Cisco Network Admission Control, Volume II: NAC Network Deployment and Troubleshooting

Jazib Frahim, CCIE No. 5459
Omar Santos
David White, Jr., CCIE No. 12021

Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA

Cisco Network Admission Control, Volume II: NAC Framework Deployment and Troubleshooting
Jazib Frahim, CCIE No. 5459, Omar Santos, David White, Jr., CCIE No. 12021

Copyright © 2007 Cisco

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Library of Congress Catalog Card Number: 2004114756
Printed in the United States of America
First Printing November 2006
ISBN: 1-58705-225-3

Warning and Disclaimer

This book is designed to provide information about the Cisco NAC Framework. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the authors and are not necessarily those of Cisco.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information please contact:

U.S. Corporate and Government Sales
1-800-382-3419
[email protected]

For sales outside the U.S. please contact:

International Sales
[email protected]

Publisher: Paul Boger
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Production Manager: Patrick Kanouse
Development Editor: Andrew Cupp
Project Editor: Tonya Simpson
Copy Editor: Krista Hansing Editorial Services, Inc.
Technical Editors: Darrin Miller, John Stuppi
Publishing Coordinator: Vanessa Evans
Book Designer: Louisa Adair
Cover Designer: Louisa Adair
Composition: Carlisle Publishing Services
Proofreader: Chrissy White
Indexer: Julie Bess

About the Authors

Jazib Frahim, CCIE No. 5459, has been with Cisco Systems for more than seven years. With a Bachelor's degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer with the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. As a team leader, he led a team of 20 engineers in resolving complicated security and VPN technology issues.
Jazib is currently working as a Senior Network Security Engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus on network security. He holds two CCIEs, one in Routing and Switching and the other in Security. He also authored the Cisco Press book Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance (ISBN: 1-58705-209-1). Additionally, Jazib has written numerous Cisco online technical documents and has been an active member on Cisco's online forum, NetPro. He has presented at Networkers on multiple occasions and has taught many onsite and online courses to Cisco customers, partners, and employees. Jazib is currently pursuing a Master of Business Administration (MBA) degree from North Carolina State University.

Omar Santos is a Senior Network Security Consulting Engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He has more than 12 years of experience in secure data communications. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and Department of Defense (DoD). He is also the author of the Cisco Press book Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance (ISBN: 1-58705-209-1) and many Cisco online technical documents and configuration guidelines. Prior to his current role, he was a technical leader of Cisco's Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within the organization.
He is an active member of the InfraGard organization, a cooperative undertaking between the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law-enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructures of the United States of America. Omar has also delivered numerous technical presentations to Cisco customers, partners, and other organizations.

David White, Jr., CCIE No. 12021, has more than ten years of networking experience with a focus on network security. He is currently an Escalation Engineer in the Cisco TAC, where he has been for more than six years. In his role at Cisco, he is involved in new product design and implementation and is an active participant in Cisco documentation, both online and in print. David holds a CCIE in Security and is also NSA IAM certified. Before joining Cisco, David worked for the U.S. government, where he helped secure its worldwide communications network. He was born and raised in St. Petersburg, Florida, and received his Bachelor's degree in computer engineering from the Georgia Institute of Technology.

About the Technical Reviewers

Darrin Miller is an engineer in Cisco's security technology group. Darrin is responsible for system-level security architecture. He has worked primarily on policy-based admission and incident response programs within Cisco. Previous to that, Darrin conducted security research in the areas of IPv6, SCADA, incident response, and trust models. This work has included protocol security analysis and security architectures for next-generation networks. Darrin has authored and contributed to several books and whitepapers on the subject of network security. He has also spoken around the world at leading network security conferences on a variety of topics. Before his eight years at Cisco, Darrin held various positions in the network security community.

John Stuppi, CCIE No. 11154, is a Network Consulting Engineer for Cisco Systems. John is responsible for creating, testing, and communicating effective techniques using Cisco product capabilities to provide protection and mitigation options to Cisco customers facing current or expected security threats. John also advises Cisco customers on incident readiness and response methodologies and assists them in DoS and worm mitigation and preparedness. John is a CCIE and a CISSP, and he holds an Information Systems Security (INFOSEC) professional certification. In addition, John has a BSEE from Lehigh University and a Master of Business Administration degree from Rutgers University. John lives in Ocean Township, New Jersey, with his wife, Diane, and his two wonderful children, Thomas and Allison.

Dedications

I would like to dedicate this book to my parents, Frahim and Perveen, who support and encourage me in all of my endeavors. I would also like to dedicate it to my siblings, including my brother, Shazib; my sisters, Erum and Sana; my sister-in-law, Asiya; my cute nephew, Shayan; and my newborn niece, Shiza, for their patience and understanding during the development of this book.
—Jazib

I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book. I would also like to dedicate this book to my parents, Jose and Generosa. Without their knowledge, wisdom, and guidance, I would not have achieved many of my goals.
—Omar

I would like to dedicate this book to my wife, Holly, who has patiently put up with me (or the lack of me) during this writing process. And to our newborn son, Blake, who reminds us every day how much joy can be found in small things. I would also like to dedicate this to my loving parents, David and Connie, who have always supported me and pushed me to strive for perfection and to be the best I can be.
And to my sister, Patricia, who is a true genius and someone I have always looked up to. Finally, I would not be the person I am without the strong influence that Jimmy Collins, Art and Shirley Cheek, and Brenda Markland have had on my life. To each, I am eternally grateful.
—David

Acknowledgments

We would like to thank the technical editors, John Stuppi and Darrin Miller, for their time and technical expertise. They verified our work and provided recommendations on how to improve the quality of this manuscript. Special thanks go to Jay Biersbach for reviewing this book before final editing.

