Phased Approach to Deploying NAC Framework

Every organization faces its own challenges and pitfalls when deploying new technologies, products, and tools. The NAC Framework introduces new technologies that leverage existing network infrastructure. It is important that you create a clear and detailed test and implementation plan to overcome these challenges. Network and security best-practice procedures strongly recommend that any new technology or product be tested first in a lab environment. Subsequently, a pilot within a limited...

About the Technical Reviewers

Darrin Miller is an engineer in Cisco's security technology group. Darrin is responsible for system-level security architecture. He has worked primarily on policy-based admission and incident response programs within Cisco. Before that, Darrin conducted security research in the areas of IPv6, SCADA, incident response, and trust models. This work has included protocol security analysis and security architectures for next-generation networks. Darrin has authored and contributed to several books...

Acknowledgments

We would like to thank the technical editors, John Stuppi and Darrin Miller, for their time and technical expertise. They verified our work and provided recommendations on how to improve the quality of this manuscript. Special thanks go to Jay Biersbach for reviewing this book before final editing. We would like to thank the Cisco Press team, especially Brett Bartow and Andrew Cupp, for their patience, guidance, and consideration. Their efforts are greatly appreciated. Additionally, special...

Adding External Antivirus Policy Servers in Cisco Secure ACS

Before you add any external antivirus policy server to Cisco Secure ACS, you must import a NAC attribute definition file (ADF) provided by the antivirus vendor. To import the ADF to ACS, complete the following steps:

Step 1 Copy the ADF file to a directory accessible by the Cisco Secure ACS utility CSUtil.exe.

Step 2 On the server running Cisco Secure ACS, open a command prompt and change directories to the directory containing CSUtil.exe.

Step 3 Import the ADF to ACS using the command...

Adding Network Access Devices

Before your switches, routers, concentrators, firewalls, and wireless access points can communicate with ACS, you must add them in ACS as network access devices (NADs). (NADs are also commonly referred to as AAA clients.) Adding the device in ACS tells ACS what IP address the device has, what protocol it will be using to communicate, and what key to use to decrypt the messages. Follow these steps to add your NAC enforcement points to ACS:

Step 1 From the navigation frame on the left, select...

Altiris

Altiris has a very robust software-distribution and remediation solution called the Altiris Quarantine Solution. The Altiris Notification Server plays a crucial role in this solution, as illustrated in Figure 12-1.

Figure 12-1 Altiris Quarantine Solution (Host with CTA + Altiris Agent + Altiris Network Access Agent)

The following remediation steps are illustrated in Figure 12-1:

1. A host attempts to access the network, and posture validation is started via EAPoUDP or EAP over 802.1X.

2. The...

Altiris Network Discovery

The Altiris Network Discovery is a free plug-in component to the Notification Server that is used to discover all end-user machines connected to the network.

NOTE For the Altiris Notification Server installation guidelines and minimum system requirements, refer to the Altiris documentation at www.altiris.com.

The Altiris Quarantine Solution does not require the use of Network Discovery to function; however, it is recommended that you use Network Discovery to have an accurate database of end-user...

Altiris Quarantine Solution Configuration

SecureMe wants to ensure that it has a database of all the end-host machines that exist in its network. Even though the Altiris Quarantine solution is already deployed, SecureMe wants to take advantage of its Network Discovery feature. To enable this feature, consult Chapter 12, Remediation, and follow the steps described in the Altiris Network Discovery section. The Altiris Notification Server determines whether end-user machines are running a specific version of software before being granted...

Antivirus Policy Servers and the Host Credential Authorization Protocol (HCAP)

Cisco Systems developed the Host Credential Authorization Protocol (HCAP) to provide the communication channel between Cisco Secure Access Control Server (ACS) and third-party posture-validation servers, such as antivirus policy servers. HCAP uses Secure Sockets Layer (SSL) as the communication medium to exchange EAP-based credentials between Cisco Secure ACS and the posture-validation servers. ACS forwards client credentials to one or more antivirus vendor servers and receives posture token response...

Antivirus Software Posture Plug-Ins

Posture plug-ins enable Cisco Trust Agent (CTA) to retrieve posture credentials from third-party applications (such as antivirus software) installed on a client machine.

NOTE Chapter 2, Cisco Trust Agent, covers the installation and configuration of CTA in detail.

In most cases, two files make up a posture plug-in. For Windows-based systems, a posture plug-in consists minimally of the following:

- A Dynamic Link Library (.dll) file
- An Information File (.inf) file

On Linux-based systems, posture...

Architectural Overview of NAC for Agentless Hosts

The posture-validation process is crucial in determining the correct status of a network device. When CTA is not present on a device, the NAD can leverage an audit server when an end machine requests access to the network. Figure 11-2 provides a complete flow of the posture-validation process on a Cisco NAD. A Cisco switch is set up for NAC-L2-IP to validate an end host's posture before allowing access to the corporate network.

Figure 11-2 Posture-Validation Process for a Host

Figure 11-2...

Architectural Overview of NAC on Cisco VPN 3000 Concentrators

The current implementation of NAC provides posture validation (PV) to the remote-access VPN connections, including Cisco remote-access IPSec tunnels and Layer 2 Tunneling Protocol (L2TP) over IPSec tunnels. The PV ensures that VPN clients run the latest patches and antivirus signature files, the most recent personal firewall rules, and updated host-based intrusion-prevention system (HIPS) rules and software. The Cisco VPN 3000 concentrator, as your remote-access solution, allows mobile and home...

Architectural Overview of NAC on Layer 3 Devices

The posture-validation process on a Layer 3 device starts when an end host requests access to the network. Figure 5-1 provides a complete flow of the posture-validation process on a Layer 3 NAD. A Cisco 3845 router is acting as the Layer 3 NAD to validate the end host's posture before allowing access to the corporate network. This assessment is checked against the policies defined on the Cisco Secure Access Control Server (Cisco Secure ACS). Figure 5-1 Layer 3 Posture-Validation Process for a...

