Cisco NAC Appliance Blog

Cisco Releases Idenity Services Engine (AKA ISE)

2011-06-25T20:53:00.000-04:00

Introduction

After years of innovation around Network Access Control, Cisco has released its next generation NAC solution: Identity Services Engine. ISE is combines existing loosely coupled devices AAA, profiling, posture and guest management - in single, scalability appliance. As part of the Cisco TrustSec solution and Cisco’s SecureX architecture for Borderless Networks, the Cisco Identity Service Engine provides a centralized policy engine for business relevant policy definition and enforcement. This policy work horse enables centralized, coordinated policy creation and consistent policy enforcement across the entire corporate infrastructure, from head office to branch office.

The best intro i have seen to date has been from the Rob from TechWiseTV:

ISE Features & Benefits

Visibility: Single Platform & Pane of Glass - Let IT see who and what is on the network for advanced discovery and troubleshooting

Dynamically collects & consolidates endpoint information to make adaptive policy decisions based on ‘context’
Integrates functions previously delivered in separate, loosely couples applications to deliver higher levels of policy enforcement
Inherent benefits include simplified administration, monitoring, and troubleshooting for all these functions

Policy Architecture

Context-aware enforcement: Gathers information from users, devices, infrastructure, and network services to enable organizations to enforce contextual-based business policies across the network
Business-relevant policies: Create and enforce consistent policy from the head office to the branch office
Coordinated Profiling: Allows for profiling data to be tightly integrated in to access policies. E.g. LDAP user with personal iPad gets a different privilege than the same LDAP user with Organization Owned iPad
Mobile Device Security: Dynamically identify and provision the proper policies for tablets, smartphones, GFE, etc

Compliance: Create consistent policy across the infrastructure for corporate governance.

Addresses vulnerabilities on user machines through periodic evaluation and remediation to help proactively mitigate network threats such as viruses, worms, and spyware
Ensure configuration baselines are met
Ensure patches and AV/AS definitions are up to date

Efficiency: Increase IT staff productivity by automating labor-intensive tasks and simplifying service delivery

Allows enterprises to authenticate and authorize users and endpoints via wired, wireless, and VPN with consistent policy throughout the enterprise
Dramatically reduces cost of ownership with world-class monitoring and troubleshooting features designed to streamline operations for your helpdesk and support teams

Compatibility: Cisco Infrastructure Integration AND a standards based platform

ISE integration is thoroughly tested systematically across all cisco switches
Because 802.1X is a standard, 3^rd party device support is inherit
A Few of the Cisco Switch Features that help with deployment:

Open Mode – Allow customers to deploy day 1 without causing any outages and ease with deployment and rollout of 802.1X
Multi Authentication – Allows for hubs, desktop VMs, etc to use a single port to authenticate and apply differentiating policies
Security Group Access (SGA)

Packaging and Licensing

Cisco Identity Services Engine is available as either a physical or virtual appliance. The type of license is based on functionality.

The Base license is intended for organizations that want to authenticate and authorize users and devices on their network. It includes AAA services, guest lifecycle management, compliance reporting, and end-to-end monitoring and troubleshooting.
The Advanced license expands upon the BASE and enables organizations to make policy decisions based on user and device compliance. Advanced license features include device profiling, posture services, and security group access enforcement capabilities.

Summary

ISE will be the platform that enables organizations to finally utilize port security, deal with the ever evolving enterprise and ensure they are able to deploy in days/weeks vs. months/years. Check back for some detailed technical write-ups on configuration, best practices and use cases.

ISE Documentation

NAC Version 4.6.1 - Now Available

2009-07-02T09:09:00.005-04:00

NAC Appliance Version 4.6.1 was release yesterday.

Some of the new features:

Posture Assessment Support for 64-Bit Windows Operating Systems

The new NAC Agent can be installed and launched on 64-bit versions of Windows XP and Windows Vista, and can perform posture assessment and remediation on client machines. Earlier releases of Cisco NAC Appliance provided only authentication support for 64-bit client operating systems.

Agent Configuration XML File Upload Enhancement

This XML configuration file method of setting up Agents on client machines replaces the previous Clean Access Agent configuration schema requiring Windows registry setting manipulation for custom parameters. No more registry changes, hooray!

If you previously employed Windows registry settings to adjust Clean Access Agent behavior on client machines, you must specify the same settings in the XML Agent configuration file to preserve Agent behavior using the Cisco NAC Agent.
This upgrade has a ton of new agent features, as you can see in the above images, so make sure to check out the release notes and read for yourself.

4.6.1 Release Notes

And to configure these features, please reference the configuration guides:

NAC Manager Config Guide
NAC Server Config Guide

Cisco NAC Guest Server 2.0

2009-03-19T10:16:00.003-04:00

NAC Guest Server has changed significantly with the latest 2.0 release. From External Portal Support to AD SSO, this revision has added some key enterprise features.

The features that have hit home the most for myself and my customers have been:

Active Directory Single Sign On

Cisco NAC Guest Server 2.0 can be joined to an Active Directory Domain and then automatically authenticate Internet Explorer browsers using Integrated Windows Authentication. This removes the need for sponsors to enter their username and password.

For details on configuration of ADSSO, see the Configuration of Active Directory Single Sign-On for NAC Guest Server Configuration Example

Credit Card Billing Support

Cisco NAC Guest Server 2.0 provides the ability for guests to purchase accounts via credit card support.

This means that you can now use NGS to provide ROI for guest internet access.

Management Reports

Management reports are enhanced to provide the following guest network usage information:

•Total Guest Accounts Created
•Total Authenticated Guests
•Total Cumulative Connect Time
•Sponsor Usage Reporting
•Access Summaries by Device

To See a list of all the new features in NAC Guest Server 2.0, please read the the release notes:

http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/20/gsrn20.html#wp65354

And to configure these features, please reference the configuration guide:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/nacguestserver.html

NAC NEWS UPDATES

2009-01-22T09:13:00.007-05:00

The following is a list of new things out there in the Cisco NAC World. The NAC Market is continuing to grow in 2009 and with the growth the products will continue to evolve, get better and have more options.

Security Options Abound: New NAC Release

My friends over at TechWiseTV are a huge multi-media machine, producing video, audio and podcasts. Well this PodCast is on NAC 4.5, Alok Agrawal of the NAC Business Unit and Myself dive into some of the cool features of 4.5. All of the podcasts can be subscribed to through iTunes.

To access the NAC podcast go to:

http://www.cisco.com/en/US/solutions/ns340/ns339/ns638/ns719/html_TW/tw_episode_198.html

And to get more information on all the great stuff coming from Techwise TV visit:
http://www.mytechwisetv.com/
or
http://cisco.com/go/interact

NAC Layer 3 Out of Band Design Guide That Uses VRF-Lite for Traffic Isolation

Cisco wrote a new configuration guide on using VRF-Lite for traffic isolation. This is a great configuration option for NAC, but with that said never re-design your network just for NAC. VRFs can become very complex and introducing new technology into the network should be carefully planned. Using VRFs in a enterprise network does make sense, but the reasons for moving to the new network design should be a combination of the added features/benefits for Security(NAC, Guest Access, Wireless, etc.) and Network managebility, throughput, and scalability.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a3a8a7.shtml

New NAC Profiler Release

Last month a new maintenance release of Cisco NAC Profiler came out. 2.1.8-38 brings a good list of BugFixes and minor enhancements.

One Minor Enhancement that made it was Endpoint and Directory Timeout Unified Into Endpoint Timeout, which gives us more control on how to age out endpoints out of the database.

Find all the Fixes and information in the Release Notes.

The Release Notes can be found:
http://www.cisco.com/en/US/docs/security/nac/profiler/release_notes/218/218rn.html#wp101317

The new software can be download at:
http://www.cisco.com/cgi-bin/tablebuild.pl/nacprofiler-2.1.8 (Requires Valid Smartnet Contract)

NAC Support Logs in 4.5

2008-11-18T11:17:00.004-05:00

Many people might be wondering what happen to the handy dandy support logs that used to be located in the "/perfigo/logs/" directory in previous NAC versions. Well in version 4.5 there were some enhancements to the logging and with those enhancements came new placement of the logs.

These logs are most commonly used to troubleshoot NAC during deployments. Please do not turn on advanced logging without reading the documentation fully or with the assistance of Cisco TAC.

The CAM log can be found at:

/perfigo/control/tomcat/logs/nac_manager.log

The CAS log can be found at:

/perfigo/access/tomcat/logs/nac_server.log

For those of you not familiar with what the logs contain, please feel free to reference the CAM and CAS Configuration Guides:

CAM Admin Guide - Support Logs
CAS Admin Guide - Support Logs

NAC Version Matrix

2008-11-13T10:49:00.003-05:00

In June of 2006, NAC Version 4.0.0 was released. Since then, Cisco has released numerous updates and features to the NAC Appliance line! Recently a member of the NAC Mailing List posted the following request:

Is there a feature matrix to compare the various versions/tracks of
Cisco NAC?

So that is exactly what this posts answers. It is long, but I know at least one person appreciates it!

I will explore 3 major lines of code.. 4.0.X, 4.1.X and 4.5.X. Realistically all new deployments should be using 4.1.X or 4.5.X, but I wanted to give a good overview for everyone on older codes.

4.0.X

4.0.0

Support for Active Directory (Windows Domain) Single Sign-On (SSO)
Corporate Asset Authentication and Posture Assessment by MAC Address
Support for Layer 3 Out-of-Band (OOB) Deployment
New Windows Update Requirement Type
SMP Kernel Support for Super CAM
Support for Assigning VLANs by VLAN Name in OOB Deployments
Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments
Ability to Change Priority of Wildcard/Range Global Device Filters
Ability to View or Search Active L2 Devices in Device Filter List
Ability to Test MAC Addresses Against Device Filters
Support for Relay IP Class Restrictions on DHCP Server
Support for DHCP Global Actions
New "service perfigo maintenance" CLI Command for CAS
Ability of Clean Access Agent to Send IP/MAC for All Available Adapters
Support for Stub Installation/Update of the Clean Access Agent
OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
SNMP Enhancements for CAM
CAS Host-Based Traffic Policy Enhancements for Proxy Servers
Enhancements for DHCP Option Configuration Forms
Authentication Cache Timeout

4.0.1

Enable L3 Strict Mode
OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs
Link-Failure Based Failover in CAS HA
Upgrade Enhancements
CAM Disable Serial Login
CAM Admin Console Login Enhancements
Client OS Detection Signature Lookup
Start Timer Specification for Cisco Updates
API Enhancements
Enhancements for Windows XP Media Center Edition/Tablet PC

4.0.3

Restricted Network Access Option for Clean Access Agent Users
Daylight Savings Time Support

4.0.4

Support for Windows Vista Operating System
License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers
Improved Memory Footprint for Clean Access Agent Reports
Broadcast ARP Server Management Option Removed
Kernel Upgrade

4.0.6

Debug Log Download Enhancement
Syslog Configuration Enhancement

4.1.X

4.1.0

CAS Policy Fallback
Clean Access Agent/ActiveX/Applet DHCP Release/Renew
Support for GPO Update Trigger
Online Update to Retrieve Switch OIDs
Qualified Remediation Program Launch
Clean Access Agent for Mac OS X Authentication
Clean Access Agent Installation Options
Clean Access Agent Language Template Support
Clean Access Agent Silent Auditing
Searchable Clean Access Agent Reports
Certified Devices Timer Enhancements for Periodic Assessment
DHCP Renewal Enhancements
DHCP Subnet List Enhancements
DHCP Global Option Enhancements
IE 7.0 Support
Clean Access Agent Enhancements (4.1.0.0)
Port Profile Management for OOB Users
Enhancements to Check Parameters
Daylight Savings Time Support
Supported AV/AS Product List Enhancements (Version 42)
Deprecated IPsec/L2TP/PPTP/PPP Features
Deprecated Roaming Features

