Cisco Support Community

NAC questions

Hi, I have a few questions concerning NAC and would like to pose them to persons who have implemented NAC appliances.

1) Does the NAC agent tie into the Windows GINA, so the user doesn't have to enter credentials twice? Also, what about MacOS X, does it tie to the system login in any way?

2) Say a user gets authenticated and passed to an Authenticated VLAN. They disconnect their laptop, go to a meeting for 2 hours, come back and dock their machine (they are already logged into their machine). Would they be required to go through the authentication phase for NAC again, or would it recognize their MAC address or talk to the NAC agent to validate with no interaction from the user?

Thanks in advance for any replies.

Accepted Solution

Re: NAC questions

Hi Rossr

I'm going to make an assumption and assume you're talking about Cisco Clean Access and not NAC Framework (which was the older 802.1x model).

1. No, the agent does not tie into the Windows GINA; the agent runs after the user logs in via the GINA. The Clean Access Server (sitting between the client machine and the AD server) has the Kerberos ports open in the NAC authentication VLAN to allow the Windows machine to first establish a Windows login to AD. Remember it's a trust model: the CAS trusts the AD to get the auth correct and then uses that info to allow or deny the user onto the network.

Here is a simple order of events for a user logging in through AD single sign-on.

- There is a trust relationship already established between the Clean Access Server and the AD server. (Look up ktpass for more info.)

- The client connects to the network and attempts to log into AD.

- The credentials are sent to AD. The AD DC authenticates and gives a Ticket Granting Ticket (TGT) to the client.

- The Clean Access Agent on the client asks the client for a Service Ticket (ST) with the CAS username to communicate with the CAS. (This is all done locally on the client machine; the communication happens in software between CCA and Kerberos.)

- The client requests a Service Ticket from AD.

- AD gives the ST to the client; the client gives this ST to the Agent.

- The Clean Access Agent is now able to communicate with the CAS.

- The CAS sends back packets and mutually authenticates the client (because it has a trust relationship with the AD).

- The CAS uses this information to sign the client onto Clean Access, and hence SSO (single sign-on) authentication takes place.

It's a brain bender, but it just works. CCA uses what is already built into the Windows environment; it does not alter the Windows registry or GINA to mess with the login process ... so I have learnt :P

2. Keep this in the back of your mind: you're not certifying users, you're certifying machines. We authenticate users, and based on their user details we place them in a VLAN based on their role. But client machines are tracked, and if a laptop has passed a posture check then it is deemed certified, no matter who logs into it successfully. So there is in effect a time-based system that can be adjusted per your security policy as to how long you want to keep a client machine certified. Some of my customers purge their certified list every 24 hours, others do it every 7 days. It also helps keep stale entries to a minimum, i.e. a contractor who connected to your network but won't be back for 3 months.

a) If a user disconnects from a NAC network, an SNMP link-down notification is sent to the CAM from the switch, informing it that a state change happened on the port. The CAM instructs that switch to move that port back into the auth VLAN.

b) If the user comes back, two things might happen:

- If you're using SSO (single sign-on), the SSO process will start and the user will be signed back into the network successfully, but the posture check will be skipped as the machine was previously certified 2 hours ago (that's if you didn't purge them from the list).

- If you're not using SSO, the user may be forced to log back into the CAA (Clean Access Agent) because the port went back to the auth network once the user disconnected their Ethernet interface, but once they authenticate the same thing will happen: their posture check will be bypassed as they were certified 2 hours earlier.

Hope this answers your questions.

Dale
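The ticket flow in the accepted answer above, as an added, simplified model that is neither Cisco's code nor part of the original post. It assumes constructed names (realm CORP.EXAMPLE, SPN cas/nac.corp.example, user rossr), replaces the Kerberos encryption types with a toy hash-keystream cipher plus HMAC, and keeps the message order the steps describe: a pre-authenticated AS exchange at the GINA logon, a TGS exchange by the agent for the CAS SPN, and an AP exchange in which the CAS opens the ticket with the key ktpass exported to its keytab and answers with a mutual-authentication reply. The rogue case shows what that keytab trust buys: a look-alike CAS without the key cannot open the service ticket.

```python
"""Toy model of the AD single sign-on flow in the accepted answer (stdlib only).
Tickets are sealed with a hash-keystream XOR plus HMAC-SHA256, a stand-in for
Kerberos encryption types; every principal, realm and password is constructed."""
import hashlib, hmac, json, secrets, time

TAG, NONCE = 32, 16            # HMAC tag and nonce sizes in bytes
LIFETIME = 10 * 3600           # ticket lifetime in seconds

def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key from a password; the principal name acts as salt (as in Kerberos)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload under key (a ticket's encrypted part, simplified)."""
    nonce, body = secrets.token_bytes(NONCE), json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))
    return hmac.new(key, nonce + ct, hashlib.sha256).digest() + nonce + ct

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal; raises ValueError when the key is wrong or the blob was altered."""
    tag, nonce, ct = blob[:TAG], blob[TAG:TAG + NONCE], blob[TAG + NONCE:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("cannot decrypt: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class DomainController:
    """AD KDC: holds every principal's key, including the CAS service key ktpass exported."""
    def __init__(self, realm: str, passwords: dict):
        self.keys = {p: string_to_key(pw, p) for p, pw in passwords.items()}
        self.tgs_key = self.keys["krbtgt/" + realm]

    def as_exchange(self, user: str, preauth: bytes):
        """AS-REQ with encrypted-timestamp pre-auth -> (TGT, reply only the user's key opens)."""
        unseal(self.keys[user], preauth)                 # wrong password -> ValueError
        sk = secrets.token_hex(16)
        tgt = seal(self.tgs_key, {"client": user, "sk": sk, "exp": time.time() + LIFETIME})
        return tgt, seal(self.keys[user], {"sk": sk})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        """TGS-REQ: validate TGT and authenticator, issue a service ticket for spn."""
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or t["exp"] < time.time():
            raise PermissionError("bad authenticator or expired TGT")
        if spn not in self.keys:
            raise LookupError("SPN not registered (no ktpass/setspn for " + spn + ")")
        sk = secrets.token_hex(16)
        st = seal(self.keys[spn], {"client": t["client"], "service": spn, "sk": sk,
                                   "exp": time.time() + LIFETIME})
        return st, seal(bytes.fromhex(t["sk"]), {"sk": sk, "service": spn})

class WindowsClient:
    """The laptop: the GINA logon fetches a TGT; the agent later asks the local
    Kerberos stack for a service ticket to the CAS SPN, with no second prompt."""
    def __init__(self, user: str, password: str, dc: DomainController):
        self.user, self.key, self.dc = user, string_to_key(password, user), dc

    def gina_logon(self):
        self.tgt, enc = self.dc.as_exchange(self.user, seal(self.key, {"ts": time.time()}))
        self.tgt_sk = bytes.fromhex(unseal(self.key, enc)["sk"])

    def service_ticket(self, spn: str):
        auth = seal(self.tgt_sk, {"client": self.user, "ts": time.time()})
        st, enc = self.dc.tgs_exchange(self.tgt, auth, spn)
        return st, bytes.fromhex(unseal(self.tgt_sk, enc)["sk"])

class CleanAccessServer:
    """CAS with its keytab key; it never contacts the DC during SSO, the ticket alone
    proves the DC authenticated this user (the trust model in the answer)."""
    def __init__(self, spn: str, keytab_key: bytes):
        self.spn, self.key, self.signed_on = spn, keytab_key, set()

    def accept(self, st: bytes, authenticator: bytes) -> bytes:
        t = unseal(self.key, st)                         # only the real keytab opens this
        if t["service"] != self.spn or t["exp"] < time.time():
            raise PermissionError("ticket not for this service or expired")
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)
        if a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
            raise PermissionError("authenticator mismatch or clock skew")
        self.signed_on.add(t["client"])                  # user is now signed on to Clean Access
        return seal(sk, {"ts": a["ts"]})                 # mutual-authentication reply

def agent_sso(client: WindowsClient, cas: CleanAccessServer) -> str:
    """Clean Access Agent: present an ST to the CAS and require the CAS to prove itself back."""
    st, sk = client.service_ticket(cas.spn)
    ts = time.time()
    reply = cas.accept(st, seal(sk, {"client": client.user, "ts": ts}))
    if unseal(sk, reply)["ts"] != ts:
        raise PermissionError("CAS failed mutual authentication")
    return client.user

def demo():
    """SSO to the real CAS succeeds; a look-alike CAS without the keytab cannot read the
    ticket. Returns (user, rogue_succeeded, users_signed_on_at_real_cas)."""
    realm, spn = "CORP.EXAMPLE", "cas/nac.corp.example"          # constructed names
    dc = DomainController(realm, {"krbtgt/" + realm: secrets.token_hex(8),
                                  "rossr": "Winter2007!", spn: "ktpass-generated-secret"})
    cas = CleanAccessServer(spn, string_to_key("ktpass-generated-secret", spn))
    laptop = WindowsClient("rossr", "Winter2007!", dc)
    laptop.gina_logon()                                          # once, at the GINA
    user = agent_sso(laptop, cas)                                # no second credential prompt
    rogue = CleanAccessServer(spn, string_to_key("no-keytab", spn))
    try:
        agent_sso(laptop, rogue)
        rogue_ok = True
    except ValueError:
        rogue_ok = False
    return user, rogue_ok, sorted(cas.signed_on)
```

Run `demo()` to walk the exchange. The expiry and clock-skew checks in `accept` are the replay limits a real service enforces, and the rogue case is why the CAS must hold the keytab produced by ktpass: a box on the auth VLAN that merely answers on the CAS address cannot open the service ticket and so cannot harvest sign-ons.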

2 REPLIES
Anonymous

Re: NAC questions

1) In a Microsoft Windows environment two sets of identity credentials can be presented to the network.

The first credential involves the concept of machine authentication, where the machine is authenticated before the user. Microsoft introduced the machine authentication facility to allow the client system to authenticate by using the identity and credentials of the computer at boot time. The client can then establish the required secure channel to update and participate in the domain Group Policy Objects (GPO) model.

Machine authentication allows the computer to authenticate itself to the network by using 802.1x, just after a PC loads device drivers at boot time. The computer can communicate with Windows domain controllers to pull down machine group policies. Domain GPOs are no longer stopped by the introduction of 802.1x.

The second type of credential used for 802.1x is user authentication. After the GINA (login screen) appears, a user can log in to the computer or the Windows domain, and the username and password used for login can be used as the identity credentials for 802.1x authentication.

2) Once the user is certified, the user VLAN changes from quarantine to access VLAN. The traffic bypasses the NAC server when moved to access VLAN and there is
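The reconnect behaviour in point 2 of the accepted answer (machines, not users, are certified; an SNMP link-down returns the port to the auth VLAN; posture is skipped on re-dock until the scheduled purge) together with the quarantine-to-access VLAN move in point 2 of the reply above, as an added model that is neither Cisco's code nor part of either post. VLAN ids, the port name, the MAC address and the user names are constructed, time is simulated, and the purge is modelled as the wholesale wipe of the certified list on a policy interval (24 hours here) that the answer describes.

```python
"""Model of the CAM's certified-device list and the port VLAN state machine from the
thread. Time is simulated, nothing sleeps; VLAN ids and names are constructed."""
from dataclasses import dataclass
from typing import Optional

HOUR = 3600
AUTH_VLAN = 100                                      # quarantine: traffic must pass the CAS
ROLE_VLANS = {"employee": 200, "contractor": 300}    # access VLANs that bypass the CAS

@dataclass
class Port:
    vlan: int = AUTH_VLAN
    mac: Optional[str] = None
    user: Optional[str] = None

class CleanAccessManager:
    def __init__(self, purge_interval: float, sso: bool):
        self.purge_interval = purge_interval   # policy knob: 24 h or 7 days in the answer
        self.sso = sso
        self.now = 0.0                         # simulated clock, seconds
        self.last_purge = 0.0
        self.certified = {}                    # mac -> time the posture check last passed
        self.ports = {}                        # port id -> Port

    def advance(self, seconds: float) -> list:
        """Move the clock and run the scheduled purge for every boundary crossed."""
        self.now += seconds
        purged = []
        while self.now - self.last_purge >= self.purge_interval:
            purged += list(self.certified)
            self.certified.clear()
            self.last_purge += self.purge_interval
        return purged

    def link_up(self, port_id: str, mac: str, user: str, role: str, posture_passes: bool) -> dict:
        """Link comes up in the auth VLAN: authenticate the user, posture-check the machine
        unless it is still certified, then move the port to the user's role VLAN."""
        port = self.ports.setdefault(port_id, Port())
        result = {"prompted": not self.sso,                 # SSO: signed on from the AD ticket
                  "posture_ran": mac not in self.certified,
                  "admitted": False, "vlan": port.vlan}
        if result["posture_ran"]:
            if not posture_passes:
                return result                               # stays quarantined for remediation
            self.certified[mac] = self.now                  # the machine, not the user, is certified
        port.mac, port.user, port.vlan = mac, user, ROLE_VLANS[role]
        result.update(admitted=True, vlan=port.vlan)
        return result

    def link_down(self, port_id: str) -> int:
        """SNMP link-down trap from the switch: the CAM puts the port back in the auth VLAN."""
        port = self.ports[port_id]
        port.vlan, port.mac, port.user = AUTH_VLAN, None, None
        return port.vlan

def scenario(sso: bool) -> list:
    """The day from the question: dock, undock for a 2-hour meeting, re-dock; then a
    colleague borrows the laptop; then the nightly purge. Returns (label, outcome) pairs."""
    cam = CleanAccessManager(purge_interval=24 * HOUR, sso=sso)
    port, mac = "Gi1/0/7", "00:11:22:33:44:55"              # constructed
    log = [("dock", cam.link_up(port, mac, "rossr", "employee", posture_passes=True))]
    cam.advance(1 * HOUR)
    log.append(("undock", cam.link_down(port)))              # port returns to AUTH_VLAN
    cam.advance(2 * HOUR)
    log.append(("re-dock", cam.link_up(port, mac, "rossr", "employee", posture_passes=True)))
    cam.advance(1 * HOUR)
    cam.link_down(port)
    log.append(("colleague", cam.link_up(port, mac, "dale", "employee", posture_passes=True)))
    log.append(("purge", cam.advance(22 * HOUR)))            # crosses the 24 h purge boundary
    cam.link_down(port)
    log.append(("next day", cam.link_up(port, mac, "rossr", "employee", posture_passes=True)))
    return log
```

`scenario(True)` gives the SSO path (no prompt on re-dock, posture skipped); `scenario(False)` is the same timeline with an agent login prompt each time the port comes back up. The `purge_interval` is the lever the answer mentions: shortening it forces a fresh posture check sooner, at the cost of more posture runs for laptops that dock and undock all day.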