Architecture of NAC-L2-802.1X

The NAC-L2-802.1X feature enables you to perform a security posture assessment of a host using proven 802.1X technologies on a Layer 2 switch port. NAC-L2-802.1X uses EAP-FAST as the transport mechanism to carry identity and security posture information within a Transport Layer Security (TLS) tunnel. Consequently, an 802.1X supplicant that supports EAP-FAST is needed for NAC-L2-802.1X.

NOTE The embedded supplicant included with CTA supports EAP-FAST. It also supports EAP-GTC, EAP-MSCHAPv2, and...

Architecture of NAC-L2-IP

NAC-L2-IP uses EAP over UDP (EoU) as the transport mechanism to complete the posture assessment of a device attempting to connect to the corporate network. This is similar to NAC Layer 3; however, the posture assessment is done on a Layer 2 switch port. The posture assessment is triggered when the Cisco Catalyst switch receives a Dynamic Host Configuration Protocol (DHCP) or an Address Resolution Protocol (ARP) request from the device attempting to connect to the network. When the switch detects the DHCP...

Audit Servers

Using the Network Admission Control (NAC) functionality, the Cisco network access devices (NADs) validate endpoint device posture by comparing it with the security policies on the access control server (ACS). However, this requires that you load the Cisco Trust Agent (CTA) on the end hosts. In a typical network topology, some hosts will use non-Windows, non-Linux, or non-Mac-based operating systems. Such devices might include network printers and Solaris-based workstations that cannot run CTA....

Authentication Policy

The Authentication policy contains the credential-validation databases (the databases you want to authenticate the users to), along with the MAC authentication bypass settings for NAC-L2-802.1X agentless hosts. The credential-authentication databases are used to authenticate NAC-L2-802.1X users. The ACS internal database is listed by default. Additional external databases can be configured by clicking the External User Databases button. When configured, the database appears in the Available...

Authorization Policy

The Authorization Policy in the NAP is where you apply authorization rules to limit an end host's access to the network, based on the system posture token returned from posture validation. Again, as with the posture validation rules you looked at in the last section, the authorization rules contain both a condition and an action. The condition consists of a user group and a system posture token. If the condition is met, the action can be to deny access or apply the selected shared RAC and...

Branch Office

The branch office topology is the same as the one described in Chapter 13 for the small business. It consists of one or more switches connected to a router, which, in turn, connects to the New York corporate headquarters through a site-to-site IPsec VPN tunnel. Figure 15-2 shows the topology. The branch office is connected to the Internet through the GW_Router and to SecureMe's New York headquarters through the site-to-site IPsec VPN tunnel. This is done to avoid the use of expensive leased lines and to...

Business Requirements for NAC in a Medium-Size Enterprise

SecureMe is concerned about outbreaks of new network worms. A few months ago, the network infrastructure was severely degraded by a number of laptops. During the post-analysis phase of the incident, it was determined that those machines were not using the latest antivirus signature files and did not even have the Cisco Security Agent (CSA) application installed. The chief security officer (CSO) of SecureMe, Inc., is concerned about the findings of the post-analysis report and wants to look into...

C

CA certificates, CTA lab environment deployment, 46 post installation tasks, 47 Windows, 46-47 call centers, headquarter network topology, 458 catalyst switches, NADs (Network Access Devices), 17-20 CatOS (Cisco Catalyst switch), 130 medium enterprise configuration, 427-430 NAC-L2-802.1X configuration, 144 NAC-L2-IP configuration, 130-132 Cisco 5500 series Adaptive Security Appliances NADs (Network Access Devices), 21 Cisco Adaptive Security Appliances. See ASA Cisco Easy VPN Client, VPN...

Call Center

The call center is one of the most populated sections of SecureMe's network. More than 800 contractors handle customer and third-party calls at SecureMe's call center. Each user's desk is equipped with a workstation connected behind a Cisco IP Phone.

TIP Cisco IP phones are supported in NAC-L2-IP and NAC-L2-802.1X when Cisco Discovery Protocol (CDP) is enabled to provide a seamless NAC bypass function. SecureMe's network staff enables CDP to allow this functionality.

Contractors should have...

Catalyst 6500 CatOS Configuration

To meet the requirements that SecureMe has listed for the NAC Framework solution, the following are the major configuration steps on the Catalyst 6500 switch running CatOS. The solution requires you to configure NAC-L2-IP because you do not have a requirement to authenticate the end users before granting them network access. This way you can rule out NAC-L2-802.1X and configure the switch for NAC-L2-IP.

Step 1 Configure the RADIUS server information on the switch. The RADIUS server in this...

Centralized Agentless Host Policy for NAC-L2-802.1X MAC Authentication Bypass

Similar to the agentless host policy for NAC-L3-IP and NAC-L2-IP, ACS provides a NAC template to authenticate and authorize those agentless hosts in NAC-L2-802.1X-enabled networks. The NAC template used for this is titled Agentless Host for L2 (802.1X fallback). The NAC-L2-802.1X Agentless Host Policy enables you to configure exceptions, based on MAC addresses, for hosts without the NAC-enabled 802.1X supplicant to connect to the network. The exceptions authenticate the hosts based on MAC...

Centralized Agentless Host Policy for NAC-L3-IP and NAC-L2-IP

ACS provides a NAC template titled Agentless Host for L3, which covers all agentless hosts that the switch is attempting to posture through EAP over UDP. This includes both NAC-L3-IP and NAC-L2-IP. The Agentless Host for L3 policy provides a way to authorize clientless hosts using a downloadable ACL and RAC, but without posturing them. Thus, these hosts will not be assigned a system posture token. Instead, the show eou all output on the switch or router will display the AuthType as CLIENTLESS with...

