HAPPY BOOKSGIVING
Use code BOOKSGIVING during checkout to save 40%-55% on books and eBooks. Shop now.
Register your product to gain access to bonus material or receive a coupon.
This PDF will be accessible from your Account page after purchase and requires PDF reading software, such as Acrobat® Reader®.
The eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
Cisco Network Admission Control
Volume II: NAC Framework Deployment and Troubleshooting
The self-defending network in action
Jazib Frahim, CCIE® No. 5459
Omar Santos
David White, Jr., CCIE No. 12,021
When most information security professionals think about threats to their networks, they think about the threat of attackers from the outside. However, in recent years the number of computer security incidents occurring from trusted users within a company has equaled those occurring from external threats. The difference is, external threats are fairly well understood and almost all companies utilize tools and technology to protect against those threats. In contrast, the threats from internal trusted employees or partners are often overlooked and much more difficult to protect against.
Network Admission Control (NAC) is designed to prohibit or restrict access to the secured internal network from devices with a diminished security posture until they are patched or updated to meet the minimum corporate security requirements. A fundamental component of the Cisco® Self-Defending Network Initiative, NAC enables you to enforce host patch policies and to regulate network access permissions for noncompliant, vulnerable systems.
Cisco Network Admission Control, Volume II, helps you understand how to deploy the NAC Framework solution and ultimately build a self-defending network. The book focuses on the key components that make up the NAC Framework, showing how you can successfully deploy and troubleshoot each component and the overall solution. Emphasis is placed on real-world deployment scenarios, and the book walks you step by step through individual component configurations. Along the way, the authors call out best practices and tell you which mistakes to avoid. Component-level and solution-level troubleshooting techniques are also presented. Three full-deployment scenarios walk you through application of NAC in a small business, medium-sized organization, and large enterprise.
“To successfully deploy and troubleshoot the Cisco NAC solution requires thoughtful builds and design of NAC in branch, campus, and enterprise topologies. It requires a practical and methodical view towards building layered security and management with troubleshooting, auditing, and monitoring capabilities.”
–Jayshree V. Ullal, Senior Vice President, Datacenter, Switching and Security Technology Group, Cisco Systems®
Jazib Frahim, CCIE® No. 5459, is a senior network security engineer in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security team. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security.
Omar Santos is a senior network security engineer in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security team. He has more than 12 years of experience in secure data communications.
David White, Jr., CCIE No. 12,021, has more than 10 years of networking experience with a focus on network security. He is currently an escalation engineer in the Cisco TAC, where he has been for more than six years.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Cisco Press–Security
Covers: Network Admission Control
Introduction
Part I NAC Overview
Chapter 1 NAC Solution and Technology Overview
Network Admission Control
NAC: Phase I
NAC: Phase II
NAC Program Participants
Components That Make Up the NAC Framework Solution
Cisco Trust Agent
Cisco Security Agent
Network-Access Devices
Cisco VPN 3000 Series Concentrator
Cisco Secure Access Control Server
