Cisco NAC Appliance: Enforcing Host Security with Clean Access

Chad Sullivan, Jamey Heary, Alok Agrawal, Jerry Lin

  • Publisher: Cisco Press
  • Publication date: 2007-07-01
  • List price: $2,230
  • VIP price: $2,119 (95% of list)
  • Language: English
  • Pages: 576
  • Binding: Paperback
  • ISBN: 1587053063
  • ISBN-13: 9781587053061
  • Related categories: Cisco, Information Security
  • Ordered from the supplier after purchase (about 2 to 4 weeks)




Cisco NAC Appliance

Enforcing Host Security with Clean Access


Authenticate, inspect, remediate, and authorize end-point devices using Cisco NAC Appliance


Jamey Heary, CCIE® No. 7680

Contributing authors: Jerry Lin, CCIE No. 6469,

Chad Sullivan, CCIE No. 6493, and Alok Agrawal


With today's security challenges and threats growing more sophisticated, perimeter defense alone is no longer sufficient. Few organizations are closed entities with well-defined security perimeters, which has led to the creation of perimeterless networks with ubiquitous access. Organizations need to have internal security systems that are more comprehensive, pervasive, and tightly integrated than in the past.


Cisco® Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access, provides a powerful host security policy inspection, enforcement, and remediation solution that is designed to meet these new challenges. Cisco NAC Appliance allows you to enforce host security policies on all hosts (managed and unmanaged) as they enter the interior of the network, regardless of their access method, ownership, device type, application set, or operating system. Cisco NAC Appliance provides proactive protection at the network entry point.


This book, Cisco NAC Appliance, provides you with all the information needed to understand, design, configure, deploy, and troubleshoot the Cisco NAC Appliance solution. You will learn about all aspects of the NAC Appliance solution, including configuration and best practices for design, implementation, troubleshooting, and creating a host security policy.


Jamey Heary, CCIE® No. 7680, is a security consulting systems engineer at Cisco, where he works with its largest customers in the northwest United States. Jamey joined Cisco in 2000 and currently leads its Western Security Asset team and is a field advisor for its U.S. Security Virtual team. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP®, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. He has been working in the IT field for 13 years and in IT security for 9 years.


  • Understand why network attacks and intellectual property losses can originate from internal network hosts
  • Examine different NAC Appliance design options
  • Build host security policies and assign the appropriate network access privileges for various user roles
  • Streamline the enforcement of existing security policies with the concrete measures NAC Appliance can provide
  • Set up and configure the NAC Appliance solution
  • Learn best practices for the deployment of NAC Appliance
  • Monitor, maintain, and troubleshoot the Cisco NAC Appliance solution


This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.


