_healthy_class
Router (config-cmap)# match tag non_healthy
Router (config-cmap)# end
! The following line will be associated with the IP admission name.
Router (config)# policy-map type control tag global_class
! The following line refers to the healthy class map that was defined above.
Router (config-pmap)# class healthy_class
Router (config-pmap-c)# identity policy healthy_policy
Router(config-pmap-c)# exit
! The following line refers to the non_healthy class that was defined above.
Router (config-pmap)# class non_healthy_class
Router(config-pmap-c)# identity policy non_healthy_policy
Router (config-pmap-c)# end
Router (config)# identity policy healthy_policy
! The following line is the IP access list for healthy users.
Router (config-identity-policy)# access-group healthy
Router (config-identity-policy)# end
Router (config)# identity policy non_healthy_policy
Router (config-identity-policy)# access-group non_healthy
Router (config-identity-policy)# end
Router (config)# ip access-list extended healthy
! The following line can be anything, but as an example, traffic is being allowed.
Router (config-ext-nacl)# permit ip any any
Router (config-ext-nacl)# end
Router (config)# ip access-list extended non_healthy
! The following line is only an example. In practical cases, you could prevent a user from accessing specific networks.
Router (config-ext-nacl)# deny ip any any
Router (config-ext-nacl)# end
Router (config)# ip admission name greentree service-policy type tag global_class
! In the next line, the admission name can be associated with the interface.
Router (config)# interface fastethernet 1/0
Router (config-if)# ip admission greentree
In the above configuration, if the AAA server sends a tag named "healthy" or "non_healthy" for any host, the policies that are associated with the appropriate identity policy will be applied on the host.
The following example shows how to define an IP admission control rule named "samplerule" and attach it to a specific interface:
Router (config)# ip admission name samplerule eapoudp list 101 event timeout aaa policy identity aaa_fail_policy
Router (config)# interface fastethernet 1/1
Router (config-if)# ip admission samplerule
Router (config-if)# end
In the above configuration, if the specified interface is not already authorized when the AAA server becomes unreachable, it will operate under the specified policy until revalidation is possible.
The following example shows how to configure an IP admission consent rule and associate the consent rule with the definitions of the parameter map "consent_parameter_map":
ip admission name consent-rule consent inactivity-time 204 absolute-timer 304 parameter-map consent_parameter_map list 103
ip admission consent-banner file flash:consent_page.html
ip admission consent-banner text ^C Consent-Page-Banner-Text ^C
ip admission max-login-attempts 5
ip admission init-state-timer 15
ip admission auth-proxy-audit
ip admission inactivity-timer 205
ip admission absolute-timer 305
ip admission ratelimit 100
ip http server
ip http secure-server
!
interface FastEthernet 0/0
description ### CLIENT-N/W ###
ip address 192.168.100.170 255.255.255.0
ip access-group 102 in
ip admission consent-rule
no shut
exit
!
interface FastEthernet 0/1
description ### AAA-DHCP-AUDIT-SERVER-N/W ###
ip address 192.168.104.170 255.255.255.0
no shut
exit
!
line con 0
exec-timeout 0 0
login authentication noAAA
exit
!
line vty 0 15
exec-timeout 0 0
login authentication noAAA
exit
!
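The usage guidelines and the examples above tie each ip admission name rule to other objects (an ACL via list, an identity policy via policy identity, a tag policy map via service-policy type tag, a consent parameter map via parameter-map) and tie interfaces to rules via ip admission. As an added illustration that is not part of the command reference, the Python script below checks a running-config fragment for dangling references of exactly these kinds; the sample configuration is constructed, and the column-0 definition convention and the parameter-map type consent definition syntax are assumptions.

```python
import re
# Constructed sample running-config fragment (not from a real device): some references resolve, some do not.
SAMPLE_CONFIG = """\
access-list 101 permit ip any any
parameter-map type consent consent_parameter_map
policy-map type control tag global_class
 class healthy_class
  identity policy healthy_policy
ip admission name greentree eapoudp service-policy type tag global_class list 101 event timeout aaa policy identity aaa_fail_policy
ip admission name consent-rule consent list 103 parameter-map consent_parameter_map
interface FastEthernet 1/0
 ip admission greentree
interface FastEthernet 1/1
 ip admission typo-rule
"""
# Column-0 definitions of the objects a rule may reference ("parameter-map type consent" syntax assumed),
# and the keyword that references each of them inside an "ip admission name" line.
DEF_PATTERNS = {
    "acl": r"(?:ip )?access-list (?:extended |standard )?(\S+)",
    "identity": r"identity policy (\S+)",
    "pmap": r"policy-map type control tag (\S+)",
    "parameter-map": r"parameter-map type consent (\S+)",
}
REF_PATTERNS = {
    "acl": r"\blist (\S+)",
    "identity": r"\bpolicy identity (\S+)",
    "pmap": r"\bservice-policy type tag (\S+)",
    "parameter-map": r"\bparameter-map (\S+)",
}
def lint_ip_admission(config):
    """Return dangling references from rules to their objects, plus interfaces applying an unknown rule."""
    defined = {k: set() for k in (*REF_PATTERNS, "rule")}
    refs, iface_rules, iface = [], [], None
    for raw in config.splitlines():
        line, top = raw.strip(), not raw.startswith(" ")
        if top and (m := re.match(r"ip admission name (\S+)(.*)", line)):
            rule, rest = m.groups()
            defined["rule"].add(rule)
            refs += [(rule, k, n) for k, p in REF_PATTERNS.items() for n in re.findall(p, rest)]
        elif top and (m := re.match(r"interface (.+)", line)):
            iface = m.group(1)
        elif top:  # an indented "identity policy" inside a policy-map is a use, not a definition
            for kind, pat in DEF_PATTERNS.items():
                if m := re.match(pat, line):
                    defined[kind].add(m.group(1))
        elif iface and (m := re.match(r"ip admission (\S+)$", line)):
            iface_rules.append((iface, m.group(1)))  # rule applied to an interface
    return ([f"rule {r}: {k} '{n}' is not defined" for r, k, n in refs if n not in defined[k]]
            + [f"interface {i}: rule '{r}' is not defined" for i, r in iface_rules if r not in defined["rule"]])
```

Run against the sample it reports the missing identity policy aaa_fail_policy, the missing ACL 103, and the interface that applies a rule never created, which is the class of mismatch that silently leaves hosts outside the intended admission policy.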