This chapter covers the following topics:
After you have implemented the Cisco NAC Appliance architecture appropriately in your environment and configured the necessary roles and role assignments, you will be able to configure agent policy enforcement. This configuration includes various checks, rules, and requirements as well as various scanning policies. After agent policies are configured, you will be able to ensure that systems connecting to your network will be required to authenticate, be interrogated, and comply with your policies prior to gaining access to the network.
When setting up the Cisco NAC Appliance for policy enforcement, you will typically proceed through a few steps to complete the configuration process. Here is a list of high-level steps that will be explained further throughout this chapter.
Step 1. Obtain and install updates on the NAC Appliance Manager (NAM).
Step 2. Enable and enforce the use of the Cisco Clean Access (CCA) Agent and scanning per role and operating system.
Step 3. Manage the certified list and exemptions.
Step 4. Configure role-based policies such as access and bandwidth restrictions as discussed in Chapter 8, "The Building Blocks: Roles, Authentication, Traffic Policies, and User Pages."
Step 5. Configure network scanning, agent scanning, or a combination of both mechanisms.
Step 6. Install the necessary Nessus plug-ins as required for your scanning needs.
Step 7. Configure agent scanning rules and requirements.
Step 8. Test the configuration and verify that all mechanisms are fully functioning as expected.
Step 9. Continue to fine-tune the configuration as well as the certified list and any additional exemptions.
Now that you have a process to follow, the chapter proceeds by explaining each major step and providing configuration guidance throughout the remaining sections of this chapter.
Prior to configuring your policy requirements, be certain that you have the most up-to-date checks, rules, and software updates available from the Cisco NAC Appliance Updates Server. You can view the current versions and numbers of each updated object by navigating the NAC Appliance Manager menu under Device Management > Clean Access and then selecting the Updates tab. A sample Updates tab screen is displayed in Figure 9-1.
Figure 9-1. Updates Tab Screen as Displayed on the NAC Appliance Manager
To ensure that you are always up to date with the most current software and policy components, you must set up automatic updating. Automatic updating is configured via the Device Management > Clean Access > Updates > Settings menu option as displayed in Figure 9-2.
Figure 9-2. Configuring Automatic Update Retrieval
The following is the list of configurable update options:
After you have completed the configuration of the automatic update retrieval process and performed an update, you can continue with the configuration by proceeding to the General Setup tab.
Now that you have successfully retrieved the most recent updates from Cisco, you can continue the configuration by selecting the General Setup tab on the NAC Appliance menu. From here you can configure the web login parameters and the agent login parameters.
The web login page of the General Setup tab provides the ability to configure how users authenticating via the web login page will be processed and what options they will have and be able to see on this page. The configuration options, as displayed in Figure 9-3, are as follows:
Figure 9-3. Web Login Configuration on the General Setup Tab
On completion of the form configuration as necessary, clicking the Update button commits the changes.
The Agent Login page of the General Setup tab provides the ability to configure how users authenticating via the CCA Agent will be processed and what options they will have and be able to see on this page. Figure 9-4 shows the configuration options.
Figure 9-4. Agent Login Configuration on the General Setup Tab
The following explains the options on this page:
On completion of the form configuration as necessary, clicking the Update button commits the changes.
After configuring the authentication options for your users, you may begin to think about the other devices in your network that might not be able to run the agent but will require access to the network through the NAC Appliance. Devices you might consider are printers and video conference systems as well as select other user-based systems. The Certified Devices tab on the NAC Appliance menu allows you to configure the exemptions for these devices. Additionally, you can view the currently certified devices list among other options in the following discussion.
The Certified List option (see Figure 9-5) on the Certified Devices menu allows the administrator to view and search for the devices that have been granted access to the network.
Figure 9-5. Certified List of Devices
This list is filterable by NAS or globally if desired. The list includes the following information:
There is also an option per device to kick the user and remove it from the list. In addition to kicking a single user, the administrator can use the various buttons on the page to clear all exempt systems, clear the certified systems, or clear all systems.
The devices in your network that are not capable of authenticating and posturing can be added as exempt devices. The Add Exempt Device page allows you to add MAC addresses of devices that are not required to meet the NAC Appliance requirements. The configuration of such devices is shown in Figure 9-6. After exempt devices are configured, they will be listed as such in the certified list, as illustrated in Figure 9-7. These devices are exempt from all NAS servers. If you want to locally exempt a system, you should perform the same configuration on the specific NAS.
