Table of Contents

Introduction

Part I: The Host Security Landscape

Chapter 1. The Weakest Link: Internal Network Security

Security Is a Weakest-Link Problem

Hard Outer Shell with a Chewy Inside: Dealing with Internal Security Risks

The Software Update Race: Staying Ahead of Viruses, Worms, and Spyware

Summary

Chapter 2. Introducing Cisco Network Admission Control Appliance

Cisco NAC Approaches

NAC as an Appliance

NAC as an Embedded Solution

Cisco NAC Integrated Implementation

Cisco NAC Appliance Overview

Cisco NAC Return on Investment

Summary

Part II: The Blueprint: Designing a Cisco NAC Appliance Solution

Chapter 3. The Building Blocks in a Cisco NAC Appliance Design

Cisco NAC Appliance Solution Components

Cisco NAC Appliance Manager

Cisco NAC Appliance Server

Cisco Clean Access Agent

Cisco NAC Appliance Network Scanner

Cisco NAC Appliance Minimum Requirements

Cisco NAC Appliance Manager and Server Requirements

Cisco Clean Access Agent Requirements

Scalability and Performance of Cisco NAC Appliance

Summary

Chapter 4. Making Sense of All the Cisco NAC Appliance Design Options

NAC Design Considerations

Single-Sign-On Capabilities

In-Band Versus Out-of-Band Overview

Layer 2 Versus Layer 3 Client Adjacency Overview

Virtual Gateway Versus Real IP Gateway Overview

Deployment Options

How to Choose a Client/Server Adjacency Mode

Layer 2 Mode

Layer 3 Mode

Layer 2 Strict Mode for Clean Access Agent

How to Choose a Network Mode

Virtual Gateway Mode

Real IP Gateway Mode

In-Band Mode

The Certification Process in In-Band Mode

Certification Steps for Host with Clean Access Agent

Steps for Client to Acquire an IP Address

Clean Access Agent Authentication Steps

Clean Access Agent Host Security Posture Assessment Steps

Clean Access Agent Network Scanner Steps

Agent Post-Certification Steps

Login Steps for Host Using Web Login (No Clean Access Agent)