Certificate Issues: EAP-TLS or PEAP Authentication Failed During SSL Handshake in Failed Attempts

If you have a host that is not being postured properly, the first troubleshooting step is to check the Failed Attempts log. If you see the message EAP-TLS or PEAP authentication failed during SSL handshake in the Authen-Failure-Code column, this indicates a problem with the certificates. If other hosts have been postured fine, you know that ACS's certificate is fine. To resolve the problem, you need to check that the correct root CA certificate was installed in the trusted root store on the...

Chapter

After adding any new monitored device into CS-MARS, what must be done before CS-MARS analyzes events sent from that device?

b. The Activate button must be clicked to synchronize the GUI to the back-end database.

c. You must select the Analyze Events button, next to the device on the Report tab.

d. Nothing needs to be done after adding the new device through the GUI.

Answer: B

2. What protocol/port do Cisco IOS routers (by default) use to send NetFlow data to CS-MARS?

3. What version(s) of NetFlow...

Chapter Summary

This chapter opened with an introduction to CTA, followed by a list of decisions that must be made before deployment. The minimum system requirements were covered next, along with step-by-step instructions for installing CTA in a lab environment. Deploying CTA in a production environment came next. The remainder of the chapter described the various configuration files, along with the options available in each. Quite a bit of time was also spent describing the optional Scripting Interface and...

Cisco ASA 5500 Series Adaptive Security Appliance and PIX 500 Series Security Appliance

The NAC implementation on the Cisco 5500 series Adaptive Security Appliances (ASA) and PIX 500 series security appliances is identical to the implementation on the VPN 3000 concentrators. NAC-L3-IP is supported starting with Version 7.2(1) on all IPSec and L2TP over IPSec remote-access tunnels. Posture enforcement is provided by way of a downloadable ACL from Cisco Secure ACS. Additionally, just as with the VPN 3000, remote-access clients can be exempted from NAC posture validation based on OS...

Cisco IOS Router

Cisco IOS routers first supported NAC in Cisco IOS Release 12.3(8)T, in the Advanced Security, Advanced IP Services, or Advanced Enterprise Services feature sets. Table 1-2 lists Cisco IOS routers by platform and current NAC capability.

NOTE For the most up-to-date list of NAC-enabled routers, check online at http://www.cisco.com/go/nac.

Table 1-2 NAC Support in IOS Routers (platforms include 1701, 1711, 1712, 1721, 1751, 1751-V, 1760; remainder of table not recoverable)

When NAC is implemented on a router, this...

Cisco Secure Access Control Server

The Cisco Secure Access Control Server (ACS) for Windows is another core required component of NAC. Cisco Secure ACS first supported NAC in Version 3.3, which was launched concurrently with Phase I in the summer of 2004. Cisco Secure ACS 4.0, released in the fall of 2005, added support for NAC Phase II, including all the NADs listed in the previous section. Cisco Secure ACS is the central controller for all NAC policy decisions. It receives posture credentials from all agents and either...

Cisco Secure ACS Configuration

Install and configure ACS following the procedure described in Chapter 8, Cisco Secure Access Control Server. Then follow the next steps to create both a NAC-L2-IP profile and a NAC-L3-IP-VPN profile (for VPN users). For the NAC-L2-IP profile, you will create policies to validate the previously listed requirements and then create authorization rules to enforce them. You will map the audit server to scan the hosts that are not currently running CTA. For the NAC-L3-IP-VPN, you will create...

Cisco Secure ACS Logging

As discussed in Chapter 8, Cisco Secure ACS provides robust NAC logging capabilities with the Passed Authentications and Failed Attempts log files. Enable and configure Cisco Secure ACS logging from System Configuration > Logging.

NOTE For detailed steps on configuring logging in Cisco Secure ACS, refer to the Enabling Logging section in Chapter 8.

The Cisco Secure ACS log files contain critical information about not only the end host, but also the NAD that the end host is connecting to and...

Cisco Secure Services Client

In Chapter 2, Cisco Trust Agent, we covered CTA and its included 802.1X wired supplicant. In this chapter, we look at the Cisco Secure Services Client. This is a full-featured 802.1X supplicant for wired and wireless interfaces that integrates natively with NAC. This is important because the integration allows the posture validation to take place in the 802.1X exchange itself, within the authentication phase. Thus, posture information can be used along with authentication credentials for VLAN...

Cisco Security Agent

Cisco Security Agent (CSA) is the Cisco award-winning host-based intrusion-prevention system (HIPS) installed on a desktop or server PC that protects it from known and unknown threats. CSA adds a shim into the network layer and into the kernel layer (to watch both network traffic and API calls to the kernel). This allows CSA to not only act as a personal firewall, but also to protect against buffer-overflow attacks and spyware/adware. In addition, it provides file protection, malicious application...

Cisco Security Agent Architecture

In the CSA solution architecture, a central management center maintains a database of policies and information about the workstations and servers that have the Cisco Security Agent software installed. Agents register with CSA MC. Subsequently, CSA MC checks its configuration database and deploys a configured policy for that particular system.

NOTE Starting with CSA Version 5.1, the CSA MC is a standalone system. Before Version 5.1, CSA MC was part of the CiscoWorks VPN and Security Management...

Cisco Trust Agent

Cisco Trust Agent (CTA) is a required, integral component of NAC deployments. CTA is a small software application (about 3MB) installed on end-host machines that performs the following functions:

- Provides a secure communications channel between the host and the ACS server through which posture information is transmitted
- Provides OS and patch information from the host, along with the machine running state, through its included posture plug-in
- Provides state, version, and status information about...