Figure 9-6. Configuring Exempt Devices
Figure 9-7. Certified List Including Exempt Devices
Floating devices are one that will be listed as exempt for a single user session. After the user logs out, the system removes the exempt status. Floating device configuration is also used to ensure that systems hidden behind a shared network device, such as a router, virtual private network (VPN) concentrator, or firewall, which would normally share the same MAC address from the NAS perspective, are not considered to be a single device. Using this option, you can opt to identify each session via IP rather than MAC and ensure that each system is authenticated and scanned accordingly. This requires each system to be translated to its own IP address. Port Address Translation and Network Address Translation are not supported unless the user is always granted the same unique IP address.
To configure floating devices, simply navigate to the Add Floating Device option under Certified Devices and configure the list as follows:
Step 1. Enter each floating device on its own line using the following formatting rules:
— Format must be MAC TYPE DESCRIPTION.
— MAC uses xx:xx:xx:xx:xx:xx format.
— TYPE is ether 1 or 0. 1 sets the system as the device hiding other MAC addresses and lets the system know to never exempt the system by MAC. 0 sets the system as exempt only for the current session.
— DESCRIPTION cannot have any spaces.
Step 2. Click Add Device to commit the changes.
Figure 9-8 shows a sample configuration screen. After it is complete, the floating device list will be displayed in a table at the bottom of the configuration page.
Figure 9-8. Creating Floating Devices
If desired, you can configure automatically occurring processes that will clear the certified device list as necessary without manual interaction. To configure this setting, navigate to the Timers option of the Certified Devices tab. Initially you are presented with a list of any configured timers. To create a new timer, select the New option and proceed as follows:
Step 1. Provide a timer name.
Step 2. Provide a description.
Step 3. Select Enable This Timer to make sure that this automated process will run.
Step 4. Select Keep Online Users to ensure that you do not drop any currently active users if necessary.
Step 5. Provide a start date and time for the automated process.
Step 6. Provide a recurrence interval in days to allow the job to run every day as necessary.
Step 7. Define the criteria for the job:
— Select all or a specific NAS.
— Select the role that should be matched or all user roles.
— Select the type of authentication provider that was used for the session.
— Provide a minimum number of days the system in question has been certified or enter 0 to consider all systems.
Step 8. Select one of the following methods:
— Clear All Matching Certified Devices.
— Clear the Oldest number Matching Certified Devices Only, where number is definable.
— Clear the Oldest number Certified Devices Every minutes Minutes Until All Matching Devices Are Cleared. This option repeatedly clears a certain definable number of devices every definable number of minutes until the list is cleared according to the matching parameters configured.
Step 9. Click Add to commit the actions.
Figure 9-9 shows a sample timer configuration screen. After it is completed, the floating device list will be displayed in the list option under the Timer menu.
Figure 9-9. Creating a Timer
Cisco Clean Access Agent is required for the most robust level of interrogation and interaction the NAC Appliance can enforce. Clean Access Agent allows the system to collect vulnerability assessment data and provides remediation options to the interrogated system as defined by centrally configured policies. Clean Access Agent is available for Windows systems, and its use can be enforced, as illustrated earlier in this chapter, by configuring the agent login configuration page. The user is prompted to download and install Clean Access Agent to be granted network access. Prior to granting access, Clean Access Agent can look for installed software, registry keys, files, processes and services. In addition, it can require the update of several antivirus and antispyware packages as well as perform various other installations and provide guidance to the user in remediating other issues manually if necessary.
Each NAS will obtain the latest copy of Cisco Clean Access Agent from NAM when it becomes available. The users required to use Clean Access Agent are asked on initial install to download and install the agent. In addition, if desired, Clean Access Agent can be distributed via any number of other methods, such as login script, manual installation, or software distribution systems such as BigFix or Microsoft System Management Server (SMS). After installation, Clean Access Agent can automatically receive and install updates as configured centrally by the NAC Appliance administrator.
Now you will examine the user-side experience relating to installing Cisco Clean Access Agent.
Step 1. The user attempts to access a website via a web browser. Any other application connection attempt will result in a failed connection until web authentication occurs because the system has not yet been granted access.
Step 2. The web browser displays a message, shown in Figure 9-10, that the user is about to be redirected to the network authentication page.
Figure 9-10. Redirection to the Web Authentication Page User Message
Step 3. The browser automatically displays the web login page from the local NAS and requires the user to authenticate and click Continue, as displayed in Figure 9-11.
Figure 9-11. Web Login Page
Step 4. The web login occurs as configured. Figure 9-12 illustrates the network security notice page with the included button to download Clean Access Agent, which has been configured as a requirement for this deployment.