Web Login Authentication Steps

Web Login Network Scanning Steps

Post–Web Login Steps

Advantages of Using In-Band Mode

Disadvantages of Using In-Band Mode

Where You Can Use In-Band Mode

Out-of-Band Mode

How the Adjacency Mode Affects Out-of-Band Operation

Layer 3 Out-of-Band Traffic Control Methods

How the Network Mode Affects Out-of-Band Operation

Login Steps with OOB in L2 Adjacency, Virtual Gateway Mode

Initial Steps for OOB Clients

Clean Access Agent Authentication Steps in OOB

Agent Host Security Posture Assessment Steps for OOB

Agent Post-Certification Steps for OOB

Login Steps for OOB in L3 Adjacency, Real IP Mode

Initial Client Steps for L3 OOB

Steps to Obtain an IP Address in L3 OOB

Client Authentication and PBR Steps in L3 OOB

Client Certification and Post-Certification Steps in L3 OOB

Advantages of Using Out-of-Band Mode

Disadvantage of Using Out-of-Band Mode

Where You Can Use Out-of-Band Mode and Where You Cannot

Switches Supported by NAC Appliance Out-of-Band

Clean Access Agent and Web Login with Network Scanner

Summary

Chapter 5. Advanced Cisco NAC Appliance Design Topics

External Authentication Servers

Mapping Users to Roles Using Attributes or VLAN IDs

MAC Address Authentication Filters

Single Sign-On

Active Directory SSO

Active Directory SSO Prerequisites

How Active Directory SSO Works

VPN SSO

VPN SSO Prerequisites

How VPN SSO Works

Cisco Wireless SSO

Cisco Wireless SSO Prerequisites

How Cisco Wireless SSO Works

NAC Appliance and IP Telephony Integration

IP Telephony Best Practices for In-Band Mode

IP Telephony Best Practices for Out-of-Band Mode

High Availability and Load Balancing

High Availability

Stateful Failover of NAC Appliance Manager

Stateful Failover of NAC Appliance Server

Fallback Feature on NAC Appliance Server

Spanning Tree N+1

Load Balancing

Cisco Content Switching Module or Standalone Content Services Switch

NAC Appliance Server Load Balancing Using Policy-Based Routing

Summary

Part III: The Foundation: Building a Host Security Policy

Chapter 6. Building a Cisco NAC Appliance Host Security Policy

What Makes Up a Cisco NAC Appliance Host Security Policy?

Host Security Policy Checklist

Involving the Right People in the Creation of the Host Security Policy

Determining the High-Level Goals for Host Security

Common High-Level Host Security Goals

Defining the Security Domains

Understanding and Defining NAC Appliance User Roles

Built-In User Roles

Unauthenticated Role

Normal Login Role

Temporary Role

Quarantine Role

Commonly Used Roles and Their Purpose

Establishing Acceptable Use Policies

Checks, Rules, and Requirements to Consider

Sample HSP Format for Documenting NAC Appliance Requirements

Common Checks, Rules, and Requirements

Method for Adding Checks, Rules, and Requirements

Research and Information

Establishing Criteria to Determine the Validity of a Security Check, Rule, or Requirement in Your Organization

Method for Determining Which User Roles a Particular Security Requirement Should Be Applied To

Method for Deploying and Enforcing Security Requirements

Defining Network Access Privileges

Enforcement Methods Available with NAC Appliance

Commonly Used Network Access Policies

Summary

Part IV: Cisco NAC Appliance Configuration

Chapter 7. The Basics: Principal Configuration Tasks for the NAM and NAS

Understanding the Basic Cisco NAC Appliance Concepts

NAM Overview

NAM Hardware Installation Requirements

NAM Software Installation Requirements

How to Connect NAM

Performing Initial NAM Configurations

NAC Licensing

NAM GUI Description

NAS Overview

NAS Hardware Installation Requirements

NAS Software Installation Requirements

NAS Software License Requirement

How to Connect NAS

Performing Initial NAS Configurations

NAS GUI Description

Configuring NAS Deployment Mode

In-Band Deployment Options

Out-of-Band Deployment Options

Understanding NAS Management Within the NAM GUI

Global Versus Local Settings

Global Settings

Local NAS Settings

Adding Additional NAS Appliances

Summary

Chapter 8. The Building Blocks: Roles, Authentication, Traffic Policies, and User Pages

Configuring User Roles

Creating Custom Roles

Editing or Deleting a Custom Role

Configuring Role Assignment

Creating a Local User and Assigning a Role

Assigning a Role by VLAN

Assigning a Role by MAC and IP Address

Assigning a Role by Subnet

Assigning a Role by External Authentication Source Attributes

Role Mapping Summary

Configuring Authentication

Creating Admin Users and Groups

Creating an Admin Group

Creating an Admin User

Adding External Authentication Sources

Adding a RADIUS External Authentication Source

Adding an LDAP/AD External Authentication Source

Configuring and Creating Traffic Policies

IP-Based Traffic Control Policy

Host-Based Traffic Control Policy

Bandwidth Policies

Customizing User Pages and Guest Access

Login Pages

Guest Access

API for Guest Access

Summary

Chapter 9. Host Posture Validation and Remediation: Cisco Clean Access Agent and Network Scanner