4.1.1

Support for Windows Vista Operating System
RADIUS Challenge-Response Support
Layer 2 Traffic Policy Support
Multiple Active Directory Server Support in AD SSO
Restricted Administrator Web Console Options Hidden from View
Proxy Server Basic/Digest/NTLM Authentication Support
VLAN Profiles
VLAN Pruning
Event Logs Enhancement
Agent Report Retrieval API Operation
Out-of-Band IP Refresh Enhancement
Switch Port Configuration Enhancements
SNMP Receiver Settings Enhancement
Support for Windows Vista Operating System
Windows Update Upon Agent Login
Agent Reports Show System and User Information
Agent IP Address Refresh/Renew Enhancement
CAS-Agent Discovery (SWISS) Enhancements
4.1.0.x Agent Support on Release 4.1(1)
MAC OS RADIUS Challenge-Response Support
MAC OS Automatically Close Message Dialog After Successful Login
MAC OS IP Refresh Support for Out-of-Band Deployments
MAC OS Allow Only One Mac OS Agent to Run on the Client at a Time

4.1.2

Cisco NAC Appliance Integration with Cisco NAC Profiler/Collector Solution
New Cisco NAC Network Module (NME-NAC-K9) Support
NAC Appliance Platform Type Display
Debug Log Download Enhancement
Active VPN Client Status Page Enhancement
WSUS Requirement Configuration Display Enhancement
New "service perfigo platform" CLI Command
Web Login Support Using Safari Browser for Mac OS

4.1.3

Windows Clean Access Agent Language Template Support Enhancement
Cisco NAC Web Agent
Support for Clients with Multiple Active NICs
Clean Access Server HA Heartbeat Link Enhancement
Clean Access Manager HA Configuration and Heartbeat Link Enhancements
Guest User Login and Registration Enhancements
LDAP Authentication Enhancement
Clean Access Server and WSUS Interaction Enhancement
Agent Restricted User Access Enhancement
Device Filter List Display and Import/Export Enhancement
Agent Report Information Display and Export Enhancement
VPN SSO Login Enhancement
VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal
Syslog Configuration Enhancement
Debug Log Download Enhancement
cisco_api.jsp Enhancement
CSRF Protection
Proxy Support Enhancements
ARP Broadcast Packet Handling Improvement
Clean Access Server HA ARP Broadcast Enhancement
Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
Clean Access Agent Auto Remediation
Delay Agent Logoff on CAM/CAS
64-bit Windows Operating System Agent Support
Access to Authentication VLAN Change Detection Enhancement
SNMP Inform Notification Enhancement
SNMP "MAC Move Notification" Switch Port Configuration Support

4.1.6

Trusted Certificate Authority Enhancement for Production Environments
Enhanced CAM/CAS Web Console Features Certificate Warning Messages
Ability to View and Remove Certificate Authorities from CAM/CAS Without Rebooting
Enhanced Security with Server Identity Based Authorization
JMX Over SSL Secured with Mutual Authentication
HTTPS Connections Enhanced with Mutual Authentication
Features Optimized/Removed

4.5.X

4.5.0

Policy Import/Export
CAM/CAS SSL Certificate Management Enhancement
CAM/CAS Software Upload Page Enhancements
Database Snapshot Upgrade Enhancement
Clean Access Manager High Availability User Interface Enhancement
CAM/CAS Support Log Level Settings Enhancement
CAM/CAS High Availability Configuration Able to Detect Hard-Drive Failure
Support for Wireless Out-of-Band Deployments
Assign Restricted VLAN for OOB Client Machines When Disconnected
Certified Device List/Online User List Enhancements
Out-of-Band Shield Enhancement
Out-of-Band Discovered Clients Cleanup
Pre-Login Banner
Strong Password Support for Root Admin Users
External Authentication Server Support for Web Administrator Login
Support for Cisco NAC Appliance/NME-NAC Platforms Only
Web Upgrade Support Removed
Default CAM Web Console Password Removed
Windows ME/98/NT OS Support Removed

Bottom Line, I recommend 4.1.6 for any new deployment that does require any of the features of 4.5.X

Cisco NAC Appliance 4.5 Released

2008-10-21T21:01:00.005-04:00

The time has come.... 4.5 is here

It can be downloaded here! (Require Valid Smartnet Contract)

As with all NAC releases, be sure to read the RELEASE NOTES before upgrading!

CAM/CAS Configuration Guides:

Bottom line is that 4.5 brings way too many features to list. That is why the release notes will help!

Looks for future posts on new features and benefits!

Configuration Example - Wireless Out Of Band - New NAC 4.5 Feature

2008-10-20T10:19:00.004-04:00

The following is a configuration guide that was posted to explain how to configure NAC 4.5 with Wireless LAN Controller 5.1 for NAC Wireless OOB support.

NAC Out-Of-Band (OOB) Wireless Configuration Example

Wireless OOB is a feature we all have been waiting for. Some of the great benefits that I see are:

- No need for a second Clean Access Server(CAS) just for wireless. If you are a smaller organization wireless and wired can be performed on a single CAS.
- Bandwidth benefits for larger wireless infrastructures. With 10Gbps network backbones and large central wireless deployments(lots of clients), having a OOB wireless deployment is a no brainer.

This is one of a few great features coming out with NAC release 4.5.

Coming Soon - Cisco NAC Release 4.5

2008-10-19T08:52:00.004-04:00

Cisco is preparing for NAC Release 4.5 which will include great features like Wireless OOB, Mac Posture Assessment Support and CAM import/export of policies.

The first piece of documentation has been published:

Cisco NAC Appliance Release 4.5 - Video Data Sheet

Keep a lookout for posting on all the new features and when the download becomes available.

NAC Updates

2008-09-30T20:02:00.003-04:00

Windows Clean Access Agent Version 4.1.7 Released - Sept 30th

In this release their are a few minor resolved caveats:

- Symantec AntiVirus 10.x not fully compatible with CCA Agent
- Vista Agent does not detect MAC Address of Wireless NIC
- AVG Anti-Virus Free 8.x support for Virus Definition check

As with all upgrades, it is highly recommended to read the release notes before upgrading. Also, on a side note, remember that upgrades should be done for a purpose, either to fix a caveat or to gain new features.

Download 4.1.7 Windows Agent

Release Notes

3 NEW Configuration Examples posted to CCO

- NAC Appliance (CCA): Configure High Availability (HA) for the Clean Access Manager (CAM)
29/Sep/2008

- Deploy NAC Profiler in an Existing Out-of-Band NAC
02/Sep/2008

- Importing SSL Certificates to NAC Profiler
02/Sep/2008

To see all the previous Configuration Examples and TechNotes

How to Block Operating Systems with CCA

A friend of mine, Rob Chee, writes a blog on network security and had a great post on how to block operating systems using User Pages with CCA.

Make sure you check out his Post.

New Configuration Example: Configure Guest Access

2008-07-31T19:37:00.004-04:00

Cisco posted a new Configuration Guide:

NAC: Configure Guest Access
This example will walk you through how to configure the various types of guest access on the Cisco Clean Access or NAC appliance.

To see all the previous Configuration Examples and TechNotes

NEW NAC Version 4.1(6)

2008-07-31T17:04:00.005-04:00

4.1.6 is available and you can download it here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download

4.1(6) Release Notes
As with all NAC Upgrades, the release notes are extremely important!

4.1(6) CAM Installation & Configuration Guide

4.1(6) CAS Installation & Configuration Guide

Ask the Expert - Cisco NAC Guest Server

2008-07-16T18:36:00.003-04:00

Click Here to Begin

This is a great forum to ask your NAC Guest Server questions. Syed is apart of the stellar NAC business unit and focuses on Guest Server. Please read the detailed description below:

This is an opportunity to get an update on the new Cisco NAC Guest Server which works with either Cisco NAC Appliance or Cisco wireless LAN controllers to manage the entire lifecycle of guest access with Cisco expert Syed Ghayur. Syed is a technical marketing engineer in the product marketing team for the Cisco Network Access Control (NAC) Appliance. He also works on global scalability of the product, documentation, partner training, and system engineer trainings. In addition, he works closely with the Cisco Technical Assistance Center (TAC) to resolve complex issues and product related bugs. Early this year, he joined the Security Technology Group (STG) as technical marketing engineer for NAC Appliance.

Remember to use the rating system to let Syed know if you have received an adequate response.

Syed might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 25, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

NAC Manager (CAM) Backups

2008-06-24T13:56:00.009-04:00

Background:

The Cisco NAC Manager is the brain of the Cisco NAC solution. All configuration is stored in a database which makes the solution scalable. With that said, a crucial step in any deployment is developing a backup plan to ensure that if the NAC Manager or Failover Pair fails(Hardware failure, database corruption, administrator configuration mistake, fire, flood, sinkhole, etc.) the database can be restored and everything will be back up and working!

What gets backed up:

Everything that is stored in the database gets backed up. The following is a list of items that get backed up:

o Clean Access Server Configuration information (DHCP, Managed Subnets, VLAN Mapping, Static Routes, filters, etc.)
o Filters (Device Filters, Subnet Filters)
o Posture Assessment (Checks, Rules, Requirements,etc)
o Switch Management
o User Management (User Roles, Auth Servers, User Pages, Admin Users)
o Reports
o Licenses

What doesn't get backed up:

The less talked about item is what is not backed up. The following is a list of things that must be backed up manually during deployment and are not included in the database backup:

o Initial Configuration Information (service perfigo config) for the Managers and Servers. This means that good documentation of the initial network placement and ip addresses is a MUST.
o Failover Configuration (Good documentation will be the solution)
o Certificates (This is the #1 forgotten piece of information) Make sure to backup the private keys, root certificates, and CAM/CAS Certificates

Manual Backups:

The NAC Manager supports manual backups by going to administration -> backup, name the snapshot and hit "Create Snapshot". The snapshot may be downloaded to the local pc, if desired.

Figure 1 – Manual Backups

Automatic On-Box Backups:

The NAC Manager automatically creates daily snapshots of the Clean Access Manager database and preserves the most recent from the last 30 days. It also automatically creates snapshots before and after software upgrades, and before and after failover events. No configuration is required to enable these automatic backups. These backups are stored at /perfigo/backup directory.

Figure 2 – Automatic On-Box Backups

Automatic Off-Box Backups:

The first two methods are great, but what happens if the CAM gets caught in a fire? This is why creating a backup strategy to include automatically sending backups to another device that will not take the same hit as the CAM(Think different location) is vital. Cisco has provided a script located on the CAM(/perfigo/control/bin/) called pg_backup that will take a database backup and send it to an external FTP server. The following is a list of procedures to use the pg_backup script to send your DB backup to a ftp server nightly(See example for details):

o Login to the CAM as root
o cd /perfigo/control/bin
o Test using the pg_backup script
o Create a crontab file to use with cron (Example shows running pg_backup every morning at 2:30am)
o Import the crontab file
o Verify the file imported correctly

Figure 3 – Automatic Off-Box Backups

If ftp is not available within an organization SCP/NFS/SFTP may be utilized by creating a custom backup script or hiring a consultant to create one for the organization. Also, please note the pg_backup script names the file "csdb.gz". In order to keep multiple backups, create a backup rotation script on the ftp server or modify pg_backup to include a date.

Summary:

Backups are vital to ensuring NAC will be up and running quickly through any failure. Be sure with any deployment a strong backup strategy is included.

