Cisco Network Admission Control,
Volume II:
NAC Network Deployment
and Troubleshooting
Jazib Frahim, CCIE No. 5459, Omar Santos, David White, Jr.,
CCIE No. 12021
Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA
Cisco Network Admission Control, Volume II
NAC Framework Deployment and Troubleshooting
Jazib Frahim, CCIE No. 5459, Omar Santos, David White, Jr., CCIE No. 12021
Copyright © 2007 Cisco
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Library of Congress Catalog Card Number: 2004114756
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing November 2006
ISBN: 1-58705-225-3
Warning and Disclaimer
This book is designed to provide information about the Cisco NAC Framework. Every effort has been made to make
this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco shall have neither liability nor
responsibility to any person or entity with respect to any loss or damages arising from the information contained in
this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted
with care and precision, undergoing rigorous development that involves the unique expertise of members from the
professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could
improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at
feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.
For more information please contact: U.S. Corporate and Government Sales 1-800-382-3419
corpsales@pearsontechgroup.com
For sales outside the U.S. please contact: International Sales international@pearsoned.com
Publisher Paul Boger
Cisco Representative Anthony Wolfenden
Cisco Press Program Manager Jeff Brady
Executive Editor Brett Bartow
Production Manager Patrick Kanouse
Development Editor Andrew Cupp
Project Editor Tonya Simpson
Copy Editor Krista Hansing Editorial Services, Inc.
Technical Editors Darrin Miller
John Stuppi
Publishing Coordinator Vanessa Evans
Book Designer Louisa Adair
Cover Designer Louisa Adair
Composition Carlisle Publishing Services
Proofreader Chrissy White
Indexer Julie Bess
About the Authors
Jazib Frahim, CCIE No. 5459, has been with Cisco Systems for more than seven years. With a Bachelor’s degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer with the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. As a team leader, he led a team of 20 engineers in resolving complicated security and VPN technologies. Jazib is currently working as a Senior Network Security Engineer in the Worldwide Security Services Practice of Cisco’s Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus in network security. He holds two CCIEs, one in Routing and Switching and the other in Security. He also authored the Cisco Press book Cisco ASA: All-in-one Firewall, IPS, and VPN Adaptive Security Appliance (ISBN: 1-58705-209-1). Additionally, Jazib has written numerous Cisco online technical documents and has been an active member on Cisco’s online forum, NetPro. He has presented at Networkers on multiple occasions and has taught many onsite and online courses to Cisco customers, partners, and employees.
Jazib is currently pursuing a Master of Business Administration (MBA) degree from North Carolina
State University.
Omar Santos is a Senior Network Security Consulting Engineer in the Worldwide Security Services
Practice of Cisco’s Advanced Services for Network Security. He has more than 12 years of experience
in secure data communications. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and Department of Defense (DoD). He is also the author of the Cisco Press book Cisco ASA: All-in-one Firewall, IPS, and VPN Adaptive Security Appliance (ISBN: 1-58705-209-1) and many Cisco online technical documents and configuration guidelines. Prior to his current role, he was a technical leader of Cisco’s Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within the organization. He is an active member of the InfraGard organization, a cooperative
undertaking between the Federal Bureau of Investigation and an association of businesses, academic
institutions, state and local law-enforcement agencies, and other participants that are dedicated to
increasing the security of the critical infrastructures of the United States of America. Omar has also
delivered numerous technical presentations to Cisco customers, partners, and other organizations.
David White, Jr., CCIE No. 12021, has more than ten years of networking experience with a focus on
network security. He is currently an Escalation Engineer in the Cisco TAC, where he has been for more
than six years. In his role at Cisco, he is involved in new product design and implementation and is an
active participant in Cisco documentation, both online and in print. David holds a CCIE in Security and
is also NSA IAM certified. Before joining Cisco, David worked for the U.S. government, where he
helped secure its worldwide communications network. He was born and raised in St. Petersburg,
Florida, and received his Bachelor’s degree in computer engineering from the Georgia Institute of
Technology.