We would like to thank the Cisco Press team, especially Brett Bartow and Andrew Cupp, for their patience, guidance, and consideration. Their efforts are greatly appreciated.

Additionally, special thanks go to the NAC product and development teams, especially to Russell Rice, Jason Halpern, David Anderson, Thomas Gary Howard, and Darrin Miller for their unlimited support.

Many thanks to our managers, William Beach, Ken Cavanagh, Mike Stallings, and Joe Dallatore, for their continuous support throughout this project.

Finally, we would like to acknowledge the Cisco TAC. Some of the best and brightest minds in the networking industry work there, supporting our customers often under very stressful conditions and working miracles daily. They are truly unsung heroes, and we are all honored to have had the privilege of working side by side with them in the trenches of the TAC.
Contents at a Glance

Part I NAC Overview 3
Chapter 1 NAC Solution and Technology Overview 5
Part II Configuration Guidelines 27
Chapter 2 Cisco Trust Agent 29
Chapter 3 Cisco Secure Services Client 91
Chapter 4 Configuring Layer 2 NAC on Network Access Devices 123
Chapter 5 Configuring Layer 3 NAC on Network Access Devices 155
Chapter 6 Configuring NAC on Cisco VPN 3000 Series Concentrators 175
Chapter 7 Configuring NAC on Cisco ASA and PIX Security Appliances 211
Chapter 8 Cisco Secure Access Control Server 241
Chapter 9 Cisco Security Agent 323
Chapter 10 Antivirus Software Integration 343
Chapter 11 Audit Servers 355
Chapter 12 Remediation 381
Part III Deployment Scenarios 393
Chapter 13 Deploying and Troubleshooting NAC in Small Businesses 395
Chapter 14 Deploying and Troubleshooting NAC in Medium-Size Enterprises 419
Chapter 15 Deploying and Troubleshooting NAC in Large Enterprises 451
Part IV Managing and Monitoring NAC 479
Chapter 16 NAC Deployment and Management Best Practices 481
Chapter 17 Monitoring the NAC Solution Using the Cisco Security Monitoring, Analysis, and Response System 497
Part V Appendix 543
Appendix A Answers to Review Questions 545

Contents

Foreword xxi
Introduction xxii

Part I NAC Overview 3

Chapter 1 NAC Solution and Technology Overview 5
    Network Admission Control 5
        NAC: Phase I 7
        NAC: Phase II 9
        Periodic Revalidation 11
        NAC Agentless Hosts 11
        NAC Program Participants 12
    Components That Make Up the NAC Framework Solution 12
        Cisco Trust Agent 12
        Cisco Security Agent 14
        Network-Access Devices 15
            Cisco IOS Router 16
            Cisco Catalyst Switch Running Cisco IOS or CAT OS 17
            Cisco VPN 3000 Series Concentrator 20
            Cisco ASA 5500 Series Adaptive Security Appliance and PIX 500 Series Security Appliance 21
            Cisco Wireless Devices 21
        Cisco Secure Access Control Server 22
        Event Monitoring, Analysis, and Reporting 23
    Summary 24
    Review Questions 24

Part II Configuration Guidelines 27

Chapter 2 Cisco Trust Agent 29
    Preparing for Deployment of CTA 30
        Supported Operating Systems 31
        Minimum System Requirements 32
        Installation Packages and Files 32
    Deploying CTA in a Lab Environment 34
        CTA Windows Installation 34
        CTA Windows Installation with the 802.1X Wired Supplicant 35
            Installing the CTA Admin 802.1X Wired Client 35
            Creating a Customized Deployment Package 36
            Installing the Customized CTA 802.1X Wired Windows Client 41
        CTA Mac Installation 42
            Extracting the Installation Disk Image 43
            Installing CTA on Mac OS X Using the Installation Wizard 43
        CTA Linux Installation 45
        Installing the CA Certificate 46
            Installing a CA Certificate (or ACS Self-Signed Certificate) on Windows 46
            Installing a CA Certificate (or ACS Self-Signed Certificate) on Mac OS X 47
            Installing a CA Certificate (or ACS Self-Signed Certificate) on Linux 47
            Post-Certificate Installation Tasks 47
        User Notifications 48
        Customizing CTA with the Optional ctad.ini File 48
            [main] Section 49
            [EAPoUDP] Section 51
            [UserNotifies] Section 51
            [ServerCertDNVerification] Distinguished Name-Matching Section 53
            [Scripting_Interface] Section 55
            Example ctad.ini 55
        CTA Scripting Interface 57
            Requirements for Using the Scripting Interface 58
            Step 1: Create a Posture Data File 58
            Step 2: Create an .inf File 60
            Step 3: Add Attributes to ACS Dictionary 61
            Executing the Scripting Interface 62
        CTA Logging Service 63
            Creating a ctalogd.ini File 64
            Using the clogcli Utility 68
    Deploying CTA in a Production Network 70
        Deploying CTA on Windows 72
        Deploying CTA on Mac OS X 75
        Deploying CTA on Linux 76
    Troubleshooting CTA 77
        Installation Issues 77
        Communication Issues 78
        System Logs 80
        CTA Client Fails to Receive a Posture Token 81
        CTA 802.1X Wired Client 82
            CTA Wired Client System Report Utility 82
            Viewing the Client Logs and Connection Status in Real Time 85
            Client Icon Does Not Appear in System Tray 85
            Client GUI Does Not Start 85