Sources: CAM Installation & Configuration Guide v4.1.3

Coming Up Next: Restores

Happy Cisco-Live week to everyone attending in Orlando and make sure to sign up for the NAC Deployment or NAC Troubleshooting session.

Cisco NAC Guest Server 1.1.1

2008-06-10T23:25:00.001-04:00

On June 9th, Cisco posted an update to NAC Guest Server.

Version 1.1.1 comes with a few new features:

Guest Role Support
Guest Role Support provides the ability for Sponsors to create guest accounts with different privileges. This includes provisioning into different roles on the Clean Access Manager, returning different RADIUS attributes to RADIUS clients or only allowing access from specified networks.

Additional NTP Server
The 1.1.1 release introduces the ability to configure two NTP servers instead of a single NTP server in 1.1.0.

FTP Backup Directory
The 1.1.1 release allows a directory to be specified as part of the scheduled FTP backup, prior versions placed the backup in the default directory of the FTP user account.

As with all NAC related upgrades make sure to read the RELEASE NOTES before upgrading!

The NAC Guest Server Installation & Configuration Guide 1.1.1 can be used for reference of the new features.

Finally to download the new version go to the NAC Guest Server Download Page. (Requires Valid CCO Login)

New Configuration Examples

2008-06-10T22:43:00.004-04:00

Cisco posted two new Configuration Guides:

NAC: LDAP over SSL on the Clean Access Manager (CAM)
This example will walk you through using SSL with your LDAP Auth Server.

NAC: LDAP Integration with ACS Configuration Example
This example will explain how to use Cisco NAC Profiler for MAC Auth Bypass(MAB) for 802.1X deployments.

To see all the previous Configuration Examples and TechNotes

Cisco NAC with IP Phones

2008-06-02T21:08:00.007-04:00

Background:

One question that many people ask is how to deal with IP Phones during your NAC Deployment. Well the easy answer is "it depends", but what does it really depend on...

Identify all of the phones:

To find all of the phones on your network you may manually go through your Call-Manager or other Voice Server and export a list or utilize Cisco NAC Profiler to find all the phones. Please note that you must keep an updated list of all IP Phones in the CAM Device Filter Table in order for NAC to exclude the phones.

Determine your NAC deployment type:

When deploying an In-Band (IB) NAC Deployment, handling phones is very simplistic. One deployment option is when all of the phones are on a Voice VLAN they should bypass NAC. Meaning if the voice VLAN is NOT be bridged or routed through the CAS, the phones will never go through NAC. Another possibility, is the phones are on the same VLAN as users.(Please note it is a best practice to separate your voice devices from data devices for security reasons and also performance/QoS). If you do have data and voice merged and you have an IB deployment, then identify all phones' MAC Addresses and add them into the Device Filter Table as an "Allow Filter". This allows the MAC Addresses of the phones to go through the CAS without authentication or posture assessment.

Figure 1 - Allow Filter for a phone (IB deployment with Data/Voice Combined)

When deploying an Out-of-Band (OOB) NAC deployment, there are a few more things to think about. OOB works by setting a port's VLAN to an authentication/quarantine VLAN during the NAC process and then changing the VLAN to an access VLAN after the user is finished. When PCs are plugged into phones, you must ensure a few basics are covered.

Don't miss a call, even when NAC is deployed:

The first basic step required to make sure NAC does not interfere with phones is to ignore all traps regarding phones plugging in. This is done, by adding in a device filter with the type "ignore" into the CAM. Please note that this configuration is regardless of the vendor/type of phone.

Figure 2 - Ignore Filter for a phone (OOB deployment)
The next step is to ensure that all port profiles being used do not bounce the port for OOB. If the CAM bounces the port then the Phone in front of the PC will get rebooted which will then cause missed calls,etc.

If you ensure these two steps are performed, then deploying NAC with phones is going to be easy.

Behind the scenes:

Cisco NAC Appliance may be deployed with most any type of phone. The key is to understand how NAC works. There are two basic ways to configure a switchport with a PC and a Phone:

Switchport with a Cisco IP Phone or other vendor IP Phone using CDP:

interface gigabitethernet 0/1
switchport mode access
switchport access vlan 10 <--- This is the VLAN NAC will change switchport voice vlan 11 <-- NAC will NEVER change this VLAN With this deployment type, NAC will never modify the voice VLAN thus never affect the phone. Switchport with an Avaya IP Phone or other vendor IP Phone using Trunking:

interface gigabitethernet 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10 <--- This is the VLAN NAC will change In this example, the phone will be tagging its frames on the Voice VLAN and the phone must pass the PC's frames through untagged. This ensures that the CAM can change the native VLAN of the port which will force the PC to either go through NAC or not. Summary:

Hopefully this answers everyones questions of how to deploy Cisco NAC Appliance with IP Phones. Keep the questions coming(JSanbower@hotmail.com) and I will be sure to keep posting!

NAC Updates

2008-04-11T15:13:00.005-04:00

I want to apologize for the lack of posts over the past couple of months. I have been out performing NAC Deployments non-stop.

I thought I would kick things off by offering some updates on the latest software release. Look for more custom check and best practice posts soon. Also, if anyone has any requests on something they would like to see posted about let me know!

Cisco Clean Access Agent 4.1.3.2
Some updates to the original 4.1.3.0 Agent has been made, refer to the release notes for all enhancements, bug fixes, etc.

Cisco NAC Profiler 2.1.8-37
On April 7th, Cisco released an upgrade to NAC Profiler.
Release Notes | Documentation

Cisco NAC Guest Server 1.1.0
Cisco released an upgrade to the Guest Server. Check out the documentation for all enhancements/fixes
Release Notes | Documentation

New NAC NEWS - ChalkTalks and PodCasts

2008-03-09T21:08:00.004-04:00

If everyone out there has not heard yet, there is a spring 2008 chalktalk series going on currently. The chalk talks are very technical and can give everyone great insight into the topics discussed.

March 13th - Cisco NAC Deployment Methodologies
March 20th - Troubleshooting Cisco NAC Appliance
March 27th - NAC Profiler Best Practices

All can be seen at 10am PDT at http://premium.meetingplace.net with meeting ID 434343

Also, Robb Boyd and the TechWise TV team posted a podcast on Troubleshooting Cisco NAC Appliance. It features "rockstar" Prem Ananthakrishnan, one of the great TMEs from the NAC BU.

NAC Troubleshooting Podcast

NAC Appliance episode on TechwiseTV

2008-01-21T23:28:00.000-05:00

There is a new TechWiseTV episode about to be taped, focusing on Cisco NAC Appliance and the producers are looking for feedback as to what the episode should focus on. The main presenter will be Alok Agrawal, one of the Technical Marketing Engineers from the Cisco NAC Business Unit. If you have never seen TechWiseTV, it is a highly technical show focusing on getting answers to the tough questions. I can promise that if enough of you want a topic discussed that Alok will definately be put on the spot to give you an answer. So please visit their website and start posting about what you are interested in hearing explained:

http://www.mytechwisetv.com/page/30+Network+Admission+Control

The following is a draft of the topics discussed:

Proposed Segmentation:
Segment 1: NAC Foundational Concepts -

What is it, why do we need it, why now?
Where does 802.1x fit, what problems can be solved here, etc.
Posture Assesment - more than just AV and Spyware
Client vs. Clientless, Inband vs. Out of Band, Remediation, Non-Cisco applications
Server, Manager, Agent Communication, Rule Set updates.

Segment 2: Server Deployment Modes

Virtual and Real IP Gateway
Layer 2 and Layer 3
In-band and Out of Band
Client & Temporal Agent

Segment 3: Topology and Design Considerations

VPN
Wireless
Remote Sites
Campus

Segment 4: Device Profiling

NAC Profiler
Collector
Design Choices/Trade-offs

NEW 4.1(3) Feature - Cisco NAC Web Agent

2007-12-22T20:23:00.000-05:00

Background:

One of the much waited for features in the NAC 4.1(3) release is the NAC Web Agent. "The Cisco NAC Web Agent provides temporal vulnerability assessment for client machines. Users launch the Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet. When the user terminates the Web Agent session, the Web Agent logs the user off of the network and their user ID disappears from the Online Users list."

In short, it is a temporary agent that gives the ability to have a detailed posture assessment performed on a machine that it is not desired to or can't install software on.

Figure 1 – Cisco NAC Web Agent

The Spotlight:

The NAC Web Agent is a great addition to the capabilities of Cisco NAC Portfolio. The following is a functionality to agent type(CAA vs. Web Agnet) comparison. It includes some of the major benefits of each agent type to give everyone a better idea of where the new NAC Web Agent fits into their deployment.

Cisco Clean Access Agent

- Favorable end user experience - After the CAA is installed, the user does NOT have to open up a web browser every time NAC has to perform Authentication and Posture Assessment.

- Active Directory SSO - Without the CAA, internal users cannot perform ADSSO.

- Automatic Remediation - CAA walks users step-by-step through what they need to do to become compliant.

Cisco NAC Web Agent

- No Administrative Rights Required - The Web Agent only requires the rights to run Java or Active-X by the browser for it to successfully install and perform posture assessment. Some guests/visitors do not have the administrator rights necessary to install the full blown CAA, which makes the Web Agent very attractive.

- No permanent software installation - Using the Web agent takes away any chance of someone complaining of the software they downloaded at your location is the reason their computer crashed.

- Detailed Posture Assessment - The Web Agent can perform the same exact checks(Registry, File, Service, and Application) as the CAA. The only caveat is that the remediation is a manual process. The administrator may present a link to the user, but after remediation the user must click "Re-Scan" to be permitted access.

- Scan cannot be blocked by a personal firewall - As basic as this sounds, the Network Scanning capability is used a lot in the field to perform scans of guests and contractors. The problem is that a majority of users today are running some form of personal firewall rendering the network scanning useless. The NAC Web Agent is run locally on the machine to enforce posture assessment, which puts network scanning on the back burner.

Configuring Cisco NAC Web Agent:

The good news is if you have ever configured posture assessment for the CAA, then you have already configured posture assessment for the Cisco NAC Web Agent. For more information on configuring Posture Assessment, check out the CAM Installation & Configuration Guide or Cisco NAC Chalk Talk 5. The only background that should be mentioned is when creating requirements for the Web Agent it is a best practice to use a Link type requirement, so that the end user can click on the appropriate link to remediate.

The first step to enabling the web agent is to create a or modify your existing User Page. The most important option is the "Web Client (ActiveX/Applet)" setting which tells NAC which type of web agent to use or prefer. e.g. Active X or Java

The next step is to require the use of the Web Agent for the relevant Roles.

Figure 2 – Require the use of the Cisco NAC Web Agent

The final step is to assign requirements to the roles that requires the web agent.

The end user experience:

Figure 3 – Cisco NAC Web Agent end user process flow

Summary:

The Cisco NAC Web Agent is definitely going to be a highly used feature in most Cisco NAC deployments. It is fairly straight forward to understand and configure. I encourage everyone to check it out along with all the great new features in 4.1(3).