Cisco VPN 3000 Series Concentrator

NAC support for the VPN 3000 series concentrators was first added in Release 4.7. The concentrator is a Layer 3 NAD and postures remote-access IPSec (or Layer 2 Tunneling Protocol [L2TP] over IPSec) clients. The posturing process is almost identical to that of NAC-L3-IP, described previously in the section NAC Phase I (refer to Figure 1-1). The only difference is that the router is replaced with a VPN 3000 concentrator, and an IPSec tunnel is first established to the concentrator before the...

Cisco Wireless Devices

NAC Framework support for wireless devices is available on autonomous Access Points (AP), lightweight access points running the Lightweight Access Point Protocol (LWAPP), and the Wireless LAN Services Module (WLSM) for the Catalyst 6500. Table 1-4 lists the wireless devices and minimum supported software.

Table 1-4 NAC Support in Wireless Devices (Aironet 1100, 1130AG, 1200, 1230AG, 1240AG, 1300 IOS-based access points: Cisco IOS Release 12.3(7)JA or...

Client Does Not Prompt for Password

One common reason the user is never presented with a password dialog box is that the ACS server is not in the Trusted Server list or none of the rules can validate ACS's certificate. When this happens, if the user clicks the Connect button in the client GUI, the connection fails and the icon changes to red. In addition, the bottom of the client window reads the message "Connection failed: The server is not trusted." If you see this message, follow the instructions in the Defining Trusted...

Client GUI Does Not Start

If you receive an error when you attempt to start the client GUI, run the System Report utility. In the .zip archive that it creates, open the clientDebug_current.txt file and scroll down to the bottom to read the most current events. Most errors are printed in plain English (not encoded hex strings) and are, therefore, straightforward to understand and diagnose. Note that installation of the client over Remote Desktop (RDC) is not supported. If attempted, upon reboot and logon via RDC, the...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference:

- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italics indicate arguments for which you supply actual values.
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square...

Communication Issues

CTA communicates on UDP port 21862 with the NAD. If you are experiencing communication issues, ensure that this port is not blocked by a host-based firewall or an ACL on a device between your client and the NAD. Take a sniffer trace on the client and verify that you are seeing two-way communications. You can also use the ctastat utility to view the current status of CTA. This executable is located in the default CTA installation directory. When run, the command returns the session type, the...

Conference Center

The first floor has the conference center, where SecureMe's customers and visitors can attend meetings and presentations. NAC-L2-802.1X is enabled at each port of the conference center. Guest machines are assigned to VLAN 60. Guests assigned to VLAN 60 have access to the Internet only via HTTP and HTTPS. SecureMe's partners and guests are required to have access to the Internet because they are allowed to connect to their corporate VPN devices using IPsec. The following ports and protocols are...

Configuration Guidelines

Chapter 3 Cisco Secure Services Client
Chapter 4 Configuring Layer 2 NAC on Network Access Devices
Chapter 5 Configuring Layer 3 NAC on Network Access Devices
Chapter 6 Configuring NAC on Cisco VPN 3000 Series Concentrators
Chapter 7 Configuring NAC on Cisco ASA and PIX Security Appliances
Chapter 8 Cisco Secure Access Control Server
Chapter 10 Antivirus Software Integration

This chapter covers the following topics:

- Preparing for deployment of CTA
- Deploying CTA in a lab environment
- Understanding...

Configuration Steps of NAC on Cisco Security Appliances

Figure 7-1 illustrates a network topology in which a Cisco ASA 5500 appliance is terminating VPN client sessions from Cisco VPN clients. The public IP address of the appliance is 209.165.202.130, and the private IP address is 10.10.0.2. The security appliance leverages a Cisco Secure ACS server for user authentication. The Cisco Secure ACS also participates in the client's posture validation and applies appropriate policies. The appliance is set up with a pool of addresses from the 10.10.200.0/24...

Configuration Steps of NAC on Cisco VPN 3000 Concentrators

Figure 6-4 illustrates a network topology in which a Cisco VPN 3000 concentrator is terminating VPN sessions from Cisco VPN clients. The public IP address of the concentrator is 209.165.201.2, and the private IP address is 172.18.0.2. The concentrator leverages a Cisco Secure Access Control Server (CS-ACS) for user authentication. The CS-ACS also participates in the client's posture validation and applies appropriate policies. The concentrator is set up with a pool of addresses from the...

Configuration Steps of NAC on Layer 3 Devices

Figure 5-2 illustrates a network topology in which a Cisco IOS 3845 router is acting as a NAD. Two Cisco Secure ACS servers are connected to the GigabitEthernet0/0 interface. These servers are used for EAPoUDP sessions and posture validation. On the GigabitEthernet0/1 interface, two end machines are connected. One is running the Cisco Trust Agent (CTA); the other acts as an agentless machine.

Figure 5-2 Network Topology for Layer 3 NAC

The...

Configure Authorization Rules for NAPs

Complete the following steps to configure authorization rules for NAPs:

Step 1 Configure the authorization rules for the NAC-L2-IP profile by selecting the Authorization link next to the profile and configuring the rules according to Table 14-12.

Table 14-12 L2-IP Authorization Rules (table body not recoverable; final row: "If a condition is not defined or there is no matched condition")

Step 2...

Configure Network Access Filters

NAFs are used to separate NAC-L3-IP devices from NAC-L2-IP devices, thus enabling you to apply a different network access profile to each. Create a NAF named NAF-L2 that will include the Catalyst 6500 switch and a NAF named NAF-L3 to include the VPN 3000 concentrator. These NAFs will be mapped to the network access profiles (NAPs) so that inbound RADIUS requests are processed by the profile for only the devices you selected in the NAF. Follow these steps to create NAPs:

Step 1 Create an L2-IP...