Understanding Cisco NAC Appliance Setup

Cisco NAC Appliance Updates

General Setup

Web Login

Agent Login

Certified Devices

Certified List

Add Exempt Device

Add Floating Device

Timer

Cisco Clean Access Agent

Agent Installation Process

Sample Agent Installation

Agent Distribution

Alternative Agent Installation Methods

Agent Policy Enforcement

Requirements, Rules, and Checks

Creating and Enforcing a Requirement

Creating Checks

Creating a Custom Rule

Network Scanning

Nessus Plug-Ins

Scanning Setup

Vulnerability Handling

User Agreement Configuration

Testing the Scanning Setup

Summary

Chapter 10. Configuring Out-of-Band

Out-of-Band Overview and Design

User Access Method

Switch Support

Central Deployment Mode or Edge Deployment Mode

Layer 2 or Layer 3

Gateway Mode for NAC Appliance Server

Simple Network Management Protocol Trap to Trigger the NAC Process

Port-Based VLAN Assignment or User Role–Based VLAN Assignment

Sample Design and Configuration for Layer 2 Out-of-Band Deployment

Step 1: Configuring the Switch

Configuring VLAN Trunking Protocol and VLANs

Configuring SVIs

Configuring the Switch as a DHCP Server

Configuring Fa1/0/1—The Interface Connecting the NAC Appliance Manager eth0 Port

Configuring Fa1/0/3—The Interface Connecting the Trusted Port (eth0) of NAC Appliance Server

Configuring Fa1/0/4—The Interface Connecting the Untrusted Port (eth1) of NAC Appliance Server

Configuring Fa1/0/5—The Interface Connecting the Host

Configuring Simple Network Management Protocol

Step 2: Configuring NAC Appliance Manager

Step 3: Configuring NAC Appliance Server

Step 4: Logging In to NAC Appliance Manager

Step 5: Adding NAC Appliance Server to NAC Appliance Manager

Step 6: Editing Network Settings on NAC Appliance Server

Step 7: Configuring VLAN Mapping

Step 8: Configuring Managed Subnets

Step 9: Configuring a Switch Group

Step 10: Configuring a Switch Profile

Step 11: Configuring a Port Profile

Step 12: Configuring the SNMP Receiver

Step 13: Adding a Switch to NAC Appliance Manager

Step 14: Configuring Ports to Be Managed by NAC

Step 15: Configuring User Roles

Step 16: Configuring User Authentication on the Local Database

Step 17: Testing Whether OOB and User Role–Based VLAN Assignment Works

Sample Design and Configuration for Layer 3 Out-of-Band Deployment

Step 1: Configuring the Switches

Configuring the Central Switch

Configuring the Edge Switch

Step 2: Configuring NAC Appliance Manager

Step 3: Configuring NAC Appliance Server

Step 4: Logging In to NAC Appliance Manager

Step 5: Adding NAC Appliance Server to NAC Appliance Manager

Step 6: Editing Network Settings on NAC Appliance Server

Step 7: Configuring Static Routes

Step 8: Configuring a Switch Group

Step 9: Configuring a Switch Profile

Step 10: Configuring a Port Profile

Step 11: Configuring the SNMP Receiver

Step 12: Adding the Switch to NAC Appliance Manager

Step 13: Configuring Ports to Be Managed by NAC Appliance

Step 14: Configuring User Roles

Step 15: Configuring User Authentication on the Local Database

Step 16: Changing the Discovery Host

Step 17: Configuring the Web Login Page

Step 18: Testing Whether OOB and User Role–Based VLAN Assignment Works

Additional Out-of-Band Considerations

Summary

Chapter 11. Configuring Single Sign-On

Active Directory Single Sign-On Overview

Supported Devices for AD SSO

Basic AD SSO Configuration Steps

Configuring Single Sign-On for Windows AD

NAM Configuration

NAS Configuration

Layer 3 3550 Core Switch Configuration

3500XL Edge Layer 2 Switch Configuration

Active Directory or Domain Controller Configuration

Beginning Overall Setup

Adding an AD Server as an AD SSO Auth Server

Configuring Traffic Policies and Ports in the Unauthenticated Role for AD Authentication

