Making Sense of All the Cisco NAC Appliance Design Options

In the previous chapter, you explored all the pieces, or building blocks, that can make up a Cisco NAC Appliance deployment. Now you will learn the multiple ways you can manipulate these building blocks so that they best fit into your environment. Given the complexity of today's networks, you need a Network Admission Control (NAC) solution that has options. Cisco NAC Appliance definitely has options. It has so many, in fact, that sometimes it can get confusing as to what to use where and why....

NAC Design Considerations

When working through the design process for Cisco NAC Appliance, you will come up against multiple choices. Understanding what choices are available and how they work is incredibly important. Your environment will most likely use a few different deployment options, not a single one throughout. For example, you might choose to use Single-Sign-On (SSO) for your virtual private network (VPN) users but not for your wireless guest user and public space areas. Knowing how to best match the...

Configuring the Primary Server for High Availability

The principal configuration steps for configuring high availability on the primary NAC Appliance Server are as follows:

Step 1 Access the primary NAC Appliance Server directly.
Step 2 Configure the network and host information for the primary NAC Appliance Server.
Step 3 Configure HA-Primary Failover.
Step 4 Configure the SSL certificate.
Step 5 Reboot the primary NAC Appliance Server.
Step 6 Add NAC Appliance Server to NAC Appliance Manager by using the service IP.
Step 7 Complete the...

NAC Appliance Server Load Balancing Using Policy Based Routing

The following are the prerequisites for NAC Appliance Server load balancing using policy-based routing:

- The router on the untrusted side and the router on the trusted side of NAC Appliance Server must support policy-based routing.
- Traffic flow to NAC Appliance Server should be symmetric in both directions. This is not a requirement but a best practice.

This load-balancing technique was developed specifically for a centralized NAC Appliance Server deployment model with more than 2500 clients. In...

NAC Appliance and IP Telephony Integration

With careful design and planning, NAC Appliance and IP telephony can coexist harmoniously. This section is dedicated to the design best practices of integrating NAC Appliance into an IP telephony environment. When designing NAC Appliance to work in an IP telephony environment, the ultimate goal is to have clients inspected by NAC Appliance while all voice traffic bypasses NAC Appliance completely. The best practices that help accomplish this goal are most relevant when client PCs plug directly...

Setting Up DHCP Failover on NAC Appliance Servers

When using the DHCP Server mode on a NAC Appliance HA pair, you need to configure DHCP failover. Doing so allows for the constant synchronization of DHCP-related information (for example, active leases, lease expirations, and so on) between the primary and secondary NAC Appliance Servers. As a result, when a failover occurs, the new active NAC Appliance Server picks up exactly where the old active NAC Appliance Server left off. DHCP failover works by setting up an SSH-encrypted tunnel between...

Scalability and Performance of Cisco NAC Appliance

To ensure a good design, understanding the scalability and performance limits of NAC Appliance is important. Table 3-4 depicts the scalability and performance numbers that are relevant to properly designing a NAC Appliance solution.

Table 3-4 Scalability and Performance of NAC Appliance (columns: Manager, Maximum Managed Server Pairs; table body not reproduced here)

Common Checks, Rules, and Requirements

Here are some of the most common checks, rules, and requirements implemented by administrators of the NAC Appliance solution. All the examples given have corresponding built-in checks and rules written and are auto-updated by NAC Appliance.

- An antivirus program must be installed, running, and up to date. Most organizations specify specific antivirus programs for certain user roles. For example, employee user role clients must use the corporate Trend Micro antivirus client, whereas guest user...

Step 12 Configuring the SNMP Receiver

The SNMP receiver configuration must match the SNMP configuration on the NAC-controlled switches. The SNMP receiver receives and responds to SNMP traps sent by switches. The SNMP receiver page shown in Figure 10-13 can be accessed by navigating to Switch Management > Profiles > SNMP Receiver > SNMP Trap.

Figure 10-13 SNMP Receiver Configuration Page

Advanced settings with which you can tweak different timers are also available. They are...

