I have network with inside LAN users and Remote Sites users connected through Site to Site VPN with ASA.
I want to implemet the NAC so that I can Authenticate, Check and Authorize the Inside LAN users as well as the Remote Sites users (which connected through site to site VPN). Is this requirements is applicable or not? If yes, what is the best implementation design?
You will be able to authenticate and authorize both Inside LAN users and VPN users, but you will need a seperate CAS on each network to accomplish this. Below is a link with regards to VPN usage.
You also have a number of options for users on the LAN side. You can get away with one CAS for that, but they will need to be placed in L2/L3 mode. In our implementation we are using an OOB Real IP-gateway setup for our LAN users. Out-of-Band allows scalability to support multiple sites because the users are only passing through the CAS during authentication and posture assessment. Once this is complete they are placed on an access VLAN that does not force traffic to the CAS.
So you are saying that you CANNOT use a single NAS (in L2/L3 In-Band Real-IP G/W mode) to manage/monitor an inside network and a VPN? In other words, VPN implementation always requires a dedicated NAS? I am in the process of working on a NAC implementation that needs to do just that ...
Any guidance is appreciated!
That's correct. To implement NAC on an inside network and a VPN requires two NAS boxes. The NAS for the VPN must be in-band. The NAS for the inside network can be in-band or out-of-band.
Hope this helps.
Thanks for your support and explanation.
Do you have any design or configuration documentation for the IB mode implementation with Site-to-Site VPN terminated on ASA.
These are the resources I consult for all design and implementation questions:
These are the Web Sites and Blogs:
This is an excellent reference book:
Cisco NAC Appliance: Enforcing Host Security with Clean Access by Jamey Heary, Jerry Lin, Chad Sullivan, Alok Agrawal. (2007)
Hope this helps.
Does anyone have a link to the documentation that specifically states that the VPN requires its own NAS? I have looked and cannot find anything. I know that it must be in-band, but other than that, I have seen no additional restriction. This little gotcha has created a rather nice customer sat issue, so any help is appreciated.
You do not need two CAS's for LAN and Remote Access. I have deployed NAC internally and for Remote Access users with only 1 CAS. You will have to configure the CAS to be In-Band because Remote Access is dependent on that but VGW or Real-IP is up too you. Also you will need to be running 8.0 on either the ASA or PIX, but with the PIX going EOS you really should be using ASA's. I have been able to successfully configure SSO VPN with 1 CAM / CAS and an ASA running 8.0.3 but for some reason SSO VPN is not working with a PIX but I can use the CCA agent and login just fine.
Let me restate, if you have configured NAC as out of band, then yes you will need another CAS. If you have configured NAC as In-Band then no you can use the same CAS. The CAS can only be configure one way, either Out of Band or In-Band not both.
Here is a great resource if you are starting out with Cisco NAC:
Cisco's Main Page for CCA NAC:
This book is really good:
Cisco NAC Appliance
Enforcing Host Security with Clean Access
Hi i had other question in a nac vpn implementation in VG band or Real Ip gateway is possible to place an L2 switch between Cisco ASA and CAS?
I hope your help, thanks.