Configure Posture Validation Rules for NAPs

Complete the following steps to configure posture-validation rules for NAPs:

Step 1 Configure the posture-validation rules for the NAC-L2-IP profile by selecting the appropriate link under Network Access Profiles.

Step 2 No modifications are needed for the required credential types. In the Action section, select the following internal posture-validation policies: CTA-Policy, Windows-SP-Policy, and Windows-Hotfix-Policy.

Step 3 Under Select External Posture Validation Server, select Altiris. As a...

Configure Shared Components Profile

Complete the following steps to configure shared components on the Cisco Secure ACS server:

Step 1 Create the downloadable IP ACLs shown in Table 14-10. Remember that downloadable IP ACLs are under Shared Profile Components. These downloadable ACLs are mapped to the VPN sessions on the VPN 3000 concentrator.

Table 14-10 Downloadable IP ACLs (ACL entries not recoverable; surviving remark lines: "If host is Quarantine restrict network access", "Allow access to Quarantine network")

Table...

Configuring 802.1X NADs in ACS to Report to CS-MARS

Chapter 8, Cisco Secure Access Control Server, covered how to add the NADs as AAA clients in ACS. For NADs that are performing 802.1X authentication, CS-MARS needs to receive the incremental 802.1X update messages. Enable this within ACS under Network Configuration > AAA Clients. Select the specific AAA client and configure it to authenticate using the RADIUS (Cisco IOS/PIX 6.0) or RADIUS (IETF) dictionary. In addition, make sure Log Update/Watchdog Packets from This AAA Client is checked....

Configuring Audit Servers

The NAC Framework solution supports a number of audit servers:

- QualysGuard Scanner Appliance
- Altiris SecurityExpressions

This chapter focuses on the configuration of QualysGuard Scanner Appliance because it is the most commonly used audit server in NAC Framework environments. The integration of QualysGuard Scanner Appliance into the CS-ACS server can be divided into three stages:

Step 1 Installation of QualysGuard Scanner Appliance

Step 2 Configuration of QualysGuard Scanner Appliance

Step 3...

Configuring CSA NAC-Related Features

CSA MC comes with numerous predefined agent kits, groups, policies, and configuration variables that are designed to offer high-level security measures for end-user systems and servers. You can use these default agent kits, groups, policies, rule modules, and configuration variables as a baseline and then monitor for possible tuning to your environment. Cisco Trust Agent (CTA) can be bundled with CSA agent installations. This section guides you on how to configure an agent kit that will also...

Configuring CSA to Send Events to CS-MARS

Individual CSA agents send events to the CSA-MC that they are registered with. The CSA-MC can, in turn, forward the events to CS-MARS through SNMP traps. As CS-MARS receives the traps, it recognizes the individual CSA agent and associates it with the corresponding CSA-MC. Complete the following tasks for CS-MARS to receive and understand events sent from CSA-MC:

1. Define CSA-MC as a reporting device within CS-MARS.

2. Configure CSA-MC to forward events to CS-MARS.

In the next two sections, we...

Configuring CSA-MC to Forward Events to CS-MARS

CSA-MC is capable of forwarding all received agent events as SNMP traps. CS-MARS can receive these traps and determine the agent that generated the event, automatically add the agent as a reporting device under the CSA-MC, and analyze the event. Complete the following steps to configure CSA-MC to forward events to CS-MARS:

Step 1 Log in to the CiscoWorks Desktop and launch CSA-MC.

Step 2 Select the Events link at the top and then Alerts.

Step 3 Create a new alert by clicking the New button at...

Configuring Failed Attempts Logging

In this section, you will enable logging of failed attempts and add NAC-specific attributes to the Failed Attempts log. Doing so will aid in debugging NAC-related configuration errors. If an end host does not match any of the posture-validation rules, the result is logged in the Failed Attempts log file. Complete these steps to accomplish these tasks:

Step 1 From the navigation frame on the left, select System Configuration > Logging.

Step 2 The Logging Configuration page appears. Click the...

Configuring Global Authentication Protocols

Out of the box, ACS will not authenticate NAC-enabled clients because the authentication protocols they use (PEAP or EAP-FAST) are not enabled by default. ACS provides the option of globally enabling or disabling authentication protocols from the System Configuration > Global Authentication Setup page. Later, in the Protocols Policy section, you will see that these protocols can also be selectively enabled or disabled on a per-profile basis. In this section, we walk you through the steps of...

Configuring Layer 2 NAC on Network Access Devices

The Cisco Catalyst switches are capable of enforcing device security policy compliance when local-area network (LAN) users attempt to access the network. Switches that support NAC Framework features are capable of denying access to noncompliant devices, placing them in a quarantined area, and allowing restricted access to network resources for remediation purposes. This posture validation is done at the Layer 2 network edge using two different technologies: NAC Layer 2 802.1X (NAC-L2-802.1X)...

Configuring Layer 3 NAC on Network Access Devices

The Layer 3 NAC solution ensures that posture validation is done before packets are allowed to pass through the Cisco IOS network-access devices (NADs). A number of Cisco IOS routers support this solution. This way, the NADs apply appropriate access restrictions when an end host tries to access network resources. These restrictions are based on the end hosts' state, such as the information about their antivirus software and their signature definitions. The Layer 3 NAC solution is useful in...

Configuring Logging on ACS

In this section, we walk through the steps needed to configure the logging attributes on ACS that CS-MARS needs to monitor the NAC implementation. Keep in mind that you will most likely want to log additional attributes (other than those mentioned here) to the log files to assist in troubleshooting client connectivity issues. CS-MARS can receive these additional attributes without any issues. NOTE: If you are using an ACS appliance, the following steps apply to the Remote Agent logging...