Cisco NAC Appliance Updates

Prior to configuring your policy requirements, be certain that you have the most up-to-date checks, rules, and software updates available from the Cisco NAC Appliance Updates Server. You can view the current versions and numbers of each updated object by navigating the NAC Appliance Manager menu under Device Management > Clean Access and then selecting the Updates tab. A sample Updates tab screen is displayed in Figure 9-1.

Figure 9-1 Updates Tab Screen as Displayed on the NAC Appliance...

Step 17 Configuring the Web Login Page

You have to configure the web login page for users who don't use NAC Appliance Agent. The Login Page edit screen is shown in Figure 10-56. This design uses ActiveX and Java applet controls for the following two purposes:

- To obtain the MAC address of the user device. This is required for OOB Layer 3 mode to operate. The client's MAC address is used to find the switch port the client is connected to.
- To trigger an IP release/renew when the user is moved from the untrusted VLAN to the trusted VLAN....

XL Edge Layer 2 Switch Configuration

Example 11-4 shows the 3500XL edge Layer 2 switch configuration using software version c3500XL-c3h2s-mz.120-5.3.WC.1.bin. Note that the 3500XL switches have been designated End-Of-Life by Cisco. Although the 3500XL switch is still supported by NAM and NAS, Cisco best practices recommend that customers deploy active Cisco LAN switches that are not on the End-Of-Sale or End-Of-Life list. The current switches support many popular enhanced security features, such as SNMP Version 3. For the...

Enforcement Methods Available with NAC Appliance

Not all enforcement methods supported by NAC Appliance are supported in all modes of operation. This issue applies mostly to the In-Band and Out-of-Band operating modes. Many of the features are not available for out-of-band clients that have passed authentication and posture assessment. This is because once clients are certified, they are moved to the appropriate access VLAN. This access VLAN completely bypasses the NAC Appliance solution, making the use of some enforcement methods unfeasible....

The Basics: Principal Configuration Tasks for the NAM and NAS

This chapter explains the basic configuration tasks required to install and configure the NAC Appliance Manager (NAM) and NAC Appliance Server (NAS). The NAM and NAS are software packages that are installed on top of their own dedicated server appliance. The software is built on a hardened Linux kernel and will turn each dedicated server into a Cisco appliance. This means you cannot install any other third-party software on top of the Linux kernel. Prior to 4.0.3, you could buy the software...

Switches Supported by NAC Appliance Out-of-Band

This section details the Cisco switch models and the required minimum software version you must have in your environment if you plan to use NAC Appliance in Out-of-Band mode. This information is constantly being updated, so be sure to check the latest NAC Appliance Release Notes on http://www.cisco.com. Table 4-3 lists the supported switches as of this writing.

Table 4-3 Supported Switches for Cisco NAC Appliance Out-of-Band (columns include Minimum...)

LDAP Browser: Not Required but Very Helpful

Before configuring an LDAP lookup server in NAM, having a good understanding of Active Directory and LDAP tree structure is helpful. To assist with this learning, an LDAP directory browser is highly recommended. For this exercise, a free LDAP browser from Softerra (http://www.softerra.com) is used to help walk through the LDAP tree and correctly identify user attributes. Softerra is probably not the only free LDAP browser available on the Internet. You can use any other tool you choose to...

Enabling GPO Updates

Starting with NAC software 4.1.0, NAC Agent (4.1.0) can retrigger a GPO update after an AD user has signed in to the network. This is helpful in ensuring that all AD domain users inherit the appropriate user policies as defined by the AD administrator. For example, the administrator can create a policy that prevents the users from changing their desktop wallpaper. With the 4.1.0 release, NAC Agent executes the gpupdate command to retrigger the Group Policy update after login and prevent users...

API for Guest Access

Cisco has additionally provided a web-based API that supports Secure Sockets Layer-based POST requests to complete certain tasks. In relation to guest access, this API can be used to create specific user accounts that are applied to a role that is granted only guest access as well as deleting guest access users. The web API is accessible via the NAM at When using the API for configuring guest accounts and when writing API access scripts, it is recommended that you refer to the current API guide...

