Chapter 41 Configuring MAC Authentication Bypass
Configuring Agentless Hosts for NAC Auditing with MAB

When configuring the switch, follow these guidelines:

• The switch must have a RADIUS configuration and be connected to the Cisco Secure ACS server.
• If the audit configuration is removed from the network access profile (NAP) used for MAB, the port must be reinitialized.
• The session-timeout value must be greater than the time required to download the DACL with all of its ACL entries, and it must be determined based on the other audit requirements. If the session times out before the download completes, the session is torn down before the ACL is ever applied.

Configuring the Cisco Secure ACS Server

For auditing agentless hosts, the switch must be connected to a Cisco Secure ACS server and a third-party NAC audit server such as Qualys. When the audit server is installed and running, configure the audit server information on the ACS server. Cisco Secure ACS server 4.1 or later is required for this feature to function properly.

To configure the ACS server with NAC agentless hosts and NAC audit server information, perform these steps:

Step 1 Import the NAC audit vendor trusted root CA to the certificate store on ACS by using the CSUtil tool.
Step 2 Import an audit device-type attribute file for the NAC audit server by using CSUtil.
Step 3 Import NAC attribute-value pairs for the audit vendor by using CSUtil.
Step 4 Enable posture validation on the ACS.
Step 5 Configure the external audit server on ACS using the external posture validation audit server setup page on the ACS.
Step 6 Define shared profile components.
Step 7 Configure the network access profile (NAP) authorization policy.

Note In the NAP profile, configure MAB, specify the audit server, the DACL or shared RAC policies to be applied for the various posture tokens, and the fail-open policy to be applied when the audit server cannot communicate with the host. A fail-open policy admits a host without an audit result, so choose it deliberately.

Step 8 Configure the hosts to be audited, and device-type retrieval and mapping for audit vendors that have a device attribute in the RADIUS dictionary, using the external audit server posture validation setup page on the ACS.
Step 9 Set up a device group policy on the ACS.

For more information about auditing agentless hosts, and detailed steps to complete each of these tasks, refer to the following documents:

• Configuration Guide for CISCO Secure ACS
• NAC Framework Configuration Guide
• NAC Audit Vendor Configuration Guide

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 OL-8978-04
41-15
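The RADIUS exchange that the switch guidelines and the NAP profile above rely on, as an added example; this is not code from the Catalyst guide or from Cisco. It builds the Access-Request a MAB-enabled switch sends for an agentless host (the MAC address as User-Name and User-Password, Service-Type Call-Check) and the Access-Accept an ACS network access profile would return for an audited host (posture token, downloadable-ACL name, Session-Timeout, Termination-Action), then parses the reply and applies the session-timeout guideline. Assumptions: the Service-Type value 10 for MAB, the cisco-av-pair names `posture-token` and `ACS:CiscoSecure-Defined-ACL` as the way ACS 4.x conveys the token and the DACL name, and the MAC address, shared secret, DACL name and `dacl_download_seconds` input, all of which are constructed for the example. It goes slightly beyond the page by also verifying the RFC 2865 Response Authenticator, which is the check a switch must pass before it trusts the DACL or token in a reply. The follow-up exchange in which the switch downloads the ACL entries by name is not implemented.

```python
# Added example, not from the Catalyst 6500 guide or Cisco: the RADIUS exchange behind a
# MAB session with NAC auditing, built and parsed offline (no network I/O).
# Attribute numbers follow RFC 2865; Service-Type value and av-pair names are assumptions.
import hashlib, os, struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6
ATTR_VENDOR_SPECIFIC, ATTR_SESSION_TIMEOUT = 26, 27
ATTR_TERMINATION_ACTION, ATTR_CALLING_STATION_ID = 29, 31
SERVICE_TYPE_CALL_CHECK = 10            # assumed Service-Type carried by MAB requests
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1   # IANA enterprise 9, vendor type 1 = cisco-av-pair
TERMINATION_RADIUS_REQUEST = 1          # re-authenticate at timeout instead of dropping

def encode_attr(atype, value):
    """Encode one RFC 2865 type-length-value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_av_pair(text):
    """Wrap a 'key=value' string in a Cisco Vendor-Specific attribute."""
    body = text.encode()
    return encode_attr(ATTR_VENDOR_SPECIFIC,
                       struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(body) + 2) + body)

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with chained MD5 keys."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_mab_access_request(mac, secret, ident=7, authenticator=None):
    """Constructed MAB request: the host's MAC address is both User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)
    plain = mac.lower().replace(":", "").replace("-", "")
    attrs = (encode_attr(ATTR_USER_NAME, plain.encode())
             + encode_attr(ATTR_USER_PASSWORD, pap_hide(plain.encode(), secret, authenticator))
             + encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + encode_attr(ATTR_CALLING_STATION_ID,
                           "-".join(plain[i:i + 2] for i in range(0, 12, 2)).upper().encode()))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_audit_access_accept(request, secret, posture_token, dacl_name, session_timeout):
    """Constructed ACS reply for an audited host: posture token, DACL name (the switch fetches
    the ACL entries in a follow-up exchange), Session-Timeout and Termination-Action."""
    attrs = (cisco_av_pair("posture-token=" + posture_token)
             + cisco_av_pair("ACS:CiscoSecure-Defined-ACL=" + dacl_name)
             + encode_attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", session_timeout))
             + encode_attr(ATTR_TERMINATION_ACTION, struct.pack("!I", TERMINATION_RADIUS_REQUEST)))
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response_authenticator(response, request, secret):
    """The switch must check this before trusting the posture token or DACL it was handed."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

def parse_attributes(packet):
    """Walk the TLVs, unpacking Cisco av-pairs by name; reject inconsistent lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    ints = {ATTR_SERVICE_TYPE: "service_type", ATTR_SESSION_TIMEOUT: "session_timeout",
            ATTR_TERMINATION_ACTION: "termination_action"}
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if atype == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vpos = 4
            while vpos < len(value):
                vlen = value[vpos + 1] if vpos + 2 <= len(value) else 0
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed vendor attribute")
                if value[vpos] == CISCO_AV_PAIR:
                    key, _, val = value[vpos + 2:vpos + vlen].decode().partition("=")
                    found[key] = val
                vpos += vlen
        elif atype in ints:
            found[ints[atype]] = struct.unpack("!I", value)[0]
        elif atype in (ATTR_USER_NAME, ATTR_CALLING_STATION_ID):
            found["user_name" if atype == ATTR_USER_NAME else "calling_station_id"] = value.decode()
        elif atype == ATTR_USER_PASSWORD:
            found["user_password"] = value
        pos += packet[pos + 1]
    return found

def session_timeout_is_adequate(accept_info, dacl_download_seconds):
    """Guideline check: Session-Timeout must exceed the measured DACL download time,
    or the session is torn down before the ACL is ever applied."""
    return accept_info.get("session_timeout", 0) > dacl_download_seconds
```

Termination-Action is set to RADIUS-Request so that expiry of Session-Timeout triggers a re-authentication (and a fresh audit) rather than dropping the host; `session_timeout_is_adequate` takes the measured download time as an input because, as the guideline says, that number depends on the size of the DACL and on the other audit requirements of the deployment.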