Acknowledgments

A great big thanks to my wife Becca, for keeping me focused, giving me ideas, and proofreading my work during the whole process. Thank you, Becca, for all the sacrifices you made so that I could complete this book. Thank you to my parents for their never-ending support, prayers, and encouragement with everything I do. Thank you to my sisters for your advice and support over the years. A big thank you to my best man, Mike Ditta, for convincing the prison to let us use his self-portrait for the...

Active Directory or Domain Controller Configuration

The AD server in this deployment is a Windows 2003 Server Enterprise Edition with Service Pack 1. The AD server's FQDN is win2003-ad-ca.selab.net. The computer name of the AD server is win2003-ad-ca. The domain name is selab.net. Figure 11-2 shows the FQDN of the AD server win2003-ad-ca.selab.net. This AD server is also the DNS server for this sample deployment.

Active Directory Single Sign-On Overview

Prior to NAC Appliance 4.0, a typical Windows user running NAC Agent would have to manually log in via the NAC Agent prompt to gain access to the network. The NAC Agent login is an additional login step to the Ctrl-Alt-Delete login process that all Windows users go through when booting up their machine. Many users complained that the extra login was a hassle and inconvenient. Starting with 4.0, that extra login step for Windows users logging in to the domain has been removed. Windows users...

Active Directory SSO Prerequisites

The following are prerequisites for Active Directory SSO:
Clients must use the Clean Access Agent software.
NAC Appliance 4.0 or greater software is required.
Time must be synchronized between NAC Appliance and Active Directory servers.
The supported AD servers are as follows: Windows 2003 Enterprise SP1

Add Exempt Device

The devices in your network that are not capable of authenticating and posturing can be added as exempt devices. The Add Exempt Device page allows you to add MAC addresses of devices that are not required to meet the NAC Appliance requirements. The configuration of such devices is shown in Figure 9-6. After exempt devices are configured, they will be listed as such in the certified list, as illustrated in Figure 9-7. These devices are exempt from all NAS servers. If you want to locally exempt a...

Add Floating Device

Floating devices are ones that will be listed as exempt for a single user session. After the user logs out, the system removes the exempt status. Floating device configuration is also used to ensure that systems hidden behind a shared network device, such as a router, virtual private network (VPN) concentrator, or firewall, which would normally share the same MAC address from the NAS perspective, are not considered to be a single device. Using this option, you can opt to identify each session...

Adding a CA-Signed Certificate to the Primary NAC Appliance Manager

Figure 12-3 shows the certificate configuration page. Remember that the imported certificate must use the service IP address or domain name.
Figure 12-3 CA-Signed Certificate Configuration Page
Follow these steps to add a CA-signed certificate to the primary NAC Appliance Manager:
Step 1 On the Primary Cisco NAC Appliance Manager's admin GUI, navigate to Administration > Clean Access Manager > SSL Certificate.
Step 2 Select Import...

Adding a Certificate to the Secondary NAC Appliance Manager

Now that the certificate has been added to the primary NAC Appliance Manager, you need to import the private key file and certificate file into the secondary NAC Appliance Manager. The configuration process on the secondary NAC Appliance Manager is the same regardless of whether the primary NAC Appliance Manager used self-signed temporary certificates or Certificate Authority-signed certificates. Use the following steps to configure certificates:
Step 1 On the Secondary Cisco NAC Appliance...

Adding Additional NAS Appliances

Now that NAM and the first NAS have been configured, they can be added to the network. Both NAM and NAS should be pingable on the network. NAM will manage the NAS or multiple NAS appliances. Figure 7-12 shows how to add the first NAS. If you need to add more NAS appliances to the network, you can do so by following the explanation accompanying Figure 7-12.
Step 1 Select Device Management > CCA Servers.
Step 2 Select the New Server tab. Enter the appropriate new NAS information.

Adding an LDAP/AD External Authentication Source

To add an external authentication mechanism for LDAP/AD, you should select LDAP for the authentication type, as the following steps illustrate:
Step 1 Under the Auth Servers tab, click New.
Step 2 In the Authentication Type drop-down, select LDAP.
Step 3 Enter a provider name that will be advertised to the users as a possible authentication mechanism.
Step 4 Enter the server URL in the form of ldap://url.
Step 5 Select a server version from the Server Version drop-down list, which provides the...

Adding External Authentication Sources

Several external authentication servers are supported. The following protocols are supported: Kerberos, RADIUS, Windows NT (NTLM), and LDAP. The next section shows how to add a RADIUS authentication server, and the section that follows that gives an example of how to add an LDAP/AD server.
Adding a RADIUS External Authentication Source
To add a new external authentication provider, you must navigate to the Auth Servers menu option under the User Management section. There you will see a list of...

Adding NAC Appliance Managers in High Availability Mode

As you see from the diagram in Figure 12-2, both the serial interface and the eth1 interface are used for the heartbeat packets. eth0 link failure-based failover is also being used.
Figure 12-2 NAC Appliance Manager in HA Mode
The first step in configuring a high-availability pair is adding or modifying their certificates. The certificates of both the primary and secondary Cisco NAC Appliance Managers must be generated using the service IP address or a domain name that DNS resolves to the...