Cisco Content Switching Module or Standalone Content Services Switch

The following are the prerequisites for Cisco Content Switching Module or standalone Content Services Switch:

- Must have either two CSS or one CSM Appliance.
- NAC Appliance servers must be in Real-IP Gateway mode.

The CSM and CSS are advanced Layer 4-to-Layer 7 load-balancing appliances. Using CSM or CSS load balancing allows you to scale NAC Appliance protection by distributing traffic across multiple NAC Appliance Servers on a per-client basis. The CSS and CSM are capable of providing both...

Client Authentication and PBR Steps in L3 OOB

The client authentication and PBR steps in L3 OOB are as follows:

1. The client's Clean Access Agent, noticing the network connectivity, begins to send Layer 2 UDP port 8905 SWISS discovery packets to its default gateway. The agent is trying to locate a NAC Appliance Server.
2. Because there is no NAC Appliance Server between the Clean Access Agent and its default gateway, it does not get a response.
3. Clean Access Agent then tries Layer 3 SWISS discovery. Clean Access Agent sends UDP port 8906...

Host Security Policy Checklist

Here is a checklist of the most common steps considered necessary to create a NAC Appliance host security policy. Each checklist item will be explained in detail in the subsequent sections of this chapter. Use this checklist, along with the detailed explanations, to give you a head start in the creation of your own unique host security policy.

- Obtain senior management sponsors who will support you through the creation of the host security policy and the deployment of the NAC Appliance solution....

NAC as an Embedded Solution

The initial Cisco vision of NAC, first introduced in 2003, leverages the Cisco IOS in Cisco routers and switches to deliver the NAC functionality. Also referred to as NAC Framework, it comprises Cisco Access Control Server (ACS), Cisco routers and switches, and an end point software agent called Cisco Trust Agent (CTA). To assist with posture assessment, device auditing, and software remediation, the embedded NAC solution relies on third-party software via application program interfaces (API)....

Spanning Tree N+1

The following are the prerequisites for Spanning Tree N+1:

- NAC Appliance Server must be in In-Band Virtual Gateway mode.
- NAC Appliance Server must not be configured for 802.1q trunking with VLAN mapping or with VLAN interfaces.
- You must use either Per VLAN Spanning Tree Plus (PVST+) or Multiple Instance Spanning Tree Protocol (MISTP) as the Spanning Tree Protocol (STP) algorithm.

It is possible to use the network to bypass a failed NAC Appliance Server and provide per-network load distribution...

Adding an AD Server as an AD SSO Auth Server

The following steps show how to add an AD server in NAS as an AD SSO authentication server:

Step 1 In NAM, go to User Management > Auth Servers > New.
Step 2 Select the authentication type Active Directory SSO.
Step 3 Enter the provider name ADSSO.
Step 4 Leave the default role as Unauthenticated Role. This is the default user assigned role unless it is overridden by the LDAP Lookup Server field.
Step 5 For now, leave the LDAP lookup server as NONE. This step will be created later.
Step 6 In...

User Attributes in Active Directory

Active Directory tree structure can be multilevel and quite complex. Therefore, it is important that the NAC Appliance administrator work with the AD server administrators to coordinate the user-role-to-AD-attribute mapping effort. The scope of this book is not to discuss how to correctly configure and deploy AD in an enterprise environment. Therefore, the test lab used in this exercise is simplified to demonstrate the technique of how to map AD user attributes to NAC mapping rules. Earlier,...

Login Steps for OOB in L3 Adjacency Real IP Mode

These certification steps are based on the perspective of the host and user in Figure 4-15. The traffic control method used is policy-based routing. The host has Clean Access Agent installed and is multiple Layer 3 hops from NAC Appliance Server. NAC Appliance Server is in Real IP Gateway mode and routing between the untrusted and trusted networks. NAC Appliance is not configured for network scanning, only Clean Access Agent posture assessment. The Cisco LAN switch is configured to send both...

NAC Licensing

After setting up NAM and accessing the GUI (https://NAM_IP) for the first time, you will be prompted to enter a valid product license. Without it, you cannot proceed with further NAC configurations. See Figure 7-1 for initial license installation.