Category: Cisco Press–Security

Covers: End-Point Security

Table of Contents

Introduction xxii

Part I The Host Security Landscape 3

Chapter 1 The Weakest Link: Internal Network Security 5

Security Is a Weakest-Link Problem 6

Hard Outer Shell with a Chewy Inside: Dealing with Internal Security Risks 7

The Software Update Race: Staying Ahead of Viruses, Worms, and Spyware 9

Summary 10

Chapter 2 Introducing Cisco Network Admission Control Appliance 13

Cisco NAC Approaches 13

    NAC as an Appliance 13

    NAC as an Embedded Solution 15

    Cisco NAC Integrated Implementation 16

Cisco NAC Appliance Overview 16

Cisco NAC Return on Investment 17

Summary 18

Part II The Blueprint: Designing a Cisco NAC Appliance Solution 21

Chapter 3 The Building Blocks in a Cisco NAC Appliance Design 23

Cisco NAC Appliance Solution Components 23

    Cisco NAC Appliance Manager 24

    Cisco NAC Appliance Server 25

    Cisco Clean Access Agent 28

    Cisco NAC Appliance Network Scanner 29

Cisco NAC Appliance Minimum Requirements 30

    Cisco NAC Appliance Manager and Server Requirements 31

    Cisco Clean Access Agent Requirements 32

Scalability and Performance of Cisco NAC Appliance 33

Summary 33

Chapter 4 Making Sense of All the Cisco NAC Appliance Design Options 35

NAC Design Considerations 35

    Single-Sign-On Capabilities 36

    In-Band Versus Out-of-Band Overview 36

    Layer 2 Versus Layer 3 Client Adjacency Overview 37

    Virtual Gateway Versus Real IP Gateway Overview 37

Deployment Options 38

    How to Choose a Client/Server Adjacency Mode 39

        Layer 2 Mode 40

        Layer 3 Mode 40

        Layer 2 Strict Mode for Clean Access Agent 41

    How to Choose a Network Mode 42

        Virtual Gateway Mode 42

        Real IP Gateway Mode 43

In-Band Mode 43

    The Certification Process in In-Band Mode 44

    Certification Steps for Host with Clean Access Agent 44

        Steps for Client to Acquire an IP Address 44

        Clean Access Agent Authentication Steps 45

        Clean Access Agent Host Security Posture Assessment Steps 45

        Clean Access Agent Network Scanner Steps 46

        Agent Post-Certification Steps 47

    Login Steps for Host Using Web Login (No Clean Access Agent) 47

        Web Login Authentication Steps 48

        Web Login Network Scanning Steps 48

        Post-Web Login Steps 50

    Advantages of Using In-Band Mode 50

    Disadvantages of Using In-Band Mode 51

    Where You Can Use In-Band Mode 51

Out-of-Band Mode 52

    How the Adjacency Mode Affects Out-of-Band Operation 56

        Layer 3 Out-of-Band Traffic Control Methods 58

    How the Network Mode Affects Out-of-Band Operation 65

    Login Steps with OOB in L2 Adjacency, Virtual Gateway Mode 68

        Initial Steps for OOB Clients 69

        Clean Access Agent Authentication Steps in OOB 71

        Agent Host Security Posture Assessment Steps for OOB 71

        Agent Post-Certification Steps for OOB 72

    Login Steps for OOB in L3 Adjacency, Real IP Mode 73

        Initial Client Steps for L3 OOB 74

        Steps to Obtain an IP Address in L3 OOB 74

        Client Authentication and PBR Steps in L3 OOB 75

        Client Certification and Post-Certification Steps in L3 OOB 76

    Advantages of Using Out-of-Band Mode 77

    Disadvantage of Using Out-of-Band Mode 78

    Where You Can Use Out-of-Band Mode and Where You Cannot 78

    Switches Supported by NAC Appliance Out-of-Band 78

Clean Access Agent and Web Login with Network Scanner 81

Summary 85

Chapter 5 Advanced Cisco NAC Appliance Design Topics 87

External Authentication Servers 87

    Mapping Users to Roles Using Attributes or VLAN IDs 89

    MAC Address Authentication Filters 92

Single Sign-On 93

    Active Directory SSO 93

        Active Directory SSO Prerequisites 94

        How Active Directory SSO Works 94

    VPN SSO 96

        VPN SSO Prerequisites 96

        How VPN SSO Works 96

    Cisco Wireless SSO 99

        Cisco Wireless SSO Prerequisites 99

        How Cisco Wireless SSO Works 99

NAC Appliance and IP Telephony Integration 101

    IP Telephony Best Practices for In-Band Mode 101

    IP Telephony Best Practices for Out-of-Band Mode 102

High Availability and Load Balancing 104

    High Availability 106

        Stateful Failover of NAC Appliance Manager 107

        Stateful Failover of NAC Appliance Server 108

        Fallback Feature on NAC Appliance Server 109

        Spanning Tree N+1 110

    Load Balancing 112

        Cisco Content Switching Module or Standalone Content Services Switch 113

        NAC Appliance Server Load Balancing Using Policy-Based Routing 116

Summary 118

Part III The Foundation: Building a Host Security Policy 121

Chapter 6 Building a Cisco NAC Appliance Host Security Policy 123

What Makes Up a Cisco NAC Appliance Host Security Policy? 123

    Host Security Policy Checklist 124

    Involving the Right People in the Creation of the Host Security Policy 124

Determining the High-Level Goals for Host Security 126

    Common High-Level Host Security Goals 127

Defining the Security Domains 129

Understanding and Defining NAC Appliance User Roles 132

    Built-In User Roles 133

        Unauthenticated Role 134

        Normal Login Role 134

        Temporary Role 134

        Quarantine Role 135

    Commonly Used Roles and Their Purpose 136

Establishing Acceptable Use Policies 138

Checks, Rules, and Requirements to Consider 143

    Sample HSP Format for Documenting NAC Appliance Requirements 148

    Common Checks, Rules, and Requirements 149

    Method for Adding Checks, Rules, and Requirements 150

        Research and Information 150

        Establishing Criteria to Determine the Validity of a Security Check, Rule, or Requirement in Your Organization 152

