Configuring NAC-L2-802.1X on Cisco Wireless Access Points

Wireless networks are being deployed more every day. The increased deployment of these networks has also increased the need to secure them. Several different security methods, such as WEP keys, have classically been used by companies that deploy wireless networks. However, these methods have not been enough. NAC-L2-802.1X not only provides the secure mechanisms to perform authentication and identity, but it also provides advanced admission-control features. This section includes the steps...

Deploying the End User Client

Now you have everything you need to deploy the End-User Client. Follow these steps to push the client out to machines in your network:

Step 1 Locate the Cisco Secure Services Client .msi installation file. It should have the following naming convention: Cisco_SSC-OS-version.msi (this is the same file that was used previously to install the Administrative Client). Push this file out to end clients using your company's standard software-publishing process (Microsoft SMS, Altiris, and so on).

Step 2...

Audit Server Configuration

The audit server (QualysGuard Scanner Appliance) needs to be installed on the network before it can be configured for NAC. After installing the appliance, log into it by browsing to the LAN interface's IP address. Create a new NAC policy by clicking the New Policy icon. Under Policy Title, enter the name of the NAC policy as NAC-Policy and make it the default NAC policy. Configure the polling intervals, APT evaluation method, and validation and revalidation options, as shown in Figure 14-5....

Diagnosing NAC on Catalyst 6500 Switch

Show commands are very useful in determining the current state and posture of an end host. However, they do not provide a historical reference of how (or why) the host ended up there. On a Catalyst 6500 switch running CatOS, you can verify the NAC Layer 2 IP functionality and posture using the show policy group all command. It shows you the configured NAC group name and the hosts that are bound to each group. In Example 14-1, a Healthy group name is displayed; the associated IP address is...

Step 1: Setting Up NAC Global Parameters

The first step in setting up NAC on the security appliances is to ensure that the global NAC parameters are properly configured. You can modify the default values of these parameters from global configuration mode, as shown in Example 7-19, by using the eou commands.

Example 7-19 Available EOU Parameters in Global Configuration Mode

Enable/Disable clientless authentication
Set maximum number of times an EAP over UDP message...

Cisco Catalyst Switch Running Cisco IOS or CatOS

Catalyst switches first supported NAC in the summer of 2005 across various platforms and release trains. One benefit of adding NAC on the switch is enhanced posture-enforcement capabilities through containment. On Cisco IOS routers, policy enforcement was applied with a downloadable ACL on the router's interface. This enabled the administrator to restrict (or even deny) the endpoint's access through the router. However, the endpoint could not be restricted from sending packets to Layer...

Cisco Secure ACS

Install and configure Cisco Secure ACS following the procedure described in Chapter 8, Cisco Secure Access Control Server (ACS). Then follow the steps in this section to create both a NAC-L2-IP profile and an Agentless Host profile (for guests). For the NAC-L2-IP profile, you create policies to validate the requirements listed earlier and then create authorization rules to enforce them. For the Agentless Host profile, you use a default authorization rule, tied to a downloadable ACL to restrict...

Creating Network Access Profiles Using NAC Templates

The NAC configuration on ACS really consists of the following four policies: Protocols, Authentication, Posture Validation, and Authorization. Each of these policies can also contain multiple components. The protocols policy separates the authentication requests based on protocol: EAP-FAST for NAC-L2-802.1X, and PEAP for NAC-L2-IP and NAC-L3-IP. The authentication policy defines what databases are used for authentication, and it also is used to set up the agentless host configuration. The...

Installation of QualysGuard Scanner Appliance

The QualysGuard Scanner Appliance is a hardware-based appliance that provides an out-of-the-box integration for the NAC Framework. When you are ready to install the Scanner Appliance into your network, consider the following things first:

- IP address to be assigned to the LAN interface
- IP address to be assigned to the WAN interface

Even though you can assign a DHCP address on the LAN and WAN interfaces, it is highly recommended that you configure static IP addresses on the interfaces. The...