Figure 7-1 NAC Manager Licensing Page

Text of the licensing page shown in the figure: "The product license for this Installation (MAC Address 0Q 30 48 80 43 D6) Is either Invalid, expired, or not yet set. Please choose the correct license that you will need Product Evaluation If you are evaluating the..."

Configuring NAS to Support VPN SSO

After the user authenticates to the concentrator, it sends a RADIUS accounting start packet to NAS. NAS then completes the SSO process with NAC Agent and adds that host to the certified device list. The same process applies when a user terminates a VPN tunnel. The concentrator sends a RADIUS accounting stop packet to NAS, and NAS removes that user from the certified device list. The final step is to enable VPN SSO capabilities within NAS. Follow these steps to do so:

Step 1 Go to the NAS-VPN...

Commonly Used Network Access Policies

In short, a network access policy defines what a host can and cannot do on the network. The exact rules that make up any network access policy are customized for a particular environment but, nevertheless, there are some commonalities between organizations. This section will focus on those common elements. The network access policy defined in your HSP will typically cover all the enforcement methods that NAC Appliance supports. To review, those enforcement methods are VLAN segmentation, traffic...

Configuring Single Sign-On for VPN

Single Sign-On for NAC + Cisco VPN provides a similar user login experience to AD SSO. However, in IPsec or SSL VPN access, the user is typically prompted with a VPN username and password login. After the users enter their username and password, NAC Appliance can assign the appropriate user role based on RADIUS accounting information received from the RADIUS authentication server used by the VPN concentrator. Figure 11-34 shows the NAC Appliance and Cisco VPN test network diagram. Active...

Configuring the AD Server and Running the ktpass Command

The following is how to prepare and configure the AD server for AD SSO:

Step 1 Create the NAS user account in AD.
Step 2 Install the support tools from the Windows 2003 Server CD.
Step 3 Run the ktpass.exe command.

Use the following steps to create the NAS user account in the AD server:

Step 1 In the AD server, go to Start > Administrative Tools > Active Directory Users and Computers.
Step 2 Go to the Users folder under the AD domain. In this example, the AD domain is selab.net.
Step 3...

Hard Outer Shell with a Chewy Inside: Dealing with Internal Security Risks

Ninety-nine percent of all networks today have a firewall in place to filter traffic coming from the Internet. In fact, most organizations have a robust set of outer defenses. These typically include one or more demilitarized zones, intrusion detection system or intrusion prevention system, spam filters, VPN concentrators, and antivirus scanners. These outer defenses are in place to protect the organization from very high-risk environments such as the Internet. The problem is that these...

The Blueprint: Designing a Cisco NAC Appliance Solution

Chapter 3 The Building Blocks in a Cisco NAC Appliance Design
Chapter 4 Making Sense of All the Cisco NAC Appliance Design Options
Chapter 5 Advanced Cisco NAC Appliance Design Topics

This chapter covers the following topics:

- Cisco NAC Appliance Solution Components
- Cisco NAC Appliance Minimum Requirements
- Scalability and Performance of Cisco NAC Appliance

Step 1 Configuring the Switches

The sample topology (see Figure 10-35) has a central switch and an edge switch, both of which are Catalyst 3750 series switches running code 12.2(25)SEE or later. The first step is configuring the central switch. You have to complete the following configuration steps at a minimum:

- Configure Virtual LAN Trunking Protocol (VTP) and VLANs
- Configure the ports that NAC Appliance Manager and NAC Appliance Server connect to

After these steps are completed, you might have to configure additional...

Discovered Clients Page

The Discovered Clients page displays all the clients discovered from SNMP MAC-notification or linkup and linkdown traps sent from controlled switch ports. It serves as a location database, letting NAC Appliance Manager know which switch port a particular client (MAC address) is plugged into. The Manager uses this list when it needs to set a VLAN (authentication or access VLAN) for an out-of-band client. When a client first connects to a switch port, the switch sends an SNMP MAC-notification or...

Sample Design and Configuration for Layer 3 Out-of-Band Deployment

For Layer 3 out-of-band deployment, consider the topology in Figure 10-35.

