© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Deploying Cisco Network Admission Control (NAC)
Haider Pasha, CISSP, Consulting SE Manager, Advanced Technologies Africa & Levant
Agenda
1. NAC Overview
2. General Design and Deployment
3. NAC Profiler
4. Guest Access
5. Q & A
What Is Network Admission Control?
Identity: Who is the user? Is s/he authorized? What role does s/he get?
Device security: Is MS patched? Does A/V or A/S exist? Is it running? Are services on? Do required files exist?
Network security: Is policy established? Are non-compliant devices quarantined? Is remediation needed? Is remediation available?
Using the network to enforce policies ensures that incoming devices are compliant.
Cisco NAC Components
NAC Manager: centralized management, configuration, reporting, and policy store
NAC Server: posture, services and enforcement
NAC Agent or Web Agent: no-cost client for device-based scans
ACS: access policy system for 802.1x termination and identity based access control
802.1x Supplicant (SSC): 802.1x supplicant via CSSC or the Vista embedded supplicant
Ruleset Updates: scheduled automatic rulesets for anti-virus, Microsoft hot-fixes and other applications
NAC Profiler: aggregates data from the Collector to determine role and privileges
NAC Collector: collects network data to determine device type
NAC Guest: full-featured guest provisioning server
The diagram arranges these into a Posture Layer, a NAC Services Layer and an Infrastructure Layer (Network Access Devices).
Cisco NAC Appliance Partnerships
NAC Appliance Supports Policies for 300+ Applications, including These Vendors:
Cisco NAC is committed to protecting customers' investments in partner applications.
NAC Solution Sizing and Platforms
NAC Management Components: Lite Manager (up to 3 Servers), Std Manager (up to 20 Servers), Super Manager (up to 40 Servers)
NAC Server Components: ISR Network Module (50 or 100 users); Appliance (100, 250, or 500 users); Appliance (1500, 2500, or 3500 users)
Additional NAC Services: Guest Server, Profiler Server
Hardware platform legend: ISR NM, 3310, 3350, 3390
Users = online, concurrent
NAC Overview: Process Flow
Sequence diagram between the User Machine, the NAC Server and the NAC Manager; the messages exchanged (ports in parentheses):
1. DHCP Request
2. UDP Discover (8905, 8906) from the NAC Agent; without an agent, the user opens a Web browser, is URL-redirected to Weblogin and downloads the NAC Agent (80)
3. Connect via TCP (443)
4. Pre-connect (1099) between Server and Manager
5. User Login (443)
6. Download Policy to Agent: agent checks and rules, XML (443); plugins enabled (443)
7. Agent Performs Posture Assessment
8. Report (443)
9. Connect request (1099) from Server to Manager; Connect Response (8955, 8956)
10. Server Performs Access Enforcement; the user machine is Certified and Logged On
11. Session and heartbeat timer (443) until Logged out
NAC Use Cases
1. Distributed architecture deployment
2. NAC Server is in Bridged (Virtual Gateway) or Routed (Real-IP Gateway) mode
3. Users are Layer 2 (L2) or Layer 3 (L3) adjacent to NAC Server.
4. NAC Server is Inline (IB) all the time or can be Out-of-Band (OOB). OOB NAC Server is Inline only during NAC Posture and remediation.
NAC Server Foundation: Bridge Mode
1. Direct Bridging: Frame Comes In, Frame Goes Out
2. VLAN IDs are either passed through untouched or mapped from A to B
3. DHCP and Client Routes point directly to network devices on the Trusted side
4. NAC Server is an IP passive bump in the wire, like a transparent firewall
NAC Server Foundation: Routed Mode
1. NAC Server is Routing, Packet Comes In, Packet Goes Out
2. VLAN IDs terminate at the Server, no pass-through or mapping
3. DHCP and Client Routes usually point to the Server for /30
4. NAC Server is an active IP router, can also NAT outbound packets *
* Be aware of NAT performance limitations
NAC Server Foundation: In Band
1. Easiest deployment option
2. NAC Server is Inline (in the data path) before and after posture assessment
3. Supports any switch, any hub, any AP
4. Role Based Access Control (Guest, Contractor, Employee)
5. ACL Filtering and Bandwidth Throttling
NAC Server Foundation: Out of Band
1. Multi-Gig Throughput deployment option
2. NAC Server is Inline for Posture Assessment Only
3. Supports most common Cisco Switches **
4. Port VLAN Based and Role Based Access Control
5. ACL Filtering and Bandwidth Throttling for Posture Assessment Only
NAC Manager Controls Port using SNMP
Out-of-Band Process Flow
Diagram: the PC connects to an access switch; a dot1q trunk carrying VLANs 10 and 110 links the switch to the distribution layer. The NAC Server's untrusted side is on VLAN 110 and its trusted side on VLANs 10 and 30, with VLAN mapping v110 to v10; further addresses shown are 10.90.0.2 on VLAN 900 and 10.30.0.2 on VLAN 30. SVIs: v10 10.10.0.1, v900 10.90.0.1, v30 10.30.0.1. DHCP server scope for VLAN 10: 10.10.0.5 – 10.10.0.254; the PC ends up with IP 10.10.0.10 and default gateway 10.10.0.1.
1. PC is attached to the network
2. Switch sends the MAC address via SNMP to the NAC Manager
3. NAC Manager verifies whether the PC is 'Certified'. If the PC is not certified, the NAC Manager instructs the switch to assign the port to the Authentication VLAN (v110). The PC gets a DHCP IP address in the VLAN 10 subnet because DHCP/DNS traffic passes through the NAC Server using VLAN mapping
4. All traffic from the PC flows to the NAC Server; the NAC Server enforces network access restrictions
5. PC goes through Authentication, Posture Assessment and Remediation
6. NAC Server informs the NAC Manager that the PC is 'Certified'
7. NAC Manager instructs the switch to assign the port to the 'Access' VLAN (v10) based on Port mapping or User Role Assignment
8. PC is allowed access to the network
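The Manager-side decision in steps 2, 3, 6 and 7 above, as an added Python model (not Cisco code): the SNMP MAC notification and the port-VLAN change are plain function calls, the role-to-VLAN table and the revoke path are assumptions, and the walkthrough shows that an unknown or de-certified MAC always lands in the Authentication VLAN.

```python
"""Model of the NAC Manager's out-of-band port-VLAN decision (steps 2, 3, 6, 7).
Added illustration, not Cisco code: SNMP writes are represented as function calls."""
from dataclasses import dataclass, field

AUTH_VLAN = 110    # untrusted side of the NAC Server (mapped to VLAN 10 by the server)
ACCESS_VLAN = 10   # default 'Access' VLAN from the port mapping
# Assumed role-to-VLAN table; the deck only says roles *can* drive the VLAN choice.
ROLE_VLANS = {"employee": 10, "contractor": 30}


@dataclass
class NacManager:
    certified: dict = field(default_factory=dict)    # mac -> role
    port_vlan: dict = field(default_factory=dict)    # (switch, port) -> vlan
    mac_on_port: dict = field(default_factory=dict)  # (switch, port) -> mac
    log: list = field(default_factory=list)

    def _set_vlan(self, switch, port, vlan):
        # Stand-in for the SNMP write that moves the access port.
        self.port_vlan[(switch, port)] = vlan
        self.log.append(f"{switch}/{port} -> vlan {vlan}")

    def mac_notification(self, switch, port, mac):
        """Steps 2/3: switch reports a MAC on a port; pick Auth or Access VLAN."""
        mac = mac.lower()
        self.mac_on_port[(switch, port)] = mac
        if mac in self.certified:
            self._set_vlan(switch, port, self.vlan_for_role(self.certified[mac]))
        else:
            self._set_vlan(switch, port, AUTH_VLAN)   # unknown device: quarantine
        return self.port_vlan[(switch, port)]

    def certify(self, mac, role):
        """Steps 6/7: NAC Server reports the PC as Certified after posture/remediation."""
        mac = mac.lower()
        self.certified[mac] = role
        for (switch, port), m in self.mac_on_port.items():
            if m == mac:
                self._set_vlan(switch, port, self.vlan_for_role(role))

    def revoke(self, mac):
        """Assumed path (not on the slide): certification removed, back to Auth VLAN."""
        mac = mac.lower()
        self.certified.pop(mac, None)
        for (switch, port), m in self.mac_on_port.items():
            if m == mac:
                self._set_vlan(switch, port, AUTH_VLAN)

    @staticmethod
    def vlan_for_role(role):
        return ROLE_VLANS.get(role, ACCESS_VLAN)


def walkthrough():
    """Constructed scenario; returns the VLAN seen at each stage."""
    cam = NacManager()
    first = cam.mac_notification("sw1", "Fa0/1", "00:11:22:33:44:55")  # unknown -> 110
    cam.certify("00:11:22:33:44:55", "employee")                        # -> 10
    after = cam.port_vlan[("sw1", "Fa0/1")]
    again = cam.mac_notification("sw2", "Fa0/7", "00:11:22:33:44:55")  # known -> 10 directly
    cam.revoke("00:11:22:33:44:55")                                     # both ports -> 110
    return first, after, again, cam.port_vlan[("sw2", "Fa0/7")]
```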
Complete layer 2 network
Diagram: collapsed core/distribution with two access layers. One access side carries VLANs 10, 20, 30 together with VLANs 110, 120, 130; the other carries VLANs 40, 50, 60 together with VLANs 140, 150, 160.
Network Topology: Campus Routed Access Design
Diagram: Core; distribution switches D1 and D2 with L3 links to the access layer (VLAN 10 – Data, VLAN 11 – Voice, VLAN 16 – Auth). NAC Servers USVR-1 (Active) and USVR-2 (Standby) each have an Untrusted (U) interface on VLAN 200 (10.0.1.0/24) and a Trusted (T) interface on VLAN 300 (10.0.2.0/24), addressed .4 and .5; NAC Manager: 10.10.10.10. HSRP runs between D1 and D2, VLAN 100 is used for L3 peering, and the D1–D2 trunk carries VLANs 100, 200, 300.
1. Replace the L3 Routed Link between Distribution Layer Devices with an L2 etherchannel trunk. Carry only 3 VLANs on the trunk: Trusted, Untrusted and RP peering. Establish L3 peering via SVI 100.
2. Maintain L3 Routed Links between access and distribution layers
3. HSRP is used between Untrusted SVIs (200) and Trusted SVIs (300)
Central Site Inband NAC Server
1. No Access to Central Site without meeting policy
2. Remote segmentation depends on WAN technology
3. Point to Point networks can hairpin traffic through the NAC Server to segment remotes
4. MPLS or meshed networks cannot segment remote branches
Evaluate Requirements: the easiest and fastest method of deployment if it meets needs.
Diagram: remote sites reach the Central Site over an IP Network; the Central Site hosts the NAC Server, the NAC Manager and the Central Site Resources.
Remote Site NAC Server or Network Module (In-band or OOB)
1. Minimal network changes (same as campus deployment)
2. Remote segmentation, or port segmentation using OOB
3. Full feature support - keep IP address (VGW), /30s etc.
4. Deploy In-Band for both wired and wireless users
5. Deploy Out-Of-Band for wired only deployments
Optimal Solution: provides all the functions of a campus deployment; contrast with cost.
Diagram: each remote site has a NAC Server or a NAC Network Module for ISR; the NAC Manager sits at the central site across the IP Network.
Central Site Out-of-Band NAC Server (L3 OOB)
1. NAC Server deployed at the centre
2. Traffic from the Auth VLAN must be restricted to the NAC Server, Remediation Services etc.
3. Remote segmentation is controlled through either Access Control Lists, Policy Based Routing, a separate MPLS VPN, or GRE tunnels, IPSec, etc.
Port based control: port based control with a central NAC Server comes with increased deployment complexity.
Diagram: remote sites across an IP Network; Remediation Resources, NAC Manager and NAC Server at the central site.
L3 OOB with Access Control Lists
Diagram: the central site (remediation network 10.1.1.0/24, with the NAC Manager and NAC Server) is reached over an IP Network from a remote site that has an Unauthenticated VLAN (192.168.2.0/24) and an Authenticated VLAN (192.168.1.0/24) hosting the AV Server and Windows Update Server.
1. User connects laptop to the network
2. Switch tells the NAC Manager, which puts the port in the unauthenticated VLAN
3. NAC Agent on the user's PC sends a discovery packet to the NAC Manager
4. NAC Server intercepts the discovery packet and goes through authentication, posture checking, remediation etc. with the client
© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
What If the PC Has a Worm/Virus/Malware?
1. If the PC has a worm it could send traffic into the network, infecting other devices.
2. However, the ACL on the unauthenticated VLAN should stop all unnecessary communication, as the temporary filter on the NAC appliance traditionally does.
Diagram: same topology (central site 10.1.1.0/24 with the NAC Manager and NAC Server; Unauthenticated VLAN 192.168.2.0/24; Authenticated VLAN 192.168.1.0/24 with the AV Server and Windows Update Server).
The filter is applied inbound on the unauthenticated VLAN's interface; anything not listed is dropped by the implicit deny at the end of the list:

    interface fa0.[unauthenticated vlan]
     ip access-group nac-filter in
    !
    ip access-list extended nac-filter
     remark Allow traffic to remediation network
     permit ip any 10.1.1.0 0.0.0.255
     remark Permit to local remediation servers
     permit ip any 192.168.1.[wsus,av,etc] 0.0.0.0
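To see what the nac-filter ACL above actually lets a quarantined host reach, here is an added Python evaluator (not Cisco code) that models IOS extended-ACL matching with wildcard masks, first-match-wins and the implicit deny; the WSUS/AV host addresses and the sample flows are constructed.

```python
"""Evaluate the nac-filter ACL from the slide against flows leaving the
unauthenticated VLAN. Added illustration, not Cisco code."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard masks: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# Entries: (action, protocol, src, src_wildcard, dst, dst_wildcard).
# 'any' is 0.0.0.0 255.255.255.255. The WSUS/AV host addresses are constructed;
# the slide leaves them as the placeholder 192.168.1.[wsus,av,etc].
NAC_FILTER = [
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "10.1.1.0", "0.0.0.255"),    # remediation network
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "192.168.1.20", "0.0.0.0"),  # WSUS (constructed)
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "192.168.1.21", "0.0.0.0"),  # AV server (constructed)
]


def evaluate(acl, src, dst):
    """First matching entry wins; the list ends with an implicit 'deny ip any any'.
    Protocol is carried but not evaluated since every entry here is 'ip'."""
    for action, _proto, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


def quarantine_check():
    """Constructed flows from a quarantined host (192.168.2.50) in the unauthenticated VLAN.
    Note: an ACL on the VLAN's L3 interface only sees routed traffic; host-to-host
    traffic inside 192.168.2.0/24 is switched at layer 2 and needs a VACL or
    private VLANs if it must be contained as well."""
    flows = {
        "nac_server": ("192.168.2.50", "10.1.1.5"),           # remediation network: allowed
        "wsus": ("192.168.2.50", "192.168.1.20"),             # local remediation server: allowed
        "authenticated_pc": ("192.168.2.50", "192.168.1.77"),  # other host in access VLAN: dropped
        "internet": ("192.168.2.50", "192.0.2.10"),           # anything else: dropped
    }
    return {name: evaluate(NAC_FILTER, s, d) for name, (s, d) in flows.items()}
```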
L3 OOB with Access Control Lists (continued)
5. Lastly, the NAC Manager changes the switch port of the PC to the authenticated VLAN (192.168.1.0/24)
NAC Appliance for Remote Users
Diagram: the Central Site is reached over Multi-Hop IP from a Branch Office (Corporate Users), a Home Office (Unmanaged Desktop), an Account Manager (Mobile User) and a Supply Partner (Extranet), connecting over IPSec VPN or SSL Tunnel VPN.
Benefits:
1. Extends policy enforcement and compliance to remote access and VPN users
2. Extends enforcement to site-to-site VPN partners
3. Leverages VPN sign-on for single-sign-on
Features:
1. Supports IPSec and SSL Tunnel VPNs
2. Supports site-to-site VPNs
3. Supports VPN user single-sign-on
Cisco NAC for Wireless Users
Benefits:
1. Enables central deployment mode
2. Extends enforcement to any wireless networks
3. End user devices can be several hops away
4. Leverages 802.1x sign-on for single-sign-on
Features:
1. Supports 802.1q trunking
2. Supports thin or thick wireless 802.11 APs
3. Supports Wireless user single-sign-on
Diagram: Central Site connected to a Wireless Network of LWAPP Users (LWAPP), a Wireless Network of WLSM Guest Users (802.1q, GRE) and Campus Building Wireless Users (802.1q).
Non-PC Endpoint Devices
An enterprise LAN is comprised of myriad endpoint types. Most are undocumented (think DHCP).
Wired Endpoints Distribution, Enterprises without VoIP: 50% Windows, 50% Other
Wired Endpoints Distribution, Enterprises with VoIP: 33% Windows, 33% IP phones, 33% Other
Cisco NAC Profiler: Secure Automation
Diagram: Cisco NAC Profiler discovers and monitors PCs and non-PCs (UPS, phone, printer, AP).
Endpoint Profiling (Discovery): discover all network endpoints by type and location; maintain real time and historical contextual data for all endpoints.
Behavior Monitoring: monitor the state of the network endpoints; detect events such as MAC spoofing, port swapping, etc.
An automated process populates devices into the NAC Manager and, subsequently, into the appropriate NAC policy.
Understanding NAC Profiler
Diagram: the NAC Server with a NAC Collector License receives SPAN/TRAP/NETFLOW etc. from the network and feeds the NAC Profiler Server, which updates the NAC Manager through the NAC API; Windows AD and an AAA Server are shown alongside.
1. NAC Collector aggregates collection of relevant data (e.g. phones, printers, badge readers, modalities) and sends it to the NAC Profiler Server
2. NAC Collector continuously monitors the behavior of profiled devices (spoofing behavior) and updates the Profiler Server
3. NAC Profiler Server profiles the device and automatically adds/deletes/modifies the MAC/IP on the NAC Manager and places it in the NAC filter list (allow, deny, ignore, or "role").
4 Key Components of Guest Access
1. GUEST: the visitor who needs network access (usually internet only)
2. SPONSOR: the internal user who wants to be able to provide internet access to her guest
3. NETWORK ENFORCEMENT DEVICE: the device that authenticates the guest and grants network access
4. NAC GUEST SERVER: enables the sponsor to create a guest account; audits; provisions the account on the network enforcement device
3 Ways of Guest Notification
Send account information via print-out, email, or SMS.
How It Works with NAC
Diagram: Cisco NAC Guest Server, NAC Manager and NAC Server at the edge of the Enterprise Network; the guest sees a connect screen and is then granted Internet, E-mail, VPN, etc.
1. Employee creates account for Guest
2. Adds Guest Info to NAC Mgr via API
3. Guest starts Web browser
4. NAC Appliance redirects to login page
5. Guest enters temp access code generated by SGA Appliance
6. NAC Appliance puts the user in the specific Role
Recommended Reading
1. Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press
2. Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Breakout Session Evaluation Form
Your session feedback is valuable
Please take the time to complete the breakout evaluation form and hand it to the member of staff by the door on your way out.
Thank you!
Backup Slides
Cisco NAC Innovation
Diagram: timeline 2003–2008 of the NAC value-add, from Posture Assessment (What's on your device?) through User Identity (Who are you?), Device Profiling (What other devices are connected?) and Secure Guest (Who else is connecting?) to Governance (What are the conditions of access?).
Market Size (source: IDC, June 2007): 2004: $92m; 2005: $131m; 2006: $207m; 2007: $354m; 2008: $570m.
Basic NAC Components
1. NAC Manager (Clean Access Manager): centralizes management for administrators, support personnel, and operators
2. NAC Server (Clean Access Server): serves as the enforcement point for network access control
3. NAC Agent (Clean Access Agent): optional lightweight client for device-based registry scans in unmanaged environments
4. Rule-set Updates: scheduled automatic updates for anti-virus, Microsoft hot-fixes and other applications
Agent Options: Web and Persistent
NAC Server Foundation: Layer 2 Mode and Layer 3 Mode
1. NAC Servers have two client access deployment models: Layer 2 Mode and Layer 3 Mode
2. Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
3. Deployment mode selection is based on whether the client is Layer 2 adjacent to the NAC Server
NAC Server Foundation: Layer 2 Mode
1. Client is Layer 2 Adjacent to the Server
2. MAC address is used as a unique identifier
3. Supports both VGW and Real IP GW
4. Supports both In Band and Out of Band
5. Most common deployment model for LANs
NAC Server Foundation: Layer 3 Mode
1. Client is NOT Layer 2 Adjacent to the NAC Server
2. IP Address is used as a unique identifier
3. Supports both VGW and Real IP GW
4. Supports In Band Mode
5. Needed for WAN and VPN
NAC Server Foundation: Bridge or Router?
1. NAC Servers at the most basic level can pass traffic in one of two ways: Bridged Mode = Virtual Gateway (VGW); Routed Mode = Real IP Gateway / NAT Gateway (RIPGW)
2. Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
3. Gateway mode selection affects the logical traffic path
4. Does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band
NAC Server Foundation: In Band and Out of Band
1. NAC Servers have two traffic flow deployment models: In Band and Out of Band
2. Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
3. Selection is based on whether the customer wants to remove the NAC Server from the data path
4. NAC Server is ALWAYS inline during Posture Assessment
Deploy VPN with Single Sign On (SSO)
1. User logs in using an IPSec or SSL VPN client.
2. VPN server sends a RADIUS Accounting packet to the NAC Server
3. NAC Server performs SSO for that user based on the Accounting packet
4. NAC Server can optionally be configured to forward that Accounting packet to another RADIUS server
Wireless with Single Sign On (SSO)
1. WLC performs Authentication
2. WLC sends RADIUS Accounting to the NAC Server
Enforcing Auth Traffic Through CAS: Use of Policy-Based Routing
Diagram: the Campus Routed Access topology from above (Core; D1 and D2; VLAN 10 – Data, VLAN 11 – Voice, VLAN 16 – Auth; USVR-1 (Active) and USVR-2 (Standby) with Untrusted interfaces .4/.5 on VLAN 200 and Trusted interfaces .4/.5 on VLAN 300; trunk carrying VLANs 100, 200, 300). The policy route-map is applied on both D1 and D2.
1. Common ACL/route-map to be defined independently from the network deployment (Multilayer or Routed Access). The route-map must reference the same ACL name it matches, and DHCP client-to-server traffic (source bootpc/68, destination bootps/67 on the DHCP server) is denied first so it is not policy-routed to the CAS:

    ip access-list extended NACS-PBR
     remark Leave DHCP renewals to the DHCP server, do not policy-route them
     deny   udp any eq bootpc host <DHCP_IP> eq bootps
     remark Policy-route the Auth VLAN subnets to the NAC Server
     permit ip 10.1.10.0 0.0.0.255 any
     permit ip 10.1.20.0 0.0.0.255 any
    !
    route-map NACS-PBR permit 10
     match ip address NACS-PBR
     set ip next-hop 10.0.1.10

2. Policy route-map applied to Auth SVIs (Multilayer design) or to the routed interface (Routed Access design)
3. Traffic is always policy routed to the active NAC Server (since it "owns" the VIP 10.0.1.10)
Virtualization using ACE/CSM
Diagram: Core; D1 and D2 with access VLANs (VLAN 10 – Data, VLAN 11 – Voice, VLAN 16 – Auth); an ACE Module in the Data Center in front of the farm of NAC servers and the CAM. Auth VLAN traffic is sent to the ACE VIP address 10.10.42.1, which is also the Discovery Host.
1. ACE uses a single Virtual IP to load balance authentication sessions to the NAC Appliances' Untrusted Interfaces
2. ACE Virtual Server IP servicing the Farm of NAC Appliances in the Data Center is the D/G IP next-hop for all traffic in the Authentication VLAN.
3. Traffic from clients in the Auth VLAN can be directed to the ACE Virtual IP using MPLS VPN, PBRs, VRF Lite or the Discovery Host (Agent only)
4. Class-map on ACE can control interesting traffic
5. Interface "Health Probes" are used on ACE to detect the status of NAC servers
Physical Topology
Diagram: ACE module on a Cat 6K.
L3-OOB does not require bi-directional symmetric traffic through the NAC servers; host based traffic rules are not applicable.
Virtualization using ACE/CSM – L3 OOB
1. Traffic on the Auth VLAN is routed to the ACE Virtual IP servicing Untrusted interfaces of NAC Server
2. NAC Server SSL Certificate should be generated using the Untrusted interface IP address (otherwise the NAC Server redirects the user to the Trusted interface)
3. Configure ACLs to deny UDP 8906 packets from the clients to the Untrusted network of the NAC Server on Access VLAN
Remote Site Summary
1. Work out real requirements – the simplest deployment may offer the needed security with easy deployment
2. Deploy a remote NAC Server for easy deployment, full feature set and ease of management
3. Layer 3 OOB for centralized deployments where control of the port is needed
4. For Layer 3 OOB deployments ACLs are recommended to ease the deployment
Collector Modules
NetRelay: receives NetFlow data directly from switches or other NetFlow data sources
NetInquiry: active profiling module that attempts to open ports on user defined networks to actively generate traffic for analysis
NetWatch: passive network traffic analyzer that gleans useful profiling information from network traffic
NetTrap: receives port link state changes and New MAC notifications from edge devices, useful for profiling and behavior analysis
NetMap: SNMP module that polls edge devices for specific information pertaining to connected devices, port states and other useful data for endpoint profiling and behavior analysis
End Point Discovery
1. Gathers information about the endpoints associated with that NAC Server.
2. Information gathered includes data from SNMP, Network Traffic Analysis, and/or Active Profiling.
3. Distributed Collector model ensures that only pertinent traffic is forwarded to NAC Profiler Server (NPS).
Profiler workflow as shown in the NAC Manager screenshots:
1. Use collected data to match a profile
2. Action when the profile matches
3. Login to the NAC Manager to confirm the action
4. Device added to the NAC Manager Filter List
5. View profiled data from the NAC Manager
6. Detailed view from within the NAC Manager
Behavior Monitoring
What happens when a PC tries to spoof the MAC address of the Printer?
Behavior monitoring understands that this is NOT a printer anymore and hence the device is removed from “Printer” role on NAC Manager
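The behaviour-monitoring decision above, as an added Python sketch (not Cisco code): the endpoint attributes, the Printer and Windows PC profiles and the port numbers they key on are constructed assumptions, since the Profiler's real signatures are not on this page.

```python
"""Sketch of NAC Profiler behaviour monitoring: re-profile an endpoint whenever
the Collector reports new data and drop its role if the profile no longer fits.
Added illustration, not Cisco code; profiles and attributes are constructed."""
from dataclasses import dataclass, field


@dataclass
class Observation:
    """What the Collector saw for one MAC (constructed attribute set)."""
    mac: str
    dhcp_vendor: str = ""
    open_tcp: frozenset = frozenset()


@dataclass
class Profile:
    name: str
    role: str
    dhcp_vendor_prefix: str = ""
    required_ports: frozenset = frozenset()
    forbidden_ports: frozenset = frozenset()

    def matches(self, obs):
        if self.dhcp_vendor_prefix and not obs.dhcp_vendor.startswith(self.dhcp_vendor_prefix):
            return False
        if not self.required_ports <= obs.open_tcp:
            return False
        return not (self.forbidden_ports & obs.open_tcp)


# Constructed profiles: 9100 is raw printing; 445/3389 are typical of a Windows PC.
PROFILES = [
    Profile("Printer", "printer", dhcp_vendor_prefix="Hewlett-Packard",
            required_ports=frozenset({9100}), forbidden_ports=frozenset({445, 3389})),
    Profile("Windows PC", "pc", dhcp_vendor_prefix="MSFT",
            forbidden_ports=frozenset({9100})),
]


@dataclass
class ProfilerServer:
    filter_list: dict = field(default_factory=dict)  # mac -> role pushed to the NAC Manager
    events: list = field(default_factory=list)

    def classify(self, obs):
        for profile in PROFILES:
            if profile.matches(obs):
                return profile
        return None

    def ingest(self, obs):
        """Collector update: (re)profile the endpoint and sync the Manager's filter list."""
        mac = obs.mac.lower()
        match = self.classify(obs)
        new_role = match.role if match else None
        old_role = self.filter_list.get(mac)
        if old_role and new_role != old_role:
            # Behaviour changed: the device is no longer what it was profiled as.
            self.events.append(f"{mac}: profile changed {old_role} -> {new_role}, role removed")
            self.filter_list.pop(mac)
            return "removed"
        if new_role and old_role is None:
            self.filter_list[mac] = new_role
            return "added"
        return "unchanged"


def spoofing_scenario():
    """Constructed scenario: a PC later reuses the printer's MAC address."""
    nps = ProfilerServer()
    mac = "00:1b:78:aa:bb:cc"
    printer = Observation(mac, dhcp_vendor="Hewlett-Packard JetDirect",
                          open_tcp=frozenset({80, 9100}))
    first = nps.ingest(printer)
    # Same MAC, but Windows DHCP vendor class, SMB/RDP open and no raw-print port.
    spoofer = Observation(mac, dhcp_vendor="MSFT 5.0", open_tcp=frozenset({135, 445, 3389}))
    second = nps.ingest(spoofer)
    return first, second, nps.filter_list.get(mac)
```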
Cisco NAC Profiler Components
NAC Profiler Server: aggregates and classifies data from Collectors and manages the database of endpoint information. Updates the Cisco NAC Manager (CAM) list to place endpoints into appropriate access Roles. Sold as a new 3350 appliance.
NAC Collector: gathers information about endpoints using SNMP, NetFlow, DHCP, and active profiling. Sold as a license; the module is co-resident with a NAC Server (CAS) running 4.1.2 and above.
Behavior Monitoring
Following Device removed from list by NAC Profiler Server.
Sponsor Portal: Overview
Sponsor Interface Customization
Change the entire interface
Corporate Logo Customization
Rebrand with your corporate logo
Audit and Reports
Reports cover Sponsor Information, Guest Information and Account Information.
Report Details