Index

Symbols

/var/log/ha-debug log

/var/log/ha-log log

Numerics

3500XL Edge Layer 2 switch, configuring AD SSO

A

access to resources, troubleshooting issues

access VLANs

ACLs. See also policies

Layer 3 OOB traffic control

Active Administrator Sessions page

Active Directory SSO

operation

prerequisites

AD server, configuring for AD SSO

AD SSO (Active Directory Single Sign-On)

3500XL Edge Layer 2 switch, configuring

AD SSO authentication server, adding

Agent-based Windows SSO, enabling

configuring

DHCP, enabling in NAS

domain structure

GPO updates, enabling

Layer 3 3550 core switch, configuring

mapping users to multiple roles

user attributes

NAC Agent, downloading

NAM, configuring

NAS

configuring

user account, creating

ports, configuring

supported devices

traffic policies, configuring

troubleshooting

Windows 2003 support tools, installing

Add Exempt Device page (Certified Devices tab), configuring

Add Floating Device page (Certified Devices tab), configuring

adding

CA-signed certificate to NAM

checks, rules, and requirements to HSP

external authentication servers

LDAP/AD

RADIUS

NAS appliances

to network

to NAM

to NAM in L3OOB deployment

to NAM in OOB deployment

switch to NAM in L3OOB mode

adjacency mode, effect on OOB operation

admin group, creating

admin user account, creating

agent distribution, configuring

agent issues, troubleshooting

Agent Login page (General Setup tab), configuring

agent policy enforcement, configuring

agent login, configuring

certified devices, configuring

web login, configuring

Agent-based Windows SSO, enabling for AD SSO configuration

agentless authentication

antivirus update requirements, configuring

API for guest access

applying

NAS logs to troubleshooting process

requirements to HSP user roles

assigning roles to local users

by external authentication source attribute

by MAC/IP address

by subnet

by VLAN ID

attributes, mapping users to user roles

AUPs (acceptable use policies)

components of

enforcing

samples

authentication

agentless

Clean Access Certified List

certification, requiring

clearing

device timer options

summary of characteristics

common troubleshooting issues

external authentication servers

MAC address authentication filters

mapping users to user roles

providers lists

supported authentication servers

guest access, enabling

NAS web login page, customizing

SSO

AD SSO

Cisco VPN SSO

authentication URL, Layer 3 OOB traffic control

authentication VLANs

automatic updating

B

bandwidth policies, creating

built-in user roles

normal role

Quarantine role

Temporary role

Unauthenticated role

business drivers for deployment, identifying

C

Campus LAN domain

case studies, Cisco NAC solution, ROI

CA-signed certificate, adding to NAM

central deployment

central deployment mode

central switch, configuring L3OOB

certification process for In-Band mode

certified device timer

Certified Devices tab

Add Exempt Device option, configuring

Add Floating Device option, configuring

Certified List option, configuring

Timer option, configuring

Certified List (Clean Access Agent)