Sources: 4.1(3) Release Notes; 4.1(3) CAM Installation & Configuration Guide

NAC Version 4.1(3)

2007-12-21T12:07:00.000-05:00

4.1.3 is available and you can download it here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download

4.1.3 Release Notes
As with all NAC Upgrades, the release notes are extremely important!

4.1.3 CAM Installation & Configuration Guide

4.1.3 CAS Installation & Configuration Guide

Enhancements in Release 4.1(3)

General Enhancements

• Cisco NAC Web Agent

• Support for Clients with Multiple Active NICs

• Clean Access Server HA Heartbeat Link Enhancement

• Clean Access Manager HA Configuration and Heartbeat Link Enhancements

• Guest User Login and Registration Enhancements

• LDAP Authentication Enhancement

• Clean Access Server and WSUS Interaction Enhancement

• Agent Restricted User Access Enhancement

• Device Filter List Display and Import/Export Enhancement

• Agent Report Information Display and Export Enhancement

• VPN SSO Login Enhancement

• Syslog Configuration Enhancement

• Debug Log Download Enhancement

• cisco_api.jsp Enhancement

• CSRF Protection

• Proxy Support Enhancements

• ARP Broadcast Packet Handling Improvement

• Clean Access Server HA ARP Broadcast Enhancement

• Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature

• Previously-Deprecated Features Removed from CAM/CAS Web Console Pages

• Supported AV/AS Product List Enhancements (Version 67)

Out-of-Band Enhancements

• Access to Authentication VLAN Change Detection Enhancement

• SNMP Inform Notification Enhancement

• SNMP "MAC Move Notification" Switch Port Configuration Support

Clean Access Agent Enhancements

• Clean Access Agent Auto Remediation

• Windows Clean Access Agent Version 4.1.3.0

• Mac OS X Clean Access Agent Version 4.1.3.0

Look out for more detailed explainations and configuration examples from the new features and functionality.

Cisco NAC Guest Server Documentation

2007-11-12T22:30:00.000-05:00

Bulletin
http://www.cisco.com/en/US/products/ps6128/prod_bulletin0900aecd806f3235.html

Data Sheet
http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd806e98c9.html

Q&A
http://www.cisco.com/en/US/products/ps6128/products_qanda_item0900aecd806f525a.shtml

Release Notes 1.0.0
http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/10/gsrn100.html

Configuration Guide 1.0.0
http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/10/nacguestserver.html

Deploying Cisco NAC Profiler

2007-11-09T12:11:00.000-05:00

Background:

Cisco NAC Profiler is an OEM software from Great Bay Software’s Beacon product(Read more). The basis and need for NAC Profiler is to secure Non-Responsive Hosts(NRHs). This is performed by using state of the art Endpoint Profiling and Behavior Monitoring technologies.

Endpoint profiling is defined as recording a network endpoint’s observable behaviors and analyzing identifiable characteristics of the endpoint in order to classify it as belonging to a particular group (Profile) and to assess each endpoint’s ability in a certain sphere. That certain sphere could be an endpoint’s ability to participate in a given authentication or Cisco NAC Appliance as an example. In essence, Endpoint Profiling is best described as behavior-based characterization of endpoints for the purpose of identifying and grouping together those that are similar in function, capability or other defining characteristics.

Behavior Monitoring is the ability to ensure endpoints are behaving in a way that is consistent with the classification leading to being provided with the authentication or NAC accommodation, and not indicating behaviors associated with endpoints that should in fact be participative in the full authentication or admission control process prior to being allowed onto the network.

Enough with the formal definitions (that’s what the great documentation is for), what is the real value of this solution to an organization with or without Cisco NAC and pre and post deployment of Cisco NAC?

The Value of Cisco NAC Profiler:

When planning for a NAC Appliance deployment the question of NRHs is sure to come up. How does someone find all of the Printers, Game Consoles, UPSs, IP Phones, etc. in the network? The answer is never easy. The bottom line is that the average organization’s network consists of over 50% of devices that are NRHs. The traditional method of accounting for NRHs is to manually find and record all MAC Addresses and import all of them into the NAC Manager’s Device Filter list. The challenges that this method presents are resources(Who is going to perform this task), Human Error(48bit MAC Addresses can start to look very complex after writing down hundreds or thousands of them), Adds/Moves/Changes become a nightmare, and by the time you finish recording all of the devices you can guarantee that something has changed since you started.

It becomes very clear how many hours can be saved by implementing Cisco NAC Profiler just from the above. But wait there is more… The above shows how Endpoint profiling can be used to save time and headaches, but the Behavior monitoring goes a step further into the value of NAC Profiler. Take the example of the traditional method of adding NRHs into the device filter table of the NAC Manager: Once a printer’s MAC Address is added it is always there, so if a malicious hacker or auditor walks up to the printer, prints the properties page, gets the MAC address, then he or she unplugs the printer and uses the MAC address of the printer to gain access and bypass NAC. If NAC Profiler is implemented, once the computer that is spoofing the MAC Address of the printer exhibits behavior that is outside of the typical behavior of the printer, that user will be kicked off of Device Filter list and be forced to go through standard NAC Process.

Another key benefit of having NAC Profiler is the accountability and visibility into the devices on the NAC Manager Device Filter List. As devices are placed into the Device Filter list by the Profiler Server, there is a link placed that brings an administrator directly to a page showing which switchport the device is plugged into, the respective endpoint profile data, and when it first came on the network. Any Network Operator understands the value of understanding where devices are at and when they entered and left the network.

Figure 1– NAC Manager Link to NAC Profiler

Minimize deployment costs + Minimize operational costs + Added Visibility + Added security = The value of Cisco NAC Profiler

Designing NAC Profiler:

NAC Profiler is comprised of two components:

- Profiler Server: Aggregates and classifies data from collectors and manages the database of endpoint information. Communicates using the NAC Managers API to add devices into the Device Filter list. Installed on the 3350 Appliance

- Collector Module: Gathers information about endpoints using SNMP, NetFlow, Sniffing, and active profiling. Software already installed on the NAC Server, license activates the feature.

The profiler server can be and is recommended to be configured in an High Availability(HA) pair. The Collector license should be purchased for each NAC Server that will be used to profile devices. If the NAC Server is a HA pair the license should be purchased as an HA license.

For the latest information about licensing of Cisco NAC Profiler, please refer to the Cisco NAC Profiler Data Sheet.

Collector Architecture:

NAC Profiler uses many data feeds to obtain the required information to perform Endpoint Profiling and Behavior Monitoring. The following list gives you the background of how the collectors gather data.

- NetMap Collector component module that queries network devices via SNMP for:

o System information

o Interface information

o Bridge information

o Routing/IP information

This information is used to Build and maintain a model of the network topology within the Endpoint Database.

- NetTrap Collector component module that receives selected traps from network devices to assist NetMap in maintaining the model of the network topology.

- NetWatch The passive network analyzer collector component module. Collects information about endpoints using network traffic received at one or more of the interfaces on the appliance it runs on.

- NetInquiry Active profiling Collector component module that can be used to collect information about endpoints using active techniques

- NetRelay Receives exported data from other systems such as Netflow and prepares it for processing for Endpoint Profiling and Behavior Monitoring

- Forwarder Facilitates communication between the collector and the server, acts as middleware between Collector modules and the Profiler Server.

Each NAC Profiler deployment may include a few of these or all of these depending on the required amount of data. As a best practice it is always good to start by using NetMap, NetTrap, and NetWatch to gather the relative information required to successfully profile endpoints. If any of these collectors are not available in the organization deploying NAC profiler, utilizing the NetInquiry or NetRelay collector is a great alternative. Please note that other than NetInquiry NAC Profiler is completely passive and does NOT actively send traffic to any endpoint.

Profiles Uncovered:

As of version 2.1.7, NAC Profiler comes with 38 default profiles out of the box. This includes many of the major device types in enterprise networks today.

Figure 2 – Default Profiles

In some cases, it will be required to create custom profiles in order to profile organizations’ specific devices. To do this NAC Profiler offers the ability to use the different type of rules to match the types of behavior that are specific to the devices in question. The following shows the different types of rules you can configure using Cisco NAC Profiler:

- MAC Address – Beacon maintains a list of all OUI values for MAC address vendor assignments. MAC Vendor rules allow the endpoints MAC address to be used as a criteria for classification into a Profile.

- IP Address – Beacon can use the host address of endpoints to classify devices using host IP addresses within a designated range as a criterion for classification into a Profile.

- Traffic – analysis of traffic information at layers 3-4. Based oninformation gathered by either the NetWatch collector module (traffic analysis) or NetRelay collector module (Netflow data exported from a Netflow-capable device).

- TCP Open Port – Layer 4 port information that is gathered either by monitoring SYN-ACK information passively or via the Active Profiling capabilities of NetInquiry.

- Application – analysis of application layer behavior including DHCP, Server Banners, DNS names, User Agents, etc.

- Advanced – used to create complex expressions using AND, OR, and/or NOT, or to aggregate multiple rule logic into a single rule.

Summary:

Cisco NAC Profiler is an amazing add-on to the Cisco NAC Appliance portfolio and shows value for any organization that current has or plan to have Cisco NAC Appliance. Please stay tuned for more best practices, advanced configuration and troubleshooting of Cisco NAC Profiler.

Sources: NAC Profiler ChalkTalk; Beacon Configuration Guide v2.1.8

Custom Checks - Integration with Big Fix for Remediation

2007-09-28T16:41:00.000-04:00

Background:

BigFix (www.bigfix.com) is one of the many remediation software solutions available that can work with NAC for a better end user experience. BigFix can enforce that a client has the proper software, patches, and updates on a device. This sounds a bit like NAC, but the missing puzzle piece is how to enforce that bigfix is really on the connecting device and doing its job? This posting will talk about some of checks that may be created to enforce the presence and compliance of bigfix on a device connecting into the network.

***Please note that there are many ways of looking for installed/running software and it is best practice to check in two different manners(e.g. service and application check), but to keep this post more straightforward, I will only shows one of the checks.

Is BigFix Installed:

In order to properly assess if BigFix is installed, the following checks if the BESClient is actually there.

Check Category: File Check
Check Type: File Existence
Check Name: BigFix_Installed
File Path: SYSTEM_PROGRAMS\BigFix Enterprise\BES Client\BESClient.exe
Check Description: Check if BigFix is Installed
Operating System: Windows All

Figure 1 - Check if BigFix is Installed
Using a Link or File type requirement for this check will give administrators the ability to offer the BESClient to users that do not have it installed. This will ultimately save on help desk calls and bring the host into compliance automatically.

Is BigFix Running:

Next, it is good to check if BigFix is actually running. The following custom check looks if the BESClient service is running.

Check Category: Service Check
Check Type: Service Status
Check Name: BigFix_Running
Service Name: BESClient
Check Description: Check if BigFix is Running
Operating System: Windows All

Figure 2 - Check if BigFix is Running
If a user does not have the BESClient running, we can use a Launch Programs requirement type to launch the BESClient. Look back to the blog for a future post on Launch Program Requirements.

Is BigFix Compliant:

Finally, BigFix has the ability to create central policy about what is needed on an end host. If the host has the latest patches, updates, etc. then the BESClient actually reports itself as "Compliant". The following custom check looks if the BESClient is reporting itself compliant.

Check Category: Registry Check
Check Type: Registry Value
Check Name: BigFix_Compliant
Registry Key: HKLM\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\_BESClient_BigNACresult\
Value Data Type: String
Operator: Equals
Value Data: Compliant
Check Description: Check if BigFix is Compliant
Operating System: Windows All

Figure 3 - Check if BigFix is CompliantThis shows how if you already have policy created on your remediation platform, NAC Appliance can leverage that information by enforcing compliance to the policy before entry to the network.

Summary:

NAC Appliance may leverage the functionality of other vendors' Remediation solutions by using them to remediate non-complaint host. NAC, in some occasions, can even enforce policies or requirements of those solutions to hosts before the device is allowed on the network. This post should help administrators understand that the integration can be preformed and really will help leverage the existing investments made in remediation solutions.

Chalk Talk Series 3 - Update

2007-09-21T15:00:00.001-04:00

To give everyone the update, the following is the schedule for the upcoming NAC chalk talks:

September 27th: Cisco NAC Profiler Introduction
Prem Ananthakrishnan will introduce the Cisco NAC Profiler, which discovers, tracks,
and monitors all non-PC endpoints attached to a network. By adding Profiler to a NAC
deployment, customers can apply policies and access prvileges to non-PC endpoints.

