Cisco Systems 4.2 Server User Manual


 
Configuration Guide for Cisco Secure ACS 4.2
OL-14390-02
Chapter 6
Agentless Host Support Configuration Scenario
This chapter describes how to configure the agentless host feature in Cisco Secure Access Control
Server, hereafter referred to as ACS.
Note: The procedure in this chapter describes how to configure agentless host support by using ACS with a
Lightweight Directory Access Protocol (LDAP) database. You can also configure agentless host support
by using the ACS internal database, but using an LDAP database is generally more efficient.
This chapter contains the following sections:
Overview of Agentless Host Support, page 6-1
Summary of Configuration Steps, page 6-3
Basic Configuration Steps for Agentless Host Support, page 6-4
Configuration Steps for Audit Server Support, page 6-24
Overview of Agentless Host Support
Many hosts that ACS authenticates run agent software that requests access to network resources and
receives authorization from ACS. However, some hosts do not run agent software. For example:
Many 802.1x port security deployments authenticate hosts that do not have appropriate security agent software, such as Cisco Trust Agent.
When an agentless host is connected to a Layer 2 device and an Extensible Authentication Protocol over User Datagram Protocol timeout (EoU timeout) occurs, in-band posture validation cannot occur.
ACS solves this problem by using the MAC address of the host device to identify and authenticate the
host. This technique is called MAC authentication bypass (MAB).
1. When an agentless host connects to a network access device (NAD), the NAD detects that the host does not have an appropriate software agent and uses the host's MAC address to identify it.
2. The NAD sends ACS a RADIUS authorization request with servicetype=10 and the MAC address of the host contained in the calling-station-id attribute.
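The following is an added example, not code from the Cisco guide or from ACS itself: a small server-side model of how a MAB request is recognized from the two attributes named above (Service-Type 10 and Calling-Station-Id) and how the MAC is normalized before the database lookup that ACS performs against LDAP or its internal store. The KNOWN_HOSTS table and the MabDecision type are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The servicetype=10 value the chapter names for MAB requests
# (Service-Type 10 is Call-Check in RADIUS).
SERVICE_TYPE_CALL_CHECK = 10

# Constructed stand-in for the LDAP/internal database ACS consults:
# normalized MAC (12 lowercase hex digits) -> group the host belongs to.
KNOWN_HOSTS = {
    "001122334455": "printers",
    "aabbccddeeff": "ip-phones",
}

# Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and 001122334455.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$"
)


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if the value is not a MAC.
    NADs format Calling-Station-Id differently, so the lookup key must be canonical."""
    v = value.strip().lower()
    if not _MAC_RE.match(v):
        return None
    return re.sub(r"[^0-9a-f]", "", v)


@dataclass
class MabDecision:
    is_mab: bool            # request carried Service-Type 10
    mac: Optional[str]      # normalized MAC, None if Calling-Station-Id was unusable
    group: Optional[str]    # group from the database, None means "unknown host"


def evaluate_request(attrs: dict) -> MabDecision:
    """attrs maps RADIUS attribute names to the values the NAD sent."""
    if attrs.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
        return MabDecision(False, None, None)      # not a MAB request
    mac = normalize_mac(str(attrs.get("Calling-Station-Id", "")))
    if mac is None:
        return MabDecision(True, None, None)       # MAB-shaped, but no usable MAC
    return MabDecision(True, mac, KNOWN_HOSTS.get(mac))
```

A host is granted access only when `group` is not None; an unknown MAC or a malformed Calling-Station-Id is treated as a reject.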