certification, requiring

clearing

device timer options

summary of characteristics

Certified List page (Certified Devices tab), configuring

checklist for creating HSPs

checks

for Cisco Clean Access Agent remediation, configuring

for HSP

adding

validity of, determining

Cisco ACS, configuring for Cisco VPN SSO

Cisco ASA 5510, configuring for Cisco VPN SSO

Cisco Clean Access Agent

agent installation

installing

alternative methods

sample agent installation

minimum requirements

network scanning, configuring

remediation

checks

custom rules, creating

requirements

Cisco IOS Software, integrated NAC implementation

Cisco NAC Appliance

components

IP telephony integration

In-Band mode, best practices

Out-of-Band mode, best practices

minimum requirements

scalability

Cisco NAC Appliance Manager

minimum requirements

stateful failover

web console

Web GUI, monitoring-related pages

Cisco NAC Appliance Network Scanner

Cisco NAC Appliance Server

fallback feature

load balancing

minimum requirements

stateful failover

Cisco VPN SSO

ACS, configuring

Cisco ASA Appliance, configuring

configuring

NAS support, configuring

Cisco Wireless SSO

configuring

NAM, configuring

NAS, configuring

operation

prerequisites

WLC, configuring

Clean Access, Certified list

certification, requiring

certified device timer options

clearing

summary of characteristics

Clean Access Agent

HSP, posture assessment configuration

remediation, configuring

Reports page

clearing Certified List

CLI monitoring commands

ifconfig

netstat

top

Client/Server Adjacency mode

Layer 2, selecting

Layer 2 Strict Mode for Clean Access Agent, selecting

Layer 3, selecting

commands

ifconfig

ipconfig

ktpass

mii-tool

netstat

netstat -an

top

common helpdesk troubleshooting issues

communication plan for Cisco NAC Appliance deployment, creating

components

of Cisco NAC Appliance solution

Cisco Clean Access Agent

Cisco NAC Appliance Manager

Cisco NAC Appliance Network Scanner

Cisco NAC Appliance Server

of embedded NAC solution

compound mapping rules, mapping users to user roles

configuring

AD SSO

3500XL Edge Layer 2 switch

AD server

AD SSO authentication server

Agent-based Windows SSO, enabling

DHCP, enabling in NAS

GPO updates, enabling

Layer 3 core switch

mapping users to multiple roles

NAM

NAS

NAS settings

ports

traffic policies

agent policy enforcement

agent login

certified devices

updates, performing

web login

automatic update retrieval

Cisco Clean Access Agent, agent distribution

Cisco VPN SSO

ACS

Cisco ASA Appliance

NAS support

Cisco Wireless SSO

NAM

NAS

WLC

global filters for NAM role assignment

guest access, API

HA

on NAC Appliance Servers

host-based traffic-control policies

IP-based traffic-control policies

L2OOB deployment

Catalyst 3750 switch

example configuration

managed subnets

NAC Appliance Server

NAM

NAM, logging in

NAS, adding to NAM

NAS, editing network settings

port profiles

SNMP receiver

switch groups

switch port control

switch profiles

user authentication

user role-based VLAN assignment, verifying

user roles

VLAN mappings

L3OOB deployment

central switch

discovery host, changing

edge switch

example configuration

NAM

NAM, logging in

NAS

NAS, adding to NAM

NAS, editing network settings

port profiles

SNMP receiver

static routes

switch groups

switch port control

switch profiles

user authentication

user role-based VLAN assignment, verifying

user roles

web login page, configuring

NAC Appliance Servers

DHCP failover

High Availability mode

NAM

GUI

HA

licensing options

NAS

global settings

GUI

In-Band mode

local settings

OOB mode

OOB mode

central deployment mode

edge deployment mode

gateway mode

switch support

user access method

posture assessment

scanning

SNMP

polling

traps

user custom roles

vulnerability handling on network scanning plug-ins

connecting

NAM to network

NAS to network

creating

admin group

admin user account

AUPs

bandwidth policies

host-based traffic control policies

HSPs

checklist

goals, identifying

security domains, defining

sponsorship, obtaining

IP-based traffic control policies

local user accounts

NAS user account for AD SSO

CSM (Cisco Content Switching Module), load balancing

CSS (Content Switching Services), load balancing

custom roles

configuring

editing

options, configuring

removing

custom rules, creating for Cisco Clean Access Agent remediation

customizing NAS web login authentication page

D

day zero attacks

defining

NAC user roles

built-in

normal login roles

network access privileges for HSP

security domains for HSP creation

deleting custom roles

deploying HSP requirements

deploying Cisco NAC Appliance

pilot phase

pre-deployment phase

business drivers, identifying

communication plan, creating

deployment schedule

executive summary

required resources, identifying

scope of deployment, defining

support plan, creating

training program, developing

vision statement

production deployment phase 1

production deployment phase 2

production deployment phase 3

proof of concept phase

sample deployment plan outline

deployment modes

Client/Server Adjacency mode

Network mode

Post-Client Certification mode

device timer options (Certified List)