        Method for Determining Which User Roles a Particular Security Requirement Should Be Applied To 153

        Method for Deploying and Enforcing Security Requirements 153

Defining Network Access Privileges 154

    Enforcement Methods Available with NAC Appliance 155

    Commonly Used Network Access Policies 156

Summary 160

Part IV Cisco NAC Appliance Configuration 163

Chapter 7 The Basics: Principal Configuration Tasks for the NAM and NAS 165

Understanding the Basic Cisco NAC Appliance Concepts 165

NAM Overview 166

    NAM Hardware Installation Requirements 166

    NAM Software Installation Requirements 166

    How to Connect NAM 166

    Performing Initial NAM Configurations 167

    NAC Licensing 172

    NAM GUI Description 173

NAS Overview 175

    NAS Hardware Installation Requirements 175

    NAS Software Installation Requirements 176

    NAS Software License Requirement 176

    How to Connect NAS 176

    Performing Initial NAS Configurations 176

    NAS GUI Description 179

Configuring NAS Deployment Mode 182

    In-Band Deployment Options 182

    Out-of-Band Deployment Options 186

Understanding NAS Management Within the NAM GUI 186

    Global Versus Local Settings 187

        Global Settings 187

        Local NAS Settings 193

Adding Additional NAS Appliances 201

Summary 201

Chapter 8 The Building Blocks: Roles, Authentication, Traffic Policies, and User Pages 203

Configuring User Roles 203

    Creating Custom Roles 203

    Editing or Deleting a Custom Role 206

Configuring Role Assignment 207

    Creating a Local User and Assigning a Role 207

    Assigning a Role by VLAN 209

    Assigning a Role by MAC and IP Address 213

    Assigning a Role by Subnet 217

    Assigning a Role by External Authentication Source Attributes 219

    Role Mapping Summary 219

Configuring Authentication 220

    Creating Admin Users and Groups 220

        Creating an Admin Group 220

        Creating an Admin User 222

    Adding External Authentication Sources 222

        Adding a RADIUS External Authentication Source 223

        Adding an LDAP/AD External Authentication Source 224

Configuring and Creating Traffic Policies 226

    IP-Based Traffic Control Policy 227

    Host-Based Traffic Control Policy 229

    Bandwidth Policies 230

Customizing User Pages and Guest Access 232

    Login Pages 232

    Guest Access 236

    API for Guest Access 236

Summary 237

Chapter 9 Host Posture Validation and Remediation: Cisco Clean Access Agent and Network Scanner 239

Understanding Cisco NAC Appliance Setup 239

    Cisco NAC Appliance Updates 240

    General Setup 242

        Web Login 242

        Agent Login 243

    Certified Devices 245

        Certified List 245

        Add Exempt Device 246

        Add Floating Device 246

        Timer 249

Cisco Clean Access Agent 250

    Agent Installation Process 250

        Sample Agent Installation 251

        Agent Distribution 255

        Alternative Agent Installation Methods 257

Agent Policy Enforcement 258

    Requirements, Rules, and Checks 258

        Creating and Enforcing a Requirement 258

        Creating Checks 264

        Creating a Custom Rule 266

Network Scanning 266

    Nessus Plug-Ins 266

    Scanning Setup 267

    Vulnerability Handling 269

    User Agreement Configuration 271

    Testing the Scanning Setup 271

Summary 273

Chapter 10 Configuring Out-of-Band 275

Out-of-Band Overview and Design 275

    User Access Method 275

    Switch Support 275

    Central Deployment Mode or Edge Deployment Mode 276

    Layer 2 or Layer 3 276

    Gateway Mode for NAC Appliance Server 276

    Simple Network Management Protocol Trap to Trigger the NAC Process 277

    Port-Based VLAN Assignment or User Role-Based VLAN Assignment 278

Sample Design and Configuration for Layer 2 Out-of-Band Deployment 278

    Step 1: Configuring the Switch 279

        Configuring VLAN Trunking Protocol and VLANs 279

        Configuring SVIs 280

        Configuring the Switch as a DHCP Server 281

        Configuring Fa1/0/1: The Interface Connecting the NAC Appliance Manager eth0 Port 282

