Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide.pdf


  • 8/9/2019 Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide.pdf

    1/692

    Americas Headquarters

    Cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, CA 95134-1706
    USA
    http://www.cisco.com

    Tel: 408 526-4000 / 800 553-NETS (6387)

    Fax: 408 527-0883

    Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

    Release 4.6(1)

    July 2009

    Text Part Number: OL-19354-01


    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL

    STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT

    WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

    THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT

    SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public

    domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

    NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH

    ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

    LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

    DEALING, USAGE, OR TRADE PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,

    WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO

    OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video (Design),

    Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are

    service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without

    Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study,

    IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar,

    PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath,

    WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

    All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship

    between Cisco and any other company. (0907R)

    Nessus is the trademark of Tenable Network Security.

    Cisco NAC Appliance - Clean Access Manager includes software developed by the Apache Software Foundation (http://www.apache.org/) Copyright 1999-2000 The

    Apache Software Foundation. All rights reserved. The APACHE SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,

    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

    DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS OR CISCO OR ITS CONTRIBUTORS BE LIABLE FOR

    ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT

    OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY

    OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THE APACHE SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the

    document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

    Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

    2009 Cisco Systems, Inc. All rights reserved.


    iii

    Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

    OL-19354-01

    CONTENTS

    About This Guide xix

    Audience xix

    Purpose xix

    Document Organization xx

    Document Conventions xxi

    New Features in this Release xxi

    Product Documentation xxii

    Documentation Updates xxiii

    Obtaining Documentation and Submitting a Service Request 2-xxiii

    CHAPTER 1 Introduction 1-1

    What Is Cisco NAC Appliance? 1-1

    Cisco NAC Appliance Components 1-2

    Clean Access Manager (CAM) 1-4

    Clean Access Server (CAS) 1-5

    Cisco NAC Appliance Agents 1-6

    Cisco NAC Appliance Updates 1-6

    Client Login Overview 1-6

    Agent Login 1-7

    Web Login 1-11

    Client Posture Assessment Overview 1-13

    Summary Steps for Configuring Client Posture Assessment 1-13

    Cisco NAC Appliance Agents 1-14

    Cisco NAC Agent 1-14

    Clean Access Agent 1-16

    Cisco NAC Web Agent 1-17

    Network Scanner 1-18

    Managing Users 1-20

    Overview of Web Admin Console Elements 1-21

    Clean Access Server (CAS) Management Pages 1-22

    Admin Console Summary 1-24


    CHAPTER 2 Installing the Clean Access Manager 2-1

    Overview 2-1

    Cisco NAC Appliance Hardware Platforms 2-2

    Important Release Information 2-3

    Summary of Steps For New Installation 2-3

    Connect the Clean Access Manager 2-4

    Serial Connection to the CAM 2-5

    Configuring Boot Settings on NAC-3310 Based Appliances 2-6

    Install the Clean Access Manager Software from CD-ROM 2-8

    CD Installation Steps 2-8

    Perform the Initial Configuration 2-9

    Configuration Utility Script 2-10

    Access the CAM Web Console 2-14

    Important Notes for SSL Certificates 2-17

    CAM CLI Commands 2-19

    Troubleshooting Network Card Driver Support Issues 2-20

    Connectivity Across a Wide Area Network 2-20

    Cisco NAC Appliance Connectivity Across a Firewall 2-20

    CHAPTER 3 Device Management: Adding Clean Access Servers, Adding Filters 3-1

    Working with Clean Access Servers 3-2

    Add Clean Access Servers to the Managed Domain 3-2

    Manage the Clean Access Server 3-4

    Configure Clean Access Manager-to-Clean Access Server Authorization 3-5

    Summary of Steps to Configure Clean Access Manager-to-Clean Access Server

    Authorization 3-5

    Enable Authorization and Specify Authorized Clean Access Servers 3-6

    Check Clean Access Server Status 3-7

    Disconnect a Clean Access Server 3-7

    Reboot the Clean Access Server 3-8

    Remove the Clean Access Server from the Managed Domain 3-8

    Troubleshooting when Adding the Clean Access Server 3-8

    Global and Local Administration Settings 3-9

    Global and Local Settings 3-9

    Global Device and Subnet Filtering 3-10

    Overview 3-10

    Device Filters and User Count License Limits 3-12

    Adding Multiple Entries 3-12


    Corporate Asset Authentication and Posture Assessment by MAC Address 3-12

    Device Filters for In-Band Deployment 3-14

    Device Filters for Out-of-Band Deployment 3-14

    Device Filters for Out-of-Band Deployment Using IP Phones 3-15

    In-Band and Out-of-Band Device Filter Behavior Comparison 3-15

    Device Filters and Gaming Ports 3-16

    Global vs. Local (CAS-Specific) Filters 3-17

    Global Device Filter Lists from Cisco NAC Profiler 3-17

    Configure Device Filters 3-19

    Add Global Device Filter 3-19

    Display/Search/Import/Export Device Filter Policies 3-22

    Order Device Filter Wildcard/Range Policies 3-23

    Test Device Filter Policies 3-24

    View Active Layer 2 Device Filter Policies 3-25

    Edit Device Filter Policies 3-26

    Delete Device Filter Policies 3-26

    Configure Subnet Filters 3-26

    CHAPTER 4 Switch Management: Configuring Out-of-Band Deployment 4-1

    Overview 4-1

    In-Band Versus Out-of-Band 4-2

    Out-of-Band Requirements 4-2

    SNMP Control 4-4

    Network Recovery for Off Line Out-of-Band Switches 4-4

    Deployment Modes 4-4

    Basic Connection 4-5

    Out-of-Band Virtual Gateway Deployment 4-6

    Flow for OOB VGW Mode 4-8

    Out-of-Band Real-IP/NAT Gateway Deployment 4-10

    Flow for OOB Real-IP/NAT Mode 4-12

    L3 Out-of-Band Deployment 4-13

    Configure Your Network for Out-of-Band 4-14

    Configure Your Switches 4-15

    Configuration Notes 4-15

    Example Switch Configuration Steps 4-16

    OOB Network Setup/Configuration Worksheet 4-20

    Configure OOB Switch Management on the CAM 4-21

    Add Out-of-Band Clean Access Servers and Configure Environment 4-21

    Configure Global Device Filters to Ignore IP Phone MAC Addresses 4-24


    Configure Group Profiles 4-24

    Add Group Profile 4-25

    Edit Group Profile 4-25

    Configure Switch Profiles 4-26

    Add Switch Profile 4-27

    Configure Port Profiles 4-28

    Add Port Profile 4-29

    Configure VLAN Profiles 4-35

    Add VLAN Profile 4-37

    Edit VLAN Profile 4-38

    Configure SNMP Receiver 4-39

    SNMP Trap 4-39

    Advanced Settings 4-40

    Add and Manage Switches 4-43

    Add New Switch 4-44

    Search New Switches 4-44

    Discovered Clients 4-46

    Manage Switch Ports 4-47

    Ports Management Page 4-48

    Manage Individual Ports (MAC Notification) 4-48

    Manage Individual Ports (Linkup/Linkdown) 4-54

    Assign a Port Profile to Multiple Ports Simultaneously 4-55

    Config Tab 4-56

    Configure Access to Authentication VLAN Change Detection 4-61

    Windows Clean Access Agent Client Machines 4-62

    Macintosh OS X Client Machines 4-64

    Out-of-Band Users 4-66

    OOB User Sessions 4-66

    Wired and Wireless OOB User List Summary 4-66

    OOB Troubleshooting 4-68

    OOB Switch Trunk Ports After Upgrade 4-68

    Unable to Control 4-69

    OOB Error: connected device not found 4-69

    CHAPTER 5 Wireless LAN Controller Management: Configuring Wireless Out-of-Band Deployment 5-1

    Overview 5-1

    Wireless In-Band Versus Out-of-Band 5-2

    Wireless Out-of-Band Requirements 5-2

    SNMP Control 5-3


    Summary Steps to Configure Wireless Out-of-Band 5-3

    Wireless Out-of-Band Virtual Gateway Deployment 5-4

    Login and Authentication Flow in Wireless OOB Virtual Gateway Mode 5-5

    Configure Your Network for Wireless Out-of-Band 5-5

    Configure Your Wireless LAN Controllers 5-7

    Wireless LAN Controllers Configuration Notes 5-7

    Example Wireless LAN Controller Configuration Steps 5-8

    Create the Dynamic Interface on the Wireless LAN Controller 5-8

    Create the WLAN on the Wireless LAN Controller and Enable Cisco NAC Appliance

    Integration 5-9

    Configure SNMP on the Wireless LAN Controller 5-10

    Specify the CAM as the SNMP Trap Receiver 5-11

    Wireless OOB Network Setup/Configuration Worksheet 5-12

    Configure Wireless LAN Controller Connection on the CAM 5-13

    Add a Wireless Out-of-Band Clean Access Server and Configure Environment 5-13

    Configure Group Profiles 5-14

    Add Group Profile 5-14

    Edit Group Profile 5-15

    Configure Wireless LAN Controller Profiles 5-15

    Add Wireless LAN Controller Profile 5-16

    Configure SNMP Receiver 5-18

    SNMP Trap 5-18

    Add and Manage Wireless LAN Controllers 5-19

    Add New Wireless LAN Controller 5-19

    Search New Wireless LAN Controllers 5-20

    Discovered Wireless Clients 5-21

    Config Tab 5-22

    View Wireless Out-of-Band Online Users 5-24

    Wireless Out-of-Band Users 5-24

    Wireless OOB User Sessions 5-24

    Wireless and Wired OOB User List Summary 5-25

    CHAPTER 6 Configuring User Login Page and Guest Access 6-1

    User Login Page 6-1

    Unauthenticated Role Traffic Policies 6-2

    Proxy Settings 6-2

    Add Default Login Page 6-3

    Change Page Type (to Frame-Based or Small-Screen) 6-4

    Enable Web Client for Login Page 6-5


    DHCP Release/Renew with Agent/ActiveX/Java Applet 6-6

    Customize Login Page Content 6-8

    Create Content for the Right Frame 6-11

    Upload a Resource File 6-13

    Customize Login Page Styles 6-14

    Configure Other Login Properties 6-15

    Redirect the Login Success Page 6-15

    Specify Logout Page Information 6-16

    Guest User Access 6-17

    Configure Guest User Registration 6-17

    Configuring the Guest User Access Page 6-18

    Enable the Preset Guest User Account 6-22

    CHAPTER 7 User Management: Configuring User Roles and Local Users 7-1

    Overview 7-1

    Create User Roles 7-2

    User Role Types 7-3

    Unauthenticated Role 7-3

    Normal Login Role 7-4

    Client Posture Assessment Roles 7-5

    Session Timeouts 7-6

    Default Login Page 7-7

    Traffic Policies for Roles 7-7

    Add New Role 7-7

    Role Properties 7-9

    Modify Role 7-11

    Edit a Role 7-12

    Delete Role 7-13

    Create Local User Accounts 7-13

    Create or Edit a Local User 7-14

    CHAPTER 8 User Management: Configuring Authentication Servers 8-1

    Overview 8-1

    Adding an Authentication Provider 8-4

    Kerberos 8-5

    RADIUS 8-6

    RADIUS Challenge-Response Impact On the Agent 8-7

    Windows NT 8-8


    LDAP 8-8

    Configure LDAP Server with Simple Authentication 8-9

    Configure LDAP Server with GSSAPI Authentication 8-11

    Active Directory Single Sign-On (SSO) 8-13

    Windows NetBIOS SSO 8-13

    Implementing Windows NetBIOS SSO 8-13

    Cisco VPN SSO 8-15

    Add Cisco VPN SSO Auth Server 8-16

    Allow All 8-17

    Guest 8-17

    Configuring Authentication Cache Timeout (Optional) 8-19

    Authenticating Against a Backend Active Directory 8-19

    AD/LDAP Configuration Example 8-20

    Map Users to Roles Using Attributes or VLAN IDs 8-22

    Configure Mapping Rule 8-23

    Editing Mapping Rules 8-28

    Auth Test 8-30

    RADIUS Accounting 8-32

    Enable RADIUS Accounting 8-32

    Restore Factory Default Settings 8-33

    Add Data to Login, Logout or Shared Events 8-33

    Add New Entry (Login Event, Logout Event, Shared Event) 8-34

    CHAPTER 9 User Management: Traffic Control, Bandwidth, Schedule 9-1

    Overview 9-1

    Global vs. Local Scope 9-3

    View Global Traffic Control Policies 9-3

    Add Global IP-Based Traffic Policies 9-4

    Add IP-Based Policy 9-4

    Edit IP-Based Policy 9-7

    Add Global Host-Based Traffic Policies 9-8

    Add Trusted DNS Server for a Role 9-8

    Enable Default Allowed Hosts 9-9

    Add Allowed Host 9-10

    View IP Addresses Used by DNS Hosts 9-11

    Proxy Servers and Host Policies 9-12

    Add Global Layer 2 Ethernet Traffic Policies 9-12

    Control Bandwidth Usage 9-13


    Configure User Session and Heartbeat Timeouts 9-15

    Session Timer 9-15

    Heartbeat Timer 9-15

    In-Band (L2) Sessions 9-15

    OOB (L2) and Multihop (L3) Sessions 9-16

    Session Timer / Heartbeat Timer Interaction 9-16

    Configure Session Timer (per User Role) 9-17

    Configure Heartbeat Timer (User Inactivity Timeout) 9-18

    Configure Policies for Agent Temporary and Quarantine Roles 9-18

    Configure Agent Temporary Role 9-18

    Configure Session Timeout for the Temporary Role 9-19

    Configure Traffic Control Policies for the Temporary Role 9-20

    Configure Network Scanning Quarantine Role 9-21

    Create Additional Quarantine Role 9-21

    Configure Session Timeout for Quarantine Role 9-21

    Configure Traffic Control Policies for the Quarantine Role 9-22

    Example Traffic Policies 9-23

    Allowing Authentication Server Traffic for Windows Domain Authentication 9-24

    Allowing Traffic for Enterprise AV Updates with Local Servers 9-24

    Allowing Gaming Ports 9-24

    Microsoft Xbox 9-24

    Other Game Ports 9-25

    Adding Traffic Policies for Default Roles 9-26

    Troubleshooting Host-Based Policies 9-28

    CHAPTER 10 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment 10-1

    Overview 10-1

    Agent Configuration Steps 10-3

    Add Default Login Page 10-3

    Configure Agent Roles and User Profiles 10-3

    Require Agent Login for Client Machines 10-3

    Configure Restricted Network Access for Agent Users 10-6

    Configure Network Policy Page (Acceptable Use Policy) for Agent Users 10-7

    Configure the Agent Temporary Role 10-7

    Retrieving Cisco NAC Appliance Updates 10-8

    View Current Updates 10-8

    Configure and Download Updates 10-11

    Configure Proxy Settings for CAM Updates (Optional) 10-13

    Setting Up Agent Distribution/Installation 10-14


    Agent Distribution 10-15

    Installation Page 10-17

    Cisco NAC Agent XML Configuration File Settings 10-19

    Cisco NAC Appliance Agent MSI Installers 10-26

    Cisco NAC Agent MSI Installer 10-26

    Clean Access Agent Stub Installer 10-27

    Clean Access Agent MSI Installers 10-29

    Configuring Agent-Based Posture Assessment 10-33

    Overview 10-34

    Configuring AV/AS Definition Update Requirements 10-36

    AV Rules and AS Rules 10-38

    Verify AV/AS Support Info 10-39

    Create an AV Rule 10-42

    Create an AV Definition Update Requirement 10-45

    Create an AS Rule 10-49

    Create an AS Definition Update Requirement 10-51

    Configuring a Windows Server Update Services Requirement 10-54

    Create Windows Server Update Service Requirement 10-56

    Map Windows Server Update Service Requirement to Windows Rules 10-60

    Configuring a Windows Update Requirement 10-61

    Create a Windows Update Requirement 10-63

    Map Windows Update Requirement to Windows Rules 10-66

    Configuring Custom Checks, Rules, and Requirements 10-67

    Custom Requirements 10-67

    Custom Rules 10-68

    Cisco Pre-Configured Rules (pr_) 10-68

    Custom Checks 10-69

    Cisco Pre-Configured Checks (pc_) 10-69

    Using Pre-Configured Rules to Check for CSA 10-69

    Copying Checks and Rules 10-69

    Configuration Summary 10-70

    Create Custom Check 10-70

    Create a Custom Rule 10-75

    Validate Rules 10-77

    Create a Custom Requirement 10-78

    Configuring a Launch Programs Requirement 10-84

    Launch Programs With Admin Privileges 10-84

    Launch Programs Without Admin Privileges 10-84

    Create a Launch Programs Requirement 10-86

    Launch Programs via Clean Access Agent Example 10-88


    Map Requirements to Rules 10-98

    Apply Requirements to User Roles 10-100

    Validate Requirements 10-101

    Configuring an Optional/Audit Requirement 10-102

    Configuring Auto Remediation for Requirements 10-106

    Post-Configuration and Agent Maintenance on the CAM 10-110

    Manually Uploading the Agent to the CAM 10-110

    Upload the Cisco NAC Agent to the CAM 10-110

    Upload the Clean Access Agent to the CAM 10-111

    Downgrading the Agent 10-112

    Configure Agent Auto-Upgrade 10-113

    Enable Agent Auto-Upgrade on the CAM 10-113

    Disable Agent Upgrades to Users 10-113

    Disable Mandatory Agent Auto-Upgrade on the CAM 10-114

    User Experience for Agent Auto-Upgrade 10-114

    Uninstalling the Agent 10-114

    Clean Access Agent Setup File 10-116

    Clean Access Agent Auto-Upgrade Compatibility 10-116

    CHAPTER 11 Cisco NAC Appliance Agents 11-1

    Cisco NAC Agent 11-1

    Windows Cisco NAC Agent Overview 11-1

    Configuration Steps for the Windows Cisco NAC Agent 11-2

    Windows Cisco NAC Agent User Dialogs 11-3

    RADIUS Challenge-Response Cisco NAC Agent Dialogs 11-22

    Windows Clean Access Agent 11-25

    Windows Clean Access Agent Overview 11-25

    Configuration Steps for the Windows Clean Access Agent 11-26

    Windows Clean Access Agent User Dialogs 11-27

    RADIUS Challenge-Response Windows Clean Access Agent Dialogs 11-40

    Clean Access Agent Localized Language Templates 11-42

    Mac OS X Clean Access Agent 11-45

    Mac OS X Clean Access Agent Overview 11-45

    Configuration Steps for the Mac OS X Clean Access Agent 11-45

    Mac OS X Posture Assessment Prerequisites/Restrictions 11-46

    Mac OS X Agent Prerequisites 11-46

    Mac OS X Agent Restrictions 11-47

    CAM/CAS Restrictions 11-47

    Requirement Types Supported for Mac OS X Agent 11-47


    Mac OS X Clean Access Agent Dialogs 11-48

    Mac OS X Clean Access Agent Application File Locations 11-61

    RADIUS Challenge-Response Mac OS X Clean Access Agent Dialogs 11-63

    Cisco NAC Web Agent 11-66

    Overview 11-66

    System Requirements 11-67

    Configuration Steps for the Cisco NAC Web Agent 11-68

    Cisco NAC Web Agent User Dialogs 11-69

    CHAPTER 12 Monitoring and Troubleshooting Agent Sessions 12-1

    Viewing Agent Reports 12-1

    Exporting Agent Reports 12-4

    Limiting the Number of Reports 12-5

    Create Client Agent Log Files Using the Cisco Log Packager 12-5

    Manage Certified Devices 12-10

    Add Exempt Device 12-12

    Clear Certified or Exempt Devices Manually 12-13

    View Reports for Certified Devices 12-13

    View Switch/WLC Information for Out-of-Band Certified Devices 12-13

    Configure Certified Device Timer 12-14

    Add Floating Devices 12-16

    Online Users List 12-18

    Interpreting Active Users 12-18

    View Online Users 12-20

    In-Band Users 12-20

    Out-of-Band Users 12-21

    Display Settings 12-24

    Agent Troubleshooting 12-25

    Client Cannot Connect/Login 12-26

    No Agent Pop-Up/Login Disabled 12-26

    Client Cannot Connect (Traffic Policy Related) 12-26

    AV/AS Rule Troubleshooting 12-27

    Cisco NAC Web Agent Status Codes 12-27

    Known Issue for Windows Script 5.6 12-28

    Known Issue for MS Update Scanning Tool (KB873333) 12-29

    CHAPTER 13 Configuring Network Scanning 13-1

    Overview 13-1

    Network Scanning Implementation Steps 13-2


    User Page Summary 13-4

    Configure the Quarantine Role 13-6

    Load Nessus Plugins into the Clean Access Manager Repository 13-6

    Uploading Plugins 13-7

    Deleting Plugins 13-8

    Configure General Setup 13-9

    Apply Plugins 13-10

    Configure Plugin Options 13-12

    Configure Vulnerability Handling 13-13

    Test Scanning 13-16

    Show Log 13-17

    View Scan Reports 13-17

    Customize the User Agreement Page 13-19

    CHAPTER 14 Monitoring Event Logs 14-1

    Overview 14-1

    Interpreting Event Logs 14-4

    View Logs 14-4

    Event Log Example 14-8

    Limiting the Number of Logged Events 14-9

    Configuring Syslog Logging 14-9

    Cisco NAC Appliance Log Files 14-11

    Log File Sizes 14-11

    SNMP 14-12

    Enable SNMP Polling/Alerts 14-13

    Add New Trapsink 14-14

    CHAPTER 15 Administering the CAM 15-1

    Overview 15-1

    Network 15-2

    Failover 15-4

    Set System Time 15-4

    Manage CAM SSL Certificates 15-6

    Web Console Pages for SSL Certificate Management 15-7

    Typical SSL Certificate Setup on the CAM 15-8

    Phase 1: Prepare Your CAM and CAS for the Certificate Signing Request (CSR) 15-8

    Phase 2: Prepare your CAM and CAS For CA-Signed Certs (Production Deployment) 15-9


    Phase 3: Adding a New CAM or CAS to an Existing Production Deployment 15-10

    Generate Temporary Certificate 15-11

    Generate and Export a Certification Request 15-12

    Manage Signed Certificate/Private Key 15-14

    Import Signed Certificate/Private Key 15-14

    Export Certificate and/or Private Key 15-16

    Manage Trusted Certificate Authorities 15-16

    Import/Export Trusted Certificate Authorities 15-18

    View Current Private Key/Certificate and Certificate Authority Information 15-19

    Troubleshooting Certificate Issues 15-21

    No Web Login Redirect/CAS Cannot Establish Secure Connection to CAM 15-21

    Private Key in Clean Access Server Does Not Match the CA-Signed Certificate 15-22

    Regenerating Certificates for DNS Name Instead of IP 15-23

    Certificate-Related Files 15-23

    System Upgrade 15-24

    Licensing 15-26

    Policy Import/Export 15-28

    Policy Sync Policies 15-28

    Policies Excluded from Policy Sync 15-29

    Example Scenarios 15-29

    Policy Sync Configuration Summary 15-30

    Before You Start 15-30

    Enable Policy Sync on the Master 15-31

    Configure the Master 15-32

    Enable Policy Sync on the Receiver 15-34

    Configure the Receiver 15-35

    Perform Policy Sync 15-36

    Perform Manual Sync 15-37

    Perform Auto Sync 15-38

    Verify Policy Sync 15-39

    View History Logs 15-39

    Troubleshooting Manual Sync Errors 15-41

    Support Logs 15-42

    Admin Users 15-44

    Admin Groups 15-45

    Add a Custom Admin Group 15-45

    Admin Users 15-47

    Login/Logout an Admin User 15-48

    Add an Admin User 15-48


    Edit an Admin User 15-49

    Active Admin User Sessions 15-50

    Manage System Passwords 15-51

    Change the CAM Web Console Admin Password 15-52

    Change the CAS Web Console Admin User Password 15-53

    Recovering Root Password for CAM/CAS 15-54

    Recovering Root Password for CAM/CAS (Release 3.5.x or Below) 15-54

    Backing Up the CAM Database 15-55

    Automated Daily Database Backups 15-56

    Manual Backups from Web Console 15-56

    Creating Manual Backup 15-56

    Backing Up Snapshots to Another Server via FTP 15-57

    Backing Up and Restoring CAM/CAS Authorization Settings 15-57

    Restoring Configuration From CAM Snapshot: Standalone CAM 15-59

    Restoring Configuration From CAM Snapshot: HA-CAM or HA-CAS 15-60

    Database Recovery Tool 15-61

    Manual Database Backup from SSH 15-62

    API Support 15-62

    CHAPTER 16 Configuring High Availability (HA) 16-1

    Overview 16-1

    Before Starting 16-5

    Connect the Clean Access Manager Machines 16-6

    Serial Connection 16-6

    Configure the HA-Primary CAM 16-7

    Configure the HA-Secondary CAM 16-10

    Complete the Configuration 16-14

    Upgrading an Existing Failover Pair 16-14

    Failing Over an HA-CAM Pair 16-14

    Useful CLI Commands for HA 16-14

    Accessing High Availability Pair Web Consoles 16-15

    Determining Active and Standby CAM 16-15

    Determining Primary and Secondary CAM 16-15

    Adding High Availability Cisco NAC Appliance To Your Network 16-16

    APPENDIX A Error and Event Log Messages A-1

    Client Error Messages A-1

    Login Failed A-1


    Network Error A-2

    Users Cannot Log In During CAS Fallback Recovery A-3

    Clean Access Agent Unable to Upgrade Using MSI A-4

    Clean Access Agent Icon Does Not Install to Taskbar A-5

    CAM Event Log Messages A-5

    APPENDIX B API Support B-1

    Overview B-1

    Authentication Requirements B-2

    Administrator Operations B-2

    adminlogin B-2


    adminlogout B-3

    Device Filter Operations B-3

    addmac B-3

    removemac B-4

    checkmac B-4

    getmaclist B-5

    Certified Devices List Operations B-5

    addcleanmac B-5

    removecleanmac B-6

    clearcertified B-6

    User Operations B-7

    kickuser B-7

    kickuserbymac B-7

    kickoobuser B-8

    queryuserstime B-8

    renewuserstime B-8

    changeuserrole B-9

    changeloggedinuserrole B-9

    Guest Access Operations B-10

    getlocaluserlist B-10

    addlocaluser B-10

    deletelocaluser B-11

    Report Operations B-11

    getversion B-11

    getuserinfo B-12

    getoobuserinfo B-12

    getcleanuserinfo B-13


    getreports B-13

    APPENDIX C Windows Client Registry Settings C-1

    APPENDIX D Open Source License Acknowledgements D-1

    Notices D-1

    OpenSSL/Open SSL Project D-1

    License Issues D-1

    INDEX


    About This Guide

    Revised July 16, 2009, OL-19354-01

    This preface includes the following sections:

    Audience

    Purpose

    Document Organization

    Document Conventions

    New Features in this Release

    Product Documentation

    Documentation Updates

    Obtaining Documentation and Submitting a Service Request

    Audience

    This guide is for network administrators who are implementing the Cisco NAC Appliance solution to manage and secure their networks. Cisco NAC Appliance comprises the Clean Access Manager (CAM) administration appliance, Clean Access Server (CAS) enforcement appliance, and Agent end-user client software. Use this document along with the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.6(1) to install and administer your Cisco NAC Appliance deployment.

    Purpose

    The Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.6(1) describes how to install and configure the Clean Access Manager NAC Appliance. You can use the Clean Access Manager (CAM) and its web-based administration console to manage multiple Clean Access Servers (CASs) in a deployment. End users connect through the Clean Access Server to the network via web login or Agent. This guide describes how to use the CAM web administration console to configure most aspects of Cisco NAC Appliance. It also provides information specific to the Clean Access Manager, such as how to implement High Availability. See Product Documentation for further details on the document set for Cisco NAC Appliance.


    Document Organization

    Table 1 Document Organization

    Chapter
        Description
    Chapter 1, Introduction
        Provides a high-level overview of the Cisco NAC Appliance solution
    Chapter 2, Installing the Clean Access Manager
        Describes how to install the Clean Access Manager
    Chapter 3, Device Management: Adding Clean Access Servers, Adding Filters
        Describes how to add and manage Clean Access Servers from the Clean Access Manager and configure device and/or subnet filters
    Chapter 4, Switch Management: Configuring Out-of-Band Deployment
        Describes how to configure Cisco NAC Appliance for Out-of-Band (OOB) deployment
    Chapter 5, Wireless LAN Controller Management: Configuring Wireless Out-of-Band Deployment
        Describes how to configure Cisco NAC Appliance for Wireless Out-of-Band (Wireless OOB) deployment.
    Chapter 6, Configuring User Login Page and Guest Access
        Explains how to add the default login page needed for all users to authenticate, customize the login page for web login users, and configure Cisco NAC Appliance for guest user login
    Chapter 7, User Management: Configuring User Roles and Local Users
        Explains how to create user roles and new user profiles
    Chapter 8, User Management: Configuring Authentication Servers
        Describes how to set up external authentication sources, configure Active Directory Single Sign-On (SSO), VLAN ID or attribute-based auth server mapping rules, and RADIUS accounting
    Chapter 9, User Management: Traffic Control, Bandwidth, Schedule
        Describes how to configure role-based traffic control policies, bandwidth management, session and heartbeat timers
    Chapter 10, Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
        Describes how to configure Agent distribution and installation for client machines, as well as configure client posture assessment in the Cisco NAC Appliance system
    Chapter 11, Cisco NAC Appliance Agents
        Presents overviews, login flow, and session termination dialogs for the Cisco NAC Appliance Agents (Cisco NAC Agent, Clean Access Agent, and Cisco NAC Web Agent)
    Chapter 12, Monitoring and Troubleshooting Agent Sessions
        Provides information on compiling and accessing various Cisco NAC Appliance Agent reports and log files and troubleshooting Agent connection and operation issues
    Chapter 13, Configuring Network Scanning
        Describes how to set up network scanning for Cisco NAC Appliance

    Chapter 14, Monitoring Event Logs
        Describes the Monitoring module of Cisco NAC Appliance, including online users, event logs, and SNMP information
    Chapter 15, Administering the CAM
        Discusses the Administration pages for the Clean Access Manager
    Chapter 16, Configuring High Availability (HA)
        Describes how to set up a pair of Clean Access Manager machines for high availability
    Appendix A, Error and Event Log Messages
        Explains some common Cisco NAC Appliance error messages and event log entries
    Appendix B, API Support
        Discusses API support for the Clean Access Manager
    Appendix C, Windows Client Registry Settings
        Describes how to configure and enable various Clean Access Agent features using Windows client machine registry settings
    Appendix D, Open Source License Acknowledgements
        Contains Open Source License information for Cisco products

    Document Conventions

    Table 2 Document Conventions

    Item
        Convention
    Indicates command line output.
        Screen font
    Indicates information you enter.
        Boldface screen font
    Indicates variables for which you supply values.
        Italic screen font
    Indicates web admin console modules, menus, tabs, links and submenu links.
        Boldface font
    Indicates a menu item to be selected.
        Administration > User Pages

    New Features in this Release

    For a brief summary of the new features and enhancements available in this release, refer to Documentation Updates and the New and Changed Information section of the Release Notes for Cisco NAC Appliance, Version 4.6(1) (http://www.cisco.com/en/US/products/ps6128/prod_release_notes_list.html).

    Product Documentation

    Table 3 lists the documents available for Cisco NAC Appliance on Cisco.com at the following URL:

    http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

    Tip To access external URLs referenced in this document, right-click the link in Adobe Acrobat and select Open in Weblink in Browser.

    Table 3 Cisco NAC Appliance Document Set

    Document Title
        Refer to This Document For Information On:
    Cisco NAC Appliance Service Contract/Licensing Support
        Obtaining and installing product licenses
        Information on service contracts, ordering and RMA
    Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later
        Agent System Requirements, Agent/Server Version Compatibility, Agent/OS/Browser Support Matrix, Agent/AD Server Compatibility for AD SSO, and Agent Localized Language Template Support
    Switch Support for Cisco NAC Appliance
        Which switches and NMEs support OOB deployment
        Known issues/troubleshooting for switches and WLCs
    Getting Started with Cisco NAC Network Modules in Cisco Access Routers
        Installing or upgrading the Clean Access Server (CAS) software on the Cisco NAC network module (NME-NAC-K9)
    Connecting Cisco Network Admission Control Network Modules
        Connecting Cisco NAC network module (NME-NAC-K9) in an Integrated Services Router
    Release Notes for Cisco NAC Appliance, Version 4.6(1)
        Details on the latest 4.6(1) release, including:
        New features and enhancements
        Fixed caveats
        Upgrade instructions
        Supported AV/AS product charts
        CAM/CAS/Agent compatibility and version information

    Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.6(1)
        Complete CAM details, including:
        How to install the CAM software
        Overviews of major concepts and features of Cisco NAC Appliance
        How to use the CAM web console to perform global configuration of Cisco NAC Appliance (applying to all CASs in the deployment)
        How to configure CAM pairs for High Availability
    Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.6(1)
        CAS-specific details, including:
        How to install the CAS software
        Where to deploy the CAS on the network (general information)
        How to perform local (CAS-specific) configuration using the CAS management pages of the CAM web console, or the CAS direct access console.
        How to configure CAS pairs for High Availability

    Documentation Updates

    Table 4 Updates to Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.6(1)

    Date
        Description
    7/1/09
        Release 4.6(1)

    Obtaining Documentation and Submitting a Service Request

    For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

    http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

    Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
    CHAPTER 1 Introduction

    This chapter provides a high-level overview of the Cisco NAC Appliance solution. Topics include:

    What Is Cisco NAC Appliance?, page 1-1

    Cisco NAC Appliance Components, page 1-2

    Client Posture Assessment Overview, page 1-13

    Client Login Overview, page 1-6

    Managing Users, page 1-20

    Overview of Web Admin Console Elements, page 1-21

    Clean Access Server (CAS) Management Pages, page 1-22

    Admin Console Summary, page 1-24

    What Is Cisco NAC Appliance?

    The Cisco Network Admission Control (NAC) Appliance (formerly known as Cisco Clean Access) is a powerful, easy-to-use admission control and compliance enforcement solution. With comprehensive security features, in-band or out-of-band deployment options, user authentication tools, and bandwidth and traffic filtering controls, Cisco NAC Appliance is a complete solution for controlling and securing networks. As the central access management point for your network, Cisco NAC Appliance lets you implement security, access, and compliance policies in one place instead of having to propagate the policies throughout the network on many devices.

    The security features in Cisco NAC Appliance include user authentication, policy-based traffic filtering, and client posture assessment and remediation. Cisco NAC Appliance stops viruses and worms at the edge of the network. With remote or local system checking, Cisco NAC Appliance lets you block user devices from accessing your network unless they meet the requirements you establish.

    Cisco NAC Appliance is a network-centric integrated solution administered from the web console of the Clean Access Manager (CAM) administration server and enforced through the Clean Access Server (CAS) and the Cisco NAC Agent, Clean Access Agent, and Cisco NAC Web Agent. You can deploy the Cisco NAC Appliance in the configuration that best meets the needs of your network. The Clean Access Server can be deployed as the first-hop gateway for your edge devices providing simple routing functionality, advanced DHCP services, and other services. Alternatively, if elements in your network already provide these services, the CAS can work alongside those elements without requiring changes to your existing network by being deployed as a bump-in-the-wire.


    Other key features of Cisco NAC Appliance include:

    Standards-based architecture: Uses HTTP, HTTPS, XML, and Java Management Extensions (JMX).

    User authentication: Integrates with existing backend authentication servers, including Kerberos, LDAP, RADIUS, and Windows NT domain.

    VPN concentrator integration: Integrates with Cisco VPN concentrators (e.g. VPN 3000, ASA) and provides Single Sign-On (SSO).

    Active Directory SSO: Integrates with Active Directory on Windows Servers to provide Single Sign-On for Cisco NAC Agent/Clean Access Agent users logging into Windows systems. (Cisco NAC Web Agent does not support SSO.)

    Cisco NAC Appliance compliance policies: Allows you to configure client posture assessment and remediation via use of Agent or Nessus-based network port scanning.

        The Cisco NAC Web Agent performs posture assessment, but does not provide a medium for remediation. The user must manually fix/update the client machine and Re-Scan to fulfill posture assessment requirements with the Web Agent.

        The Cisco NAC Agent does not support Nessus-based network scanning.

    Layer 2 or Layer 3 deployment options: The Clean Access Server can be deployed within L2 proximity of users, or multiple hops away from users. You can use a single CAS for both L3 and L2 users.

    In-Band (IB) or Out-of-Band (OOB) deployment options: Cisco NAC Appliance can be deployed in-line with user traffic, or out-of-band to allow clients to traverse the network only during posture assessment and remediation while bypassing it after certification (posture assessment).

    Traffic filtering policies: Role-based IP and host-based policies provide fine-grained and flexible control for in-band network traffic.

    Bandwidth management controls: Limit bandwidth for downloads or uploads.

    High availability: Active/Passive failover (requiring two servers) ensures services continue if an unexpected shutdown occurs. You can configure pairs of Clean Access Manager (CAM) machines and/or CAS machines in high-availability mode.

    Note Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support high availability.

    Cisco NAC Appliance Components

    Cisco NAC Appliance is a network-centric integrated solution administered from the Clean Access Manager web console and enforced through the Clean Access Server and (optionally) the Agent. Cisco NAC Appliance checks client systems, enforces network requirements, distributes patches and antivirus software, and quarantines vulnerable or infected clients for remediation before clients access the network. Cisco NAC Appliance consists of the following components (in Figure 1-1):

    Clean Access Manager (CAM): Administration server for Cisco NAC Appliance deployment. The secure web console of the Clean Access Manager is the single point of management for up to 20 Clean Access Servers in a deployment (or 40 CASs if installing a SuperCAM). For Out-of-Band (OOB) deployment, the web admin console allows you to control switches and VLAN assignment of user ports through the use of SNMP.


    Note The CAM web admin console supports Internet Explorer 6.0 or above only, and requires high encryption (64-bit or 128-bit). High encryption is also required for client browsers for web login and Agent authentication.

    Clean Access Server (CAS): Enforcement server between the untrusted (managed) network and the trusted network. The CAS enforces the policies you have defined in the CAM web admin console, including network access privileges, authentication requirements, bandwidth restrictions, and Cisco NAC Appliance system requirements.

    You can install a CAS as either a stand-alone appliance (like the Cisco NAC-3300 series) or as a network module (Cisco NME-NAC-K9) in a Cisco ISR chassis and deploy it In-Band (always inline with user traffic) or Out-of-Band (inline with user traffic only during authentication/posture assessment). The CAS can also be deployed in Layer 2 mode (users are L2-adjacent to CAS) or Layer 3 mode (users are multiple L3 hops away from the CAS).

    You can also deploy several CASs of varying size/capacity to fit the needs of varying network segments. For example, you can install Cisco NAC-3300 series appliances in your company headquarters core to handle thousands of users and simultaneously install one or more Cisco NAC network modules in ISR platforms to accommodate smaller groups of users at a satellite office.

    Cisco NAC Appliance Agents: Optional read-only persistent or temporal Agents that reside on client machines. Cisco NAC Appliance Agents check applications, files, services, or registry keys to ensure that client machines meet your specified network and software requirements prior to gaining access to the network.

    Note There is no client firewall restriction with client posture assessment via the Agent. The Agent can check the client registry, services, and applications even if a personal firewall is installed and running.

    Cisco NAC Appliance Updates: Regular updates of pre-packaged policies/rules that can be used to check the up-to-date status of operating systems, antivirus (AV), antispyware (AS), and other client software. Provides built-in support for AV vendors and AS vendors.


    Figure 1-1 Cisco NAC Appliance Deployment (L2 In-Band Example)

    [Figure 1-1 shows: PCs with Clean Access Agent (CAA) on the LAN/Intranet, an L2 switch, the Clean Access Server (CAS) with its eth1 and eth0 interfaces, an L3 router, a firewall and the Internet, the Clean Access Manager (CAM) with its web admin console reached from an admin laptop, authentication sources (LDAP, RADIUS, Kerberos, Windows NT), and a DNS server.]

    Clean Access Manager (CAM)

    The Clean Access Manager (CAM) is the administration server and database which centralizes configuration and monitoring of all Clean Access Servers, users, and policies in a Cisco NAC Appliance deployment. You can use it to manage up to 20 Clean Access Servers. The web admin console for the Clean Access Manager is a secure, browser-based management interface (Figure 1-2). See Admin Console Summary, page 1-24 for a brief introduction to the modules of the web console. For out-of-band (OOB) deployment, the web admin console provides the OOB Management module to add and control switches in the Clean Access Manager's domain and configure switch ports.


    Figure 1-2 CAM Web Admin Console

    Clean Access Server (CAS)

    The Clean Access Server (CAS) is the gateway between an untrusted and trusted network. The Clean Access Server can operate in one of the following In-Band (IB) or Out-of-Band (OOB) modes:

    IB Virtual Gateway (L2 transparent bridge mode)

    IB Real-IP Gateway

    IB NAT Gateway (IP router/default gateway with Network Address Translation services)

    OOB Virtual Gateway

    OOB Real-IP Gateway

    OOB NAT Gateway

    Note NAT Gateway (IB or OOB) is not supported for production deployment.

    This guide describes the global configuration and administration of Clean Access Servers and Cisco NAC Appliance deployment using the Clean Access Manager web admin console.

    For a summary of CAS operating modes, see Add Clean Access Servers to the Managed Domain, page 3-2. For complete details on CAS deployment, see the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.6(1).

    For details on OOB implementation and configuration, see Chapter 4, Switch Management: Configuring Out-of-Band Deployment.


    For details on options configured locally on the CAS, such as DHCP configuration, Cisco VPN Concentrator integration, CAS High-Availability implementation, or local traffic policies, see the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.6(1).

    Cisco NAC Appliance Agents

    When enabled for your Cisco NAC Appliance deployment, the Agent can ensure that computers accessing your network meet the system requirements you specify. The Agent is a read-only, easy-to-use, small-footprint program that resides on Windows user machines. When a user attempts to access the network, the Agent checks the client system for the software you require, and helps users acquire any missing updates or software.

    Agent users who fail the system checks you have configured are assigned to the Agent Temporary role. This role gives users limited network access to access the resources needed to comply with the Agent requirements. Once a client system meets the requirements, it is considered clean and allowed network access.

    The Cisco NAC Appliance Agent types available in Cisco NAC Appliance are:

    Cisco NAC Agent (persistent Agent for Windows client machines)

    Windows Clean Access Agent (persistent Agent for Windows client machines)

    Mac OS X Clean Access Agent (persistent Agent for Macintosh client machines)

    Cisco NAC Web Agent (temporal Agent for Windows client machines)

    For more information on the Agent types available in Cisco NAC Appliance, see Chapter 11, Cisco NAC Appliance Agents.

    Cisco NAC Appliance Updates

    Regular updates of pre-packaged policies/rules can be used to check the up-to-date status of operating systems, antivirus/antispyware software, and other client software. Cisco NAC Appliance provides built-in support for major AV and AS vendors. For complete details, see Retrieving Cisco NAC Appliance Updates, page 10-8.

    Client Login Overview

    Agent scanning and/or network scanning must first be enabled under Device Management > Clean Access > General Setup before configuring posture assessment.

    The Agent Login subpage enables Agent controls per user role/OS.

    The Web Login subpage enables network scanning controls per user role/OS.

    In addition to dialog/web page content, you can specify whether pages appear when the user logs in with a specific user role and OS. If you want to enable both Agent and network scanning for a role, make sure to set role/OS options on both the Agent Login and Web Login configuration pages.

    Note Agent/network scanning pages are always configured by both user role and client OS.


    Agent Login

    Agent users see the web login page and the Agent download page the first time they perform initial web

    login in order to download and install the Agent setup installation file. After installation, Agent users

    should login through the Agent dialog which automatically pops up when Popup Login Window is

    selected from the system tray icon menu (default setting). Cisco NAC Agent/Clean Access Agent userscan also bring up the login dialog by right-clicking the Agent system tray icon and selecting Login.

    Cisco NAC Web Agent users are automatically connected to the network once their client machine is

    scanned and found compliant with Agent Requirement settings.

    Note Agent Login/Logout is disabled (grayed out) for special logins, such as VPN SSO, AD SSO, and MAC

    address-based login. The Logout option is not needed for these deployments, since the machine always

    attempts to log back in immediately.

    Agent users will not see Quarantine role pages or popup scan vulnerability reports, as the Agent dialogs

    perform the communication. You can also configure a Network Policy page (Acceptable Use Page) that

    Agent users must accept after login and before accessing the network.

If you configure the Clean Access Manager to use a RADIUS server to validate remote users, the end-user Agent login session may feature extra authentication challenge-response dialogs (not available in other dialog sessions) beyond the standard user ID and password. This additional interaction is due to the user authentication profile on the RADIUS server itself and does not require any additional configuration on the Clean Access Manager or Clean Access Server. For example, the RADIUS server profile configuration may feature an additional authentication challenge like verifying a token-generated PIN or other user-specific credentials in addition to the standard user ID and password. In this case, one or more additional login dialog screens may appear as part of the login session.

Note Ensure that your RADIUS server and associated clients are configured to interact correctly according to the RADIUS authentication method you choose.

Figure 1-3 Agent Login General Setup

Table 1-1 explains the General Setup > Agent Login configuration options shown in Figure 1-3. For examples and descriptions of Agent login user pages, see Chapter 11, Cisco NAC Appliance Agents.

Table 1-1 Agent Login General Setup Configuration Options (Control: Description)

User Role
    Choose a user role from the dropdown menu, which shows all roles in the system. Configure Agent Login settings for each role for which the Agent will be required. (See Add New Role, page 7-7 for how to create new user roles.)

Operating System
    Choose the client OS for the specified user role. ALL settings apply by default to all client operating systems if no OS-specific settings are specified. WINDOWS_ALL settings apply to all Windows operating systems if no Windows-OS-specific settings are specified.

Require use of Agent (for Windows and Macintosh OSX only)
    Click this checkbox to redirect clients in the selected user role and OS to the Agent Download Page Message (or URL) after the initial web login. Users will be prompted to download, install, and use the Agent to log into the network. To modify the default download instructions, type HTML text or enter a URL.
    Note Agent requirement configuration must also be completed as described in Configuring Agent-Based Posture Assessment, page 10-33. The Require use of Agent and Require use of Cisco NAC Web Agent options are not mutually exclusive. If you choose to enable both options, both choices appear to users when they are directed to the Login Page.

Require use of Cisco NAC Web Agent (for Windows 2000/XP/Vista only)
    Click this checkbox to redirect clients in the selected user role and OS to the Cisco NAC Web Agent Download Page Message (or URL) after the initial web login. Users will be prompted to download, install, and access the network using the temporal Cisco NAC Web Agent. To modify the default download instructions, type HTML text or enter a URL.
    Note Agent requirement configuration must also be completed as described in Configuring Agent-Based Posture Assessment, page 10-33. The Require use of Agent and Require use of Cisco NAC Web Agent options are not mutually exclusive. If you choose to enable both options, both choices appear to users when they are directed to the Login Page.

Allow restricted network access in case user cannot use NAC Agent and Cisco NAC Web Agent
    Click this optional checkbox to allow users to have restricted network access if they choose not to install the Cisco NAC Agent/Clean Access Agent or launch the Cisco NAC Web Agent. This feature is intended primarily to allow access for users logging into a user role that requires an Agent, but who have systems on which they cannot download and install the Agent (as in the case of inadequate/non-admin privileges on the machine, for example).
    Users can also take advantage of restricted network access to gain limited network access when the client machine fails remediation and the user must implement updates to meet network access requirements before they can log in using their assigned user role.
    For details, see Configure Restricted Network Access for Agent Users, page 10-6.

Restricted Access User Role
    Use this dropdown menu to specify a user role for users who accept restricted network access instead of installing the Cisco NAC Agent/Clean Access Agent or installing and launching the Cisco NAC Web Agent.

Restricted Access Button Text
    You can change the text in this box to show users who can log in to the Cisco NAC Appliance system a customized button in the Agent login dialog process.
    Note If users are logging in via the Clean Access Agent, they do not see the configurable text string. Instead, Clean Access Agent users only ever see the Limited button label.

Show Network Policy to NAC Agent and Cisco NAC Web Agent users (Windows only) [Network Policy Link:]
    Click this checkbox if you want to display a link in the Agent login session to a Network Policy (Acceptable Use Policy) web page to Agent users. You can use this option to provide a policies or information page that users must accept before they access the network. This page can be hosted on an external web server or on the Clean Access Manager itself.
    To link to an externally-hosted page, type the URL in the Network Policy Link field, in the format http://mysite.com/helppages.
    To put the network policy page on the CAM, for example helppage.htm, upload the page using Administration > User Pages > File Upload, then point to the page by typing the URL http:///auth/helppage.htm in the Network Policy Link field.
    Note The Network Policy page is only shown to the first user that logs in with the device. This helps to identify the authenticating user who accepted the Network Policy Page. Clearing the device from the Certified Devices List will force the user to accept the Network Policy again at the next login.
    For more details, see Figure 11-30 on page 11-20, Figure 11-58 on page 11-37, and Configure Network Policy Page (Acceptable Use Policy) for Agent Users, page 10-7.

Logoff NAC Agent users from network on their machine logoff or shutdown after secs (for Windows & In-Band setup)
    Click this option to enable logoff of the Agent from the Cisco NAC Appliance network when a user logs off the Windows domain (Start > Shutdown > Log off current user) or shuts down a Windows workstation. This removes the user from the Online Users List.
    Note If you do not enable the Logoff NAC Agent users from network on their machine logoff or shutdown after secs option on the CAM, the last authenticated user remains logged in even if the current user on the client logs off from the client system. For SSO, the next user to use that client will be logged in with the credentials of the previous user. In the case of the Cisco NAC Web Agent (which does not perform SSO), the next user has the access of the previous user.
    Note If a user reboots his/her client machine as part of a remediation step (if the required application installation process requires you to restart your machine, for example), and the Logoff NAC Agent users from network on their machine logoff or shutdown after secs option has not been enabled, the client machine remains in the Temporary role until the Session Timer expires and the user is given the opportunity to perform login/remediation again.

Refresh Windows domain group policy after login (for Windows only)
    Click this checkbox to automatically refresh the Windows domain group policy (perform GPO update) after the user login (for Windows only). This feature is intended to facilitate GPO update when Windows AD SSO is configured for Cisco NAC Agent/Clean Access Agent users. See the Enable GPO Updates section in the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.6(1) for more details.

Automatically close login success screen after [] secs
    Click this checkbox and set the time to configure the Login success dialog to close automatically after the user is successfully certified/logged into normal login role (otherwise user has to click OK button). Setting the time to 0 seconds prevents display of the Agent Login success screen (see Figure 11-59 on page 11-38). Valid range is 0-300 seconds.

Automatically close logout success screen after [] secs (for Windows only)
    Click this checkbox and set the time to configure the Logout success dialog to close automatically when the user manually logs out (otherwise user has to click OK button). Setting the time to 0 seconds prevents display of the logout success screen (see Figure 11-61 on page 11-39). Valid range is 0-300 seconds.
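As an added illustration, not code from the Cisco guide or from the CAM itself, the following Python models how the per-role, per-OS settings of Table 1-1 resolve for a given client (the exact OS first, then WINDOWS_ALL for any Windows client, then ALL) and which choices the user is then offered after the initial web login. The role names, the OS keys other than ALL and WINDOWS_ALL, the data layout, and the rule that the restricted-access button is only offered when an agent is actually required are assumptions of this example; the OS restrictions follow the control labels in the table.

```python
"""Illustrative model (not Cisco's code) of General Setup > Agent Login
settings resolution and the post-web-login offer.  Role names, OS keys other
than ALL/WINDOWS_ALL, and the data layout are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed OS keys; the page itself only names ALL and WINDOWS_ALL.
WINDOWS_OS = {"WINDOWS_2000", "WINDOWS_XP", "WINDOWS_VISTA"}
MAC_OS = {"MAC_OSX"}


@dataclass
class AgentLoginSettings:
    """The Table 1-1 checkboxes that decide the redirect after web login."""
    require_agent: bool = False        # Require use of Agent (Windows and Mac OSX only)
    require_web_agent: bool = False    # Require use of Cisco NAC Web Agent (Windows only)
    allow_restricted_access: bool = False
    restricted_access_role: Optional[str] = None


# (user role, OS key) -> settings, as configured per role and OS in the CAM
SettingsTable = Dict[Tuple[str, str], AgentLoginSettings]


def resolution_order(client_os: str) -> List[str]:
    """Most specific key first: the exact OS, then WINDOWS_ALL for any Windows
    client, then ALL as the catch-all described in Table 1-1."""
    order = [client_os]
    if client_os in WINDOWS_OS:
        order.append("WINDOWS_ALL")
    order.append("ALL")
    return order


def resolve_settings(table: SettingsTable, role: str, client_os: str) -> AgentLoginSettings:
    """Return the first configured entry along the resolution order."""
    for os_key in resolution_order(client_os):
        entry = table.get((role, os_key))
        if entry is not None:
            return entry
    raise KeyError(f"no General Setup entry for role {role!r}")


def post_web_login_offer(table: SettingsTable, role: str, client_os: str) -> dict:
    """Which choices the user sees after web login.  Both agents may be offered
    at once (the options are not mutually exclusive).  Assumption: the
    restricted-access button is only offered when an agent is actually required."""
    s = resolve_settings(table, role, client_os)
    agent = s.require_agent and (client_os in WINDOWS_OS or client_os in MAC_OS)
    web_agent = s.require_web_agent and client_os in WINDOWS_OS
    restricted = None
    if s.allow_restricted_access and (agent or web_agent):
        restricted = s.restricted_access_role
    return {"agent_download": agent,
            "web_agent_download": web_agent,
            "restricted_access_role": restricted}


# Constructed sample configuration (assumed role names).
SAMPLE_TABLE: SettingsTable = {
    ("employee", "ALL"): AgentLoginSettings(),
    ("employee", "WINDOWS_ALL"): AgentLoginSettings(
        require_agent=True, require_web_agent=True,
        allow_restricted_access=True, restricted_access_role="employee_restricted"),
    # An OS-specific row overrides WINDOWS_ALL for that OS only.
    ("employee", "WINDOWS_VISTA"): AgentLoginSettings(require_web_agent=True),
    ("contractor", "ALL"): AgentLoginSettings(require_agent=True, require_web_agent=True),
}

if __name__ == "__main__":
    for role, os_name in [("employee", "WINDOWS_XP"), ("employee", "WINDOWS_VISTA"),
                          ("employee", "MAC_OSX"), ("contractor", "MAC_OSX"),
                          ("contractor", "LINUX")]:
        print(role, os_name, post_web_login_offer(SAMPLE_TABLE, role, os_name))
```

The sample table shows the precedence at work: a Windows XP employee picks up the WINDOWS_ALL row, a Vista employee the Vista-specific row, and a Mac employee the ALL row; the contractor role configured only at ALL still gets the Web Agent offer suppressed on a Mac because that control applies to Windows clients only.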

    Web Login

Figure 1-4 Web Login General Setup

Web login users see the login and logout pages, quarantine role or blocked access pages and Nessus scan vulnerability reports, if enabled. You can also configure a User Agreement Page that appears to web login users before accessing the network.

If you configure the Clean Access Manager to use a RADIUS server to validate remote users, the initial Web Login session may feature extra authentication challenge-response dialogs beyond the standard user ID and password. This additional interaction is due to the user authentication profile on the RADIUS server itself and does not require any additional configuration on the Clean Access Manager or Clean Access Server. For example, the RADIUS server profile configuration may feature an additional authentication challenge like verifying a token-generated PIN or other user-specific credentials in addition to the standard user ID and password. In this case, one or more additional login dialog screens may appear as part of the login session.

Note Ensure that your RADIUS server and associated clients are configured to interact correctly according to the RADIUS authentication method you choose.

Table 1-2 explains the General Setup > Web Login configuration options shown in Figure 1-4. For examples and descriptions of web login user pages, see Table 1-3 on page 1-19.

Table 1-2 Web Login General Setup Configuration Options (Control: Description)

User Role
    Choose the user role for which to apply Cisco NAC Appliance General Setup controls. The dropdown list shows all roles in the system. Configure user roles from User Management > User Role (see Add New Role, page 7-7).

Operating System
    Choose the client OS for the specified user role. By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified.

Show Network Scanner User Agreement Page to web login users
    Click this checkbox to present the User Agreement Page (Virus Protection Information) after web login and network scanning. The page displays the content you configure in the User Agreement configuration form. Users must click the Accept button to access the network.
    Note The User Agreement page is only shown to the first user that logs in with the device. This helps to identify the authenticating user who accepted the UAP. Clearing the device from the Certified Devices List will force the user to accept the UAP again at the next login.
    If choosing this option, be sure to configure the page as described in Customize the User Agreement Page, page 13-19.

Enable pop-up scan vulnerability reports from User Agreement Page
    Click this checkbox to enable web login users to see the results of their network scan from a popup browser window. If popup windows are blocked on the client computer, the user can view the report by clicking the Scan Report link on the Logout page.

Require users to be certified at every web login
    Click this checkbox to force users to go through network scanning every time they access the network.
    If disabled (default), users only need to be certified the first time they access the network, or until their MAC address is cleared from the Certified Devices List.
    Note This option only applies to the In-Band Online Users List. When this option is enabled and the Online Users List entry is deleted, the corresponding Certified Devices List entry is deleted if there are no other Online Users List (either In-Band or Out-of-Band) entries with the same MAC address.

Exempt certified devices from web login requirement by adding to MAC filters
    Click this checkbox to place the MAC address of devices that are on the Cisco NAC Appliance Certified Devices List into the authentication passthrough list. This allows devices to bypass authentication and posture assessment the next time they access the network.

Block/Quarantine users with vulnerabilities in role
    Click this checkbox and select a quarantine role from the dropdown menu to put the user in the quarantine role if found with vulnerabilities after network scanning. If quarantined, the user must correct the problem with their system and go through network scanning again until no vulnerabilities are found in order to access the network.
    Click this checkbox and select Block Access from the dropdown menu to block the user from the network if found with vulnerabilities after network scanning. If a user is blocked, the Blocked Access page is shown with the content entered in the Message (or URL) for Blocked Access Page: field.
    Note The role session expiration time appears in parentheses next to the quarantine role name. This session time also appears on the User Agreement Page, if display of the page is enabled for a quarantined user.

Show quarantined users the User Agreement Page of
    If Quarantine is selected for Block/Quarantine users with vulnerabilities in role, this option appears below. It lets you present a User Agreement Page specific to the quarantine role chosen for users who fail scanning. Alternatively, Cisco NAC Appliance can present the page associated with the user's normal login role, or no page. See Customize the User Agreement Page, page 13-19 for further information.

Message (or URL) for Blocked Access Page:
    If Block Access is selected for Block/Quarantine users with vulnerabilities in role, this option appears. To modify the default message, type HTML text or enter a URL for the message that should appear when a user is blocked from the network for failing Nessus Scanning.
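To make the interaction of the Table 1-2 options concrete, here is an added Python model of a web login decision; it is illustrative code written for this page, not Cisco's implementation. It covers the Certified Devices List, "Require users to be certified at every web login", "Exempt certified devices from web login requirement by adding to MAC filters", "Block/Quarantine users with vulnerabilities in role", and the rule that the User Agreement Page is shown only to the first user on a device. The scanner is a constructed stand-in for the Nessus scan; MAC addresses, role names, page labels, and the assumption that a MAC-filtered device keeps the role it was certified in are all inventions of this example, and the Online Users List cleanup described in the note is not modelled.

```python
"""Illustrative model (not Cisco's code) of the web login outcome decided by
the Table 1-2 options.  The scanner is a constructed stand-in for the Nessus
scan; MACs, role names and page labels are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class WebLoginSettings:
    show_user_agreement: bool = False            # Show Network Scanner User Agreement Page
    require_certification_every_login: bool = False
    on_vulnerable: str = "quarantine"            # "quarantine" or "block"
    quarantine_role: str = "quarantine"
    show_quarantined_user_agreement: bool = False
    exempt_certified_to_mac_filters: bool = False


@dataclass
class CamState:
    """The lists the CAM consults: Certified Devices List and MAC passthrough (filter) list."""
    certified_devices: Set[str] = field(default_factory=set)
    mac_passthrough: Set[str] = field(default_factory=set)


@dataclass
class LoginResult:
    role: Optional[str]       # role assigned to the session, None when blocked
    scanned: bool             # whether a network scan ran for this login
    page: Optional[str]       # "user_agreement", "blocked_access" or None
    bypassed: bool = False    # True when the MAC filter skipped authentication entirely


Scanner = Callable[[str], List[str]]   # MAC -> list of vulnerability findings


def web_login(settings: WebLoginSettings, state: CamState, mac: str,
              login_role: str, scan: Scanner) -> LoginResult:
    # A MAC placed in the passthrough list bypasses authentication and posture
    # assessment (assumption: it keeps the role it was certified in).
    if mac in state.mac_passthrough:
        return LoginResult(login_role, scanned=False, page=None, bypassed=True)

    # A certified device skips scanning, and only the first user on the device
    # sees the User Agreement Page, unless certification is required every login.
    if mac in state.certified_devices and not settings.require_certification_every_login:
        return LoginResult(login_role, scanned=False, page=None)

    findings = scan(mac)
    if findings:
        if settings.on_vulnerable == "block":
            return LoginResult(None, scanned=True, page="blocked_access")
        page = "user_agreement" if settings.show_quarantined_user_agreement else None
        return LoginResult(settings.quarantine_role, scanned=True, page=page)

    # Clean scan: the device is certified and, if configured, added to the MAC filters.
    state.certified_devices.add(mac)
    if settings.exempt_certified_to_mac_filters:
        state.mac_passthrough.add(mac)
    page = "user_agreement" if settings.show_user_agreement else None
    return LoginResult(login_role, scanned=True, page=page)


def clear_device(state: CamState, mac: str) -> None:
    """Clearing a device from the Certified Devices List forces the next user
    to be scanned again and to accept the User Agreement Page again."""
    state.certified_devices.discard(mac)


# Constructed sample data: one MAC the stand-in scanner reports as vulnerable.
VULNERABLE_MACS = {"00:11:22:33:44:55"}


def demo_scan(mac: str) -> List[str]:
    return ["constructed finding"] if mac in VULNERABLE_MACS else []


if __name__ == "__main__":
    cfg = WebLoginSettings(show_user_agreement=True, show_quarantined_user_agreement=True)
    cam = CamState()
    for m in ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "00:11:22:33:44:55"]:
        print(m, web_login(cfg, cam, m, "employee", demo_scan))
```

Running the demo shows the three paths side by side: the first login of a clean device is scanned and gets the agreement page, its second login is neither scanned nor shown the page, and the vulnerable device lands in the quarantine role. Switching on_vulnerable to "block" turns the last case into a Blocked Access page with no role.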

Client Posture Assessment Overview

Cisco NAC Appliance compliance policies reduce the threat of computer viruses, worms, and other malicious code on your network. Cisco NAC Appliance is a powerful tool that enables you to enforce network access requirements, detect security threats and vulnerabilities on clients, and distribute patches, antivirus and anti-spyware software. It lets you block access or quarantine users who do not comply with your security requirements, thereby stopping viruses and worms at the edge of the network, before they can do harm.

Cisco NAC Appliance evaluates a client system when a user tries to access the network. Almost all aspects of Cisco NAC Appliance are configured and applied by user role and operating system. This allows you to customize Cisco NAC Appliance as appropriate for the types of users and devices that will be accessing your network. Cisco NAC Appliance provides three different methods for finding vulnerabilities on client systems and allowing users to fix vulnerabilities or install required packages:

• Cisco NAC Appliance Agent only (Cisco NAC Agent, Clean Access Agent, or Cisco NAC Web Agent)
• Network scanning only
• Agent with network scanning

    Summary Steps for Configuring Client Posture Assessment

The general summary of steps to configure client posture assessment in Cisco NAC Appliance is as follows:

Step 1 Download Updates.
    Retrieve general updates for the Agent(s) and other deployment elements. See Retrieving Cisco NAC Appliance Updates, page 10-8.

Step 2 Configure Agent-based access or network scanning per user role and OS in the General Setup tab.
    Require use of the Agent for a role, enable network scanning web pages for web login users, and block or quarantine users with vulnerabilities. See Client Login Overview, page 1-6.

Step 3 Configure the client posture assessment-related user roles with session timeout and traffic policies (in-band).
    Traffic policies for the quarantine role allow access to the User Agreement Page and web resources for quarantined users who failed network scanning. Traffic policies for the Agent Temporary role allow access to the resources from which the user can download required software packages. See Configure Policies for Agent Temporary and Quarantine Roles, page 9-18.

Step 4 Configure Agent-based posture assessment, network scanning, or both.
    • If configuring Agent Login. Require use of the Agent for the user role in the General Setup > Agent Login tab. Plan and define your requirements per user role. Configure AV Rules or create custom rules from checks. Map AV Rules to an AV Definition Update requirement, and/or map custom rules to a custom requirement (File Distribution/Link Distribution/Local Check). Map requirements to each user role. See Configuring Agent-Based Posture Assessment, page 10-33.
    • If configuring network scanning. Load Nessus plugins to the Clean Access Manager repository. To enable network scanning, select the Nessus plugins to participate in scanning, then configure scan result vulnerabilities for the user roles and operating systems. Customize the User Agreement page. See Network Scanning Implementation Steps, page 13-2. Note that the results of network scanning may vary due to the prevalence of personal firewalls which block any network scanning from taking place.

    Note The Cisco NAC Agent does not support Nessus-based network scanning.

Step 5 Test your configurations for user roles and operating systems by connecting to the untrusted network as a client.
    Monitor the Certified Devices List, Online Users page, and Event Logs during testing. Test network scanning by performing web login, checking the network scanning process, the logout page, and the associated client and administrator reports. Test the Agent by performing the initial web login and Agent download, login, Requirement checks and scanning, and view the associated client and administrator reports.

Step 6 If needed, manage the Certified Devices List by configuring other devices, such as floating or exempt devices.
    Floating devices must be certified at the start of every user session. Exempt devices are always excluded from Network Scanning (Nessus scans). See Manage Certified Devices, page 12-10.

For more information, see:

• Configuring Agent-Based Posture Assessment, page 10-33
• Network Scanning Implementation Steps, page 13-2

    Cisco NAC Appliance Agents

    Cisco NAC Agent

The Cisco NAC Agent provides local-machine Agent-based posture assessment and remediation for both 32- and 64-bit Windows operating systems and supports double-byte character formats that, along with full UTF-8 compliance, enable you to offer native client-side localization for a number of common languages. (For a list of supported languages, see Cisco NAC Agent XML Configuration File Settings, page 10-19.) Users must download and install the Agent, which allows for visibility into the host registry, process checking, application checking, and service checking. The Agent can be used to perform AV/AS definition updates, distribute files uploaded to the Clean Access Manager, or distribute links to websites in order for users to fix their systems.

Note There is no client firewall restriction with Cisco NAC Agent posture assessment. The Agent can check client registry, services, and applications even if a personal firewall is installed and running.

Cisco NAC Agent client machine login and session behavior is determined by settings specified in the NACAgentCFG.xml Agent configuration file, residing in the install directory on the client machine. (The default install directory on Windows XP is C:\Program Files\Cisco\Cisco NAC Agent\. However, you or the client machine user may specify a different directory.) You can customize the settings in the NACAgentCFG.xml file according