topic Re: How build NAC? in Network Security

How build NAC?

titans2011 — Fri, 21 Feb 2020 12:20:43 GMT

Hi all.
I have a few questions. I am a student. I'm writing a diploma. In its work, using equipment Cisco. I passed the level of CCNA. But I really urgently need to do a layout for my thesis work.
Raw data:
Cisco Switch 3550, it set up VLAN
Router 2600XM, makes routing between VLAN
I have the Cisco NAC appliance running in VMware. There is a server and manager. Version 4.1.
Questions:
If you configure a server manager, can run the server independently, without access to a manager?
Does this technology Encrypt packets ?
It was my first encounter with this technology. Nobody is helping me. I need that would be on the client computer to install a program that checks their computer for the updated operating system. For me it is difficult to follow the material Cisco Guid (a lot of material, an urgent need to make a working model), can you give me a link to build such a network (server, manager, and if need to Cisco), or briefly describe how to do this?
Thanks in advance.

Re: How build NAC?

edwjames — Mon, 16 May 2011 19:29:05 GMT

Hi Max

Server Without manager is of No use.

Server only enforces, Manager manages and contains most of the configuration.

IPSEC Tunnels are formed between CAS and CAM.

The NAC agent that checks for Antivirus , etc on the Operating System Can be pushed through the CAM( The Manager) .

if the CAM is updated via the internet connection it will contain the latest versions.

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_admin.html

There is no particular document for just the configuration what you need. But keep asking whatever you dont understand.

Help will be provided.

Re: How build NAC?

titans2011 — Mon, 16 May 2011 19:53:12 GMT

I'm a little confused. Thank you for providing the link.
I am interested in the following. I read somewhere that you need to configure switch or router AAA authorization, or that either associated with the radius, whether you want to do this?
My master's work involves innovation that I'll be using both asymmetric and symmetric encryption packages. In addition to encryption, NAC, wanted to use a vpn, with a different encryption. But my supervisor said it was stupid. How do you think ?

Re: How build NAC?

edwjames — Mon, 16 May 2011 20:04:01 GMT

Hi Max

YES VPN can be used with NAC.

https://supportforums.cisco.com/thread/237738

You might have heard about the Cisco secure ACS which understands radius and tacacs+ for authentication and authorization.

You have mistaken something here, NAC- Network Admission Control is all about End-Point security and ACS is Identity management and security .

Yes NAC can have an ACS as an external database from where you can authenticate and even Authorize using another Radius Server Behind ACS.

So the flow goes this way. NAC--> ACS--> Radius Server.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html

any doubts !

Regards

Eddy

Re: How build NAC?

titans2011 — Tue, 17 May 2011 06:10:04 GMT

Thanks for the replies.I Have any more questions.

When installing the server, the following questions arise:
At the beginning of the server's configuration:
Please enter the IP address for the interface eth0
This address is connected to the manager server?

The default gateway should point to a manager or a router that provides Internet access?

Next. Vlan Id Passthrough for packets from eth0 to eth1 is disabled. Would you like to enable it?

What this question means? Do I need to enable it?

Same question.

Management VLAN Tagging for egress packets of eht0 is disabled. Would you like to enable it?

What this question means? Do I need to enable it?

Please enter the IP addresses for the name servers.

This item requests that enter the DNS server?

After installing the server, do I needed any further configure it?

People often ask me how to check Agent operating systems. If the Windows everything is clear, then how is checked on unix systems?

Is there a program for smartphones, android, windows mobile ...?

Regarding VPN, I want to use a single server based on Microsoft Windows 2008. I plan to do a double encryption package, one encrypts CIsco, second server VPN.
That scheme is that you gave me with the VPN, supported CIsco, which in this scheme, there are pros?
Maxsim

Regards

Re: How build NAC?

edwjames — Tue, 17 May 2011 14:34:34 GMT

The eth0 of the CAS is connected to the trusted side of your network, it could be a switch for Eg.

It is not connected to the CAM. In VG setup the CAM and the CAS have to be in Different VLANs.

In REAL-IP Setup Theycould be connected in Same VLANs.

Router Should be the default gateway.

dont Enable VLAN ID passthrough.

InVG you will do VLAN Mapping and in Real-IP you will do routing so no nee for the pass through option.

You would like to enable management VLAN Tagging for the eth0 but not the eth1.

bacause you always manage the devices through eth0.

It just asks for the DNS server ip.

if you are using DNS resolution later when you setup, you would want to configure it.

Windows is checked well by the agent.

In MAC you can check the antivirus only.

Linux and other Mobile devices might just be authenticated and not checked for Antivirus,etc.

Support for Other OS is being worked by the DEVs.

VPN traffic can be made to pass through NAC and checked.

