Cisco NAC high level flow for Out-of-Band deployments
I've found a lot of good detailed information on configuration of Cisco NAC appliances, and the general functions. But not a good, high-level walk-through of the steps the appliances/solution go through in an OOB deployment when handling new connections to a LAN.
Something along the lines of: a user connects to the LAN, is given addressing from a DHCP server, then <somehow?> the workstation is directed to the NAC appliance, where it checks for the presence of any required agents, checks against security requirements, then... etc. (Remediation servers involved here, etc.)
Is there a high-level description of the flow, what/how the NAC appliances interact with DHCP servers, remediation servers, and any high-level description of the required configuration in AAA servers, DHCP servers, and remediation servers in order for them to work with the NAC appliances in this configuration?
Re: Cisco NAC high level flow for Out-of-Band deployments
Here we go:
1) Any managed switches must be built in on the CAM and the required configuration for switch SNMP traps must be used. This is important as it controls the CAM's visibility over user connects.
2) In L3 OOB the CAS can be placed physically anywhere. We have it in our data center.
3) Plan your VLANs. Let's say we have a remote location with 2 VLANs:
VLAN 0005 - NAC Auth
VLAN 0010 - User Access
This is important because in L3 OOB, you control traffic on the layer 3 boundary of the VLAN (i.e. the VLAN's default gateway, which is typically a router) using ACLs. An ACL on the "auth" VLAN controls where users can access before being certified. Typically this would allow traffic to the CAS and remediation servers. Then, for the "clean" VLAN, the ACL must prevent traffic from flowing to the CAS by denying traffic to it. So you would have a config like:
! Deny will keep the NAC agent from constantly attempting to re-authenticate
deny ip any host
! Then let all other traffic through as we're a "clean" user
permit ip any any
4) Clients will receive all IP addresses from a DHCP server. In our deployment we use the "ip helper-address" command to forward DHCP requests to our DHCP cluster. You'll need a pool for each NAC VLAN you have.
So what does the NAC experience look like? Here's the flow:
1) A new user plugs into a NAC-managed switch. The switch sends an SNMP trap to the CAM that a new interface has come online.
2) The CAM detects the user is not already authenticated, so it changes the configuration of the port to place the user on VLAN 5. The user receives an IP address from the DHCP cluster.
3) Due to the limitations of the NAC-AUTH ACL, the user has limited access. The NAC agent on the workstation continues to poll for a live CAS at a configured address. Since this traffic is permitted, the agent prompts for authentication.
4) Depending on your scenario, the user may enter credentials or may not need to if using Active Directory single sign-on.
5) If the user passes authentication, the posture validation of the client begins.
6) If the user does NOT pass posture assessment, they are left on the NAC-AUTH VLAN and are required to update as necessary. The agent will then pop up again after a defined interval for authentication, and the posture assessment will begin again.
7) Once the user is "clean", the CAM now changes the configuration of the switch again and puts the user onto VLAN 10. Once the VLAN is changed the user's client will request a new IP address and receive one from the DHCP cluster.
8) Now the user's traffic is limited by the NAC-CLEAN ACL. Since this ACL blocks access to the CAS, the agent doesn't pop up and the user is left on the "clean" VLAN.
9) If the user unplugs or the re-certification timer expires, the port is placed back into VLAN 5, and the next user will go through the same process or the same user will have to re-certify.
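The two ACLs and the nine-step flow above fit together as one small state machine, and modelling it makes the interaction clear: the agent only ever reaches the CAS when the ACL on the port's current VLAN permits it, so the "deny" on the clean VLAN is what stops the agent from prompting again, and the SNMP link-down / re-certification event is what returns the port to VLAN 5. The following Python model is an added example written for this thread, not Cisco code and not the poster's configuration. The CAS and remediation addresses (192.0.2.x, TEST-NET-1) and the per-VLAN DHCP pools are constructed placeholders; only the VLAN numbers 5 and 10 and the ACL logic come from the answer.

```python
"""Model of the Cisco NAC L3 out-of-band flow described in the answer above.

Added example: the CAS/remediation addresses and DHCP pools are constructed
placeholders, not values from any real deployment.
"""
from dataclasses import dataclass, field
import ipaddress

CAS_IP = ipaddress.ip_address("192.0.2.10")          # placeholder: the CAS
REMEDIATION_IP = ipaddress.ip_address("192.0.2.20")  # placeholder: remediation server
AUTH_VLAN, CLEAN_VLAN = 5, 10                         # VLANs from the answer

# Constructed DHCP pools, one per NAC VLAN, as the answer requires.
DHCP_POOLS = {
    AUTH_VLAN: ipaddress.ip_network("10.5.0.0/24"),
    CLEAN_VLAN: ipaddress.ip_network("10.10.0.0/24"),
}


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    dst: str     # "any" or a single host address


def _matches(entry: AclEntry, dst) -> bool:
    return entry.dst == "any" or ipaddress.ip_address(entry.dst) == dst


def acl_permits(acl, dst) -> bool:
    """Cisco-style first-match evaluation with the implicit deny at the end."""
    for entry in acl:
        if _matches(entry, dst):
            return entry.action == "permit"
    return False


# Gateway ACL for the auth VLAN: only the CAS and remediation are reachable.
NAC_AUTH_ACL = [AclEntry("permit", str(CAS_IP)), AclEntry("permit", str(REMEDIATION_IP))]
# Gateway ACL for the clean VLAN: block the CAS so the agent stops prompting,
# then let everything else through.
NAC_CLEAN_ACL = [AclEntry("deny", str(CAS_IP)), AclEntry("permit", "any")]
ACL_FOR_VLAN = {AUTH_VLAN: NAC_AUTH_ACL, CLEAN_VLAN: NAC_CLEAN_ACL}


@dataclass
class Port:
    vlan: int = AUTH_VLAN
    ip: str = ""
    certified: bool = False


def dhcp_lease(port: Port) -> str:
    """Client renews after a VLAN change and gets an address from that VLAN's pool."""
    port.ip = str(next(DHCP_POOLS[port.vlan].hosts()))
    return port.ip


class Cam:
    """Clean Access Manager reacting to switch traps and agent contact."""

    def link_up(self, port: Port) -> None:
        # SNMP link-up trap: unknown user, so the port goes to the auth VLAN.
        port.vlan, port.certified = AUTH_VLAN, False
        dhcp_lease(port)

    def agent_poll(self, port: Port, authenticated: bool, posture_ok: bool) -> str:
        # The agent only reaches the CAS if the current VLAN's gateway ACL allows it.
        if not acl_permits(ACL_FOR_VLAN[port.vlan], CAS_IP):
            return "silent"            # clean VLAN: CAS blocked, no pop-up
        if not authenticated:
            return "auth_failed"       # stays on VLAN 5, agent retries later
        if not posture_ok:
            return "remediate"         # stays on VLAN 5, can reach remediation only
        port.vlan, port.certified = CLEAN_VLAN, True
        dhcp_lease(port)               # new lease from the clean pool
        return "certified"

    def link_down_or_recert_expired(self, port: Port) -> None:
        self.link_up(port)             # back to VLAN 5 for the next (or same) user


def simulate(authenticates: bool, posture_results) -> list:
    """Drive one client through the flow and return the observed sequence."""
    cam, port, trace = Cam(), Port(), []
    cam.link_up(port)
    trace.append(f"vlan{port.vlan}:{port.ip}")
    for posture_ok in posture_results:
        trace.append(cam.agent_poll(port, authenticates, posture_ok))
    trace.append(f"vlan{port.vlan}:{port.ip}")
    cam.link_down_or_recert_expired(port)
    trace.append(f"vlan{port.vlan}")
    return trace


if __name__ == "__main__":
    print(simulate(True, [False, True, True]))
```

Running the module prints the trace for a user who fails posture once, remediates, passes, and is then left alone: the third poll returns "silent" because the clean ACL denies the CAS, which is exactly the behaviour the answer's "deny ip any host <CAS>" line exists to produce.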