Adding NAC Appliance Servers in High Availability Mode

When configuring HA on NAC Appliance Servers, it is recommended that you first configure the primary NAC Appliance Server and test it with clients. After successful testing is done, add the secondary server to the system. Testing with only the primary NAC Appliance Server active first will make it easier to troubleshoot any issues. When you add the secondary NAC Appliance Server to the mix, you know you are adding it to a known good working NAC Appliance configuration. As a result,...

Additional Out-of-Band Considerations

Here is a list of other considerations worth noting in regard to the sample setup you just ran through:
The previous steps covered a scenario in which users have NAC Appliance Agent and the agent is able to discover NAC Appliance Server. Users who don't have NAC Appliance Agent have to be given a URL to which they can go for authentication. That URL should resolve to the untrusted port IP of NAC Appliance Server. Therefore, guest users who want to get network access can be given a URL, for...

Advanced Cisco NAC Appliance Design Topics

This chapter will build on the basic NAC Appliance design concepts covered in the preceding chapter. It focuses on those advanced features essential to designing the most secure, user-friendly, scalable, and fault-tolerant NAC Appliance environment possible. This chapter by no means covers all the advanced features available, but instead focuses on the most widely deployed, or popular, advanced options. You will undoubtedly use most of these options in your design. The use of external...

Advantages of Using In-Band Mode

When designing any security solution, it is important to understand the advantages and disadvantages of the various product features and modes of operation. There are several compelling reasons to use In-Band instead of Out-of-Band mode. The following is a list of the major advantages In-Band has to offer:
It is the easiest mode to design, configure, deploy, and troubleshoot.
It is less intrusive in environments with IP phones.
It is the only mode that allows you to use bandwidth rate-limiting...

Advantages of Using Out-of-Band Mode

When designing any security solution, it is important to understand the advantages and disadvantages of the various product features and modes of operation. There are several compelling reasons to use Out-of-Band mode instead of In-Band mode. The following is a list of Out-of-Band mode's major advantages:
Typically the biggest advantage OOB has over IB is that client traffic no longer flows through NAC Appliance after authentication and certification are complete.
OOB provides true switch...

Agent Distribution

After Clean Access Agent is deployed, you can force the users to automatically upgrade to the latest version. Additionally, you can upload the necessary patches to NAM when necessary. To perform these tasks, you must navigate to Device Management > Clean Access > Clean Access Agent > Distribution. From here, you can configure the distribution using the following options, as displayed in Figure 9-17:
Current Clean Access Agent Patch Is a Mandatory Upgrade: Selecting this option and clicking...

Agent Host Security Posture Assessment Steps for OOB

The agent host security posture assessment steps for OOB are as follows:
1 After user authentication succeeds, NAC Appliance Manager moves to stage two: host security posture assessment. The user group that Liam is a member of determines the login role he is in. The user's login role determines what host security checks will be performed.
2 NAC Appliance Manager tells NAC Appliance Server to tell Clean Access Agent what security checks to perform on the host.
3 Optionally, the user is shown the...

Agent Installation Process

Each NAS will obtain the latest copy of Cisco Clean Access Agent from NAM when it becomes available. The users required to use Clean Access Agent are asked on initial install to download and install the agent. In addition, if desired, Clean Access Agent can be distributed via any number of other methods, such as login script, manual installation, or software distribution systems such as BigFix or Microsoft System Management Server (SMS). After installation, Clean Access Agent can automatically...

Agent Login

The Agent Login page of the General Setup tab provides the ability to configure how users authenticating via the CCA Agent will be processed and what options they will have and be able to see on this page. Figure 9-4 shows the configuration options. The following explains the options on this page:
User Role: Select the appropriate user role from the drop-down selection tool to choose what role to apply.
Operating System: Select the operating system from the drop-down to ensure that only users with...

Agent Policy Enforcement

After Clean Access Agent authenticates to NAC Appliance, it is interrogated using mechanisms available to the current Clean Access Agent. The system will either have to meet the requirements or be brought into compliance in order to access the network. If the system does not meet requirements, access will be prevented or degraded if the administrator has configured the system for such access. The following sections cover the configuration of requirements, rules, and checks that will interrogate...

Agent Post-Certification Steps

The Clean Access Agent post-certification steps are as follows:
1 The host is now considered certified, or clean, and is put into its proper normal login role.
2 Optionally, the user is shown the acceptable use policy for the normal login role.
3 After the policy is accepted, NAC Appliance Manager adds the user and host to the certified devices list.
4 Any network bandwidth limits or network access lists configured for this normal login role take effect on the host traffic as it flows through NAC...

Agent Post-Certification Steps for OOB

The agent post-certification steps for OOB are as follows:
1 The host is now considered certified, or clean, and is put into its proper normal login role.
2 At this point, NAC Appliance Manager instructs the switch to move the client's switch port from the authentication VLAN 200 to the access VLAN 100. The access VLAN value is specified in the port profile.
3 The client is now considered out-of-band. This is because the client's traffic no longer flows through NAC Appliance. It is routed and...

Alternative Agent Installation Methods

Another alternative to installing Clean Access Agent via the web authentication page is to distribute it through your typical software delivery mechanism, such as login scripts, BigFix, or Microsoft SMS. To retrieve the installer files from NAM, you must navigate to the Installation option under the Clean Access Agent tab. At the bottom of this configuration page, you can download either the CCAA MSI Stub or the CCAA EXE Stub file as necessary for your software distribution mechanism. After it...