        Configuring Fa1/0/3: The Interface Connecting the Trusted Port (eth0) of NAC Appliance Server 282

        Configuring Fa1/0/4: The Interface Connecting the Untrusted Port (eth1) of NAC Appliance Server 283

        Configuring Fa1/0/5: The Interface Connecting the Host 283

        Configuring Simple Network Management Protocol 283

    Step 2: Configuring NAC Appliance Manager 284

    Step 3: Configuring NAC Appliance Server 286

    Step 4: Logging In to NAC Appliance Manager 288

    Step 5: Adding NAC Appliance Server to NAC Appliance Manager 289

    Step 6: Editing Network Settings on NAC Appliance Server 290

    Step 7: Configuring VLAN Mapping 291

    Step 8: Configuring Managed Subnets 292

    Step 9: Configuring a Switch Group 293

    Step 10: Configuring a Switch Profile 294

    Step 11: Configuring a Port Profile 295

    Step 12: Configuring the SNMP Receiver 296

    Step 13: Adding a Switch to NAC Appliance Manager 297

    Step 14: Configuring Ports to Be Managed by NAC 298

    Step 15: Configuring User Roles 299

    Step 16: Configuring User Authentication on the Local Database 303

    Step 17: Testing Whether OOB and User Role-Based VLAN Assignment Works 304

Sample Design and Configuration for Layer 3 Out-of-Band Deployment 310

    Step 1: Configuring the Switches 311

        Configuring the Central Switch 311

        Configuring the Edge Switch 313

    Step 2: Configuring NAC Appliance Manager 318

    Step 3: Configuring NAC Appliance Server 319

    Step 4: Logging In to NAC Appliance Manager 322

    Step 5: Adding NAC Appliance Server to NAC Appliance Manager 322

    Step 6: Editing Network Settings on NAC Appliance Server 323

    Step 7: Configuring Static Routes 324

    Step 8: Configuring a Switch Group 325

    Step 9: Configuring a Switch Profile 326

    Step 10: Configuring a Port Profile 326

    Step 11: Configuring the SNMP Receiver 328

    Step 12: Adding the Switch to NAC Appliance Manager 328

    Step 13: Configuring Ports to Be Managed by NAC Appliance 330

    Step 14: Configuring User Roles 331

    Step 15: Configuring User Authentication on the Local Database 334

    Step 16: Changing the Discovery Host 335

    Step 17: Configuring the Web Login Page 336

    Step 18: Testing Whether OOB and User Role-Based VLAN Assignment Works 337

    Additional Out-of-Band Considerations 342

Summary 343

Chapter 11 Configuring Single Sign-On 345

Active Directory Single Sign-On Overview 345

Supported Devices for AD SSO 345

Basic AD SSO Configuration Steps 346

Configuring Single Sign-On for Windows AD 347

    NAM Configuration 348

    NAS Configuration 349

    Layer 3 3550 Core Switch Configuration 352

    3500XL Edge Layer 2 Switch Configuration 354

    Active Directory or Domain Controller Configuration 355

    Beginning Overall Setup 356

        Adding an AD Server as an AD SSO Auth Server 357

        Configuring Traffic Policies and Ports in the Unauthenticated Role for AD Authentication 358