About the Authors

Jazib Frahim, CCIE No. 5459, has been with Cisco Systems for more than seven years. With a Bachelor's degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer with the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers as a team leader in resolving complicated security and VPN technologies. Jazib is currently working as a Senior Network Security...

Remote Access IPSec Tunnel from an Agentless Client

After successfully testing the VPN tunnel, the next step is to configure NAC on the security appliance and then connect from the same test VPN client without installing the CTA agent. This emulates an agentless VPN client scenario. The security appliance enables you to set up NAC logging and/or NAC debugging. NAC logging enables you to capture EAPoUDP, EAP, and NAC events such as EAP status query, posture-validation initializations and revalidations, exception list matches, ACS transactions,...

Cisco Trust Agent

Cisco Trust Agent (CTA) is a small software application (approximately 3MB) that is installed locally on a PC and that allows Cisco Secure ACS to communicate directly with the PC to query it for posture credentials. Some common posture credentials are the OS name, the service pack installed, and specific hotfixes applied. Table 1-1 lists the posture credentials that CTA supports or for which CTA is a broker. CTA is a core component of NAC and is the only communications interface between the NAD...

Configuring the Agentless Host Policy on ACS

The steps required to configure the Agentless Host Policy for NAC-L3-IP, NAC-L2-IP, and NAC-L2-802.1X are almost identical. The only difference is the NAC template used to create the policy and the method of enforcement through the authorization policy. Follow these steps to create a NAC Agentless Host Policy using ACS's built-in templates:

Step 1 From the navigation frame on the left, select Network Access Profiles.

Step 2 The Network Access Profiles page appears. Click the Add Template Profile...

Installing a Certificate from a CA

ACS supports Base64-encoded X.509 certificates. Before receiving a certificate from a CA, you need to generate a certificate-signing request (CSR). The CSR is then supplied to the CA to generate ACS's identity (or server) certificate. Follow these steps to create the CSR:

Step 1 From the navigation frame on the left, select System Configuration.

Step 2 Select ACS Certificate Setup and then Generate Certificate Signing Request.

Step 3 Under the Generate New Request section, fill in the...

VPN 3000 Concentrator Configuration

Based on the requirements put forward by SecureMe, the VPN 3000 concentrator is set up for two user groups:

SecureMe: This group is used by SecureMe employees when they need access to the corporate network over the remote-access VPN tunnel. All employee machines are required to run CTA. If their machines are Healthy, they get full access to the network. If their machines are not compliant, they are quarantined until they update their software and apply appropriate patches to become compliant....

Configuring NAC-L2-IP

This section guides you on how to configure NAC-L2-IP on Cisco Catalyst switches running Cisco IOS and CatOS. Figure 4-2 illustrates the topology used in the following examples.

Figure 4-2 Configuring NAC-L2-IP Example Network (VLAN110)

The following steps are necessary to configure NAC-L2-IP on a Cisco Catalyst running

Step 1 Enable Authentication, Authorization, and Accounting (AAA) services:
6503-A(config)# aaa new-model

Step 2 Enable EAPoUDP RADIUS authentication:
6503-A(config)# aaa...

Step 3: Address Assignment

After a successful user authentication, the VPN client requests an IP address to be assigned to the VPN adapter on the workstation. The VPN client uses this address to source the clear-text traffic to be sent over the tunnel. For a Cisco VPN client, this address is assigned to the IPSec VPN adapter, while for the L2TP over IPSec client, this IP address is assigned to the L2TP VPN adapter. The Cisco VPN 3000 concentrator supports four different methods to assign an IP address to the client: Use...

System Logs

Enabling logging is also a great way to troubleshoot any problem on CTA after installation. Logging can be enabled quickly and easily just by executing the following two commands:

clogcli enable -t
clogcli loglevel 3

This set of commands enables logging temporarily (using the -t argument), until the next reboot, at an Informational level (using the loglevel 3 argument). Some example log messages follow. The following error indicates that CTA was unable to retrieve a key from the Windows Registry...