Figure 10-35 Sample Layer 3 OOB Network Topology (labels shown in the figure: 10.10.20.1 (NAS Trusted); 10.10.21.1 (NAS Untrusted); 10.10.30.1 (NAM Management); v10 10.10.10.1 (Guest); v11 10.10.11.1 (Consultant); v12 10.10.12.1 (Employee); v110 10.10.110.1 (Auth Untrusted); v22 10.10.22.1 (Switch Management))

NOTE Figure 10-35 is the basis for this example and is referred to several times throughout the following text. It will be helpful to bookmark this...

Out-of-Band Mode

Out-of-Band mode was created to fill some of the perceived gaps of In-Band mode operating in a LAN environment. OOB is designed for one purpose: to control hosts that connect directly to Cisco LAN switches. It is not capable of operating in wireless or VPN environments or those with non-Cisco switches. Businesses wanted true switch port-level network admission control, and they did not want the appliance to be a bottleneck on their high-speed LANs. To accomplish this, OOB uses switch port-level...

WLC Setup

The goal of this chapter is not to teach you how to configure and deploy Wireless LAN Controller. Therefore, only relevant screenshots are shown in the following steps:

Step 1 Figure 11-52 shows the basic IP address and software version of WLC.

Figure 11-52 WLC Software and IP Summary

Step 2 Under the Controller > General menu, LWAPP transport mode must be enabled for Layer 3. In addition, enter a mobility domain name. A sample domain name used is...

Configuring Traffic Policies and Ports in the Unauthenticated Role for AD Authentication

By default, NAS permits only DNS and DHCP traffic in the Unauthenticated role. For AD users to authenticate via Kerberos to the AD domain, ports must be opened on NAS to allow the authentication process to pass through in the Unauthenticated role. This will also allow GPO and scripts to run after the user authentication. The required TCP and User Datagram Protocol (UDP) ports are listed next.

- TCP 135 (remote-procedure call, RPC)
- TCP 389 (LDAP) or TCP 535 (LDAP with Secure Sockets Layer, SSL)...

Performing Initial NAM Configurations

If your NAM is preinstalled with the NAM software from Cisco, you may skip the manual installation that follows and proceed from Example 7-3. From the CLI, simply type in service perfigo config to run the setup script. If your NAM is not preinstalled with the NAM software from Cisco, you will need to manually install the NAM software via the Cisco NAC Appliance - Clean Access CD. Insert the NAC installation CD into the CD-ROM drive of the NAM appliance and reboot the appliance. Your NAC...

NAM Configuration

From the command-line interface (CLI) of NAM, use the service perfigo config command to set up the NAM IP info. The CCA software used is version 4.1.0. Example 11-1 shows the configuration setup script.

Example 11-1 Configuring NAM via CLI

    Fedora Core release 4 (Stentz)
    Kernel 2.6.11-perfigo on an i686
    root cam1 service perfigo config
    Welcome to the Cisco Clean Access Manager quick configuration utility.
    Note that you need to be root to execute this utility.
    The utility will now ask you a...

Layer 2 Versus Layer 3 Client Adjacency Overview

Layer 2 Adjacency means that NAC Appliance Server is a Layer 2 hop from hosts on its untrusted networks side. This allows NAC Appliance Server to see the real MAC address of every client it is controlling. In Layer 2 mode, a host's unique identity is defined using its MAC address only. Layer 3 Adjacency means NAC Appliance Server is one or more Layer 3 network hops from the hosts on its untrusted networks side. In this mode, NAC Appliance Server cannot see the real MAC address of the host. In...

Configuring Single Sign-On for Cisco Wireless LAN Controller

Configuring Single Sign-On for Cisco Wireless LAN Controller (WLC, from the Airespace acquisition) is similar to configuring SSO for Cisco VPN. From the NAS and NAM perspectives, WLC functions as if it were a VPN concentrator. In fact, adding WLC through the NAM GUI is done by logically adding it as a VPN concentrator. WLC communicates with NAM through RADIUS accounting, and NAM assigns user roles based on default rules or mapping rules you create. The WLC SSO setup in this test network consists of the...