Ankur Bajaj, a senior customer support engineer working with the security team at the Cisco TAC in Bangalore, will present and reply to questions about Network Admission Control (NAC). During the live event he will give information about NAC components and how they fit together in in-band/virtual gateway/Layer 2 deployments, with authentication that can be set up locally or against Lightweight Directory Access Protocol (LDAP) or RADIUS. In addition, he will address typical troubleshooting issues and some best practices. NAC is a technology framework that allows network access only to compliant and trusted PCs and takes action on noncompliant PCs; it therefore goes beyond identity checking and makes the network more resistant to attacks. Ankur's prime areas of expertise include PIX/ASA firewalls, VPNs and NAC. His daily role includes troubleshooting these technologies and filing bugs against them.
Ankur has a bachelor's degree in computer science and engineering and holds CCIE Security certification (number 22135).
The following experts helped Ankur answer some of the questions asked during the session: Ajit Singh, Manivannan Srinivasan and Srilatha Vemula. All are Cisco Support Engineers with vast knowledge of security topics, including NAC.
Network Admission Control
Q. Is active directory supported for authentication?
A. Yes, Active Directory is supported for authentication. We can use the LDAP interface to do authentication. We also have the ability to do AD SSO: once the user logs in to the domain successfully, the NAC agent will pop up and use the same credentials, so we don't need to enter the credentials again. Once it passes all the checks we will have access to the network.
Q. Can I enable the provider list only for the user page, or for the CCA agent as well?
A. You can do it for the CCA agent as well.
Q. Is the testing in the road map for converged network or for 10G?
A. No, there is no testing in the road map for OOB deployment, if that's the question, since these are data center switches; hence by design these switches will not be at the access layer and talking to the CAM. For In-Band deployment all switches are supported, even third-party switches.
Q. Can the CAM be integrated with multiple forest environments?
A. Yes, it can connect to multiple domains with AD SSO.
For normal AD authentication we can use LDAP, Kerberos or NT domain; the most popular one is LDAP, and even with multiple domains we can set where to start the search to query the user and the credentials.
Q. Is logging to an external syslog server possible?
A. Yes, it is possible. Go to Monitoring > Event Logs > Syslog Settings; by default the syslog IP address is set to 127.0.0.1, and here you need to set the IP address of the server. Multiple IP addresses are not accepted.
Q. Is it possible to prevent an end user from unchecking the popup login window for the NAC agent?
Q. Are any public CA certs available by default?
A. Not on the CAS and CAM. We need to load them. When you initialize the CAS and CAM, by default we need to use self-signed certs to get the CAM up. Once the CAM GUI is up, we can load the external CA certificate, i.e. both the identity and root cert, on the CAM and CAS.
Q. If a user is unable to log in, where can we check the logs on the CAM or CAS to find out what is wrong?
A. If a user is unable to log in, we can use tail -f /perfigo/control/tomcat/logs/nac_manager.log from the CLI (the NAC Manager log) and tail -f /perfigo/access/tomcat/logs/nac_server.log (the NAC Server log) on the respective CAM and CAS, and watch the logs there in real time. We can also extract the logs from the CCA agent to see what is happening during that time. CCA agent logs need to be sent to TAC, and we use a tool to decode them. On the CAM and CAS we need to turn on logging at trace level to find the real cause. Do an Auth Test on the CAM to see if the CAM config is correct, if the login is successful, and what role the user is getting.
Q. What is Out of band log off feature?
A. Out-of-Band Logoff is useful when users are connected behind an IP Phone. When such a user disconnects, the managed switch will not send a link-down trap to the CAM prompting it to remove the user from the Out-of-Band Online Users list.
This feature is disabled in Cisco NAC Appliance by default and is not applicable for the Cisco NAC Web Agent.
There are some feature dependencies though:
- Both the CAM and CAS should be installed with Release 4.8(1), and the client machine should be running the latest Cisco NAC Agent version (4.8.1.x).
- Ensure that the VLANdetectWithoutUI parameter is enabled in the NACAgentCFG.xml Agent configuration file accordingly. This is enabled for refreshing the IP address in the Authentication VLAN after the CAM clears the user and moves the user from the Access VLAN to the Authentication VLAN.
- If you want to enforce Agent Passive Re-assessment (PRA) for your Cisco NAC Appliance Out-of-Band deployment, you must enable the Out-of-Band Logoff function.
- Verify that the port profile(s) to which reconnecting users are assigned specify the Authentication VLAN for the "Change to [Auth VLAN | Access VLAN] if the device is certified, but not in the Out-of-Band user list" setting.
Q. What is the relevance of different timers in NAC like session timer, heartbeat timer and CDT timer?
A. The Session Timer is an absolute timer that is specific to the user role. If a Session Timer is set for a role, a session for a user belonging to that role can only last as long as the Session Timer setting. For example, if user A logs in at 1:00pm and user B logs in at 1:30pm, and if both belong to role Test with Session Timer set for 2 hours, user A will be logged out at 3:00pm and user B will be logged out at 3:30pm. With session timeouts, the user is dropped regardless of connection status or activity.
The Heartbeat Timer sets the number of minutes after which a user is logged off the network if unresponsive to ARP queries from the Clean Access Server. This feature enables the CAS to detect and disconnect users who have left the network (e.g. by shutting down or suspending the machine) without actually logging off the network. Note that the Heartbeat Timer applies to all users, whether locally or externally authenticated. The connection check is performed via ARP query rather than by pinging. This allows the heartbeat check to function even if ICMP traffic is blocked. The CAS maintains an ARP table for its untrusted side which houses all the machines it has seen or queried for on the untrusted side. ARP entries for machines are timed out through normal ARP cache timeout if no packets are seen from the particular machine. If packets are seen, their entry is marked as fresh. When a machine no longer has a fully resolved entry in the CAS's ARP cache and when it does not respond to ARPing for the length of the Heartbeat Timer setting, the machine is deemed not to be on the network and its session is terminated.
Q. Will ISE replace NAC or is it a complement?
A. Most of the ISE features are similar to ACS 5.x. For now it will go beyond NAC. The logging feature is very good in ISE, but it is on the same road map as ACS 5.x + NAC. Hence it has consolidated the functions of NAC Appliance, Profiler, Guest and ACS in one system, though there is no TACACS+ support in ISE 1.0; maybe it will be there in ISE 2.0.
Q. What is the best practice when you would like to deploy NAC between the central site and a branch office? Which do you recommend, in-band or OOB?
A. It depends on the requirement. In-band is the easiest setup, and all traffic goes through the CAS. It is easy to deploy and troubleshoot. In OOB the traffic passes through the CAS only at the initial stage, during authentication and PA; after that the CAM takes over, sends SNMP and changes the switch port to the trusted VLAN. The good part of an OOB setup is that traffic flows directly from the access switch into the core switch, so we get high switching speed. So OOB is suggested where we require high switching speed, but if you want all traffic to pass through the CAS, then we can go for in-band. For wireless and VPN deployments, in-band deployment is common.
Q. Can we run a dynamic routing protocol on a NAC device?
A. No, we can't run a dynamic routing protocol on a NAC device. There are no plans in the road map as of now. For all L3 deployments we configure static routes, be it on the trusted or the untrusted side.
Q. I believe CAS and CAM work on MS. Which cert store is used?
A. CAM and CAS run on Linux. We use the Perfigo database.
Q. There are trial versions for licensing CAS and CAM, am I correct?
A. Yes, there are evaluation licenses for CAM and CAS that are valid for 90 days.
Q. What is the difference between the CAS and CAM?
A. CAM:
- Central administration, monitoring and configuration for security policy and requirements; centrally controlling network devices and the CAS.
- Performing automatic download of the latest Clean Access policies and updates.
- Responsible for authenticating all users in the deployment, either locally or against an external user database such as LDAP, RADIUS or AD.
CAS:
- It is like a policy firewall between the untrusted and trusted parts of the network, enforcing policies. Though the CAS and CAM operate as a team, the CAS is responsible for requesting authentication and posture information from the client PC; the information is passed to the CAM for checking, and based on the results the CAM instructs the CAS to start enforcing policies for that client.
Q. Will the CAS cache the user credentials if at some time the CAS is unable to reach the CAM?
A. No, the CAS will not cache the user credentials. Say, for example, the CAS is down for some reason or is unable to reach the CAM; then:
- If the CAS is configured in High Availability and the active one fails, the standby will become active and take up its role.
- If the CAS is standalone, the results vary depending on whether it is IB or OOB. In In-Band, traffic will not pass through if the box dies. In Out-of-Band, all users/machines who have already been authenticated/certified will continue to be able to use the network, but new users will be placed into the authentication VLAN and won't be able to be authenticated by the server.
Q. Here a user PC in VLAN 7 is getting an IP from VLAN 77 via DHCP. How is this happening?
A. The CAS is in Inline mode, which means traffic will always flow through the CAS. The traffic from the client is always routed through the Auth VLAN, which in this case is VLAN 7. The CAS is configured with VLAN mapping from VLAN 7 to 77, therefore all the traffic from the host PC will be forwarded to the DHCP server hosted in VLAN 77, and the DHCP server will assume that the DHCP discover packet is coming from VLAN 77 and will send a reply; VLAN mapping will kick in again and send the DHCP offer to the PC in VLAN 7. More details are in the video of this presentation.
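The mapping described in that answer can be modelled as a rewrite of the 802.1Q tag on each frame that crosses the CAS. The following is an added illustration, not Cisco NAC Appliance code: it rewrites only the VLAN ID of a tagged Ethernet frame according to a mapping table (untrusted VLAN 7 to trusted VLAN 77 on the way in, the reverse on the way back) while keeping the priority bits and payload untouched, which is what lets a host on VLAN 7 receive an offer from the DHCP server on VLAN 77. The mapping table, the MAC addresses and the frames are constructed for the example; the payloads are placeholders, not real DHCP messages.

```python
"""Model of the In-Band CAS VLAN mapping: rewrite the 802.1Q VID of frames
crossing the CAS in either direction. Added example, not Cisco code."""
import struct

TPID_8021Q = 0x8100
# Assumed CAS mapping table: untrusted (Auth) VID -> trusted VID.
VLAN_MAP = {7: 77}
REVERSE_MAP = {trusted: untrusted for untrusted, trusted in VLAN_MAP.items()}


def build_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                payload: bytes, pcp: int = 0) -> bytes:
    """Build a minimal 802.1Q tagged frame (no FCS)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_vlan_tag(frame: bytes):
    """Return (pcp, dei, vid) for a tagged frame, or None if it is untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def rewrite_vid(frame: bytes, new_vid: int) -> bytes:
    """Replace the VID, keeping the PCP/DEI bits and the rest of the frame."""
    if not 1 <= new_vid <= 4094:
        raise ValueError("VID out of range")
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    new_tci = (tci & 0xF000) | new_vid
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def cas_forward(frame: bytes, from_untrusted: bool):
    """Forward a frame across the CAS in the given direction.
    Returns the rewritten frame, or None when the VLAN has no mapping
    (in this model the CAS does not pass traffic for unmapped VLANs)."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return None
    table = VLAN_MAP if from_untrusted else REVERSE_MAP
    vid = tag[2]
    if vid not in table:
        return None
    return rewrite_vid(frame, table[vid])


# Constructed sample frames. The payloads stand in for IP/UDP/DHCP and are
# not real DHCP messages.
BROADCAST = bytes.fromhex("ffffffffffff")
PC_MAC = bytes.fromhex("001122334455")
DHCP_SERVER_MAC = bytes.fromhex("00aabbccddee")
DISCOVER = build_frame(BROADCAST, PC_MAC, vid=7, ethertype=0x0800,
                       payload=b"DHCPDISCOVER", pcp=3)


def demo():
    """Send the DISCOVER towards the server VLAN and an OFFER back to the PC;
    return the tags as seen on each side of the CAS."""
    to_server = cas_forward(DISCOVER, from_untrusted=True)
    offer = build_frame(PC_MAC, DHCP_SERVER_MAC, vid=77, ethertype=0x0800,
                        payload=b"DHCPOFFER")
    to_pc = cas_forward(offer, from_untrusted=False)
    return parse_vlan_tag(to_server), parse_vlan_tag(to_pc)


if __name__ == "__main__":
    print(demo())  # ((3, 0, 77), (0, 0, 7))
```

The DISCOVER leaves the CAS tagged 77 with its priority bits intact, so the DHCP server sees a request from its own VLAN; the OFFER comes back tagged 7. A frame on a VLAN with no mapping entry is not forwarded at all, which is the behaviour to keep in mind when a client's Auth VLAN is missing from the mapping table.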
Q. What are the other ports for?
A. The ports UDP 8905 and 8906 are used for the SWISS communication between the CAS and the NAC agent.
Q. Sometimes I see a TCP 8905 connection between the NAC Agent and the CAS. Is it normal?
A. From 4.7 onward, Server Discovery is done using HTTPS, and hence we are using the TCP port. One of the reasons for this was that during the Discovery process in pre-4.7, when the agent exchanges information with the NAC Server during Server Discovery, there was no way for the agent to authenticate the server. After this discovery, the SWISS process falls back to using UDP and encrypts the data using 3DES instead of RC4.
Q. Where can I get more info on the ISE solution?
A. You can find more info on ISE from the link below:
Q. What safeguards are in place to make sure the Agent can't be spoofed?
A. First, everything is encrypted between a CAS and a client with SSL, so MITM isn't a viable means of attack. In addition to SSL, the reports are encrypted locally before they are sent. The XML report is encrypted before it's sent, using SSL again. So, even if you break SSL, you will still not be able to read the report.
Furthermore, the report needs to be sent in a specific format that is understood by the CAM as well. No one knows this format unless they decrypt and look at the XML. The local agent logs cannot be decrypted without a special tool, and hence there is no way to get that report locally.
On the end station side you are also dealing with certificates. The CAM packages up its cert into the installation package, so someone trying to make a fake CCA agent would also have to make a perfect copy of the cert signed from the CAM. Each customer’s cert is unique, so you could only go down this path if you were targeting a specific organization and had all the right information about their cert infrastructure to make it work.
Killing the agent does nothing; the CAS still won't let you through. Even a fake agent doesn't buy you anything; you still have to have the answers that the CAS will consider correct.
Q. How many NAC servers do I need if I have 8 core locations connected to each other with L3 links, and all 8 cores are collapsed cores?
A. Well, it depends on the requirement in the end. Say you want to deploy NAC for posture only; then you can deploy the CAM and CAS at the central site. This is typically used when the resources are at the central site; the agent on the remote sites will discover the CAS, and posture assessment will happen after this discovery.
If you want NAC posture with port control, then you can deploy the CAS either at the central site or at the remote sites. You can also deploy NAC on ISR 28xx/38xx (ISR NME), which is designed for remote branch offices and offers the same deployment flexibility. The CAM will manage the remote switches for port control. Remote segmentation can be controlled through PBR, VRF, tunnels, etc. It is recommended to have a remote CAS at each site for this.
For NAC posture with traffic control you can have the NAC Manager and Server at the central site, with the NAC Server in-band, and hence there is no access to the resources without meeting the policy.
Q. With AD SSO will a complete GPO update work?
A. When a user is not yet authenticated/certified by Cisco NAC Appliance (or is on the Authentication VLAN), access to the Windows Domain Controller is limited, and as a result a complete group policy update might not finish. There is an option, Refresh Windows domain group policy after login, under Device Management > Clean Access > General Setup > Agent Login; if this is selected, the NAC admin can force a group policy refresh for the Agent user immediately after AD SSO login. For example, a GPO object such as a login script in a Windows environment, run prior to login, will fail because users do not have access to drive mappings on the AD server. Hence I have seen deployments where there is an artificial delay in the script during authentication, and then they work fine; this delay can be implemented by use of ping, telnet, or any check action that fails until authentication finishes.
Q. Can we do accounting on NAC if we have integrated with an ACS/RADIUS server, for activities done by administrators when logged on to the CAM?
A. No, you cannot do accounting on NAC for the requirement you posted.
Q. What permissions do you need to install the agent?
A. It required Admin rights up to 4.6, but with newer code you do not require them.
Q. Can I run NAC in monitor mode, and what is the best practice to switch over one branch after the other in a centralized, Layer 3 deployment?
A. Yes, you can run in monitor mode. You need to set the requirement as Audit. Make sure that any changes are done during maintenance hours, and try adding one branch at a time.
Q. What if I need to upgrade the NAC solution from 4.1.3 to 4.7.2? What happens with the CCA Agent while NAC is in this process; is it sending SWISS packets?
A. You will need to schedule a downtime. If NAC is upgraded, it's recommended that all of the CAS, CAM and agents are upgraded. SWISS packets will be sent, but they will not be responded to during that time.
Q. Do we have the opportunity to check smartphones (connected to the network via wireless) with NAC?
A. We have web login and auth support for most smartphones, but posture assessment is not available so far.
Q. If I connect the heartbeat on a back-to-back interface along with the trusted interface on the CAS, will it take effect when the trusted interface goes down?
A. Yes, the failover takes place when the trusted interface goes down.
Q. Can I apply NAC PV to users who want to go to the Internet from my intranet? That is, if a user is in the trusted VLAN, will the checks still be done before allowing the user to go to the Internet, and if some check is negative will it be denied?
A. This is not possible. NAC works purely by network design. The CAS needs to know that clients are in the untrusted network for it to take any kind of action.
Q. What is achieved by enabling the CCA server authorization option?
A. By default this option is not selected; it is used to authorize which CASs can communicate with the CAM. If it is selected and nothing is specified, then none of the CASs will be able to talk to the CAM. Hence on each CAS go to Administration > SSL > X509 certificates, copy the complete CN and exact names, and paste them into the CAM's authorization page.
Q. In an In-band/L2 deployment, how is a user session quantified?
A. The user session is based on the client MAC and IP address and persists until either:
- The user logs out of the network through either the web user logout page or the agent logout option;
- or an administrator manually removes the user from the network;
- or the session times out, as configured in the Session Timer for the user role;
- or the CAS determines, using the Heartbeat Timer, that the user is no longer connected and the CAM terminates the session;
- or the Certified Devices list is cleared, either because its timer expires or manually, and the user is removed from the network.
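The timer semantics from the earlier question (Session Timer absolute per role, Heartbeat Timer driven by ARP responses) and the five ways a session ends listed just above fit in one small model. The following is an added example, not Cisco code: a session table keyed on MAC + IP that applies both timers and the other termination reasons, and a worked run reproducing the 1:00pm / 1:30pm case from the text plus a host that stops answering ARP. Time is an integer number of minutes since midnight; the MAC and IP values and the 5-minute heartbeat are constructed for the example.

```python
"""Model of NAC Appliance user-session lifetime: Session Timer (absolute from
login, per role), Heartbeat Timer (ARP-based), logout, admin removal and
clearing the Certified Devices list. Added example, not Cisco code."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Role:
    name: str
    session_timer_min: Optional[int]  # None = no absolute session limit


@dataclass
class Session:
    mac: str
    ip: str
    role: Role
    login_time: int
    last_seen: int                    # last ARP reply or packet from the host
    end_reason: Optional[str] = None

    @property
    def active(self) -> bool:
        return self.end_reason is None


class SessionTable:
    """In-Band/L2: a session is keyed on the client's MAC and IP address."""

    def __init__(self, heartbeat_min: int):
        self.heartbeat_min = heartbeat_min
        self.sessions: Dict[Tuple[str, str], Session] = {}
        self.certified_macs: Set[str] = set()

    def login(self, mac: str, ip: str, role: Role, now: int) -> Session:
        s = Session(mac, ip, role, now, now)
        self.sessions[(mac, ip)] = s
        self.certified_macs.add(mac)
        return s

    def host_seen(self, mac: str, ip: str, now: int) -> None:
        """An ARP reply (or any packet) keeps the CAS's ARP entry fresh."""
        s = self.sessions.get((mac, ip))
        if s is not None and s.active:
            s.last_seen = now

    def _end(self, key: Tuple[str, str], reason: str) -> None:
        s = self.sessions.get(key)
        if s is not None and s.active:   # the first reason to fire is recorded
            s.end_reason = reason

    def logout(self, mac: str, ip: str) -> None:
        self._end((mac, ip), "user_logout")

    def admin_remove(self, mac: str, ip: str) -> None:
        self._end((mac, ip), "admin_removed")

    def clear_certified_list(self) -> None:
        """Clearing the Certified Devices list also removes those users."""
        for key, s in self.sessions.items():
            if s.mac in self.certified_macs:
                self._end(key, "certified_list_cleared")
        self.certified_macs.clear()

    def tick(self, now: int) -> None:
        """Run both timers. The Session Timer counts from login regardless of
        activity; the Heartbeat Timer counts from the last ARP response."""
        for key, s in self.sessions.items():
            if not s.active:
                continue
            limit = s.role.session_timer_min
            if limit is not None and now - s.login_time >= limit:
                self._end(key, "session_timer")
            elif now - s.last_seen >= self.heartbeat_min:
                self._end(key, "heartbeat")


def worked_example() -> Dict[str, Tuple[int, str]]:
    """The 1:00pm / 1:30pm case from the text plus a host that goes silent.
    Returns {mac: (minute the session ended, reason)}."""
    test_role = Role("Test", session_timer_min=120)              # 2-hour Session Timer
    table = SessionTable(heartbeat_min=5)
    a = table.login("00:00:00:00:00:0a", "10.0.7.10", test_role, 13 * 60)       # 1:00pm
    b = table.login("00:00:00:00:00:0b", "10.0.7.11", test_role, 13 * 60 + 30)  # 1:30pm
    c = table.login("00:00:00:00:00:0c", "10.0.7.12", test_role, 13 * 60 + 30)  # 1:30pm
    ended: Dict[str, Tuple[int, str]] = {}
    for now in range(13 * 60 + 31, 15 * 60 + 31):               # 1:31pm .. 3:30pm
        table.host_seen(a.mac, a.ip, now)                       # A and B keep answering ARP
        table.host_seen(b.mac, b.ip, now)
        if now <= 14 * 60:                                      # C goes silent after 2:00pm
            table.host_seen(c.mac, c.ip, now)
        table.tick(now)
        for s in (a, b, c):
            if not s.active and s.mac not in ended:
                ended[s.mac] = (now, s.end_reason)
    return ended
```

Running worked_example() ends A at minute 900 (3:00pm) and B at 930 (3:30pm) with reason session_timer, exactly as the text describes, even though both kept answering ARP; C is dropped at 845 (2:05pm) by the heartbeat because it stopped responding, well before its own Session Timer would have fired.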
Q. How can I exclude phones, printers and thin clients in a centralized, in-band, Layer 3 deployment?
A. You need to create filters for the dumb devices like phones and printers, either using the MAC address or the IP address.
Q. Can the agent discovery address be changed on the client?
A. Yes, there are 2 methods:
1. By editing the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Clean Access Agent\ServerUrl
2. Right-click on the Agent and choose Properties.
Q. Does the Web Agent have same capabilities as the persistent agent?
A. Unlike the Cisco NAC Agent, the Cisco NAC Web Agent is not a “persistent” entity, thus it only exists on the client machine long enough to accommodate a single user session. Instead of downloading and installing an Agent application, once the user opens a browser window, logs in to the NAC Appliance web login page, and chooses to launch the temporal Cisco NAC Web Agent, an ActiveX control or Java applet initiates a self-extracting Agent installer on the client machine to install Agent files in a client’s temporary directory. You specify the preferred method using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration page.
The Web agent has the same posture assessment capabilities as the persistent agent.
The Web Agent does not have auto-remediation capabilities, and users must adhere to NAC Appliance requirement guidelines independent of the Web Agent session to ensure compliance before they can gain access to the internal network. If users are able to correct/update their client machine to be compliant before the Temporary Role time-out expires, they can choose to "Re-scan" the client machine and successfully log in to the network.
The Out-of-Band Logoff feature is not applicable to the Cisco NAC Web Agent.
Q. What is the NACAgentCFG.xml file?
A. It is the NAC Agent configuration XML file, and you can enable various Cisco NAC Agent features by specifying settings within this file. Some of the topics I can recall are managing the Cisco NAC Agent discovery host address, additional SWISS discovery customization, and VlanDetectInterval, among others; these are documented in the CAM and CAS configuration guide.
Q. What considerations should be taken into account when configuring switches for OOB?
A. Best practice is to update the switch OIDs on the CAM via the Device Management > Clean Access > Updates > Update web console page to ensure you have the most up-to-date switch support available. In addition:
- Ensure the uplink ports of managed switches are configured as "unmanaged" ports.
- Switch clusters are not supported; instead assign an IP to each switch.
- Turn on PortFast on the access ports.
- Set the MAC address aging time to a minimum of 3600 sec.
- Enable ifIndex persistence on the switches.
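The switch-side points in that list can be checked mechanically before a switch is added to the CAM. The following is an added example, not Cisco code: it parses a flat IOS-style configuration and reports which of the list's switch-side items are not met (MAC aging below 3600 s, missing ifIndex persistence, clustering configured, a managed access port without PortFast, a trunk/uplink port in the managed set). SAMPLE_CONFIG and FIXED_CONFIG are constructed configs, and MANAGED_PORTS stands for the ports the CAM would control (an assumption, since that list lives in the CAM port profiles, not in the switch config). The OID update is a CAM-side step and is not something a switch-config check can verify.

```python
"""Check an access-switch config against the OOB preparation points above.
Added example, not Cisco code; the configs below are constructed."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname access-sw-1
mac address-table aging-time 300
cluster enable nac-stack 0
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 7
 spanning-tree portfast
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 7
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
"""

FIXED_CONFIG = """\
hostname access-sw-1
mac address-table aging-time 3600
snmp-server ifindex persist
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 7
 spanning-tree portfast
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 7
 spanning-tree portfast
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
"""

# Assumed: the ports the CAM manages (in reality taken from the CAM port profiles).
MANAGED_PORTS = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/48"]


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-config lines]} for a flat IOS-style config."""
    ifaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None                 # back at global configuration level
    return ifaces


def check_oob_switch(config: str, managed_ports: List[str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    ifaces = parse_interfaces(config)
    uplinks = {name for name, lines in ifaces.items() if "switchport mode trunk" in lines}

    # MAC aging time must be at least 3600 s (old and new command spellings).
    m = re.search(r"^mac(?:-| )address-table aging-time (\d+)", config, re.M)
    aging = int(m.group(1)) if m else None
    if aging is None or aging < 3600:
        shown = aging if aging is not None else "default"
        findings.append(f"mac address-table aging-time must be >= 3600 (found {shown})")

    if not re.search(r"^snmp-server ifindex persist", config, re.M):
        findings.append("snmp-server ifindex persist is not configured")

    if re.search(r"^cluster ", config, re.M):
        findings.append("switch clustering is configured; give each switch its own IP instead")

    for port in managed_ports:
        if port in uplinks:
            findings.append(f"{port}: trunk/uplink port must be 'unmanaged' in the CAM port profile")
            continue
        if "spanning-tree portfast" not in ifaces.get(port, []):
            findings.append(f"{port}: spanning-tree portfast not enabled")
    return findings


if __name__ == "__main__":
    for finding in check_oob_switch(SAMPLE_CONFIG, MANAGED_PORTS):
        print("-", finding)
    print("fixed config:", check_oob_switch(FIXED_CONFIG, MANAGED_PORTS[:2]) or "ok")
```

Against SAMPLE_CONFIG with all three ports managed the check reports five findings (aging time 300, no ifIndex persistence, clustering enabled, Gi1/0/2 without PortFast, and the Gi1/0/48 trunk listed as managed); FIXED_CONFIG with only the two access ports managed reports none. The ifIndex check matters because the CAM identifies ports by ifIndex over SNMP, so an ifIndex that changes across a reload would make the CAM act on the wrong port.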
Q. If SWISS packets are not responded to or are intercepted by the CAS, then the PC is not authenticated.
Q. We have a NAC Appliance 3315 based on an IBM X server. On the 3355 there is no problem with ILO (out-of-band server management); we can configure it and use it. But on the smaller 3315 the ILO is not working; it does not show as linked on the connected switch. Is it possible to?
A. Please open a TAC case or post your question in the support community, as this needs troubleshooting.
Q. Which is the new NAC product from Cisco to be released?
A. There is a Cisco ISE solution coming up, which integrates NAC, NAC Profiler, ACS and dot1x.
Q. Can CAM and CAS reside on the same server?
A. CAS and CAM cannot reside on the same server. They should be on separate appliances.
Q. If we have version 4.7.2, can we push the CCA Agent upgrade (suppose they have 4.5.x) to all of our clients?
A. If the CAM is running version 4.7.2, go to Device Management > Clean Access > Clean Access Agent > Distribution and check the Windows NAC Agent version; logically in this case it should be 4.7.2. If this is the case, then make sure "Current NAC Agent is a mandatory upgrade" is checked, and that should do it.