12-31-2007 05:55 AM - edited 02-21-2020 01:50 AM
I've found a lot of good detailed information on configuration of Cisco NAC appliances, and the general functions. But not a good, high-level walk-through of the steps the appliances/solution handle in an OOB deployment for handling new connections to a LAN.
Something along the lines of: a user connects to the LAN, is given addressing from a DHCP server, then <somehow?> the workstation is directed to the NAC appliance, where it checks for the presence of any required agents, checks against security requirements, then... etc. (Remediation servers involved here, etc.)
Is there a high-level description of the flow, what/how the NAC appliances interact with DHCP servers, remediation servers, and any high-level description of required configurations in AAA servers, DHCP servers, remediation servers in order for them to work with the NAC appliances in this configuration?
Thanks!
01-02-2008 07:12 AM
Are you looking for Layer 2 or Layer 3 OOB scenarios? If L3, I can do a quick write-up for you, but don't want to go through the detail unless it's what you're looking for.
-Mike
01-02-2008 08:01 AM
Thanks Mike. Layer-3 OOB.
01-02-2008 12:25 PM
Hi Mike,
Please post the write up. I understand it but am always looking for better ways to explain the process. You rate a "5" in my book for volunteering.
Best,
Paul
01-04-2008 08:28 AM
Here we go:
Pre-Configuration:
1) Any managed switches must be built in on the CAM and the required configuration for switch SNMP traps must be used. This is important as it controls the CAM's visibility over user connects.
2) In L3 OOB the CAS can be placed physically anywhere. We have it in our data center.
3) Plan your VLANs. Let's say we have a remote location with 2 VLANs:
VLAN 0005 - NAC Auth
VLAN 0010 - User Access
This is important because in L3 OOB, you control traffic on the layer 3 boundary of the VLAN (i.e. the VLAN's default gateway, which is typically a router) using ACLs. An ACL on the "auth" VLAN controls where users can access before being certified. Typically this would allow traffic to the CAS and remediation servers. Then, for the "clean" VLAN, the ACL must prevent traffic from flowing to the CAS by denying traffic to it. So you would have a config like:
int gig0/0.5
 description NAC Authentication Default Gateway
 encapsulation dot1Q 5
 ip address
 ip helper-address
 ip access-group NAC-AUTH in
ip access-list extended NAC-AUTH
 ! Permit traffic to CAS for authentication
 permit ip any host
 permit ip any host
 permit ip any host
 ! Deny everything else so non-certified users can't access network resources
 deny ip any any
int gig0/0.10
 description NAC Certified Users Default Gateway
 encapsulation dot1Q 10
 ip address
 ip helper-address
 ip access-group NAC-CLEAN in
ip access-list extended NAC-CLEAN
 ! Deny will keep the NAC agent from constantly attempting to re-authenticate
 deny ip any host
 ! Then let all other traffic through as we're a "clean" user
 permit ip any any
4) Clients will receive all IP addresses from a DHCP server. In our deployment we use the "ip helper-address" command to forward DHCP requests to our DHCP cluster. You'll need a pool for each NAC VLAN you have.
So what does the NAC experience look like? Here's the flow:
1) A new user plugs into a NAC-managed switch. The switch sends an SNMP trap to the CAM that a new interface has come online.
2) The CAM detects the user is not already authenticated, so it changes the configuration of the port to place the user on VLAN 5. The user receives an IP address from the DHCP cluster.
3) Due to the restrictions of the NAC-AUTH ACL, the user has limited access. The NAC agent on the workstation continues to poll for a live CAS at a configured address. Since that traffic is permitted, the agent prompts for authentication.
4) Depending on your scenario, the user may enter credentials or may not need to if using Active Directory single sign-on.
5) If the user passes authentication, the posture validation of the client begins.
6) If the user does NOT pass posture assessment, they are left on the NAC-AUTH VLAN and are required to update as necessary. The agent will then pop up again after a defined interval for authentication and the posture assessment will begin again.
7) Once the user is "clean", the CAM now changes the configuration of the switch again and puts the user onto VLAN 10. Once the VLAN is changed the user's client will request a new IP address and receive one from the DHCP cluster.
8) Now the user's traffic is limited by the NAC-CLEAN ACL. Since this ACL blocks access to the CAS, the agent doesn't pop up and the user is left on the "clean" VLAN.
9) If the user unplugs or the re-certification timer expires, the port is placed back into VLAN 5 and the next user will go through the same process, or the same user will have to re-certify.
-Mike
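As an added check (not part of Mike's post or of the Cisco NAC product), here is a small Python script that parses a pair of IOS extended ACLs shaped like the NAC-AUTH/NAC-CLEAN lists above and verifies the two properties the write-up relies on: the auth VLAN reaches only the CAS and remediation servers, and the clean VLAN denies the CAS ahead of its permit. The addresses 10.0.0.10 to 10.0.0.12 are constructed placeholders, since the post leaves the host fields blank.

```python
import re
# Constructed sample of the write-up's two ACLs; the host addresses are placeholders (the post left them blank).
NAC_AUTH = """ip access-list extended NAC-AUTH
 permit ip any host 10.0.0.10
 permit ip any host 10.0.0.11
 permit ip any host 10.0.0.12
 deny ip any any
"""
NAC_CLEAN = """ip access-list extended NAC-CLEAN
 deny ip any host 10.0.0.10
 permit ip any any
"""

def parse_acl(text):
    """Parse a simple IOS extended ACL into [(action, destination)] in listed order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        m = re.match(r"(permit|deny) ip any (?:host (\S+)|(any))$", line)
        if not m:
            raise ValueError("unsupported ACE for this checker: " + line)
        entries.append((m.group(1), m.group(2) or "any"))
    return entries

def first_match(entries, dst):
    """Top-down ACE evaluation; IOS ends every ACL with an implicit deny."""
    for action, target in entries:
        if target in ("any", dst):
            return action
    return "deny"

def check_l3_oob(auth_text, clean_text, cas_ip, remediation_ips):
    """Return findings; an empty list means the ACL pair matches the L3 OOB design."""
    auth, clean = parse_acl(auth_text), parse_acl(clean_text)
    allowed = {cas_ip, *remediation_ips}
    findings = []
    # Auth VLAN: only the CAS and remediation servers are reachable before certification.
    for action, target in auth:
        if action == "permit" and target not in allowed:
            findings.append(f"NAC-AUTH permits {target}, which is neither the CAS nor a remediation server")
    for ip in sorted(allowed):
        if first_match(auth, ip) != "permit":
            findings.append(f"NAC-AUTH blocks required host {ip}")
    # Clean VLAN: the CAS must be denied ahead of the permit, or the agent keeps prompting.
    if first_match(clean, cas_ip) != "deny":
        findings.append("NAC-CLEAN reaches the CAS, so the agent will keep prompting for authentication")
    return findings
```

Run it against the router's actual ACLs (via "show ip access-lists") whenever the CAS or remediation server addresses change; a swapped ACE order in NAC-CLEAN is the typical cause of the agent re-prompting certified users.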