Friday, June 22, 2007

Managed Subnets


The most misunderstood topic of the configuration of NACA is Managed Subnets. Every time I get a call about a LAN deployment, which is not working, the first thing I say is "Managed Subnets!". Hopefully, by reading this you will start to understand the taboo term and know when/where to configure Managed Subnets.

Managed Subnets Theory:

"For all CAS modes in L2 deployments (Real-IP/Virtual Gateway) when configuring additional subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface."

The first question you must ask during deployment is "are there more than one VLAN on the untrusted side of the CAS?" If so, you need to give the CAS "logical interfaces" so that the CAS can "manage" those vlans/subnets. The best way to think about managed subnets is to think about a "router on a stick" deployment; A single interface has multiple sub-interfaces in order to reduce the quantity of physical interfaces on the router. This concept can be applied to the CAS. The CAS uses DOT1Q trunking to logically manage multiple subnets. Why does the CAS need to do this? The CAS needs to be able to communicate with the clients on each of the subnets connected to it untrusted interface. This includes things like Web Redirection, SWISS Protocol, etc. The first step in communication is being able to arp and without managed subnets the CAS cannot arp for the clients off of its UnTrusted interface.

When to use Managed Subnets:

"Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS. For all CAS modes in L3 deployment, Static Routes must be configured for the user subnets that are one or more hops away. Managed subnets should not be configured for these subnets. "

Layer 2 Deployment = Managed Subnets

Layer 3 Deployments = Static Routes

This logic can be used for In-Band/Out-of-Band, Real-IP/Virtual Gateway, Central/Edge Deployments. If you are a newbie to NACA please review the NACA ChalkTalks(CCO Login Required) before thinking too much into this.

How to configure Managed Subnets:

Managed Subnets are configured for each CAS at Device Management - Clean Access Server - manage X.X.X.X - Advanced - Managed Subnet

There are four configuration fields:

IP Address - This value varies based on the type of deployment:
  • Real-IP Gateway: Think of router on a stick. This ip address will be the Default Gateway for the clients on the UnTrusted VLAN.
  • Virtual Gateway: This needs to be an UNUSED IP address on the network.
Subnet Mask - Mask for the ip address used above.

VLAN ID - This is the VLAN ID of the UnTrusted VLAN. EVEN when using Virtual Gateway.

Description - Let remember that the next engineer might not understand managed subnets and needs to read this to get a better understand. Use best practice descriptions.

Figure 1 - Sample Managed Subnet


Managed Subnets are something that are overlooked a lot, but after you take the time understand them, they really are just another check on the deployment checklist. Make sure that the next time you are practicing NACA, create a lab scenario that requires managed subnets! Cheers!

Source: CAS Admin Guide

Wednesday, June 6, 2007

Mapping Users to Roles using LDAP

Cisco Posted a new Configuration Guide on how to use LDAP to map users to roles. This is relevant for any deployment integrating with LDAP as an auth server (e.g. Active Directory) or performing LDAP lookup with AD SSO.

NAC(CCA) 4.x: Map Users to Certain Roles Using LDAP Configuration Example

Make sure you check it out before your next LDAP auth server deployment.

Saturday, June 2, 2007

Cisco NAC Appliance Book

Finally after many years the first Cisco NAC Appliance book will be released in this coming August! A lot of very good engineers have contributed to this book, including the NACA TMEs! It is definately going to be something worth picking up and reading!

Cisco NAC Appliance: Enforcing Host Security with Clean Access

Book Description:

The ultimate reference guide for the Cisco NAC (Network Access Control) Appliance with easy-to-follow guides to major security applications
- Learn how Network Admission Control can make your network more secure
- Prevent security breaches by checking for and enforcing a host security policy at the network edge
- Master the design, configuration, deployment, and troubleshooting of the NAC Appliance solution

Cisco NAC Appliance from Cisco Press presents an overview of real world Cisco NAC Appliance (formerly known as Clean Access) deployment scenarios. The book provides best practices for communicating to the user community before deploying the NAC Appliance and how best to plan/design for the eventual merger of NAC framework and NAC Appliance solutions. The majority of viruses and worms in existence today would be successfully stopped using an up to date operating system along with an up to date anti-virus client. The concept of checking how up to date a host's operating system, antivirus client, and spyware removal tools are before they are given access to the network is relatively new. It is not so much the operating system's or anti-virus client's lack of ability to stop the majority of attacks so much as it is a company's lack of ability to enforce, at the network layer, security policies that require endpoint systems to have updated patches and AV software installed. This ability is the essence of what the Cisco NAC Appliance provides. This book is the ultimate reference to the Cisco NAC Appliance, and is an essential book in the library of any networking professional that works on host security or security policy enforcement.

About the Author:

Jamey Heary, CCIE No. 7680 is a Security Consulting Systems Engineer at Cisco. James also holds CISSP, CCSP, CCNP, CCDP, and Microsoft MCSE certifications, as well as a certified HIPAA Security Professional. He has a B.S. from St. Lawrence University.

Book Details:

Paperback: 550 pages
Publisher: Cisco Press; 1 edition (August 8, 2007)
Language: English
ISBN-10: 1587053063
ISBN-13: 978-1587053061