Episode Information   Episode Name: Episode 19 - Troubleshooting the NAC Appliance Contributors:   Nevin Absher, Blayne Dreier, Jay Johnston, Magnus Mortensen Posting Date: May 10, 2011 Description: This  episode focuses on the Network Admission Control (NAC) appliance, with special guest Nevin Absher from the Cisco AAA TAC Team in RTP, NC. The discussion starts with a basic introduction to how network  administrators can use the NAC appliance to control access to the network in various deployment scenarios. The discussion then moves to NAC deployment and operation best practices as well as specific issues that some administrators encounter when deploying the solution, and how to avoid them. NAC troubleshooting methodologies and techniques are also discussed.   Listen Now     (MP3 24 MB; 36:39 mins)   Subscribe to the Podcast in iTunes by clicking the image below:   About the Cisco TAC Security Podcast   The  Cisco TAC Security Podcast Series is created by Cisco TAC engineers.  Each episode provides an in-depth technical discussion of Cisco product  security features, with emphasis on troubleshooting.   Complete episode listing and show information     Show Notes NAC Documentation and Information Resources   NAC Appliance Chalk Talk Series   NAC Appliance Documentation   Doc for creating custom AV check ... View more

What hardware makes up Cisco’s NAC solution? On Cisco’s network security solutions Web page, you’ll find the following list of Cisco technologies, all of which play a part in the complete Cisco NAC solution: Advanced Services for Network Security Cisco Security Agent (CSA) Cisco Security Monitoring, Analysis and Response System (MARS) Cisco Trust Agent 2.0 (CTA) Cisco Secure Access Control Server for Windows (ACS) Cisco Secure Access Control Server Solution Engine (ACS) CiscoWorks Interface Configuration Manager (ICM) CiscoWorks Security Information Management Solution (CW-SIMS) NAC-enabled routers Router security Cisco VPN 3000 Series Concentrators Cisco Unified Wireless Network Cisco Catalyst switches Why NAC? Cisco NAC Appliance The single most popular piece of the Cisco NAC solution has been the Cisco NAC Appliance. As evident from the name itself, Cisco NAC Appliance is an appliance-based solution that offers fast deployment, policy management, and enforcement of security policies. With the Cisco NAC Appliance, you can opt for an in-band or out-of-band solution. The in-band solution is for smaller deployments. As your network grows into a more campus environment, you may not be able to keep the in-band design. In that case, you can move to the out-of-band deployment scenario. Here are some advantages of the Cisco NAC Appliance: Identity: At the point of authentication, the Cisco NAC Appliance recognizes users, as well as their devices and their responsibility in the network. Compliance: Cisco NAC Appliance also takes into account whether machines are compliant with security policies or not. This includes enforcing operating system updates, antivirus definitions, firewall settings, and antispyware software definitions. Quarantine: If the machines attempting to gain access don’t meet the policies of the network, the Cisco NAC Appliance can quarantine these machines and bring them into compliance (by applying patches or changing settings), before releasing them onto the network. How to fix Certificate errors on the CAM/CAS after upgrade to 4.1.6 Version 4.1.6 of Cisco NAC Appliance was released on July 31st. This release was mainly a bug fix release, but did  include a security enhancement that encrypts all traffic between the CAS  and CAM using SSL. Below is a copy of a document that will be posted to  Cisco.com soon. Just wanted to get it out there now to possibly help  some folks. Sorry that the formatting isn't coming across as well as I  hoped, but this should just be temporary until it gets published. Summary: This document describes how to fix certificate errors on the CAM/CAS with version 4.1.6. These errors will be found in either /perfigo/logs/perfigo-redirect.log0.log.0 or /perfigo/logs/perfigo-log0.log.0. An example of one of the errors is below: SEVERE: RMISocketFactory:Creating RMI socket failed to host 10.1.20.10:sun.security.validator.ValidatorException: Certificate chaining error Aug 1, 2008 1:41:22 PM com.perfigo.wlan.web.admin.ConnectorClient connect SEVERE: Communication Exception : java.rmi.ConnectIOException: Exception creating connection to: 10.1.20.10; nested exception is:  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate chaining error These errors are a result of security enhancements made in 4.1.6. In 4.1.6, the CAS and CAM both act as client and server to each other, and require that they trust each other. This results in each requiring the root and intermediate certificates of the other. For example, if the CAS has a Verisign certificate and the CAM has a Perfigo (temporary) certificate, then both the CAS and CAM would need the Verisign chain (root and intermediates) and the Perfigo root. More information: 1.First, backup any installed certificates that are not temporary certificates. a)On the CAM, open the web interface and go to Administration > CCA Manager > SSL > X509 Certificate. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to Administration > SSL > X509 Certificate. b)Choose 'Export CSR/Private Key/Certificate' from the drop down. c)Click 'Export' next to Currently Installed Certificate and save this file. d)Click 'Export' next to Currently Installed Private Key and save this file. 2.After the backup, if the CAS and CAM are not already using temporary certificates, generate them. a)On the CAM, open the web interface and go to Administration > CCA Manager > SSL > X509 Certificate.  On the CAS, go directly to the web interface via https://<CAS IP>/admin then go to Administration > SSL > X509 Certificate. b)Choose 'Generate Temporary Certificate' from the drop down. c)Fill out the fields listed and click 'Generate'.  NOTE - This no longer requires a reboot to take effect. 3.Next, remove all Trusted Certificate Authorities from the CAS and CAM. This will make it easier to manage and improve security. a)On the CAM, go to Administration > CCA Manager > SSL > Trusted Certificate Authorities.  On the CAS, go to Administration > SSL > Trusted Certificate Authorities. b)Create a filter to exclude the Perfigo certificate.  Click the drop down 'Add filter...' and choose 'Distinguished Name'.   Change the drop down 'contains' to be 'contains not' and type 'Perfigo', then click 'Filter'. c)Drop down the number 10 next to Delete Selected and choose 100. d)Check the box right below the number that will select all CA’s in the list and click 'Delete Selected'. e)It will then show the other 50+ CA's. Click the box again and click 'Delete Selected'. 4.After removing all of the Certificate Authorities, the root and intermediate certificates need to be imported. a)On the CAM, go to Administration > CCA Manager > SSL > Trusted Certificate Authorities.  On the CAS, go to Administration > SSL > Trusted Certificate Authorities. b)Click on the 'Browse' button and choose the Root Certificate first.  The subject and issuer should be set to the same value. c)Click Import, and the CA should appear in the list below. d)Perform the same procedure for any intermediate certificates. 5.Install the CAS and CAM certificates backed up in the first step. a)On the CAM, open the web interface and go to Administration > CCA Manager > SSL > X509 Certificate.  On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to Administration > SSL > X509 Certificate. b)Choose 'Import Certificate' from the drop down. c)Click 'Browse' and choose the certificate saved from step 1, then click 'Upload'. d)Click 'Browse' again and choose the private key that was saved from step 1.  On the file type drop down choose 'Private Key' and then click 'Upload'. e)Now click 'Verify and Install Uploaded Certificates'. NOTE: There is one error message that will not be fixed by these procedures. If the logs contain the following message, the certificate provider will need to be contacted, and the certificate will need to be reissued with the Netscape Cert Type field set to be both SSL Server and SSL client. SEVERE: SSLFilter:access deniedCN=cas1.domain.com, OU=Information Technologies, O=Company, ST=State, C=US:Netscape cert type does not permit use for SSL client ... View more