October 4: Secure Guest with Cisco NAC
Enhance guest access with Cisco’s NAC Guest Server. Syed Ghayur will introduce the
advanced provisioning and reporting features of this latest addition to the Cisco NAC
product line.

Access Information:

Time - 10am PDT, 12pm CDT, 1pm EDT
Audio - Toll-free US/Canada: 1-800-370-2618
Meeting ID: 321456#
Web - Disable any pop-up blocker software
http://gc46gw1.meetingplace.net
Enter Meeting ID 321456

Priveon Launches Real World NAC Appliance Training

2007-09-18T16:28:00.000-04:00

Most training courses prepare individuals for certifications, but Priveon's Real-World training is the exact opposite. Their new Cisco NAC Appliance class is focused around how to design, deploy, operate and optimize Cisco NAC. With 20 labs and a topology that mimics typical organizations' environments, the class is very impressive and valuable for everyone interested or involved with Cisco NAC Appliance! I have personally reviewed the class and I highly recommend it to anyone wanting to take their expertise to the next level.

www.priveon.com

Priveon NAC Appliance Training Page
http://www.priveon.com/training/cisco-naca-training/priveon-real-world-naca-training.html

NAC Chalk Talk Video on Demand (VOD) - A success for Force 3 and its clients

2007-09-15T08:58:00.000-04:00

For those of you who missed the NAC Chalk Talk I did on Thursday, here is the link to the Video on Demand, so that you can catch some of the deployment best practices.

Cisco NAC Appliance: A Success for Force 3 and Its Clients

http://tools.cisco.com/cmn/jsp/index.jsp?id=65948

I also want to thank the NAC Appliance Business Unit at Cisco and specifically Prem who hosted me out in San Jose, he is the real Rock Star!

NEW NAC Chalk Talk Series - Starting Sept 13th

2007-09-07T20:07:00.000-04:00

There is a new NAC chalk talk series starting next week and excitingly enough I will be the first person to present! My chalk talk will be focused around how to make your deployment more successful. This is your chance to ask me questions and get the answers live via IPTV! :)

If you are unfamiliar with the NAC chalktalks, they are a great source of information about how to design, deploy, configure, troubleshoot, operate and optimize Cisco NAC Appliance. Please review the existing series by visiting the below link:
View the existing NAC Chalk Talks

The details of my up coming chalk talk:

CISCO NAC APPLIANCE CHALK TALK SERIES 3

Kicking off SEPTEMBER 13th with a LIVE VIDEO BROADCAST featuring Jamie Sanbower from Force 3 --

Cisco NAC Appliance: A Success for Force 3 and Its Clients

Watch this interactive session to learn Force 3's secret to NAC success, key deployment strategies and how they use Cisco NAC to solve their client business requirements.

Date: Thursday, September 13th
Time: 10am PDT/12pm CDT/1pm EDT
Location: http://tools.cisco.com/cmn/jsp/index.jsp?id=65688 (requires CCO login)

No pre-registration required.

There will be additional chalk talks continuing the weeks following the 13th, so be sure to check back here for updates on the others!

Configure And Troubleshoot the Antivirus Definition Updates

2007-09-07T13:28:00.000-04:00

Cisco posted a new Configuration Guide on how to configure and troubleshoot Antivirus Definition Updates. This is relevant for any deployment using Cisco Preconfigure AV definition rules.

NAC Appliance (Cisco Clean Access): Configure And Troubleshoot the Antivirus Definition Updates

Cisco NAC Profiler Documentation

2007-09-06T22:35:00.000-04:00

Cisco NAC Profiler is here, and let me tell you this product makes deployments go a lot smoother. How nice is it not to have to find all of your Printers, IP Fax Machines, UPS management, Game Consoles, etc.

If you are interested in NAC Profiler services or consulting, please contact me jsanbower hotmail.com or visit www.force3.com

To save everyone some time, the following is a list of all the public documentation on Cisco NAC Profiler:

Cisco NAC Profiler Data Sheet
http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd806b7d4e.html

Cisco NAC Profiler Brochure
http://www.cisco.com/en/US/products/ps6128/prod_brochure0900aecd806b7e8c.html

Cisco NAC Profiler Q & A
http://www.cisco.com/en/US/products/ps6128/products_qanda_item0900aecd806b5d40.shtml

Cisco NAC Profiler Ordering Guide
http://www.cisco.com/en/US/products/ps6128/prod_bulletin0900aecd806b7d69.html

Configuration Guide 2.1.7
http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/217/nac_profiler_cg.html

NAC Network Modules

2007-08-23T16:37:00.000-04:00

I just wanted to give everyone the update on the NEW NME-NAC-K9 module. They are supported as of version 4.1(2). The Cisco NAC Network Module (NME-NAC-K9) implements the Clean Access Server functionality on the next generation service module for the Cisco 2811/2821/2851 and 3825/3845 access routers. The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code. The Clean Access Server operating system is based on an optimized version of Linux. The NAC network module is an ideal NAC solution for small groups of users in remote locations where an integrated services router is used. The NAC network module can be equipped with either a 50-user or 100-user license to support branch offices.

The following are some documents to get you started with the new NAC Network Module:

Getting Started with Cisco NAC Network Modules in Cisco Access Routers

http://www.cisco.com/en/US/products/ps6128/prod_installation_guide09186a008086aa28.html
-- New guide describing initial configuration and deployment examples

Installing Cisco Network Modules in Cisco Access Routers

http://www.cisco.com/en/US/products/hw/modules/ps2797/products_installation_guide_chapter09186a008007c8ec.html
-- New Chapter in the Cisco Network Modules Hardware Installation Guide

Book Review - Cisco NAC Appliance Book

2007-08-21T12:57:00.000-04:00

Title: Cisco NAC Appliance: Enforcing Host Security with Clean Access
Author: Jamey Heary, CCIE #7680

Contributing Authors: Jerry Lin, CCIE #6469, Chad Sullivan, CCIE #6493, and Alok Agrawal
Publisher: Cisco Press

I want to start out by saying that this book completely exceeded my expectations for the first NAC Appliance book. I wish this was published 3 years ago. The author clearly articulates the business benefits of NAC, including how NAC provides return on investment (ROI), which gives any reader the know-how to wisely purchase Cisco NAC Appliance. He also shows his technical expertise by diving extremely deep into the inner workings of Cisco NAC Appliance, which gives engineers, consultants, and operations the information they need to successfully deploy or maintain the product.

This book shows great details into the process flows of In-Band & Out-of-Band users, Clean Access Agent (CAA) users and network scanning users. The information on the different deployment options and how to use them in diverse environments is great to start your NAC Design. This book makes the confusing topics seem easy and manageable.

Some of the highlights that caught my eye and I thought everyone would like were:

Chapter on Host Security Policy – An amazing deal of information on how to design/create a Host Security Policy as it relates to NAC Appliance is invaluable to deployments
Exploration of High Availability and Load Balancing – Information on how to load balance Clean Access Servers using the CSM, CSS, ACE and PBR cannot be found anywhere else. This includes saving money on Failover Bundles by using N+1 Failover
Layer 3 OOB Deployment options – Walk through of the benefits of the different methods of deploying L3 OOB, e.g. PBR, ACLS, VPNs, etc.
Deployment Best Practices – An entire chapter on how to plan, schedule, and keep all parties happy for your NAC Appliance deployment
Monitoring & Troubleshooting information – detailed list of all logs located on the CAM and CAS, as well as the information on how to troubleshoot and monitor online users

All in all this is a great book and I would recommend it for all people interested in Buying, Deploying, Operating, or Troubleshooting Cisco NAC Appliance. This is definitely a great reference manual to have at your desk!

Buy it at amazon or ciscopress

NAC WSUS Requirement Type

2007-08-17T15:10:00.000-04:00

Background:

New to 4.1.1, WSUS Requirements gives NAC Appliance administrators the ability to seamlessly integrate with local WSUS servers or utilize Microsoft Servers to ensure users are up to date on their microsoft service packs and patches.

Configuring WSUS Requirements:

The following are a list of options when configuring a WSUS Requirement:

Update Validation source - This involves checking to see if a particular client machine is up to date with patches. This check can be done against the WSUS server itself OR against Cisco rulesets.

Cisco Rules - In this case, the new “WSUS Server Update services” requirement needs to be mapped to the standard Cisco rule sets such as XP_hotfixes etc. Standard registry scans will be performed on the client machine based on these rule sets.

WSUS Server - In this case, the CCA Agent makes an API call to the WSUS Agent on the client machine to check compliance. Since our rule set is not used here (direct interaction between WSUS client and server, no need to map the Rule set to the requirement.

Update Installation source - This involves remediating the user after we have established that he/she is non-compliant. The remediation can be done either from local WSUS servers OR against WindowsUpdate

WSUS Servers - Download and Install the patches from the local WSUS servers.

Windows Update - Download and install patches from Microsoft Windows Update website

Update Installation type - This involves deciding what type of hotfixes should be downloaded and installed from the chosen source.

Express - This option installs the same Windows updates as would be available from the Windows Update application "Express" option. (For example, the Windows "Express" option may include just Critical and Important security updates or could call for installing an entire service pack update.)

Custom - Use this setting and the associated dropdown menu to install updates based on their severity by choosing Critical, Medium, or All from the associated dropdown menu. If you select Critical only the most severe/critical Windows updates are installed; selecting Medium means all updates (except for those classified as "low severity" by Microsoft) are installed; selecting All means that all of the currently available Windows Updates are installed, regardless of severity.

Upgrade to Latest OS Service Pack - automatically install the latest service pack available for the user's operating system.

UI Experience - This setting controls what the end user sees when the Updates are being installedlist of options when

Show UI - The Windows Update UI (showing that patches are being installed) is displayed to user

No UI: Updates are done silently and user does not see any UI that shows updates are being installed

Figure 1 - Configuring a WSUS Requirement

Notes on configuring WSUS Requirements:

Validation against WSUS server may take between 10-15 seconds
Make sure Access is opened to WSUS server or Windows update server in the temporary role (depending on what is being used)
Make sure that the client PC can talk to the WSUS server on port 80/443. These are the ports client machine uses to talk to WSUS server
WSUS updates may take long. So, it is important to set the Session Timer for the temporary role long enough to allow enough time for the updates to complete.
In order to support Windows Server Update Services operations, client machines must have version 5.4.3790.1000 (or a more recent version) of the WUAUENG.dll file installed.
If there are update errors, see C:\Windows\Windows Update.log or C:\Windows\WindowsUpdate.log.
To see if you have a Local WSUS server configured go to HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and the "WUServer" key will have the server listed.

Summary:

WSUS Requirements are a great new best practice method to ensure Microsoft is truly up to date.

Sources: 4.1(2) CAM Admin Guide; Whats New 4.1(1)

CAA Requirement Best Practices - Enforce Types

2007-08-13T08:14:00.000-04:00

In the world of NAC Appliance, when using the NAC Agent, there are 3 different type of enforcement types. At first look you have the ability to use the following enforce types:

Audit—Silently audit. The client system is checked "silently" for the requirement without notifying the user, and a report is generated. The report results (pass or fail) do not affect user network access.

Optional—Do not enforce requirement. The user is informed of the requirement but can bypass it if desired (by clicking "Next"). The client system does not have to meet the requirement for the user to proceed or have network access.

Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.

