Saturday, December 22, 2007

NEW 4.1(3) Feature - Cisco NAC Web Agent


One of the much waited for features in the NAC 4.1(3) release is the NAC Web Agent. "The Cisco NAC Web Agent provides temporal vulnerability assessment for client machines. Users launch the Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet. When the user terminates the Web Agent session, the Web Agent logs the user off of the network and their user ID disappears from the Online Users list."

In short, it is a temporary agent that makes it possible to perform a detailed posture assessment on a machine on which installing software is either undesirable or not possible.

Figure 1 – Cisco NAC Web Agent

The Spotlight:

The NAC Web Agent is a great addition to the capabilities of Cisco NAC Portfolio.
The following compares functionality by agent type (CAA vs. Web Agent). It includes some of the major benefits of each agent type to give everyone a better idea of where the new NAC Web Agent fits into their deployment.

Cisco Clean Access Agent

- Favorable end user experience - After the CAA is installed, the user does NOT have to open up a web browser every time NAC has to perform Authentication and Posture Assessment.

- Active Directory SSO - Without the CAA, internal users cannot perform ADSSO.

- Automatic Remediation - CAA walks users step-by-step through what they need to do to become compliant.

Cisco NAC Web Agent

- No Administrative Rights Required - The Web Agent only requires the rights to run Java or ActiveX in the browser for it to successfully install and perform posture assessment. Some guests/visitors do not have the administrator rights necessary to install the full-blown CAA, which makes the Web Agent very attractive.

- No permanent software installation - Using the Web Agent removes any chance of someone complaining that the software they downloaded at your location is the reason their computer crashed.

- Detailed Posture Assessment - The Web Agent can perform the exact same checks (Registry, File, Service, and Application) as the CAA. The only caveat is that remediation is a manual process. The administrator may present a link to the user, but after remediation the user must click "Re-Scan" to be permitted access.

- Scan cannot be blocked by a personal firewall - As basic as this sounds, the Network Scanning capability is used a lot in the field to perform scans of guests and contractors. The problem is that a majority of users today are running some form of personal firewall rendering the network scanning useless. The NAC Web Agent is run locally on the machine to enforce posture assessment, which puts network scanning on the back burner.

Configuring Cisco NAC Web Agent:

The good news is that if you have ever configured posture assessment for the CAA, then you have already configured posture assessment for the Cisco NAC Web Agent. For more information on configuring Posture Assessment, check out the CAM Installation & Configuration Guide or Cisco NAC Chalk Talk 5. The only background worth mentioning is that when creating requirements for the Web Agent it is a best practice to use a Link type requirement, so that the end user can click on the appropriate link to remediate.

The first step to enabling the Web Agent is to create a new User Page or modify your existing one. The most important option is the "Web Client (ActiveX/Applet)" setting, which tells NAC which type of web agent to use or prefer (ActiveX or Java).

The next step is to require the use of the Web Agent for the relevant Roles.

Figure 2 – Require the use of the Cisco NAC Web Agent

The final step is to assign requirements to the roles that require the Web Agent.

The end user experience:

Figure 3 – Cisco NAC Web Agent end user process flow


The Cisco NAC Web Agent is definitely going to be a highly used feature in most Cisco NAC deployments. It is fairly straightforward to understand and configure. I encourage everyone to check it out along with all the great new features in 4.1(3).

Sources: 4.1(3) Release Notes; 4.1(3) CAM Installation & Configuration Guide

Friday, December 21, 2007

NAC Version 4.1(3)

4.1.3 is available and you can download it here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download

4.1.3 Release Notes
As with all NAC Upgrades, the release notes are extremely important!

4.1.3 CAM Installation & Configuration Guide

4.1.3 CAS Installation & Configuration Guide

Enhancements in Release 4.1(3)

General Enhancements

Cisco NAC Web Agent

Support for Clients with Multiple Active NICs

Clean Access Server HA Heartbeat Link Enhancement

Clean Access Manager HA Configuration and Heartbeat Link Enhancements

Guest User Login and Registration Enhancements

LDAP Authentication Enhancement

Clean Access Server and WSUS Interaction Enhancement

Agent Restricted User Access Enhancement

Device Filter List Display and Import/Export Enhancement

Agent Report Information Display and Export Enhancement

VPN SSO Login Enhancement

Syslog Configuration Enhancement

Debug Log Download Enhancement

cisco_api.jsp Enhancement

CSRF Protection

Proxy Support Enhancements

ARP Broadcast Packet Handling Improvement

Clean Access Server HA ARP Broadcast Enhancement

Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature

Previously-Deprecated Features Removed from CAM/CAS Web Console Pages

Supported AV/AS Product List Enhancements (Version 67)

Out-of-Band Enhancements

Access to Authentication VLAN Change Detection Enhancement

SNMP Inform Notification Enhancement

SNMP "MAC Move Notification" Switch Port Configuration Support

Clean Access Agent Enhancements

Clean Access Agent Auto Remediation

Windows Clean Access Agent Version

Mac OS X Clean Access Agent Version

Look out for more detailed explanations and configuration examples of the new features and functionality.

Friday, November 9, 2007

Deploying Cisco NAC Profiler


Cisco NAC Profiler is an OEM version of Great Bay Software's Beacon product (Read more). The basis and need for NAC Profiler is to secure Non-Responsive Hosts (NRHs). This is performed using state-of-the-art Endpoint Profiling and Behavior Monitoring technologies.

Endpoint profiling is defined as recording a network endpoint’s observable behaviors and analyzing identifiable characteristics of the endpoint in order to classify it as belonging to a particular group (Profile) and to assess each endpoint’s ability in a certain sphere. That certain sphere could be an endpoint’s ability to participate in a given authentication or Cisco NAC Appliance as an example. In essence, Endpoint Profiling is best described as behavior-based characterization of endpoints for the purpose of identifying and grouping together those that are similar in function, capability or other defining characteristics.

Behavior Monitoring is the ability to ensure endpoints are behaving in a way that is consistent with the classification leading to being provided with the authentication or NAC accommodation, and not indicating behaviors associated with endpoints that should in fact be participative in the full authentication or admission control process prior to being allowed onto the network.

Enough with the formal definitions (that’s what the great documentation is for), what is the real value of this solution to an organization with or without Cisco NAC and pre and post deployment of Cisco NAC?

The Value of Cisco NAC Profiler:

When planning for a NAC Appliance deployment the question of NRHs is sure to come up. How does someone find all of the printers, game consoles, UPSs, IP phones, etc. in the network? The answer is never easy. The bottom line is that over 50% of the devices on the average organization's network are NRHs. The traditional method of accounting for NRHs is to manually find and record all MAC addresses and import all of them into the NAC Manager's Device Filter list. The challenges this method presents are resources (who is going to perform this task), human error (48-bit MAC addresses start to look very complex after writing down hundreds or thousands of them), adds/moves/changes becoming a nightmare, and the guarantee that by the time you finish recording all of the devices something has changed since you started.

From the above alone it becomes very clear how many hours can be saved by implementing Cisco NAC Profiler. But wait, there is more… The above shows how Endpoint Profiling saves time and headaches; Behavior Monitoring takes the value of NAC Profiler a step further. Take the traditional method of adding NRHs into the device filter table of the NAC Manager: once a printer's MAC address is added it is always there, so if a malicious hacker or an auditor walks up to the printer, prints the properties page, gets the MAC address, unplugs the printer and uses the printer's MAC address, he or she gains access and bypasses NAC. If NAC Profiler is implemented, as soon as the computer spoofing the printer's MAC address exhibits behavior outside the printer's typical behavior, that device is removed from the Device Filter list and forced to go through the standard NAC process.

Another key benefit of having NAC Profiler is the accountability and visibility into the devices on the NAC Manager Device Filter List. As devices are placed into the Device Filter list by the Profiler Server, there is a link placed that brings an administrator directly to a page showing which switchport the device is plugged into, the respective endpoint profile data, and when it first came on the network. Any Network Operator understands the value of understanding where devices are at and when they entered and left the network.

Figure 1– NAC Manager Link to NAC Profiler

Minimize deployment costs + Minimize operational costs + Added Visibility + Added security = The value of Cisco NAC Profiler

Designing NAC Profiler:

NAC Profiler is comprised of two components:

- Profiler Server: Aggregates and classifies data from collectors and manages the database of endpoint information. Communicates using the NAC Managers API to add devices into the Device Filter list. Installed on the 3350 Appliance

- Collector Module: Gathers information about endpoints using SNMP, NetFlow, Sniffing, and active profiling. Software already installed on the NAC Server, license activates the feature.

The Profiler Server can be, and is recommended to be, configured as a High Availability (HA) pair. A Collector license should be purchased for each NAC Server that will be used to profile devices. If the NAC Server is an HA pair, the license should be purchased as an HA license.

For the latest information about licensing of Cisco NAC Profiler, please refer to the Cisco NAC Profiler Data Sheet.

Collector Architecture:

NAC Profiler uses many data feeds to obtain the required information to perform Endpoint Profiling and Behavior Monitoring. The following list gives you the background of how the collectors gather data.

- NetMap – Collector component module that queries network devices via SNMP for:

o System information

o Interface information

o Bridge information

o Routing/IP information

This information is used to build and maintain a model of the network topology within the Endpoint Database.

- NetTrap – Collector component module that receives selected traps from network devices to assist NetMap in maintaining the model of the network topology.

- NetWatch – The passive network analyzer collector component module. Collects information about endpoints using network traffic received at one or more of the interfaces on the appliance it runs on.

- NetInquiry – Active profiling collector component module that can be used to collect information about endpoints using active techniques.

- NetRelay – Receives exported data from other systems, such as NetFlow, and prepares it for processing for Endpoint Profiling and Behavior Monitoring.

- Forwarder – Facilitates communication between the collector and the server; acts as middleware between the Collector modules and the Profiler Server.

Each NAC Profiler deployment may include a few of these or all of these, depending on the amount of data required. As a best practice it is always good to start with NetMap, NetTrap, and NetWatch to gather the relevant information required to successfully profile endpoints. If any of these collectors are not available in the organization deploying NAC Profiler, utilizing the NetInquiry or NetRelay collector is a great alternative. Please note that, other than NetInquiry, NAC Profiler is completely passive and does NOT actively send traffic to any endpoint.

Profiles Uncovered:

As of version 2.1.7, NAC Profiler comes with 38 default profiles out of the box. This includes many of the major device types in enterprise networks today.

Figure 2 – Default Profiles

In some cases, it will be necessary to create custom profiles in order to profile an organization's specific devices. To do this, NAC Profiler offers different types of rules to match the behavior that is specific to the devices in question. The following shows the different types of rules you can configure using Cisco NAC Profiler:

- MAC Address – Beacon maintains a list of all OUI values for MAC address vendor assignments. MAC Vendor rules allow the endpoints MAC address to be used as a criteria for classification into a Profile.

- IP Address – Beacon can use the host address of endpoints to classify devices using host IP addresses within a designated range as a criterion for classification into a Profile.

- Traffic – Analysis of traffic information at layers 3-4. Based on information gathered by either the NetWatch collector module (traffic analysis) or the NetRelay collector module (NetFlow data exported from a NetFlow-capable device).

- TCP Open Port – Layer 4 port information that is gathered either by monitoring SYN-ACK information passively or via the Active Profiling capabilities of NetInquiry.

- Application – analysis of application layer behavior including DHCP, Server Banners, DNS names, User Agents, etc.

- Advanced – used to create complex expressions using AND, OR, and/or NOT, or to aggregate multiple rule logic into a single rule.
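To make the rule types above concrete, here is a toy rule evaluator, added as an example for this post rather than taken from Cisco or Great Bay Software's product, that classifies a few endpoint observations using MAC Vendor, IP Address, TCP Open Port, Application and Advanced (AND/OR/NOT) rules. The OUI table, profile definitions, addresses and endpoint records are all constructed for the example; the real product's rule syntax and data feeds differ.

```powershell
# Added example, not from the original post or from Cisco/Great Bay Software:
# a toy evaluator showing how the rule types above (MAC Vendor, IP Address,
# TCP Open Port, Application, Advanced AND/OR/NOT) combine into a profile match.
# The OUI table, addresses and endpoint observations below are constructed.

function ConvertTo-IPv4Int {
    # Converts dotted-quad text to an unsigned integer for range comparison.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

# Constructed OUI -> vendor table; a real deployment uses the IEEE assignments.
$OuiVendor = @{ 'AA:BB:CC' = 'ExamplePrinterCo'; 'DD:EE:FF' = 'ExamplePhoneCo' }

function Test-Rule {
    param($Rule, $Endpoint)
    switch ($Rule.Type) {
        'MacVendor'   { $oui = $Endpoint.Mac.Substring(0, 8).ToUpper()
                        return ($OuiVendor[$oui] -eq $Rule.Vendor) }
        'IpRange'     { $ip = ConvertTo-IPv4Int $Endpoint.Ip
                        return ($ip -ge (ConvertTo-IPv4Int $Rule.Start) -and
                                $ip -le (ConvertTo-IPv4Int $Rule.End)) }
        'TcpOpenPort' { return ($Endpoint.OpenPorts -contains $Rule.Port) }
        'Application' { return ([string]$Endpoint.App[$Rule.Key] -match $Rule.Pattern) }
        'Advanced'    {
            # AND / OR / NOT over nested rules, which may themselves be Advanced.
            $results = @(foreach ($r in $Rule.Rules) { Test-Rule $r $Endpoint })
            switch ($Rule.Op) {
                'AND' { return -not ($results -contains $false) }
                'OR'  { return ($results -contains $true) }
                'NOT' { return -not ($results -contains $true) }
            }
        }
    }
    return $false
}

# Constructed profiles. The Printer profile also requires that SMB (445) is
# NOT open, so a PC borrowing a printer's MAC address no longer matches.
$Profiles = @(
    @{ Name = 'Printer'
       Rule = @{ Type = 'Advanced'; Op = 'AND'; Rules = @(
                 @{ Type = 'MacVendor';   Vendor = 'ExamplePrinterCo' },
                 @{ Type = 'TcpOpenPort'; Port = 9100 },
                 @{ Type = 'Advanced'; Op = 'NOT'; Rules = @(@{ Type = 'TcpOpenPort'; Port = 445 }) }) } },
    @{ Name = 'IP Phone'
       Rule = @{ Type = 'Advanced'; Op = 'AND'; Rules = @(
                 @{ Type = 'IpRange';     Start = '10.50.0.0'; End = '10.50.255.255' },
                 @{ Type = 'Application'; Key = 'DhcpVendorClass'; Pattern = '^ExamplePhone' }) } }
)

function Get-EndpointProfile {
    param($Endpoint)
    foreach ($p in $Profiles) { if (Test-Rule $p.Rule $Endpoint) { return $p.Name } }
    return 'Unclassified'   # no profile: the endpoint goes through the normal NAC process
}

# Constructed observations: the printer as first seen, the same MAC later
# showing SMB/RPC open (the behavior change Behavior Monitoring would catch
# and use to drop the entry from the Device Filter list), and an IP phone.
$printer = @{ Mac = 'aa:bb:cc:12:34:56'; Ip = '10.20.3.7';  OpenPorts = @(9100, 515);      App = @{} }
$spoofed = @{ Mac = 'aa:bb:cc:12:34:56'; Ip = '10.20.3.7';  OpenPorts = @(9100, 445, 135); App = @{} }
$phone   = @{ Mac = 'dd:ee:ff:00:00:01'; Ip = '10.50.4.20'; OpenPorts = @(80);             App = @{ DhcpVendorClass = 'ExamplePhone 7900' } }

foreach ($e in @($printer, $spoofed, $phone)) {
    '{0,-18} {1,-11} -> {2}' -f $e.Mac, $e.Ip, (Get-EndpointProfile $e)
}
```

Running the script classifies the first record as Printer, the second (same MAC, new open ports) as Unclassified, and the third as IP Phone. The point of the NOT clause is the one the post makes about Behavior Monitoring: a profile built only on the MAC vendor is exactly the weakness of a static Device Filter list, while adding behavioral conditions lets the classification expire when the device stops acting like what it claims to be.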


Cisco NAC Profiler is an amazing add-on to the Cisco NAC Appliance portfolio and shows value for any organization that currently has or plans to have Cisco NAC Appliance. Please stay tuned for more best practices, advanced configuration and troubleshooting of Cisco NAC Profiler.

Sources: NAC Profiler ChalkTalk; Beacon Configuration Guide v2.1.8

Friday, September 28, 2007

Custom Checks - Integration with Big Fix for Remediation


BigFix is one of the many remediation software solutions available that can work with NAC for a better end user experience. BigFix can enforce that a client has the proper software, patches, and updates on a device. This sounds a bit like NAC, but the missing puzzle piece is how to enforce that BigFix is really on the connecting device and doing its job. This posting will talk about some of the checks that may be created to enforce the presence and compliance of BigFix on a device connecting into the network.

***Please note that there are many ways of looking for installed/running software, and it is best practice to check in two different manners (e.g. a service check and an application check), but to keep this post more straightforward I will only show one of the checks.

Is BigFix Installed:

In order to properly assess if BigFix is installed, the following checks if the BESClient is actually there.

Check Category: File Check
Check Type: File Existence
Check Name: BigFix_Installed
File Path: SYSTEM_PROGRAMS\BigFix Enterprise\BES Client\BESClient.exe
Check Description: Check if BigFix is Installed
Operating System: Windows All

Figure 1 - Check if BigFix is Installed

Using a Link or File type requirement for this check will give administrators the ability to offer the BESClient to users that do not have it installed. This will ultimately save on help desk calls and bring the host into compliance automatically.

Is BigFix Running:

Next, it is good to check whether BigFix is actually running. The following custom check verifies that the BESClient service is running.

Check Category: Service Check
Check Type: Service Status
Check Name: BigFix_Running
Service Name: BESClient
Check Description: Check if BigFix is Running
Operating System: Windows All

Figure 2 - Check if BigFix is Running

If a user does not have the BESClient running, we can use a Launch Programs requirement type to launch the BESClient. Look back to the blog for a future post on Launch Program Requirements.

Is BigFix Compliant:

Finally, BigFix has the ability to create central policy about what is needed on an end host. If the host has the latest patches, updates, etc., then the BESClient actually reports itself as "Compliant". The following custom check verifies that the BESClient is reporting itself compliant.

Check Category: Registry Check
Check Type: Registry Value
Check Name: BigFix_Compliant
Registry Key: HKLM\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\_BESClient_BigNACresult\
Value Data Type: String
Operator: Equals
Value Data: Compliant
Check Description: Check if BigFix is Compliant
Operating System: Windows All

Figure 3 - Check if BigFix is Compliant

This shows how, if you already have policy created on your remediation platform, NAC Appliance can leverage that information by enforcing compliance with the policy before entry to the network.
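Before pushing these three checks to users, it is worth confirming on a reference workstation that the path, service name and registry value they rely on really look the way the checks expect. The following PowerShell script is an added example for this post (not Cisco's or BigFix's own code) that performs the same three tests locally. It assumes that NAC's SYSTEM_PROGRAMS placeholder corresponds to $env:ProgramFiles, and that the compliance string sits in a value named "value" under the registry key given above, which is the usual layout for BES client settings; the post itself does not name the value.

```powershell
# Added example, not from the original post or from Cisco/BigFix: runs the
# three BigFix posture checks described above locally in PowerShell so an
# administrator can confirm the path, service name and registry value on a
# reference workstation before relying on them in a NAC requirement.
# Assumptions: NAC's SYSTEM_PROGRAMS maps to $env:ProgramFiles here, and the
# compliance string is stored in a value named 'value' under the registry key
# given in the post (the usual layout for BES client settings).

function Test-BigFixInstalled {
    # File Check / File Existence: BigFix_Installed
    $exe = Join-Path $env:ProgramFiles 'BigFix Enterprise\BES Client\BESClient.exe'
    return [bool](Test-Path -LiteralPath $exe -PathType Leaf)
}

function Test-BigFixRunning {
    # Service Check / Service Status: BigFix_Running
    $svc = Get-Service -Name 'BESClient' -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Test-BigFixCompliant {
    # Registry Check / Registry Value (String, Equals 'Compliant'): BigFix_Compliant
    $key  = 'HKLM:\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\_BESClient_BigNACresult'
    $item = Get-ItemProperty -Path $key -Name 'value' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }      # key or value absent: treat as not compliant
    return ([string]$item.value -eq 'Compliant')
}

function Get-BigFixPosture {
    # Evaluates the checks in the order the post presents them; each later check
    # only makes sense once the earlier one passes, which is also how the NAC
    # requirements (Link/File, Launch Programs, Registry) would be chained.
    $installed = Test-BigFixInstalled
    $running   = $installed -and (Test-BigFixRunning)
    $compliant = $running   -and (Test-BigFixCompliant)
    [pscustomobject]@{
        BigFix_Installed = $installed
        BigFix_Running   = $running
        BigFix_Compliant = $compliant
        Remediation      = $(if (-not $installed)     { 'Offer the BESClient download (Link or File requirement)' }
                             elseif (-not $running)   { 'Start the BESClient service (Launch Programs requirement)' }
                             elseif (-not $compliant) { 'Let BigFix finish remediating, then Re-Scan' }
                             else                     { 'None' })
    }
}

Get-BigFixPosture | Format-List
```

On 64-bit Windows with a 32-bit BES client, the registry key may live under HKLM\SOFTWARE\Wow6432Node\BigFix instead, and the executable under ${env:ProgramFiles(x86)}; if the script reports the client as missing while it is clearly installed, that redirection is the first thing to verify, since the NAC check will be subject to it as well.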


NAC Appliance may leverage the functionality of other vendors' remediation solutions by using them to remediate non-compliant hosts. NAC can, on some occasions, even enforce the policies or requirements of those solutions on hosts before the device is allowed on the network. This post should help administrators understand that the integration can be performed and really will help leverage the existing investments made in remediation solutions.

Friday, September 21, 2007

Chalk Talk Series 3 - Update

To give everyone the update, the following is the schedule for the upcoming NAC chalk talks:

September 27th: Cisco NAC Profiler Introduction
Prem Ananthakrishnan will introduce the Cisco NAC Profiler, which discovers, tracks,
and monitors all non-PC endpoints attached to a network. By adding Profiler to a NAC
deployment, customers can apply policies and access privileges to non-PC endpoints.

October 4: Secure Guest with Cisco NAC
Enhance guest access with Cisco’s NAC Guest Server. Syed Ghayur will introduce the
advanced provisioning and reporting features of this latest addition to the Cisco NAC
product line.

Access Information:

Time - 10am PDT, 12pm CDT, 1pm EDT
Audio - Toll-free US/Canada: 1-800-370-2618
Meeting ID: 321456#
Web - Disable any pop-up blocker software
Enter Meeting ID 321456

Tuesday, September 18, 2007

Priveon Launches Real World NAC Appliance Training

Most training courses prepare individuals for certifications, but Priveon's Real-World training is the exact opposite. Their new Cisco NAC Appliance class is focused around how to design, deploy, operate and optimize Cisco NAC. With 20 labs and a topology that mimics typical organizations' environments, the class is very impressive and valuable for everyone interested or involved with Cisco NAC Appliance! I have personally reviewed the class and I highly recommend it to anyone wanting to take their expertise to the next level.

Priveon NAC Appliance Training Page

Saturday, September 15, 2007

NAC Chalk Talk Video on Demand (VOD) - A success for Force 3 and its clients

For those of you who missed the NAC Chalk Talk I did on Thursday, here is the link to the Video on Demand, so that you can catch some of the deployment best practices.

Cisco NAC Appliance: A Success for Force 3 and Its Clients

I also want to thank the NAC Appliance Business Unit at Cisco and specifically Prem who hosted me out in San Jose, he is the real Rock Star!

Friday, September 7, 2007

NEW NAC Chalk Talk Series - Starting Sept 13th

There is a new NAC chalk talk series starting next week and excitingly enough I will be the first person to present! My chalk talk will be focused around how to make your deployment more successful. This is your chance to ask me questions and get the answers live via IPTV! :)

If you are unfamiliar with the NAC chalktalks, they are a great source of information about how to design, deploy, configure, troubleshoot, operate and optimize Cisco NAC Appliance. Please review the existing series by visiting the below link:
View the existing NAC Chalk Talks

The details of my upcoming chalk talk:


Kicking off SEPTEMBER 13th with a LIVE VIDEO BROADCAST featuring Jamie Sanbower from Force 3 --

Cisco NAC Appliance: A Success for Force 3 and Its Clients

Watch this interactive session to learn Force 3's secret to NAC success, key deployment strategies and how they use Cisco NAC to solve their client business requirements.

Date: Thursday, September 13th
Time: 10am PDT/12pm CDT/1pm EDT
Location: (requires CCO login)

No pre-registration required.

There will be additional chalk talks continuing the weeks following the 13th, so be sure to check back here for updates on the others!

Configure And Troubleshoot the Antivirus Definition Updates

Cisco posted a new Configuration Guide on how to configure and troubleshoot Antivirus Definition Updates. This is relevant for any deployment using Cisco preconfigured AV definition rules.

NAC Appliance (Cisco Clean Access): Configure And Troubleshoot the Antivirus Definition Updates

Thursday, September 6, 2007

Cisco NAC Profiler Documentation

Cisco NAC Profiler is here, and let me tell you this product makes deployments go a lot smoother. How nice is it not to have to find all of your Printers, IP Fax Machines, UPS management, Game Consoles, etc.

If you are interested in NAC Profiler services or consulting, please contact me jsanbower or visit

To save everyone some time, the following is a list of all the public documentation on Cisco NAC Profiler:

Cisco NAC Profiler Data Sheet

Cisco NAC Profiler Brochure

Cisco NAC Profiler Q & A

Cisco NAC Profiler Ordering Guide

Configuration Guide 2.1.7

Thursday, August 23, 2007

NAC Network Modules

I just wanted to give everyone the update on the NEW NME-NAC-K9 module. It is supported as of version 4.1(2). The Cisco NAC Network Module (NME-NAC-K9) implements the Clean Access Server functionality on the next generation service module for the Cisco 2811/2821/2851 and 3825/3845 access routers. The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code. The Clean Access Server operating system is based on an optimized version of Linux. The NAC network module is an ideal NAC solution for small groups of users in remote locations where an integrated services router is used. The NAC network module can be equipped with either a 50-user or 100-user license to support branch offices.

The following are some documents to get you started with the new NAC Network Module:

Getting Started with Cisco NAC Network Modules in Cisco Access Routers
-- New guide describing initial configuration and deployment examples

Installing Cisco Network Modules in Cisco Access Routers
-- New Chapter in the Cisco Network Modules Hardware Installation Guide

Tuesday, August 21, 2007

Book Review - Cisco NAC Appliance Book

Title: Cisco NAC Appliance: Enforcing Host Security with Clean Access
Author: Jamey Heary, CCIE #7680

Contributing Authors: Jerry Lin, CCIE #6469, Chad Sullivan, CCIE #6493, and Alok Agrawal
Publisher: Cisco Press

I want to start out by saying that this book completely exceeded my expectations for the first NAC Appliance book. I wish this was published 3 years ago. The author clearly articulates the business benefits of NAC, including how NAC provides return on investment (ROI), which gives any reader the know-how to wisely purchase Cisco NAC Appliance. He also shows his technical expertise by diving extremely deep into the inner workings of Cisco NAC Appliance, which gives engineers, consultants, and operations the information they need to successfully deploy or maintain the product.

This book shows great details into the process flows of In-Band & Out-of-Band users, Clean Access Agent (CAA) users and network scanning users. The information on the different deployment options and how to use them in diverse environments is great to start your NAC Design. This book makes the confusing topics seem easy and manageable.

Some of the highlights that caught my eye and I thought everyone would like were:

  • Chapter on Host Security Policy – An amazing deal of information on how to design/create a Host Security Policy as it relates to NAC Appliance is invaluable to deployments
  • Exploration of High Availability and Load Balancing – Information on how to load balance Clean Access Servers using the CSM, CSS, ACE and PBR cannot be found anywhere else. This includes saving money on Failover Bundles by using N+1 Failover
  • Layer 3 OOB Deployment options – Walk through of the benefits of the different methods of deploying L3 OOB, e.g. PBR, ACLS, VPNs, etc.
  • Deployment Best Practices – An entire chapter on how to plan, schedule, and keep all parties happy for your NAC Appliance deployment
  • Monitoring & Troubleshooting information – detailed list of all logs located on the CAM and CAS, as well as the information on how to troubleshoot and monitor online users

All in all this is a great book and I would recommend it for all people interested in Buying, Deploying, Operating, or Troubleshooting Cisco NAC Appliance. This is definitely a great reference manual to have at your desk!

Buy it at amazon or ciscopress

Friday, August 17, 2007

NAC WSUS Requirement Type


New to 4.1.1, WSUS Requirements give NAC Appliance administrators the ability to seamlessly integrate with local WSUS servers or utilize Microsoft's servers to ensure users are up to date on their Microsoft service packs and patches.

Configuring WSUS Requirements:

The following is a list of the options available when configuring a WSUS Requirement:

  • Update Validation source - This involves checking to see if a particular client machine is up to date with patches. This check can be done against the WSUS server itself OR against Cisco rulesets.
    • Cisco Rules - In this case, the new “WSUS Server Update services” requirement needs to be mapped to the standard Cisco rule sets such as XP_hotfixes etc. Standard registry scans will be performed on the client machine based on these rule sets.
    • WSUS Server - In this case, the CCA Agent makes an API call to the WSUS Agent on the client machine to check compliance. Since the Cisco rule set is not used here (the WSUS client interacts directly with the WSUS server), there is no need to map a rule set to the requirement.
  • Update Installation source - This involves remediating the user after we have established that he/she is non-compliant. The remediation can be done either from local WSUS servers OR against WindowsUpdate
    • WSUS Servers - Download and Install the patches from the local WSUS servers.
    • Windows Update - Download and install patches from Microsoft Windows Update website
  • Update Installation type - This involves deciding what type of hotfixes should be downloaded and installed from the chosen source.
    • Express - This option installs the same Windows updates as would be available from the Windows Update application "Express" option. (For example, the Windows "Express" option may include just Critical and Important security updates or could call for installing an entire service pack update.)
    • Custom - Use this setting and the associated dropdown menu to install updates based on their severity by choosing Critical, Medium, or All from the associated dropdown menu. If you select Critical only the most severe/critical Windows updates are installed; selecting Medium means all updates (except for those classified as "low severity" by Microsoft) are installed; selecting All means that all of the currently available Windows Updates are installed, regardless of severity.
    • Upgrade to Latest OS Service Pack - automatically install the latest service pack available for the user's operating system.
  • UI Experience - This setting controls what the end user sees while the updates are being installed.
    • Show UI - The Windows Update UI (showing that patches are being installed) is displayed to the user
    • No UI - Updates are done silently and the user does not see any UI that shows updates are being installed

Figure 1 - Configuring a WSUS Requirement

Notes on configuring WSUS Requirements:
  • Validation against the WSUS server may take between 10 and 15 seconds
  • Make sure Access is opened to WSUS server or Windows update server in the temporary role (depending on what is being used)
  • Make sure that the client PC can talk to the WSUS server on port 80/443. These are the ports client machine uses to talk to WSUS server
  • WSUS updates may take a long time, so it is important to set the Session Timer for the temporary role long enough to allow the updates to complete.
  • In order to support Windows Server Update Services operations, client machines must have version 5.4.3790.1000 (or a more recent version) of the WUAUENG.dll file installed.
  • If there are update errors, see C:\Windows\Windows Update.log or C:\Windows\WindowsUpdate.log.
  • To see if you have a Local WSUS server configured go to HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and the "WUServer" key will have the server listed.
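Several of the notes above are things you can verify on the client itself before a user ever hits the temporary role. The PowerShell script below is an added example for this post (not Cisco's or Microsoft's code) that reads the WUServer policy value, checks the wuaueng.dll version against the 5.4.3790.1000 minimum, tests TCP reachability to the configured WSUS server on the port implied by its URL, and locates the update log. It assumes a Windows client with PowerShell 3 or later; Test-NetConnection additionally needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post or from Cisco/Microsoft: checks
# the client-side WSUS prerequisites from the notes above on a Windows client.
# Assumes Windows with PowerShell 3+; Test-NetConnection needs Windows 8 /
# Server 2012 or later. The sample WSUS URL in the comment is constructed.

function Get-WsusServerSetting {
    # A locally configured WSUS server shows up as the WUServer value under the
    # WindowsUpdate policy key; when absent, the client uses Windows Update.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $item = Get-ItemProperty -Path $key -Name 'WUServer' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.WUServer      # e.g. http://wsus.corp.example:8530 (constructed)
}

function Test-WuaEngineVersion {
    # WSUS operations need wuaueng.dll 5.4.3790.1000 or later (from the notes above).
    param([version]$Minimum = [version]'5.4.3790.1000')
    $dll = Join-Path $env:SystemRoot 'System32\wuaueng.dll'
    if (-not (Test-Path -LiteralPath $dll)) { return $false }
    $vi = (Get-Item -LiteralPath $dll).VersionInfo
    # Build the version from the numeric parts; FileVersion strings can carry build text.
    $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    return ($ver -ge $Minimum)
}

function Test-UpdateServerReachable {
    # TCP reachability to the update source on the port its URL implies
    # ([uri].Port gives 80 for http and 443 for https unless a port is explicit).
    param([string]$Url)
    $uri = [uri]$Url
    return [bool](Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                                     -InformationLevel Quiet -WarningAction SilentlyContinue)
}

function Get-WsusClientReadiness {
    $wsus = Get-WsusServerSetting
    # Both log names from the notes above are tried; whichever exists is reported.
    $log  = @("$env:SystemRoot\WindowsUpdate.log", "$env:SystemRoot\Windows Update.log") |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    [pscustomobject]@{
        LocalWsusServer = $(if ($wsus) { $wsus } else { 'none (client uses Windows Update)' })
        WsusReachable   = $(if ($wsus) { Test-UpdateServerReachable -Url $wsus } else { 'n/a' })
        WuaEngineOk     = Test-WuaEngineVersion
        UpdateLog       = $(if ($log) { $log } else { 'not found' })
    }
}

Get-WsusClientReadiness | Format-List
```

If WsusReachable comes back false while the server is up, compare the host and port in WUServer with what the temporary role's traffic policy allows; the notes above say the session fails silently from the user's point of view when that access is missing. On Windows 10 and later the text log is no longer written continuously; Get-WindowsUpdateLog generates it from the ETW traces, so "not found" there is expected rather than an error.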

WSUS Requirements are a great new best practice method to ensure Microsoft patches are truly up to date.

Sources: 4.1(2) CAM Admin Guide; What's New in 4.1(1)

Monday, August 13, 2007

CAA Requirement Best Practices - Enforce Types

In the world of NAC Appliance, when using the NAC Agent, there are three different enforcement types. At first look you have the ability to use the following enforce types:

Audit—Silently audit. The client system is checked "silently" for the requirement without notifying the user, and a report is generated. The report results (pass or fail) do not affect user network access.

Optional—Do not enforce requirement. The user is informed of the requirement but can bypass it if desired (by clicking "Next"). The client system does not have to meet the requirement for the user to proceed or have network access.

Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.

So why is this so important for NAC deployments? It gives administrators the ability to deploy with the least possible impact. All deployments should start with AUDIT type requirements. By doing this we are able to see how many users are coming onto the network without compliant workstations. From this information we can see whether all methods of users getting patches, updates, etc. are working correctly (e.g. if WSUS or ePolicy Orchestrator is not working correctly you will immediately see almost all hosts out of compliance).

Next, you should change all of the previous AUDIT requirements to OPTIONAL requirements. This will still allow users access, in case of any discrepancy in your policy or remediation strategy, but will get them through any hurdles of learning how to self-remediate.

Finally, utilize MANDATORY requirements to ensure that all policy is enforced.

The last major idea that should be taken into account is how to schedule this type of roll out. I typically recommend 30-45 days for AUDIT requirements and then 30-60 days for OPTIONAL requirements, but this must be determined on a per organization basis. The key thing to take from this posting is that you do have this wonderful option to phase the enforcement of policy for your NAC deployment, and it will help ensure a smooth transition for administrators and end users. It is one less talked about configuration option that you can use to make your NAC deployment more successful.

Sunday, August 5, 2007

Jamey Heary's Cisco NAC Blog on Network World

Make sure to check out the new blog on Cisco Subnet. Jamey Heary the author of the New Cisco NAC Appliance Book is writing it. It can be checked out here:

About the Blogger:

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.

Friday, July 27, 2007

NAC Version 4.1.2

Download is available here:

Cisco NAC Appliance Software Download Page

Requires a valid SMARTnet contract in order to download.

4.1(2) Documentation Page

Some of the feature "enhancements" that I found interesting and useful:

- NEW Cisco NAC Network Module (NME-NAC-K9) Support

Release 4.1(2) introduces support for the Cisco NAC Appliance network module (NME-NAC-K9) on the next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs).

The Cisco NAC Network Module for Integrated Services Routers supports the same software features as the Clean Access Server (CAS) on a NAC Appliance, with the exception of high availability. NME-NAC-K9 does not support failover from one module to another. The integration of CAS capabilities into a network module for ISRs allows network administrators to manage a single device in the branch office for data, voice, and security requirements. The NME-NAC-K9 network module is available as a single hardware module with 50-user and 100-user license options, and supports a maximum of 100 online, concurrent users.

Once initially installed, the Cisco NAC network module is managed in the CAM web console like any other Clean Access Server, and a single CAM can manage both CAS appliances and NAC network modules. To add the Cisco NAC network module to your network, at least one Clean Access Manager appliance (Lite, Standard or Super) must be already installed and configured.

Cisco ISR platforms need to run Cisco IOS Software Release 12.4(11)T or later (IP Base image or above) in order to support the Cisco NAC network module.

If introducing the Cisco NME-NAC-K9 network module to an existing Cisco NAC Appliance network, you must upgrade all CAM/CAS appliances to release 4.1(2) for compatibility.

Look out for an upcoming blog entry showing how to deploy the network module.

- NAC Appliance Platform Type Display

Now that we have network modules, we need a way to tell whether we are looking at a NM or an appliance. There are two ways to do this, the web console or the CAS CLI:

CAM web console:
Device Management > CCA Servers > Manage [CAS_IP] > Network > IP | new Platform field showing either "APPLIANCE" or "NME-NAC"

CAS web console:
Administration > Network Settings > IP | new Platform field showing either "APPLIANCE" or "NME-NAC"

The CAS CLI includes the new service perfigo platform command in release 4.1(2). The command allows you to determine whether the CAS is a standard Clean Access Server appliance or a new Cisco NME-NAC-K9 network module installed in a Cisco ISR router chassis. The command output includes either "APPLIANCE" or "NME-NAC" as the platform setting.

- Debug Log Download Enhancement

Beginning with release 4.1(2), you can now specify the number of days of collected debug logs to download in order to aid troubleshooting efforts when working with Cisco technical support. Previously, debug logs compiled to download to technical support included all recorded log entries in the CAM/CAS database. The default setting is one week (7 days).

- As always... New AV/AS Support List

To review all enhancements, caveats, and upgrade procedures, please read the following release notes:

Cisco NAC Appliance 4.1(2) Release Notes

Please note that it is best practice to follow the upgrade procedures to the "T" when upgrading your NAC Managers and Servers.

For those of you just getting into the land of NACA, there is a very good presentation on the features that came about in Release 4.1(0) located on CCO called "What's New in Cisco NAC Appliance 4.1" that should catch you up on the latest and greatest features.

Saturday, July 21, 2007

Configure and Troubleshoot the Active Directory Windows Single Sign On (SSO)

Cisco posted a new Configuration Guide on how to configure and troubleshoot ADSSO. This is relevant for any deployment using ADSSO and also has some great text on the common error messages and associated resolutions.

NAC Appliance (CCA): Configure and Troubleshoot the Active Directory Windows Single Sign On (SSO)

Friday, July 20, 2007

VPN Deployments with ASA 8.0


One common design challenge in the past was how to deploy NAC for VPN Users when the VPN device is also a corporate firewall. This entry will hopefully help you understand the existing ways of deploying NAC for VPN Users and also help you understand how to design NAC for VPN Users with ASA 8.X.

NAC For VPN Users with a standalone VPN Device:

This is the typical deployment for VPN Concentrators, PIX/ASA (VPN only), and IOS VPN routers (VPN only). The CAS is typically, and preferably, deployed in Virtual Gateway mode. VG allows for zero IP address changes and only requires the addition of one Authentication/Untrusted VLAN. For more information on how to configure NAC for standalone VPN devices, please see the NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example.

Figure 1 - VPN Deployment with a Standalone VPN Device

NAC For VPN Users with a 6.X/7.X Corporate Firewall/VPN Device without a DMZ:

With this deployment you need to ensure that normal Internet traffic from corporate users does NOT go through the CAS. To accomplish this, the CAS is deployed as a Real-IP Gateway and policy-based routing is used on the next Layer 3 hop from the firewall to send VPN users' traffic to the CAS's untrusted interface.

Figure 2 - VPN Deployment with a 6.X/7.X Corporate Firewall & VPN Device without a DMZ

NAC For VPN Users with an ASA 6.X/7.X Corporate Firewall/VPN Device with a DMZ:

In this scenario the PIX/ASA has a DMZ interface that is hosting public servers. If we look to the same deployment option as before, it presents a problem: VPN users are able to get to the DMZ without having to go through NAC. This leaves us with a couple of options:
  • Block all VPN Users from getting to the DMZ
  • Only allow specific services from VPN Users to the DMZ
  • Allow everything to get to the DMZ without going through NAC
  • Advanced Workaround using NAT on the Core Router (Not recommended)
Figure 3 - VPN Deployment with an ASA 6.X/7.X Corporate Firewall & VPN Device with a DMZ

NAC For VPN Users with an ASA 8.X Corporate Firewall/VPN Device with a DMZ:

This is what you all have been waiting for: how does VPN deployment change with ASA 8.0? It all comes down to one new feature, "Restrict Access to VLAN" (also known as VLAN Mapping).

Restrict Access to VLAN—(Optional) Also called "VLAN mapping," this parameter specifies the egress VLAN interface for sessions to which this group policy applies. The security appliance forwards all traffic on this group to the selected VLAN. Use this attribute to assign a VLAN to the group policy to simplify access control. Assigning a value to this attribute is an alternative to using ACLs to filter traffic on a session. In addition to the default value (Unrestricted), the drop-down list shows only the VLANs that are configured on this security appliance.

This configuration option is configured within the Remote Access Group Policy:

Figure 4 - Restrict Access to VLAN Configuration

Please note that you must create a dot1q trunk and create the VPN DMZ interface as a subinterface for this option to appear. Now that we have a way to ensure VPN users get put onto a specific interface, we are able to deploy the CAS in Virtual Gateway mode and control all access for VPN users through NAC. This forces all users to go through NAC before they are allowed to do anything.

Figure 5 - VPN Deployment with an ASA 8.X Corporate Firewall & VPN Device with a DMZ


Cisco's ASA 8.0 software has made NAC deployments for VPN users a lot less complex. Utilizing the VLAN Mapping setting on the ASA is only going to open doors down the road for even more seamless integration of NAC Appliance into your infrastructure.

Sources: CAS Admin Guide; ASDM Online Help

Wednesday, July 18, 2007

Cisco NAC Profiler Announcement


Great Bay Software Inc., the innovator of Endpoint Profiling for enterprise networks, today announced it has signed a worldwide OEM agreement with Cisco that adds the company's Beacon Endpoint Profiler solution to the award-winning Cisco Network Admission Control (NAC) product line. This agreement ensures that all network-attached endpoints, including non-PCs, meet the specified requirements for network access, creating the industry's most comprehensive NAC solution set.

As part of the agreement, Cisco will rebrand and sell the Beacon Endpoint Profiler as Cisco NAC Profiler. The Endpoint Profiling and Behavior Monitoring functions provided by NAC Profiler combined with the Cisco NAC Appliance solution will ease deployments and improve the security management of endpoints unassociated with specific users, such as network printers, medical imaging devices, IP phones, HVAC sensors and wireless access points. NAC Profiler can improve the return on investment for a NAC deployment by dynamically tracking the movement of these devices on the network.

The Cisco NAC Profiler provides a number of benefits both in the initial implementation of NAC and throughout the entire lifecycle of a deployment. Great Bay's Endpoint Profiling technology generates an automated inventory of all endpoints, significantly reducing the level of effort required in the implementation of NAC. The Cisco NAC Profiler informs the NAC system of critical endpoint data, including device address information, a type descriptor (printer, phone, AP, UPS, etc.), access type (a value that defines the appropriate level of access for that endpoint) and access to additional information about that device and its history in the network. This eliminates the need for manual inventories and data entry.

"We're excited to extend our collaboration with Cisco and to be part of an end-to-end NAC solution that provides a security model for all network-attached endpoints," said Steve Pettit, president of Great Bay Software. "Customers will benefit from Cisco's global business infrastructure and from the ongoing innovation this relationship will continue to deliver."

"Great Bay Software's endpoint profiling enhances an end-to-end NAC solution strategy," said Nick Chong, head of the NAC Appliance line of business for Cisco. "Cisco NAC Appliance, the leading NAC offering in the marketplace today, continues to represent the latest in technical innovation involving NAC, and adding Great Bay's profiling technology enriches our overall NAC solution."

Cisco's NAC Profiler will consist of two functional components in the NAC Appliance solution: the Profiler Server and the Collector Application. The Profiler Server will run on a dedicated appliance while the Collector Application will reside on the Cisco NAC Appliance Server. Cisco NAC Profiler is scheduled to be available in August 2007.

About Great Bay Software:

Great Bay Software Inc. is the innovator of Endpoint Profiling, a technology designed to rapidly establish and maintain a real time view of all network attached endpoints. The company's Endpoint Profiling technology has applications in enabling the deployment and administration of Network Admission Control and network-based authentication, in addressing compliance concerns related to unauthorized devices attaching to the Enterprise network, and in managing the endpoint lifecycle for all network attached devices.


I have been working with Beacon for over a year now and have had nothing but success, both for deployments and for the customers' ongoing operations. It is the fries with the burger when it comes to NAC in an enterprise environment. Next time you are planning a NAC deployment for your integration, or are sick of adding device filters every time a new phone or printer is brought up, check out Beacon!

Sources: MarketWire; Great Bay Software

Sunday, July 15, 2007



Cisco NAC Appliance is a great method of threat containment by ensuring users' identity and posture, but at what point do you want to verify that a user who was once compliant is still indeed compliant? This is why timers are such an important aspect of any NACA deployment. This entry will help you understand the different options within NAC and ensure that you configure what is needed for your deployment.

The Options:

  • Certified Device Timer
    • Automatically Clear Certified Device List at specific intervals (X number of days)
    • May clear devices based on particular CAS, User Role, Auth Provider
    • May clear X amount of users at a time
    • May create multiple timers to meet your needs
  • Session Timer
    • An Absolute Timer that is specific to the user role (X number of minutes)
    • Applies to both IB & OOB
    • Triggers after a preset time to kick users off the online user list
  • Heartbeat Timer
    • Number of minutes after which a user is logged off the network if a device is non-responsive (in-band only)
    • CAS sends an ARP request for the client for the set time (L2)
    • CAS looks for traffic sourced from the user (L3)
    • If proxy ARP is enabled then the Heartbeat Timer does nothing (L3)
    • 5-minute minimum

Best Practices for the use of Timers:

ALWAYS configure Certified Device Timers to enforce posture assessment after X amount of time for any Layer 2 or Layer 3 Deployment.

Use Heartbeat Timers to automatically remove inactive users when using IB.

Use User Role Session Timers for timeout of the Quarantine/Temporary user roles, and if you have a per-role maximum connect time that is less than 1 day.
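The interplay between the session timer and the heartbeat timer is easier to reason about when you can compute it. The script below is an added example, not CAS code: it takes a role's timer settings and a constructed list of the minutes (since login) at which the client answered a CAS ARP request (L2) or sourced traffic (L3), and reports which timer logs the user off first and when. It encodes the three facts from the list above: the session timer is absolute and fires regardless of activity, the heartbeat timer only fires after a silence longer than its value (with the 5-minute floor the CAS enforces), and in an L3 deployment with proxy ARP the heartbeat timer is ineffective. The certified device timer works in days and is left out.

```python
"""Work out when, and why, an in-band NAC user would drop off the Online
Users list under the session and heartbeat timers.

Added example, not CAS code. The `activity` list (minutes since login at
which the client answered ARP in L2, or sourced traffic in L3) is a
constructed stand-in for what the CAS really observes."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEARTBEAT_MINIMUM = 5          # the CAS accepts no heartbeat timer below 5 min


@dataclass
class RoleTimers:
    session_minutes: Optional[int]    # absolute timer for the user role; None = off
    heartbeat_minutes: Optional[int]  # None = off
    layer3: bool = False              # L3 deployment: CAS watches client traffic
    proxy_arp: bool = False           # proxy ARP enabled on the L3 path


def effective_heartbeat(t: RoleTimers) -> Optional[int]:
    """Heartbeat timer actually in force: None when disabled, or when an L3
    proxy ARP setup answers on the client's behalf and makes it ineffective."""
    if t.heartbeat_minutes is None:
        return None
    if t.layer3 and t.proxy_arp:
        return None
    return max(t.heartbeat_minutes, HEARTBEAT_MINIMUM)


def logoff_time(t: RoleTimers, activity: List[int],
                horizon: int = 24 * 60) -> Tuple[Optional[int], str]:
    """Return (minute since login, reason) for the first timer that fires,
    or (None, "online") if neither fires within `horizon` minutes."""
    session_at = t.session_minutes        # absolute: activity does not extend it

    heartbeat_at = None
    hb = effective_heartbeat(t)
    if hb is not None:
        last_seen = 0                     # login itself counts as activity
        for minute in sorted(activity):
            if minute - last_seen > hb:   # silent for longer than the timer
                heartbeat_at = last_seen + hb
                break
            last_seen = minute
        if heartbeat_at is None and last_seen + hb <= horizon:
            heartbeat_at = last_seen + hb  # silence after the last activity

    candidates = [(m, why) for m, why in ((session_at, "session-timer"),
                                          (heartbeat_at, "heartbeat-timer"))
                  if m is not None and m <= horizon]
    if not candidates:
        return None, "online"
    return min(candidates)


if __name__ == "__main__":
    busy_client = list(range(5, 601, 5))          # answers ARP every 5 minutes
    print(logoff_time(RoleTimers(480, 10), busy_client))            # session wins
    print(logoff_time(RoleTimers(None, 10), [5, 10, 40]))           # heartbeat wins
    print(logoff_time(RoleTimers(None, 10, layer3=True, proxy_arp=True), [5]))
```

Running the three cases shows why the best practices above pair the timers the way they do: a busy client with only a heartbeat timer never leaves the online list, a role session timer bounds the stay no matter how busy the client is, and an L3 deployment with proxy ARP needs something other than the heartbeat timer to reap dead sessions.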


No matter where you are deploying NAC, the discussion of how often you need to re-authenticate and re-assess the posture of a user should come up. Hopefully, you will understand the need and plan appropriately for your deployment.

For more information on how to configure these timers, please read the CAM Admin Guide or for hands on experience and instruction, please consider taking Priveon's Cisco NAC Appliance Special Operations Class.

Friday, June 22, 2007

Managed Subnets


The most misunderstood topic in the configuration of NACA is Managed Subnets. Every time I get a call about a LAN deployment that is not working, the first thing I say is "Managed Subnets!". Hopefully, by reading this you will start to understand the taboo term and know when and where to configure Managed Subnets.

Managed Subnets Theory:

"For all CAS modes in L2 deployments (Real-IP/Virtual Gateway) when configuring additional subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface."

The first question you must ask during deployment is "is there more than one VLAN on the untrusted side of the CAS?" If so, you need to give the CAS "logical interfaces" so that the CAS can "manage" those VLANs/subnets. The best way to think about managed subnets is to think about a "router on a stick" deployment: a single interface has multiple sub-interfaces in order to reduce the number of physical interfaces on the router. This concept can be applied to the CAS. The CAS uses dot1q trunking to logically manage multiple subnets. Why does the CAS need to do this? The CAS needs to be able to communicate with the clients on each of the subnets connected to its untrusted interface. This includes things like web redirection, the SWISS protocol, etc. The first step in communication is being able to ARP, and without managed subnets the CAS cannot ARP for the clients off of its untrusted interface.

When to use Managed Subnets:

"Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS. For all CAS modes in L3 deployment, Static Routes must be configured for the user subnets that are one or more hops away. Managed subnets should not be configured for these subnets. "

Layer 2 Deployment = Managed Subnets

Layer 3 Deployments = Static Routes

This logic can be used for In-Band/Out-of-Band, Real-IP/Virtual Gateway, and Central/Edge deployments. If you are a newbie to NACA, please review the NACA ChalkTalks (CCO login required) before thinking too much about this.

How to configure Managed Subnets:

Managed Subnets are configured for each CAS at Device Management > Clean Access Server > Manage X.X.X.X > Advanced > Managed Subnet

There are four configuration fields:

IP Address - This value varies based on the type of deployment:
  • Real-IP Gateway: Think of router on a stick. This IP address will be the default gateway for the clients on the untrusted VLAN.
  • Virtual Gateway: This needs to be an UNUSED IP address on the network.

Subnet Mask - Mask for the IP address used above.

VLAN ID - This is the VLAN ID of the untrusted VLAN, EVEN when using Virtual Gateway.

Description - Remember that the next engineer might not understand managed subnets and will need to read this to get a better understanding. Use best-practice descriptions.

Figure 1 - Sample Managed Subnet
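The rules from the "When to use" and "How to configure" sections above can be checked before anything is typed into the CAM. The script below is an added example, not CAS code (the CAS exposes no such API): given a constructed list of user subnets with their untrusted VLAN ID and the number of Layer 3 hops between them and the CAS, it emits a static route for anything one or more hops away and a managed subnet entry for everything Layer 2 adjacent, fills in the IP field per CAS mode (the clients' default gateway in Real-IP Gateway mode, a verified-unused address in Virtual Gateway mode), and rejects the two configuration mistakes that produce the "LAN deployment is not working" call: a VLAN ID reused across entries and overlapping managed subnets. The `next_hop` field for static routes is an assumption about the untrusted-side router, which the post does not describe.

```python
"""Plan the Managed Subnet and static route entries a CAS needs for a list
of user subnets, and pick or validate the IP each entry uses per CAS mode.

Added example, not CAS code. Input records are constructed; the rules are
those stated in the post."""
import ipaddress
from typing import Dict, List


def first_unused(net, taken):
    """Virtual Gateway needs an UNUSED host address in the subnet: not the
    real gateway and not any client."""
    for host in net.hosts():
        if host not in taken:
            return host
    raise ValueError(f"no free address in {net}")


def check_no_overlap(managed: List[Dict]) -> None:
    """Two managed subnets that overlap would give the CAS two logical
    interfaces claiming the same clients."""
    nets = [ipaddress.ip_network(e["subnet"]) for e in managed]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"managed subnets {a} and {b} overlap")


def plan_entries(records: List[Dict], mode: str) -> List[Dict]:
    """records: dicts with subnet (CIDR), hops (0 = Layer 2 adjacent to the
    CAS untrusted interface), and for L2 subnets vlan (untrusted VLAN ID),
    gateway (clients' default gateway) and used (IPs already in use); for
    routed subnets next_hop (assumed untrusted-side router).
    mode: "real-ip" or "virtual-gateway"."""
    if mode not in ("real-ip", "virtual-gateway"):
        raise ValueError("mode must be real-ip or virtual-gateway")
    entries: List[Dict] = []
    seen_vlans: Dict[int, str] = {}
    for rec in records:
        net = ipaddress.ip_network(rec["subnet"], strict=True)
        if rec["hops"] > 0:
            # one or more L3 hops away: static route, never a managed subnet
            entries.append({"subnet": str(net), "action": "static-route",
                            "next_hop": rec.get("next_hop")})
            continue
        vlan = rec["vlan"]
        if vlan in seen_vlans:
            raise ValueError(f"VLAN {vlan} already carries {seen_vlans[vlan]}")
        seen_vlans[vlan] = str(net)
        gateway = ipaddress.ip_address(rec["gateway"])
        if gateway not in net:
            raise ValueError(f"gateway {gateway} is not inside {net}")
        if mode == "real-ip":
            ip = gateway        # router on a stick: the CAS IS the clients' gateway
        else:
            taken = {gateway, *map(ipaddress.ip_address, rec.get("used", []))}
            ip = first_unused(net, taken)
        entries.append({"subnet": str(net), "action": "managed-subnet",
                        "ip": str(ip), "mask": str(net.netmask), "vlan": vlan,
                        "description": f"Untrusted VLAN {vlan}, {net}, {mode} mode"})
    check_no_overlap([e for e in entries if e["action"] == "managed-subnet"])
    return entries


# Constructed design: two L2-adjacent user VLANs and one routed campus block.
SAMPLE_DESIGN = [
    {"subnet": "10.10.20.0/24", "vlan": 20, "hops": 0,
     "gateway": "10.10.20.1", "used": ["10.10.20.2", "10.10.20.3"]},
    {"subnet": "10.10.30.0/24", "vlan": 30, "hops": 0,
     "gateway": "10.10.30.1", "used": []},
    {"subnet": "10.20.0.0/16", "hops": 2, "next_hop": "10.10.20.1"},
]

if __name__ == "__main__":
    for entry in plan_entries(SAMPLE_DESIGN, "virtual-gateway"):
        print(entry)
```

Run it once in each mode and compare: in Real-IP Gateway mode the two managed subnet entries use the gateway addresses, in Virtual Gateway mode they use the first address not already taken, and the /16 two hops away becomes a static route in both cases.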


Managed Subnets are something that is overlooked a lot, but after you take the time to understand them, they really are just another check on the deployment checklist. Next time you are practicing NACA, make sure to create a lab scenario that requires managed subnets! Cheers!

Source: CAS Admin Guide

Wednesday, June 6, 2007

Mapping Users to Roles using LDAP

Cisco posted a new Configuration Guide on how to use LDAP to map users to roles. This is relevant for any deployment integrating with LDAP as an auth server (e.g. Active Directory) or performing LDAP lookup with AD SSO.

NAC(CCA) 4.x: Map Users to Certain Roles Using LDAP Configuration Example

Make sure you check it out before your next LDAP auth server deployment.

Saturday, June 2, 2007

Cisco NAC Appliance Book

Finally, after many years, the first Cisco NAC Appliance book will be released this coming August! A lot of very good engineers have contributed to this book, including the NACA TMEs! It is definitely going to be something worth picking up and reading!

Cisco NAC Appliance: Enforcing Host Security with Clean Access

Book Description:

The ultimate reference guide for the Cisco NAC (Network Access Control) Appliance with easy-to-follow guides to major security applications
- Learn how Network Admission Control can make your network more secure
- Prevent security breaches by checking for and enforcing a host security policy at the network edge
- Master the design, configuration, deployment, and troubleshooting of the NAC Appliance solution

Cisco NAC Appliance from Cisco Press presents an overview of real world Cisco NAC Appliance (formerly known as Clean Access) deployment scenarios. The book provides best practices for communicating to the user community before deploying the NAC Appliance and how best to plan/design for the eventual merger of NAC framework and NAC Appliance solutions. The majority of viruses and worms in existence today would be successfully stopped using an up to date operating system along with an up to date anti-virus client. The concept of checking how up to date a host's operating system, antivirus client, and spyware removal tools are before they are given access to the network is relatively new. It is not so much the operating system's or anti-virus client's lack of ability to stop the majority of attacks so much as it is a company's lack of ability to enforce, at the network layer, security policies that require endpoint systems to have updated patches and AV software installed. This ability is the essence of what the Cisco NAC Appliance provides. This book is the ultimate reference to the Cisco NAC Appliance, and is an essential book in the library of any networking professional that works on host security or security policy enforcement.

About the Author:

Jamey Heary, CCIE No. 7680, is a Security Consulting Systems Engineer at Cisco. Jamey also holds CISSP, CCSP, CCNP, CCDP, and Microsoft MCSE certifications, and is a Certified HIPAA Security Professional. He has a B.S. from St. Lawrence University.

Book Details:

Paperback: 550 pages
Publisher: Cisco Press; 1 edition (August 8, 2007)
Language: English
ISBN-10: 1587053063
ISBN-13: 978-1587053061