Figure 9-12. Network Security Notice and Cisco Clean Access Agent Download Button
Step 5. On clicking the Agent download button, the user is prompted to run or save Clean Access Agent downloaded from the local NAS, as illustrated in Figure 9-13.
Figure 9-13. Downloading the Clean Access Agent Locally
Step 6. On running the installer, the user continues through the installer's steps, as illustrated in Figure 9-14.
Figure 9-14. Installing Clean Access Agent
Step 7. After installing Clean Access Agent, the system will start the agent application and prompt the user to authenticate using this mechanism, as shown in Figure 9-15.
Figure 9-15. Authenticating with the Agent
Step 8. After successful authentication and interrogation, the user is granted access and notified via Clean Access Agent, as displayed in Figure 9-16.
Figure 9-16. Successful Authentication Notification from Clean Access Agent
The system and user are now successfully authenticated and postured, which allows NAC Appliance to apply the necessary access restrictions and permissions centrally defined for that user, system, and operating system. If you like, you can view the system in the certified devices list as viewed on the specific NAS or NAM.
After Clean Access Agent is deployed, you can force the users to automatically upgrade to the latest version. Additionally, you can upload the necessary patches to NAM when necessary. To perform these tasks, you must navigate to Device Management > Clean Access > Clean Access Agent > Distribution. From here, you can configure the distribution using the following options as displayed in Figure 9-17:
Figure 9-17. Configuring Agent Distribution
Other important information pertinent to the Clean Access Agent distribution methodology is configured under the Installation option below the Clean Access Agent tab. On this page, shown in Figure 9-18, you can configure the following related agent installer configuration information:
— No UI No user input is required. This is a silent install.
— Reduced UI The user can see the installation, but it requires no user input or selections.
— Full UI The user is required to interact with the installer to complete the installation.
Figure 9-18. Installation Options for the Agent Installer as Well as the Agent Download Options
Another alternative to installing Clean Access Agent via the web authentication page is to distribute it through your typical software delivery mechanism, such as login scripts, BigFix, or Microsoft SMS. To retrieve the installer files from NAM, you must navigate to the Installation option under the Clean Access Agent tab. At the bottom of this configuration page, you can download either the CCAA MSI Stub or the CCAA EXE Stub file as necessary for your software distribution mechanism. After it is downloaded, your software distribution system administrator has to appropriately script and test the automated installation process as with any other package currently distributed via this mechanism. The download options can be seen in Figure 9-18.
After Clean Access Agent authenticates to NAC Appliance, it is interrogated using mechanisms available to the current Clean Access Agent. The system will either have to meet the requirements or be brought into compliance in order to access the network. If the system does not meet requirements, access will be prevented or degraded if the administrator has configured the system for such access. The following sections cover the configuration of requirements, rules, and checks that will interrogate and remediate the end-user's system.
You must map requirements, rules, and checks to implement the necessary remediation actions that you will define for your network-attached systems. Requirements implement decisions (remediation actions) as a result of what you determine systems must have to be considered compliant. Rules are mapped to a requirement in order to define the necessary guidelines that must be met to in turn meet the requirement. Checks are single parameters that must exist for custom rules to be met, such as the existence of a registry key or process.
The following seven types of definable requirements are available:
The seven options define what outcome will occur when a requirement is not met. After the necessary configuration between rules and requirements is defined, the administrator can assign the requirement to a specific normal login user role. At this point, on authentication, users are placed into the Temporary role until they meet the requirements tied to their specific normal login role.
A common requirement configured in a customer environment is an antivirus update. The following list steps through the necessary process to create that requirement:
Step 1. Before proceeding, you must ensure that your current antivirus product is supported by navigating to the Clean Access Agent > Rules > AV/AS Support Info page. You can select your specific antivirus vendor from the drop-down list and verify that your currently deployed antivirus is supported, as illustrated in Figure 9-19. After you verify that it is supported, you can continue with your configuration steps.
Figure 9-19. Antivirus and Antispyware Support Verification
Step 2. Prior to creating the requirement, you have to create the necessary rules that are the building blocks of the requirement. Remaining on the Rules page, select the New AV Rule option. All the substeps listed here are displayed in Figure 9-20 for configuring this specific antivirus rule.
Figure 9-20. New Antivirus Rule Configuration
a. Enter a rule name, such as Trend_Micro_AV_Definition.
b. Select Trend Micro, Inc. from the Antivirus Vendor drop-down list.
c. Select Virus Definition from the Type drop-down list.
d. Select the appropriate OS.
e. Enter a description.
f. Select the appropriate check boxes for the virus definitions you want to verify.