DHCP, enabling in NAS for AD SSO configuration

DHCP failover, configuring on NAC Appliance Servers

DHCP server, configuring on Catalyst 3750 for OOB deployment

Discovered Clients page, monitoring NAC Appliance solution

discovery host, configuring in L3OOB deployment

discovery host IP, viewing

downloading NAC Agent for AD SSO

E

edge deployment

edge deployment mode

edge switch, configuring L3OOB

editing

custom roles

NAS network settings in L3OOB deployment

NAS network settings in OOB deployment

email samples

for postings

letters to students

NAC Appliance requirement change notification

embedded NAC solution

components of

enforcing

AUPs

HSP requirements

errors, troubleshooting out-of-band issues

eth0 interface failure, NAM HA failover

eth2 interfaces, configuring HA on NAC Appliance Servers

event log

logging levels, changing

monitoring NAC Appliance solution

example configurations

L2OOB configuration

Catalyst 3750 switch, configuring

managed subnets

NAC Appliance Server, configuring

NAM, configuring

NAM, logging in

NAS, adding to NAM

NAS, editing network settings

port profiles

SNMP receiver

switch groups

switch port control

switch profiles

user authentication

user role-based VLAN assignment, verifying

user roles

VLAN mappings

L3OOB configuration

central switch, configuring

discovery host, changing

edge switch, configuring

NAM, configuring

NAM, logging in

NAS, adding to NAM

NAS, configuring

NAS, editing network settings

port profiles, configuring

SNMP receiver, configuring

static routes, configuring

switch groups, configuring

switch port control

switch profiles, configuring

user authentication

user role-based VLAN assignment, verifying

user roles

web login page, configuring

NAC Appliance Manager

executive summary

external authentication servers

authentication process

LDAP/AD, adding

MAC address authentication filters

mapping users to user roles

using attributes

provider lists

RADIUS, adding

supported authentication servers

F

failure scenarios, risk analysis

fallback feature of NAC Appliance Server

floating devices, configuring

G

gateway mode, OOB mode configuration

General Setup tab

Agent Login page, configuring

Web Login page, configuring

generating self-signed temporary certificates

on primary NAM

on secondary NAM

global filters for NAM role assignment, configuring

global settings (NAS), configuring

goals for HSP creation, identifying

GPO updates, enabling for AD SSO configuration

guest access, enabling

Guest domain

H

HA (high availability), configuring

NAC Appliance Servers, configuring

eth2 interfaces

primary servers

secondary servers

NAM, configuring

troubleshooting

heartbeat packet exchange

during NAM failover

on NAC Appliance Servers

helpdesk, common troubleshooting issues

High Availability mode on NAC Appliance Server, configuring

host posture assessment features

Clean Access Agent Reports

host security policy decision matrix

host-based traffic control policies, creating

HSPs (host security policies)