2 ways- j

1)just traffic passing through.

flow-remote user-->NAC-->internal network-->ASA(vpn termination point)

2)Termination and VPN SSO

flow-remote user-->ASA-->NAC-->internal network

Install guide:http://www.cisco.com/en/US/docs/security/nac/appliance/installation_guide/hardware/48/hi_instal.html

Regards

eddy

Re: How build NAC?

titans2011 — Tue, 17 May 2011 15:23:38 GMT

I do not technically get spread CAS and CAM in different VLAN. Can I use one adressnoy network. For example:
CAS 172.16.0.1
CAM 172.16.0.2
Default Gateway (router) 172.16.0.3?

Re: How build NAC?

edwjames — Tue, 17 May 2011 15:47:55 GMT

Max ,you need to use different subnets for assigning addresses to CAM and CAS and then assign them different vlans on the switch they connect to.you

can use /30 subnets so that you save ip addresses.

I Have attached a drawing, Is this what you are planning to make.

I also want to know which setup mode you want to deploy your CAS in ?

VG or Real-ip.

Regards

eddy

Re: How build NAC?

titans2011 — Tue, 17 May 2011 19:31:53 GMT

Sorry, What is VG?

I made a diagram of my network. Here is the configuration of Server and Manager.

CAM:
Please enter the IP address for the interface eth0 []: 172.16.0.3
You entered 172.16.0.3 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 172.16.0.1
You entered 172.16.0.1 Is this correct? (y/n)? [y]
Please enter the hostname [localhost.localdomain]:
You entered localhost.localdomain Is this correct? (y/n)? [y]
Please enter the IP addresses for the name servers [172.16.0.2] :
You entered 172.16.0.2 Is this correct? (y/n)? [y]
After date and time ...
Enter fully qualified domain name or IP: 172.16.0.2
Enter organization unit name: Hotel
Enter organization name: Cisco
Enter city name: Odessa
Enter state code: Ukraine
Enter 2 letter country code: UA
Is this correct? (y/n)? [y]
New Unix password
Install has completed. Press to reboot.

CAS:
Please enter the IP address for the interface eth0 []: 172.16.0.1
You entered 172.16.0.1 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 172.16.0.2
You entered 172.16.0.2 Is this correct? (y/n)? [y]
[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.
Would you like to enable it? (y/n)? [n]
[Management Vlan Tagging] for egress packets of eth0 is disabled.
Would you like to enable it? (y/n)? [n]
Please enter the IP address for the untrusted interface eth1 []: 192.168.100.2
You entered 192.168.100.2 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth1 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 192.168.100.1
You entered 192.168.100.1 Is this correct? (y/n)? [y]
[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.
Would you like to enable it? (y/n)? [n]
[Management Vlan Tagging] for egress packets of eth1 is disabled.
Would you like to enable it? (y/n)? [n]
Please enter the hostname [localhost.localdomain]:
You entered localhost.localdomain Is this correct? (y/n)? [y]
Please enter the IP address for the name server: []: 172.16.0.2
You entered 172.16.0.2 Is this correct? (y/n)? [y]

Given your previous answer, How better rewrite subnet?

These two options are still on the virtual machines, VMware. I have to test, including machines with Windows XP, set the IP 172.16.0.2, and I can not ping not 172.168.0.1, not 172.168.0.3. Although yesterday, I installed the CAS and the CAM, but not as written above in the configuration, and I was able to enter the administration panel. But today I can not do it, and even goes ping. In what may be the problem?

Regards

Maxsim

Re: How build NAC?

edwjames — Wed, 18 May 2011 17:04:40 GMT

First of all,

VG- Virtual gateway mode

It is the mode that the CAS functions in if you want it to act as a bridge or a bump in a wire. It will just map the VLANs from untrusted to the trusted side.

CAM and CAS cannot be in the same subnet.

CAM gateway as you have mentioned is 172.16.0.1.

which is the CASs IP....., you have to create an SVI on the switch which will be the gateway for the CAM.

Similarly for the CAS, an SVI on the switch will be the default gateway for the trusted eth0 of CAS.

Hostname is used if you have DNS configured properly, you can configure it here, but when you do High Availabilty or When you open the GUI of the CAM using we browser, use the hostname only if you have DNS configured.

Maybe the new ips may have left you out of the box,

try doing service perfigo config again if you can go into the root access of the device,

or else re-image it on VMWARE.

If i missed something here, kindly requote them in the next post.

Regards

eddy

Re: How build NAC?

titans2011 — Wed, 18 May 2011 19:24:22 GMT

Firstly I want to thank you for such complete answers. I hope you explain to me until the end that I could make a fully working model.
From the above described positions, not understand for me a few things:
1. If I do not have DNS, then how can I when you install CAS indicate that I do not use DNS server?
2. I realized that the CAM need to specify the gateway CAS. And for the CAS in eth0 need to specify the gateway to himself CAM?

