10-23-2004 11:19 PM - edited 02-20-2020 11:42 PM
Hi Sir,
I set up Cisco NAC as a Proof of Concept for a customer. The following items are used:
(1) Cisco 2621XM Router, IOS 12.3(8)T4 ADVANCED SECURITY Feature Set
(2) CiscoSecure ACS 3.3 Trial version
(3) Trend Micro OfficeScan Corporate Edition 6.5 (using Trial license)
ACS is configured to generate a self-signed certificate, which is imported by OSCE for CTA deployment. I created a NAC external database called NAC-EXT-DB and an external policy called NAC-EXT-POLICY. The certificate being used is the one generated by Trend Micro Policy Server. The Forwarding Credentials are Cisco:PA and Trend:AV.
I created the full set of groups, i.e. Healthy, Checkup, Quarantine, Infected, and Unknown (posture-token=Healthy, =Checkup, =Quarantine, =Infected, and =Unknown, respectively). Under the database group mappings, I configured the token-to-user-group-mappings correctly. Under Unknown User Policy, I selected "Check the following external user databases" and the selected database is NAC-EXT-DB.
On Trend Micro Policy Server, I only added an OSCE server and configured "Default Normal Mode Policy" for the Normal policy and "Default Outbreak Mode Policy" for the Outbreak policy. The rest are default settings. Policy Server has no problem synchronizing with OSCE.
I performed tests for all five groups. A computer without the OSCE client (and thus without CTA) hit the Unknown group and was URL-redirected to the OSCE client installation website. A computer with an updated virus pattern hit the Healthy group. I tried to simulate the conditions for the other groups (e.g. I stopped the RealTime Scan service to simulate "Infected") but I got the following errors:
(1) The NAC router reports:
Sep 15 13:35:46: %EOU-6-SESSION: IP=172.16.1.3| HOST=DETECTED| Interface=FastEthernet0/0
Sep 15 13:35:46: %EOU-6-CTA: IP=172.16.1.3| CiscoTrustAgent=DETECTED
Sep 15 13:35:48: %EOU-5-RESPONSE_FAILS: Received an EAP failure response from AAA for host=172.16.1.3
Sep 15 13:35:48: %EOU-6-POSTURE: IP=172.16.1.3| HOST=REJECTED| Interface=FastEthernet0/0
Sep 15 13:35:48: %EOU-6-AUTHTYPE: IP=172.16.1.3| AuthType=EAP
(2) On ACS under Failed Attempts:
Message-Type = Authen failed
Authen-Failure-Code = External DB account Restriction
Reason = A token was not returned from a policy; Database-configuration=NAC-EXT-DB; Policy=NAC-EXT-POLICY
(3) In the TM Policy Server client validation logs, the Validation Result for host 172.16.1.3 was "Infected", which is correct. Somehow, Policy Server did not prompt the appropriate message on the client computer and did not take the client-side action specified by the matched rule. And ACS is complaining that a token was not returned.
Likewise, I simulated the Checkup condition by downgrading the virus pattern to one version older, and simulated the Quarantine condition by removing the virus pattern on the client computer. I got the same error as above. Despite these errors, Policy Server logged the Validation Result correctly (i.e. "Checkup" and "Quarantine").
In short, my NAC setup is only able to detect Healthy condition but fails to detect the other conditions. Please help.
Thank you.
B.Rgds,
Lim TS
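The router log above shows the pattern behind the failure: CTA is detected, then AAA returns an EAP failure and the posture is REJECTED. The following is an added example (not part of the original post) that parses %EOU syslog lines per host and flags that "CTA detected but AAA failed" combination, which is what to correlate with the ACS "A token was not returned from a policy" entry. The sample log is constructed from the lines quoted in the post plus an assumed healthy session; the HOST=AUTHORIZED wording for an accepted posture is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the %EOU lines quoted in the post for 172.16.1.3, plus an
# assumed healthy session for 172.16.1.4 (HOST=AUTHORIZED is assumed wording).
SAMPLE_LOG = """\
Sep 15 13:35:46: %EOU-6-SESSION: IP=172.16.1.3| HOST=DETECTED| Interface=FastEthernet0/0
Sep 15 13:35:46: %EOU-6-CTA: IP=172.16.1.3| CiscoTrustAgent=DETECTED
Sep 15 13:35:48: %EOU-5-RESPONSE_FAILS: Received an EAP failure response from AAA for host=172.16.1.3
Sep 15 13:35:48: %EOU-6-POSTURE: IP=172.16.1.3| HOST=REJECTED| Interface=FastEthernet0/0
Sep 15 13:35:48: %EOU-6-AUTHTYPE: IP=172.16.1.3| AuthType=EAP
Sep 15 13:36:02: %EOU-6-SESSION: IP=172.16.1.4| HOST=DETECTED| Interface=FastEthernet0/0
Sep 15 13:36:02: %EOU-6-CTA: IP=172.16.1.4| CiscoTrustAgent=DETECTED
Sep 15 13:36:03: %EOU-6-POSTURE: IP=172.16.1.4| HOST=AUTHORIZED| Interface=FastEthernet0/0
"""

EOU_RE = re.compile(r"%EOU-\d-(?P<mnemonic>[A-Z_]+): (?P<body>.*)")
IP_RE = re.compile(r"\b(?:IP|host)=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_eou(text):
    """Group %EOU events by host IP as (mnemonic, {field: value}) tuples."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = EOU_RE.search(line)
        ip = IP_RE.search(m.group("body")) if m else None
        if not ip:
            continue  # not an EOU line, or no host address to key on
        fields = dict(kv.strip().split("=", 1)
                      for kv in m.group("body").split("|") if "=" in kv)
        sessions[ip.group("ip")].append((m.group("mnemonic"), fields))
    return sessions


def classify(events):
    """Diagnose one host's EOU exchange from its parsed events."""
    names = {n for n, _ in events}
    cta = any(n == "CTA" and f.get("CiscoTrustAgent") == "DETECTED" for n, f in events)
    posture = next((f.get("HOST") for n, f in events if n == "POSTURE"), None)
    if not cta:
        return "no_cta"  # agentless host: expect the Unknown token and URL redirect
    if "RESPONSE_FAILS" in names and posture == "REJECTED":
        # CTA answered but AAA sent an EAP failure: check ACS Failed Attempts for
        # "A token was not returned from a policy" and the Policy Server logs.
        return "cta_detected_aaa_failure"
    if posture and posture != "REJECTED":
        return "posture_accepted"
    return "incomplete"


def diagnose(text):
    """Map each host IP in the log to its diagnosis."""
    return {ip: classify(ev) for ip, ev in parse_eou(text).items()}
```

Feeding the router's buffered log to `diagnose` gives one verdict per host, so a whole test run across the five groups can be checked at a glance instead of reading the EOU lines one by one.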
10-27-2004 06:39 PM
Lim,
Your summary is fantastic!
I have a NAC lab where I simulated what you described in detail here.
I had a similar experience to yours where I could only get the Trend Policy Server to return a Healthy or Unknown token. Both of these showed up in the Failed Authentication logs, where they really should show up in the Passed Authentication logs.
From what I recall, the Username that you specify in the External Policy had the wrong password or was disabled in the Computer Management --> Local Users setting on the Trend Server.
I also experienced a problem with all Tokens being returned as Failed Authentications because the Certificates were not consistent. The Trend Server needs the ACS Server's public certificate to send out with CTA. The Trend Server also needs to point to the CA Trusted Root, which I could not remember being set up. So I manually installed that on the Trend Server by right-clicking and Installing. The ACS server needs to have the same Root CA server in its settings in the Certificates Section and/or in the External Policy section.
My reply has not been as organized as your post, but I wanted to share some hurdles I overcame which might help you. I am going to repeat my tests from scratch again to see if I come across other hints.
Thanks for using NAC!!!
peter