
Cisco Network Admission Control, Volume I: NAC Framework Architecture and Design PDF

263 Pages·2006·2.24 MB·English

Preview Cisco Network Admission Control, Volume I: NAC Framework Architecture and Design

Cisco Network Admission Control, Volume I: NAC Framework Architecture and Design
Denise Helfrich, Lou Ronnau, Jason Frazier, Paul Forbes

Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

Copyright © 2007 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
First Printing December 2006
Library of Congress Cataloging-in-Publication Number: 2005923482
ISBN: 1-58705-241-5

Warning and Disclaimer
This book is designed to provide information about Network Admission Control Framework Release 2 components and identifies steps to prepare, plan, and design NAC Framework. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419, [email protected]. For sales outside the U.S., please contact: International Sales, [email protected].

Publisher: Paul Boger
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Production Manager: Patrick Kanouse
Development Editor: Andrew Cupp
Project Editor: Jennifer Gallant
Copy Editor: John Edwards
Technical Editors: David Anderson, Darrin Miller, Ramakrishnan Rajamoni
Publishing Coordinator: Vanessa Evans
Book and Cover Designer: Louisa Adair
Composition: Mark Shirar
Indexer: Tim Wright
Proofreader: Water Crest Publishing, Inc.

About the Authors
Denise Helfrich is currently a technical program sales engineer developing and supporting global online labs for the Worldwide Sales Force Delivery. For the previous six years, she was a technical marketing engineer in the Access Router group, focusing on security for Cisco Systems. She is the author of many Cisco training courses, including Network Admission Control. She has been active in the voice/networking industry for over 20 years.

Lou Ronnau, CCIE No. 1536, is currently a technical leader in the Applied Intelligence group of the Customer Assurance Security Practice at Cisco Systems. He is the author of many Cisco solution guides along with Implementing Network Admission Control: Phase One Configuration and Deployment. He has been active in the networking industry for over 20 years, the last 12 years with Cisco Systems.

Jason Frazier is a technical leader in the Technology Systems Engineering group for Cisco Systems. He is a systems architect and one of the founders of Cisco's Identity-Based Networking Services (IBNS) strategy. Jason has authored many Cisco solution guides and often participates in industry forums such as Cisco Networkers. He has been involved with network design and security for seven years.

Paul Forbes is a technical marketing engineer in the Office of the CTO, within the Security Technology Group. His primary focus is on the NAC Partner Program, optimizing the integration between vendor applications and Cisco networking infrastructure. He is also active in other security architecture initiatives within the Office of the CTO. He has been active in the networking industry for ten years, as both a customer and working for Cisco.

About the Technical Reviewers
David Anderson, CCIE No. 7660, is an engineer in Cisco's Security Technology CTO Group. In his current role, he is working on next-generation security solutions for identity management, admission control, and security policy enforcement. He has worked on a variety of products and solutions during his seven years at Cisco. This work has included dial-access, disaster recovery, business continuance, application optimization, data center design, security architectures, and network admission control. David has authored and contributed to multiple design guides and white papers on these subjects. He has also presented these topics at conferences and forums in multiple countries. David currently holds both CCIE and CISSP certifications.

Darrin Miller is an engineer in Cisco's security technology group. Darrin is responsible for system-level security architecture. Darrin has worked primarily on policy-based admission and incident response programs within Cisco. Previous to that, Darrin has conducted security research in the areas of IPv6, SCADA, incident response, and trust models. This work has included protocol security analysis and security architectures for next-generation networks. Darrin has authored and contributed to several books and white papers on the subject of network security. Darrin has also spoken around the world at leading network security conferences on a variety of topics. Prior to his eight years at Cisco, Darrin held various positions in the network security community.

Ramakrishnan (Ramki) Rajamoni, CCIE No. 9016, is an engineer in Cisco's NSITE solution testing group. He has been associated with the Network Admission Control program since 2004. Previous to that, Ramki was involved with Cisco's IPsec and MPLS solutions. Prior to Cisco, Ramki held various positions in networking and customer support. In addition, Ramki has also authored and contributed to numerous works, and presented at various conferences on computer architecture.

Acknowledgments
The authors would like to give special recognition to Russell Rice for his vision, leadership, and drive to bring NAC from a concept into a real, viable solution across many Cisco product lines and technologies. Also many thanks to our technical editors David Anderson, Darrin Miller, and Ramki Rajamoni for providing their expert technical knowledge and precious time editing the book.

Denise Helfrich: I would like to thank Russell Rice for the opportunity to work on the initial NAC team to develop training for Cisco's global sales force. A special thanks to Steve Acheson, Lou Ronnau, Thomas Howard, David Anderson, Darrin Miller, Jon Woolwine, and Bob Gleichauf. These experts helped by sharing their knowledge and expertise, which allowed me to put their experiences to words that many could benefit from. Lastly but most importantly, thanks to my husband David for being supportive during the years of working many hours on NAC and writing chapters for this book.