Configuring NAC in a Large Enterprise

In this section, we cover the configuration needed to meet the requirements listed in the section Business Requirements for Deploying NAC in a Large Enterprise. NOTE: The switch, router, and VPN concentrator configurations at the branch and regional offices are identical to the ones described in Chapters 13 and 14. The only changes are in the configuration of the Cisco Secure ACS for database replication. Additionally, the Cisco Secure ACS server at the branch office connects to...

Configuring NAC in a Small Business

In this section, we cover the configuration needed to meet the requirements listed in the section NAC Requirements for a Small Business. However, before you can start configuring the individual components, you must decide on the type of NAC to deploy: NAC-L3-IP, NAC-L2-IP, or NAC-L2-802.1X. Because you do not have a requirement to authenticate the end users before granting them network access, you can rule out NAC-L2-802.1X. Now the choice remains between NAC-L3-IP and NAC-L2-IP. This is actually...

Configuring NAC on Cisco ASA and PIX Security Appliances

Similar to the Cisco VPN 3000 series concentrators discussed in Chapter 6, Configuring NAC on Cisco VPN 3000 Series Concentrators, the Cisco security appliances provide a complete solution for the site-to-site as well as remote-access VPN tunnels. Cisco security appliances consist of Cisco Adaptive Security Appliances (ASA) and the Cisco PIX Security Appliance. The NAC functionality on the Cisco security appliances enhances security of the IPSec tunnels. This chapter focuses on NAC...

Configuring NAC on Cisco VPN 3000 Series Concentrators

The Cisco VPN 3000 series concentrators provide a scalable, reliable, and flexible solution for the site-to-site as well as remote-access VPN tunnels. In the site-to-site IPSec tunnel, network professionals can reduce the high maintenance cost of point-to-point WAN links by connecting branch offices to the corporate network resources. The remote-access VPN tunnels provide a way to connect home and mobile users to the corporate network by leveraging dialup, wireless hotspots, digital subscriber...

Configuring NAC-L2-802.1X

This section guides you on how to configure NAC-L2-802.1X on Cisco Catalyst switches. NAC-L2-802.1X Cisco IOS Configuration: The following steps are necessary to configure NAC-L2-802.1X on a Cisco Catalyst switch running Cisco IOS. Step 1 VLAN assignment is the method used in NAC-L2-802.1X for policy enforcement. In this example, the following VLANs are used: VLAN 10, Healthy Employees. Configure the appropriate VLANs as follows: 6503-A# configure terminal / Enter configuration commands, one per line....

Configuring Network Device Groups (Optional)

Network Device Groups (NDGs) enable an administrator to collect similar network devices in a group. Each group is assigned a name, and the administrator can refer to all devices in the group by the network device group name. This greatly simplifies the administration of large numbers of network devices. Three key reasons exist for creating NDGs: They help simplify the administration of large numbers of network devices by dividing them into logical groups. All network devices in an NDG can share a...

Configuring Passed Authentications Logging

In this section, you will enable logging of passed authentications and add NAC-specific attributes to the Passed Authentications log. ACS logs all posture-validation credentials to this log unless access is strictly denied. In that case, ACS logs the result in the Failed Attempts log. Adding the posture attributes to this log enables you to see what posture credentials the end host is sending to ACS. This will help you further define your posture-validation rules. Complete these steps to...

Configuring QualysGuard to Send Events to CS-MARS

Qualys provides network security audits and vulnerability assessments of your network using the QualysGuard solution. When used with the NAC Framework, QualysGuard can receive messages from ACS to scan nonresponsive hosts to assist in determining their system posture token. If you have a subscription with QualysGuard, you can configure CS-MARS to connect to the QualysGuard API server and retrieve the vulnerability analysis reports. These reports are then parsed and inserted into the CS-MARS...

Configuring RADIUS Accounting Logging

Complete these steps to configure RADIUS accounting logging: Step 1 From the navigation frame on the left, select System Configuration > Logging. Step 2 The Logging Configuration page appears. Click the Configure link in the CSV column for the RADIUS Accounting report. Step 3 Verify that the Log to CSV RADIUS Accounting Report check box is selected. Step 4 In the Select Columns to Log section, verify that the following attributes appear in the right column (Logged Attributes). If any item is...

Configuring RADIUS Attributes and Advanced Options

After adding your RADIUS network devices, you need to globally add the RADIUS attributes that are used with NAC. Follow these steps to complete this task: Step 1 From the navigation frame on the left, select Interface Configuration. Step 2 Select the RADIUS (IETF) link and verify that the following attributes are selected: 029 Termination-Action, 064 Tunnel-Type. NOTE: The RADIUS dictionaries appear in the Interface Configuration section only if ACS has at least one RADIUS NAD defined. Step 4...

Configuring the Adaptive Security Appliance and PIX Security Appliance to Send Events to CS-MARS

The ASA and PIX security appliances support NAC-L3-IP for remote-access VPN clients starting with Version 7.2. The events they forward include the username and IP address of the client who is connecting to the appliance, along with the host OS and the duration of the connection. This information assists with the end-to-end attack path for attacks destined to or from VPN users. This enables you to single out a specific user's machine instead of just an IP address from a DHCP pool. Besides the NAC-specific...

Configuring the ASA/PIX Appliance to Forward Events to CS-MARS

Now that the ASA or PIX appliance has been added into CS-MARS as a monitored device, it needs to be configured to forward events to CS-MARS. The ASA or PIX uses syslogs as the mechanism to generate and forward events. CS-MARS prefers to see a high level of syslogs (levels 6 or 7) to properly sessionize events in the network. Configure the ASA or PIX to send syslogs to CS-MARS by adding the following commands: logging host <interface> <CS-MARS-IP> / logging trap <level> / logging enable. NOTE: On highly...