checks

adding

validity of, determining

creating

checklist

goals, identifying

security domains, defining

sponsorship, obtaining

NAC appliance enforcement methods

network access policy

network access privileges, defining

posture assessment, configuring

requirements

adding

deploying

enforcing

user role selection process

validity of, determining

rules

adding

validity of, determining

sample format

I

IB (In-Band) mode

identifying goals for HSP creation

ifconfig command

In-Band mode

advantages of

best practices

certification process

configuring

disadvantages of

information security

installing

Cisco Clean Access Agent

agent distribution

alternative methods

sample installation

NAM

requirements

updates

NAS, requirements

Windows 2003 support tools for AD SSO

integrated NAC implementation

integrating Cisco NAC Appliance into IP telephony environment

In-Band mode, best practices

Out-of-Band mode, best practices

internal security

as weakest link

network admission controls

risks to

Internet domain

IP telephony integration

In-Band mode, best practices

Out-of-Band mode, best practices

IP-based traffic control policies, creating

ipconfig command

J–K

ktpass command

ktpass.exe file, running on domain controllers for AD SSO configuration

L

L2OOB deployment

Catalyst 3750 switch, example configuration

example configuration

managed subnets, configuring

NAC Appliance Server, configuring

NAM

configuring

logging in

NAS

adding to NAM

editing network settings

port profiles, configuring

SNMP receiver, configuring

switch groups, configuring

switch port control, configuring

switch profiles, configuring

user authentication, configuring

user role-based VLAN assignment, verifying

user roles, configuring

VLAN mappings, configuring

L2OOB mode

L3OOB deployment

central switch, configuring

discovery host, changing

edge switch, configuring

example configuration

MAC address discovery process

NAM, configuring

NAM, logging in

NAS

adding to NAM

configuring

editing network settings

port profiles, configuring

SNMP receiver, configuring

static routes, configuring

switch, adding to NAM

switch groups, configuring

switch port control, configuring

switch profiles, configuring

traffic control

using ACLs

using authentication URL

using PBR

user authentication, configuring

user role-based VLAN assignment, verifying

user roles, configuring

web login page, configuring

L3OOB mode

Layer 2 Adjacency

Layer 2 mode (Client/Server Adjacency)

Layer 2 Strict mode for Clean Access Agent

Layer 3 Adjacency

Layer 3 core switch, configuring AD SSO

Layer 3 mode (Client/Server Adjacency)

LDAP/AD, adding new external authentication servers

letters to students, email sample

licensing

NAM options

troubleshooting

limiting bandwidth

link detection

Linkup traps

Linux OS, ktpass.exe file, running on domain controllers for AD SSO configuration

