Hi, I have a few questions concerning NAC and would like to pose them to persons who have implemented NAC appliances.
1) Does the NAC agent tie into the Windows GINA, so the user doesn't have to enter credentials twice? Also, what about MacOS X, does it tie to the system login in any way?
2) Say a user gets authenticated and passed to an Authenticated VLAN. They disconnect their laptop, go to a meeting for 2 hours, come back and dock their machine (they are already logged into their machine). Would they be required to go through the authentication phase for NAC again, or would it recognize their MAC address or talk to the NAC agent to validate with no interaction from the user?
Thanks in advance for any replies.
I'm going to make an assumption and assume you're talking about Cisco Clean Access and not NAC-Framework (which was the older 802.1x model).
1. No, the agent does not tie into the Windows GINA; the agent runs after the user logs in via the GINA. The Clean Access Server (sitting between the client machine and the AD server) has the Kerberos ports open in the NAC authentication VLAN to allow the Windows machine to first establish a Windows login to AD. Remember it's a trust model: the CAS trusts the AD to get the auth correct and then uses that info to allow or deny the user onto the network.
Here is a simple order of events for a user logging in through AD single sign-on.
- There is a trust relationship already established between the Clean access server and the AD server. (Look up KTpass for more info)
- Client connects to the network and attempts to log into AD
- The credentials are sent to AD. The AD DC authenticates and gives a Ticket Granting Ticket (TGT) to the client.
- The Clean Access Agent on the client asks the client for a Service Ticket (ST) with the CAS username to communicate with the CAS. (This is done all locally on the client machine, there is communication happening in software between CCA and kerberos)
- The client requests a Service Ticket from the AD
- The AD gives the ST to the client, and the client gives this ST to the Agent.
- The Clean access Agent is now able to communicate with the CAS.
- The CAS sends back packets and mutually authenticates the client. (because it has a trust relationship with the AD)
- The CAS uses this information to sign the client onto Clean Access, and hence SSO (single sign-on) authentication takes place.
It's a brain bender, but it just works. CCA uses what is already built into the Windows environment; it does not alter the Windows registry or GINA to mess with the login process. .....so I have learnt :P
2. Keep this in the back of your mind: you're not certifying users... you're certifying machines. We authenticate users and, based on their user details, we place them in a VLAN based on their role. But client machines are tracked, and if a laptop has passed a posture check, then it is deemed certified, no matter who logs into it successfully. So there is in effect a time-based system that can be adjusted per your security policy as to how long you want to keep a client machine certified. Some of my customers purge their certified list every 24 hours, others do it every 7 days. It also helps keep stale entries to a minimum, i.e. a contractor who connected to your network but won't be back for 3 months.
a) If a user disconnects from a NAC network, an SNMP link down notification is sent to the CAM from the switch informing the switch that a state change happened on the port. The CAM instructs that switch to move that port back into the auth VLAN.
b) If the user comes back, 2 things might happen:
- if you're using SSO (Single sign-on), the SSO process will start and the user will be signed back into the network successfully, but the posture check will be skipped as the machine was previously certified 2 hours ago (that's if you didn't purge them from the list).
- if you're not using SSO, the user may be forced to log back into the CAA (Clean Access Agent) because the port went back to the Auth network once the user disconnected their ethernet interface, but once they authenticate, the same thing will happen: their posture check will be bypassed as they were certified 2 hours earlier.
Hope this answers your questions.
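As an added illustration (not from this thread or from Cisco's own code), here is a small Python model of the behaviour described in point 2: the CAM tracks certified machines by MAC with a purge window, a link-down moves the port back to the auth VLAN, and on re-login the posture check is skipped only if the machine is still on the certified list. The class and function names, port name, MAC and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PortState:
    mac: str
    vlan: str   # "auth" (unauthenticated VLAN) or "access" (role-based VLAN)

class CleanAccessManager:
    """Toy CAM: certifies machines (by MAC), not users, and purges on a policy timer."""

    def __init__(self, purge_after: timedelta):
        self.purge_after = purge_after
        self.certified = {}   # mac -> time the machine last passed a posture check
        self.ports = {}       # port name -> PortState

    def _purge(self, now):
        # Drop entries older than the policy window (e.g. the 24h / 7-day purges).
        stale = [m for m, t in self.certified.items() if now - t >= self.purge_after]
        for mac in stale:
            del self.certified[mac]

    def login(self, port, mac, now, sso):
        """User (re)authenticates on a port, either via SSO or a manual agent login."""
        self._purge(now)
        needs_posture = mac not in self.certified
        if needs_posture:
            self.certified[mac] = now   # constructed: assume the posture check passes
        self.ports[port] = PortState(mac, "access")
        return {"prompted": not sso, "posture_check": needs_posture, "vlan": "access"}

    def link_down(self, port):
        """Switch sends an SNMP link-down; the CAM moves the port back to the auth VLAN."""
        self.ports[port].vlan = "auth"
        return self.ports[port].vlan

def meeting_scenario(purge_hours, sso, away_hours=2):
    """Log in, undock for away_hours, re-dock; return (VLAN while away, second login result)."""
    cam = CleanAccessManager(timedelta(hours=purge_hours))
    t0 = datetime(2024, 1, 1, 9, 0)     # constructed timestamp
    mac = "00:11:22:33:44:55"           # constructed MAC address
    cam.login("Gi1/0/1", mac, t0, sso)
    away_vlan = cam.link_down("Gi1/0/1")
    second = cam.login("Gi1/0/1", mac, t0 + timedelta(hours=away_hours), sso)
    return away_vlan, second
```

With a 24-hour purge the second login skips the posture check whether or not SSO is used; shorten the purge below the 2-hour absence and the posture check runs again.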