Adaptive security solutions

All rights reserved CANAC v2.1 1-3 Corporate network attacks are so complex that you cannot rely on a single mechanism to maintain security. Until recently, the concept of defending networks was based on proactive defense. Cisco believes in building adaptive solutions in addition to using a proactive defense. Network systems should include these qualities: Comprehensive end-to-end security: Network security must span the entire network end-to-end, regardless of device,...

Add an Accounting Server to the Cisco NAS

Figure: Device Management > Clean Access Servers > 192.168.137.3 (tabs: Accounting Servers, Accounting Mapping, Active Clients; fields: Timeout (seconds): 3, Shared Secret, Confirm Shared Secret, Description).
When the VPN concentrator is configured to work with an accounting server, the information for the accounting servers, the associations between users and RADIUS attributes, needs to also be transferred...

Adding a New RADIUS Attribute

The process used to configure a RADIUS attribute with customized data for a shared event is the same as the process used to customize data for login and logout events. Only the submenu link that you choose changes. To add new data to a RADIUS attribute for a shared event, complete these steps:
Step 1 Choose User Management > Auth Servers.
Step 2 Click the Accounting tab.
Step 3 Click the Shared Events (or Login Event or Logout Event) submenu link to bring up the appropriate page.
Step 4 Click...

Adding a Reserved IP Address

To add a reserved IP address, complete these steps:
Step 1 Choose Network > DHCP and click the Reserved IPs tab.
Step 2 Click the New link. The New Reserved IP Address form appears.
Step 3 In the MAC Address field, enter the MAC address in hexadecimal MAC address format (for example, 00 16 21 11 4D 67) for...

Adding a Trusted DNS Server

Figure: User Management > User Roles, Traffic Control > Host (columns: Allowed Host, Match, Description, Enable, Del). Corresponding DNS traffic is automatically allowed when a trusted DNS server is added.
To add a trusted DNS server, complete these steps:
Step 1 Choose User Management > User Roles. Click the Traffic Control tab and then click the Host link.
Step 2 Choose the role that you want to add a...

Adding an Allowed Host

Figure: default allowed hosts (corresponding DNS traffic is automatically allowed when a trusted DNS server is added): microsoft.com and windowsupdate.com (Microsoft Windows Update), liveupdate.symantec.com (Symantec AntiVirus HTTP Update), update.symantec.com (Symantec AntiVirus FTP Update)...

Adding an OOB Cisco NAS to the Cisco NAM (Cont.)

To add an out-of-band Cisco NAS to a Cisco NAM, complete these steps:
Step 1 Go to Device Management > Clean Access Servers and click the New Server tab.
Step 2 Select the server type that you want from the Server Type drop-down menu.
Step 3 Click the Add Server button.

Adding Switches to the Managed Domain: Add a Controlled Switch

Figure: New switch form (fields: Switch Profile, Switch Group, Default Port Profile, IP Addresses; enter switch IPs here, one IP per line).
The New page allows you to add switches when exact IP addresses are already known. To add a controlled switch using the New page, complete these steps:
Step 1 Choose Switch Management > Devices > Switches and click the New link.
Step 2 From the Switch Profile drop-down menu, choose the switch...

Adding the Root Global DHCP Option

Figure: Device Management > Clean Access Servers > 10.201.240.10 (option: Disable user-specified DHCP options).
To add a root global DHCP option, complete these steps:
Step 1 Choose Network > DHCP and click the Global Options tab. The Root Global Options form provides access to the Root Global, Scoped Global, and Class Option global DHCP options.
Step 2 In this example,...

Adding the Root Global DHCP Option (Cont.)

Step 3 In the Root Global Options form, enter the text of the new root global DHCP option in the text field.
Step 4 Click Update to save your configuration when you are finished.
Note: For details on adding a scoped global option or class options, refer to User-Specified DHCP Options in the Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide.

Administration Console Page Elements

The administration console page is shown in the figure, which identifies components of the Cisco NAC Appliance GUI that are found in the Cisco NAM and the Cisco NAS web-based administration consoles.

After Authentication and Certification

After the client is authenticated and certified (that is, appears on the certified devices list), the Cisco NAM switches the VLAN of the client port to the access VLAN that is specified in the port profile that you configured for the port (VLAN 10 in the figure). After the client is on the access VLAN, the switch no longer directs the client traffic to the untrusted interface of the Cisco NAS. At this point, the client is on the trusted network and is...

Applying Plug-Ins

Follow these six steps to apply plug-ins that are used to scan a specified user role and operating system:
Step 1 Choose the Network Scanner > Scan Setup > Plugins form.
Step 2 Choose a User Role and Operating System that the plug-in applies to.
Step 3 Check the Enable Scanning with Selected Plugins check box.
Step 4 Choose All in the Show drop-down menu to display all available plug-ins in the Nessus scan plug-in...

Auto Generating IP Pools and Subnets (Cont.)

Figure: fields Start Generating at IP, Number of Subnets to Generate, Generate Subnets of Size, Default Lease Time (seconds), Max Lease Time (seconds), DNS Suffix, DNS Servers.
Step 4 From the Generate Subnets of Size drop-down menu, choose the size of each subnet. Subnet sizes are presented in classless interdomain routing (CIDR) format (such as 30). The...

Auto Generating IP Pools and Subnets (Cont.): ARP Entries Generated for DHCP

Figure: Device Management > Clean Access Servers > 192.168.137.3, Advanced > ARP (option: Continuously broadcast gratuitous ARP with VLAN ID -1 (-1 for non-VLAN); Add Entry; ARP Cache; ARP entries are automatically created).
Step 10 ARP entries are automatically created in the Cisco NAS configuration for the generated subnets (under Device Management > Clean Access Servers > IP address > Advanced > ARP)....

Auto Generating IP Pools in a Managed Subnet

You must ensure that the IP pools are in the range of a managed subnet. Before you can autogenerate IP addresses, you must ensure that the IP pools that you want to add are in the range of a managed subnet. These steps add the managed subnet:
Step 1 From the Device Management > Clean Access Server > IP address menu, click the Advanced tab.
Step 2 Click the Managed Subnet link. The Managed Subnet form appears.
Step 3 Enter values for these fields: IP...

Before Authentication and Certification

The figure shows the basic VLAN traffic flow for an unauthenticated client attached to an out-of-band deployment. When an unauthenticated client first connects to a managed port on a managed switch, the switch assigns the client the authentication VLAN that is specified in the port profile that you configured for this managed port. The switch then sends all traffic from the authentication VLAN client to the untrusted interface of the Cisco NAS. The client...

Change to [Auth VLAN | Access VLAN] if the Device Is Certified but Not in the Out-of-Band User List

Bounce the port after VLAN is changed: Check this check box so the client machine will obtain a new IP address after the client machine is switched to the Access VLAN. For virtual gateways, leave this box unchecked.
Generate event logs when there are multiple MAC addresses detected on the same switch port: Check this check box to generate event logs when multiple MAC addresses are found on the same switch port.

Changing Landscape of Security

A network can no longer be secured by simply securing the network perimeter. Wireless and mobility have made network boundaries more ambiguous. E-commerce infrastructure has introduced a new set of vulnerabilities. Viruses and worms and their rate of propagation have enormous impact on businesses. HIPAA has forced fundamental changes in the manner in which corporate networks, servers, databases, and hosts are organized. Security...

Checking Antivirus Product Support Information

The first task in creating either an antivirus rule or an antispyware rule is to check for the most recent and supported version of the product. Cisco NAC Appliance allows multiple versions of the Cisco NAA to be used on the network. New updates to the Cisco NAA will add support for the latest antivirus or antispyware products as they are released. Cisco NAC Appliance picks the best method to execute antivirus rule or antispyware definition checks based...

Checks, Rules, and Requirements Example

Figure: message: install, update, or start software.
The figure shows an example of a requirement that combines several checks and rules with the Boolean operators "and" and "any". This requirement ensures that client machines have the correct and current antivirus software installed. In the example, the names given to the checks, rules, and requirements were created to explain what each step is responsible for and to provide a single combination...

Choosing Manually Created or Autogenerated Subnets

Figure: create subnets manually when you only need a few IP address pools; automatically generate subnets when you want to create many IP address pools at a time.
If you only need a few IP address pools, you can create subnets manually. You can automatically generate subnets to create many IP address pools at one time. Creating a large number of IP pools of a small size, from which only a few addresses can be assigned, will help protect your network. By isolating...

Cisco Host Security Strategy

Figure: Endpoint Protection: Cisco Security Agent
- Alleviates patching and signature update pressure with behavior-based protection technology
- Preserves enterprise resilience by auditing and enforcing adherence to corporate endpoint security policies when accessing the network
- Limits the severity of infections by reducing the response time spent identifying and isolating infected systems and cleaning traffic
The Cisco strategy for addressing host security, and therefore network and enterprise...

Cisco NAC Appliance Components

Figure: the three components: an optional Windows-based read-only client that validates what must (or must not) be running before a host is allowed access to the network; an in-band or out-of-band device for network access control; centralized management for administrators, support personnel, and operators.
The Cisco NAC Appliance solution consists of these three components. Cisco NAC Appliance Server: The Cisco NAC Appliance Server (Cisco NAS) is the gateway server and enforcement engine between the...

Cisco NAC Appliance for Local Users

The figure shows a Cisco NAC Appliance deployment for remote users. The central site deploys the Cisco NAC Appliance solution behind the IPsec VPN and a switch. The IPsec VPN services support external users such as supply partners and the unmanaged desktops found in home offices. The branch office deploys its own Cisco NAC Appliance solution and uses a multihop IP connection with the central site. The Cisco NAC Appliance Deployment for Remote Users...

Cisco NAC Appliance for Remote Users

The figure shows some of the many possible applications for Cisco NAC Appliance:
Endpoint compliance: This deployment scenario prevents hosts in nonproduction segments such as labs from connecting to the production environment unless they have the latest required security patches installed.
Wireless compliance: This deployment scenario prevents noncompliant devices from joining the network over wireless links.
Guest compliance: This deployment scenario...

Cisco NAC Appliance in Action

This figure shows how each component works when a user attempts to access a network. When an end user attempts to access a web page on the network, Cisco NAC Appliance goes through these four steps to block access until the wired or wireless user provides login:
Step 1 Cisco NAC Appliance checks only hosts that are not on a certified devices list. You can clear the certified devices list manually or automatically at specified intervals. You can use the...

Cisco NAC Appliance in Action (Cont.)

Figure: ladder diagram (Connect response (8955, 8956); User login (443)).
This figure shows a ladder diagram of the protocols used at each step of the interaction between the client machine, the Cisco NAS, and the Cisco NAM. The communication process that the Cisco NAC Appliance components use reveals how difficult it is to undermine the security provided by a Cisco NAC Appliance implementation. Starting at the top left of the ladder diagram and after the client machine attaches to the network, the Cisco NAM and the...

Cisco NAC Appliance In-Band Deployment

All traffic passes through the Cisco NAS. Regulates user traffic by using these controls:
- Traffic policies based on protocol and port, or subnet
- Bandwidth policy management based on shared or per-user roles
- Time-based sessions and heartbeat controls
Supports edge-access devices as long as the client MAC and IP addresses are visible. Used in environments having these characteristics:
- A requirement for role-based bandwidth throttling
- Network infrastructure built with products other than...

Cisco NAC Appliance OOB Deployment

User traffic passes through the Cisco NAS only during authentication, posture assessment, and remediation. After the user successfully logs on and is directly connected to the network, these actions occur:
- Traffic bypasses the Cisco NAS and goes directly to the destination switch port.
- Cisco NAS no longer controls or limits user traffic.
- SNMP is used to control switches and VLAN assignments.
OOB deployment of the Cisco NAS provides port-level control when needed by assigning ports to...

Cisco NAC Appliance OOB Deployment (Cont.)

Cisco NAC Appliance OOB works with the following switches.* Switches must use versions of Cisco IOS software or Cisco Catalyst software supporting MAC notification or SNMP linkup trap commands. OOB requires Cisco NAC Appliance version 3.5 or greater with the Switch Management license option enabled. Client machines must be physically connected to ports of managed switches.
* The list of supported switches changes often. Please see the list of supported switches found on the Cisco NAC...

Cisco NAC Appliance Sample Layer 2 Deployment

Figure: in-band Layer 2 deployment; authentication sources (LDAP, RADIUS, Kerberos).
There are many ways to implement Cisco NAC Appliance. This figure shows an in-band Layer 2 deployment of the components of Cisco NAC Appliance. When a device attempts to log onto the network using a wired or wireless connection, Cisco NAC Appliance consults a certified devices list that contains the MAC and IP addresses of compliant machines. Cisco NAC Appliance scans any machine that is absent from the list....

Cisco NAC Appliance Sample Layer 3 Deployment

This figure shows an out-of-band Layer 3 deployment of the components of Cisco NAC Appliance. You can deploy Cisco NAC Appliance behind other Layer 3 network access devices, including VPN concentrators, dialup servers, and other routers. When the Cisco NAS notices a new IP address, it starts the authentication-assessment-remediation process. When deployed out-of-band, Cisco NAC Appliance blocks noncompliant users at a port layer...

Cisco NAC Appliance Solution

This topic describes how the Cisco NAC Appliance solution controls and secures networks.
Figure: Before allowing users onto a wired or wireless network, Cisco NAC Appliance identifies security policies and enforces...
Cisco NAC Appliance is part of the Cisco Self-Defending Network initiative to improve the ability of networks to identify, prevent, and adapt to security threats. As the central management point for your network, Cisco NAC Appliance allows you to implement...

Cisco NAS Deployment Options (Cont.)

Another way to consider how a Cisco NAS can be deployed is to look at different deployment models. The Cisco NAS Deployment Options table matches types of deployment models with the Cisco NAS deployment options that you should use to accommodate customer network requirements.
Cisco NAS Deployment Options:
- Virtual gateway (bridged mode)
- Real IP gateway (routed mode)
- Layer 2: When the client is adjacent to the Cisco NAS
- Layer 3: When the client is multiple hops away...

Cisco NAS DHCP Modes

This topic describes the Cisco NAS modes of operation for a DHCP-enabled network. The Cisco NAS provides the services of a full-featured DHCP server when in real-IP gateway mode. The Cisco NAS can allocate addresses from a single IP pool or from multiple pools across many subnets, and can assign static IP addresses to particular client devices. The Cisco NAS can...

Cisco NAS DHCP Services

The Cisco NAS web administration console provides tools for:
- Checking for configuration errors
- Managing Cisco NAS DHCP settings globally
Extensive configuration checking in the web administration console helps to ensure that you detect configuration errors during configuration rather than during deployment. The administration console includes tools for autogenerating IP address pools, making it easier to create many pools at once....

Communicating Between Cisco NAS and a Microsoft Windows Active Directory Server

This topic describes how a Cisco NAS communicates with a Microsoft Windows Active Directory server.
Figure: Active Directory domain server (kdc3), Active Directory domain server (kdc2), Active Directory domain server (domain controller) 10.201.152.11, Active Directory domain server (domain controller) 10.201.152.12, kdc.eng.name.domain.com.
The slide shows the...

Comparing In-Band and OOB Modes

In-band: Cisco NAS is always in line with user traffic. Enforcement is achieved because the Cisco NAS is always in line with user traffic.
Out-of-band: Authenticated traffic does not go through the Cisco NAS. Cisco NAS is only in line with user traffic during authentication, assessment, and remediation. Enforcement is achieved using SNMP to control switches and VLAN assignments to ports.
Cisco NAS securely controls authenticated and unauthenticated user traffic by using traffic policies, bandwidth policies, and...

Comparing In-Band and OOB Modes (Cont.)

In-band advantages: Agnostic to switch and router platform; agnostic to switch and router versions; appropriate for wired and wireless; full network access control; bandwidth management control.
In-band disadvantage: No switch port level control.
Out-of-band advantages: In-line only for quarantined traffic; full network access control for quarantined traffic; seamless switch control using SNMP; port- or role-based VLAN assignment.
Out-of-band disadvantage: Switch platform and version dependencies.

Completing the Secondary Cisco NAS High Availability Configuration

Step 1 Shut down the primary Cisco NAS computer.
Step 2 Connect the Cisco NAS machines using:
- A crossover cable to connect the Ethernet ports
Step 3 Open the Cisco NAM Administration console.
Step 4 Choose the Device Management > Clean Access Servers page.
Step 5 Click the Manage button for the cluster.
Step 6 Configure the DHCP settings to match the DHCP settings of the primary Cisco NAS.
The figure shows the six steps that are...

Configure a Filter for the VPN Concentrator or ASA

Figure (form text): By default, managed clients must log in to access the network. Set up alternate access policies by subnet here. You can permit access without authentication, block access, or permit access without authentication with a role. If bandwidth management is enabled, devices allowed without specifying a role will use the bandwidth of the Unauthenticated Role. (Option: use role Unauthenticated Role.)
For the Cisco NAC Appliance to allow the VPN concentrator or ASA onto the trusted side of the network, you...

Configure a Heartbeat Timer: User Inactivity Timer

Figure: Log Out Disconnected Users After 20.
The heartbeat timer sets the number of minutes after which a user will be logged off the network if the user is unreachable through a connection attempt from the Cisco NAS. This feature enables the Cisco NAS to detect and disconnect users who have restarted their computers without logging out of the network. To configure a heartbeat timer for a user role, complete these steps:
Step 1 Choose...

Configuring a Mapping Rule

Figure: User Management > Auth Servers.
To create a mapping rule, you first add and save conditions to configure a rule expression. After a rule expression is created, you can add the mapping rule to the authentication server. Mapping rules can be cascading. If a source has more than one mapping rule, the rules are evaluated in the order in which they appear in the mapping rules list. The role for the first mapping rule that is found positive is used. After a...

Configuring Active Directory SSO for the Cisco NAM, Cisco NAS, and Microsoft Windows Active Directory Server

This topic describes the steps that are used to configure Active Directory SSO for the Cisco NAM, Cisco NAS, and Microsoft Windows Active Directory Server.
- Know the number of Active Directory servers you will configure.
- Have the Windows 2000 or Windows 2003 server installation CD for the Active Directory server.
- Know the IP address of each Active Directory server.
- Know the FQDN of the...

Configuring Cisco NAC Appliance for VPN Concentrator or ASA Integration

This topic describes how to configure the Cisco NAC Appliance for Cisco VPN SSO device integration.
- Configure a filter for the VPN concentrator or ASA.
- Add a Cisco VPN authentication server to the Cisco NAM.
- Map VPN users to roles in the Cisco NAM.
- Add a VPN concentrator or ASA to the Cisco NAS.
- Add an accounting server to the Cisco NAS.
- Enable Layer 3 support on the Cisco NAS.
- Map a VPN gateway to an accounting server.
- Add...

Configuring Cisco NAMs for High Availability

These four steps configure Cisco NAMs for high availability:
Step 1 Connect the Cisco NAM machines.
Step 2 Set up the primary Cisco NAM.
Step 3 Set up the secondary Cisco NAM.
Step 4 Verify the configuration.
The figure lists the steps (explained in detail in the subsequent topics of this lesson) that are used to configure a pair of Cisco NAMs for high availability.
Note: For instructions on how to upgrade an existing pair of Cisco...

Configuring Cisco NAS High Availability

These steps are used to configure Cisco NAS high availability:
Step 1 Configure the primary Cisco NAS.
Step 2 Configure the secondary Cisco NAS.
Step 3 Complete the secondary Cisco NAS high-availability configuration.
Step 4 Test the configuration.
Step 5 Configure DHCP failover....

Configuring Device Certification

Consider these points when configuring device certification: Exempt devices that are manually added to the list must be manually removed. Use the Certified Devices Timer form to have devices removed from the certified list at regularly scheduled intervals. Removing devices from the certified list causes these three actions:
1. Removes in-band clients from the In-Band Online Users list and logs them off the network.
2. Removes out-of-band clients from the Out-of-Band Online Users list and closes...

Configuring DHCP Failover (Cont.)

Figure: DHCP Failover is Enabled; SSH Client Key (enter peer SSH client key here); SSH Server Key (enter peer SSH server key here).
Step 4 In the administrator console of the secondary Cisco NAS, click the DHCP Failover tab.
Step 5 Click the Enable button to enable DHCP failover on the secondary Cisco NAS (the button now reads Disable)....

Configuring General Setup

The General Setup tab allows you to enable the various warning pages that pop up as the client system proceeds through Cisco NAC Appliance certification. Follow these three steps to configure network scanning user page options on the General Setup tab:
Step 1 Choose Device Management > Clean Access and click the General Setup tab. Scanning must be configured for both the user role and the operating system of a user. Choose the desired role from the User Role drop-down box.
Step 2 From the...

Configuring Group Profiles: Add a Group Profile

When you first add a switch to the Cisco NAM domain, a group profile is applied to the new switch. The figure shows a predefined group profile called default. All switches are automatically put in the default group when you add them. You can leave this default group profile setting, or you can create additional group profiles as needed. If you are adding and managing a large number of switches, creating multiple group profiles allows you to filter which sets of devices you want to display from...

Configuring IP Ranges: IP Address Pools

Figure: IP address pools
- Can be from multiple pools and subnets
- Must be within the range managed by the Cisco NAS
  - The address space of the Cisco NAS managed network, or
- Can be generated manually or automatically
To set up the Cisco NAS to provide DHCP services, you must first configure the range of IP addresses to be allocated to clients (the IP address pool). In addition, you can specify the types of network information, such as DNS addresses, that is...

Configuring Port Profiles

You must add a port profile for each set of authentication and access VLANs that you configure on the switch. There are three types of port profiles:
- Uncontrolled: Used for switch ports that are not connected to clients, such as printers and servers.
- Controlled: Used for switch ports that are connected to clients. The port is set to the access VLAN specified in the port profile.
- Controlled using role settings: Used for client-connected ports when role-based port mapping is configured. The port is set to the VLAN ID specified in...

Configuring Port Profiles: Add a Port Profile

To add a port profile, complete these steps:
Step 1 Choose Switch Management > Profiles and click the Port tab.
Step 2 Click the New link.
Figure (form note): Supported VLAN Name format: abc, *abc, abc*, *abc*. The switch will use the first match for wildcard VLAN names.
Step 3 Type a single word for the Profile Name. You can use digits and underscores, but no spaces. The name should reflect whether the port profile is controlled...

Configuring Port Profiles: Add a Port Profile (Cont.)

The device is considered disconnected after an SNMP linkdown trap is received, CCA Agent logout, web user logout, or admin removal of the user. Additional configuration options are:
- Remove out-of-band online user when SNMP linkdown trap is received. Ensure Access VLAN client is removed from OOB online user list if disconnecting/reconnecting to same port.
- Remove out-of-band online user without bouncing the port. This prevents port bouncing for IP phone connected users.
Step 7 The figure shows the bottom...

Configuring Primary Network and Failover Settings

Follow these seven steps to configure primary network and failover settings:
Step 1 Choose Administration > Clean Access Manager and click the Network & Failover tab. The figure shows a dashed box around the failover setting you will configure. Choose the HA-Primary option from the High-Availability Mode drop-down menu. The high-availability settings appear inside the dashed box in the figure.

Configuring Primary Network and Failover Settings (Cont.)

Figure: Administration > Clean Access Manager, Network & Failover (fields: IP Address, Subnet Mask, Default Gateway, Peer Host Name, Heartbeat Serial Interface: COM1 port 3F8/irq 4, Crossover Network: 10.10.10.252, Crossover Netmask: 255.255.255.252; note: set up the primary server before the...).
Step 3...

Configuring Switch Ports to Use Port Profiles

After switches are added to the domain, you must complete the following tasks:
- Configure the switch ports to use the correct port profiles.
- Initialize the switch ports if using MAC notification.
Only the running configuration of the switch is changed. Switch ports typically use the uncontrolled port profile if they are not connected to clients. Switch ports that are connected to clients use controlled port profiles. After...

Configuring Switch Profiles: Add a Switch Profile

To add a switch profile, complete these steps:
Step 1 Choose Switch Management > Profiles and click the Switch tab. The list of defined switch profiles appears.
Step 2 Click the New link. The switch profile Add form appears.
Figure: switch profile Add form (these settings must match the switch setup to ensure that the Clean Access Manager can read/write to the switch correctly): Profile Name, Switch Model, SNMP Port, Description, SNMP Read Settings, SNMP Version...

Configuring Switch Profiles: Example Switch Profile

Figure: an example switch profile, with Switch Model set to Cisco Catalyst 2950 series, a Description, and SNMP Read Settings. The form note reads: These settings must match the switch setup to ensure that the Clean Access Manager can read/write to the switch correctly.
You must first create and apply a switch profile when you...

Configuring the Cisco NAA Temporary Role

Any user who fails a system requirement is assigned to the Cisco NAA temporary role. Session timeouts and traffic control policies must be configured to allow users time to access the required software. Only one Cisco NAA temporary role is allowed. Users who fail a system check are assigned to the Cisco NAA temporary role, which gives them limited network access so that they can find and retrieve the resources needed to comply with Cisco NAA requirements. The temporary role can be fully edited. It acts...

Configuring the Cisco NAA Temporary Role (Cont.)

To configure the session timeout and traffic policies for the Cisco NAA temporary role, you must first adjust the session timer value and then configure traffic policies. Follow these steps:
Step 1 Choose User Management > User Roles > Schedule > Session Timer. The
Step 2 Click the Edit button for the Temporary Role. The Session Timer form appears.
Step 3 Check the Session Timeout check box and enter the number...

Configuring the Cisco NAM to Implement the Cisco NAA on Client Machines

Figure (partial): Step 2 Require the use of the Cisco NAA. Step 3 Configure session timeout and traffic policies for the temporary role. Step 8 Apply requirements to a role.
The Cisco NAM manages the installation and upgrade of the Cisco NAA on Cisco NAC Appliance Servers (Cisco NASs) and client machines. The eight steps that are used to configure the Cisco NAM to implement the Cisco NAA on client machines are listed in the figure.

Configuring the Cisco NAS for In-Band Deployment

Step 1 Add the Cisco NAS to the Cisco NAM managed domain.
Step 2 Configure the Cisco NAS interfaces.
Step 3 Add managed subnets (if needed).
Step 4 Configure Cisco NAS VLAN settings.
To configure the Cisco NAS for in-band deployment, follow these steps, which are described in
Step 1 Add the Cisco NAS to the Cisco NAM managed domain. The Cisco NAS receives its runtime parameters from the Cisco NAM and cannot operate until it is added...

Configuring the Quarantine Role

To configure the quarantine role:
Step 1 Create additional quarantine roles (if needed).
Step 2 Configure session timeout.
Step 3 Configure traffic control policies for the quarantine role.
Cisco NAC Appliance can assign a user to a quarantine role if a vulnerability is discovered in the client system. Quarantining a vulnerable user is one option; alternatives include blocking the user or providing the user with a warning. The quarantine role is a mechanism that gives the user...

Configuring the Quarantine Role Configure Session Timeout

These five steps are used to configure the session timeout for a given quarantine role:
Step 1 Choose User Management > User Roles and click the Schedule tab.
Step 2 Click the Session Timer option to view a list of roles.
Step 3 Choose the role that you want by clicking Edit at the end of the line for the desired quarantine role. This opens the Session Timer form.

Configuring the Quarantine Role Configure Session Timeout (Cont.)

Step 4 In the Session Timer form, complete these tasks:
- Check the Session Timeout check box.
- Enter the number of minutes that you want the user session to last. Choose an amount that allows the user enough time to download the files that are needed to correct problems in the system.
- Optionally, enter a description for the session timeout requirement. An example of a description that you can use is heartbeat timer.
Step 5 Click the Update button. The...

Configuring Traffic Policies for User Roles

Default traffic filtering policy for a newly created user role:
- Deny all for traffic moving from the untrusted side to the trusted side
- Allow all for traffic moving from the trusted side to the untrusted side
Configure traffic policies to allow the appropriate traffic for the new role. Configure traffic policies for the Cisco NAA temporary and NAC Appliance quarantine roles to:
- Prevent general access to the network.
- Allow access to web resources or remediation sites so that the user can meet NAC Appliance...

Configuring User Roles to Specify Access VLANs for Role-Based Port Profiles

Figure: the user role form, with the fields Disable this role, Role Name, Role Description, Role Type, VPN Policy, Dynamic IPSec Key, Max Sessions per User Account (Case-Insensitive), and Retag Trusted-side Egress Traffic with VLAN (In-Band); the access VLAN is added in the last field to use role-based port profiles.
To configure user roles to specify access VLANs for role-based port profiles, follow these steps:
Step 1 Go to...

Configuring User Session Timeouts

This topic describes how to configure user session timeouts for user roles.
- Enforce limited access for NAC Appliance user roles
- Limit exposure of the network to potential vulnerabilities
  - Size of download packages required
To enforce limited access for the Cisco NAA temporary role and the NAC Appliance quarantine role, configure both roles to have brief session timeout periods and few traffic policy privileges. Use special care in determining the...

Configuring User-Specified DHCP Options

DHCP options can be specified at two levels:
- Global options appear at the root level (at the top of the DHCP configuration file), apply to all DHCP subnet declarations, and are inherited by everything in the file.
- Options added to each subnet definition can be enabled whether or not the subnet inherits the option, and apply only to the subnet for which they are entered.
The Global Options tab allows advanced users to modify the DHCP configuration directly....

Configuring Vulnerability Handling

Figure: the Network Scanner page, with the tabs Scan Setup, Plugin Updates, Reports, Plugins, Options, Vulnerabilities, User Agreement, and Test. The page note reads: By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified. The Vulnerabilities list shows example plugins such as 14245 (Opera web browser address bar spoofing weakness) and 12022 (phpShop), with the result categories HOLE, WARN, and INFO.
If scanning detects a vulnerability on the user system, the user can be blocked from the network, quarantined, or warned about the vulnerability. When client scan reports are enabled, a client scan...

Confirming Cisco NAS Kerberos Ticket

Figure: Kerberos service ticket with the Cisco NAS server name.
The figure shows a dialog box of the Microsoft utility Kerbtray running on a client machine. The dialog box shows a Kerberos service ticket with the username of the Cisco NAS, ccasso. Recall that the Cisco NAA asks the client machine to request a Kerberos service ticket from the Active Directory server with the Cisco NAS username. The Cisco NAA uses the Kerberos service ticket to...

Connecting Two Cisco NAMs

Follow these two steps to connect Cisco NAMs:
Step 1 For the heartbeat interface and data exchange, use a crossover cable to connect the eth1 Ethernet ports.
Step 2 For the additional optional heartbeat serial exchange between the failover peers, connect the serial ports.
Follow these two steps to physically connect two Cisco NAMs:
Step 1 Use a crossover cable to connect the eth1 Ethernet ports of the Cisco NAM machines. This connection...

Course Flow

Figure: course schedule listing the modules Cisco NAC Endpoint Security Solutions; Cisco NAC Appliance Common Elements Configuration; Cisco NAC Appliance Monitoring and Administration; Cisco NAC Appliance Common Elements Configuration (Cont.); Cisco NAC Appliance Implementation Options.
The schedule reflects the recommended structure for this course. This structure allows enough time for the instructor to present the course...

Course Goal and Objectives

This topic describes the course goal and objectives. Upon completion of this course, you will have the skills and knowledge to implement a Cisco NAC Appliance solution into a network equipped with Cisco products.
Upon completing this course, you will be able to meet these objectives:
- Given network security requirements, select the appropriate NAC endpoint security deployment scenario that will meet or exceed network security requirements
- Configure the...

Creating a Check

Follow these eight steps to create a check:
Step 1 In the Clean Access Agent tab, click the Rules submenu and then click the New Check option.
Step 2 Choose a check category from the Check Category drop-down menu. The choices are Registry Check, File Check, Service Check, and Application Check.
Step 3 Choose a check type from the Check Type drop-down menu and fill in the form fields for parameters, operator, and (if the check type is a value comparison)...

Creating a Custom Requirement

Figure: the New Requirement form (under the tabs Network Scanner, Clean Access Agent, Role-Requirements, Reports, Updates), with Requirement Type set to Link Distribution, the Do not enforce requirement check box, Priority 10, a File Link URL field, Requirement Name "Manage system startup files", Description (optional) "Our security policy suggests you download this...", and the Operating System choices Windows All, Windows XP, and Windows 2000...

Creating an Antivirus Update Requirement

Figure: the Add Requirement form, with Requirement Type set to AV Definition Update, the Do not enforce requirement check box, Priority 10, a Note beginning "Vendors without products...", and the Operating System choices Windows All, Windows XP, Windows 2000, and Windows ME.
Follow these seven steps to create an antivirus update requirement:
Step 1 In the Device Management > Clean Access > Clean Access Agent tab, choose Requirements > New Requirement.
Step 2 Choose AV Definition Update in...

Creating an IP-Based Traffic Control Policy (Cont.)

Figure: the Add Policy for Temporary Role form (Untrusted -> Trusted), with the fields Untrusted (IP/Mask/Port), Trusted (IP/Mask/Port), Description, Allow or Block, and Enabled or Disabled; the port field examples are *, 21, 1024-1100.
Step 4 For a new policy, set the priority of the policy from the Priority drop-down menu. By default, the form displays a lower priority than all existing priorities when a new policy is created. For example, if you are creating the very first policy for the role, a...

Customizing the User Agreement Page

Complete these six steps to customize the User Agreement page:
Step 1 Choose Device Management > Clean Access > Network Scanner > Scan Setup > User Agreement. The configuration form for the User Agreement page appears.
Step 2 Choose the user role and operating system from the User Role and Operating System drop-down menus. The Cisco NAM determines the operating system of the user system at login time and serves the page that you have specified for that operating system.
Note If you...

Deleting a Role

To delete a role, choose User Management > User Roles and click the List of Roles tab. Click the Delete button next to the role that you want to delete. Users actively connected to the network in the deleted role will be unable to use the network; however, their connection will remain active. Such users should be logged off the network manually by clicking the Kick User button next to the user in the Monitoring > Online Users > View Online Users...

Device access method

Cisco NAC Appliance can apply posture assessment and remediation services to all devices.
Device type: Cisco NAC Appliance can enforce security policies on all networked devices, including Windows, Mac, or Linux machines, laptops, desktops, personal digital assistants (PDAs), and corporate assets such as printers and IP phones.
Device ownership: Cisco NAC Appliance can apply security policies to systems owned by the corporation,...

Differentiating NAC Products (Cont.)

Figure: Policy Server Decision Points and Remediation (Windows, Symantec, McAfee, Trend, Sophos, Zone, CA, etc.).
The top of the figure shows the components of a Cisco NAC framework that provide compliance-based access control. NAC functions, including AAA, scanning, and remediation, are performed by other Cisco products (for example, the Cisco ACS provides AAA) or partner products (for example, TrendMicro provides antivirus updates). Cisco NAC...

Editing a Subnet (Cont.)

Step 5 To modify the lease time, DNS or WINS server information, and VLAN ID restriction of the subnet list, enter the new values in the corresponding fields.
Step 6 For autogenerated subnets, you can disable a particular subnet by clicking the Disabled check box next to it. This step disables the IP range associated with that generated subnet so that the IP addresses in the range are not leased. This feature can be particularly useful if you have one or two servers in the...

Enable Layer 3 Support on the Cisco NAS

The Enable L3 support option must be checked on the Cisco NAS for the Cisco NAA to work in VPN tunnel mode. The Layer 3 and Layer 2 strict options are mutually exclusive: enabling one option disables the other. Enable Layer 3 support on the Cisco NAS as follows:
Note The Clean Access Server Type, Trusted Interface, and Untrusted Interface settings should already be correctly configured from when the Cisco NAS was added.
Step 1 Go to Device Management > Clean Access Servers > IP Address...

Enabling RADIUS Accounting for Users

You can configure the Cisco NAM to send accounting messages to a RADIUS accounting server. The Cisco NAM sends a Start accounting message when a user logs in to the network and a Stop accounting message when the user logs out (or is logged out or timed out). This feature allows you to account for user time and other attributes on the network. Cisco NAC Appliance Release 3.5 added control over which data is sent in accounting packets. You can customize the data to...

Enabling the DHCP Module

Figure: Device Management > Clean Access Servers > 192.168.137.3.
To enable the DHCP operation mode on a per-Cisco NAS basis, complete these steps:
Step 1 From Device Management > Clean Access Servers > List of Servers, click the Manage button next to the Cisco NAS that you want to enable for DHCP operation.
Step 2 In the Network tab, click the DHCP link to open the DHCP form.
Step 3 From the DHCP...

Enabling User-Specified DHCP Options

Figure: Device Management > Clean Access Servers > 10.201.240.10, with the tabs Status, Network, Filter, Advanced, Authentication and the subtabs IP, DHCP, DNS, Certs, IPSec, L2TP, PPTP, PPP, showing the Disable button for User-Specified DHCP Options.
To enable user-specified DHCP options, complete these steps:
Step 1 Choose Network > DHCP and click the Global Options tab.
Step 2 Click the Enable button. This...

Enforcing Rules and Requirements

Cisco NAC Appliance uses the Cisco NAA to inform the user that the client machine is not in compliance with the configured requirements. The figure shows the Cisco NAA dialog box that appears when a client machine does not have antivirus software installed. Notice that the user is given a time limit to remediate the issue. There is also a command button that takes the user to the location described in the dialog box. The next series of slides shows examples of Cisco NAA dialog boxes that appear...

Enforcing Rules and Requirements (Cont.)

The figure shows a dialog box that appears to the user when Cisco NAC Appliance determines that an antivirus update is missing. Again, a time limit is included to let the user know how much time there is to perform the update. In this dialog box, an Update button appears. Cisco NAC Appliance can be configured to take the client to a remediation site to download the required software update.
Caution Not all product versions of a selected vendor support automatic updates via the Cisco NAA....

Establishing a Serial Connection Between Cisco NAMs

Follow these five steps to establish an optional serial connection between failover peers:
Step 1 From an SSH client, access the Cisco NAM as the root user.
Step 2 Edit /etc/lilo.conf and remove or comment out this last line
Step 3 Edit /etc/inittab and remove or comment out this last line: co 2345 respawn vt100
Step 4 At the command prompt, enter the lilo command and press Enter.
Step 5 Reboot the computer by entering the reboot command.
If the computer that is running the Cisco NAM software has...

Example Addresses for Auto-Generated Subnets

Figure: Automatically Generated IP Range of Four /30 Subnets.
The figure shows the addressing for an automatically generated IP range of four /30 subnets starting at address 192.168.2.12.
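The following is an added example, not part of the course material or Cisco NAC Appliance code. It works through two points from this page: how a range of four /30 subnets starting at 192.168.2.12 is laid out (network, the two usable addresses, broadcast), and how a root-level DHCP option is inherited by every subnet unless an option entered for a particular subnet overrides it, as described under Configuring User-Specified DHCP Options. The dhcpd.conf-style text it emits is an assumption about the format exposed on the Global Options tab, the option values and the 192.168.2.2 and 192.168.2.3 DNS addresses are constructed, and the choice of the first usable address of each /30 as the gateway is an assumption as well.

```python
"""Added example: /30 subnet layout and DHCP option inheritance.

Illustrative code written for this page, not Cisco NAC Appliance code.  The
dhcpd.conf-style output format, the sample option values and the gateway
placement are assumptions; the start address 192.168.2.12 is from the page.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data: root-level (global) options, and one subnet-level
# override that applies only to the third /30.
GLOBAL_OPTIONS: Dict[str, str] = {
    "domain-name-servers": "192.168.2.2",   # constructed value
    "domain-name": '"example.test"',         # constructed value
}
SUBNET_OPTIONS: Dict[str, Dict[str, str]] = {
    "192.168.2.20/30": {"domain-name-servers": "192.168.2.3"},  # constructed override
}


def generate_30_subnets(start: str, count: int) -> List[ipaddress.IPv4Network]:
    """Return `count` consecutive /30 subnets beginning at `start`.

    strict=True makes ip_network raise ValueError when `start` is not on a /30
    boundary (its last octet not a multiple of 4), which is the first thing to
    check when an auto-generated range does not line up as expected.
    """
    first = ipaddress.ip_network(f"{start}/30", strict=True)
    base = int(first.network_address)
    return [
        ipaddress.ip_network(f"{ipaddress.IPv4Address(base + 4 * i)}/30")
        for i in range(count)
    ]


def describe(net: ipaddress.IPv4Network) -> Dict[str, str]:
    """Network address, the two usable host addresses, broadcast and mask of a /30."""
    hosts = list(net.hosts())  # exactly two addresses for a /30
    return {
        "network": str(net.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
    }


def effective_option(net: ipaddress.IPv4Network, name: str,
                     global_opts: Dict[str, str] = GLOBAL_OPTIONS,
                     subnet_opts: Dict[str, Dict[str, str]] = SUBNET_OPTIONS) -> Optional[str]:
    """Resolve an option as the page describes: a value entered for this subnet
    wins; otherwise the root-level value is inherited; otherwise there is none."""
    return subnet_opts.get(str(net), {}).get(name, global_opts.get(name))


def render_dhcpd_conf(subnets: List[ipaddress.IPv4Network],
                      global_opts: Dict[str, str] = GLOBAL_OPTIONS,
                      subnet_opts: Dict[str, Dict[str, str]] = SUBNET_OPTIONS) -> str:
    """Emit dhcpd.conf-style text (assumed format): global options at the root,
    then one declaration per /30.  Assumption: the first usable address of each
    /30 is the gateway, so only the second address is offered for lease."""
    lines = [f"option {k} {v};" for k, v in global_opts.items()]
    for net in subnets:
        d = describe(net)
        lines.append(f"subnet {d['network']} netmask {d['netmask']} {{")
        lines.append(f"    option routers {d['first_host']};")
        lines.append(f"    range {d['last_host']} {d['last_host']};")
        for k, v in subnet_opts.get(str(net), {}).items():
            # Entered for this subnet only; overrides the root-level value here.
            lines.append(f"    option {k} {v};")
        lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = generate_30_subnets("192.168.2.12", 4)
    for n in nets:
        print(describe(n), "dns ->", effective_option(n, "domain-name-servers"))
    print(render_dhcpd_conf(nets))
```

Running the block prints the four subnets 192.168.2.12/30 through 192.168.2.24/30 with their host and broadcast addresses, then the generated configuration; only the 192.168.2.20/30 declaration carries its own domain-name-servers line, the other three inherit the root-level value.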

Example Configuring a Windows NT Authentication Provider

To configure a Windows NT provider for Cisco NAC Appliance users, complete these steps:
Step 1 Choose User Management > Auth Servers > New.
Step 2 From the Authentication Type drop-down menu, choose Windows NT. The Windows NT form appears.
Step 3 In the Provider Name field, enter a name that is unique for the authentication provider. If you intend to provide your users with the ability to select providers from the login page, be sure to use a name that...

Example Layer 2 In-Band Central Real-IP Gateway

Figure: Default Gateway for Cisco NAS Trusted Network Side.
In a routed central deployment, the Cisco NAS is configured to act as the real-IP gateway for each of the subnets that you want to manage. In a VLAN-enabled environment, you can trunk multiple VLANs through a single Cisco NAS. Aggregating multiple VLANs that are organized by location, wiring, or shared needs of users through a single Cisco NAS (by VLAN trunking) can help simplify your...

Example Layer 2 In-Band Edge

In a Layer 2 in-band edge deployment, the Cisco NAS is placed between each managed subnet and the router in the network and can act as either a virtual bridge or a real-IP gateway.

Example Layer 2 In-Band Edge Virtual Gateway

Cisco NAS interfaces should be on a separate VLAN from the manager VLAN and the access VLANs.
The topology shows a Layer 2 in-band edge virtual gateway Cisco NAS deployment. Consider these aspects of this configuration example:
- VLAN for the Cisco NAM: In the figure, the management VLAN for the Cisco NAM is VLAN 2.
- VLAN for the Cisco NAS: This VLAN must be different from the VLAN for the Cisco NAM. In the figure, the management VLAN for the...

Example Layer 2 OOB Central Virtual Gateway

The figure shows an example Cisco NAC Appliance Layer 2 out-of-band topology. The posture assessment is completed in-band with the Cisco NAS on the authentication VLAN 110. After the client has been successfully assessed, the client can access the network on VLAN 10.

Example Layer 2 OOB Central Virtual Gateway with IP Phones

Figure: Cisco NAS IP Address 10.91.1.2 (management only); Auxiliary VLAN 700; Access VLAN 10; Authentication VLAN 110; the Cisco NAS DHCP server serves client machines on VLAN 10 from the scope 10.1.1.5-10.1.1.100.
The Cisco NAC Appliance Layer 2 out-of-band central virtual gateway solution works well with VoIP solutions. In the figure, the authorization VLAN is 110 and the access VLAN is 10. The auxiliary VLAN 700 is used by the Cisco IP...