Event Monitoring, Analysis, and Reporting
Summary
Review Questions
Part II Configuration Guidelines
Chapter 2 Cisco Trust Agent
Preparing for Deployment of CTA
Supported Operating Systems
Deploying CTA in a Lab Environment
CTA Windows Installation
CTA Windows Installation with the 802.1X Wired Supplicant
CTA Mac Installation
CTA Linux Installation
Installing the CA Certificate
User Notifications
Customizing CTA with the Optional ctad.ini File
[main] Section
[EAPoUDP] Section
[UserNotifies] Section
[ServerCertDNVerification] Distinguished Name-Matching Section
[Scripting_Interface] Section
Example ctad.ini
CTA Scripting Interface
Requirements for Using the Scripting Interface
Executing the Scripting Interface
CTA Logging Service
Creating a ctalogd.ini File
Using the clogcli Utility
Deploying CTA in a Production Network
Deploying CTA on Windows
Deploying CTA on Mac OS X
Deploying CTA on Linux
Troubleshooting CTA
Installation Issues
Communication Issues
System Logs
CTA Client Fails to Receive a Posture Token
CTA 802.1X Wired Client
Client Is Disconnected (Suspended)
Chapter Summary
References
Review Question
Chapter 3 Cisco Secure Services Client
Installing and Configuring the Cisco Secure Services Client
Minimum System Requirements
Installing the Cisco Secure Services Administrative Client
Configuring the Cisco Secure Services Administrative Client
Deploying the Cisco Secure Services Client in a Production Network
End-User Client Deployment Installation Prerequisite
Creating End-User Client-Configuration Files
Creating the License File
Deploying the End-User Client
Viewing the Current Status of the Cisco Secure Services Client
Windows Wireless Zero Configuration
Troubleshooting the Cisco Secure Services Client
System Report Utility
Viewing the Client Logs and Connection Status in Real Time
Client Icon Does Not Appear in System Tray
Client GUI Does Not Start
Client Does Not Prompt for Password
Wireless Client Is Immediately Dissociated after 802.1X Authentication
Client Is Disconnected (Suspended)
Summary
References
Review Question
Chapter 4 Configuring Layer 2 NAC on Network Access Devices
NAC-L2-IP
Architecture of NAC-L2-IP
Configuring NAC-L2-IP
Troubleshooting NAC-L2-IP
NAC-L2-802.1X
Architecture of NAC-L2-802.1X
Configuring NAC-L2-802.1X
MAC Authentication Bypass
Troubleshooting NAC-L2-802.1X
Configuring NAC-L2-802.1X on Cisco Wireless Access Points
Summary
Review Questions
Chapter 5 Configuring Layer 3 NAC on Network Access Devices
Architectural Overview of NAC on Layer 3 Devices
Configuration Steps of NAC on Layer 3 Devices
Step 1: Configuring AAA Authentication
Step 2: Defining the RADIUS Server
Step 3: Specifying the Interface Access Control List
Step 4: Configuring the NAC Parameters
Step 5: Defining the NAC Intercept Access Control List (Optional)
Step 6: Setting Up the Exception Policies (Optional)
Step 7: Configuring the Clientless Host Parameters (Optional)
Step 8: Optimizing the NAC Parameters (Optional)
Monitoring and Troubleshooting NAC on Layer 3 Devices
Useful Monitoring Commands
Troubleshooting NAC
Summary
Review Questions
Chapter 6 Configuring NAC on Cisco VPN 3000 Series Concentrators
Architectural Overview of NAC on Cisco VPN 3000 Concentrators
Cisco Software Clients
Microsoft L2TP over IPSec Clients
Configuration Steps of NAC on Cisco VPN 3000 Concentrators
VPN Configuration on the VPN 3000 Concentrator
VPN Configuration on the Cisco VPN Client
NAC Configuration on the VPN 3000 Concentrator
Testing, Monitoring, and Troubleshooting NAC on Cisco VPN 3000 Concentrators
Remote-Access IPSec Tunnel Without NAC
Remote-Access IPSec Tunnel from an Agentless Client
Remote-Access IPSec Tunnel from a CTA Client
Summary
Review Questions
Chapter 7 Configuring NAC on Cisco ASA and PIX Security Appliances
Architectural Overview of NAC on Cisco Security Appliances
