Thursday, July 2, 2009

NAC Version 4.6.1 - Now Available

NAC Appliance Version 4.6.1 was released yesterday.

Some of the new features:

Posture Assessment Support for 64-Bit Windows Operating Systems

The new NAC Agent can be installed and launched on 64-bit versions of Windows XP and Windows Vista, and can perform posture assessment and remediation on client machines. Earlier releases of Cisco NAC Appliance provided only authentication support for 64-bit client operating systems.

Agent Configuration XML File Upload Enhancement

This XML configuration file method of setting up Agents on client machines replaces the previous Clean Access Agent configuration schema requiring Windows registry setting manipulation for custom parameters. No more registry changes, hooray!

If you previously employed Windows registry settings to adjust Clean Access Agent behavior on client machines, you must specify the same settings in the XML Agent configuration file to preserve Agent behavior using the Cisco NAC Agent.

This upgrade has a ton of new agent features, as you can see in the above images, so make sure to check out the release notes and read for yourself.

4.6.1 Release Notes

And to configure these features, please reference the configuration guides:

NAC Manager Config Guide
NAC Server Config Guide

Thursday, March 19, 2009

Cisco NAC Guest Server 2.0

NAC Guest Server has changed significantly with the latest 2.0 release. From External Portal Support to AD SSO, this revision has added some key enterprise features.

The features that have hit home the most for me and my customers have been:

Active Directory Single Sign On

Cisco NAC Guest Server 2.0 can be joined to an Active Directory Domain and then automatically authenticate Internet Explorer browsers using Integrated Windows Authentication. This removes the need for sponsors to enter their username and password.

For details on configuring AD SSO, see the Configuration of Active Directory Single Sign-On for NAC Guest Server Configuration Example.

Credit Card Billing Support

Cisco NAC Guest Server 2.0 provides the ability for guests to purchase accounts via credit card support.

This means that you can now use NGS to provide ROI for guest internet access.

Management Reports

Management reports are enhanced to provide the following guest network usage information:

• Total Guest Accounts Created
• Total Authenticated Guests
• Total Cumulative Connect Time
• Sponsor Usage Reporting
• Access Summaries by Device

To see a list of all the new features in NAC Guest Server 2.0, please read the release notes:

http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/20/gsrn20.html#wp65354

And to configure these features, please reference the configuration guide:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/nacguestserver.html

Thursday, January 22, 2009

NAC NEWS UPDATES

The following is a list of new things out there in the Cisco NAC world. The NAC market continues to grow in 2009, and with that growth the products will keep evolving, getting better and gaining more options.

Security Options Abound: New NAC Release

My friends over at TechWiseTV are a huge multi-media machine, producing video, audio and podcasts. This podcast covers NAC 4.5: Alok Agrawal of the NAC Business Unit and I dive into some of the cool features of 4.5. All of the podcasts can be subscribed to through iTunes.

To access the NAC podcast go to:

http://www.cisco.com/en/US/solutions/ns340/ns339/ns638/ns719/html_TW/tw_episode_198.html

And to get more information on all the great stuff coming from Techwise TV visit:
http://www.mytechwisetv.com/
or
http://cisco.com/go/interact

NAC Layer 3 Out of Band Design Guide That Uses VRF-Lite for Traffic Isolation


Cisco wrote a new configuration guide on using VRF-Lite for traffic isolation. This is a great configuration option for NAC, but with that said never re-design your network just for NAC. VRFs can become very complex and introducing new technology into the network should be carefully planned. Using VRFs in a enterprise network does make sense, but the reasons for moving to the new network design should be a combination of the added features/benefits for Security(NAC, Guest Access, Wireless, etc.) and Network managebility, throughput, and scalability.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a3a8a7.shtml

New NAC Profiler Release

Last month a new maintenance release of Cisco NAC Profiler came out. 2.1.8-38 brings a good list of bug fixes and minor enhancements.

One minor enhancement that made it in was "Endpoint and Directory Timeout Unified Into Endpoint Timeout", which gives us more control over how endpoints are aged out of the database.

Find all the Fixes and information in the Release Notes.

The Release Notes can be found:
http://www.cisco.com/en/US/docs/security/nac/profiler/release_notes/218/218rn.html#wp101317

The new software can be downloaded at:
http://www.cisco.com/cgi-bin/tablebuild.pl/nacprofiler-2.1.8 (Requires Valid Smartnet Contract)

Wednesday, November 19, 2008

Layer 3 Out-of-Band

Background:

As NAC is deployed in larger environments, the need for flexibility goes up. Cisco has given customers the ability to deploy NAC centrally for users multiple Layer 3 hops away from the CAS, hence Layer 3 OOB. Layer 3 Out of Band has rapidly become one of the most popular deployment methodologies for NAC. This shift in popularity is based on several dynamics. The first is better utilization of hardware resources: by deploying NAC in an L3 OOB methodology, a single NAC Appliance can be made to scale to accommodate more users. It also allows the NAC Appliances to be centrally located rather than distributed across the campus or organization. Thus, L3 OOB deployments are much more cost effective from both a capital and an operational expense standpoint. From the CAS Admin Guide:

Multi-hop L3 support for out-of-band (wired) deployments enables administrators to deploy the CAS out-of-band centrally (in the core or distribution layer) to support users behind L3 switches (e.g. routed access) and, in some instances, remote users behind WAN routers. With L3 OOB, users more than one L3 hop away from the CAS are supported and their traffic only has to go through Cisco NAC Appliance for authentication/posture assessment.

With the benefits of L3 OOB come a few challenges.

Path Isolation & Quarantine Control:

Because the CAS is multiple hops away, traffic from each user must be engineered either to be forced through the CAS (VRF, GRE, L2TP, PBR) or to have the quarantine or isolation performed closer to the user. Below are the three most common deployment options and the pros and cons of each.

Policy Based Routing (PBR)
  • Pros - Forces traffic to go through the CAS, easy to configure
  • Cons - PBR must be configured on every hop between the user and the CAS
Virtual Routing and Forwarding (VRF)
  • Pros - If you have an existing MPLS topology, it is easy to create a VRF for NAC.
  • Cons - VRF must be configured on every hop between the user and the CAS
Access Control Lists (ACL)
  • Pros - Everyone knows how to configure ACLs, ACLs are written closest to the user, no changes to every device
  • Cons - Management of the ACLs can be difficult without an enterprise tool such as Network Compliance Manager or Cisco Security Manager. Because the user is not inline with the CAS, user must use a URL or have an embedded discovery host to find the CAS.

Layer 3 Subnet Requirement:

In Layer 2 deployments, isolation takes place on an Authentication or Quarantine network that is only a Layer 2 VLAN. With L3 OOB, the authentication network used to require a separate Layer 3 subnet. This caused many challenges during design, because for each user network in the environment (there could be hundreds or even thousands) a new Layer 3 IP subnet is required. The other problem with this option is that each user must change IP address when going through the NAC process, which slows the process a little and also causes the online users list in the NAC Manager to show the previous (Authentication Network) IP rather than the Data Network (real) IP of the user.

Out of this challenge comes a deployment option that is not highly publicized: L3 OOB with no IP change. But how, you may ask? If you must create a separate authentication network with a separate IP space, how can the user keep the same IP address?

L3 OOB with ACLs - IP CHANGE REQUIRED

Interface Vlan 10
description User Network
ip address 192.168.10.1 255.255.255.0
ip access-group NAC-ACCESS in
!
Interface Vlan 110
description NAC Authentication Network
ip address 192.168.110.1 255.255.255.0
ip access-group NAC-AUTH in
!
ip access-list extended NAC-AUTH
permit udp any eq bootpc any eq bootps <--- DHCP
permit udp any host 192.168.1.50 eq 53 <--- DNS
permit ip any host 192.168.1.100 <--- CAS UNTRUSTED INTERFACE
permit ip any host 192.168.1.25 <--- AD SERVER
permit tcp any host 192.168.1.10 eq 443 <--- REMEDIATION SERVER
!
ip access-list extended NAC-ACCESS
deny ip any host 192.168.1.100 <--- CAS UNTRUSTED INTERFACE
permit ip any any <--- ALLOW ALL TRAFFIC

L3 OOB with ACLs - NO IP CHANGE REQUIRED

Interface Loopback 0
ip address 192.168.10.1 255.255.255.0
!
Interface Vlan 10
description User Network
ip unnumbered loopback 0
ip access-group NAC-ACCESS in
!
Interface Vlan 110
description NAC Authentication Network
ip unnumbered loopback 0
ip access-group NAC-AUTH in
!
ip access-list extended NAC-AUTH
permit udp any eq bootpc any eq bootps <--- DHCP
permit udp any host 192.168.1.50 eq 53 <--- DNS
permit ip any host 192.168.1.100 <--- CAS UNTRUSTED INTERFACE
permit ip any host 192.168.1.25 <--- AD SERVER
permit tcp any host 192.168.1.10 eq 443 <--- REMEDIATION SERVER
!
ip access-list extended NAC-ACCESS
deny ip any host 192.168.1.100 <--- CAS UNTRUSTED INTERFACE
permit ip any any <--- ALLOW ALL TRAFFIC

Using an existing R&S feature (ip unnumbered pointing both SVIs at the same loopback) gives us the ability to have a user keep the same IP address on the authentication and access networks. The disadvantage of deploying this way is that all existing data networks must be moved to loopbacks, and it adds complexity to the design, but the advantages are clear.
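As an added example (my code, not from the post or from Cisco), a small Python matcher for the two ACLs above, evaluated against constructed packets from a client sitting in the authentication VLAN and in the access VLAN; it assumes constructed client and Internet addresses and supports only the any/host/eq forms the post's ACLs use.

```python
# Added example (mine, not the post's or Cisco's): minimal IOS-style extended ACL matcher
# covering only 'any' / 'host' address specs and 'eq' port matches, as used above.
from collections import namedtuple

# Constructed copies of the two ACLs from the post (annotation arrows removed).
NAC_AUTH = """
permit udp any eq bootpc any eq bootps
permit udp any host 192.168.1.50 eq 53
permit ip any host 192.168.1.100
permit ip any host 192.168.1.25
permit tcp any host 192.168.1.10 eq 443
"""
NAC_ACCESS = """
deny ip any host 192.168.1.100
permit ip any any
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}  # IOS keywords (subset)
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

def parse_ace(line):
    """One ACE -> (action, proto, src, sport, dst, dport); None = any / no port check."""
    tok, i = line.split(), 2
    def addr_spec():
        nonlocal i
        if tok[i] == "any":
            host, i = None, i + 1
        elif tok[i] == "host":
            host, i = tok[i + 1], i + 2
        else:
            raise ValueError("wildcard masks are not supported here: " + line)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        return host, port
    src, sport = addr_spec()
    dst, dport = addr_spec()
    return tok[0], tok[1], src, sport, dst, dport

def ace_matches(ace, pkt):
    action, proto, src, sport, dst, dport = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    checks = ((src, pkt.src), (dst, pkt.dst), (sport, pkt.sport), (dport, pkt.dport))
    return all(want is None or want == have for want, have in checks)

def evaluate(acl_text, pkt):
    """First matching ACE wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line.strip())
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

def reachability(client_ip):
    """(auth-VLAN verdict, access-VLAN verdict) for constructed traffic from client_ip."""
    samples = {
        "dhcp": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
        "dns": Packet("udp", client_ip, "192.168.1.50", 51000, 53),
        "cas": Packet("tcp", client_ip, "192.168.1.100", 51001, 443),
        "internet": Packet("tcp", client_ip, "203.0.113.10", 51002, 80),
    }
    return {k: (evaluate(NAC_AUTH, p), evaluate(NAC_ACCESS, p)) for k, p in samples.items()}

if __name__ == "__main__":
    # Both ACLs use 'any' as source, so verdicts are identical whether the client moved
    # to a 192.168.110.x address or kept its 192.168.10.x address (unnumbered SVI).
    for ip in ("192.168.110.20", "192.168.10.20"):
        print(ip, reachability(ip))
```

Because neither ACL matches on the source address, the output for the two client addresses is the same, which is exactly why the unnumbered-loopback design needs no ACL changes.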

Summary:

L3 OOB is an increasingly common deployment method for Cisco NAC. With all the benefits come a few decisions and challenges, but at the end of the day it is still preferred. Obviously you will not learn everything about L3 OOB in this short post, and without some existing background in NAC and R&S some or all of this might not make sense, but good luck and happy NACing.

Tuesday, November 18, 2008

NAC Support Logs in 4.5

Many people might be wondering what happened to the handy dandy support logs that used to be located in the "/perfigo/logs/" directory in previous NAC versions. Well, in version 4.5 there were some enhancements to the logging, and with those enhancements came a new location for the logs.

These logs are most commonly used to troubleshoot NAC during deployments. Please do not turn on advanced logging without reading the documentation fully or with the assistance of Cisco TAC.

The CAM log can be found at:

/perfigo/control/tomcat/logs/nac_manager.log

The CAS log can be found at:

/perfigo/access/tomcat/logs/nac_server.log

For those of you not familiar with what the logs contain, please feel free to reference the CAM and CAS Configuration Guides:

CAM Admin Guide - Support Logs
CAS Admin Guide - Support Logs

Thursday, November 13, 2008

NAC Version Matrix

In June of 2006, NAC Version 4.0.0 was released. Since then, Cisco has released numerous updates and features to the NAC Appliance line! Recently a member of the NAC Mailing List posted the following request:

Is there a feature matrix to compare the various versions/tracks of Cisco NAC?


So that is exactly what this post answers. It is long, but I know at least one person appreciates it!

I will explore three major lines of code: 4.0.X, 4.1.X and 4.5.X. Realistically all new deployments should be using 4.1.X or 4.5.X, but I wanted to give everyone a good overview of the older codes as well.

4.0.X

4.0.0
  • Support for Active Directory (Windows Domain) Single Sign-On (SSO)
  • Corporate Asset Authentication and Posture Assessment by MAC Address
  • Support for Layer 3 Out-of-Band (OOB) Deployment
  • New Windows Update Requirement Type
  • SMP Kernel Support for Super CAM
  • Support for Assigning VLANs by VLAN Name in OOB Deployments
  • Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments
  • Ability to Change Priority of Wildcard/Range Global Device Filters
  • Ability to View or Search Active L2 Devices in Device Filter List
  • Ability to Test MAC Addresses Against Device Filters
  • Support for Relay IP Class Restrictions on DHCP Server
  • Support for DHCP Global Actions
  • New "service perfigo maintenance" CLI Command for CAS
  • Ability of Clean Access Agent to Send IP/MAC for All Available Adapters
  • Support for Stub Installation/Update of the Clean Access Agent
  • OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
  • SNMP Enhancements for CAM
  • CAS Host-Based Traffic Policy Enhancements for Proxy Servers
  • Enhancements for DHCP Option Configuration Forms
  • Authentication Cache Timeout
4.0.1
  • Enable L3 Strict Mode
  • OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs
  • Link-Failure Based Failover in CAS HA
  • Upgrade Enhancements
  • CAM Disable Serial Login
  • CAM Admin Console Login Enhancements
  • Client OS Detection Signature Lookup
  • Start Timer Specification for Cisco Updates
  • API Enhancements
  • Enhancements for Windows XP Media Center Edition/Tablet PC
4.0.3
  • Restricted Network Access Option for Clean Access Agent Users
  • Daylight Savings Time Support
4.0.4
  • Support for Windows Vista Operating System
  • License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers
  • Improved Memory Footprint for Clean Access Agent Reports
  • Broadcast ARP Server Management Option Removed
  • Kernel Upgrade
4.0.6
  • Debug Log Download Enhancement
  • Syslog Configuration Enhancement

4.1.X

4.1.0
  • CAS Policy Fallback
  • Clean Access Agent/ActiveX/Applet DHCP Release/Renew
  • Support for GPO Update Trigger
  • Online Update to Retrieve Switch OIDs
  • Qualified Remediation Program Launch
  • Clean Access Agent for Mac OS X Authentication
  • Clean Access Agent Installation Options
  • Clean Access Agent Language Template Support
  • Clean Access Agent Silent Auditing
  • Searchable Clean Access Agent Reports
  • Certified Devices Timer Enhancements for Periodic Assessment
  • DHCP Renewal Enhancements
  • DHCP Subnet List Enhancements
  • DHCP Global Option Enhancements
  • IE 7.0 Support
  • Clean Access Agent Enhancements (4.1.0.0)
  • Port Profile Management for OOB Users
  • Enhancements to Check Parameters
  • Daylight Savings Time Support
  • Supported AV/AS Product List Enhancements (Version 42)
  • Deprecated IPsec/L2TP/PPTP/PPP Features
  • Deprecated Roaming Features

4.1.1
  • Support for Windows Vista Operating System
  • RADIUS Challenge-Response Support
  • Layer 2 Traffic Policy Support
  • Multiple Active Directory Server Support in AD SSO
  • Restricted Administrator Web Console Options Hidden from View
  • Proxy Server Basic/Digest/NTLM Authentication Support
  • VLAN Profiles
  • VLAN Pruning
  • Event Logs Enhancement
  • Agent Report Retrieval API Operation
  • Out-of-Band IP Refresh Enhancement
  • Switch Port Configuration Enhancements
  • SNMP Receiver Settings Enhancement
  • Support for Windows Vista Operating System
  • Windows Update Upon Agent Login
  • Agent Reports Show System and User Information
  • Agent IP Address Refresh/Renew Enhancement
  • CAS-Agent Discovery (SWISS) Enhancements
  • 4.1.0.x Agent Support on Release 4.1(1)
  • MAC OS RADIUS Challenge-Response Support
  • MAC OS Automatically Close Message Dialog After Successful Login
  • MAC OS IP Refresh Support for Out-of-Band Deployments
  • MAC OS Allow Only One Mac OS Agent to Run on the Client at a Time
4.1.2
  • Cisco NAC Appliance Integration with Cisco NAC Profiler/Collector Solution
  • New Cisco NAC Network Module (NME-NAC-K9) Support
  • NAC Appliance Platform Type Display
  • Debug Log Download Enhancement
  • Active VPN Client Status Page Enhancement
  • WSUS Requirement Configuration Display Enhancement
  • New "service perfigo platform" CLI Command
  • Web Login Support Using Safari Browser for Mac OS
4.1.3
  • Windows Clean Access Agent Language Template Support Enhancement
  • Cisco NAC Web Agent
  • Support for Clients with Multiple Active NICs
  • Clean Access Server HA Heartbeat Link Enhancement
  • Clean Access Manager HA Configuration and Heartbeat Link Enhancements
  • Guest User Login and Registration Enhancements
  • LDAP Authentication Enhancement
  • Clean Access Server and WSUS Interaction Enhancement
  • Agent Restricted User Access Enhancement
  • Device Filter List Display and Import/Export Enhancement
  • Agent Report Information Display and Export Enhancement
  • VPN SSO Login Enhancement
  • VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal
  • Syslog Configuration Enhancement
  • Debug Log Download Enhancement
  • cisco_api.jsp Enhancement
  • CSRF Protection
  • Proxy Support Enhancements
  • ARP Broadcast Packet Handling Improvement
  • Clean Access Server HA ARP Broadcast Enhancement
  • Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
  • Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
  • Clean Access Agent Auto Remediation
  • Delay Agent Logoff on CAM/CAS
  • 64-bit Windows Operating System Agent Support
  • Access to Authentication VLAN Change Detection Enhancement
  • SNMP Inform Notification Enhancement
  • SNMP "MAC Move Notification" Switch Port Configuration Support
4.1.6
  • Trusted Certificate Authority Enhancement for Production Environments
  • Enhanced CAM/CAS Web Console Features Certificate Warning Messages
  • Ability to View and Remove Certificate Authorities from CAM/CAS Without Rebooting
  • Enhanced Security with Server Identity Based Authorization
  • JMX Over SSL Secured with Mutual Authentication
  • HTTPS Connections Enhanced with Mutual Authentication
  • Features Optimized/Removed

4.5.X

4.5.0
  • Policy Import/Export
  • CAM/CAS SSL Certificate Management Enhancement
  • CAM/CAS Software Upload Page Enhancements
  • Database Snapshot Upgrade Enhancement
  • Clean Access Manager High Availability User Interface Enhancement
  • CAM/CAS Support Log Level Settings Enhancement
  • CAM/CAS High Availability Configuration Able to Detect Hard-Drive Failure
  • Support for Wireless Out-of-Band Deployments
  • Assign Restricted VLAN for OOB Client Machines When Disconnected
  • Certified Device List/Online User List Enhancements
  • Out-of-Band Shield Enhancement
  • Out-of-Band Discovered Clients Cleanup
  • Pre-Login Banner
  • Strong Password Support for Root Admin Users
  • External Authentication Server Support for Web Administrator Login
  • Support for Cisco NAC Appliance/NME-NAC Platforms Only
  • Web Upgrade Support Removed
  • Default CAM Web Console Password Removed
  • Windows ME/98/NT OS Support Removed

Bottom line: I recommend 4.1.6 for any new deployment that does require any of the features of 4.5.X.

Tuesday, October 21, 2008

Cisco NAC Appliance 4.5 Released

The time has come.... 4.5 is here


It can be downloaded here! (Requires a valid Smartnet contract)

As with all NAC releases, be sure to read the RELEASE NOTES before upgrading!

CAM/CAS Configuration Guides:
Bottom line is that 4.5 brings way too many features to list. That is why the release notes will help!

Look for future posts on new features and benefits!

Monday, October 20, 2008

Configuration Example - Wireless Out Of Band - New NAC 4.5 Feature

The following is a configuration guide that was posted to explain how to configure NAC 4.5 with Wireless LAN Controller 5.1 for NAC Wireless OOB support.

NAC Out-Of-Band (OOB) Wireless Configuration Example


Wireless OOB is a feature we all have been waiting for. Some of the great benefits that I see are:

- No need for a second Clean Access Server (CAS) just for wireless. If you are a smaller organization, wireless and wired can be handled on a single CAS.
- Bandwidth benefits for larger wireless infrastructures. With 10Gbps network backbones and large central wireless deployments (lots of clients), an OOB wireless deployment is a no-brainer.

This is one of a few great features coming out with NAC release 4.5.

Sunday, October 19, 2008

Coming Soon - Cisco NAC Release 4.5

Cisco is preparing for NAC Release 4.5 which will include great features like Wireless OOB, Mac Posture Assessment Support and CAM import/export of policies.

The first piece of documentation has been published:

Cisco NAC Appliance Release 4.5 - Video Data Sheet


Keep a lookout for postings on all the new features and on when the download becomes available.

Tuesday, September 30, 2008

NAC Updates

Windows Clean Access Agent Version 4.1.7 Released - Sept 30th

In this release there are a few minor resolved caveats:

- Symantec AntiVirus 10.x not fully compatible with CCA Agent
- Vista Agent does not detect MAC Address of Wireless NIC
- AVG Anti-Virus Free 8.x support for Virus Definition check

As with all upgrades, it is highly recommended to read the release notes before upgrading. Also, on a side note, remember that upgrades should be done for a purpose, either to fix a caveat or to gain new features.

Download 4.1.7 Windows Agent

Release Notes


3 NEW Configuration Examples posted to CCO

- NAC Appliance (CCA): Configure High Availability (HA) for the Clean Access Manager (CAM)
29/Sep/2008


- Deploy NAC Profiler in an Existing Out-of-Band NAC
02/Sep/2008


- Importing SSL Certificates to NAC Profiler
02/Sep/2008


To see all the previous Configuration Examples and TechNotes


How to Block Operating Systems with CCA

A friend of mine, Rob Chee, writes a blog on network security and had a great post on how to block operating systems using User Pages with CCA.

Make sure you check out his Post.

Thursday, July 31, 2008

New Configuration Example: Configure Guest Access

Cisco posted a new Configuration Guide:

NAC: Configure Guest Access
This example will walk you through how to configure the various types of guest access on the Cisco Clean Access or NAC appliance.


To see all the previous Configuration Examples and TechNotes

NEW NAC Version 4.1(6)

4.1.6 is available and you can download it here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download



4.1(6) Release Notes
As with all NAC Upgrades, the release notes are extremely important!

4.1(6) CAM Installation & Configuration Guide

4.1(6) CAS Installation & Configuration Guide