CANAC
Implementing Cisco
NAC Appliance
Volume 1
Version 2.1
Student Guide
Editorial, Production, and Web Services: 02.26.07
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Students, this letter describes important
course evaluation access information!
Welcome to Cisco Systems Learning. Through the Cisco Learning Partner Program,
Cisco Systems is committed to bringing you the highest-quality training in the industry.
Cisco learning products are designed to advance your professional goals and give you
the expertise you need to build and maintain strategic networks.
Cisco relies on customer feedback to guide business decisions; therefore, your valuable
input will help shape future Cisco course curricula, products, and training offerings.
We would appreciate a few minutes of your time to complete a brief Cisco online
course evaluation of your instructor and the course materials in this student kit. On the
final day of class, your instructor will provide you with a URL directing you to a short
post-course evaluation. If there is no Internet access in the classroom, please complete
the evaluation within the next 48 hours or as soon as you can access the web.
On behalf of Cisco, thank you for choosing Cisco Learning Partners for your
Internet technology training.
Sincerely,
Cisco Systems Learning
Table of Contents
Volume 1
Course Introduction 1
Overview 1
Learner Skills and Knowledge 1
Course Goal and Objectives 2
Course Flow 3
Additional References 4
Cisco Glossary of Terms 4
Cisco NAC Endpoint Security Solutions 1-1
Overview 1-1
Module Objectives 1-1
Introducing Cisco Self-Defending Networks 1-3
Overview 1-3
Objectives 1-3
Changing Landscape of Security 1-4
Cisco Host-Protection Strategy 1-7
The Cisco SDN Initiative 1-8
Cisco NAC Products 1-14
Summary 1-18
Introducing Cisco NAC Appliance 1-19
Overview 1-19
Objectives 1-19
Cisco NAC Appliance Solution 1-20
Cisco NAC Appliance Components 1-24
Cisco NAC Appliance Platforms 1-29
Cisco NAC Appliance Local and Remote Compliance Scenarios 1-30
Cisco NAC Appliance Configuration Overview 1-33
Cisco NAC Appliance User Interface 1-35
Summary 1-37
Introducing In-Band and Out-of-Band Deployment Options 1-39
Overview 1-39
Objectives 1-39
Cisco NAS Deployment Options 1-40
In-Band and Out-of-Band Deployment Options 1-44
Cisco NAC Appliance Out-of-Band Deployment 1-46
Cisco NAC Appliance In-Band Deployment 1-49
Cisco NAS Operating Modes 1-51
Summary 1-56
Module Summary 1-57
References 1-57
Module Self-Check 1-58
Module Self-Check Answer Key 1-62
Cisco NAC Appliance Common Elements Configuration 2-1
Overview 2-1
Module Objectives 2-1
Configuring User Roles 2-3
Overview 2-3
Objectives 2-3
What Is a User Role? 2-4
Managing User Roles 2-8
Defining Traffic Policies for User Roles 2-13
Configuring Traffic Policies for User Roles 2-16
Creating Local User Accounts 2-23
Configuring User Session Timeouts 2-25
Configuring Guest Access 2-30
Summary 2-34
Configuring External Authentication 2-35
Overview 2-35
Objectives 2-35
Configuring External Authentication Providers 2-36
Mapping Users to User Roles 2-44
Testing User Authentication 2-48
Configuring RADIUS Accounting for Users 2-49
Summary 2-54
Configuring DHCP on the Cisco NAS 2-55
Overview 2-55
Objectives 2-55
Cisco NAS DHCP Modes 2-56
Enabling the DHCP Module 2-58
Configuring IP Ranges 2-60
Working with Subnets 2-71
Reserving IP Addresses 2-75
Configuring User-Specified DHCP Options 2-78
Summary 2-82
Module Summary 2-83
References 2-83
Module Self-Check 2-84
Module Self-Check Answer Key 2-86
Cisco NAC Appliance Implementation 3-1
Overview 3-1
Module Objectives 3-1
Implementing Cisco NAC Appliance In-Band Deployment 3-3
Overview 3-3
Objectives 3-3
In-Band Process Flow 3-4
In-Band Deployment Configurations 3-8
Configuring the Cisco NAS for In-Band Deployment 3-14
Adding the Cisco NAS to the Managed Domain 3-16
Configuring the Cisco NAS Interfaces 3-18
Adding Managed Subnets 3-20
Configuring Cisco NAS VLAN Settings 3-22
Summary 3-27
ii Implementing Cisco NAC Appliance (CANAC) v2.1 © 2007 Cisco Systems, Inc.