Configuring AD SSO Settings in NAS

Configuring the AD Server and Running the ktpass Command

Enabling Agent-Based Windows AD SSO

Enabling GPO Updates

(Optional) Adding LDAP Lookup Server to Map Users to Multiple Roles

LDAP Browser (Not Required but Very Helpful)

Configuring LDAP Lookup Server in NAM

User Attributes in Active Directory

Enabling DHCP in NAS

Enabling User Login Pages in NAM

NAC Agent Download and Login

Configuring Single Sign-On for VPN

ACS Setup

ASA-5510 VPN Setup

Configuring NAS to Support VPN SSO

Configuring Single Sign-On for Cisco Wireless LAN Controller

ACS Server Setup

WLC Setup

NAM/NAS Setup

Summary

Chapter 12. Configuring High Availability

High Availability on NAC Appliance Manager

High Availability on NAC Appliance Server

Example of a High Availability Configuration for NAC Appliance Manager and Server

Adding NAC Appliance Managers in High Availability Mode

Adding a CA-Signed Certificate to the Primary NAC Appliance Manager

Generating a Self-Signed Temporary Certificate on the Primary NAC Appliance Manager

Adding a Certificate to the Secondary NAC Appliance Manager

Configuring High Availability for NAC Appliance Managers

Adding NAC Appliance Servers in High Availability Mode

Configuring the eth2 Interfaces

Configuring the Primary Server for High Availability

Configuring the Secondary Server for High Availability

Setting Up DHCP Failover on NAC Appliance Servers

Troubleshooting HA

Summary

Part V: Cisco NAC Appliance Deployment Best Practices

Chapter 13. Deploying Cisco NAC Appliance

Pre-Deployment Phase

Executive Summary

Scope

Vision

NAC Appliance Overview (Diagram)

Host Security Policy

Business Drivers for Deployment

Deployment Schedule

Resources

New Equipment

Support Plan

Communication Plan

Cisco NAC Appliance Training

Deployment Plan Overview

Proof of Concept Phase

Pilot Phase

Production Deployment Phases

Production Deployment Phase 1: Initial Introduction to User Community

Production Deployment Phase 2: Implementing Host Security Policy Checks Without Enforcement

Production Deployment Phase 3: Host Security Policy Enforcement

Summary

Part VI: Cisco NAC Appliance Monitoring and Troubleshooting

Chapter 14. Understanding Cisco NAC Appliance Monitoring

Understanding the Various Monitoring Pages and Event Logs

Summary Page

Discovered Clients and Online Users Pages

Discovered Clients Page

Online Users Page

Event Logs

Understanding and Changing Logging Levels of NAC Appliance

SNMP

Understanding Monitoring of Web Login and Clean Access Agents

Clean Access Agent Reports

Certified List

Manually and Automatically Clearing the Certified List

Requiring Certification for Every Login

Summary of the Behavior of the Certified List

Monitoring the Status of NAC Appliance Manager and NAC Appliance Servers

Manager and Server Monitoring Using the Linux CLI

Manager and Server Monitoring Using the Web GUI

Summary

Chapter 15. Troubleshooting Cisco NAC Appliance

Licensing Issues

Adding NAS to NAM

Policy Issues

Agent Issues

Out-of-Band Issues

Single Sign-On Issues

AD SSO

VPN and Wireless SSO

High Availability Issues

Useful Logs

NAM Logs

NAS Logs

Additional Logs

Common Issues Encountered by the Help Desk in the First 30 Days

Users Not Being Able to Get a Web Login Page, or the NAC Appliance Agent Not Popping

Users Not Being Able to Authenticate

Users Getting Stuck in the Quarantine or Temporary Role

Users Not Being Put in the Correct VLAN or Not Getting Access to Certain Resources

Summary

Appendix. Sample User Community Deployment Messaging Material

Sample NAC Appliance Requirement Change Notification E-Mail

Sample NAC Appliance Notice for Bulletin Board or Poster

Sample NAC Appliance Letter to Students

Index