3. When I specify during the installation of CAS local name, I must already be running a DNS server?
In the near future, I will install as you suggested to me, and report the results. I hope soon to begin setting up of the CAM via the web interface. For me, this part of the setup is hard. because I do not really understand the principle of setting.

Regards

Maxsim

Re: How build NAC?

titans2011 — Thu, 19 May 2011 16:26:05 GMT

Hello.
Today I did a great job on the installation server. Attach the network diagram. I report on the steps that I did.
The first thing I re-install CAS and CAM.
Here's the new configuration.

I made DNS record. Zone: Hotel.
Install CAM:
Please enter the IP address for the interface eth0 []: 172.17.0.2
You entered 172.17.0.2 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 172.17.0.1
You entered 172.17.0.1 Is this correct? (y/n)? [y]
Please enter the hostname [localhost.localdomain]:
You entered localhost.localdomain Is this correct? (y/n)? [y]
Please enter the IP addresses for the name servers [172.18.0.2] :
You entered 172.18.0.2 Is this correct? (y/n)? [y]
After date and time ...
Enter fully qualified domain name or IP: 172.18.0.2
Enter organization unit name: Hotel
Enter organization name: Cisco
Enter city name: Odessa
Enter state code: Ukraine
Enter 2 letter country code: UA
Is this correct? (y/n)? [y]
New Unix password
Install has completed. Press to reboot.

Install CAS:
Please enter the IP address for the interface eth0 []: 172.16.0.1
You entered 172.16.0.1 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 172.17.0.2
You entered 172.17.0.2 Is this correct? (y/n)? [y]
[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.
Would you like to enable it? (y/n)? [n]
[Management Vlan Tagging] for egress packets of eth0 is disabled.
Would you like to enable it? (y/n)? [n]
Please enter the IP address for the untrusted interface eth1 []: 192.168.100.2
You entered 192.168.100.2 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth1 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 192.168.100.1
You entered 192.168.100.1 Is this correct? (y/n)? [y]
[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.
Would you like to enable it? (y/n)? [n]
[Management Vlan Tagging] for egress packets of eth1 is disabled.
Would you like to enable it? (y/n)? [n]
Please enter the hostname [localhost.localdomain]:
You entered localhost.localdomain Is this correct? (y/n)? [y]
Please enter the IP address for the name server: []: 172.18.0.2
You entered 172.18.0.2 Is this correct? (y/n)? [y]
After date and time ...
Enter fully qualified domain name or IP: 172.18.0.2
Enter organization unit name: Hotel
Enter organization name: Cisco
Enter city name: Odessa
Enter state code: Ukraine
Enter 2 letter country code: UA
Is this correct? (y/n)? [y]
New Unix password
Install has completed. Press to reboot.

Then I have a problem with routing. Since the router will route to untrusted networks, I thought, what can be done on the bridge between the L3 switch CAS, CAM and VPN server. I got to emmulirovat in Packet Tracer, but I could not do it on real hardware.

I used command:

# spanning-tree portfast default

Then gave the IP: 107, 101, 102 VLAN

However, the bridge is enabled on all VLAN. Is it possible in this case to make such a route, and how?

This is configuration in Switch:
Switch#sh run
Building configuration...

