
Cisco NAC Framework Solution

The Cisco NAC Framework solution provides the same security policy enforcement framework as the Cisco NAC Appliance solution discussed previously. The main differentiator is that Cisco NAC Framework is an embedded approach that integrates natively into the existing infrastructure. It integrates using advanced security products and technologies, allowing networks to scale without a significant additional investment.

Security point products only plug holes; they do not maintain network availability and resiliency. The Cisco NAC Framework solution offers a proactive security architecture that results in a resilient network infrastructure and allows comprehensive, in-depth security defense to be built throughout the network.

Cisco shares the NAC Framework program with third-party vendors, allowing them to integrate with the Cisco NAC infrastructure to support the overall admission control solution. Ninety leading vendors participate with Cisco in this initiative, including antivirus, remediation, client security, and management software manufacturers.

Partners participating in this program integrate security solutions that incorporate security features compatible with Cisco NAC infrastructure.

Note

Refer to the following Cisco URL for an updated list of Cisco NAC certified partners: http://www.cisco.com/web/partners/pr46/nac/partners.html.


Mechanics of the Cisco NAC Framework Solution

The Cisco NAC Framework solution provides a policy enforcement mechanism for all endpoints that request network access, regardless of their access methods, ownership, device types, application configurations, and remediation models.

The Cisco NAC Framework solution is an architecture-based framework designed to take advantage of existing Cisco-based network technologies and existing deployments of security and management solutions from other manufacturers.

The Cisco NAC Framework triggers when a host attempts network access through any of the following:

Figure 13-5 illustrates the Cisco NAC Framework architecture and steps through the NAC flow.

Figure 13-5. Cisco NAC Framework Architecture

The information in Figure 13-5 is taken from a Cisco general product presentation titled "Cisco NAC Solution."


Table 13-3 lists various NAC posture states that are used for policy enforcement.

There are two methods of collecting information from an endpoint to perform a posture assessment:

Protocols used in the NAC Framework solution include the following:

NAC Framework Components

The four primary components of the NAC Framework solution are outlined in the following list:

The Cisco NAC Framework solution provides support for the following Cisco NAC-enabled devices:

Table 13-4 lists Cisco routers that support the NAC L3 IP method (EAP over UDP). These are also referred to as the early NAC Release 1.0 devices.

Note

Cisco router models 1710, 1720, 1750, 26xx non-XM models, 3620, and 3660-CO do not support Cisco NAC. Also note that a specific Cisco IOS feature set is required to enable the Cisco NAC. Verify that the correct feature image is loaded on the supported hardware listed in Table 13-4.


Note

When NAC is enabled on a Cisco router, EAPoUDP is initiated from the router rather than from the endpoint. Therefore, NAT issues may arise when NAT is deployed between an endpoint and the router.

NAT implementations that depend on an endpoint having sent an EAPoUDP packet before forwarding an EAPoUDP request from the router are not supported. However, NAC and NAT can coexist on the same router.

NAC does not provide support when port address translation (PAT) is enabled between an endpoint and the router.


Table 13-5 lists Cisco switches that support either the NAC L2 IP method, which uses Extensible Authentication Protocol over User Datagram Protocol (EAP over UDP), or the NAC L2 802.1x (EAP over IEEE 802.1x) method. These are referred to as the NAC Release 2.0 devices.

Table 13-6 lists the Cisco VPN 3000 series concentrator support for the NAC L3 IP method. NAC processing starts after an IPsec session is established. The VPN 3000-enabled NAC devices are referred to as the NAC Release 2.0 devices.

Note

At press time, the Cisco VPN 3000 concentrator supports NAC L3 IP for remote-access IPsec, SSL VPN, and L2TP over IPsec sessions only. NAC does not apply to L2TP, PPTP, and LAN-to-LAN IPsec sessions.

The Cisco VPN 3000 Series Concentrators product is End-of-Sale and End-of-Life. For more details, refer to http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_eol_notice0900aecd805cd5a0.html.


Table 13-7 lists the Cisco Firewall Security Appliances that support the NAC L3 method.

Table 13-7. Cisco NAC Supported Security Appliances

Security Appliance    Operating System Version    Supported Methods
PIX 500 series        Version 7.2 or later        NAC-L3-IP
ASA 5500 series       Version 7.2 or later        NAC-L3-IP

NAC on a security appliance is supported for IPsec VPN sessions only.


Cisco NAC on security appliances such as the PIX 500 series and ASA 5500 series firewalls differs from NAC on Cisco IOS Layer 3 devices such as routers. Cisco IOS-based NADs such as routers use an Intercept ACL to trigger Posture Validation (PV) based on IP routed traffic, as shown in Example 13-1.

Cisco NAC on a security appliance triggers Posture Validation on IPsec VPN and SSL VPN sessions only. NAC on the security appliance does not support Layer 3 non-VPN traffic, IPv6 traffic, or security contexts.

Table 13-8 lists the Cisco wireless access points that support the NAC L2 802.1x method. These are referred to as the NAC Release 2.0 devices.

Table 13-8. Cisco NAC Supported Wireless Access Points

Cisco Wireless Access Points    Supported Models    Operating System Image
350 series                      All                 12.3(7)JA1 or later
1100 series                     All                 12.3(7)JA1 or later
1130 AG series                  All                 12.3(7)JA1 or later
1200 series                     All                 12.3(7)JA1 or later
1230 AG series                  All                 12.3(7)JA1 or later
1240 AG series                  All                 12.3(7)JA1 or later

Table 13-9 lists the Cisco wireless LAN controllers that support the NAC L2 802.1x method. These are referred to as the NAC Release 2.0 devices.


Table 13-9. Cisco NAC Supported Airespace Appliance Devices

Wireless LAN Controller Models                                     Cisco Unified Wireless Network Software
Cisco 2000                                                         Release 3.1 or later
Cisco 4100                                                         Release 3.1 or later
Cisco 4400                                                         Release 3.1 or later
Wireless Services Module (WiSM)                                    Release 3.1 or later
Wireless LAN Services Module (WLSM)                                Release 3.1 or later
Wireless LAN Controller Module for Integrated Services Routers     Release 3.1 or later


NAC Framework Deployment Scenarios

The NAC Framework can be deployed on various Cisco NAC-enabled devices, as previously discussed. NADs such as Cisco routers, switches, wireless access points, firewalls, and concentrators act as enforcement points that grant access to compliant endpoints attempting to connect to the network. The NAC Framework supports endpoints connecting from a variety of scenarios, including LAN, wireless LAN, WAN, and VPN connections.

Figure 13-7 depicts various Cisco NAC Framework deployment scenarios.

Figure 13-7. Cisco NAC Framework—Deployment Scenarios


NAC Framework Enforcement Methods

As discussed earlier, the NAC Framework can be deployed on various NAC-enabled devices for policy enforcement and network admission control.

Three primary methods for enforcing a security policy and performing admission control follow:

Figure 13-8 depicts various Cisco NAC Framework scenarios to perform admission control and enforcement points.

Figure 13-8. Cisco NAC Framework—Admission Control and Enforcement Points


Table 13-10 shows the summary of features available in the three NAC Framework enforcement and admission control methods.

Table 13-10. Cisco NAC Framework—Enforcement Methods

Feature                  NAC-L3-IP    NAC-L2-IP              NAC-L2-802.1x
Trigger mechanism        IP packet    DHCP or ARP request    Data link up
Machine identity         N/A          N/A                    Yes
User identity            N/A          N/A                    Yes
Posture                  Yes          Yes                    Yes
VLAN assignment          N/A          N/A                    Yes
URL redirection          Yes          Yes                    N/A
Downloadable ACLs        Yes          Yes                    6500 only (PBACLs)
Posture status queries   Yes          Yes
802.1x posture change    N/A          N/A                    Yes


Implementing NAC-L3-IP

Figure 13-9 shows various posture states (for example, Compliant, Noncompliant, Healthy, Quarantine) in NAC-L3-IP scenarios when a NAC-enabled device attempts a network connection:

Figure 13-9. Cisco NAC Framework—NAC-L3-IP Case Scenarios


Figure 13-10 shows the topology for the NAC-L3-IP sample configuration in Example 13-1, on a Cisco IOS-based device (for example, a router or Layer 3 switch) when a NAC-enabled device (with CTA) attempts a network connection. NAC is triggered by an IP packet.

Figure 13-10. Cisco NAC Framework—NAC-L3-IP Sample Configuration Topology


Example 13-1. NAC-L3-IP IOS-Router Configuration

aaa new-model
aaa authentication eou default group radius
aaa authorization auth-proxy default group radius
aaa session-id common
!
! Define the NAC trigger: EAPoUDP posture validation for traffic permitted by EoU-Trigger-ACL
ip admission name NAC-L3-IP eapoudp list EoU-Trigger-ACL
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group Interface-ACL in
 ip admission NAC-L3-IP
!
interface FastEthernet0/1
 ip address 10.100.100.1 255.255.255.0
!
! NAC trigger (intercept) ACL: denied traffic bypasses NAC, permitted traffic triggers it
ip access-list extended EoU-Trigger-ACL
 remark allow DNS to bypass NAC
 deny udp any any eq domain
 remark allow HTTP to bypass NAC
 deny tcp any host 10.100.100.101 eq www
 remark all other IP traffic triggers NAC
 permit ip any any
!
ip access-list extended Interface-ACL
 remark permit EAPoUDP
 permit udp any any eq 21862
 remark permit DHCP
 permit udp any eq bootpc any eq bootps
!
radius-server host 10.100.100.100 auth-port 1645 acct-port 1646
radius-server key cisco123
! Send Cisco vendor-specific attributes (VSAs) in authentication requests
radius-server vsa send authentication
ip radius source-interface FastEthernet0/0
!
! Delay re-EAP after an EAP failure
eou timeout hold-period 60
! Timeout to re-check all credentials; ACS can override it and enforce policy changes
eou timeout revalidation 60
! How often to check for status changes
eou timeout status-query 60
! Equivalent to the EoU revalidation timer
ip auth-proxy inactivity-timer 60
!
! Permit agentless (clientless) hosts, used for auditing
eou allow clientless
!
! IOS web server, required for URL redirection
ip http server
! Enable auth-proxy authentication through AAA
ip http authentication aaa
! SSL
ip http secure-server
!
! Enable EAPoUDP logging
eou logging
logging 10.100.100.103
!

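The intercept semantics of the trigger ACL in Example 13-1, as an added example that is not from the book: a small Python evaluator for the EoU-Trigger-ACL that classifies sample flows as bypassing NAC or starting EAPoUDP posture validation. The supported ACE syntax subset (any, host, eq), the port-name table and the sample flows are my own construction.

```python
import ipaddress

# Constructed copy of the EoU-Trigger-ACL from Example 13-1, annotations removed.
EOU_TRIGGER_ACL = """
deny udp any any eq domain
deny tcp any host 10.100.100.101 eq www
permit ip any any
"""
PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}

def _addr(tokens):
    # Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address spec: " + " ".join(tokens))

def _port(tokens):
    # Consume an optional 'eq <name|number>'; return (port or None, remaining tokens).
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens

def parse_acl(text):
    # Parse the subset of IOS extended-ACL syntax the trigger ACL uses, keeping order.
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _addr(rest)
        _sport, rest = _port(rest)   # source port is parsed but not matched below
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append((action, proto, src, dst, dport))
    return aces

def nac_triggered(aces, proto, src_ip, dst_ip, dport=None):
    # First match wins: 'permit' = the router intercepts the packet and starts EAPoUDP
    # posture validation; 'deny' (or the implicit deny at the end) = the packet bypasses NAC.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, aproto, asrc, adst, adport in aces:
        if aproto not in ("ip", proto) or s not in asrc or d not in adst:
            continue
        if adport is None or adport == dport:
            return action == "permit"
    return False

TRIGGER_ACES = parse_acl(EOU_TRIGGER_ACL)
```

Run nac_triggered(TRIGGER_ACES, "tcp", "10.1.1.50", "10.100.100.101", 80) to see the HTTP bypass, then change the destination to any other host to see the flow trigger NAC.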

Implementing NAC-L2-IP

Figure 13-11 shows various posture states (for example, Compliant, Noncompliant, Healthy, Quarantine) in NAC-L2-IP scenarios when a NAC-enabled device attempts a network connection:

Figure 13-11. Cisco NAC Framework—NAC-L2-IP Case Scenarios


Figure 13-12 shows the topology diagram for a NAC-L2-IP sample configuration. Example 13-2 is the configuration on a Catalyst switch when a NAC-enabled device (with or without CTA) attempts a network connection. NAC is triggered by an ARP or DHCP packet. Layer 2 switches do not have intercept ACLs; they use port ACLs.

Figure 13-12. Cisco NAC Framework—NAC-L2-IP Sample Configuration Topology


Example 13-2. NAC-L2-IP Catalyst Switch Configuration Example

hostname sw-3550
!
aaa new-model
aaa authentication eou default group radius
aaa authorization auth-proxy default group radius
aaa session-id common
!
ip subnet-zero
ip routing
no ip domain-lookup
!
! Define the NAC policies: EAPoUDP posture validation, and a bypass policy
ip admission name NAC-L2-IP eapoudp
ip admission name NAC-L2-IP-Bypass eapoudp bypass
!
ip dhcp excluded-address 10.1.1.1 10.1.1.5
ip dhcp pool my_dhcp_pool
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   lease 3
!
! Optional: enable DHCP snooping on VLAN 10
ip dhcp snooping vlan 10
! Build the IP device table from ARP requests
ip device tracking
!
vtp domain cisco
vtp mode transparent
!
identity profile eapoudp
 device authorize ip-address 10.1.1.5 policy AgentlessHost_Profile
identity policy AgentlessHost_Profile
 access-group AgentlessHost_ACL
 redirect url http://10.99.99.99 match Quarantine_URL_Redir_ACL
!
vlan 10
 name healthy
!
vlan 99
 name quarantine
!
vlan 100
 name server
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group Interface-ACL in
 ip admission NAC-L2-IP
!
ip access-list extended Interface-ACL
 remark permit EAPoUDP
 permit udp any any eq 21862
 remark permit DHCP
 permit udp any eq bootpc any eq bootps
 remark permit DNS
 permit udp any any eq domain
 remark permit HTTP access to the update server
 permit tcp any host 10.99.99.99 eq www
 remark permit ICMP for testing
 permit icmp any any
 remark the implicit deny, written out explicitly
 deny ip any any
!
ip access-list extended AgentlessHost_ACL
 permit ip any any
!
ip access-list extended Quarantine_URL_Redir_ACL
 deny tcp any host 10.99.99.99 eq www
 permit tcp any any eq www
!
radius-server attribute 8 include-in-access-req
radius-server host 10.100.100.100 auth-port 1645 acct-port 1646
radius-server key cisco123
! Send Cisco vendor-specific attributes (VSAs) in authentication requests
radius-server vsa send authentication
!
eou allow ip-station-id
! Delay re-EAP after an EAP failure
eou timeout hold-period 60
! Timeout to re-check all credentials; ACS can override it and enforce policy changes
eou timeout revalidation 60
! How often to check for status changes
eou timeout status-query 60
! Equivalent to the EoU revalidation timer
ip auth-proxy inactivity-timer 60
!
! Permit agentless (clientless) hosts, used for auditing
eou allow clientless
!
interface Vlan10
 ip address 10.1.1.1 255.255.252.0
!
interface Vlan99
 ip address 10.99.99.1 255.255.252.0
!
interface Vlan100
 ip address 10.100.100.1 255.255.252.0
!
ip classless
ip http server
ip http secure-server
!
! Enable EAPoUDP logging
eou logging
logging 10.100.100.103
!


Implementing NAC-L2-802.1x

Figure 13-13 shows various posture states (for example, Compliant, Noncompliant, Healthy, Quarantine) in NAC-L2-802.1x scenarios when a NAC-enabled device attempts a network connection:

Figure 13-13. Cisco NAC Framework—NAC-L2-802.1x Case Scenarios


Example 13-3 shows a sample configuration for NAC-L2-802.1x on a Catalyst switch when a NAC-enabled device (with CTA) attempts a network connection. NAC-L2-802.1x leverages the existing 802.1x (EAP) Layer 2 session to perform posture assessment and enforcement. NAC is triggered when the data link state goes up after a host is powered on.

AAA authorization must be configured on the switch if network-related services such as per-user VLAN assignment on 802.1x-authenticated ports are required. The following three RADIUS attributes (attributes 64, 65, and 81) must be returned to the switch for 802.1x authentication:

Example 13-3. NAC-L2-802.1x Catalyst Switch Configuration

hostname Sw-3550
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
ip dhcp snooping vlan 10
ip device tracking
vtp domain cisco
vtp mode transparent
!
dot1x system-auth-control
!
vlan 10
 name healthy
!
vlan 99
 name quarantine
!
vlan 100
 name server
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
!
radius-server host 10.100.100.100 auth-port 1645 acct-port 1646
radius-server key cisco123
radius-server vsa send authentication
!

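The per-user VLAN assignment attributes mentioned before Example 13-3 (RADIUS attributes 64, 65, and 81), as an added example that is not from the book: a Python encoder and decoder for the three RFC 2868 tunnel attributes a switch expects in an Access-Accept before it moves an 802.1x port into a VLAN such as healthy or quarantine. The attribute names and value codes (Tunnel-Type 13 for VLAN, Tunnel-Medium-Type 6 for IEEE 802) come from RFC 2868, and the VLAN names are those from Example 13-3; the tag value and the decoding policy are my own choices.

```python
# RFC 2868 tunnel attributes used for 802.1x VLAN assignment: attribute numbers
# as on the page, names and value codes from RFC 2868.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type value meaning "IEEE 802"
VLAN_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}

def avp(attr_type, value):
    # Encode one RADIUS attribute as Type(1) Length(1) Value.
    return bytes([attr_type, 2 + len(value)]) + value

def vlan_assignment_avps(vlan_name, tag=1):
    # Build the three attributes the Access-Accept must carry for a VLAN assignment.
    # Tunnel-Type and Tunnel-Medium-Type are tagged integers: 1 tag byte + 3 value bytes.
    tt = avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    tm = avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
    # Tunnel-Private-Group-ID is a tagged string: 1 tag byte + VLAN name or number.
    tp = avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_name.encode())
    return tt + tm + tp

def parse_avps(data):
    # Split a run of attributes into (type, value) pairs, rejecting bad lengths.
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def _untag(value):
    # Strip the RFC 2868 tag byte; a first byte above 0x1F is data, not a tag.
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def assigned_vlan(data):
    # Return the VLAN named by a complete, consistently tagged set of the three
    # attributes, or None when one is missing, tags disagree, or the tunnel is not
    # an IEEE 802 VLAN: in those cases the switch has no valid assignment to apply.
    found = {t: _untag(v) for t, v in parse_avps(data) if t in VLAN_ATTRS}
    if set(found) != VLAN_ATTRS or len({tag for tag, _ in found.values()}) != 1:
        return None
    if int.from_bytes(found[TUNNEL_TYPE][1], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1], "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    return found[TUNNEL_PRIVATE_GROUP_ID][1].decode()
```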

The Cisco NAC Framework solution provides a scalable architecture with a centralized policy and a distributed enforcement component, with robust integration with Cisco security products and technologies.

Cisco NAC fundamentally changes how networks are secured by enforcing strong access control at the network level, resulting in a proactive security model that was not available before.

Note

Refer to the NAC Framework URL for further information on the Cisco NAC Framework solution: http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html.