Assigning a Role by External Authentication Source Attributes

Although you have covered a few very simple role mapping methods up to this point, the most complex and comprehensive for role mapping is using an external authentication source's extended attributes. As an example, RADIUS provides to NAM some extremely detailed attributes that you can use for granular role assignment, including NAS IP address and Cisco avpair matching as well as role mapping based on the Lightweight Directory Access Protocol (LDAP). Another example external authenticator is a...

Assigning a Role by MAC and IP Address

Occasionally you will want to define a filter that allows certain MAC addresses and possibly the corresponding IP address to be assigned a user role based on that information alone. This sort of filter can be created at either the global level in NAC Appliance Manager or at the local level in a single NAC Appliance Server. Global policies are automatically distributed to every managed NAS, but if there is a conflicting local policy, the local policy prevails. To configure a global filter for...

Assigning a Role by Subnet

An alternative method to assigning a role by MAC or IP address is to assign it by the subnet of the device. On the NAM, under Device Management, select the Filters option and proceed as follows:
Step 2 Enter the classless interdomain routing (CIDR) block you want to match, such as 10.5.30.0/24.
Step 4 Select Use Role and then select the role you want to use from the drop-down selection box.
Step 5 Verify the configuration, as in Figure 8-15, and then click the Add button.
Figure 8-15 Configuration of a...

Assigning a Role by VLAN

When attempting to assign a user role, another option is to utilize the user VLAN ID. To create this sort of mapping, you are required to utilize an external authentication server. After you select the authentication server for which you want to add the VLAN ID-to-role mapping, you must select the appropriate Mapping icon associated with that authentication server. The list of authentication servers and the Mapping icon are displayed in Figure 8-5. After you click the Mapping icon for the...

Bandwidth Policies

In addition to limiting access by IP addressing, related information, and hostname resolution, you can limit the bandwidth available to systems in a given role. After selecting the Bandwidth tab on the User Roles page, you can select the Edit icon next to the corresponding role for which you want to control bandwidth. Selecting the Edit icon presents the bandwidth configuration form for that role. You can control the following options, which are shown in Figure 8-29:
Upstream Bandwidth: Amount of...

Basic AD SSO Configuration Steps

Before configuring AD SSO, you should have a good understanding of the AD domain structure. The following are several items that you will need to prepare:
Windows 2000 or Windows 2003 Server installation CD. This CD is required to install the support tools needed for the ktpass command. The ktpass command is required to be run on the AD server or domain controller that the NAS is logging in to.
The fully qualified domain name (FQDN) of the AD server that the NAS logs in to.
NAC Appliance Server...

Beginning Overall Setup

In any NAC deployment, a single NAM (primary) or a pair of NAMs (active and standby) can manage up to 40 NAS appliances. This means that nearly all the NAS configurations can be performed within the NAM GUI. But first, NAS has to be added to NAM. The following steps detail how to add NAS to the NAM:
Step 1 Go to Device Management > CCA Servers > New Server.
Step 2 Enter the server IP of the NAS: 192.168.10.10.
Step 3 Enter the server location: SE Lab.
Step 4 Select the server type: Out-Of-Band...

Building a Cisco NAC Appliance Host Security Policy

For any host-centric security solution to be successful, a solid host security policy (HSP) must first be in place. After a policy is in place, NAC Appliance enforces that policy networkwide. A host security policy defines, in as much detail as is practical, the protection strategy for the different clients within an organization. Given that host security threats are constantly changing, a host security policy must also be a living, changeable document. This book does not attempt to assemble an...

Business Drivers for Deployment

To make informed decisions regarding what the goals and scope of the deployment will be, it is important to understand the business drivers and priorities of the project. NAC Appliance has a multitude of features that you could use. The challenge will be in deciding which features you will enable and at what phase they should be tested and implemented. Typically, these feature decisions are based on the business drivers for the project in the first place. This section should include what those...

Central Deployment Mode or Edge Deployment Mode

Here the terms central and edge deployment refer to the physical configuration of NAC Appliance Server. Central Deployment mode means that both the trusted interface and the untrusted interface of NAC Appliance Server (NAS) are plugged in to the same physical switch. Edge Deployment mode means that the interfaces are plugged in to two separate switches. Out-of-band deployments use Central Deployment mode. This is because in an out-of-band deployment, NAC Appliance Servers are almost always...

Certified Devices

After configuring the authentication options for your users, you may begin to think about the other devices in your network that might not be able to run the agent but will require access to the network through the NAC Appliance. Devices you might consider are printers and video conference systems as well as select other user-based systems. The Certified Devices tab on the NAC Appliance menu allows you to configure the exemptions for these devices. Additionally, you can view the currently...

Certified List

The Certified List option (see Figure 9-5) on the Certified Devices menu allows the administrator to view and search for the devices that have been granted access to the network.
Figure 9-5 Certified List of Devices
This list is filterable by NAS or globally if desired. The list includes the following information:
Switch to which the system is connected
There is also an option per device to kick the user and remove it from the list. In addition to kicking a...

Checks, Rules, and Requirements to Consider

This section covers how to include the host posture assessment and remediation checks, rules, and requirements into an organization's host security policy document. One of the major benefits to using Clean Access Agent is its capability to perform granular host posture assessments and remediation on Windows hosts. Therefore, your host security policy should contain the checks, rules, and requirements that NAC Appliance should look for, enforce, and remediate on Windows hosts. Because Clean...