Step 3. After adding the rule, you are returned to the rule list page that contains all configured rules. It should be noted that you can edit, copy, and delete individual rules from this listing page.
Step 4. Now that you have a rule, you can create a requirement by navigating to the Requirements option under the Clean Access Agent tab. Select New Requirement. The substeps configured here for the new requirement are displayed in Figure 9-21.
Figure 9-21. New Antivirus Requirement Configuration
a. Select AV Definition Update from the Requirement Type drop-down list.
b. Select the appropriate enforcement type:
c. Select the priority. The priority is where in the order of requirement enforcement the requirement is placed. Failure at any point causes the system to fail the requirements check.
d. Select the appropriate antivirus vendor name from the list.
e. Provide a requirement name.
f. Provide a description.
g. Select the operating systems on which the requirement should be evaluated.
h. Click the Add Requirement button.
Step 5. After completion of that page, you are returned to the requirement list page where you can reorder, edit, and delete individual requirements.
Step 6. You can now associate the rules with your new requirement. Navigate to Requirement-Rules under the Requirements option. All substeps here are displayed in Figure 9-22.
a. Select the requirement name from the drop-down list.
b. Select the appropriate operating system.
c. Select the appropriate option for Requirement Met If:
d. Set the number of days the client antivirus definition can be older than what NAM lists as current.
e. Select the rule you created earlier regarding the Trend_Micro_AV_Definition or select the appropriate pr_rule provided by Cisco.
f. Click the Update button to commit the mapping.
Figure 9-22. Requirement-Rules Mapping
Step 7. Now that you have configured the requirement that relies on the mapped rules, you must choose to enforce the requirement on the chosen role. Navigate to Role-Requirements to configure this requirement assignment. The configuration of the following substeps is displayed in Figure 9-23.
a. Select the type of role you want to apply to the requirements as either Normal Login Role or Quarantine Role.
b. Select the User role to map the requirement.
c. Check the boxes in front of the requirement or requirements you want to map to this role.
d. Click the Update button to commit the change.
Figure 9-23. Role-Requirement Mapping
Note
You might notice many of the rules and checks are prefaced with pr_ and pc_. pr_ indicates a Cisco-deployed preconfigured rule, and pc_ indicates a Cisco-deployed preconfigured check.
Many requirement types, rules, and checks are preconfigured and automatically updated by Cisco in addition to the unlimited number of configurations you can make yourself. Becoming familiar with the configuration of custom rules will provide you with extremely granular control over the policy you want to enforce.
Checks are logic that allows the Cisco Clean Access Agent to verify that a registry key, file, service, or application exists and, if pertinent, whether it is running or not running. To create a new check, you simply navigate to the New Check option under the Rules menu option. You will now configure a simple application check to verify that ftpserv.exe is running on the system you are interrogating. The following steps are illustrated in Figure 9-24.
Step 1. Select Application Check from the Check Category drop-down list.
Step 2. Leave the default and only option of Application Status for this check type.
Step 3. Name the check.
Step 4. Provide the application name.
Step 5. Select Running in the Operator drop-down list.
Step 6. Provide a check description.
Step 7. Select the appropriate operating systems for this particular check.
Step 8. Select Automatically Create Rule Based on This Check.
Step 9. Click the Add Check button.
Step 10. Navigate to the Check List menu option and scroll to the bottom to see your check.
Step 11. Navigate to the Rule List menu option and scroll to the bottom to locate the created rule.
Step 12. Select Edit Rule to better understand the creation of the new rule. This rule is displayed in Figure 9-25.
Figure 9-24. Creating an Application Check for ftpserv.exe
Figure 9-25. Dynamically Created Rule for ftpserv.exe Running
Creating a custom rule is slightly more complex than creating an antivirus or antispyware rule because you are required to understand rule logical operators. In the previous example, you dynamically created a rule from a new check. A custom rule, as displayed in Figure 9-25, can be simple and require matching a single check or can be complex and use logical application of multiple checks.
When creating a custom rule, you are required to enter a rule expression as the matching parameters. These matching parameters are configured checks. If you want to evaluate multiple checks in a single rule, you are required to use logical operators. The checks are grouped in a rule expression by using parentheses. You can use the following operators:
Note
When creating a custom rule from a check, it should be noted that to complete the steps necessary to enforce this action, you have to create a requirement, map the rule to that requirement, and then perform the appropriate role-to-requirement mapping.
