ASK THE EXPERT - CISCO NAC APPLIANCE

Sep 21st, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about best practices for creating a host security policy for NAC Appliance with Cisco expert Jamey Heary. Jamey, CCIE 7680, is a security consulting systems engineer at Cisco. He leads the Western Security Asset team and is a field advisor for the global security virtual team. Jamey is the author of the recently published "Cisco NAC Appliance: Enforcing Host Security with Clean Access." His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional.

Remember to use the rating system to let Jamey know if you have received an adequate response.

Jamey might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 5, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

Manjunatha Jayaram Fri, 09/21/2007 - 21:54

Hi,

I have some basic doubts with respect to NAC:

1. How/where does a NAC appliance have to be positioned in a network?

2. Is host security the only prime responsibility of this appliance?

3. What is the difference between NAC framework and NAC appliance?

Thanks, Jkannan

jheary Mon, 09/24/2007 - 18:22

Hi,

Hopefully I can help put your doubts to rest.

1) The NAC Appliance has an incredibly flexible deployment capability. It can be placed almost anywhere in the network. Some examples include behind a VPN concentrator or LWAP wireless controller to NAC users as they come in using those technologies. Additionally, it can be placed centrally to control your campus switch ports to NAC users as they connect to the wired network. For remote offices you have several options: if it is a smaller office, the new NAC Appliance network module goes into an existing Cisco 2800/3800 router and supports up to 100 simultaneous users. You can even put a NAC Appliance at HQ that controls wired switch ports at each remote site. Many other options exist. If you have any specific deployment questions just write back and I'd be happy to answer them for you.

2) NAC stands for network admission control, so the NAC Appliance, by definition, controls access to the network. So in effect NACA deals with the security of both the network and the hosts on those networks. From a network standpoint it prevents unknown or unwanted hosts from accessing your network without your permission.

3) Now this is a question worthy of a larger discussion all by itself. However, in the interest of being brief, here is my answer. If you would like additional detail, don't hesitate to ask.

The main differences between NAC framework and NAC Appliance are:

NAC framework relies on a multi-vendor approach to get the job done. Conversely, NAC Appliance offers an all-in-one solution that does not require any third-party integration. Both approaches have merit, so much so that the best of both worlds will be merged together in the future in a project called oneNAC.

Thank You,

Jamey

Kevin Xiong Tue, 09/25/2007 - 10:24

"you can even put a NAC Appliance at HQ that controls wired switch ports at each remote site."

In a real-world situation, most WAN CE circuits/routers today are managed by the MPLS carrier. The end user can't use PBR/GRE on those routers for NAC. What's the workaround without edge deployment of NAC-CAS?

jheary Thu, 09/27/2007 - 13:04

Hi Kaiyu,

PBR is only one of several methods to allow for a central site deployment. One of the more popular ones is using ACLs at the remote site on the Auth VLAN traffic. The ACL will limit the users' network access privileges. This access would include the NAC server, DNS, remediation servers, and possibly an AD server for SSO. This works great with CCA agents but does require you to hand out a URL for non-Agent users to log in.

Kevin Xiong Fri, 09/28/2007 - 10:29

Thanks jheary!!

So with ACLs on the Auth VLAN at the remote office Layer 3 switch, you don't need to touch the carrier-owned MPLS CE router at all, right? Does this ACL solution also work with the data network behind a Cisco IP Phone?

If the customer has multiple data centers and branches over a carrier-managed fully meshed MPLS cloud, all remote sites need to access all data centers, and all remote sites have Cisco IPT deployed for end users, what would be the best NAC solution in terms of performance/redundancy/fail-open? (See options A and B below.)

A. Central deployment with Layer 3 OOB: one NAC-CAS-FB at one primary data center, one NAC-CAM-FB at that data center. (Do you need a NAC-CAS at each data center?)

B. Edge deployment with Layer 2/3 OOB: each site has a NAC-CAS-FB, one NAC-CAM-FB at one data center.

Any other options?

jheary Wed, 10/03/2007 - 10:02

Hi,

Yes, that is correct. With this solution you would not need to touch the carrier-owned router. And yes, it does work with the data VLAN behind an IP phone since the ACL is applied to a VLAN.

Of the two solutions you laid out, either will work for you. But generally speaking, the closer your enforcement point is to the clients you are protecting, the better. So B would get the nod. But sometimes this turns out to be prohibitively expensive, so option A would be used. Of course you can always mix and match these two. So some larger remote sites might have a CAS local and the smaller ones would be centralized.

-jamey

shejuckyy Thu, 10/04/2007 - 04:34

Kevin Xiong Mon, 09/24/2007 - 13:16

Can a single NAC-CAS (or bundle) be deployed simultaneously in the following three modes: L2-IB-VG for WLAN, L3-IB-VG for remote VPN and L2/L3-OOB-VG for LAN? How many combinations of the modes can you deploy on a single CAS or CAS bundle?

jheary Mon, 09/24/2007 - 18:36

Hi,

Short answer is no.

A NAC Appliance Server (CAS) can only be run in one post-client-certification mode at a time. For example, a single appliance can only be either In-Band or Out-of-Band, not both at the same time.

Similarly, a CAS can only be run in one network mode at a time. A network mode is either Virtual Gateway (bridging) or Layer 3 (routing) mode.

However, the client adjacency modes, Layer 2 and Layer 3, can be run independently or together at the same time.

So to make a long story short, the client adjacency modes are the only ones of which a CAS can run multiple combinations at the same time.

redy.wibisono Mon, 09/24/2007 - 21:44

n join to the network if the CAS down and CAM up, or CAM and CAS down ?

rgds

Redy W

redy.wibisono Mon, 09/24/2007 - 21:54

Dear Jamey, I'm sorry, my first mail was not finished yet. I had installed NAC Appliance without FB with L3 OOB Real IP Gateway. I tried to shut down the CAS while the CAM was still up; the switch which is controlled by the CAM still changed the port to the authentication VLAN, so the users cannot join the network because they cannot log in. What should I do to solve the problem so that users can still join the network even if the CAS is down and the CAM is up, or if both are down?

jheary Thu, 09/27/2007 - 13:16

Hi Redy,

We really recommend that you use fail-over bundles in almost all cases to avoid this situation.

But if there is no FO: if both are down in an OOB situation, then existing clients that have already been cleared are not affected. A new client will be put on the currently configured VLAN on the switchport they attach to. If that VLAN has access they get in; if not, they don't.

If only the CAM goes down, then the CAS can fail open so traffic will flow unchecked. Previously cleared users are not affected.

If only the CAS goes down, then previously cleared users are not affected. New users or users in the Auth VLAN will lose access unless some sort of hardware bypass tap is in place.

zlabovic Tue, 09/25/2007 - 06:36

Hello,

I have a couple of questions regarding implementing NAC in an environment with VRF lite. Can a single pair of CAS and CAM be configured for users in L2-OOB mode in such a way that users, after the authentication process, go into a VLAN that is in a separate VRF? Do I have to create several auth VLANs or is one auth VLAN enough?

Another question is this: in a situation where CAS and CAM are communicating through a firewall device, is it possible to implement L2-OOB mode for NAC?

Generally, what is the best practice for implementing NAC (L2-OOB specifically) in a multi-VRF situation? Putting CAS and CAM in the global routing table, or having a pair of CAM and CAS in each VRF?

jheary Thu, 09/27/2007 - 13:10

Hi Zlabovic,

The access VLAN that users are dropped into after they are "clean" is treated just like any other VLAN from a VRF perspective. So you can map that VLAN into any VRF you would like. It is not necessary for the clients to have any visibility to the CAM or CAS after they are moved into their access VLAN.

As for the firewall-in-the-middle-of-CAM/CAS question: the Layer 2 adjacency mode is dependent solely on the position of the CAS relative to the clients it will be protecting, so you can implement L2-OOB in your design. You of course need to make sure that the correct firewall rules are in place to allow for things like CAM-to-switch communication, CAM-CAS communication, etc.

reddy_tk98 Thu, 09/27/2007 - 23:23

Dear Jamey,

I have a problem with Clean Access AD SSO: the client does not perform SSO. I have completed the configuration on CAS, CAM and AD (ktpass, etc.), and the AD SSO service on the CAS is up and running. When I see the output of Kerbtray on the client, it doesn't show that it has a Kerberos ticket. What should I do?

Note: I don't have a problem with AD authentication without SSO.

rgds

-reddy-

jheary Sun, 09/30/2007 - 16:17

Hi Reddy,

This sounds like you might not have opened up the necessary AD ports in the unauthenticated role traffic control filter.

The typical standard ports needed are:

TCP 53, 88, 135, 389, 535, 1025, 1026

Sometimes you might need:

UDP 88, 389, 636, ICMP

-Jamey

reddy_tk98 Sun, 09/30/2007 - 18:19

Hi Jamey,

I have already opened all ports (All ip * *), but I still can't log in with SSO.

rgds

-reddy-

jheary Mon, 10/01/2007 - 09:16

Hi Reddy,

Do you have any ACLs or FWs in place between the CAS and your AD server? If so, make sure the ports are open from CAS to AD as well.

Make sure the time is synced between client, CAS, and AD server.

Check the log on the CAS, /perfigo/logs/perfigo-redirect-log0.log.0, to see if any errors are being generated.

And just to be sure, can you double-check that you have the box checked next to Enable Agent based Windows SSO? This can be found in the server under windows-auth/AD SSO.

The fact that the SSO service says started means that it is likely a communication issue.

-Jamey

edwardwaithaka Fri, 09/28/2007 - 01:36

Hi Jamey,

Are there any special considerations about Windows XP user rights when installing CCAgent? I am running into this problem whereby only the user who installs the Agent can authenticate; other users receive the error "the server response could not be parsed [12152]". When the user is given administrative rights on the machine, then the user connects.

Help, Thanks.

Edd.

jheary Sun, 09/30/2007 - 16:20

The CCA Agent requires admin rights to run. You might consider loading the CCA Agent stub program. That will allow the program to run as administrator regardless of whether the user currently logged in has admin rights or not.

-Jamey

shaun.white Fri, 10/05/2007 - 07:51

Jamey,

If I have a CAS L3OOB centrally located, and I want to control my access switches via VRFs (all on my internal LAN; my CAS would be, say, at the distribution layer, and my access switches would be Layer 3 connected to the DS), how would I use VRFs here without disrupting my whole network?

TIA

sfanayei Mon, 10/01/2007 - 22:17

Hi,

I am new in this discussion and I would very much like to know how many components the NAC Appliance consists of. I am running a Cisco switched network; how can I prepare my network environment for NAC?

Thanks

Sfanayei

jheary Wed, 10/03/2007 - 09:58

Hi Sfanayei,

The NAC Appliance solution is pretty simple. It consists of one NAC manager, one or more NAC servers, and optionally a NAC profiler server.

The job of the manager is to centrally control the NAC servers. This is where you set up your NAC security policies, roles, checks, etc.

The job of the server is to be the enforcer. You can think of it as a NAC firewall of sorts. It controls client access, quarantines clients, helps clients remediate, does AD authentication, etc.

The job of the optional profiler server is to control non-user devices like printers, IP phones, scanners, biomed devices, etc. It does this by profiling the non-user devices to determine what they are. It uses things like MAC address, DHCP requests, NetFlow, SPAN-captured data flows, etc. to fingerprint a device. It is also network aware, so it can give you location information.

For the switches, they must be Cisco switches to work with our out-of-band (VLAN changing) solution. Almost all of our switches going back years are supported. See here for a complete list: http://www.cisco.com/en/US/partner/products/ps6128/products_device_support_table09186a008075fff6.html

sfanayei Wed, 10/03/2007 - 22:21

Hi jheary,

Thanks for your reply, but what about installing a NAC agent on clients and the license expense? And out-of-band, is that the only requirement for Cisco network devices?

Thanks again

Sfanayei

jheary Fri, 10/05/2007 - 08:23

We recommend that you install agents but they are optional.

binelipetrov Mon, 10/01/2007 - 23:57

Hi,

I have a question regarding Clean Access Updates on NAC Manager.

Current Version of Cisco Checks & Rules: 0

Current Version of CCA Agent Upgrade Patch: 4.0.0.0

Current Version of Supported AV/AS Product List: 0

Current Version of Default Host Policies: 0

Current Version of OS Detection Fingerprint: 0

Current Version of L3 Java Applet Web Client: 0.0.0.0

Current Version of L3 ActiveX Web Client: 0.0.0.0

Is there any possibility to upgrade all rules and checks via some upgrade file, or does the NAM have to have an Internet connection? What is the upgrade procedure? Does the NAM connect directly to the Cisco website?

Thanks in advance

jheary Wed, 10/03/2007 - 10:07

You configure automatic updating via the Device management > Clean access > Updates > settings menu. It goes back to Cisco for the updates. It does support going through a proxy if you need this.

No offline update file is available.

-Jamey

pgrichmondbell Tue, 10/02/2007 - 17:56

Hello Jamey,

My question is centered around the ability of the CAS to support both Layer 2 and Layer 3 in-band simultaneously when using the Clean Access Agent. To do so, would one implement several VLANs on the untrusted side of the CAS, some VLANs that have the clients that are Layer 2 adjacent, and other VLANs that would lead to clients multiple hops away?

thanks, Paul

jheary Wed, 10/03/2007 - 10:09

Yes, that is correct; the NAC Server supports dot1Q trunking. You could also do it with just a single VLAN, however. For example, that VLAN might have clients on it and another router (or routers) that has access to other networks.

andersok Wed, 10/03/2007 - 09:53

Hi Jamey,

I have a few more questions further to those that were asked about the CAM updates for the AV/AS rules and DAT revision updates.

1.) Is there a spot on Cisco's website that can tell us what the latest revision number is and when it was posted?

2.) My CAM appears to have an issue regarding these updates and getting them automatically. Is there a log file I can look at to see if and where they are failing?

The scenario is that the CAM has Internet access and DNS is set correctly, but the updates are not happening for some reason, either automatically or by manual update.

Thanks,

Kevin

jheary Wed, 10/03/2007 - 10:25

Hi Kevin,

The failures should show up in the event log under Monitoring. It could be that your firewall is dropping the packets.

I am not aware of an external spot that lists the latest revision numbers, so I am checking into that.

-jamey

andersok Thu, 10/04/2007 - 06:12

Hi Jamey,

I looked in the logs and didn't see any error messages relating to this under the category of Monitoring. Are there any other places, like on the CAM itself, where I can find some error logs, or perhaps other areas to troubleshoot this?

Thanks,

Kevin

jheary Thu, 10/04/2007 - 08:43

If you SSH into the manager you can pull other logs: /var/log/messages and /perfigo/logs/perfigo-redirect-log0.log.0

My guess would be that you have either a routing issue or an ACL somewhere that is preventing either outbound or return traffic from the CAM to Cisco.

-Jamey

ciscors Wed, 10/03/2007 - 14:55

Hey James, thanks for holding this session. I'm deploying wireless in-band with wireless controllers in an AD environment.

1) do typical deployments use AD authentication if one exists? Is that what you recommend? Is authentication even required?

2) I know SSO is supported between AD and NAC and NAC and the wireless controllers via dot1x but is it supported between all three? How should I design it? Will user login first using AD credentials onto the laptop and these credentials would get sent to the dot1x server and then also to NAC? Or is there a better way to do it? There aren't any particular requirements for this project hence I'm open to doing anything you recommend. I don't need to have the 'best' security but an average level of security. Also, I'm guessing dot1x would require ACS. Right?

Thank you

jheary Wed, 10/03/2007 - 16:18

Hi,

You will want to use the wireless SSO, not the AD SSO.

ciscors Thu, 10/04/2007 - 05:38

Do you have a link for the Wireless SSO? Also, will I need an ACS server for all of this to seamlessly work?

Thx

jheary Thu, 10/04/2007 - 08:13

You can use any authentication server that the wireless controllers support. NAC Appliance will receive the RADIUS accounting packets directly from the controller itself, not from the authentication server.

I have a chapter on how to configure this in my book "Cisco NAC Appliance", but here is also a link to the configuration guides:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca41/index.htm

-Jamey
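Since the wireless SSO described above works by the NAC server consuming RADIUS accounting from the controller, the following is an added example (not Cisco's or the NAC Appliance's code) of what such a receiver has to do: check the Accounting-Request authenticator against the shared secret and pull out the attributes that tie a session to a user. The controller behaviour, the packet and the secret are constructed for illustration.

```python
import hashlib
import struct

# RADIUS packet code and the attribute types a NAC server cares about (RFC 2865/2866)
ACCOUNTING_REQUEST = 4
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address",
              31: "Calling-Station-Id", 40: "Acct-Status-Type"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request the way a controller would. The 16-byte
    Request Authenticator is MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Verify the authenticator with the shared secret, then return the attributes
    needed to map a session to a user. Raises ValueError on anything malformed or
    not authenticated, so a forged or tampered packet never creates a session."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    authenticator, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if expected != authenticator:  # wrong secret, or the packet was altered in transit
        raise ValueError("authenticator mismatch")
    out = {"identifier": identifier}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("bad attribute length")
        value = body[pos + 2:pos + attr_len]
        name = ATTR_NAMES.get(attr_type)
        if name == "Framed-IP-Address":
            out[name] = ".".join(str(b) for b in value)
        elif name == "Acct-Status-Type":
            out[name] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "unknown")
        elif name:
            out[name] = value.decode("utf-8", "replace")
        pos += attr_len
    return out


# Constructed sample: a controller (hypothetical shared secret) reports user jdoe coming online
SECRET = b"constructed-shared-secret"
SAMPLE = build_accounting_request(7, [
    (1, b"jdoe"),
    (8, bytes([10, 20, 30, 40])),
    (31, b"00-11-22-33-44-55"),
    (40, struct.pack("!I", 1)),  # Acct-Status-Type = Start
], SECRET)

if __name__ == "__main__":
    print(parse_accounting_request(SAMPLE, SECRET))
```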

ciscors Thu, 10/04/2007 - 09:45

OK, great.

Now, since I'm using NAC to map my roles to groups using AD attributes, I just need to use a single SSID for all employees. Right? Or do you suggest I use different ones for finance, marketing, etc?

Also, the client wants to be able to disallow wireless access to certain AD groups. How would I accomplish this?

Thank you

ciscors Thu, 10/04/2007 - 13:24

I'm trying to get role mapping to work. In my

Attribute name: memberOf

Attribute value:

CN=net admin,OU=ServerAccounts,OU=Corpname - Site01,OU=LK Institute,DC=domain,DC=com

I pulled the above directly using an LDAP browser

Then I mapped this to the role 'Guestusers'. When I do an auth-test, it puts me into the default role of the auth server and not Guestusers. Can you suggest something?

ciscors Fri, 10/05/2007 - 06:53

I tested my CAS failover and it takes 16 seconds. Can I reduce my heartbeat timeout to 3-4 seconds? Why does Cisco recommend over 15 seconds?

If I reduce this timer, should I change any other values too?

Thank you

dougpyle1 Fri, 10/05/2007 - 06:57

My core IT requires CCA for all VPN access. I want to run another instance of CCA configured to point to my NAC MGR on my stand-alone network (non IT), for local laptop/desktop connections. How can this be accomplished?

jheary Fri, 10/05/2007 - 08:47

You would buy another NAC Appliance Server to cover your non IT and your current manager will control it.

ciscors Fri, 10/05/2007 - 07:09

For guest users, I would like to create a hotspot but would also want them to go through my proxy server so that they are only allowed access to certain websites.

Can CAS somehow redirect guest user traffic to a proxy server or automatically configure the user's browser with the proxy server settings?

Thank you

jheary Fri, 10/05/2007 - 09:39

You can control which websites, by name or IP, guests can get to using NAC Appliance alone. You can even use wildcards, for example *.cisco.com. So that might be your first option.

Also, after web authentication to NAC Appliance is completed, you can redirect guest users to any URL you decide or to the URL they previously entered. We can't auto-configure proxy settings for users.

-jamey