So why is this so important for NAC Deployments.... This gives administrators the ability to deploy with the least impact as possible. All deployments should start with AUDIT type requirements. By doing this we are able to see how many users are coming onto the network without compliant workstations. From this information we can see if all methods of users getting patches, updates, etc are correctly working. (E.G. if WSUS or EpolicyOrch is not working correctly you will immediately see almost all hosts out of compliance)

Next, you should change all of the previous AUDIT requirements to OPTIONAL requirements. This will still allow users access, in case of any discrepancy in your policy or remediation strategy, but will get them through any hurdles of learning how to self-remediate.

Finally, utilize MANDATORY requirements to ensure that all policy is enforced.

The last major idea that should be taken into account is how to schedule this type of roll out. I typically recommend 30-45 days for AUDIT requirements and then 30-60 days for OPTIONAL requirements, but this must be determined on a per organization basis. The key thing to take from this posting is that you do have this wonderful option to phase the enforcement of policy for your NAC deployment and it will help ensure a smooth transition for administrators and end users. One less talked about configuration option that you can use to make your NAC deployment more successful.

Jamey Heary's Cisco NAC Blog on Network World

2007-08-05T08:59:00.000-04:00

Make sure to check out the new blog on Cisco Subnet. Jamey Heary the author of the New Cisco NAC Appliance Book is writing it. It can be checked out here:

http://www.networkworld.com/community/heary

About the Blogger:

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years

For the first time - 4.1.2 CAM/CAS guides in HTML

2007-07-30T04:45:00.000-04:00

CAM Guide:
http://cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

CAS Guide:
http://cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/412_cas_book.html

NAC Version 4.1.2

2007-07-27T11:28:00.000-04:00

Download is available here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download

4.1(2) Documentation Page

Some of the feature "enhancements" that i found interesting and useful:

- NEW Cisco NAC Network Module (NME-NAC-K9) Support

Release 4.1(2) introduces support for the Cisco NAC Appliance network module (NME-NAC-K9) on the next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs).

The Cisco NAC Network Module for Integrated Services Routers supports the same software features as the Clean Access Server (CAS) on a NAC Appliance, with the exception of high availability. NME-NAC-K9 does not support failover from one module to another. The integration of CAS capabilities into a network module for ISRs allows network administrators to manage a single device in the branch office for data, voice, and security requirements. The NME-NAC-K9 network module is available as a single hardware module with 50-user and 100-user license options, and supports a maximum of 100 online, concurrent users.

Once initially installed, the Cisco NAC network module is managed in the CAM web console like any other Clean Access Server, and a single CAM can manage both CAS appliances and NAC network modules. To add the Cisco NAC network module to your network, at least one Clean Access Manager appliance (Lite, Standard or Super) must be already installed and configured.

Cisco ISR platforms need to run Cisco ISO software Release 12.4(11)T or later (IP Base image or above) in order to support the Cisco NAC network module.

If introducing the Cisco NME-NAC-K9 network module to an existing Cisco NAC Appliance network, you must upgrade all CAM/CAS appliances to release 4.1(2) for compatibility.

Look out for an upcoming blog entry to show how to deploy the Network Module

- NAC Appliance Platform Type Display

Now that we have Network Modules, this gives us the ability to tell whether we are looking at a NM or an Appliance. Two ways to do this:

UTILIZE THE GUI:

CAM web console:
Device Management > CCA Servers > Manage [CAS_IP] > Network > IP | new Platform field featuring either "APPLIANCE" or "NME-NAC"

CAS web console:
Administration > Network Settings > IP | new Platform field featuring either "APPLIANCE" or "NME-NAC"

UTILIZE THE CLI:

The CAS CLI includes the new service perfigo platform command in release 4.1(2). The command allows you to determine whether the CAS is a standard Clean Access Server appliance or a new Cisco NME-NAC-K9 network module installed in a Cisco ISR router chassis. The command output includes either "APPLIANCE" or "NME-NAC" as the platform setting.

- Debug Log Download Enhancement

Beginning with release 4.1(2), you can now specify the number of days of collected debug logs to download in order to aid troubleshooting efforts when working with Cisco technical support. Previously, debug logs compiled to download to technical support included all recorded log entries in the CAM/CAS database. The default setting is one week (7 days).

- As always... New AV/AS Support List

To review all enhancement, caveats and upgrade procedures please read the following release notes:

Cisco NAC Appliance 4.1(2) Release Notes

Please note that it is best practice to follow the upgrade procedures to the "T" when upgrading your NAC Managers and Servers.

For those of you just getting into the land of NACA, there is a very good presentation on the features that came about in Release 4.1(0) located on CCO called "What's New in Cisco NAC Appliance 4.1" that should catch you up on the latest and greatest features.

Configure and Troubleshoot the Active Directory Windows Single Sign On (SSO)

2007-07-21T13:28:00.000-04:00

Cisco posted a new Configuration Guide on how to configure and troubleshoot ADSSO. This is relevant for any deployment using ADSSO and also has some great text on the common error messages and associated resolutions.

NAC Appliance (CCA): Configure and Troubleshoot the Active Directory Windows Single Sign On (SSO)

VPN Deployments with ASA 8.0

2007-07-20T08:00:00.000-04:00

Background:

One common design challenge in the past was how to deploy NAC for VPN Users when the VPN device is also a corporate firewall. This entry will hopefully help you understand the existing ways of deploying NAC for VPN Users and also help you understand how to design NAC for VPN Users with ASA 8.X.

NAC For VPN Users with a standalone VPN Device:

This is the typical deployment for VPN Concentrators, PIX/ASA (for vpn only), and IOS VPN Routers(for vpn only). The CAS is typically and preferred to be deployed in Virtual Gateway Mode. VG allows for zero IP Address changes and only requires the addition of 1 Authentication/Untrusted VLAN. For more information on how to configure NAC for Standalone VPN Devices please see the NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example

Figure 1 - VPN Deployment with a Standalone VPN Device

NAC For VPN Users with a 6.X/7.X Corporate Firewall/VPN Device without a DMZ:

With this deployment you need to ensure normal internet traffic from corporate users does NOT go through the CAS. In order to accomplish this, the CAS is deployed using Real-IP Gateway and policy based routing is used on the next layer 3 hop from the firewall to send VPN Users traffic to the CAS's untrusted interface.

Figure 2 - VPN Deployment with a 6.X/7.X Corporate Firwall & VPN Device without a DMZ

NAC For VPN Users with a ASA 6.X/7.X Corporate Firewall/VPN Device with a DMZ:

In this scenario the PIX/ASA has a DMZ interface that is hosting public servers. If we look to the same deployment option as before, it presents a problem: VPN Users are able to get to the DMZ without having to go through NAC. This leave us with a couple of options:

Block all VPN Users from getting to the DMZ
Only allow specific services from VPN Users to the DMZ
Allow everything to get to the DMZ without going through NAC
Advanced Workaround using NAT on the Core Router (Not recommended)

Figure 3 - VPN Deployment with a ASA 6.X/7.X Corporate Firwall & VPN Device with a DMZ

NAC For VPN Users with a ASA 8.X Corporate Firewall/VPN Device with a DMZ:

This is what you all have been waiting for, how does VPN Deployment change with ASA 8.0? It all comes down to one new feature "Restrict Access to VLAN" (also know as VLAN Mapping).

Restrict Access to VLAN—(Optional) Also called "VLAN mapping," this parameter specifies the egress VLAN interface for sessions to which this group policy applies. The security appliance forwards all traffic on this group to the selected VLAN. Use this attribute to assign a VLAN to the group policy to simplify access control. Assigning a value to this attribute is an alternative to using ACLs to filter traffic on a session. In addition to the default value (Unrestricted), the drop-down list shows only the VLANs that are configured on this security appliance.

This configuration option is configured within the Remote Access Group Policy:

Figure 4 - Restrict Access to VLAN Configuration

Please note that you must create an DOT1Q trunk and create the VPN DMZ interface using a subinterface for this option to appear. Now that we have a way to ensure VPN users get put onto a specific interface, we are able to deploy the CAS in Virtual Gateway mode and control complete access to VPN Users through NAC. This forces all users to go through NAC before they are allowed to do anything.

Figure 5 - VPN Deployment with a ASA 8.X Corporate Firwall & VPN Device with a DMZ

Summary:

Cisco's ASA 8.0 software has really made deployments with NAC for VPN Users a lot less complex. Utilizing the VLAN Mapping setting on the ASA is only going to open up doors down the road for even better seamless integration of NAC Appliance into your infrastructure.

Sources: CAS Admin Guide; ASDM Online Help

Cisco NAC Profiler Announcement

2007-07-18T14:09:00.000-04:00

Background:

Great Bay Software Inc., the innovator of Endpoint Profiling for enterprise networks, today announced it has signed a worldwide OEM agreement with Cisco that adds the company's Beacon Endpoint Profiler solution to the award-winning Cisco Network Admission Control (NAC) product line. This agreement ensures that all network-attached endpoints, including non-PCs, meet the specified requirements for network access, creating the industry's most comprehensive NAC solution set.

As part of the agreement, Cisco will rebrand and sell the Beacon Endpoint Profiler as Cisco NAC Profiler. The Endpoint Profiling and Behavior Monitoring functions provided by NAC Profiler combined with the Cisco NAC Appliance solution will ease deployments and improve the security management of endpoints unassociated with specific users, such as network printers, medical imaging devices, IP phones, HVAC sensors and wireless access points. NAC Profiler can improve the return on investment for a NAC deployment by dynamically tracking the movement of these devices on the network.

The Cisco NAC Profiler provides a number of benefits both in the initial implementation of NAC and throughout the entire lifecycle of a deployment. Great Bay's Endpoint Profiling technology generates an automated inventory of all endpoints, significantly reducing the level of effort required in the implementation of NAC. The Cisco NAC Profiler informs the NAC system of critical endpoint data, including device address information, a type descriptor (printer, phone, AP, UPS, etc.), access type (a value that defines the appropriate level of access for that endpoint) and access to additional information about that device and its history in the network. This eliminates the need for manual inventories and data entry.

"We're excited to extend our collaboration with Cisco and to be part of an end-to-end NAC solution that provides a security model for all network-attached endpoints," said Steve Pettit, president of Great Bay Software. "Customers will benefit from Cisco's global business infrastructure and from the ongoing innovation this relationship will continue to deliver."

"Great Bay Software's endpoint profiling enhances an end-to-end NAC solution strategy," said Nick Chong, head of the NAC Appliance line of business for Cisco. "Cisco NAC Appliance, the leading NAC offering in the marketplace today, continues to represent the latest in technical innovation involving NAC, and adding Great Bay's profiling technology enriches our overall NAC solution."

Cisco's NAC Profiler will consist of two functional components in the NAC Appliance solution: the Profiler Server and the Collector Application. The Profiler Server will run on a dedicated appliance while the Collector Application will reside on the Cisco NAC Appliance Server. Cisco NAC Profiler is scheduled to be available in August 2007.

About Great Bay Software:

Great Bay Software Inc. is the innovator of Endpoint Profiling, a technology designed to rapidly establish and maintain a real time view of all network attached endpoints. The company's Endpoint Profiling technology has applications in enabling the deployment and administration of Network Admission Control and network-based authentication, in addressing compliance concerns related to unauthorized devices attaching to the Enterprise network, and in managing the endpoint lifecycle for all network attached devices.

Summary:

I have been working with beacon for over a year now and have had nothing but success for deployments and the customers on-going operations. It is the fries with burger when it comes to NAC in an enterprise environment. Next time you are planning a NAC deployment for your integration or are sick of adding device filters every time a new phone or printer is brought up check out Beacon!

Sources: MarketWire; Great Bay Software

Timers

2007-07-15T11:11:00.000-04:00

Background:

Cisco NAC Appliance is a great method of threat containment by ensuring users' identity and posture, but at what point do you want to ensure that the user whom has once been compliant is still indeed compliant? This is the reason why timers are such an important aspect of any NACA Deployment. This entry will help you to understand the different options within NAC and ensure that you configure what is needed for your deployment.