Cisco Software Clients

The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates...

Configuration of QualysGuard Scanner Appliance

After setting up the Scanner Appliance, you can access it through the Qualys website, at http://qualysguard.qualys.com. The web page prompts you to specify a username and a password. When your authentication credentials are successful, the Qualys website shows all the options to manage your Scanner Appliance. Browse to Preferences > Account and click the Edit icon for your Scanner Appliance. A new browser window pops up showing the Scanner Appliance Information. Make sure that Enable NAC is...

RADIUS Authorization Components

RADIUS authorization components, or RACs, as they are more commonly referred to, are groupings of RADIUS attributes that map back to a NAC policy and are applied to a NAD during the posture-enforcement phase. These attributes apply NAC timers, assign ports to the specified VLAN, enforce policy-based ACLs, and apply URL redirect ACLs. Table 8-5 lists the NAC method along with the mandatory RADIUS attributes on the right.

Table 8-5 RADIUS Attributes Used in NAC RADIUS Authorization Components...

Configuration of CS-ACS Server

Follow these steps to configure the CS-ACS server:

Step 1 Load the ADF.
Step 2 Define the QualysGuard Scanner Appliance.
Step 3 Set up network access profiles for the audit server.
Step 4 Configure shared profiles.
Step 5 Set up authorization policy for network access profiles.
Step 6 (Optional) Install QualysGuard Root CA into CS-ACS.

The following sections cover these steps. Before you configure the audit server on CS-ACS, you need to import the attribute definition file (ADF) for the...

Cisco Secure ACS Database Replication

This section covers how to configure database replication on Cisco Secure ACS. Database replication enables an administrator to duplicate parts of the primary Cisco Secure ACS configuration to one or more secondary Cisco Secure ACS servers. In this case, you can configure the NAC network access devices (NADs) to use these secondary Cisco Secure ACS servers if the primary server is not reachable. When you configure database replication, you can select the specific functionality of the primary...

CS-MARS Overview

CS-MARS is a hardware appliance solution that you plug into your network and then forward network events to it from your network devices. It acts as an information sink, absorbing all the events thrown at it. CS-MARS correlates and then sessionizes these events across all devices. Thus, it can recognize malicious activity taking place anywhere in the network. It can then alert you to not only the attack, but also the attacker, the victim, and the path the attack is taking through the network....

Step 6: Setting Up the Exception Policies (Optional)

If you are not using an audit server in your environment, you must install the CTA application on all your networking devices. However, in many instances installing CTA is not possible on all devices. As discussed in Chapter 2, Cisco Trust Agent, CTA is currently available for the Windows, Linux, and Macintosh platforms. Therefore, if you have other operating systems or network printers, you need to exempt them so that they are not subject to the posture-validation process. You can exempt these...

Installing the pnlog Agent on ACS

ACS currently does not have a mechanism to forward events to CS-MARS. Instead, CS-MARS receives events from ACS through the pnlog agent. The pnlog agent is an application that you install on the ACS machine or, if you are using an ACS Appliance, on the same machine as the Remote Agent. The pnlog agent monitors the log files that ACS (or the Remote Agent) writes to disk, and then forwards the events in those log files as syslog messages to CS-MARS. CS-MARS receives these syslog messages and...

Remote Access IPSec Tunnel Without NAC

If you are setting up a new group on the concentrator that will validate the posture on the VPN clients, follow the first two configuration stages, as discussed earlier in the section Configuration Steps of NAC on Cisco VPN 3000 Concentrators. The next step is to make a VPN tunnel from a test VPN client machine to ensure that you do not run into any misconfigurations. If you want to enable logging on the concentrator, navigate to Configuration > System > Events > Classes and add the...