        Configuring AD SSO Settings in NAS 359

        Configuring the AD Server and Running the ktpass Command 360

    Enabling Agent-Based Windows AD SSO 364

    Enabling GPO Updates 364

    (Optional) Adding LDAP Lookup Server to Map Users to Multiple Roles 366

        LDAP Browser (Not Required but Very Helpful) 366

        Configuring LDAP Lookup Server in NAM 368

        User Attributes in Active Directory 370

        Enabling DHCP in NAS 379

        Enabling User Login Pages in NAM 382

        NAC Agent Download and Login 382

Configuring Single Sign-On for VPN 386

    ACS Setup 388

    ASA-5510 VPN Setup 388

        Configuring NAS to Support VPN SSO 393

Configuring Single Sign-On for Cisco Wireless LAN Controller 398

    ACS Server Setup 399

    WLC Setup 399

    NAM/NAS Setup 402

Summary 403

Chapter 12 Configuring High Availability 405

High Availability on NAC Appliance Manager 405

High Availability on NAC Appliance Server 408

Example of a High Availability Configuration for NAC Appliance Manager and Server 411

    Adding NAC Appliance Managers in High Availability Mode 412

        Adding a CA-Signed Certificate to the Primary NAC Appliance Manager 413

        Generating a Self-Signed Temporary Certificate on the Primary NAC Appliance Manager 414

        Adding a Certificate to the Secondary NAC Appliance Manager 415

        Configuring High Availability for NAC Appliance Managers 416

    Adding NAC Appliance Servers in High Availability Mode 418

        Configuring the eth2 Interfaces 419

        Configuring the Primary Server for High Availability 420

        Configuring the Secondary Server for High Availability 429

        Setting Up DHCP Failover on NAC Appliance Servers 438

        Troubleshooting HA 440

Summary 440

Part V Cisco NAC Appliance Deployment Best Practices 443

Chapter 13 Deploying Cisco NAC Appliance 445

Pre-Deployment Phase 446

    Executive Summary 447

    Scope 447

    Vision 448

        NAC Appliance Overview (Diagram) 448

        Host Security Policy 448

        Business Drivers for Deployment 448

        Deployment Schedule 449

        Resources 449

        New Equipment 451

        Support Plan 451

        Communication Plan 451

        Cisco NAC Appliance Training 451

Deployment Plan Overview 452

Proof of Concept Phase 454

Pilot Phase 455

Production Deployment Phases 456

    Production Deployment Phase 1: Initial Introduction to User Community 456

    Production Deployment Phase 2: Implementing Host Security Policy Checks Without Enforcement 457

    Production Deployment Phase 3: Host Security Policy Enforcement 458

Summary 459

Part VI Cisco NAC Appliance Monitoring and Troubleshooting 461

Chapter 14 Understanding Cisco NAC Appliance Monitoring 463

Understanding the Various Monitoring Pages and Event Logs 463

    Summary Page 463

    Discovered Clients and Online Users Pages 465

        Discovered Clients Page 466

        Online Users Page 467

    Event Logs 470

        Understanding and Changing Logging Levels of NAC Appliance 474

    SNMP 477

Understanding Monitoring of Web Login and Clean Access Agents 480

    Clean Access Agent Reports 480

    Certified List 484

        Manually and Automatically Clearing the Certified List 486

        Requiring Certification for Every Login 488

        Summary of the Behavior of the Certified List 490

Monitoring the Status of NAC Appliance Manager and NAC Appliance Servers 490

    Manager and Server Monitoring Using the Linux CLI 491

    Manager and Server Monitoring Using the Web GUI 492

Summary 493

Chapter 15 Troubleshooting Cisco NAC Appliance 495

Licensing Issues 495

Adding NAS to NAM 496

Policy Issues 498

Agent Issues 500

Out-of-Band Issues 504

Single Sign-On Issues 509

    AD SSO 509

    VPN and Wireless SSO 512

High Availability Issues 513

Useful Logs 516

    NAM Logs 516

    NAS Logs 516

    Additional Logs 517

Common Issues Encountered by the Help Desk in the First 30 Days 517

    Users Not Being Able to Get a Web Login Page, or the NAC Appliance Agent Not Popping 518

    Users Not Being Able to Authenticate 518

    Users Getting Stuck in the Quarantine or Temporary Role 519

    Users Not Being Put in the Correct VLAN or Not Getting Access to Certain Resources 520

Summary 521

Appendix Sample User Community Deployment Messaging Material 523

Sample NAC Appliance Requirement Change Notification E-Mail 523

Sample NAC Appliance Notice for Bulletin Board or Poster 524

Sample NAC Appliance Letter to Students 526

Index 528