Lou Ronnau: I would like to thank Steve, Denise, Jason, David, Thomas, Darrin, Paul, Brian, and Mits; working with these folks was one of the most enjoyable experiences of my time at Cisco. I also thank Russell Rice and Bob Gleichauf for the NAC vision and for listening to us, Susan Churillo for keeping us straight in the early days, and the entire team of NAC developers. I'd also like to thank my wife Veronica and son Benjamin for putting up with the long hours and travel this project took. Now it's time to spend some of those frequent-flier miles!

Jason Frazier: I would like to thank my wife Christy; you are the source of all that has and ever will be achievable for me. Your love and care have made all our successes possible. Our love will endure all things, and we will continue this journey together forever, sweetheart. From the bottom of my heart, thank you; I love you baby. IPPWRS. To my son Davis, I love you more than you will ever know. Your mother and I are the luckiest parents in the world. We are truly blessed. As you move through your life, know that we will always be there for you. Finally, to my friends and colleagues at Cisco, I have benefited from your continued support, guidance, and dedication. There are too many of you to list, and I truly thank you.

Paul Forbes: I would like to thank my coauthors, especially Denise for her patience and determination, as well as my immediate colleagues (Jason, Thomas, Darrin, David, Mits, Brian, Lou, and Russell) for their experience, talent, vision, and most of all, passion for the technology. I'd also like to thank my wife Kristen for her unwavering devotion and love. Lastly, I'd like to thank my parents for their contributions of wisdom and opportunities over the many years of my life.

Contents at a Glance
Introduction xv
Chapter 1 Network Admission Control Overview 3
Chapter 2 Understanding NAC Framework 23
Chapter 3 Posture Agents 55
Chapter 4 Posture Validation Servers 75
Chapter 5 NAC Layer 2 Operations 93
Chapter 6 NAC Layer 3 Operations 125
Chapter 7 Planning and Designing for Network Admission Control Framework 143
Chapter 8 NAC Now and Future Proof for Tomorrow 203
Appendix A Answers to Review Questions 215
Index 237

Contents
Introduction xv

Chapter 1 Network Admission Control Overview 3
  What Is Network Admission Control? 3
  Cisco NAC Technology Progression 4
  Accessing a Network That Does Not Implement NAC 5
  Accessing a NAC Network 6
  NAC Benefits 7
  NAC Framework Components 8
  NAC Framework Requirements 10
  NAD Requirements 10
  Router Support 11
  Switch Support 11
  VPN Concentrator Support 11
  Wireless Support 12
  Cisco Secure ACS Requirements 12
  Cisco Trust Agent Requirements 13
  Summary of Requirements 13
  NAC Framework Operational Overview 13
  NAC Framework Deployment Scenarios 16
  Summary 18
  Resources 19
  Review Questions 19

Chapter 2 Understanding NAC Framework 23
  NAC Framework Authorization Process 23
  Posture Token Types 26
  Using Information from the Host for the Admission Decision 28
  Host Credential Information 28
  Arbitrary Information Collection with Cisco Trust Agent Scripting 30
  Dealing with Hosts That Are Not NAC Capable 31
  Static Exemptions for NAH 31
  NAC Agentless Auditing 31
  NAC Modes of Operation 33
  NAC-L3-IP and NAC-L2-IP Overview 34
  NAC-L2-802.1X Overview 34
  NAC Communication Protocols 34
  EAP Primer 35
  Client-Side Front-End Protocols 35
  EAP over UDP (EoU) 36
  EAP over 802.1X (EAPo802.1X) 36
  RADIUS and EAP over RADIUS 36
  Server-Side Protocols 36
  Host Credential Authorization Protocol (HCAP) 36
  Generic Authorization Message Exchange (GAME) 37
  Vendor-Specific Out-of-Band Protocols 37
  NAC-L3-IP and NAC-L2-IP Posture Validation and Enforcement Process 37
  NAC-L3-IP and NAC-L2-IP Status Query 39
  NAC-L3-IP and NAC-L2-IP Revalidation 40
  NAC-L2-802.1X Identity with Posture Validation and Enforcement Process 41
  NAC Agentless Host Auditing Process 44
  Authorization and Enforcement Methods 47
  ACL Types 47
  PACL 47
  RACL 48
  VACL 48
  VLANs and Policy-Based ACLs (PBACLs) 48
  Cisco Trust Agent and Posture Plug-in Actions 48
  NAH and Exception Handling 49
  Summary 49
  Resource 50
  Review Questions 50

Chapter 3 Posture Agents 55
  Posture Agent Overview 55
  Cisco Trust Agent Architecture 57
  Posture Agent Plug-in Files 61
  Cisco Trust Agent Logging 62
  Operating System Support 62
  Posture Plug-in Functionality 64
  Vendor Application Example: Cisco Security Agent 66
  Cisco Trust Agent Protection 66

Description:
Cisco Network Admission Control Volume I: NAC Framework Architecture and Design   A guide to endpoint compliance enforcement   Today, a variety of security challenges affect all businesses regardless of size and location. Companies face ongoing challenges with the fight against malware such as wor