783 Views, 0 Helpful, 13 Replies

Securing Remote Users

bizsnatch
Level 1

I heard of a new product Cisco has out that works with ACS that allows you to Check MS patch levels and virus defs on a client when they dial up - and to deny them access if they don't meet certain criteria.

What is the name of this product?

13 Replies

bizsnatch
Level 1

OK

It's called Network Admission Control (NAC). It says it "will" be available on concentrators ... does anyone know a time frame?

thanks,

biz

pcomeaux
Cisco Employee

Like you found, it is called NAC.

http://www.cisco.com/go/nac

It will be available on the concentrators next Spring.

Until then, you can place a router behind the decrypted interface of the concentrator to perform the NAC check of the clients as they attempt to access your network.

Please let me know if you have any follow up questions and I will be glad to help.

peter

Peter

I've run through a few messages on NAC on these forums and I thank you for answering a lot of them.

At cisco.com/tac, I'm unable to find a section for NAC. I did find something for Trust Agent and Security Agent, but I am looking for more in-depth information about NAC, its configuration, design guides, etc.

For starters, I'd like to find out what routers & switches it is currently supported on, etc. I can find this by browsing 'Feature navigator' but I think there should be a better way to get this info.

If you have a CNAC folder in your bookmarks and are willing to share some of it, I'll appreciate that.

Thank you in advance

Peter

I did find a lot of information at cisco.com/go/nac but if you have anything else I could benefit from, I would appreciate it.

Hey there -

Here's a link to the Cisco Trust Agent support provided on the TAC website:

http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Hardware:Cisco_Trust_Agent

The best document I have learned the most from is this paper "Implementing Network Admission Control: Phase One Configuration and Deployment".

The other place I have learned the most from is by implementing NAC in a lab and with customers.

I'll summarize the components of NAC and you can follow up with questions that you may have:

Req'd Components:

- Network Access Device
  - IOS 12.3(8)T Adv Security and above
  - future goal - switches, pix, access points, vpn concentrator, etc (all points of connection into network)

- Policy Server
  - Cisco Secure ACS 3.3

- Trust Agent
  - Cisco Trust Agent - 1.0.53

Opt'l Components

- Antivirus
  - Trend Micro, Symantec, McAfee

- Host based Security
  - Cisco Security Agent

I can go into more details of whatever you would like, so please let me know.

thanks

peter

Peter

Thank you for your prompt and detailed reply.

I) Can the policy server be installed on the same machine as ACS?

II) What is the normal installation of a CNAC environment?

A) Installing Trust Agent with one of your partner's antivirus application products on endpoints, OR

B) Installing the Trust Agent & Security Agent bundle & the partner's antivirus application? Cisco's website states 'The Cisco Trust Agent is available free of charge and can be obtained directly from Cisco as a standalone application or bundled with Cisco Security Agent'

III) When installing the antivirus applications from Symantec or another vendor, is there a special edition of their software? For example, my company already owns Symantec Corp 9.0. Can we continue using this and integrate it with NAC?

IV) Are you officially responsible for helping out here? Just curious :)

Hey there -

My formatting didn't take well on the last post, sorry for any confusions.

Req'd Components:

- Network Access Device --> IOS 12.3(8)T Adv Security and above (future goal - switches, pix, access points, vpn concentrator, etc)

- Policy Server --> Cisco Secure ACS 3.3

- Trust Agent --> Cisco Trust Agent - 1.0.53

Opt'l Components

- Antivirus ---> Trend Micro, Symantec, McAfee

- Host based Security ---> Cisco Security Agent

1 - The Policy server is ACS 3.3. External Policy servers, such as Trend's Policy server can be used by ACS to determine specific information related to a subcomponent.

2 - The NAD (Router) can be placed anywhere in the network where you choose to restrict access. This can include:

- router between VPN concentrator and internal network

- router between wireless networks and internal LAN

- router as last L3 hop before outbound firewall

- router between conference room or other public ports and the internal network

The AV software you use will determine the method to deploy CTA with the necessary ACS certificate. Trend supports CTA being installed as a signature update. McAfee and Symantec will have this functionality in the near future.

CTA can be downloaded from the following website if you need to deploy it separately:

http://www.cisco.com/cgi-bin/tablebuild.pl/cta

3 - Yes, a minimum version of the AV software is needed for the CTA to be able to query the AV software for the different items that can be used to determine posture. This is done by way of a Posture Plugin that the AV companies have provided as CTA's interface to theirs. The latest information on the Cisco website indicates that Symantec will support NAC with their EDAP program in 2004 and in their Commercial products in 2005. Additional information included on the support slide shows SAV 9.0 and SCS 2.0. Please contact Symantec to see if their software is available.

4 - I do this for fun mostly and to help out customers who are willing to help themselves by researching, reading, and discussing what they are working on.

thanks!

peter

Pete

thanks for your answer. I understand that the Trust Agent is only an interface between the desktop protection application and the policy server.

Do you know if CSA-B100-DTOP-K9 is the security agent & trust agent bundled in one or is it only the trust agent?

Good question -

CTA (Cisco Trust Agent) does not have a Part #. It's a free download from cisco.com. CTA provides the interface between the Network and the Host.

CSA (Cisco Security Agent) has part numbers that are similar to the 100 desktop part number you mentioned above. CSA plays an optional, but key role in NAC providing you the assurance that users who connect have met 2 criteria:

1 - protection from worms and viruses, including Day 0

2 - enforcement of security policy on each desktop, such as stopping users from installing software or copying internal data to removable media

Currently, CSA does not bundle CTA in the 4.0.3 installation. CSA version 4.5, which is due out later this year, will bundle CTA during the installation.

Hopefully, I understood your question!

Let me know.

thanks

peter

What is the ACS server used for? I thought you use the CISCOWORKS MANAGEMENT CENTER FOR CISCO SECURITY AGENTS for managing policies, etc.

http://www.cisco.com/en/US/products/sw/cscowork/ps5212/index.html

The CSA MC is where you configure the policies that the CSA agents enforce and where you view the events from the CSA agents.

The ACS Server holds the policy for NAC environments. CTA communicates with the IOS Router, which in turn, sends the credentials to the ACS server for Trust validation. The ACS server compares this information with its NAC Database to see which of 5 pre-configured groups the user should be placed in.

I hope this helps.

thanks

peter

ps - pls remember to rate all posts that provide you with the Right Info.
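The two posts above describe the NAD placement (a router behind the concentrator's decrypted interface) and the flow CTA -> IOS router -> ACS -> one of 5 posture groups. The configuration below is an added illustration of what that router side looks like for NAC Phase 1 on IOS 12.3(8)T-style EAPoUDP; it is not Peter's configuration or a Cisco document. Interface names, addresses, ACL names/numbers, the exempt printer host and the RADIUS key are assumptions or placeholders; the five posture tokens named in the comments (Healthy, Checkup, Quarantine, Infected, Unknown) are the standard NAC Phase 1 tokens the ACS groups correspond to.

```cisco
! Added example, not from the thread. Names, addresses, ACL numbers and the
! shared secret are assumptions / placeholders for your own environment.
aaa new-model
! EAPoUDP (EoU) posture exchanges are validated against the ACS 3.3 policy server
aaa authentication eou default group radius
! allow ACS to push the per-posture-group ACL (downloadable ACL) to the router
aaa authorization network default group radius
!
! ACS 3.3 as NAC policy server (placeholder address and secret)
radius-server host 10.0.0.10 auth-port 1645 acct-port 1646 key ACS-SHARED-SECRET
radius-server vsa send authentication
!
! EoU timers: re-check a validated host every 30 min, poll its status every 5 min,
! and hold a failed host 3 min before it may retry
eou timeout revalidation 1800
eou timeout status-query 300
eou timeout hold-period 180
eou logging
!
! Admission rule: any IP traffic matching ACL 110 triggers an EoU posture check
ip admission name NAC-VPN eapoudp list 110
access-list 110 permit ip any any
!
! Interface ACL in force before posture is known: only the EoU control channel
! (UDP 21862 to the router), DNS and DHCP pass. Everything else waits for the ACL
! ACS downloads for the host's posture group
! (Healthy / Checkup / Quarantine / Infected / Unknown).
ip access-list extended NAC-DEFAULT-IN
 permit udp any host 10.0.1.1 eq 21862
 permit udp any any eq domain
 permit udp any any eq bootps
 deny ip any any
!
! Hosts that cannot run CTA (printers, phones) are exempted by address and given
! a static policy instead of sitting in Unknown forever (assumed printer address)
ip access-list extended NAC-PRINTER-ACL
 permit ip any any
identity policy PRINTER-POLICY
 access-group NAC-PRINTER-ACL
identity profile eapoudp
 device authorize ip-address 10.0.1.50 policy PRINTER-POLICY
!
! Interface facing the VPN concentrator's decrypted (private) side
interface FastEthernet0/0
 description To VPN concentrator private interface
 ip address 10.0.1.1 255.255.255.0
 ip access-group NAC-DEFAULT-IN in
 ip admission NAC-VPN
!
! Interface facing the internal LAN
interface FastEthernet0/1
 description To internal LAN
 ip address 10.0.2.1 255.255.255.0
```

The important defensive detail is that the static interface ACL denies everything except the EoU control channel, so a host that has no CTA, or whose AV plugin returns out-of-date definitions, never reaches the LAN on the default policy; the access it does get comes only from the ACL ACS returns for its posture token. After a client connects, `show eou all` and `show ip admission cache` on the router show the posture state and the ACL that was applied, which is the quickest way to confirm the ACS group mapping is behaving as intended.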

So a NAC environment cannot exist without an ACS server. Right?

Here's the summary of the NAC Phase 1 components.

This should clarify the required and optional components.

Required NAC Components:

- Network Access Device --> Router running IOS 12.3(8)T Adv Security and above (future goal - switches, pix, access points, vpn concentrator, etc)

- Policy Server --> Cisco Secure ACS 3.3

- Trust Agent --> Cisco Trust Agent - 1.0.53

Optional Components:

- Antivirus ---> Trend Micro, Symantec, McAfee

- Host based Security ---> Cisco Security Agent

thanks

peter