Cisco NAC Appliance has the capability to perform a network scan using the Nessus scanning engine with or without the Cisco Clean Access Agent installed on the system to be scanned. The scans and updates are manual processes, and the results will vary depending on other security products and personal firewalls installed on the scanned system. On completion of a network scan of the system attempting access to the network, NAC Appliance can notify the user of the vulnerability, warn the user with a user agreement page, block the user from the network, or assign the Quarantine role. Many Nessus scans (plug-ins) are available today from http://www.nessus.org, including virus and worm detection as well as detecting the presence of network applications such as instant messengers and file-sharing applications. To use scanning, you must load the Nessus plug-ins and then configure scanning.
Nessus plug-ins must be downloaded from http://www.nessus.org due to a licensing requirement by Tenable, the owner of Nessus. After you download the plug-ins, you must rename them plugins.tar.gz before uploading. If you are uploading a single plug-in, it must be named myplugin.nasl. Perform the following steps in Figure 9-26 to complete a Nessus plug-in upload.
Step 1. Navigate to Clean Access > Network Scanner > Plugin Updates.
Step 2. Browse to the plug-in file (which is named plugins.tar.gz), and then click the Upload button.
Figure 9-26. Uploading Nessus Plug-Ins
When this is completed, you can continue to configure scanning on your NAC Appliance.
Now that you have loaded Nessus plug-ins into your NAM, you can configure scanning to occur from the NAS systems as desired. To select the plug-ins you want to use per user role and operating system, as shown in Figure 9-27, perform the following steps:
Step 1. Navigate to Clean Access > Network Scanner > Plugins.
Step 2. Select the user role to configure scanning.
Step 3. Select the associated operating system.
Step 4. In the Show drop-down box, select the plug-in group you want to view. After a plug-in group is selected, the bottom of the page will display the available plug-ins.
Step 5. Select the plug-ins you want to enable as well as any dependent plug-ins required for other selected plug-ins.
Step 6. Select the check box next to Enable Scanning with Select Plugins.
Step 7. Click the Update button.
Figure 9-27. Configuring Network Scanning by User Role and Operating System
If you are using the more complex plug-ins that can employ some additional configuration, you can navigate to the Options menu to perform additional configuration as required. Figure 9-28 shows a sample configuration option.
Figure 9-28. Configuring Advanced Scanning Configuration Options
When NAS scans a system and locates a vulnerability as a result, it can warn the user, block access, or assign the Quarantine role. This is all configured per scanning plug-in on the Vulnerabilities menu. The following configuration for a single plug-in is shown in Figure 9-29.
Step 1. Navigate to Network Scanner > Scan Setup > Vulnerabilities.
Step 2. Select the plug-in you want to configure.
Step 3. Select —NEVER—, HOLE, HOLE, WARN, or HOLE, WARN, INFO from the drop-down menu to identify the Nessus scan result that should be returned as a matching parameter from the resulting scan.
Step 4. Click the Edit icon next to the particular plug-in. Doing so presents additional configuration options.
Step 5. Enter the instruction, which is the test field that will be presented to users.
Step 6. Enter a link, which is the URL that can assist users in remediating their system.
Step 7. Click the Update button to continue.
Figure 9-29. Configuring Vulnerability Handling per Plug-In
After completing the plug-in vulnerability handling, you return to the Vulnerabilities page, which will show your configuration, as seen in Figure 9-30.
Figure 9-30. Vulnerabilities List Page
You can also configure a user agreement page that will be presented to the users so that they can be certified for network access. They are required to agree to this text before proceeding. Figure 9-31 illustrates the simple configuration of this page, which includes role-specific and OS-specific information, an informational message to present to the user, the acknowledgment instructions, and the labels for accepting or declining the user agreement.
Figure 9-31. User Agreement Page for Network Scanning
After you have completed the configuration of network scanning, you can test the configuration from the Test menu item. Figure 9-32 illustrates the configuration parameters and testing results of the plug-ins you configured.
Figure 9-32. Testing Scanning in Your Network
The configuration parameters include providing a user role, operating system, and target computer IP address, and the ability to show the log. Clicking the Test from Manager button on the test page begins the scan. While scanning is occurring, the user experience is unaffected. Figure 9-33 illustrates the user experience when using the CCA Agent, which is not required. If the CCA Agent were not installed, the scanning would have been completely transparent.
Figure 9-33. Scanning User Experience While Using the CCA Agent
Configuring the Cisco Clean Access Agent can be a complex task, but the granular requirements can make for an extremely secure and up-to-date computing environment. Properly configuring your NAC Appliance is extremely important, but when it is completed, you can rest assured that your corporate-controlled assets (as well as uncontrolled assets such as contractor systems) will be brought into compliance before they can access critical systems.