Layer 3 OOB Deployment Considerations

Layer 3 OOB is best used in routed access deployments and can also be used for remote WAN sites. With Cisco NAA 4.0, the agent informs the Cisco NAS of the device MAC address, so no additional configuration is needed. For web login, the login page downloads an ActiveX control or Java applet that determines the device MAC address and reports it back to the Cisco NAS; configure the login page accordingly.

2007 Cisco Systems, Inc. All rights reserved. CANAC v2.1 3-9

Cisco NAC Appliance Configuration Overview

This topic describes the steps required to configure a Cisco NAC Appliance solution:

- Configure an external authentication service, if required.
- Configure the Cisco NAS as a DHCP server, if required.
- Configure network-based scanning requirements.
- Configure agent-based scanning requirements.

You have been introduced to the Cisco NAC Appliance solution and you now have an understanding of how a Cisco NAC Appliance solution...

What Is a Certified Device

Certified devices, or clean devices, are computer-based devices that meet your specified authentication and Cisco NAC Appliance requirements. The Cisco NAS automatically adds the MAC address of certified devices to the certified list. A device remains certified as long as the MAC address of the device is in the certified list. Multi-user devices can be configured as floating devices that require recertification at each login. The Cisco NAC Appliance can automatically add devices to the...

Add a VPN Concentrator or ASA as a Floating Device in the Cisco NAM

Screen: Certified Devices (alongside the General Setup, Network Scanner and Clean Access Agent tabs); subtabs: Certified List, Add Exempt Device, Add Floating Device, Timer.

Enter a device with type set to 0 to allow it to be certified only for the duration of the user session; after logout, the device will need to be certified again. Set type to 1 to never exempt the device from certification. This is useful for non-user devices that channel traffic from multiple users to the network, such as dial-up routers or VPN concentrators (format <...

Current Supported Hardware and Software

Supported software versions shown in the figure: 4.0(0)+, 3.6(1)+, 3.6(0)+, 3.5(0)+, 3.4(0)+.

Both the Cisco NAS and Cisco NAM are delivered as a disc image that must be loaded onto a standard server. Both Cisco components are built on a hardened Linux kernel. The figure shows the currently supported hardware and software that is used to support a Cisco NAC Appliance solution. The server models shown are considered...

Introducing DHCP Failover

Cisco NAS failover peers operating in DHCP server mode exchange DHCP activity information over an SSH connection, so DHCP failover must be configured on both peers. Four SSH keys are required: for each of the primary and secondary Cisco NASs, a key for the server itself and a key for the account that accesses the peer server.

Cisco NAS failover peers that operate in DHCP server mode exchange DHCP activity information, such as active leases and lease times, by SSH connection...

Adding an OOB Cisco NAS to the Cisco NAM

Setting up the Cisco NAM and Cisco NAS for OOB is the same as setting up the two components for in-band deployment, except for these four conditions:

- When you add the Cisco NAS, you must choose an OOB gateway type.
- The Cisco NAM can control in-band and OOB deployments in its domain, but each Cisco NAS must be either in-band or OOB.
- If you plan to use role-based port profiles, you must specify an access VLAN when you create a new user role.
- You must configure the Cisco NAM and network to enable...

Configuring Switch Ports to Use Port Profiles to Configure a Port (Cont.)

Screen: Switch Management > Devices > Switch 172.16.1.28. Options shown: Set the initial VLANs for the ports to the current VLAN settings of the switch; Set up mac-notification on managed switch ports; Save the switch running configuration into non-volatile memory. For trunk ports (blue background), the VLAN ... (port list Fa0/1, Fa0/2, Fa0/3 ...)

Kerberos Ticket Exchange

The figure shows the messages between the client on the Cisco NAA-equipped machine and the Kerberos servers:

1. I am user Sam and need a Ticket Granting Ticket.
2. Here is a TGT, if you can decrypt this response with your password hash.
3. Here is my TGT, give me a service ticket.
5. Here is my service ticket, authenticate me.

The figure shows the process that the client machine goes through when Windows Active...
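The exchange in the figure, worked through as an added Python model (this is illustrative code written for this page, not Cisco or MIT Kerberos code, and it does not use the real Kerberos wire format). The user sam, the service name nac-server, the passwords and the lifetimes are constructed; messages are sealed with a constructed SHA-256 keystream plus an HMAC tag where real Kerberos uses AES or RC4-HMAC and a salted string-to-key function. The point it demonstrates is step 2: the KDC never checks the password directly, it seals the session key under a key derived from the password, so a wrong password simply cannot open the reply and the exchange stops there.

```python
"""Toy model of the Kerberos exchange in the figure (added example; not Cisco or
MIT Kerberos code, and not the real wire format).

The user 'sam', the service name 'nac-server', the passwords and the timeouts
are made up. Messages are sealed with a constructed SHA-256 keystream plus an
HMAC tag; real Kerberos uses AES or RC4-HMAC and a salted string-to-key.
"""
import hashlib
import hmac
import json
import os
import time


def long_term_key(secret: str) -> bytes:
    # Stand-in for string-to-key: the client's key comes from the password, so
    # only a client that knows the password can open the step 2 reply.
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC a JSON message: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    plain = json.dumps(msg, sort_keys=True).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        # Wrong key (wrong password) or a modified ticket: fail closed, no plaintext.
        raise ValueError("cannot decrypt: wrong key or modified message")
    return json.loads(bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Authentication Service (steps 1-2) and Ticket Granting Service (steps 3-4)."""

    def __init__(self, passwords: dict):
        self.keys = {name: long_term_key(pw) for name, pw in passwords.items()}
        self.keys["krbtgt"] = os.urandom(32)  # key only the KDC knows; seals TGTs

    def as_exchange(self, user: str):
        # Step 1/2: TGT sealed under krbtgt's key, session key sealed under the user's key.
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": session, "exp": time.time() + 600})
        return tgt, seal(self.keys[user], {"key": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        # Step 3/4: open the TGT, check the authenticator, issue a service ticket.
        body = unseal(self.keys["krbtgt"], tgt)
        if body["exp"] < time.time():
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(body["key"]), authenticator)["user"] != body["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": body["user"], "key": svc_key})
        return ticket, seal(bytes.fromhex(body["key"]), {"service": service, "key": svc_key})


def client_login(kdc: KDC, user: str, password: str, service: str):
    """Client side of steps 1-5; returns (service ticket, authenticator)."""
    tgt, reply = kdc.as_exchange(user)
    session = bytes.fromhex(unseal(long_term_key(password), reply)["key"])  # step 2
    authenticator = seal(session, {"user": user, "ts": time.time()})
    ticket, reply2 = kdc.tgs_exchange(tgt, authenticator, service)  # steps 3-4
    svc_key = bytes.fromhex(unseal(session, reply2)["key"])
    return ticket, seal(svc_key, {"user": user, "ts": time.time()})  # step 5


def service_accept(service_key: bytes, ap_req) -> str:
    """The service (the Cisco NAS here) opens the ticket with its own long-term
    key (its keytab copy), checks the authenticator and returns the principal."""
    ticket, authenticator = ap_req
    body = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(body["key"]), authenticator)
    if auth["user"] != body["user"] or abs(time.time() - auth["ts"]) > 300:
        raise ValueError("authenticator rejected")
    return body["user"]


def run_exchange(password: str) -> str:
    """Whole flow for the constructed realm; raises ValueError on a wrong password."""
    kdc = KDC({"sam": "correct-horse", "nac-server": os.urandom(8).hex()})
    ap_req = client_login(kdc, "sam", password, "nac-server")
    return service_accept(kdc.keys["nac-server"], ap_req)
```

Note the two trust boundaries the model keeps separate: the service never talks to the KDC at login time (it only needs its own key, which is what a keytab or the CAS account password provides), and the KDC never sees the user's password, only whether the client could later use the session key it sealed.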

Step 6 Configure the LDAP Lookup Server for Active Directory SSO

Form fields: Search Filter, DerefLink, Security Type.

If you plan to map Windows domain SSO users to multiple user roles, you need to configure a secondary LDAP lookup server so that the Cisco NAM can perform the mapping. You then specify that secondary LDAP lookup server for the Active Directory SSO authentication provider, as previously described in the Add Active Directory SSO authentication server step. To configure an LDAP lookup server, follow these steps: Step...

Step 5 Enable Agent Based Windows SSO with Active Directory Kerberos

Screen: Device Management > Clean Access Servers > 10.10.10.4. Check Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos), then fill in: Active Directory Server (FQDN), Active Directory Port, Active Directory Domain, Account Name for CAS, Account Password for CAS, Active Directory SSO Auth Server (add one in User Management > Auth Servers).

OOB Virtual Gateway Deployment Characteristics

With an OOB deployment, there is no need for network configuration changes or a DHCP scope change. During the authentication, posture assessment, and remediation process, the Cisco NAS acts as an inline Layer 2 bridge for the managed network in three ways:

- DHCP or DNS is enabled by default via VLAN mapping from the authentication VLAN to the access VLAN.
- The user obtains a real DHCP address from the access VLAN.
- The Cisco NAS provides access to quarantine or remediation sites only.

After a user successfully...

Cisco NAS Operating Modes

There are two in-band operating modes:

- Real-IP gateway: operates as the default gateway for the untrusted network.
- Virtual gateway: operates as a Layer 2 transparent bridge.

The out-of-band server types appear in the drop-down menu when you apply an out-of-band-enabled (switch management) license to a Cisco NAC Appliance deployment. There are two out-of-band operating modes:

- Out-of-band real-IP gateway: operates as a real-IP gateway while...

Example Configuring a Kerberos Authentication Provider

You must configure the server that you want Cisco NAC Appliance to use as an authentication provider. The authentication type that you choose brings up the form appropriate to that type. To configure a Kerberos provider for Cisco NAC Appliance users, complete these steps:

Step 1 Choose User Management > Auth Servers > New.
Step 2 From the Authentication Type drop-down menu, choose Kerberos.
Step 3 In the Provider Name field, enter a name that is unique...

What Is a User Role

User roles are integral to how Cisco NAC Appliance functions and can be described as follows:

- A classification scheme for users that persists for the duration of a user session
- A mechanism that determines policies and restrictions within NAC Appliance for particular groups of users
- A setup that reflects the shared needs of distinct groups of users in your network

Creating IP Pools Manually

To create an IP pool manually, you must also define the subnet in which the pool resides. There are three ways to configure the subnet address and netmask values for a manually created pool:

- Enter the subnet address directly, as an IP address and netmask.
- Have the administration console generate the smallest possible subnet based on the IP range that you enter.
- Have the administration console calculate the values from the list of...
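The first two methods above, worked as an added Python example (written for this page; it is not the administration console's code and the console's internal checks are not documented here). It computes the smallest subnet that covers an entered IP range, and validates a pool against a subnet entered directly as address plus netmask, returning the kind of warnings that the auto-generation step later describes. Function names, warning wording and the sample ranges are this example's own.

```python
"""Subnet values for a manually created IP pool (added example, not Cisco code).

Implements the 'smallest possible subnet for an entered IP range' method and
the checks behind warnings for a directly entered subnet. Function names and
the sample ranges are this example's own.
"""
import ipaddress


def smallest_subnet(first: str, last: str) -> ipaddress.IPv4Network:
    """Return the smallest CIDR block that contains first..last inclusive."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    # Shorten the prefix from /32 until one block covers both endpoints.
    # Each step doubles the block, so the first hit is the minimal subnet.
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((lo, prefix), strict=False)
        if hi in net:
            return net
    raise AssertionError("unreachable: /0 contains every address")


def check_pool(first: str, last: str, subnet: str, netmask: str) -> list:
    """Validate a pool against a subnet entered directly as address + netmask.

    Returns a list of warning strings (empty when the configuration is clean).
    A pool that hands out the network or broadcast address, or addresses that
    are not inside the subnet, produces clients that cannot route.
    """
    net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    warnings = []
    if lo > hi:
        warnings.append("range start is above range end")
    if lo not in net or hi not in net:
        warnings.append(f"pool {first}-{last} is not inside {net}")
    if lo == net.network_address:
        warnings.append("pool includes the subnet network address")
    if hi == net.broadcast_address:
        warnings.append("pool includes the subnet broadcast address")
    return warnings


if __name__ == "__main__":
    # Constructed inputs: a user-entered range and a directly entered subnet.
    print(smallest_subnet("10.10.20.250", "10.10.21.10"))  # 10.10.20.0/23
    print(check_pool("10.10.20.5", "10.10.20.255", "10.10.20.0", "255.255.255.0"))
```

The smallest-subnet search is deliberately linear over prefix lengths (33 iterations at most), which is easier to audit than bit arithmetic on the XOR of the two endpoints and gives the same answer.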

Cisco NAC Products

Slide: Cisco NAC Framework (traditional Cisco NAC): a software module embedded within NAC-enabled products; an integrated framework leveraging multiple Cisco and NAC-aware vendor products. Cisco NAC Appliance: an in-band solution that can be used on any switch or router; a self-contained, turnkey solution. Both offer customers a deployment timeframe choice and adapt to customer investment protection requirements.

Cisco NAC products come in two general categories: NAC framework and NAC appliance. The NAC framework uses the...

Cisco NAC Appliance Agent (Cisco NAA)

The Cisco NAA software resides on Microsoft Windows systems and can verify whether an application or service is running, whether a registry key exists, and whether the value of a registry key is known. The Cisco NAA is referred to as a read-only agent: the Cisco NAA does not alter client system information, but reads the information and reports it to the Cisco NAC Appliance Manager (Cisco NAM). The Cisco NAA ensures that, for example, a corporate laptop has an up-to-date configuration of the standard corporate software before...

Step 3 Configure Active Directory SSO on the Cisco NAS

Screen: Device Management > Clean Access Servers > 10.10.10.4; tabs: Status, Network, Filter, Advanced, Authentication (Login Page, VPN Auth, Windows Auth, OS Detection); Windows Auth subtabs: Active Directory SSO, NetBIOS SSO. Check Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos), then fill in: Active Directory Server (FQDN), Active Directory Port, Active Directory Domain, Account Name for CAS, Account Password for CAS, Active Directory SSO Auth Server...

Configuring the SNMP Receiver SNMP Trap Settings

Settings in the SNMP Receiver tab configure the SNMP receiver that is running on the Cisco NAM. The SNMP receiver receives MAC notification or linkup SNMP trap notifications from the controlled switches and sets the VLAN on the corresponding switch ports. The configuration on the switch must match the SNMP receiver settings for the switch to be able to send traps to the Cisco NAM. To configure the SNMP receiver module on the Cisco NAM, complete...
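What the receiver does with a MAC notification trap, as an added Python example that also illustrates the "set up mac-notification on managed switch ports" option from the switch-port screen earlier (this is illustrative logic written for this page, not the Cisco NAM SNMP receiver). The record layout is what this example assumes from CISCO-MAC-NOTIFICATION-MIB cmnHistMacChangedMsg: 11 bytes per record, operation, VLAN, MAC, dot1dBasePort; verify it against the MIB before relying on it. The certified list, the VLAN numbers, the port numbers and the sample trap payload are all constructed.

```python
"""Decode a MAC-notification trap payload and choose the port VLAN (added example;
illustrative logic, not the Cisco NAM SNMP receiver).

Assumed record layout, from CISCO-MAC-NOTIFICATION-MIB cmnHistMacChangedMsg as
this example reads it (verify against the MIB): 11 bytes per record, big-endian,
operation (1 = learnt, 2 = removed), VLAN (2 bytes), MAC (6), dot1dBasePort (2).
VLAN numbers, MACs, port numbers and the certified list are constructed.
"""
import struct
from dataclasses import dataclass

RECORD = struct.Struct(">BH6sH")  # operation, vlan, mac, port -> 11 bytes


@dataclass
class MacEvent:
    op: str
    vlan: int
    mac: str
    port: int


@dataclass
class PortProfile:
    """Role-based port profile: authentication VLAN, access VLAN, managed ports."""
    auth_vlan: int
    access_vlan: int
    managed_ports: frozenset


class CertifiedList:
    """Certified MACs plus floating devices of type 1, which are never certified."""

    def __init__(self, certified=(), never_certify=()):
        self.certified = {m.lower() for m in certified}
        self.never_certify = {m.lower() for m in never_certify}

    def is_certified(self, mac: str) -> bool:
        mac = mac.lower()
        return mac in self.certified and mac not in self.never_certify


def parse_mac_changed_msg(payload: bytes) -> list:
    """Split the varbind octet string into MacEvent records; reject partial records."""
    if len(payload) % RECORD.size:
        raise ValueError("payload is not a whole number of 11-byte records")
    events = []
    for offset in range(0, len(payload), RECORD.size):
        op, vlan, mac, port = RECORD.unpack_from(payload, offset)
        name = {1: "learnt", 2: "removed"}.get(op, f"op{op}")
        events.append(MacEvent(name, vlan, mac.hex(":"), port))
    return events


def decide_vlan(event: MacEvent, profile: PortProfile, certified: CertifiedList):
    """Return (port, vlan) to set on the switch, or None to leave the port alone.

    A learnt MAC on a managed port goes to the access VLAN only if it is on the
    certified list; anything else (unknown, or a type 1 floating device) lands on
    the authentication VLAN. A removed MAC returns the port to the auth VLAN.
    """
    if event.port not in profile.managed_ports:
        return None  # unmanaged port (trunk, uplink): the receiver never touches it
    if event.op == "removed":
        return event.port, profile.auth_vlan
    if event.op == "learnt":
        ok = certified.is_certified(event.mac)
        return event.port, (profile.access_vlan if ok else profile.auth_vlan)
    return None


def build_trap(records) -> bytes:
    """Constructed helper: pack (op, vlan, 'aa:bb:..', port) tuples like a switch would."""
    return b"".join(RECORD.pack(op, vlan, bytes.fromhex(mac.replace(":", "")), port)
                    for op, vlan, mac, port in records)
```

The two checks that matter operationally are the ones that fail closed: a trap from an unmanaged port is ignored rather than acted on, and a MAC that is not on the certified list (including a never-certified floating device such as a VPN concentrator) always ends up on the authentication VLAN.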

Evolution of Cisco Security Strategy

SDN Phase I: Integrated Security
- Make every network element a point of defense: routers, switches, appliances, and endpoints
- Secure connectivity, threat defense, trust, and identity
- Network foundation protection

SDN Phase II: Collaborative Security Systems
- Security becomes a network-wide system: endpoints + network + policies
- Multiple services and devices work in coordination to thwart attacks, with active management
- NAC, Identity-Based Network Services, Cisco Structured Wireless-Aware Network...

Enable VPN SSO in the Cisco NAS

Screen: Device Management > Clean Access Servers > 192.168.137.3; tabs: VPN Auth, Windows Auth, OS Detection.

To enable VPN SSO in the Cisco NAS, follow these steps:

Step 1 Using the Cisco NAM administration console, go to Device Management > Clean Access Servers > IPaddress > Authentication > VPN Auth > General.
Step 2 Check the Single Sign-On check box to set the Cisco NAS to process the user login via...

Student Guide

Editorial, Production, and Web Services, 02.26.07. Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, www.cisco.com, Tel 408 526-4000 / 800 553-NETS (6387), Fax 408 527-0883. Cisco Systems International BV, Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands, www-europe.cisco.com, Tel 31 0 8000200791, Fax 31 0 20 357 1100. Cisco Systems, Inc., 168 Robinson Road, 28-01 Capital Tower, Singapore 068912, www.cisco.com, Tel 65 6317 7777, Fax 65 6317 7799. Cisco has more than 200...

Auto Generating IP Pools and Subnets (Cont.)

Step 7 Warning messages appear if there are errors in the configuration; they provide instructions to correct the settings. When you have corrected all errors, a preliminary list of IP ranges appears so that you can review the results. Click Commit Subnet List to save the IP ranges.

Implementing Cisco NAC Appliance (CANAC v2.1) 2-68, 2007 Cisco Systems, Inc.