Cisco Clean Access Agent Requirements

The Cisco Clean Access Agent currently runs on Windows and Macintosh operating systems. Table 3-3 provides details as to the host requirements needed to run the Agent. Be sure to check Cisco.com to see whether additional operating systems or requirements have been added.
Table 3-3 Clean Access Agent Requirements
Microsoft Vista (all versions, including Japanese), Windows XP Professional, Windows XP Home, Windows XP MCE, Windows XP Tablet PC, Windows...

Cisco NAC Appliance Configuration

Chapter 7 The Basics: Principal Configuration Tasks for the NAM and NAS
Chapter 8 The Building Blocks: Roles, Authentication, Traffic Policies, and User Pages
Chapter 9 Host Posture Validation and Remediation: Cisco Clean Access Agent and Network Scanner
Chapter 10 Configuring Out-of-Band
Chapter 11 Configuring Single Sign-On
Chapter 12 Configuring High Availability
This chapter covers the following topics:
Understanding the Basic Cisco NAC Appliance Concepts
Configuring NAS Deployment Mode...

Cisco NAC Appliance Manager

The roles of NAC Appliance Manager are as follows:
Central administration and monitoring
Management of up to 40 NAC Appliance Server pairs
Central configuration of security policy and requirements
Performing automatic download of the latest Clean Access policies and updates
Centrally controlling network devices
Central user authentication to back-end authentication sources such as Lightweight Directory Access Protocol (LDAP), RADIUS, and Kerberos
NAC Appliance Manager is the administration...

Cisco NAC Appliance Manager and Server Requirements

Cisco NAC Appliance is sold as software only or as an appliance with hardware and software preinstalled. If you go the software-only route, you have to provide your own hardware. This hardware must be on the current supported server configurations list. Hardware not on the list will not be supported by the Cisco Technical Assistance Center. To obtain the current supported server list, go to http://www.cisco.com and search for "supported server configurations nac". After you select a supported server...

Cisco NAC Appliance Minimum Requirements

Cisco NAC Appliance Manager and NAC Appliance Server can be purchased two ways. You can buy only the software from Cisco and buy the hardware somewhere else, or you can buy the hardware and the software together in one of several appliance models available from Cisco. Typically, the term appliance means that the hardware and software come as a unit and you don't have the flexibility to buy your own hardware. That is not the case with NAC Appliance. The NAC Appliance software-only option is...

Cisco NAC Appliance Monitoring and Troubleshooting

Chapter 14 Understanding Cisco NAC Appliance Monitoring
Chapter 15 Troubleshooting Cisco NAC Appliance
This chapter covers the following topics:
Understanding the Various Monitoring Pages and Event Logs
Understanding Monitoring of Web Login and Clean Access Agents
Monitoring the Status of NAC Appliance Manager and NAC Appliance Servers

Cisco NAC Appliance Network Scanner

Network Scanner allows you to scan hosts to check for known vulnerabilities. Network Scanner is integrated into the NAC Appliance Manager and NAC Appliance Server software and is not a standalone piece. Network Scanner uses Nessus to scan hosts. You add in the Nessus plug-ins of your choice. For example, you can add the plug-ins that check to see whether music file-sharing applications are running on the host. If such programs are running, you could notify the end users that they must disable...

Cisco NAC Appliance Overview

The leading Cisco NAC offering is Cisco NAC Appliance (formerly known as Cisco Clean Access). Cisco NAC Appliance is the focus of this book. Cisco NAC Appliance is an easily deployable NAC solution that leverages the existing Cisco network infrastructure to enforce network security policies and software compliance. NAC Appliance can authenticate a user or device and perform posture assessment before granting access to the network. Devices such as PCs found to be missing the latest required OS...

Cisco NAC Appliance Server

The roles of the NAC Appliance Server are as follows:
Security policy enforcement: NAC Appliance Server is the policy enforcer, or the policy firewall, between the untrusted networks and the trusted networks. NAC Appliance Server's job is to enforce the security policies created in NAC Appliance Manager. NAC Appliance Server, in conjunction with NAC Appliance Manager, actively checks the identity of users and the security posture of their host when they try to obtain access to the network. Based...

Cisco NAC Appliance Solution Components

A NAC Appliance solution is made up of the following components:
Cisco NAC Appliance Manager (Clean Access Manager)
Cisco NAC Appliance Server (Clean Access Server)
Cisco NAC Appliance Network Scanner
Each piece has a distinct role to play in the solution. In this section, you examine the roles of each in more detail.
NOTE Cisco NAC Appliance was formerly known as Cisco Clean Access. The legacy name Clean Access is still widely used in the industry, but this book will use the new name Cisco NAC...

Cisco NAC Integrated Implementation

Cisco recently finalized a roadmap for an integrated implementation that enables both the NAC Appliance and embedded NAC approaches to interoperate within the same network. An existing example of this model is the Cisco firewall offering in both Cisco IOS routers and switches and dedicated appliances. Some customers deploy both IOS firewalls and dedicated firewall appliances as part of their defense-in-depth strategy. The integrated NAC implementation allows existing NAC appliance or embedded...

Cisco NAC Return on Investment

Many Cisco customers who have deployed the NAC appliance solution have quickly realized the immediate return on investment (ROI) of the NAC appliance. There are many references listed on the Cisco website at http://www.cisco.com/go/nacappliance under Case Studies. The following four case studies give you an example of how a higher-education institute, healthcare medical center, clinical research lab, and local city agency are using the Cisco NAC solution to improve their overall endpoint...