Implementing the Microsoft Windows SSO Feature on the Cisco NAC Appliance 3-29
Overview 3-29
Objectives 3-29
Cisco NAC Appliance SSO for Microsoft Windows 3-30
Kerberos Ticket Exchange 3-32
Communicating Between Cisco NAS and a Microsoft Windows Active Directory Server 3-34
Configuring Active Directory SSO for the Cisco NAM, Cisco NAS, and Microsoft Windows Active Directory Server 3-35
Summary 3-50
Implementing the Cisco VPN SSO Feature on the Cisco NAC Appliance 3-51
Overview 3-51
Objectives 3-51
Introducing Cisco NAC Appliance VPN SSO 3-52
Introducing VPN SSO Support 3-54
Configuring Cisco NAC Appliance for VPN Concentrator or ASA Integration 3-55
Summary 3-71
Implementing Cisco NAC Appliance Out-of-Band Deployment 3-73
Overview 3-73
Objectives 3-73
Out-of-Band Process Flow 3-74
Out-of-Band Deployment Considerations 3-78
Adding an Out-of-Band Cisco NAS to the Cisco NAM 3-83
Implementing Cisco NAS Out-of-Band Operating Modes 3-87
Summary 3-97
Managing Switches 3-99
Overview 3-99
Objectives 3-99
Implementing Switch Management 3-100
Configuring the Network for Out-of-Band Deployment 3-101
Configuring Group Profiles 3-106
Configuring Switch Profiles 3-110
Configuring Port Profiles 3-113
Configuring the SNMP Receiver 3-119
Adding Switches to the Managed Domain 3-123
Configuring Switch Ports to Use Port Profiles 3-129
Managing Switch Configuration Settings 3-134
Summary 3-138
Module Summary 3-139
References 3-140
Module Self-Check 3-141
Module Self-Check Answer Key 3-145
Cisco NAC Appliance Implementation Options 4-1
Overview 4-1
Module Objectives 4-1
Implementing Cisco NAC Appliance on a Network 4-3
Overview 4-3
Objectives 4-3
Implementing Cisco NAC Appliance 4-4
Introducing the General Setup Tab 4-11
Introducing User Pages 4-14
Managing Certified Devices 4-17
Summary 4-29
Implementing Network Scanning 4-31
Overview 4-31
Objectives 4-31
Introducing Network Scanning 4-32
Configuring the Quarantine Role 4-34
Implementing Nessus Plug-Ins 4-40
Testing a Scanning Configuration 4-48
Customizing the User Agreement Page 4-49
Viewing Scan Reports 4-52
Summary 4-54
Configuring the Cisco NAM to Implement the Cisco NAA on User Devices 4-55
Overview 4-55
Objectives 4-55
Configuring the Cisco NAM to Implement the Cisco NAA 4-56
Retrieving Updates 4-57
Requiring the Use of the Cisco NAA 4-59
Configuring the Cisco NAA Temporary Role 4-62
Introducing Cisco NAA Checks, Rules, and Requirements 4-65
Creating a Check 4-74
Creating Rules 4-75
Creating Requirements 4-80
Mapping Requirements to Rules and Roles 4-85
Summary 4-88
Configuring Cisco NAM High Availability 4-89
Overview 4-89
Objectives 4-89
Introducing High Availability for Cisco NAMs 4-90
Establishing a Serial Connection Between Cisco NAMs 4-95
Configuring the Primary Cisco NAM 4-98
Configuring the Secondary Cisco NAM 4-102
Summary 4-105
Configuring Cisco NAS High Availability 4-107
Overview 4-107
Objectives 4-107
Introducing High Availability for Cisco NASs 4-108
Configuring the Primary Cisco NAS 4-112
Configuring the Secondary Cisco NAS 4-117
Testing the Cisco NAS High-Availability Configuration 4-123
Configuring DHCP Failover 4-124
Summary 4-130
Module Summary 4-131
References 4-131
Module Self-Check 4-132
Module Self-Check Answer Key 4-138
CANAC
Course Introduction
Overview
The Cisco Self-Defending Network (SDN) strategy addresses the need for Network Admission Control (NAC). The Cisco NAC Appliance is an easily deployed software NAC solution that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access your network. The Implementing Cisco NAC Appliance (CANAC) v2.1 course provides learners with the skills and knowledge to implement the Cisco NAC Appliance solution as part of a Cisco SDN security strategy.
Learner Skills and Knowledge
This subtopic lists the skills and knowledge that learners must possess to benefit fully from the
course. The subtopic also includes recommended Cisco learning offerings that learners should
first complete to benefit fully from this course.
Learner Skills and Knowledge
• Working knowledge of routing and switching or CCNA
• Working knowledge of VLANs or BCMSN
• Working knowledge of digital certificates or SNRS
• Working knowledge of HSRP or BCSI
• Fundamental knowledge of implementing network security or SND or CCSP or Cisco Security CQS
©2007 Cisco Systems, Inc. All rights reserved. CANAC v2.1—3
Course Goal and Objectives
This topic describes the course goal and objectives.
Course Goal
“Upon completion of this course, you will have the skills and knowledge to implement a Cisco NAC Appliance solution into a network equipped with Cisco products.”
Implementing NAC Appliance
Upon completing this course, you will be able to meet these objectives:
• Given network security requirements, select the appropriate NAC endpoint security deployment scenario that will meet or exceed network security requirements
• Configure the elements of a NAC Appliance solution
• Configure the NAC Appliance in-band and out-of-band implementation options
• Implement a highly available NAC Appliance solution to mitigate network threats and facilitate network access for those users that meet corporate security requirements
• Maintain a highly available NAC Appliance deployment in medium-sized and enterprise-sized network environments