Configuring the Cisco IOS Router to Forward Events to CS-MARS

Now that the Cisco IOS router has been added into the CS-MARS GUI interface, it needs to be configured to forward events to CS-MARS. First, configure the router to send syslogs to CS-MARS by adding the following commands: logging source-interface <interface>. NOTE: To be most effective, CS-MARS needs to receive a high level of logging. This corresponds to a logging level of 6 (Informational) on the router. Although sending NetFlow events to CS-MARS is not required to monitor the NAC solution, it is...

Configuring the Cisco Switch to Forward Events to CS-MARS

With the switch added to CS-MARS, the next step is to configure the switch to forward events to CS-MARS. First, configure the switch to send syslogs to CS-MARS by adding the following commands: logging source-interface <interface> (Cisco IOS) / set logging server severity <level> (CatOS). NOTE: To be most effective, CS-MARS needs to receive a high level of logging. This corresponds to a logging level of 6 (Informational) on the switch. The last step is to enable the generation of NAC-L2-IP- and NAC-L3-IP-specific events. They...

Configuring the VPN 3000 Concentrator to Forward Events to CS-MARS

With the VPN 3000 concentrator added in CS-MARS, the next task is to configure it to send syslog events to CS-MARS. Follow these steps to accomplish this: Step 1 Log in to the VPN 3000 GUI interface and navigate to Configuration > System > Events > General. Step 2 Set the Save Log Format to Multiline. Step 3 Set Syslog Format to Original. Step 4 Under Events to Log, select Severities 1-5. Step 5 Under Events to Syslog, select Severities 1-5. Step 6 Under Events to Trap, select Severities...

Configuring VPN 3000 Concentrators to Send Events to CS-MARS

The VPN 3000 concentrator can forward events relating to client access to CS-MARS. These events include the username and IP address of the client who is connecting to the concentrator, along with the host OS and the duration of the connection. This information assists with the end-to-end attack path for attacks destined to or from VPN users. This enables you to single out a specific user's machine instead of just an IP address from a DHCP pool. Complete the following tasks for CS-MARS to receive and...

Contents

Chapter 1 NAC Solution and Technology Overview 5 Network Admission Control 5 NAC Phase I 7 NAC Phase II 9 Periodic Revalidation 11 NAC Agentless Hosts 11 NAC Program Participants 12 Components That Make Up the NAC Framework Solution 12 Cisco Trust Agent 12 Cisco Security Agent 14 Network-Access Devices 15 Cisco IOS Router 16 Cisco Catalyst Switch Running Cisco IOS or CAT OS 17 Cisco VPN 3000 Series Concentrator 20 Cisco ASA 5500 Series Adaptive Security Appliance and PIX 500 Series Security...

Contents at a Glance

Chapter 1 NAC Solution and Technology Overview 5 Part II Configuration Guidelines 27 Chapter 3 Cisco Secure Services Client 91 Chapter 4 Configuring Layer 2 NAC on Network Access Devices 123 Chapter 5 Configuring Layer 3 NAC on Network Access Devices 155 Chapter 6 Configuring NAC on Cisco VPN 3000 Series Concentrators 175 Chapter 7 Configuring NAC on Cisco ASA and PIX Security Appliances 211 Chapter 8 Cisco Secure Access Control Server 241 Chapter 9 Cisco Security Agent 323 Chapter 10 Antivirus...

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information please contact U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the U.S. please contact International Sales, international@pearsoned.com. Cisco Representative, Cisco Press Program Manager, Executive Editor, Production Manager, Development Editor, Project Editor, Copy Editor, Technical Editors, Publishing Coordinator, Book...

Create Posture Validation Policies

Complete the following steps to create posture-validation policies: Step 1 Navigate to Posture Validation > Internal Posture Validation Setup. Step 2 Edit the existing posture-validation policy, NAC-SAMPLE-CTA-POLICY, to check whether the version of CTA is greater than or equal to 2.0.0.30. Also rename the policy to just CTA-Policy. Step 3 Create a new internal posture-validation policy named Windows-SP-Policy that will check whether the latest service pack is installed for that OS. Add the...

Creating a ctalogd.ini File

The ctalogd.ini file defines the configuration of the logging service. It includes parameters for enabling/disabling logging, log retention policies, and the logging levels for each CTA component. A sample ctalogd.ini file (named ctalogd.tmp) is created when CTA is installed and can be found in the Logging directory. Edit this file to meet your logging needs, and then save it as ctalogd.ini in the same directory. Example 2-6 shows a sample ctalogd.ini file with all options listed and all...

Creating a Customized Deployment Package

Before deploying the CTA 802.1X wired client to your network, you will most likely want to customize the client's policies. The option to edit the client's default policies is available only through the creation of a custom deployment package. However, before a custom deployment package can be created, you must decide which of the following authentication methods the client should support: User authentication only: The network connection is established only after the user logs on to the machine...

Creating a Network Profile

With the Administrative Client installed, follow these steps to create a network profile: Step 1 Right-click the Cisco Secure Services Client tray icon and choose Open from the pop-up menu, as shown in Figure 3-1 (Cisco Secure Services Client Tray Status Icon). Step 2 You will see a screen similar to the one in Figure 3-2. However, you might see more or fewer networks listed, depending on the number of interfaces on your device and the number of wireless networks detected. Figure 3-2 Cisco Secure...

Creating a Policy to Check for a Specific Windows Hotfix

To reinforce what you have already learned, you will create one more policy to check for the presence of a specific Windows hotfix. Microsoft released hotfix KB912812 to protect against a critical remote code execution vulnerability in Internet Explorer. Your task is to create a Posture Validation policy to check for this specific hotfix. If the hotfix exists on the end host, return the Healthy posture token. Otherwise, return Quarantine. I encourage you to attempt this one on your own. When...