About the Technical Reviewers
Darrin Miller is an engineer in Cisco's security technology group. Darrin is responsible for system-
level security architecture. He has worked primarily on policy-based admission and incident response
programs within Cisco. Previous to that Darrin conducted security research in the areas of IPv6,
SCADA, incident response, and trust models. This work has included protocol security analysis and
security architectures for next-generation networks. Darrin has authored and contributed to several
books and whitepapers on the subject of network security. He has also spoken around the world at leading network security conferences on a variety of topics. Before his eight years at Cisco, Darrin held various positions in the network security community.
John Stuppi, CCIE No. 11154, is a Network Consulting Engineer for Cisco Systems. John is responsible for creating, testing, and communicating effective techniques using Cisco product capabilities to provide protection and mitigation options to Cisco customers facing current or expected security threats. John also advises Cisco customers on incident readiness and response methodologies and assists them in DoS and worm mitigation and preparedness. John is a CCIE and a CISSP, and he holds an Information Systems Security (INFOSEC) professional certification. In addition, John has a BSEE from Lehigh
University and a Master of Business Administration degree from Rutgers University. John lives in
Ocean Township, New Jersey, with his wife, Diane, and his two wonderful children, Thomas
and Allison.
Dedications
I would like to dedicate this book to my parents, Frahim and Perveen, who support and encourage me in
all of my endeavors. I would also like to dedicate it to my siblings, including my brother, Shazib; my
sisters, Erum and Sana; my sister-in-law, Asiya; and my cute nephew, Shayan; and my newborn niece,
Shiza, for their patience and understanding during the development of this book.
—Jazib
I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah
and Derek, who have inspired and supported me throughout the development of this book. I would also
like to dedicate this book to my parents, Jose and Generosa. Without their knowledge, wisdom, and
guidance, I would not have achieved many of my goals.
—Omar
I would like to dedicate this book to my wife, Holly, who has patiently put up with me (or the lack of
me) during this writing process. And to our newborn son, Blake, who reminds us every day how much
joy can be found in small things.
I would also like to dedicate this to my loving parents, David and Connie, who have always supported
me and pushed me to strive for perfection and to be the best I can be. And to my sister, Patricia, who is a
true genius and someone I have always looked up to.
Finally, I would not be the person I am without the strong influence that Jimmy Collins, Art and Shirley
Cheek, and Brenda Markland have had on my life. To each, I am eternally grateful.
—David
Acknowledgments
We would like to thank the technical editors, John Stuppi and Darrin Miller, for their time and technical
expertise. They verified our work and provided recommendations on how to improve the quality of this
manuscript. Special thanks go to Jay Biersbach for reviewing this book before final editing.
We would like to thank the Cisco Press team, especially Brett Bartow and Andrew Cupp, for their
patience, guidance, and consideration. Their efforts are greatly appreciated.
Additionally, special thanks go to the NAC product and development teams, especially to Russell Rice,
Jason Halpern, David Anderson, Thomas Gary Howard, and Darrin Miller for their unlimited support.
Many thanks to our managers, William Beach, Ken Cavanagh, Mike Stallings, and Joe Dallatore, for
their continuous support throughout this project.
Finally, we would like to acknowledge the Cisco TAC. Some of the best and brightest minds in the networking industry work there, supporting our customers often under very stressful conditions and working miracles daily. They are truly unsung heroes, and we are all honored to have had the privilege of working side by side with them in the trenches of the TAC.