Cisco Wireless SSO

In a supported wireless environment, it is recommended that the NAC Appliance perform SSO. This means that the end user will have to enter credentials into only the wireless client. These same credentials will then be used transparently to log on the user to NAC Appliance, thus bypassing the manual user authentication step. NAC Appliance performs wireless single sign-on in just about the same manner as it does VPN single sign-on. It uses a trust relationship between the Airespace wireless LAN...

Cisco Wireless SSO Prerequisites

For wireless SSO to work, NAC Appliance Server must be running in In-Band mode. It is recommended, although not required, that the NAC Appliance Server be placed Layer 2 adjacent to the WLC. NAC Appliance supports wireless SSO with Cisco Airespace 4400 Series Wireless LAN Controllers.
NOTE Be sure to check the NAC Appliance release notes at http://www.cisco.com for the latest details about the devices and code versions supported with wireless SSO.

Clean Access Agent and Web Login with Network Scanner

This section will deal with how to best use the web login with Network Scanner and Clean Access Agent in your Cisco NAC Appliance design. Understanding where and when to use Clean Access Agent or web login is critical to producing a successful design. For this discussion, it should always be assumed that web login will include the Network Scanner function. The Network Admission Control Appliance solution has three main functions: authentication, posture assessment, and remediation. Each of these...

Clean Access Agent Authentication Steps

The Clean Access Agent authentication steps are as follows:
1 The host is now a member of the NAC Appliance Unauthenticated role. By default, hosts in this role will not be allowed to send any traffic, except DHCP and Domain Name System (DNS) queries, through their local NAC Appliance Server. You can modify the allowed traffic list as necessary for your environment.
2 Clean Access Agent, noticing the network connectivity, begins to send SWISS discovery packets to its default gateway. The SWISS...

Clean Access Agent Authentication Steps in OOB

The Clean Access Agent authentication steps in OOB are as follows:
1 The client is now a member of the NAC Appliance Unauthenticated role. By default, hosts in this role are not allowed to send any traffic, except DHCP and DNS queries, through their local NAC Appliance Server. You can modify the allowed traffic list as necessary for your environment.
2 Clean Access Agent, noticing the network connectivity, begins to send SWISS discovery packets to its default gateway. The agent is trying to...

Clean Access Agent Host Security Posture Assessment Steps

The Clean Access Agent host security posture assessment steps are as follows:
1 After user authentication succeeds, NAC Appliance Manager moves to stage two: host security posture assessment. The user group that Liam is a member of determines his login role. The user's login role establishes what host security checks will be performed.
2 NAC Appliance Manager tells Clean Access Agent what security checks to perform on the host.
3 Clean Access Agent performs these checks and sends the results back...

Clean Access Agent Network Scanner Steps

The Clean Access Agent network scanner steps are as follows:
1 If no network scans are configured for the user's role, skip this section and go to the Agent Post-Certification Steps section.
2 If network scans (Nessus scans) are configured for the user's role, they are now performed. The host's local NAC Appliance Server is responsible for performing the network Nessus scans.
3 If any vulnerabilities are found on the host, Clean Access Agent displays them. This informs the user of the...

Client Certification and Post-Certification Steps in L3 OOB

The client certification and post-certification steps in L3 OOB are as follows:
1 After the user passes authentication, client certification is performed. This process is almost identical to the in-band certification process found in the Agent Host Security Posture Assessment Steps for OOB section. The one difference is that in L3 OOB mode, policy-based routing is used to ensure that NAC Appliance Server is in-band for all client traffic in and out of the authentication VLAN. This is regardless...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Vertical bars...

Common High-Level Host Security Goals

Here are some examples of host security goals that are frequently instituted in organizations that deploy a NAC Appliance solution. These examples are meant to be a sampling and not a comprehensive list.
Protect the network from unauthorized access, both internally and externally originated.
Authenticate all users attempting access to the network.
Authorize all users attempting access to the network.
Restrict access for nonemployees and guests.
All users must acknowledge an acceptable use...

Commonly Used Roles and Their Purpose

This section will focus on the normal login roles commonly found in the host security policies of organizations that use the NAC Appliance solution. The goal is to present you with a solid starting point on which to base the user role needs of your organization's host security policy. Start with the built-in user roles. As discussed previously, it is mandatory that you use the Unauthenticated user role. Therefore, make certain that your HSP has a section that addresses the Unauthenticated role....

Configuring AD SSO Settings in NAS

To configure AD SSO Settings in NAS, do the following:
Step 1 Go to Device Management > CCA Servers > List of Servers > Manage (icon) 192.168.10.10.
Step 2 Select Authentication > Windows Auth > Active Directory SSO.
Step 3 Account for CAS: For smaller networks where a single Active Directory server is deployed, click the Single Active Directory Server option. For large enterprise networks where multiple AD servers are deployed, click the Domain (All Active Directory Servers) option. For...

Configuring and Creating Traffic Policies

After a system is authenticated and posture assessed, it will quite possibly be allowed on the network. Based on the results of the authenticated user's or system's role assignment and the current status or ultimate outcome of the assessment of the system, it is very likely that the administrator will want to enforce some sort of IP access policy to limit the system's view of the trusted networks behind the local NAS. To accomplish this, you can use a combination of IP-based policies, host-based...