Creating a Policy to Validate the Windows Service Pack

Now that you have modified an existing policy, you go one step further by creating a new policy to check that the hosts running Windows have the latest service packs installed. Complete this task by following these steps: Step 1 From the navigation frame on the left, select Posture Validation. Step 2 The Posture Validation Components Setup page appears. Click the Internal Posture Validation Setup button and then Add Policy. Step 3 In the Name field, type Windows-SP-Policy. Optionally,...

Creating Agent Kits

As previously mentioned, CSA MC comes with preconfigured agent kits that can be used to fulfill initial security needs. However, CSA MC enables you to create custom agent kits to fit your specific requirements. To create a new agent kit, complete the following steps: Step 1 Choose Systems > Agent Kits from the CSA MC console. Step 2 Click New at the bottom of the page displayed. A dialog box appears asking you which operating system this agent kit will be applied to, as shown in Figure 9-9....

Creating an ACS Administrator Account

To access ACS from any machine other than the one it is installed on, an administrator account must be created. Follow these steps to create one or more administrator accounts. Step 1 Double-click the ACS Admin icon on the desktop. Step 2 From the navigation frame on the left, click the Administration Control button. Step 3 The Administration Control configuration appears in the middle frame. Click the Add Administrator button. Step 4 The Add Administrator frame appears. Fill in the new...

Creating End User Client Configuration Files

When you are ready to create End-User Client configuration files, select the Create Deployment Package item from the Administration menu. This launches a wizard that walks you through the process. Along the way, you create client policies and network profiles, which you package into a distribution along with the End-User Client (supplicant). Follow these steps to create the client-configuration files: Step 1 After selecting the Administration > Create Deployment Package option, the Enterprise...

Creating Groups

CSA MC comes with a list of predefined groups that you can use to meet initial needs. A group is the only element required to build an agent kit. Using groups eases the management of a large number of agents. When using groups, you can consistently apply the same policy to a number of hosts. Agent kits are the configuration and installation packages of the agent software to be deployed to end-user machines. Agent kits must be associated with configured groups. Agents installed on end-user hosts...

Creating Posture Policies on the Altiris Notification Server

This section shows you how to create a posture policy on the Altiris Notification Server to determine whether end-user machines are running a specific version of software before being granted access to the network. If the end-user machine does not meet minimum requirements, a client message can direct users to a URL for more instructions or can start the automatic installation of software on such machines. Complete the following steps to configure posture policies on the Altiris Notification...

Creating Scheduled NAC Reports

Running these on-demand style reports is neat, but the real beauty is configuring CS-MARS to e-mail you the reports at the schedule you specify. For example, you might find it useful to receive a report every morning of the hosts that are Infected or in a Quarantine state. To create a scheduled report, follow these steps: Step 1 Log in to the CS-MARS GUI and click the Query Reports tab at the top of the page. Step 2 In the Load Report as On-Demand Query with Filter section, choose System...

CSA Management

Chapter 9, Cisco Security Agent, discusses the installation and configuration of the Cisco Security Agent Management Center (CSA MC). This section provides a series of tips on how to plan, deploy, and maintain CSA MC and the agent software. CSA MC provides a central policy-management and distribution point for the CSA agent kits. It is recommended that you place the CSA MC server on your management network (management VLAN). When doing this, you need to understand how the agents communicate...

CSA MC Rule Definitions

CSA MC takes a structured, hierarchical approach to applying rules to the agents. Individual rules are created and applied to a rule module. One or more rule modules are then applied to a policy. Policies are then attached to a group, which contains one or more agents. Figure 9-3 illustrates the hierarchical nature of CSA MC. Figure 9-3 Relationship Between Rules and Agents. Any change to a rule is applied to any agent that is part of a group, to which a policy is attached, which...

CTA Client Fails to Receive a Posture Token

You can quickly validate the posture token a client receives by checking either the NAD (for NAC-L2-IP and NAC-L3-IP) or the Passed and Failed Attempts logs on ACS. The following output from a Cisco IOS switch shows a client that failed to receive a posture token. Next, if the NAD does not have too many clients, we can enable debug radius authentication to watch the authentication debugs. Once enabled, we will force a re-posturing of the client by issuing the following command on the NAD...

CTA Linux Installation

Installation of CTA on Linux requires superuser privileges. In addition, the RPM Package Manager (RPM) must be installed. To begin the installation of CTA on a Linux machine, complete the following steps: Step 1 Download the ctaadminex-linux-version.tar.gz administrative archive file to the machine on which you want to install CTA. Step 2 Open a terminal window and change to the directory where you saved the ctaadminex-linux-version.tar.gz archive file. Step 3 Expand the compressed archive by typing the following command...

CTA Logging Service

CTA includes its own logging service, ctalogd, for recording events and troubleshooting issues with CTA and posture plug-ins. Because CTA is designed to be a silent application on the end host, logging is disabled by default. However, logging can be enabled through one of two methods: Creating a ctalogd.ini file. With logging enabled, CTA saves the log files in the following directories by default: Windows: C:\Program Files\Cisco Systems\CiscoTrustAgent\Logging\Logs; Mac and Linux: /var/log/...

CTA Mac Installation

The Cisco Trust Agent first supported Macintosh operating systems starting with Version 2.1 of CTA and Version 10.3.9 (or higher) of OS X. Installation of CTA on the Mac can be accomplished in one of the following ways: Installation with the installation wizard; Custom installation from the command line. In this section, we cover the installation of CTA using the installation wizard. Later, in the Deploying CTA in a Production Network section, we cover the installation of CTA using the command line....

CTA Scripting Interface

CTA provides an optional Scripting Interface as a way for non-NAC-aware applications to provide CTA with posture information about that application. Cisco Secure ACS can then combine this additional posture information with the posture information received from NAC-aware applications and use it in determining the overall posture of the host. Although this is not a commonly used feature, it might be useful for companies that have a requirement to validate a specific attribute before making a...