Current configuration : 4936 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.11
ip dhcp excluded-address 192.168.1.11
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.11
!
ip dhcp pool net2
!
ip dhcp pool VLAN50
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
!
ip dhcp pool VLAN51
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
!
ip dhcp pool VLAN52
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
!
vtp domain CoWS
vtp mode transparent
!
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 100,105
!
!
!
!
vlan 10,42
!
vlan 50
name VLAN50
!
vlan 51
name VLAN51
!
vlan 52
name VLAN52
!
vlan 53
name quarantine
!
vlan 100
name VLAN100
!
vlan 101
name VLAN101
!
vlan 102
name VLAN102
!
vlan 105
name vlan105
!
vlan 107
name vlan107
!
vlan 456
name healthy
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet0/2
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
switchport mode dynamic desirable
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport access vlan 50
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 51
switchport mode access
!
interface FastEthernet0/19
switchport access vlan 52
switchport mode access
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface FastEthernet0/25
switchport mode dynamic desirable
!
interface FastEthernet0/26
switchport mode dynamic desirable
!
interface FastEthernet0/27
switchport mode dynamic desirable
!
interface FastEthernet0/28
switchport mode dynamic desirable
!
interface FastEthernet0/29
switchport mode dynamic desirable
!
interface FastEthernet0/30
switchport mode dynamic desirable
!
interface FastEthernet0/31
switchport mode dynamic desirable
!
interface FastEthernet0/32
switchport mode dynamic desirable
!
interface FastEthernet0/33
switchport mode dynamic desirable
!
interface FastEthernet0/34
switchport mode dynamic desirable
!
interface FastEthernet0/35
switchport mode dynamic desirable
!
interface FastEthernet0/36
switchport mode dynamic desirable
!
interface FastEthernet0/37
switchport mode dynamic desirable
!
interface FastEthernet0/38
switchport mode dynamic desirable
!
interface FastEthernet0/39
switchport mode dynamic desirable
!
interface FastEthernet0/40
switchport access vlan 107
switchport mode access
!
interface FastEthernet0/41
switchport mode dynamic desirable
!
interface FastEthernet0/42
switchport access vlan 101
switchport mode access
!
interface FastEthernet0/43
switchport mode dynamic desirable
!
interface FastEthernet0/44
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/45
switchport mode dynamic desirable
!
interface FastEthernet0/46
switchport access vlan 102
switchport mode access
!
interface FastEthernet0/47
switchport access vlan 105
switchport mode access
!
interface FastEthernet0/48
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
!
interface Vlan50
no ip address
!
interface Vlan51
no ip address
!
interface Vlan52
no ip address
!
interface Vlan100
ip address 192.168.100.111 255.255.255.0
!
interface Vlan101
ip address 172.16.0.3 255.255.255.0
!
interface Vlan102
ip address 172.18.0.1 255.255.255.0
!
interface Vlan107
ip address 172.17.0.1 255.255.255.0
!
ip classless
ip http server
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
!
end

I then checked the ping. Ping the CAM. Since routing is not configured on the server, made a ping to CAS with the switch. Not in a straight line, not the other way ping fails. So it is necessary?
Waiting for your reply, because after I will add routing to the servers, I can start setting up further.
And one more request. Can check the gateway from CAS and CAM, whether I have?

Re: How build NAC?

edwjames — Thu, 19 May 2011 18:05:50 GMT

Hi Max,

Your initial setup on the CAS and CAM is fine.

From your setup as you have different setup has different subnets on both sides of the CAS(eth0 and eth1) i deduced that you are deploying your CAS in Real-IP(routed) mode.

As you are doing the router on a still model, it should work fine.

I am not 100 percent sure about the switch configuration.

As per your setup you are doing In-Band setup.

I can give you the basic configuration of the switch in that mode and you can check.

You can tell your email-ID and i might be able to help you on that.

Because looking at the whole switch from my perspective is a bit difficult.

You will able to look at it in the right angle.

I will give you a sample config and you can double check with it.

how does that sound?

I did not understand the last line of your Post.

regards

eddy

Re: How build NAC?

edwjames — Thu, 19 May 2011 18:09:18 GMT

the answers are below.

From the above described positions, not understand for me a few things:
1. If I do not have DNS, then how can I when you install CAS indicate that I do not use DNS server?

ans-no need to indiacte, use the ip to access the cas, for now
2. I realized that the CAM need to specify the gateway CAS. And for the CAS in eth0 need to specify the gateway to himself CAM?

CAM cannot be the CAS gateway vice versa. Tehgateway for CAS on eth0 should be the next hop which will help reach the CAM and vice versa.

3. When I specify during the installation of CAS local name, I must already be running a DNS server?
In the near future

No nedd for DNS initially, You can give a name, it is locally significant.

In future DNS would be useful.

Re: How build NAC?

titans2011 — Thu, 19 May 2011 18:18:26 GMT

Well. id-email it's mean just email? I have a odesskia@gmail.com

I agree that it is difficult to configure.

What can you say about the ping. Should ping CAS?

Re: How build NAC?

edwjames — Wed, 25 May 2011 14:25:17 GMT

So if you need any other help...

Re: How build NAC?

titans2011 — Wed, 25 May 2011 18:11:31 GMT

Well. I set up a network so as you said, I understood all the points, trying to connect to the Web site.
I am interested in this question: what is the latest version of NAC? What's new in this version: in comparison with the old?

Re: How build NAC?

edwjames — Wed, 25 May 2011 21:00:54 GMT

The latest version of NAC appliance is 4.8.2.

The latest version of the NAC agent is nacagentsetup-win-4.8.2.1.

Re: How build NAC?

titans2011 — Mon, 30 May 2011 07:27:01 GMT

Well. I configure CAS and CAM from link in your first answer. I think this is not full guide, because i found link in CAM, where i need add CAS. After added, server report that he look CAS, And i test to client connect to CAS. But i not have any answer from CAS, and look in log that erorr. What' i need to do?