load balancing

Cisco NAC Appliance Server

CSM

local settings (NAS), configuring

local user accounts, creating

locating serial port

logging in

normal login user roles, defining

OOB in L2 Virtual Gateway mode

OOB in L3 Real IP Gateway mode

SSO

troubleshooting

web login authentication

network scanning

post-web login steps

logging levels, changing

M

MAC address

authentication filters

Layer 3 OOB mode discovery process

MAC Notification traps

maintaining high availability

NAC Appliance Manager, stateful failover

NAC Appliance Server

fallback feature

stateful failover

Spanning Tree N+1

managed subnet interface

managed subnets, configuring in Virtual Gateway OOB deployment

mandatory components of Cisco NAC Appliance solution

Cisco NAC Appliance Manager

Cisco NAC Appliance Server

mapping

roles to local users

by external authentication source attributes

by MAC/IP address

by subnet

by VLAN ID

rules to Cisco Clean Access Agent remediation requirements

users to multiple roles for AD SSO configuration

user attributes

users to user roles

mii-tool command

minimum requirements for Cisco NAC Appliance operation

monitoring

Clean Access Agents, Reports page

Cisco NAC Appliance Manager

Active Administrator Sessions page

Web GUI

NAC Appliance solution

Discovered Clients page

event logs

logging levels, changing

Online Users page

OOB monitoring stages and pages

Summary page

N

NAC Appliance Agent

downloading for AD SSO

troubleshooting

NAC Appliance Server

DHCP failover, configuring

High Availability mode, configuring

IB mode

advantages of

certification process

disadvantages of

OOB

SNMP

NAC Framework

NAM

AD SSO, configuring

configuring

for Cisco Wireless SSO

GUI

connecting to network

HA

configuring

heartbeat packet exchange

installing, requirements

L2OOB, configuring

L3OOB, configuring

licensing options

updates, performing

NAM logs, applying to troubleshooting process

NAS

AD SSO, configuring

AD SSO support, configuring

adding to NAM

appliances, adding

configuring

GUI

configuring for Cisco Wireless SSO

connecting to network

global settings, configuring

In-Band mode, configuring

installing, requirements

L2OOB, configuring

L3OOB, configuring

local settings, configuring

OOB mode, configuring

web login authentication page, customizing

NAS logs, applying to troubleshooting process

Nessus

plug-ins, uploading

scans, obtaining

netstat -an command

netstat command

network access policies

network access privileges, defining for HSP

Network mode

effect on OOB operation

Real IP Gateway mode

Virtual Gateway mode

network scanning

configuring

plug-ins, vulnerability handling

testing configuration

user agreement page, creating

normal built-in user role

normal login roles

normal login user roles

O

obtaining sponsorship for HSP creation

Online Users page, monitoring NAC Appliance solution

OOB deployment

adjacency mode, effect on

L2 Virtual Gateway mode, login process

L3 Real IP Gateway mode, login process

Layer 2

managed subnets, configuring

NAM, logging in

NAS, adding to NAM

NAS, editing network settings

port profiles, configuring

sample configuration

SNMP receiver, configuring

switch groups, configuring

switch port control, configuring

switch profiles, configuring

user authentication, configuring

user role-based VLAN assignment, verifying

user roles, configuring

VLAN mappings, configuring

Layer 3

discovery host, changing

MAC address discovery process

NAM, logging in

NAS, adding to NAM

NAS, editing network settings

sample configuration

switch port control, configuring

traffic control

user authentication, configuring

user role-based VLAN assignment, verifying

user roles, configuring

web login page, configuring

monitoring stages and pages

network mode, effect on

OOB (Out-of-Band) mode

OOB Management domain

OOB mode

advantages of

best practices

central deployment mode

configuring

disadvantages of

edge deployment mode

gateway mode, configuring

SNMP

MAC Notification traps

SNMP Linkup traps

supported switches

switch support

user access method, configuring

optional components of Cisco NAC Appliance solution

Cisco Clean Access Agent

Cisco NAC Appliance Network Scanner

out-of-band issues, troubleshooting

P

PBR

Cisco NAC Appliance Server, load balancing

Layer 3 OOB traffic control

Perfigo

pilot phase for Cisco NAC Appliance deployment

plug-ins (Nessus), uploading

policy enforcement

agent login, configuring

certified devices, configuring

configuring

troubleshooting

web login, configuring

polling

port profiles

configuring in Virtual Gateway OOB deployment

L3OOB, configuring

ports, configuring for AD SSO

Post-Client Certification mode

posture assessment

configuring

pre-deployment phase

business drivers, identifying

communication plan, creating

deployment schedule, creating

executive summary

required resource, identifying

scope

support plan, creating

training program, developing

vision statement

prerequisites

for Active Directory SSO

for VPN SSO

for wireless SSO

primary servers, configuring HA

production deployment phase 1 (Cisco NAC Appliance)

production deployment phase 2 (Cisco NAC Appliance)

production deployment phase 3 (Cisco NAC Appliance)

proof of concept phase for Cisco NAC Appliance deployment

provider lists

Q

Quarantine built-in user role

Quarantine roles

troubleshooting users stuck in

R

RADIUS, adding new external authentication servers

Real IP Gateway mode

Real IP mode (Layer 3), login process

Real IP NAT Gateway

Real-IP Gateway mode

remediation

checks

custom rules, creating

requirements

rules, mapping

Remote Access domain

removing custom roles

requirements

for Cisco Clean Access Agent remediation

rules, mapping

for HSP

adding

deploying

enforcing

user role selection process

validity of, determining

for NAS installation

requiring Clean Access certification for every login

researching HSP enforcement areas

resources for Cisco NAC Appliance deployment, identifying

restricting bandwidth

risk analysis of failure scenarios

risks to internal security

ROI (return on investment), case studies

roles. See also user roles

assigning to local users

by external authentication source attribute

by MAC/IP address

by subnet

by VLAN ID

of NAC users, defining

normal login roles

rules for HSP

adding

validity of, determining

S

sample Cisco Clean Access Agent installation

sample deployment plan outline

sample emails

for postings

letters to students

NAC Appliance requirement change notification

sample HSP format

scalability of Cisco NAC Appliance

scanning

configuring

plug-ins, vulnerability handling

testing configuration

user agreement pages, creating

schedule for Cisco NAC Appliance deployment, creating

scope of Cisco NAC Appliance deployment project, defining

secondary NAM, HA configuration

secondary servers, HA configuration

security

internal security

as weakest link

network admission controls

regulations, challenges in maintaining compliance

security domains for HSP creation, defining

security policy committee

selecting

Client/Server Adjacency mode

Layer 2

Layer 2 Strict mode for Clean Access Agent

Layer 3

network mode

user roles for applying HSP requirements

self-signed temporary certificates

generating on primary NAM

generating on secondary NAM

serial port, locating

SNMP

configuring on Catalyst 3750 for OOB deployment

role in OOB

traps, configuring

SNMP polling, configuring

SNMP receiver

configuring in Virtual Gateway OOB deployment

L3OOB, configuring

Softerra LDAP browser

Spanning Tree N+1

sponsorship for HSP creation, obtaining

SSO (Single Sign-On)