The Options:

Certified Device Timer

Automatically Clear Certified Device List at specific intervals (X number of days)
May clear devices based on particular CAS, User Role, Auth Provider
May clear X amount of users at a time
May create multiple timers to meet your needs

Session Timer

An Absolute Timer that is specific to the user role (X number of minutes)
Applies to both IB & OOB
Triggers after a preset time to kick users off the online user list

Heartbeat Timer

Number of minutes after which a user is logged off the network if a device is non responsive (in-band only)
CAS sends an ARP request for the client for the set time (L2)
CAS looks for traffic sourced from the user (L3)
If proxy arp is enabled then the Heartbeat timer does nothing (L3)
5 Minute minimum

Best Practices for the use of Timers:

ALWAYS configure Certified Device Timers to enforce posture assessment after X amount of time for any Layer 2 or Layer 3 Deployment.

Use Heartbeat Timers to automatically remove inactive users when using IB.

Use User Role Session Timers for timeout of the Quarantine/Temporary User Roles and if you have a per role maximum connect time that is less than 1 day.

Summary:

No matter where you are deploying NAC the discussion of how often you need to re-authenticate/posture assess a user should come up. Hopefully, you will understand the need and plan appropriately for you deployment.

For more information on how to configure these timers, please read the CAM Admin Guide or for hands on experience and instruction, please consider taking Priveon's Cisco NAC Appliance Special Operations Class.

Managed Subnets

2007-06-22T00:02:00.000-04:00

Background:

The most misunderstood topic of the configuration of NACA is Managed Subnets. Every time I get a call about a LAN deployment, which is not working, the first thing I say is "Managed Subnets!". Hopefully, by reading this you will start to understand the taboo term and know when/where to configure Managed Subnets.

Managed Subnets Theory:

"For all CAS modes in L2 deployments (Real-IP/Virtual Gateway) when configuring additional subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface."

The first question you must ask during deployment is "are there more than one VLAN on the untrusted side of the CAS?" If so, you need to give the CAS "logical interfaces" so that the CAS can "manage" those vlans/subnets. The best way to think about managed subnets is to think about a "router on a stick" deployment; A single interface has multiple sub-interfaces in order to reduce the quantity of physical interfaces on the router. This concept can be applied to the CAS. The CAS uses DOT1Q trunking to logically manage multiple subnets. Why does the CAS need to do this? The CAS needs to be able to communicate with the clients on each of the subnets connected to it untrusted interface. This includes things like Web Redirection, SWISS Protocol, etc. The first step in communication is being able to arp and without managed subnets the CAS cannot arp for the clients off of its UnTrusted interface.

When to use Managed Subnets:

"Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS. For all CAS modes in L3 deployment, Static Routes must be configured for the user subnets that are one or more hops away. Managed subnets should not be configured for these subnets. "

Layer 2 Deployment = Managed Subnets

Layer 3 Deployments = Static Routes

This logic can be used for In-Band/Out-of-Band, Real-IP/Virtual Gateway, Central/Edge Deployments. If you are a newbie to NACA please review the NACA ChalkTalks(CCO Login Required) before thinking too much into this.

How to configure Managed Subnets:

Managed Subnets are configured for each CAS at Device Management - Clean Access Server - manage X.X.X.X - Advanced - Managed Subnet

There are four configuration fields:

IP Address - This value varies based on the type of deployment:

Real-IP Gateway: Think of router on a stick. This ip address will be the Default Gateway for the clients on the UnTrusted VLAN.
Virtual Gateway: This needs to be an UNUSED IP address on the network.

Subnet Mask - Mask for the ip address used above.

VLAN ID - This is the VLAN ID of the UnTrusted VLAN. EVEN when using Virtual Gateway.

Description - Let remember that the next engineer might not understand managed subnets and needs to read this to get a better understand. Use best practice descriptions.

Figure 1 - Sample Managed Subnet

Summary:

Managed Subnets are something that are overlooked a lot, but after you take the time understand them, they really are just another check on the deployment checklist. Make sure that the next time you are practicing NACA, create a lab scenario that requires managed subnets! Cheers!

Source: CAS Admin Guide

Mapping Users to Roles using LDAP

2007-06-06T21:40:00.000-04:00

Cisco Posted a new Configuration Guide on how to use LDAP to map users to roles. This is relevant for any deployment integrating with LDAP as an auth server (e.g. Active Directory) or performing LDAP lookup with AD SSO.

NAC(CCA) 4.x: Map Users to Certain Roles Using LDAP Configuration Example

Make sure you check it out before your next LDAP auth server deployment.

Cisco NAC Appliance Book

2007-06-02T13:14:00.000-04:00

Finally after many years the first Cisco NAC Appliance book will be released in this coming August! A lot of very good engineers have contributed to this book, including the NACA TMEs! It is definately going to be something worth picking up and reading!

Cisco NAC Appliance: Enforcing Host Security with Clean Access

Book Description:

The ultimate reference guide for the Cisco NAC (Network Access Control) Appliance with easy-to-follow guides to major security applications
- Learn how Network Admission Control can make your network more secure
- Prevent security breaches by checking for and enforcing a host security policy at the network edge
- Master the design, configuration, deployment, and troubleshooting of the NAC Appliance solution

Cisco NAC Appliance from Cisco Press presents an overview of real world Cisco NAC Appliance (formerly known as Clean Access) deployment scenarios. The book provides best practices for communicating to the user community before deploying the NAC Appliance and how best to plan/design for the eventual merger of NAC framework and NAC Appliance solutions. The majority of viruses and worms in existence today would be successfully stopped using an up to date operating system along with an up to date anti-virus client. The concept of checking how up to date a host's operating system, antivirus client, and spyware removal tools are before they are given access to the network is relatively new. It is not so much the operating system's or anti-virus client's lack of ability to stop the majority of attacks so much as it is a company's lack of ability to enforce, at the network layer, security policies that require endpoint systems to have updated patches and AV software installed. This ability is the essence of what the Cisco NAC Appliance provides. This book is the ultimate reference to the Cisco NAC Appliance, and is an essential book in the library of any networking professional that works on host security or security policy enforcement.

About the Author:

Jamey Heary, CCIE No. 7680 is a Security Consulting Systems Engineer at Cisco. James also holds CISSP, CCSP, CCNP, CCDP, and Microsoft MCSE certifications, as well as a certified HIPAA Security Professional. He has a B.S. from St. Lawrence University.

Book Details:

Paperback: 550 pages
Publisher: Cisco Press; 1 edition (August 8, 2007)
Language: English
ISBN-10: 1587053063
ISBN-13: 978-1587053061

Custom Checks – Personal Firewall Software

2007-05-19T20:44:00.000-04:00

Background:

Many organizations require personal firewall software to be run on clients connecting into their network as a part of their security policy. This post explores how to create custom checks to enforce the use of personal firewall software on connecting clients. This is one of the most requested custom checks I receive and hopefully you will find it benefit.

Create Checks and Rules:

For this example, I am going to show how to create custom checks for 3 different types of Personal Firewall Applications. All of this software is free and can be downloaded. To create a custom check you must go to:

Device Management – Clean Access – Clean Access Agent – Rules – New Check

Windows XP Firewall Check

The most reliable way I have found to check for XP firewall is to use a Registry Check looking for the following Registry Value:

Registry Key:
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

Registry Value:
EnableFirewall

If the XP Firewall is on the Value will be = to “1”

Figure 1 – XP Firewall Check

Make sure to select the proper OS type and also “Automatically create a rule based on this check” so that you can use the rule later.

*** Please note that the registry value looked at does not distinguish between interfaces that the firewall is turned on, e.g. users could turn on the firewall for Wireless and be connected to the LAN and pass the check. If anyone finds a more reliable way, please let me know.

Zone Alarm Firewall Check

The status of Zone Alarm can be found by looking at services running on your MS OS. Zone Alarm creates service “vsmon” that can be checked using a Service Check to ensure it is running.

Figure 2 – Zone Alarm Firewall Check

Make sure to select the proper OS type and also “Automatically create a rule based on this check” so that you can use the rule later.

Comodo Firewall Check

Unlike Zone Alarm, Comodo does not create a service that we can monitor, but it does have a process running when it is turned on. When Comodo is running it runs a process called “cpf.exe”, which we can create an Application Check to ensure it is runnning

Figure 3 – Comodo Firewall Check

Make sure to select the proper OS type and also “Automatically create a rule based on this check” so that you can use the rule later.

These 3 Custom Checks should give you an idea of how to check for different type of personal firewall applications. I know this is only a list of 3 of many different SW vendors, but if you can understand how to find the information about your preferred software then you should be good to go.

Create a Requirement:

For this example I have chosen to create a Local Check to inform users that they do not have Personal Firewall Software running. Other options might be to send them to a Help-Desk website, Vendor Website or to present them with a preferred personal firewall software download. To create a new requirement go to:

Device Management – Clean Access – Clean Access Agent – Requirements – New Requirement

Figure 4 – Personal Firewall Requirement

Make sure to select the proper OS as all if you want to enforce it on all Windows OS.

Map Requirements to Rules:

Next, we must assign the rules we created from the custom checks to the new requirement. To Map Requirements-Rules go to:

Device Management – Clean Access – Clean Access Agent – Requirements - Requirement-Rules

Figure 5 – Personal Firewall Requirement-Rules Windows All

Figure 6 – Personal Firewall Requirement-Rules Windows XP

The most important notes about configuring the Requirement-Rules Mapping is to select “Any Selected Rule Succeeds” and making sure you map the rules on a per OS basis, e.g. the XP check is not applicable to Windows All, but it is applicable to Windows XP All.

Map Roles to Requirements:

Pick the role(s) that you want to enforce this requirement onto and check the new requirement. To map Roles to Requirements go to:

Device Management – Clean Access – Clean Access Agent – Role-Requirements

Then you must select the role and select the new requirement.

Summary:

Enforcement of the use of Personal Firewall Software is something that a lot of NACA deployment wants, and now you should be on the path of being able to do it.

Deployment Best Practices Series - Operations Acceptance of the Solution

2007-05-16T20:19:00.000-04:00

Background:

Operations Acceptance of NACA is very important for a successful deployment. If Staff does not accept the solution than it will not be utilized to its capabilities or be maintained. This post is all about educating staff in order to ensure a successful deployment.

Introducing NACA to the Operations Staff:

NACA has to become an integral part of network and security operations in order to have a successful deployment. The following are some of the topics that Network Operations must be informed about:

Clean Access Servers (CASs) act as an extension to the routers and switches in the network

This causes network operations the need to understand how the CASs reside in the data path of users

In an Out-of-Band (OOB) Deployment, netops has to understand the integration between the Clean Access Manager (CAM) and all access switches

This requires the staff to have knowledge about SNMP Servers & SNMP Traps

Security Operations have many topics that they must know about to ensure acceptance of the deployment, some of those include:

How to enforce security policy with NACA
How to Review logs and report on users found non compliant

. . In order for the operation staff to understand these topics, they must have training and experience with NACA and the concepts. It is your job as a deployment engineer to ensure that these topics are covered and operations can hit the ground running with NACA.

Introducing NACA to the Help Desk Staff:

Help Desk is the nerve center of a NACA deployment. Ensuring that the HD staff can help users when issues happen is imperative to making them successful. Keys to empowering your help desk staff are:

Train them about common issues
Ensure they have proper access and knowledge of how to access the information needed to troubleshoot or help users
Have a documented escalation path (e.g. help-desk - operations -engineering - Cisco TAC)

Summary:

Operations & Help Desk Staff are sometime forgotten about, but their knowledge and support of the NACA deployment is critical to a successful deployment.

