ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Reza Malekzadeh about Network Admission Control (NAC) which uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. Reza Malekzadeh is a product marketing manager for the Security Technology Group at Cisco Systems, focused on the Network Admission Control (NAC) initiative. Prior to joining Cisco, Mr. Malekzadeh was the co-founder of Twingo Systems, a provider of secure desktop solutions for untrusted computers. Twingo Systems was acquired by Cisco in 2004.


Remember to use the rating system to let Reza know if you have received an adequate response.


Reza might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 9, 2005. Visit this forum often to view responses to your questions and the questions of other community members.

34 REPLIES
New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

I am trying to identify a machine with the CTA 2.0 client and the scripting interface against an ACS server with a self-written posture validation server (Apache/PHP script). On the client network there is no possibility for NAC Layer 2/802.1x. Software used: NAC Phase 2 with the following versions: ACS 4.0.23, CTA 2.0.26.

I have a non-exportable machine certificate installed on the client, whose serial number I send via the scripting interface to the ACS. I need the HCAP definition for the different status messages from and to the ACS (certificate is valid = healthy, certificate is invalid = quarantine…). I can already “see” my certificate serial number on the ACS (with my own ADF file imported into ACS with certutil.exe), but there is no documentation about the communication between ACS <-> HCAP <-> External Posture Validation Server.

Script ini file on the client:

[main]
PluginName=ctascriptPP.dll
VendorID=9
VendorIDName=Cisco Systems
Styles=SupportAsync
AppList=cert-check

[cert-check]
AppType=61440
AppTypeName=cert-check

Sample AVP file on ACS:

[attr#0]
vendor-id=9
vendor-name=Cisco
application-id=61440
application-name=cert-check
attribute-id=32768
attribute-name=version
attribute-profile=in
attribute-type=version
attribute-value=2.0

[attr#1]
vendor-id=9
vendor-name=Cisco
application-id=61440
application-name=cert-check
attribute-id=32769
attribute-name=serial
attribute-profile=in
attribute-type=octet-array
attribute-value=0x3f 0xaa 0x91 0xf5 0x00 0x00 0x00 0x00 0x05 0x1f

I hope Cisco publishes this needed information, because I don’t understand the reason for an open script interface on the client side and a closed information strategy on the ACS server side.
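As an added illustration (not code from this post, from Cisco or from the poster's PHP server) of the policy such an external posture validation server would apply: the code below parses the [attr#N] stanzas of the AVP file quoted above, decodes the version and octet-array values by their declared attribute-type, and maps the reported certificate serial to a posture token. The allow-list of serials, the "Unknown" token for a missing attribute and the minimum script version are assumptions of the example, not anything ACS or HCAP defines on this page.

```python
import re

# Constructed sample: the two [attr#N] stanzas from the post, as one file body.
SAMPLE_AVP = """\
[attr#0]
vendor-id=9
vendor-name=Cisco
application-id=61440
application-name=cert-check
attribute-id=32768
attribute-name=version
attribute-profile=in
attribute-type=version
attribute-value=2.0
[attr#1]
vendor-id=9
vendor-name=Cisco
application-id=61440
application-name=cert-check
attribute-id=32769
attribute-name=serial
attribute-profile=in
attribute-type=octet-array
attribute-value=0x3f 0xaa 0x91 0xf5 0x00 0x00 0x00 0x00 0x05 0x1f
"""

def parse_avp(text):
    """Parse [attr#N] stanzas into {attribute-name: {key: value}}."""
    stanzas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if re.fullmatch(r"\[attr#\d+\]", line):
            cur = {}                      # new stanza begins
            stanzas.append(cur)
        elif cur is not None and "=" in line:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return {s["attribute-name"]: s for s in stanzas if "attribute-name" in s}

def decode_value(attr):
    """Decode attribute-value by its declared attribute-type (the two types in the post)."""
    kind, value = attr["attribute-type"], attr.get("attribute-value", "")
    if kind == "octet-array":
        return bytes(int(tok, 16) for tok in value.split())
    if kind == "version":
        return tuple(int(part) for part in value.split("."))
    raise ValueError(f"unsupported attribute-type {kind!r}")

def posture_token(attrs, allowed_serials, min_version=(2, 0)):
    """Assumed policy (not ACS's): Healthy only when the reported serial is
    allow-listed and the cert-check script version is at least min_version."""
    if "serial" not in attrs or "version" not in attrs:
        return "Unknown"            # client did not report both attributes
    if decode_value(attrs["version"]) < min_version:
        return "Quarantine"         # stale cert-check script: treat as non-compliant
    if decode_value(attrs["serial"]) not in allowed_serials:
        return "Quarantine"         # certificate serial is not one we issued
    return "Healthy"

if __name__ == "__main__":
    allowed = {bytes.fromhex("3faa91f500000000051f")}   # constructed allow-list
    print(posture_token(parse_avp(SAMPLE_AVP), allowed))  # Healthy
```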

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hello,

The scripting interface is designed to allow you to write custom scripts and run them out of band. It is designed to help IT managers run custom checks.

However, the HCAP protocol that allows a third party posture server to talk to ACS is part of the NAC Partner Program. It is not a publicly published interface. It is available to ISVs who participate in the NAC Program at this time.

regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

1. For IT managers to "use" the custom checks outside of the ACS server (like my certificates) you don't have a chance; the checks inside the ACS are static.

2. I don't think that Cisco wants a new ISV participant for every "small-customer-special-solution”. If YES, we will apply.

3. Do you see any chance to become a NAC-ISV with our small and very special solution?

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

The NAC Partner Program is open to all ISVs: small and big. If you have a solution that you develop and sell to end users, you are welcome to join the NAC Program. All the program details and online application form are posted at http://www.cisco.com/en/US/partners/pr46/nac/index.html

regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Which vendors (within the NAC program) currently support HCAP and can be configured as External Posture Validation Server on ACS 4.0?

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

There is no "exact" list of HOW the different vendors implemented their products, only a list of vendors with product names; you can search the vendor homepages for further details. A few of them don't use HCAP (Symantec, McAfee, ...). There you can only query static parameters directly on the ACS server. Trend Micro, for example, uses HCAP (but it doesn't work in my test environment).

http://www.cisco.com/en/US/partners/pr46/nac/partners.html

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hello,

Today IBM, Trend Micro and CA are shipping complete solutions that include a back end policy server integration. For the latest list of all products integrated in NAC, please visit: http://www.cisco.com/en/US/partners/pr46/nac/partners.html

regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hi,

I have found the CA e-Trust installation guide that explains how to deploy the agent with NAC, but I haven't found anything about the Command Centre (the management console of e-Trust) and the possibility to use it as an external policy server with ACS. Have you tested it by any chance?

Thank you very much,

Barbara

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hello,

After checking with Computer Associates, this would be explained in the documentation that will come out when they introduce the PVS product for NAC. Hope this answers the question.

Regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

I have been attempting to get NAC 1 to work for the past two months in a very specific, limited scenario. We require any VPN client connecting via a 3005 Concentrator (4.1.7) to have the Trend Micro OfficeScan client present, running, and up to date.

I have the VPN Concentrator set up and the clients can connect.

I have the ACS server (3.3) set up and clients can connect.

I have the Trend Policy Server set up to provide Posture Validation. The certificates are installed. The CTA agent has been deployed to the test machine. (Is there a way to make this part of the VPN Client install?)

It appears in the logs that everything is happening, yet no matter what I do at the client, it can still connect and the status is placed in Hold-Off.

What I need is a good, detailed set of instructions on how to get this working. I am pretty sure that I have all of the pieces in place, but can't find any docs from Trend or Cisco that take you from Step 1 all the way through, including some troubleshooting.

Is there such documentation anywhere, and would you let me know how to get it?

Thanks

Bryan Carter

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hello,

We have a number of documents on our site, including a deployment guide with troubleshooting tips. Please visit http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hello,

Is it possible to use Microsoft's IAS server to provide the Radius functionality necessary for NAC to operate? If not, what is unique about ACS that makes NAC possible?

Thanks, Russ

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

ACS is a mandatory component for NAC. It has the smarts to communicate with our Network Access Devices. It can however be set up as a RADIUS proxy and not handle the user authentication piece but just the NAC policy piece and communications.

regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hi,

Firstly, could someone point me in the right direction to download CTA 2.0? I am unable to find it anywhere on the Cisco website.

Also, we are in the design phase of deploying NAC in our network and I was hoping someone might be able to let me know of a good document (how-to guide) on deploying NAC? I have read all the 'overviews' but am after a low-level deployment guide, especially on how to set up the ACS server for NAC.

Any help would be appreciated! Thanks,

Cam

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hi,

I have been working on NAC for the last two months. The design phase is already complete. Now I'm testing my configuration. I used the following resources.

www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf

http://www.cisco.com/en/US/netsol/ns617/networking_solutions_white_paper0900aecd80234ef4.shtml

http://www.cisco.com/en/US/products/ps5923/products_administration_guide_chapter09186a008023fa9e.html

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_book09186a00802335e2.html

Ok! I hope it will help. Good luck!

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hello,

CTA can be downloaded from the Cisco website at http://www.cisco.com/cgi-bin/tablebuild.pl/cta

Also, we are in the process of finishing up a NAC Deployment guide that will go into the details of configurations and deployment. It should be available in a few weeks on our site at http://www.cisco.com/go/nac.

regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hi,

I'm working on NAC I, and I plan to implement NAC II right after NAC I is finished. But I have two concerns.

1. I had configured ACS v3.3 on the Windows 2000 server. The ACS should check the Cisco Secure database or a Windows database (Active Directory) to authenticate users. I had enabled PEAP and EAP-TLS on the ACS, with a self-signed certificate. The certificate had been successfully imported on the client (Windows XP Pro SP2) while installing Cisco Trust Agent v1.0.55. I had also enabled machine authentication with PEAP and EAP-TLS. But I still have the following error: "Auth type not supported by External DB". I would like to have some suggestions to fix that problem. I have attached the failed attempts log that I had.

2. I would like to know how NAC I and NAC II fit together. Which directive can I follow to implement NAC II when NAC I is already working?

Regards.

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hello,

It appears that you might be having a separate issue from NAC with this error message. With NAC phase one, any user and/or machine authentication will be a completely separate operation from the actual NACing of the client. It appears that you have ACS set up for doing machine/user auth with certificates (EAP-TLS) and that your AD infrastructure does not do certs, but only AD credentials (EAP-MSCHAPv2). AD credentials are those long crypto numbers AD assigns to machines and users when they become members of an AD domain. This is probably an ACS config issue but not NAC related... I think.

For the second question, NAC2 expands the list of supported Network Access Devices by implementing NAC in our Catalyst switches and wireless solutions. NAC2 can tie into your 802.1x deployment if you have one and be able to do NAC at Layer 2 on the switch ports and wireless APs.

regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

I have verified that AD supports EAP-TLS authentication.

Does it make sense to try to import the certificate that is installed on the ACS to the domain controller, assuming that EAP-TLS requires the installation of the same certificate on each of the machines that are involved in the authentication process?

Regards,

Stan.

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Yes, you can try that. If that fails, please try to contact your Cisco sales engineer to put you in touch with an ACS specific guru. thanks.

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hello,

We are busy implementing NAC phase two. Does this work with ACS 3.3 or do we need to upgrade to 4? We are using 802.1x wired clients with CTA 2.0 to make things work with 2950 switches. It seems however that the CTA is not sending any data to our ACS. If an upgrade of ACS is needed I understand this; otherwise what could be the problem? We have level 15 logging on the CTA 2.0. The log files don't say much to me. The only error that I see now and then is:

"Failed to open Registry Key, error code 13"

Kind regards,

Rutger

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Yes, for NAC 2, you will need to upgrade to ACS 4.0.

regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

- Is there also an ACS 4.0 (final, eval?) download already available?

- Where can I find the Trend Micro AVP file for ACS 4.0? On the Trend Micro website I can't find it. I use the following file (got it from the BETA ACS 4.0 documentation). The values don't appear in the ACS server log file :(. On the new CTA 2.0.30 I can see in the log that the information is sent to the ACS.

[attr#0]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=out
attribute-type=unsigned integer

[attr#1]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=unsigned integer

[attr#2]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00003
attribute-name=Software-Name
attribute-profile=in out
attribute-type=string

[attr#3]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00004
attribute-name=Software-ID
attribute-profile=in out
attribute-type=unsigned integer

[attr#4]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00005
attribute-name=Software-Version
attribute-profile=in out
attribute-type=version

[attr#5]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00006
attribute-name=Scan-Engine-Version
attribute-profile=in out
attribute-type=version

[attr#6]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00007
attribute-name=Dat-Version
attribute-profile=in out
attribute-type=version

[attr#7]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00008
attribute-name=Dat-Date
attribute-profile=in out
attribute-type=date

[attr#8]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00009
attribute-name=Protection-Enabled
attribute-profile=in out
attribute-type=unsigned integer

[attr#9]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00010
attribute-name=Action
attribute-profile=out
attribute-type=string

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

ACS 4.0 is shipping as of yesterday. The full version is available through Cisco Sales. It is not yet available in eval version but should be posted on our website soon.

For the Trend Micro file, you will need to contact Trend Micro directly.

regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

I have a VPN 3005 concentrator running 4.7 code with ACS 4.0 as the RADIUS server, performing NAC with a test client running CTA 2.0 and Cisco VPN client 4.7. I had this working under ACS 3.3/CTA 1.0, but with the new Network Access Profiles in ACS 4.0 I am having some difficulty with the Downloadable ACLs. I am using a group/password (preshared key) to connect to the IPSec session, followed by Windows Database authentication. This is working, as well as the Posture Validation, which is checking Cisco:PA:PA-Version > 2.0.0.0. What I am encountering is that the Windows authentication occurs separately from the Posture Validation, so I am essentially running through the Network Access Profiles twice, and being assigned a different Downloadable ACL each time. The effect is that I cannot apply an ACL to a Group without it being overwritten by the ACL assigned to the Posture event. Is there a way to merge the events so that I can assign the ACL by a combination of Group and SPT?

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hello,

In theory, the NAC ACL will override the user ACL. The folks in the VPN3K team indicated that this has been the behavior since the introduction of the 4.7 code. I think you are hitting a bug that we would need to try to reproduce. Can you please open a case with Cisco TAC?

regards

reza

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Good morning Reza Malekzadeh,

I have a very simple question. What would you recommend, or what is today's most secure way of accessing devices such as routers and switches to be able to manage them?

Using telnet? SSH? TACACS?

Is SNMP with CiscoWorks safe? Should we be using something other than SNMP for management through CiscoWorks?

Many thanks for your quick response.

New Member

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Tricky question :) - It will depend on your setup and how much you trust the network to your access device. Obviously, SSH is much preferred over Telnet. I believe SNMP with CiscoWorks is safe.

hope this helps.

reza

Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

Hi,

Just encountered this problem: when we tried to replicate the GUEST server, we received the following message:

"An error occurred while configuring replication"

The application log shows the following:
2010-08-03 07:51:12 CDT LOG    +-------------------------------------
2010-08-03 07:51:12 CDT LOG    twin 1.2 starting up...
2010-08-03 07:51:12 CDT LOG     log mode is 0
2010-08-03 07:51:12 CDT LOG     local port=5432
2010-08-03 07:51:12 CDT LOG     local database=gapdb
2010-08-03 07:51:12 CDT LOG     log_table_max_size=1000
2010-08-03 07:51:12 CDT LOG     sleeptime=1000
2010-08-03 07:51:12 CDT LOG     use_timestamps=f
2010-08-03 07:51:12 CDT LOG    done
2010-08-03 07:51:12 CDT LOG    local config status is 0
2010-08-03 07:51:12 CDT FATAL  application has not yet configured twin
2010-08-03 07:51:12 CDT LOG    shutting down...
2010-08-03 07:51:12 CDT LOG    shutdown complete

Also I could not find what the twin is and how to configure it.

Any help will be appreciated

- Angela Yan