Stateless Failover for NAC
Per-Group NAC Exception List
Configuration Steps of NAC on Cisco Security Appliances
VPN Configuration on the Security Appliances
VPN Configuration on the Cisco VPN Client
NAC Configuration on the Cisco Security Appliances
Testing, Monitoring, and Troubleshooting NAC on Cisco Security Appliances
Remote-Access IPSec Tunnel Without NAC
Remote-Access IPSec Tunnel from an Agentless Client
Remote-Access IPSec Tunnel from a CTA Client
Monitoring of NAC Sessions
Summary
Review Questions
Chapter 8 Cisco Secure Access Control Server
Installing ACS
Installation Prerequisites
Installing ACS on a Windows Server
Upgrading from Previous Versions of ACS Server
Post-Installation Tasks
Initial ACS Configuration
Configuring Network Device Groups (Optional)
Adding Network Access Devices
Configuring RADIUS Attributes and Advanced Options
Installing Certificates
Configuring Global Authentication Protocols
Creating Network Access Profiles Using NAC Templates
Posture Validation
Internal Posture-Validation Policies
External Posture Validation and Audit Servers
Miscellaneous Posture-Validation Options
Posture Enforcement
Downloadable IP ACLs
VLAN Assignment
Policy-Based ACLs
RADIUS Authorization Components
Network Access Profiles
Protocols Policy
Authentication Policy
Posture Validation Policy
Authorization Policy
Network Access Filtering
NAC Agentless Hosts
Centralized Agentless Host Policy for NAC-L3-IP and NAC-L2-IP
Centralized Agentless Host Policy for NAC-L2-802.1X (MAC Authentication Bypass)
Configuring the Agentless Host Policy on ACS
User Databases
Importing Vendor Attribute-Value Pairs
Enabling Logging
Configuring Failed Attempts Logging
Configuring Passed Authentications Logging
Configuring RADIUS Accounting Logging
Replication
Troubleshooting ACS
Enabling Service Debug Logging
Invalid Protocol Data
RADIUS Posture-Validation Requests Are Not Mapped to the Correct NAP
RADIUS Dictionaries Missing from the Interface Configuration Section
Certificate Issues—EAP-TLS or PEAP Authentication Failed During SSL Handshake in Failed Attempts Log
Summary
Review Questions
Chapter 9 Cisco Security Agent
Cisco Security Agent Architecture
CSA MC Rule Definitions
Global Event Correlation
Installing Cisco Security Agents Management Center
Configuring CSA NAC-Related Features
Creating Groups
Creating Agent Kits
System State and NAC Posture Changes
Summary
Review Questions
Chapter 10 Antivirus Software Integration
Supported Antivirus Software Vendors
Antivirus Software Posture Plug-Ins
Antivirus Policy Servers and the Host Credential Authorization Protocol (HCAP)
Adding External Antivirus Policy Servers in Cisco Secure ACS
Summary
Review Questions
Chapter 11 Audit Servers
Options for Handling Agentless Hosts
MAC Authentication Bypass
Audit Servers
Architectural Overview of NAC for Agentless Hosts
Configuring Audit Servers
Installation of QualysGuard Scanner Appliance
Configuration of QualysGuard Scanner Appliance
Configuration of CS-ACS Server
Monitoring of Agentless Hosts
Monitoring Agentless Hosts on QualysGuard Scanner
Monitoring CS-ACS Logs
Monitoring Agentless Hosts on a Cisco NAD
Summary
Review Questions
Chapter 12 Remediation
Altiris
Altiris Network Discovery
Importing Attribute Files to Cisco Secure ACS
Setting External Posture Validation Audit Server on Cisco Secure ACS
Installing the Altiris Network Access Agent and Posture Plug-In
Exception Policies
Creating Posture Policies on the Altiris Notification Server
PatchLink
Summary
Review Questions
Part III Deployment Scenarios
Chapter 13 Deploying and Troubleshooting NAC in Small Businesses
NAC Requirements for a Small Business
Small Business Network Topology
Configuring NAC in a Small Business
Cisco Secure ACS
End-User Clients
Switches
Web Server
Troubleshooting NAC Deployment in a Small Business
show Commands
