Re: ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

ciscomoderator · ‎11-28-2005

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Reza Malekzadeh about Network Admission Control (NAC) which uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. Reza Malekzadeh is a product marketing manager for the Security Technology Group at Cisco Systems, focused on the Network Admission Control (NAC) initiative. Prior to joining Cisco, Mr. Malekzadeh was the co-founder of Twingo Systems, a provider of secure desktop solutions for untrusted computers. Twingo Systems was acquired by Cisco in 2004.

Remember to use the rating system to let Reza know if you have received an adequate response.

Reza might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 9, 2005. Visit this forum often to view responses to your questions and the questions of other community members.

t.reisinger · ‎11-28-2005

I try to identify a machine with CTA 2.0 client and the scripting interface, against an ACS server with an self written posture validation server (Apache/PHP Script). At the client network there is no possibility for NAC Layer 2/802.1x. Used Software NAC Phase 2 with the following versions ACS 4.0.23, CTA 2.0.26.

I have on the client an un-exportable machine certificate installed where I send via the scripting interface the serial number to the ACS. I need the HCAP definition for the different status messages from and to the ACS (certificate is valid = healthy, certificate is invalid = quarantine…). I can already “see” my certificate serial number on the ACS (with my own ADF file imported into ACS with certutil.exe), but there is no documentation about the communication between ACS <-> HCAP <-> External Posture Validation Server.

Script ini file on the client:

[main]

PluginName=ctascriptPP.dll

VendorID=9

VendorIDName=Cisco Systems

Styles=SupportAsync

AppList=cert-check

[cert-check]

AppType=61440

AppTypeName=cert-check

Sample AVP File on ACS:

[attr#0]

vendor-id=9

vendor-name=Cisco

application-id=61440

application-name=cert-check

attribute-id=32768

attribute-name=version

attribute-profile=in

attribute-type=version

attribute-value=2.0

[attr#1]

vendor-id=9

vendor-name=Cisco

application-id=61440

application-name=cert-check

attribute-id=32769

attribute-name=serial

attribute-profile=in

attribute-type=octet-array

attribute-value=0x3f 0xaa 0x91 0xf5 0x00 0x00 0x00 0x00 0x05 0x1f

I hope Cisco publishes this needed information, because I don’t understand the reason for an open script interface on the client side and closed information strategy on the ACS server side.

rmalekza · ‎11-28-2005

Hello,

the scrip[ting interface is designed to allow you to write custom scripts and run them out of band. It is designed to help IT Managers run custom checks.

However, the HCAP protocol that allows a third party posture server to talk to ACS is part of the NAC Partner Program. It is not a publicly published interface. It is available to ISVs who participate in the NAC Program at this time.

regards

reza

t.reisinger · ‎11-29-2005

1. For the IT Managers to "use" the custom checks outside of the ACS server (like my certificates) you don't have a chance, checkups inside the ACS are statically

2. I don't think, that Cisco want's for every "small-customer-special-solution” a new ISV participant. If YES, we will apply.

3. Do you see any chance to become a NAC-ISV with our small and very special solution?

rmalekza · ‎11-29-2005

The NAC Partner Program is open to all ISVs: small and big. If you have a solution that you develop and sell to end users, you are welcome to join the NAC Program. All the program details and online application form are posted at http://www.cisco.com/en/US/partners/pr46/nac/index.html

regards

reza

bangelucci · ‎11-29-2005

Which vendors (within the NAC program) currently support HCAP and can be configured as External Posture Validation Server on ACS 4.0?

t.reisinger · ‎11-29-2005

There is no "exact" list HOW the different vendors implemented there products. Only a list of vendors with a products name, you can search on the vendor homepage for further details. A few of them don't use HCAP (symantec, mcafee,...). There you can only query static parameters directly on the ACS Server. Trend Micro for example uses HCAP (but doesn't work in my test enviroment).

http://www.cisco.com/en/US/partners/pr46/nac/partners.html

rmalekza · ‎11-29-2005

Hello,

Today IBM, Trend Micro and CA are shipping complete solutions that include a back end policy server integration. For the latest list of all products integrated in NAC, please visit: http://www.cisco.com/en/US/partners/pr46/nac/partners.html

regards

reza

bangelucci · ‎11-30-2005

Hi,

I Have found the CA e-trust installation guide that explain how to deploy di agent with NAC, but I haven't found anything about the Command Centre (the management console of e-Trust) and the possibility to use as an external policy server with ACS. Have you tested it by any chance?

Thank you very much,

Barbara

rmalekza · ‎11-30-2005

Hello,

After checking with Computer Associates, this would be explained in the documentation that will come out when they introduce the PVS product for NAC. Hope this answers the question.

Regards

reza

Bryan.Carter · ‎12-07-2005

I have been attempting to get NAC 1 to work for the past two months in a very specific, limited scenario. We require any VPN client connecting via a 3005 Concentrator (4.1.7) to be to have Trand Micro OfficeScan client present, running, and up to date.

I have the VPN Concentrastor setup and the clients can connect.

I have the ACS server (3.3) setup and clients can connect.

I have the Trand Policy Server setup to provide Posture Validation. The certificates are installed. The CTA agent has been deployed to the test machine. (Is there a way to make this part of the VPN CLient install?)

It appears in the logs that everything is happening, yet no matter what I do at the client, it can still connect and the status is placed in Hold-Off.

What I need is a good, detailed set of instractions on how to get this working. I am pretty sure that I have all of the pieces in place, but can't find any docs from Trend or Cisco that takes you from Step 1 all the way through, including some troubleshooting.

Is there such documentation anywhere, and would you let me know how to get it?

Thanks

Bryan Carter

rmalekza · ‎12-08-2005

Hello,

We have a number of documents on our site, including a deployment guide with troubleshooting tips. Please visit http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

regards

reza

Russ LaPlante · ‎11-29-2005

Hello,

Is it possible to use Microsoft's IAS server to provide the Radius functionality necessary for NAC to operate? If not, what is unique about ACS that makes NAC possible?

Thanks, Russ

rmalekza · ‎11-29-2005

ACS is a mandatory component for NAC. It has the smarts to commununicate with our Network Access Devices. It can however be set up as a Radius proxy and not handle the user authentication piece but just the NAC Policy piece and communications.

regards

reza

cammaher · ‎11-29-2005

Hi,

Firstly, could someone point me in the right direction to download CTA 2.0? I am unable to find it anywhere on the Cisco website.

Also, we are in the design phase of deplying NAC in our network and I was hoping someone might be able to let me know of a good document (How-to guide) on deploying NAC? I have read all the 'overviews' but am after a low level deployment guide, especially on how to setup the ACS server for NAC.

Any help would be appreciated! Thanks,

Cam

ASK THE EXPERT  NETWORK ADMISSIONS CONTROL 2 (NAC2)

ASK THE EXPERT NETWORK ADMISSIONS CONTROL 2 (NAC2)