Configuring Fa1/0/1: The Interface Connecting the NAC Appliance Manager eth0 Port

Next you must configure the switch port that the eth0 interface of NAC Appliance Manager plugs into. The eth0 interface of NAC Appliance Manager resides on a VLAN on the trusted side. If NAC Appliance Server is running in Virtual Gateway mode, its VLAN must not be the same as the VLAN of NAC Appliance Server management. In the sample network topology (see Figure 10-1), the NAC Appliance Manager eth0 interface connects to the switch's Fa1/0/1 and resides in VLAN 30. Example 10-4 shows this...

Configuring Fa1/0/3: The Interface Connecting the Trusted Port eth0 of NAC Appliance Server

The switch port that the eth0 interface plugs into will be configured as a trunk link forwarding traffic for the mapped authentication VLANs and the NAC Appliance Server management VLAN. The trunk's native VLAN should be set to something that is not used anywhere else in the network, essentially making it a black hole. Example 10-5 shows the switch configuration for the sample topology (see Figure 10-1). In the sample topology, VLAN 10 is the mapped authentication VLAN, and VLAN 20 is the NAC...

Configuring Fa1/0/4: The Interface Connecting the Untrusted Port eth1 of NAC Appliance Server

The switch port that the eth1 interface plugs into will be configured as a trunk link forwarding traffic for the authentication VLAN on the untrusted side. Example 10-6 shows the switch configuration based on the sample network topology.
Example 10-6 Cisco Switch Configuration for the NAC Appliance Server eth0 Port
When configuring the switch port connecting the trusted and untrusted ports of the NAC Appliance Server, please note the following: Always ensure that no common VLANs are being...

Configuring High Availability for NAC Appliance Managers

Figure 12-5 is a screen shot of the High Availability configuration on the Primary Manager.
Figure 12-5 Primary NAC Appliance Manager High Availability Configuration (Cisco Clean Access Standard Manager)
The following are some of the key configuration steps shown in Figure 12-5:
Step 1 Set the High-Availability Mode field to HA-Primary. This setting makes this...

Configuring LDAP Lookup Server in NAM

Description (optional): LDAP Lookup for ADSSO
Search (Admin) Password: Cisco123
Search Filter: sAMAccountName user
Step 2 Click Add Server. See Figure 11-13 for a screen shot of adding an LDAP Lookup server.
Figure 11-13 LDAP Lookup Server Configuration for AD SSO
Step 3 Now that the LDAP lookup server has been added, the AD SSO auth server configured earlier (see Figure 11-4) needs to reference the LDAP lookup server for the role mapping....

Configuring Out-of-Band

This chapter covers the configuration of the Out-of-Band (OOB) mode in both Layer 2 (where users are Layer 2 adjacent to NAC Appliance Server) and Layer 3 (where users are one or more hops away from NAC Appliance Server) scenarios. For detailed information explaining what OOB is and how it compares to In-Band (IB) mode, see Chapter 4, Making Sense of All the Cisco NAC Appliance Design Options, earlier in this book. This book does not include a chapter on configuring In-Band mode. The main...

Configuring Role Assignment

After you have created roles for use in your deployment, you have to appropriately configure role assignment. This can occur in the following ways:
Create a local user account and assign a role
Assign by MAC and IP address
Use external authentication source attributes
Any of these assignment methods can be used to ensure that a user or system is appropriately placed into the correct role.

Configuring Simple Network Management Protocol

The switch and NAC Appliance communicate via Simple Network Management Protocol (SNMP). For this to work, the switch must be set up for SNMP. Example 10-8 configures the switch with SNMP MAC-notification traps and linkdown traps. The MAC-notification trap detects a new user on the network and triggers the NAC process. The linkdown trap detects that the user is disconnected from the network. The read-only community string public is used with an access list 10, which allows access only by NAC...

Configuring Single Sign-On for Windows AD

This section provides a step-by-step configuration example of how to configure AD SSO. The example chosen here is a Layer 2 Out-of-Band (OOB) Real-IP deployment. This model is used because most high-speed LAN deployments will be OOB for performance reasons. In addition, Real-IP has the capability to provide a /30 (30-bit mask) address that will quarantine an infected end host before it accesses the network. Note that most enterprise networks already have a DHCP infrastructure in place. Therefore,...

Configuring SVIs

The next step is to configure the Layer 3 interfaces (SVIs) on the switch. Example 10-2 shows the SVI configurations for the sample network (see Figure 10-1). Note that all these SVIs reside only on the trusted side of NAC Appliance Server. For a client on VLAN 110 (the untrusted side) to reach them, it is forced to go through NAC Appliance Server. The other SVIs are used as default gateways for the different user access VLANs. Remember that after a client is considered clean, its switch port...

Configuring the eth2 Interfaces

If you are using eth2 as your heartbeat interface, you will have to configure it manually. This will have to be completed on both the primary and secondary NAC Appliance Servers before HA can be configured. To do this, use the following steps:
Step 1 Use Secure Shell (SSH) to connect to NAC Appliance Server's trusted-side interface. Log in as root.
Step 2 Type cd /etc/sysconfig/network-scripts.
Step 3 List the directory's contents by typing ls.
Step 4 If you do not see a file named ifcfg-eth2,...