EAP over UDP Logging
Cisco Secure ACS Logging
Certificate Issues: EAP-TLS or PEAP Authentication Failed During SSL Handshake
Incorrect Time or Date
Summary
Review Questions
Chapter 14 Deploying and Troubleshooting NAC in Medium-Size Enterprises
Deployment Overview of NAC in a Medium-Size Enterprise
The User Network
The Management Network
The Quarantine Network
Business Requirements for NAC in a Medium-Size Enterprise
Medium-Size Enterprise NAC Solution Highlights
Enforcement Actions
Steps for Configuring NAC in a Medium-Size Enterprise
Catalyst 6500 CatOS Configuration
VPN 3000 Concentrator Configuration
Audit Server Configuration
Altiris Quarantine Solution Configuration
Trend Micro Policy Server Configuration
Cisco Secure ACS Configuration
CSA-MC Server Configuration
End-User Clients
Monitoring and Troubleshooting NAC in a Medium-Size Enterprise
Diagnosing NAC on Catalyst 6500 Switch
Diagnosing NAC on a VPN 3000 Concentrator
Cisco Secure ACS Logging
Summary
Review Questions
Chapter 15 Deploying and Troubleshooting NAC in Large Enterprises
Business Requirements for Deploying NAC in a Large Enterprise
Security Policies
Enforcement Actions
Design and Network Topology for NAC in a Large Enterprise
Branch Office
Regional Office
Headquarters
Configuring NAC in a Large Enterprise
ACS
End-User Clients
Switches
Troubleshooting NAC Deployment in a Large Enterprise
show Commands
debug Commands
ACS Logs and CS-MARS
Summary
Review Questions
Part IV Managing and Monitoring NAC
Chapter 16 NAC Deployment and Management Best Practices
A Phased Approach to Deploying NAC Framework
Readiness Assessment
Stakeholders
Initial Lab Environment
Test Plans
Initial Tuning
Final Deployment Strategy
Provisioning of User Client Software
CSA Management
Maintaining NAC Policies
Keeping Operating System Policies Up-to-Date
Keeping Your Antivirus Policies Up-to-Date
Maintenance of Remediation Servers and Third-Party Software
Technical Support
Education and Awareness
End-User Education and Awareness
Help-Desk Staff Training
Engineering and Networking Staff Training
Summary
References
Review Questions
Chapter 17 Monitoring the NAC Solution Using the Cisco Security Monitoring, Analysis, and Response System
CS-MARS Overview
Setting Up Cisco IOS Routers to Report to CS-MARS
Defining the Cisco IOS Router as a Reporting Device within CS-MARS
Configuring the Cisco IOS Router to Forward Events to CS-MARS
Setting Up Cisco Switches to Report to CS-MARS
Defining the Cisco Switch as a Reporting Device within CS-MARS
Configuring the Cisco Switch to Forward Events to CS-MARS
Configuring ACS to Send Events to CS-MARS
Defining ACS as a Reporting Device within CS-MARS
Configuring Logging on ACS
Configuring 802.1X NADs in ACS to Report to CS-MARS
Installing the pnlog Agent on ACS
Configuring CSA to Send Events to CS-MARS
Defining CSA-MC as a Reporting Device within CS-MARS
Configuring CSA-MC to Forward Events to CS-MARS
Configuring VPN 3000 Concentrators to Send Events to CS-MARS
Defining the VPN 3000 Concentrator as a Reporting Device within CS-MARS
Configuring the VPN 3000 Concentrator to Forward Events to CS-MARS
Configuring the Adaptive Security Appliance and PIX Security Appliance to Send Events to CS-MARS
Defining the ASA/PIX Appliance as a Reporting Device within CS-MARS
Configuring the ASA/PIX Appliance to Forward Events to CS-MARS
Configuring QualysGuard to Send Events to CS-MARS
Generating Reports in CS-MARS
NAC Report—Top Tokens
NAC Report—Infected/Quarantine—Top Hosts
NAC Report—Agentless (Clientless) Hosts
Creating Scheduled NAC Reports
Troubleshooting CS-MARS
Events from a Specific Device Are Not Showing Up
Events Are Showing Up from an Unknown Reporting Device
Trouble Discovering a Monitored Device
Summary
Reference
Review Questions
Part V Appendix
Appendix A Answers to Review Questions
1587052253 TOC 11/2/2006