Deployment Best Practices Series – Deployment Expertise

2007-05-15T12:29:00.000-04:00

Background:

NAC Appliance is a product that can looks very easy to install. For most people, this can be the start of many problems. It is important to realize that the product is made to be easy and that level can be obtained, but a lot of hours are required to realize the Ins and Outs of NACA. This post is all about the misconceptions about what level of knowledge a deployment engineer should have, as well as the steps engineers can do to get to that level.

Understanding the Learning Curve:

NAC Appliance is a product that does deploy very quickly. For smaller deployments, it can be stood up and working in just hours, but this is for engineers that have taken the time to understand it. The more hours you spend looking into the CAM GUI the easier things get. This product gets confusing in a few instances:

Customization of Posture Assessment and Remediation

Going above and beyond the normal of Windows HotFixes and AV Installation/Definitions
Truly enforcing security policy with CCA

Deploying on a complex network

The network is not following best practice design methods
There is not a deterministic Layer 2 or Layer 3 path from the client to a central point

I cannot tell you how many times something simple becomes complex as a result to the preceding topics. It is a best practice to work with this product before deploying to a production environment. One of the best parts of this product is the fact that it does fit into so many Diverse Networks, unlike others. As an administrator, it is important to note that it does "plop" right into ANY network, but implementing NAC is a perfect time to gain more knowledge and conform better to best practice network design.

Getting the most of NACA:

The reason that Expertise in deployments is so important for a successful rollout is the fact that the product has so many small caveats and non-publicized features that can truly make or break the deployment. I personally would like to advertise the interesting custom checks that an experienced NACA engineer can use to enforce security policy. A minor list of examples being Preventing Instant Messenger, Peer-to-Peer, Sniffer Applications or checking for Group Policy features.

Making sure you do not fall victim of lack of expertise:

The following are best practice ways to ensure that the deployment goes well by ensuring that you have the skills it takes to deploy NACA. Any one topic will help you get experience, but the more you perform the better the deployment will go:

Formal Training – Find a class that teaches NAC Appliance. Ensure that the content matches your deployment strategy and the instructor ACTUALLY has experience with NACA in the real world. Stay astray from the “cookie cutter” type classes. Priveon, a security training company, has really world class training program for this type of training or you can always request custom training from a local Cisco Partner.

Research – Use the resources available to you to inform yourself about NACA Deployments. This can be performed via the NACA Chalktalks, NACA Documentation, whitepapers, etc.

Lab Experience – Getting NACA into the lab so that you can test the features and functionality that you want to deploy in a controlled environment can give you the knowledge and experience to become prepared for the real deployment is key to a successful deployment. This phase should come before any pilots.

Consultant Help – There are many external resources available for you to either give you a turn key solution or assist in your deployment of NACA. The reasons behind this investment could be resources or technical expertise, but the key to using this resource to your ability is making sure you shadow and learn from the consult deploying NACA.

Summary:

Many organization fall victim to “I thought I could get it working” and then really do not receive the benefits of NAC Appliance. This is the reason why to have a successful deployment you must have experience with the product.

Deployment Best Practices Series - User Acceptance of the Solution

2007-05-09T14:14:00.000-04:00

Background:

User Acceptance of NACA is the #1 most important consideration that must be made during a deployment. This post should hopefully help you understand the best practices to make users "accept" the solution.

Messaging the Solution to Users:

In order for users to not get really upset about the solution, you MUST message the plans of turning on the NACA solution. If you do not message this information to users they will have no idea what hit them and you can rest assure that their boses or parents(in the EDU space) will hear about it and you will be getting A LOT of complaints. Along with these complaints will be the complete dislike of the solution before they have even used it. Messaging is simple and can be performed by using:

- Posters/Banners
- E-mail
- Formal Letters

The content on the messaging needs to include:

- Benefits of CCA for the end-user & organization as a whole
- Reasons the organization is deploying the solution
- Time frames of deployment
- How the Deployment will affect the user
- What are the responsibilities of the user
- Policies that are enforced and when will they be enforced
- References to the Organization's Security Policy
- Where to find more information or who to contact in case of problems

This messaging will help users really see the reasoning why NACA is important and how it can help them as an individual. This in turn will truly help the acceptance of them having to interact with NACA.

Making the first encounter of the "terrible" green goblin (CAA) tolerable:

At first look, users can be very upset about having to use an agent to get onto the network. Because of the messaging that you have done they are at a minimum expecting it and have the knowledge to get through the experience. Tasks that you can do to ensure that the first time the user ever uses the product is successful and acceptable are:

- Deploy the agent via a Software Pushing Technology, like Altiris, to ensure that the user does not have to download the agent.

- Only cutover some users at a time, do NOT cutover all X users at once. This ensures that the users are able to have the best performance possible. This will also allow any administrators or help-desk staff to respond efficiently if problems arise.

- Make sure to enable Single Sign On (SSO), if possible, to allow the users not to have to login twice.

- To ensure users are able to be comfortable with the agent, before they have to spend 2 hours updating their machine to conform with security policy, it is best practice to start the NACA Deployments with optional requirements. This will present the user with the violations of their devices without stopping them from performing their normal tasks. E.G. All users must have AV Installed is a requirement in your security policy, but for the first 30 days the CAA will prompt users to install AV, but won't stop them from accessing the network if they chose not to remediate. After the users have had time to realize that they are out of compliance and they have had plenty of time to fix their violations at their convenience (typically 3-30 days depending on type/size/culture of the organization), the optional requiremetns should be changed to mandatory. This time frame of optional requirements should be illustrated in the original messaging about the solution. If the user community is non-adaptive to changes at all, then some organization even start with no requirements and then move to optional requirements.

Ensuring on-going Acceptance of the solution:

In order for users to continue to have that good feeling about the solution, administrators must follow some simple guidelines to ensure the user community stays happy:

- Configure the clearing of devices (Certified Device Timers, Session Timers, Heartbeat Timers) in a reasonable fashion. Timers must be used to ensure periodic posture assessment of users, but they should be configured in a reasonable manner. E.G. If a person has to login to theCAA every hour on the hour to get on the network they will not be happy.

- Ensure that maintenance of the NACA solution is performed off hours, remember some deployments are in-band and will denial of service users if you perform an upgrade during the day.

- Continue the good communication that was initially established. E.G. if you are going to start enforcing the use of Cisco Security Agent, make sure that the users understand the new requirement and do have time to ensure they are within compliance.

- Make sure the users have a knowledgeable help-desk that they can consult on any issues that come up.

Summary:

Users are people too and if you take the proper steps to ensure that their experience with the solution is a positive one, you will receive positive feedback and lower the total cost of ownership (TCO). Help Desk tickets will be minimal and you can sleep better at night because users do have the latest signatures.

Deployment Best Practices Series

2007-05-09T13:34:00.000-04:00

I receive the following question all the time:

"How do I make sure that my deployment of NAC Appliance goes well?"

The easiest way to answer this question is to ask "What makes a NACA Deployment Fail?" Failing, in context to the above, means that the solution causes more harm than good and does not provide the benefits as promised. Cisco NAC Appliance is a product that can do everything and more that Cisco promises. The following are what I have found to cause more harm than good if they are not addressed from the beginning of the deployment:

1.) User Acceptance of the Solution
2.) Deployment Expertise
3.) Operations Acceptance of the Solution

This is where the series comes into play. I will be posting what I have found to be "best practices" to address these 3 problem areas and hopefully help everyone to understand how to make their deployments successful.

I really am open to feedback if anyone has any suggestion/comments for the series.

NACA Version 4.1.1

2007-05-07T21:12:00.000-04:00

Version 4.1.1 was posted to CCO for download on April 30th.

Some of the feature "enhancements" that i found interesting and useful, but not too geeky are:

- Support for Windows Vista
This is something that has been around in the 4.0.X train but not 4.1.X, so customers should really enjoy this feature

- Multiple Active Directory Server Support in ADSSO
Previously, you could only define a single AD Server for ADSSO. Now with 4.1.1 you are able to authenticate to an entire "Domain". This greatly enhances the availability of ADSSO.

- Restricted Administrator Web Console Options Hidden from View
Now when you can take away even Read-Only rights to certain aspects of the CAM. This makes it less tempting for the help-desk staff to go in and look through private event data, etc.

- VLAN Prunning
This works in conjunction with a Virtual Gateway CAS using VLAN Mapping to ensure that only known VLAN ID packets are allowed to traverse the internal network. This should prevent any broadcast/loop issues that might have previously happened.

- WSUS Support
Now we are playing ball with the introduction of WSUS support. This release tightly integrates updates through WSUS, to ensure users have the proper patches.

This is only a few of the many new enhancements in 4.1(1). To review all enhancement, caveats and upgrade procedures please read the following release notes:

Cisco NAC Appliance 4.1(1) Release Notes

Please note that it is best practice to follow the upgrade procedures to the "T" when upgrading a NACA deployment.

For those of you just getting into the land of NACA, there is a very good presentation on the features that came about in Release 4.1(0) located on CCO called "What's New in Cisco NAC Appliance 4.1" that should catch you up on the latest and greatest features.

NACA Chalk Talks

2007-05-05T09:56:00.000-04:00

The guys at the BU have invested a lot of time on getting people the basic knowledge about NACA by doing a "chalk talk" series that can provide you with a really good resource. If you are joining us with zero knowledge or just basic knowledge these presentations are a great place to start. They do require CCO Login, but are definitely worth filling out the form. I probably will not talk about any of the topics in the presentations, because that would not hold any value, but you probably will see me expand on some of the topics that did not get as much attention as warranted.

Chalk Talk 1: Cisco NAC Appliance Foundation Concepts
Presenter: Alok Agrawal
Chalk Talk 2: Configuring NAC Appliance in In-Band Mode
Presenter: Prem Ananthakrishnan
Chalk Talk 3: Configuring NAC Appliance in Out-of-Band Mode
Presenter: Alok Agrawal
Chalk Talk 4: Configuring NAC Appliance for High Availability
Presenter: Alok Agrawal
Chalk Talk 5: Configuring Posture Assessment and Remediation
Presenter: Prem Ananthakrishnan
Chalk Talk 6: L3 OOB with Rice University
Presenter: Ryan Moore & Jeff Heilman, Rice University
Chalk Talk 7: Configuring L3 OOB using ACLs
Presenter: Alok Agrawal
Chalk Talk 8: Configuring Authentication, Roles, and SSO
Presenter: Prem Ananthakrishnan
Chalk Talk 9: Maintaining and Managing Your NAC Appliance
Presenter: Prem Ananthakrishnan

CAM & CAS Licensing

2007-05-04T14:26:00.000-04:00

CCA is licensed in two manners:

CAM Licensing
The CAM is licensed on the basis of how many CASs it can manage.
1 CAS Failover Bundle = 1 Server Count
CAM comes in 3 Flavors: Lite(manages up to 3 Servers), Standard(manages up to 20 Servers), & Super(manages up to 40 Servers)

CAS Licensing
The CAS is licensed on the basis of how many users are logged in. The easiest way to understand this is to think about how many Online Users show up int the IB/OOB OU List. The only caveat to this is that if you are using Device Filters that are marked as "Check" you need to include them in the CAS User Count.
CAS comes in many flavors ranging from 100 users to 2500 users

Reference:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/license.htm

Welcome to NACA Blog

2007-05-04T14:20:00.000-04:00

I just wanted to say welcome to people. I am really utilizing this blog as a Knowledge Management System to post ideas about best practices, whacky or mis-understood topics, Tip & Tricks, and Configuration Topics. Please let me know if you would like to help contribute to this blog and the more comments the better.