Configuring the Secondary Server for High Availability

The principal configuration steps for configuring high availability on the Secondary Server are as follows:
Step 1 Access the Secondary Server directly.
Step 2 Configure the network and host information for the secondary NAC Appliance Server.
Step 3 Configure HA-secondary failover.
Step 4 Configure the SSL certificate.
Step 5 Reboot the secondary NAC Appliance Server.
Step 6 Complete the cable connections and DHCP settings.
Accessing the Secondary Server Directly
The NAC Appliance secondary...

Configuring the Switch as a DHCP Server

NAC Appliance Server running in Virtual Gateway mode cannot act as the DHCP server for its untrusted-side networks; its DHCP server functionality is disabled when running in this mode. Therefore, you must provide a DHCP server. Many organizations use the DHCP server functionality built into most Cisco switches. However, any DHCP server will work. If NAC Appliance Server is running in Real-IP Gateway mode, using the built-in DHCP server functionality of NAC Appliance Server is recommended....

Configuring User Roles

User roles are an extremely important concept that you must completely understand before attempting to deploy Cisco NAC Appliance. Roles are used by NAC Appliance Manager in the same way that groups are used by Microsoft Active Directory (AD). They allow you to group settings that will be applied to user sessions. The settings that can be applied to the various user roles created in NAC Appliance Manager can allow for the control of traffic policies, VLAN assignment, session duration,...

Contents at a Glance

Part I The Host Security Landscape 3 Chapter 1 The Weakest Link Internal Network Security 5 Chapter 2 Introducing Cisco Network Admission Control Appliance 13 Part II The Blueprint Designing a Cisco NAC Appliance Solution 21 Chapter 3 The Building Blocks in a Cisco NAC Appliance Design 23 Chapter 4 Making Sense of All the Cisco NAC Appliance Design Options 35 Chapter 5 Advanced Cisco NAC Appliance Design Topics 87 Part III The Foundation Building a Host Security Policy 121 Chapter 6 Building a...

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact U.S. Corporate and Government Sales: 1-800-382-3419. For sales outside the United States, please contact International Sales: international@pearsoned.com. Paul Boger Dave Dusthimer Anthony...

Creating a Custom Rule

Creating a custom rule is slightly more complex than creating an antivirus or antispyware rule because you are required to understand rule logical operators. In the previous example, you dynamically created a rule from a new check. A custom rule, as displayed in Figure 9-25, can be simple and require matching a single check or can be complex and use logical application of multiple checks. When creating a custom rule, you are required to enter a rule expression as the matching parameters. These...

Creating a Local User and Assigning a Role

You have the ability to create local user accounts on the NAC Appliance Manager when necessary. It is not the recommended user store and should typically be used only during testing and for guest accounts due to scale and other factors, such as local users' inability to change their passwords. To create a local user and assign a role, perform the following steps:
Step 1 Select Local Users from the navigation options on the left of the screen located under the User Management section.
Step 2...

Creating Admin Users and Groups

Administrators requiring access to the NAC Appliance configuration and reporting options must be created on the NAC Appliance Manager server. The admin accounts can belong to three default admin groups: Read-Only, Add-Edit, and Full-Control. In addition, you can create custom groups with special permissions as necessary for your environment. To create an admin group that more adequately matches the internal support roles in your organization, you will need to open the Admin Users option of the...

Creating and Enforcing a Requirement

The following seven types of definable requirements are available. The seven options define what outcome will occur when a requirement is not met. After the necessary configuration between rules and requirements is defined, the administrator can assign the requirement to a specific normal login user role. At this point, on authentication, users are placed into the Temporary role until they meet the requirements tied to their specific normal login role. A common requirement configured in a...

Creating Custom Roles

The base installation of NAC Appliance Manager includes three default roles: Unauthenticated, Temporary, and Quarantine. These three roles provide a starting framework for your NAC Appliance testing and implementation. When you are ready to begin deeper configuration of NAC roles and policies, you will most likely need to create custom roles to provide the top-level role groupings for application of various configuration parameters and policies. To configure a custom role, you must first log in...

Customizing User Pages and Guest Access

The web page that users see when they are redirected to the NAS web login authentication page is fully customizable. The customization can be a complete rewrite or require only simple editing via the form-based tool provided on the configuration pages. These user pages can also include a guest access option that is relatively simple to configure. If the guest access option is too difficult to manage or not granular enough from a user-tracking perspective, Cisco has provided a web API that...

Dedications

This book is dedicated to my wife Becca and two sons, Liam and Conor, without whose love and support little else would matter. A special thanks to my wife who continually motivated, encouraged, and supported me throughout this process.
Jamey
I would like to dedicate this book to my wife Christine, for supporting me through the last few weeks of completing this book. She gave me the boost of confidence to write about a special technology that I was passionate about. I truly enjoyed every minute...

Defining the Security Domains

A security domain is used to group network areas, host types, and locations under a common host security policy. The goal of creating security domains for a NAC Appliance solution is to define which networks and locations will require hosts to use the NAC Appliance solution and which locations will not. It is also necessary to define the devices that will require exemption from the NAC Appliance solution within a given security domain. Figure 6-2 shows an example of security domains. Most...