Contents at a Glance
Part I NAC Overview 3
Chapter 1 NAC Solution and Technology Overview 5
Part II Configuration Guidelines 27
Chapter 2 Cisco Trust Agent 29
Chapter 3 Cisco Secure Services Client 91
Chapter 4 Configuring Layer 2 NAC on Network Access Devices 123
Chapter 5 Configuring Layer 3 NAC on Network Access Devices 155
Chapter 6 Configuring NAC on Cisco VPN 3000 Series Concentrators 175
Chapter 7 Configuring NAC on Cisco ASA and PIX Security Appliances 211
Chapter 8 Cisco Secure Access Control Server 241
Chapter 9 Cisco Security Agent 323
Chapter 10 Antivirus Software Integration 343
Chapter 11 Audit Servers 355
Chapter 12 Remediation 381
Part III Deployment Scenarios 393
Chapter 13 Deploying and Troubleshooting NAC in Small Businesses 395
Chapter 14 Deploying and Troubleshooting NAC in Medium-Size Enterprises 419
Chapter 15 Deploying and Troubleshooting NAC in Large Enterprise 451
Part IV Managing and Monitoring NAC 479
Chapter 16 NAC Deployment and Management Best Practices 481
Chapter 17 Monitoring the NAC Solution Using the Cisco Security Monitoring, Analysis, and Response System 497
Part V Appendix 543
Appendix A Answers to Review Questions 545
Contents
Foreword xxi
Introduction xxii
Part I NAC Overview 3
Chapter 1 NAC Solution and Technology Overview 5
Network Admission Control 5
NAC: Phase I 7
NAC: Phase II 9
Periodic Revalidation 11
NAC Agentless Hosts 11
NAC Program Participants 12
Components That Make Up the NAC Framework Solution 12
Cisco Trust Agent 12
Cisco Security Agent 14
Network-Access Devices 15
Cisco IOS Router 16
Cisco Catalyst Switch Running Cisco IOS or CAT OS 17
Cisco VPN 3000 Series Concentrator 20
Cisco ASA 5500 Series Adaptive Security Appliance and PIX 500 Series Security Appliance 21
Cisco Wireless Devices 21
Cisco Secure Access Control Server 22
Event Monitoring, Analysis, and Reporting 23
Summary 24
Review Questions 24
Part II Configuration Guidelines 27
Chapter 2 Cisco Trust Agent 29
Preparing for Deployment of CTA 30
Supported Operating Systems 31
Minimum System Requirements 32
Installation Packages and Files 32
Deploying CTA in a Lab Environment 34
CTA Windows Installation 34
CTA Windows Installation with the 802.1X Wired Supplicant 35
Installing the CTA Admin 802.1X Wired Client 35
Creating a Customized Deployment Package 36
Installing the Customized CTA 802.1X Wired Windows Client 41
CTA Mac Installation 42
Extracting the Installation Disk Image 43
Installing CTA on Mac OS X Using the Installation Wizard 43
CTA Linux Installation 45
Installing the CA Certificate 46
Installing a CA Certificate (or ACS Self-Signed Certificate) on Windows 46
Installing a CA Certificate (or ACS Self-Signed Certificate) on Mac OS X 47
Installing a CA Certificate (or ACS Self-Signed Certificate) on Linux 47
Post-Certificate Installation Tasks 47
User Notifications 48
Customizing CTA with the Optional ctad.ini File 48
[main] Section 49
[EAPoUDP] Section 51
[UserNotifies] Section 51
[ServerCertDNVerification] Distinguished Name-Matching Section 53
[Scripting_Interface] Section 55
Example ctad.ini 55
CTA Scripting Interface 57
Requirements for Using the Scripting Interface 58
Step 1: Create a Posture Data File 58
Step 2: Create an .inf File 60
Step 3: Add Attributes to ACS Dictionary 61
Executing the Scripting Interface 62
CTA Logging Service 63
Creating a ctalogd.ini File 64
Using the clogcli Utility 68
Deploying CTA in a Production Network 70
Deploying CTA on Windows 72
Deploying CTA on Mac OS X 75
Deploying CTA on Linux 76
Troubleshooting CTA 77
Installation Issues 77
Communication Issues 78
System Logs 80
CTA Client Fails to Receive a Posture Token 81
CTA 802.1X Wired Client 82
CTA Wired Client System Report Utility 82
Viewing the Client Logs and Connection Status in Real Time 85
Client Icon Does Not Appear in System Tray 85
Client GUI Does Not Start 85
Description: Secure the network edge with the premier book on NAC deployment and management * The first book on deploying and managing the Cisco NAC solution * Addresses the security risks of remote and mobile computer users connecting to corporate networks * Enables end-point products (i.e. PCs, servers, and PD