AD SSO

AD server, configuring

AD SSO authentication server, adding

Agent-based Windows SSO, enabling

configuring

DHCP, enabling in NAS

domain structure

GPO updates, enabling

mapping users to multiple roles

NAC Agent, downloading

NAS settings, configuring

operation

ports, configuring

prerequisites

supported devices

traffic policies, configuring

troubleshooting

Cisco VPN SSO, configuring

Cisco Wireless SSO, configuring

VPN SSO

operation

prerequisites

troubleshooting

wireless SSO

operation

prerequisites

troubleshooting

standalone CSS, load balancing

stateful failover

of NAC Appliance Manager

of NAC Appliance Server

static routes, configuring L3OOB

subnet filters, applying to local user roles

Summary page, monitoring NAC Appliance solution

support logs, HA-related

support plan for Cisco NAC Appliance deployment, creating

SVIs, configuring on Catalyst 3750 for OOB deployment

switch groups

configuring in Virtual Gateway OOB deployment

L3OOB, configuring

switch port control, configuring

in L3OOB deployment

in Virtual Gateway OOB deployment

switch ports

configuring on Catalyst 3750 for OOB deployment

port profiles

switch profiles, configuring

in Virtual Gateway OOB deployment

L3OOB

T

Temporary built-in user role

Temporary role, troubleshooting users stuck in

testing

network scanning configuration

primary server HA configuration

threats to internal security

Timer page (Certified Devices tab), configuring

top command

traffic control, Layer 3 OOB

using ACLs

using authentication URL

using PBR

traffic control policies

configuring for AD SSO

host-based, creating

IP-based, creating

troubleshooting

training program for Cisco NAC Appliance deployment, developing

traps (SNMP)

configuring

Linkup

MAC Notification

troubleshooting

access-related issues

agent issues

NAM logs, applying to troubleshooting process

NAS logs, applying to troubleshooting process

common issues encountered

HA

licensing issues

out-of-band issues

policy issues

SSO issues

AD SSO

VPN SSO

wireless SSO

tty ports

U

Unauthenticated built-in user role

updates, performing on NAM

uploading Nessus plug-ins

user agreement pages, creating for network scanning

user authentication

configuring in L3OOB deployment

configuring in Virtual Gateway OOB deployment

MAC address authentication filters

mapping users to user roles

using attributes

provider lists

supported authentication servers

user login roles, defining

user role-based VLAN assignment, verifying

user roles

built-in, defining

configuring

in L3OOB deployment

in Virtual Gateway OOB deployment

custom

configuring

editing

removing

defining

V

validity of checks, rules, and requirements in HSP

verifying

HA status/configuration

primary server HA configuration

user role-based VLAN assignment

L3OOB

viewing discovery host IP

Virtual Gateway mode

Layer 2 login process

vision statement for Cisco NAC Appliance deployment

VLANs

authentication VLANs

configuring in Virtual Gateway OOB deployment

ID-to-role mappings, creating

port profiles

VPN SSO

operation

prerequisites

troubleshooting

vulnerability handling, configuring on network scanning plug-ins

W–X–Y–Z

Web GUI, monitoring Cisco NAC Appliance Manager

web login

authentication

network scanning

post-web login steps

with Network Scanner

web login authentication page (NAS)

configuring in L3OOB deployment

customizing

Web Login page (General Setup tab), configuring

Windows 2003 support tools, installing for AD SSO

Wireless domain

wireless SSO

operation

prerequisites

troubleshooting

WLC, configuring for Cisco Wireless SSO