Deploying Cisco NAC Appliance

Cisco NAC Deployment

This chapter focuses on how to develop a deployment plan for a NAC Appliance solution rollout. This deployment plan focuses on larger-sized deployments, but it can be tailored to fit just about any size environment. It cannot be stressed enough how important it is to have a solid, well thought-out deployment plan in place before you start any rollout of the solution. A good deployment plan should result in a good deployment experience for all involved. In most cases, a NAC Appliance deployment...

Deployment Options

Always keep in mind that every NAC Appliance Server must have three distinct deployment modes defined before it will operate. Together, these three modes define how NAC Appliance Server interacts with hosts and the rest of the network. The first mode is Client Server Adjacency. This mode defines whether NAC Appliance Server and the clients on the untrusted interface are on the same network or multiple Layer 3 hops from each other. The second mode is Post-Client Certification mode. This mode...

Deployment Plan Overview

The deployment plan is broken up into three main phases. Each phase has several sections. A sample deployment plan outline follows.
1.1 Determine Goal of the Proof of Concept
1.2 Determine Scope of the Proof of Concept
1.3 Determine Criteria for Success
1.4 Work Assignments
1.5 Document Test Plan and Results
1.6 Post-Deployment Review
2 Pilot Phase
2.1 Determine Goal of the Pilot Phase
2.2 Determine Scope of the Pilot Phase
2.3 Determine Criteria for Success
2.4 Work Assignments
2.5 Document...

Deployment Schedule

A realistic deployment schedule should be included as a part of the pre-deployment plan. Be sure to give realistic estimates of the time it will take to roll out a production NAC deployment. Keep this section brief and high level; detailed deployment schedules for each deployment phase will be included separately in the plan. For this reason, it is sometimes best to complete the detailed schedules before attempting to complete this high-level deployment schedule. The sample time frames below are...

Determining the High-Level Goals for Host Security

Determining what your high-level goals are for host security is a critical step toward the completion of a comprehensive host security policy. These high-level goals will serve as your benchmarks and guides throughout the HSP creation process. The final HSP document should represent a detailed plan that achieves these high-level goals. It is important to periodically refer to these high-level goals to ensure that your HSP remains focused and on target to meet your stated security goals. The...

Disadvantages of Using Out-of-Band Mode

Out-of-Band mode has a few disadvantages when compared to In-Band mode. These disadvantages should be checked against your security policy and network environment requirements for relevancy. The following is a list of the major disadvantages: Out-of-Band requires that specific Cisco switches and software versions be used. See the Switches Supported by NAC Appliance Out-of-Band section in this chapter for details. OOB works only in wired LAN environments where VLANs can be used. Wireless and VPN...

Disadvantages of Using In-Band Mode

In-Band mode has a few disadvantages when compared to Out-of-Band mode. You should check these disadvantages against your security policy and network environment requirements for relevancy. The following is a list of the major disadvantages of using In-Band mode: In-Band does not provide true switch port-level host control. In certain situations, it is possible for an unauthenticated host to talk to other hosts in the same Layer 2 domain (VLAN) without first passing NAC Appliance assessment....

Discovered Clients and Online Users Pages

The View Online Users page is actually broken down into two separate pages: an In-Band page and an Out-of-Band page. Each page shows the users who are online and using the respective mode of operation. When trying to track down an online user in an out-of-band environment, it is important to understand where a client can be monitored at each stage of its certification. For monitoring OOB clients, you need to be aware of three stages. Each stage requires you to view a different monitoring page to...

Editing or Deleting a Custom Role

After a role is created, you are allowed to return to the role configuration page to edit the role as necessary. In the User Management section of the user roles page, you will see a list of available roles for your deployment, which includes the default and custom roles configured. Next to each role name are several options and icons. Selecting the icon in the Edit column corresponding to the role you want to modify returns you to the role configuration page. In addition, should you want to...

Enabling Agent-Based Windows AD SSO

Now that the AD server has been configured, you need to enable the Agent-based Windows SSO service in the NAS by doing the following:
Step 1 Go to Device Management > CCA Servers > Manage icon > NAS_IP > Authentication > Windows Auth > Active Directory SSO.
Step 2 Click the Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos) check box.
Step 3 Click Update.
If there have not been any typos or misconfigurations along the way, the AD SSO service on the NAS should...

Enabling DHCP in NAS

For this sample deployment, NAS is the DHCP server providing a /30 (30-bit) subnet mask for each user in the authentication VLAN 99. The advantage of a 30-bit mask is that an infected host cannot reach any other hosts while in the auth VLAN. The infected host is essentially quarantined. NAS performs a posture assessment of that host and, if certified, the host is switched to the access VLAN 20 with another IP address assigned from access VLAN 20. In a real-world deployment where a corporate DHCP...

Establishing Acceptable Use Policies

A network acceptable use policy is a clear and concise document that defines what users can and cannot do on a network. However, the focus of the AUP is on communicating to users what they cannot do. It also lays out the penalties for noncompliance and gives contact information. Ideally, before users are granted network access, they must first accept the organization's AUP. The problem has always been enforcing this requirement. Without some kind of network admission control system, ubiquitous...

Establishing Criteria to Determine the Validity of a Security Check, Rule, or Requirement in Your Organization

A host security policy should have a section that documents the criteria to be used to decide whether a proposed security check, rule, or requirement needs to be added to NAC Appliance. The establishment of set criteria will serve to improve the accuracy of the decision process. The criteria used should be tailored for your specific environment and should refrain from using generalities whenever possible. The more fine-grained the criteria used, the more informed the decision process will be....