NAC Agent Download and Login

To take advantage of AD SSO, the end-user machine (Windows XP or Windows 2000) must first download NAC Agent. There are multiple ways to download NAC Agent:

• Manually download NAC Agent from the NAM GUI and install NAC Agent on each end-user machine—not an easily scalable solution.

• Use a software distribution application such as Altiris, PatchLink, and so on, to push NAC Agent down to each user machine.

• Force the end users to download NAC Agent when they try to browse the Internet. NAC Appliance will intercept the HTTP request and present the user with a login prompt and then the NAC Agent download screen.

The following is a demonstration of the last option from the preceding list:

Step 1 The user first logs in to a machine in the SELAB.net domain. Figure 11-27 shows user student1 logging in to the SELAB domain.

Figure 11-27 Main Windows XP Login for the User student1

[Screenshot: Log On to Windows dialog with User name "student1" and Log on to "SELAB".]

Step 2 After signing on, verify that the IP address of the Windows XP machine is in VLAN 99 with a 192.168.99.x/30 subnet. Figure 11-28 shows that the XP machine is in VLAN 99 with IP address 192.168.99.18 and subnet mask 255.255.255.252.

Figure 11-28 Verifying Initial User IP Address in Authentication VLAN 99

Step 3 Launch a browser and try to connect to the NAM. Most likely, a security alert will pop up regarding a new security certificate. This is normal because the client has never trusted NAC Appliance's digital certificate. Click Yes. As an option, you can click View Certificate and install the certificate so that you won't be prompted to accept the NAC certificate again in the future.

Step 4 Next, the user's HTTP request is intercepted and redirected to the NAC authentication page. Another security alert pops up regarding untrusted digital certificates. Click Yes to proceed. Figure 11-29 shows the NAC redirect page during initial user login.

Figure 11-29 Initial Security Alert for an Untrusted Digital Certificate

[Screenshot: the browser shows the notice "You are being redirected to the network authentication page. If you are not redirected automatically, then please click HERE." over it, a Security Alert dialog reads: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. The security certificate date is valid. The security certificate has a valid name matching the name of the page you are trying to view. Do you want to proceed?" Buttons: Yes, No, View Certificate.]

Step 5 Next is the Cisco Clean Access Authentication Login page. Because this lab network was not configured with an LDAP authentication server (for web login), the Guest user account in the NAM local database can be used to log in. A guest user account was already created in the local database. Figure 11-30 shows the NAC web login page.

Figure 11-30 NAC Web Login Page

Step 6 After login, the user is prompted to download NAC Agent. Figure 11-31 shows the NAC 4.1.0 Agent download page via web login.

Step 7 Open or save CCAAgent_Setup.exe from NAS1.selab.net and install. Be sure that you have administrative privileges to install NAC Agent. Simply follow the typical Windows installation process and click Finish when the installation is complete.

Step 8 After the installation, NAC Agent should automatically discover NAS Appliance on the network and initiate the Single Sign-On process. You might be prompted with a security alert because of the unknown certificate from NAC Appliance. Click Yes and proceed. Figure 11-32 shows the AD SSO process.

Figure 11-31 Web User Being Directed to Download NAC Agent 4.1.0

[Screenshot text:]

Network Security Notice: This network is protected by the Clean Access Agent, a component of the Cisco Clean Access Suite. The Clean Access Agent ensures that your computer meets the requirements for accessing this network, and helps you keep your computer secure and up-to-date.

Please use the Clean Access Agent to log in to the network.

If you don't have the Clean Access Agent software yet, download it by clicking the button below. After downloading the installation file, run it to complete the installation.

If you have already downloaded and installed the Clean Access Agent, please close this window and right-click the Clean Access Agent icon in the system tray and choose Login from the menu. Enter your usual network user name and password in the login window

[Button: Download Clean Access Agent]

Note: If you are already running the Clean Access Agent and you are connected through a slower connection (such as VPN or dial-up), please wait as it might take a few moments for the Agent to pop up.

Figure 11-32 Performing Windows AD SSO Automatic Login

Step 9 Finally, after authentication (and posture assessment, if it is configured), NAM switches the client PC from the auth VLAN 99 to the access VLAN 20. NAC Agent issues a "Refreshing IP . . ." message and the client acquires a new IP address, 192.168.20.x/24, within access VLAN 20. Figure 11-33 shows a successful OOB logon with the new IP in access VLAN 20.

Figure 11-33 Successful User Login to Access VLAN 20; the User Also Acquires a New IP Address for Access VLAN 20

[Screenshot: Clean Access Agent dialog reading "Successfully logged in to the network!" and "Refreshing IP succeeded."]
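
A scripted version of the address checks in Steps 2 and 9, added here as an example and not taken from the book or from Cisco: it parses ipconfig output and confirms that the client moved from the /30 in auth VLAN 99 to access VLAN 20. The ipconfig samples and the host address 192.168.20.25 are constructed, and the function names are illustrative.

```python
import ipaddress
import re

# Addressing from the walkthrough: auth VLAN 99 uses /30 subnets carved out of
# 192.168.99.x; access VLAN 20 is 192.168.20.x/24.
AUTH_RANGE = ipaddress.ip_network("192.168.99.0/24")
ACCESS_NET = ipaddress.ip_network("192.168.20.0/24")

# Constructed ipconfig output (Windows XP layout). Only 192.168.99.18 /
# 255.255.255.252 comes from the page; 192.168.20.25 is a made-up host address.
BEFORE = """Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.99.18
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
"""
AFTER = """Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.20.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

def parse_ipconfig(text):
    """Return (ip, mask) for the first adapter listed in ipconfig output."""
    ip = re.search(r"IP Address[ .]*:\s*([\d.]+)", text)
    mask = re.search(r"Subnet Mask[ .]*:\s*([\d.]+)", text)
    if not (ip and mask):
        raise ValueError("no IP address / subnet mask in ipconfig output")
    return ip.group(1), mask.group(1)

def classify(ip, mask):
    """Map an address/mask pair to the VLAN it implies in this lab."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    if iface.ip in AUTH_RANGE and net.prefixlen == 30:
        # A /30 has two usable hosts: the client and one neighbour.
        peer = next(str(h) for h in net.hosts() if h != iface.ip)
        return {"state": "auth-vlan-99", "subnet": str(net), "peer": peer}
    if net == ACCESS_NET:
        return {"state": "access-vlan-20", "subnet": str(net), "peer": None}
    return {"state": "unexpected", "subnet": str(net), "peer": None}

def verify_oob_login(before_text, after_text):
    """True only if the client moved from auth VLAN 99 to access VLAN 20."""
    before = classify(*parse_ipconfig(before_text))
    after = classify(*parse_ipconfig(after_text))
    return before["state"] == "auth-vlan-99" and after["state"] == "access-vlan-20"

if __name__ == "__main__":
    print(classify(*parse_ipconfig(BEFORE)))
    print(verify_oob_login(BEFORE, AFTER))
```

A client that still reports a 192.168.99.x/30 address after the Agent login, or an address outside both ranges, fails the check and points to a VLAN switch or DHCP refresh that did not complete.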
