Cisco NAC Appliance - Clean Access Manager Configuration Guide Release 4.9(x) March 2015 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
About This Guide
Revised March 10, 2015, OL-28003-01
This preface includes the following sections:
• Audience
• Purpose
• Document Organization
• Document Conventions
• New Features in this Release
• Product Documentation
• Documentation Updates
• Obtaining Documentation and Submitting a Service Request
Audience
This guide is for network administrators who are implementing the Cisco NAC Appliance solution to manage and secure their networks.
Document Organization
Table 1 Document Organization (Chapter: Description)
Chapter 1, “Introduction”: Provides a high-level overview of the Cisco NAC Appliance solution.
Chapter 2, “Device Management: Adding Clean Access Servers, Adding Filters”: Describes how to add and manage Clean Access Servers from the Clean Access Manager and configure device and/or subnet filters.
Chapter 3, “Switch Management: Configuring Out-of-Band Deployment”: Describes how to configure Cisco NAC Appliance for Out-of-Band (OOB)
Table 1 Document Organization (continued)
Chapter 14, “Administering the CAM”: Discusses the Administration pages for the Clean Access Manager.
Appendix A, “Error and Event Log Messages”: Explains some common Cisco NAC Appliance error messages and event log entries.
Appendix B, “API Support”: Discusses API support for the Clean Access Manager.
Appendix C, “MIB Support”: Contains the list of Entities and Object Identifiers (OIDs) for the MIBs supported by the CAM.
Appendix D, “Open Source License Ack
Product Documentation
Table 3 lists the documents available for Cisco NAC Appliance on Cisco.com at the following URL: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
Tip To access external URLs referenced in this document, right-click the link in Adobe Acrobat and select “Open Weblink in Browser.”
Table 3 Cisco NAC Appliance Document Set (Document Title: Refer to This Document For Information On)
Cisco NAC Appliance Hardware Installation Guide, Release 4.9(x): Details on CAM/CAS installation topics
Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(x)
Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.
Table 4 Updates to Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(x) (continued)
Date: Description
02/10/2014: Release 4.9(4)
• Updated System Upgrade, page 24
• Updated Release 4.9(4) screenshots as appropriate
06/25/2013: Release 4.9(3)
• Updated System Upgrade, page 24
• Updated Release 4.9(3) screenshots as appropriate
11/27/2012: Release 4.
Chapter 1 Introduction
This chapter provides a high-level overview of the Cisco NAC Appliance solution.
Other key features of Cisco NAC Appliance include:
• Standards-based architecture—Uses HTTP, HTTPS, XML, and Java Management Extensions (JMX).
• User authentication—Integrates with existing backend authentication servers, including Kerberos, LDAP, RADIUS, and Windows NT domain.
• VPN concentrator integration—Integrates with Cisco VPN concentrators (e.g. VPN 3000, ASA) and provides Single Sign-On (SSO).
Appliance encapsulates SWISS communications between client machines and CASs, including Discovery packet transmission/acknowledgement, authentication, and posture assessment results using the HTTPS protocol. The SWISS mechanism also features an enhanced handler that uses 3DES encryption for SWISS protocol functions.
Cisco NAC Appliance Components
Cisco NAC Appliance is a network-centric integrated solution administered from the Clean Access Manager web console and enforced through the Clean Access Server and (optionally) the Agent. Cisco NAC Appliance checks client systems, enforces network requirements, distributes patches and antivirus software, and quarantines vulnerable or infected clients for remediation before clients access the network.
Figure 1-1 Cisco NAC Appliance Deployment (L2 In-Band Example) [figure: Internet, L3 router, firewall, L2 switch, Clean Access Server (CAS) with eth0 and eth1 interfaces, LAN/Intranet, clients with Cisco NAC Appliance Agent, Clean Access Manager (CAM), authentication sources (LDAP, RADIUS, Kerberos, Windows NT), DNS server, and an admin laptop running the Clean Access Manager web admin console]
Clean Access Manager (CAM)
The Clean Access Manager (CAM) is the administration server and database
This guide describes the global configuration and administration of Clean Access Servers and Cisco NAC Appliance deployment using the Clean Access Manager web admin console. For a summary of CAS operating modes, see Add Clean Access Servers to the Managed Domain, page 2-2. For complete details on CAS deployment, see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x).
• The Web Login subpage enables network scanning controls per user role/OS. In addition to dialog/web page content, you can specify whether pages appear when the user logs in with a specific user role and OS. If you want to enable both Agent and network scanning for a role, make sure to set role/OS options on both the Agent Login and Web Login configuration pages.
Note Agent/network scanning pages are always configured by both user role and client OS.
Figure 1-2 Agent Login—General Setup
Table 1-1 explains the General Setup > Agent Login configuration options shown in Figure 1-2. For examples and descriptions of Agent login user pages, see Chapter 10, “Cisco NAC Appliance Agents.”
Table 1-1 Agent Login—General Setup Configuration Options (Control: Description)
User Role: Choose a user role from the dropdown menu, which shows all roles in the system.
Table 1-1 Agent Login—General Setup Configuration Options (continued)
Enable OOB logoff for Windows NAC Agent and Mac OS X Agent: Check this option to enable OOB Logoff. This option applies globally to all OOB CASs and user roles and enables Agent logout and heartbeat timers for OOB Agent connections. You must also enable this option for Passive Re-assessment to function with OOB Agent connections.
Table 1-1 Agent Login—General Setup Configuration Options (continued)
Show Network Policy to NAC Agent and Cisco NAC Web Agent users (Windows only) [Network Policy Link:]: Click this checkbox if you want to display a link in the Agent login session to a Network Policy (Acceptable Use Policy) web page to Agent users. You can use this option to provide a policy or information page that users must accept before they access the network.
Web Login
Figure 1-3 Web Login—General Setup
Web login users see the login and logout pages, quarantine role or blocked access pages, and Nessus scan vulnerability reports, if enabled. You can also configure a User Agreement Page that appears to web login users before they access the network.
Table 1-2 Web Login—General Setup Configuration Options (continued)
Show Network Scanner User Agreement Page to web login users: Click this checkbox to present the User Agreement Page (“Virus Protection Information”) after web login and network scanning. The page displays the content you configure in the User Agreement configuration form. Users must click the Accept button to access the network.
Client Posture Assessment Overview
Cisco NAC Appliance compliance policies reduce the threat of computer viruses, worms, and other malicious code on your network. Cisco NAC Appliance is a powerful tool that enables you to enforce network access requirements, detect security threats and vulnerabilities on clients, and distribute patches, antivirus and anti-spyware software.
Note The Cisco NAC Agent does not support Nessus-based network scanning.
Step 5 Test your configurations for user roles and operating systems by connecting to the untrusted network as a client. Monitor the Certified Devices List, Online Users page, and Event Logs during testing. Test network scanning by performing web login, checking the network scanning process, the logout page, and the associated client and administrator reports.
• “Double-byte” character support that enables the Agent to display user dialogs for supported locales/language OS platforms
• Evolution Data Optimized (EVDO) connections where no wired or wireless NICs are enabled on the client machine. For more information on enabling this function for the Cisco NAC Agent, see Table 9-10 “Client-Side MAC Address Management”.
• Auto-upgrade.
For complete details on the Agent configuration features mentioned above, see Chapter 9, “Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment.” For details on the features of each version of the Agent, see “Cisco NAC Appliance Agents” in the latest Release Notes.
Mac OS X Agent
Like the Cisco NAC Agent for Windows client machines, the Mac OS X Agent provides local-machine Agent-based posture assessment and remediation for Macintosh client machines. The Mac OS X Agent provides the following support:
• Easy download and installation of the Agent on the client via initial one-time web login. The Agent installs by default for the current user and all other users on the client machine.
The Cisco NAC Appliance Network Scanner method provides network-based vulnerability assessment and web-based remediation. The network scanner in the local Clean Access Server performs the actual network scanning and checks for well-known port vulnerabilities to which a particular host may be prone.
Table 1-3 Web Login User Page Summary (continued) (Page: Configured in: Purpose)
Login Page: Administration > User Pages > Login Page: The Login page is configured separately from web pages for Agent/network scanning, and is the network authentication interface when using network scanning only. Agent users only need to use it once to initially download the Agent installation file. Login pages can be configured per VLAN, subnet and client OS.
Managing Users
The Clean Access Manager makes it easy to apply existing authentication mechanisms to users on the network (Figure 1-4). You can customize user roles to group together and define traffic policies, bandwidth restrictions, session duration, client posture assessment, and other policies within Cisco NAC Appliance for particular groups of users.
Finally, you can monitor user activity from the web console through the Online Users page (for L2 and L3 deployments) and the Certified Devices List (L2 deployments only).
Clean Access Server (CAS) Management Pages
The Clean Access Server must be added to the Clean Access Manager domain before it can be managed from the web admin console. Chapter 2, “Device Management: Adding Clean Access Servers, Adding Filters,” explains how to do this. Once you have added a Clean Access Server, you access it from the admin console as shown in the steps below.
Figure 1-7 CAS Management Pages
Publishing Information
The Clean Access Manager publishes the configuration settings to the Clean Access Servers whenever any of the following happens:
• A new CAS is added to the CAM.
• The connection between the CAM and a CAS is restored after a communication failure.
• The CAM boots up.
• A CAS boots up.
• CAM failover occurs; the newly active CAM publishes the configuration to all connected CASs.
Admin Console Summary
Table 1-4 summarizes the major functions of each module in the web admin console.
Table 1-4 Summary of Modules in Clean Access Manager Web Admin Console (Module: Description)
Device Management: The Device Management module allows you to:
• Add, configure, manage, and perform software upgrades on Clean Access Servers via the CAS management pages (shown in Figure 1-7). See Chapter 2, “Device Management: Adding Clean Access Servers, Adding Filters”.
Table 1-4 Summary of Modules in Clean Access Manager Web Admin Console (continued)
User Management: The User Management module allows you to:
• Create normal login user roles to associate groups of users with authentication parameters, traffic control policies, session timeouts, and bandwidth limitations. If using role-based configuration for OOB Port Profiles, you can configure the Access VLAN via the user role.
Table 1-4 Summary of Modules in Clean Access Manager Web Admin Console (continued)
Administration: The Administration module allows you to:
• Configure Clean Access Manager network and high availability (failover) settings. See the Cisco NAC Appliance Hardware Installation Guide, Release 4.9(x) for detailed information.
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
This chapter describes how to add and manage Clean Access Servers from the Clean Access Manager and configure device and/or subnet filters. It contains the following sections.
Working with Clean Access Servers
The Clean Access Server gets its runtime parameters from the Clean Access Manager and cannot operate until it is added to the CAM’s domain. Once the CAS is installed and added to the CAM, you can configure local parameters in the CAS and monitor it through the web admin console.
Step 2 Click the New Server tab.
Figure 2-1 Add New Server
Step 3 In the Server IP address field, type the IP address of the Clean Access Server’s eth0 trusted interface.
Note The eth0 IP address of the CAS is the same as the Management IP address.
Step 4 Optionally, in the Server Location field, type a description of the Clean Access Server’s location or other identifying information.
Step 7 Click Add Clean Access Server. The Clean Access Manager looks for the Clean Access Server on the network, and adds it to its list of managed Servers (Figure 2-2). The Clean Access Server is now in the Clean Access Manager’s administrative domain.
Configure Clean Access Manager-to-Clean Access Server Authorization
When you add Clean Access Servers to the CAM, you can also choose to enable mutual Authorization between the appliances to enhance network security. Using the CAM Authorization web console page, administrators can enter the Distinguished Names (DNs) of one or more CASs to ensure secure communications between the CAM and CAS(s).
Note If you use the Authorization feature in a CAM HA-pair, follow the guidelines in Backing Up and Restoring CAM/CAS Authorization Settings, page 14-62 to ensure you are able to exactly duplicate your Authorization settings from one CAM to its high availability counterpart.
Step 4 If you want to first test whether the CAM is able to authorize and connect to the CAS(s) in your network, click Test CCA Server Authorization to test the connection to the CASs you include in the Authorized CCA Servers list. The CAM generates SSL Connection log messages that you can view in the CAM Monitoring > Event Logs web console page after you click Update in Step 5.
Reboot the Clean Access Server
You can perform a graceful reboot of a Clean Access Server by clicking the Reboot icon in the List of Servers tab. In a graceful reboot, the Clean Access Server performs all normal shutdown procedures before restarting, such as writing logging data to disk.
• Local administration settings are set in the CAS management pages for a Clean Access Server and apply only to that CAS. These include CAS network settings, SSL certificates, DHCP and 1:1 NAT configuration, VPN concentrator configuration, IPSec key changes, local traffic control policies, and local device/subnet filter policies.
• Agent requirements and network scanning plugins are configured globally from the CAM and apply to all CASs.
Note
• IB: Block network access to the device/subnet. OOB: Block network access and assign the Auth VLAN to the device.
• IB: Bypass login/posture assessment and assign a user role to the device/subnet. OOB: Bypass login/posture assessment and assign the Out-of-Band User Role VLAN to the device (the Access VLAN configured in the user role).
Device Filters and User Count License Limits
Note
• MAC addresses specified with the “ALLOW” option in the Device Filter list (bypass authentication/posture assessment/remediation) do not count towards the user count license limit.
• CHECK and IGNORE device filter options.
• ROLE and CHECK filters require choosing a User Role from the dropdown menu.
• IGNORE is for OOB only. For IB, checking this option has no effect.
• IGNORE is for global filters only. It does not appear on CAS New/Edit filter pages.
Note In both Layer 2 and Layer 3 deployments, Out-of-Band device filters rely only on the client MAC address when determining whether or not to act upon MAC notification messages from an associated switch. (Device filters do not take client IP addresses into account for Out-of-Band client machines because the CAM cannot reliably verify Out-of-Band client IP addresses.)
For OOB, the order of priority for rule processing is as follows:
1. Device Filters (if configured with a MAC address, and if enabled for OOB)
2. Certified Devices List
3.
Once you build a list of the applicable IP phone MAC addresses, ensure that Cisco NAC Appliance ignores them by enabling the Change VLAN according to global device filter list option for the Port Profile (under OOB Management > Profiles > Port > New or Edit) when you configure your Cisco NAC Appliance system for OOB.
Table 2-2 Layer 2 and Layer 3 In-Band and Out-of-Band MAC Address Filter Behavior
Columns: Out-of-Band without Port Profile option (Global)—Out-of-Band (CAS) | Out-of-Band with Port Profile option (Global only)
CHECK (device not in Certified Devices List): Do posture assessment (In-Band Online Users list entry in Temporary role) and add Certified Devices List entry after posture assessment ( | (Same as above)
For device filter policies specifying a range of MAC addresses where two or more policies potentially affect the same MAC address, the priority of the policy (in Device Management > Filters > Devices > Order) determines which global or local policy to enforce.
Figure 2-5 Cisco NAC Profiler Entries in CAM Device Filters
Figure 2-6 Endpoint Summary
Note The Policy Sync feature exports all global device filters created on the Master CAM to the Receiver CAMs. Any MAC address that is in the Master CAM’s global Device Filter list is exported, including Cisco NAC Profiler generated filters. See Policy Import/Export, page 14-28 for details.
Configure Device Filters
This section describes the following:
• Add Global Device Filter
• Display/Search/Import/Export Device Filter Policies
• Edit Device Filter Policies
• Delete Device Filter Policies
Add Global Device Filter
If there is a MAC address entry in the Device Filter list, the machine can also be checked per Cisco NAC Appliance policies (e.g.
Figure 2-7 New Device Filter
Step 2 In the New Device Filter form, enter the MAC address of the device(s) for which you want to create a policy in the text field. Type one entry per line using the following format: /
Note the following:
• You can use wildcards “*” or a range “-” to specify multiple MAC addresses.
• As an option, you can enter an IP address with the MAC to make sure no one spoofs the MAC address to gain network access. If you enter both a MAC and an IP address, the client must match both for the rule to apply.
• You can specify a description by device or for all devices.
Step 3
Display/Search/Import/Export Device Filter Policies
• Priorities can be defined for ranges (via the Order page).
• A single MAC address device filter (e.g. 00:14:6A:6B:6C:6D) always takes precedence in the filter List over a wildcard/range device filter (e.g. 00:14:6A:6B:*, or 00:14:6A:*).
• New wildcard/range device filters are always put at the end of the List page.
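The rules above (exact MAC beats wildcard/range, Order-page priority among wildcard/range filters, MAC+IP must both match In-Band, MAC alone Out-of-Band, IGNORE has no effect In-Band) are easy to get wrong when reviewing a filter list. The following model is an added example, not Cisco's code; it assumes the "MAC/IP" entry syntax (the guide only says an IP can be entered with the MAC), colon-separated MACs, and all class and function names are invented here.

```python
"""Model of how Cisco NAC Appliance global device filters are evaluated.

Added illustration, not Cisco's implementation. Encodes the rules stated in
the configuration guide: entries are a MAC with an optional IP, '*' wildcards
and 'low-high' ranges cover several MACs, an exact-MAC filter always takes
precedence over wildcard/range filters, wildcard/range filters are tried in
their Order-page priority, a filter carrying an IP requires both MAC and IP
to match for In-Band clients, Out-of-Band matching uses the MAC only, and
IGNORE has no effect In-Band.
ASSUMPTIONS: the "MAC/IP" line syntax, colon-separated MACs, and all names.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

ACCESS_TYPES = {"ALLOW", "DENY", "ROLE", "CHECK", "IGNORE"}


def mac_to_int(mac: str) -> int:
    """Integer value of a full colon-separated MAC (used for range checks)."""
    octets = mac.strip().upper().split(":")
    if len(octets) != 6 or not all(len(o) == 2 for o in octets):
        raise ValueError(f"not a full MAC address: {mac!r}")
    return int("".join(octets), 16)


@dataclass
class DeviceFilter:
    """One device-filter entry: pattern, access type, optional IP and role."""
    pattern: str                 # "00:14:6A:6B:6C:6D", "00:14:6A:*" or "low-high"
    access: str                  # ALLOW, DENY, ROLE, CHECK or IGNORE
    ip: Optional[str] = None     # optional IP bound to the MAC (anti-spoofing)
    role: Optional[str] = None   # user role, required for ROLE and CHECK

    def __post_init__(self) -> None:
        self.pattern = self.pattern.strip().upper()
        if self.access not in ACCESS_TYPES:
            raise ValueError(f"unknown access type {self.access!r}")
        if self.access in ("ROLE", "CHECK") and not self.role:
            raise ValueError(f"{self.access} filters require a user role")

    @property
    def is_exact(self) -> bool:
        """True for a single-MAC filter (no wildcard, no range)."""
        return "*" not in self.pattern and "-" not in self.pattern

    def matches_mac(self, mac: str) -> bool:
        mac = mac.strip().upper()
        if "-" in self.pattern:                       # range "low-high"
            low, high = (mac_to_int(p) for p in self.pattern.split("-", 1))
            return low <= mac_to_int(mac) <= high
        return fnmatchcase(mac, self.pattern)         # exact or '*' wildcard


def parse_entry(line: str, access: str, role: Optional[str] = None) -> DeviceFilter:
    """Parse one form line in the assumed 'MAC/IP' syntax; the IP is optional."""
    pattern, _, ip = line.partition("/")
    return DeviceFilter(pattern, access, ip.strip() or None, role)


class DeviceFilterList:
    """Global device filter list with the Order-page priority semantics."""

    def __init__(self) -> None:
        self.filters: List[DeviceFilter] = []

    def add(self, flt: DeviceFilter) -> None:
        self.filters.append(flt)      # new filters go to the end of the list

    def set_priority(self, flt: DeviceFilter, position: int) -> None:
        """Move a wildcard/range filter up or down, as the Order page does."""
        self.filters.remove(flt)
        self.filters.insert(position, flt)

    def lookup(self, mac: str, ip: Optional[str] = None,
               oob: bool = False) -> Optional[DeviceFilter]:
        """Return the first filter that applies to the client, or None."""
        exact = [f for f in self.filters if f.is_exact]
        ranged = [f for f in self.filters if not f.is_exact]
        for flt in exact + ranged:    # a single-MAC filter always wins
            if not flt.matches_mac(mac):
                continue
            if flt.access == "IGNORE" and not oob:
                continue              # IGNORE has no effect In-Band
            # In-Band: a MAC+IP filter applies only when both match.
            # Out-of-Band: the CAM cannot verify client IPs, so the MAC alone decides.
            if flt.ip and not oob and ip != flt.ip:
                continue
            return flt
        return None


def build_sample_list() -> DeviceFilterList:
    """Constructed sample entries (not from the guide) for a quick check."""
    filters = DeviceFilterList()
    filters.add(parse_entry("00:14:6A:*", "DENY"))
    filters.add(parse_entry("00:14:6A:6B:6C:6D/10.1.1.5", "ALLOW"))
    filters.add(parse_entry("00:14:6A:6B:6C:00-00:14:6A:6B:6C:FF",
                            "ROLE", role="printers"))
    filters.add(parse_entry("00:AA:*", "IGNORE"))
    return filters


if __name__ == "__main__":
    flist = build_sample_list()
    print(flist.lookup("00:14:6A:6B:6C:6D", "10.1.1.5").access)            # ALLOW
    print(flist.lookup("00:14:6A:6B:6C:6D", "10.1.1.9").access)            # DENY
    print(flist.lookup("00:14:6A:6B:6C:6D", "10.1.1.9", oob=True).access)  # ALLOW
```

The second lookup shows why binding an IP to an ALLOW entry matters In-Band: a client presenting the allowed MAC from another IP falls through to the broader DENY wildcard instead of bypassing authentication.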
The Clean Access Server column in the list shows the scope of the policy. If the policy was configured locally in the CAS management pages, this field displays the IP address of the originating Clean Access Server. If the policy was configured globally for all Clean Access Servers in the Device Management > Filters module of the admin console, the field displays GLOBAL.
Figure 2-9 Order
2. Click the arrows in the Priority column to move the priority of the wildcard/range filter up or down.
3. Click Commit to apply the changes. (Click Reset to cancel the changes.)
Note For more information on In-Band vs. Out-of-Band client machine behavior based on the specified Device Filter type, see In-Band and Out-of-Band Device Filter Behavior Comparison, page 2-16.
View Active Layer 2 Device Filter Policies
The Active Layer 2 In-Band Device Filters list displays all clients currently connected to the CAS, sending packets, and with their MAC addresses in a device filter. This list is especially useful in cases where users are configured to bypass authentication (via device filters) and/or posture assessment (such as when no requirements are enforced).
Edit Device Filter Policies
Step 1 Click the Edit icon next to the device filter policy in the filter list. The Edit page appears similar to Figure 2-7.
Step 2 You can edit the IP Address, Description, Access Type, and Role used. Click Save to apply the changes.
Note The MAC address is not an editable property of the filter policy.
Figure 2-12 Subnet Filters
Step 2 In the Subnet Address/Netmask fields, enter the subnet address and subnet mask in CIDR format.
Step 3 Optionally, type a Description of the policy or device.
Step 4 Choose the network Access Type for the subnet:
• allow – Enables devices on the subnet to access the network without authentication.
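The device filter and subnet filter rules above (the MAC[/IP] entry format, wildcard and range patterns, the MAC+IP binding that keeps a MAC seen from another IP address from qualifying, the precedence of an exact-MAC filter over wildcard/range filters, the Order-page priority of wildcard/range filters, and CIDR subnet filters) are modelled in the following Python. This is an added example for illustration, not Cisco's code and not part of this guide; the access-type strings and every MAC, IP and subnet value in it are constructed sample data, and the class and function names are the example's own.

```python
# Device-filter and subnet-filter matching modelled on the CAM rules described on this page.
# Added example, not Cisco's code; all MACs, IPs and access-type strings below are constructed.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

HEX2 = r"[0-9A-F]{2}"
EXACT_RE = re.compile(rf"^{HEX2}(:{HEX2}){{5}}$")                     # 00:14:6A:6B:6C:6D
WILDCARD_RE = re.compile(rf"^({HEX2}:){{1,5}}\*$")                      # 00:14:6A:6B:* or 00:14:6A:*
RANGE_RE = re.compile(rf"^{HEX2}(:{HEX2}){{5}}-{HEX2}(:{HEX2}){{5}}$")  # first-last

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

@dataclass
class DeviceFilter:
    mac_pattern: str        # exact MAC, wildcard prefix, or range
    ip: Optional[str]       # optional IP bound to the MAC (anti-spoofing)
    access_type: str
    description: str = ""

    def __post_init__(self) -> None:
        self.mac_pattern = self.mac_pattern.strip().upper()
        if not any(r.match(self.mac_pattern) for r in (EXACT_RE, WILDCARD_RE, RANGE_RE)):
            raise ValueError(f"unsupported MAC pattern: {self.mac_pattern!r}")
        if self.ip is not None:
            self.ip = str(ipaddress.ip_address(self.ip.strip()))  # reject malformed IPs

    @property
    def is_exact(self) -> bool:
        return EXACT_RE.match(self.mac_pattern) is not None

    def matches(self, mac: str, ip: Optional[str]) -> bool:
        mac = mac.strip().upper()
        if not EXACT_RE.match(mac):
            raise ValueError(f"malformed client MAC: {mac!r}")
        if self.ip is not None and ip != self.ip:
            return False        # MAC+IP filter: both must match, so the MAC seen from another IP fails
        if self.is_exact:
            return mac == self.mac_pattern
        if RANGE_RE.match(self.mac_pattern):
            lo, hi = self.mac_pattern.split("-")
            return _mac_int(lo) <= _mac_int(mac) <= _mac_int(hi)
        return mac.startswith(self.mac_pattern[:-1])  # wildcard: text before "*" is a prefix

def parse_device_filter_lines(text: str, access_type: str, description: str = "") -> List[DeviceFilter]:
    """New Device Filter form entries, one per line, in the format MAC[/IP]."""
    filters = []
    for raw in text.splitlines():
        if raw.strip():
            mac, _, ip = raw.strip().partition("/")
            filters.append(DeviceFilter(mac, ip or None, access_type, description))
    return filters

class DeviceFilterList:
    """Precedence as on the page: an exact-MAC filter always wins over wildcard/range filters,
    and new wildcard/range filters are appended to the end of the priority-ordered list."""

    def __init__(self) -> None:
        self.exact: List[DeviceFilter] = []
        self.ordered: List[DeviceFilter] = []

    def add(self, f: DeviceFilter) -> None:
        (self.exact if f.is_exact else self.ordered).append(f)

    def move_up(self, index: int) -> None:
        """Raise a wildcard/range filter one position (the Order page's up arrow)."""
        if index > 0:
            self.ordered[index - 1], self.ordered[index] = self.ordered[index], self.ordered[index - 1]

    def lookup(self, mac: str, ip: Optional[str]) -> Optional[DeviceFilter]:
        for f in self.exact + self.ordered:  # exact first, then priority order; first match wins
            if f.matches(mac, ip):
                return f
        return None

@dataclass
class SubnetFilter:
    network: ipaddress.IPv4Network
    access_type: str
    description: str = ""

def parse_subnet_filter(cidr: str, access_type: str, description: str = "") -> SubnetFilter:
    # strict=True rejects e.g. 10.10.1.0/16 (host bits set) instead of silently widening the policy
    return SubnetFilter(ipaddress.ip_network(cidr.strip(), strict=True), access_type, description)

def match_subnet(subnets: List[SubnetFilter], ip: str) -> Optional[SubnetFilter]:
    addr = ipaddress.ip_address(ip)
    return next((s for s in subnets if addr in s.network), None)

def build_sample() -> DeviceFilterList:
    """Constructed sample list: a MAC+IP binding, a wildcard, and a range (values made up)."""
    fl = DeviceFilterList()
    for f in parse_device_filter_lines("00:14:6A:6B:6C:6D/10.1.1.5\n00:14:6A:6B:*", "allow", "printers"):
        fl.add(f)
    fl.add(DeviceFilter("00:14:6A:6B:6C:00-00:14:6A:6B:6C:FF", None, "deny", "blocked range"))
    return fl

if __name__ == "__main__":
    fl = build_sample()
    print(fl.lookup("00:14:6A:6B:6C:6D", "10.1.1.5").description)   # printers (exact filter wins)
    print(fl.lookup("00:14:6A:6B:6C:6D", "10.1.1.99").mac_pattern)  # 00:14:6A:6B:* (IP binding failed)
```

Two points the code makes explicit: a MAC+IP filter does not "deny" a mismatching client, it simply stops applying, so evaluation falls through to the next filter in priority order (in the sample, the wildcard still catches the MAC from the wrong IP); and the subnet parser uses strict CIDR so a mask typo that sets host bits is rejected rather than quietly becoming a broader allow.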
The filter list can be sorted by column by clicking on the column heading label (Subnet, Clean Access Server, Description, Access Type).
Integrating Cisco ISE Profiler
The Cisco Identity Services Engine (ISE) Profiler 1.0.4 can be integrated with Cisco NAC Appliance 4.9 and the ISE Profiler endpoints can be synchronized with the NAC Appliance.
Add Cisco ISE Profiler Details
Step 1 In the CAM Web Console, navigate to Device Management > Filters > Configuration > Profiler > New.
Figure 2-13 Adding ISE Profiler Details
Step 2 Enter the Cisco ISE Profiler details as follows:
• Profiler Name – Enter any descriptive name for the Cisco ISE Profiler.
• Address (IP/DNS) – Enter the IP Address or the DNS Name of the Cisco ISE.
Display/Edit/Delete Cisco ISE Profiler Details
You can view the list of ISE Profilers added, edit the configuration details, or remove an ISE Profiler using the List page.
Step 1 Navigate to Device Management > Filters > Configuration > Profiler > List.
Synchronize Endpoints from Cisco ISE Profiler
After configuring the ISE Profiler details in the CAM Web Console, the CAM can synchronize all the endpoints from the ISE Profiler either automatically or manually by using the Sync Settings.
Step 1 Navigate to Device Management > Filters > Configuration > Profiler > Sync Settings.
Map Endpoint Policies
You can create rules with the endpoint profiles that already exist in the Cisco ISE Profiler and map them to the CAM.
Create New Rule
Step 1 Go to Device Management > Filters > Configuration > Rules > New.
Step 2 In the New Rule form, enter the following:
• Rule Name – Enter a name for the new Rule.
• Rule Description – Enter a description.
• Matching Profile – Enter Endpoint Profile names in the text box as follows:
– Specify an exact Profile name. You can click Display Profiles and select a Profile from the popup list.
• CHECK
– IB - bypass login, apply posture assessment (bypass L2 posture assessment if certified), assign role
– OOB (Switch) - bypass login, apply posture assessment if not certified, assign User Role VLAN
– OOB (WLC) - bypass login, apply posture assessment if not certified, assign WLC Access VLAN
• IGNORE
– OOB (Switch) - ignore SNMP traps from managed switches (IP Phones)
Step 4 Bounce this port if end
Delete Rules
To delete a rule, in the Device Management > Filters > Configuration > Rules > List tab, click the checkbox preceding the Rule Name in the List and click the Delete Selected button. The selected rules are removed from the list.
Order Rules
The Order page can be used to change the priority of the Rules.
Figure 2-20 NAC Manager page on Cisco ISE
Step 2 In the NAC Managers page, click Add. The New NAC Manager page appears as shown in Figure 2-21.
Figure 2-21 Adding NAC Manager to ISE Profiler
Step 3 Enter the NAC Manager (CAM) details as follows:
• Name – Enter any descriptive name for the CAM.
• Description – Optionally, enter a description for the CAM.
• Username – Enter the name of the CAM web console admin user.
• Password – Enter the password for the CAM web console admin user.
Step 4 Click Submit.
For further details on the Cisco ISE Profiler, refer to the Cisco Identity Services Engine User Guide on Cisco.com at: http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.
The above is displayed when the CAM is trying to connect to the secondary ISE.
2011-08-26 15:14:01.014 +0530 DefaultQuartzScheduler_Worker-1 INFO com.cisco.nac.core.nacprofiler.job.FullSyncJob - Opening url inputstream - took 0 hour(s) 0 minute(s) 1 second(s) 101 milli(s)
com.cisco.nac.core.nacprofiler.job.
2011-08-29 14:30:22.971 +0530 DefaultQuartzScheduler_Worker-1 INFO com.perfigo.wlan.web.admin.SmartManagerConf - SMC - STORE: UPDATE smartmanager_conf SET prop_value='Sync with profiler failed at 08/29/2011 14:30:22# Reason - Unable to obtain information from the configured profiler(s). 1) Please check the connectivity and configuration.
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
This chapter describes how to configure Cisco NAC Appliance for Out-of-Band (OOB) deployment.
Overview
In-Band Versus Out-of-Band
Table 3-1 summarizes different characteristics of each type of deployment.
Table 3-1 In-Band vs. Out-of-Band Deployment (columns: In-Band Deployment Characteristics | Out-of-Band Deployment Characteristics)
In-Band Deployment Characteristics: The Clean Access Server (CAS) is always inline with user traffic (both before and following authentication, posture assessment and remediation). Enforcement is achieved through being inline with traffic.
Note Cisco Catalyst 3850 switches are supported starting from Cisco NAC Appliance Release 4.9(4).
SNMP Control
With Out-of-Band deployment, you can add switches to the Clean Access Manager’s domain and control particular switch ports using the Simple Network Management Protocol (SNMP). SNMP is an application layer protocol used by network management tools to exchange management information between network devices.
Deployment Modes
This section describes Out-of-Band deployment for Virtual Gateway and Real-IP. For all gateway modes, to incorporate Cisco NAC Appliance Out-of-Band in your network, you must add an Authentication VLAN to your network and trunk all Auth VLANs to the untrusted interface of the Clean Access Server.
Figure 3-2 After — Client is Out-of-Band After Being Certified (diagram labels: Clean Access Server, Internet, Untrusted (eth1), Auth (quarantine) VLAN, Managed Switch, Access VLAN, Unmanaged port, Managed port, Authenticated Client)
Once the client is authenticated and certified (i.e.
In Out-of-Band Virtual Gateway mode, the Clean Access Server uses the VLAN mapping feature to retag the unauthenticated client’s allowed traffic (such as DNS or DHCP requests) from the Authentication VLAN to the Access VLAN and vice versa. In this way, no new client IP address is needed when the client is eventually switched to the Access VLAN, because the DHCP-acquired IP address is already paired with the Access VLAN ID.
Figure 3-3 Out-of-Band VGW Mode: Catalyst 6500 Series Example (diagram labels: Clean Access Server (VGW, with VLAN mapping), Trusted, Untrusted; VLAN Trunk (Access) VLAN 10, 20; VLAN Trunk (Auth) VLAN 100, 200; 650X L2/L3 Switch/Router; Clean Access Manager; VLAN Trunk (Auth, Access) VLAN 10, 100 and VLAN 20, 200; Edge Switch with Access VLAN 10 / Auth VLAN 100 and Client; Edge Switch with Access VLAN 20 / Auth VLAN 200 and Client)
Note To support a variety of switch configurations, Cisco NAC Appliance supports switches using both MAC Change Notification and MAC Move Notification traps.
3. The client attempts to acquire a DHCP address. The core L2 switch forwards all Auth VLAN traffic to the Out-of-Band Virtual Gateway CAS.
4. The CAS receives the VLAN 100 traffic on its untrusted interface (via the 802.1q trunk).
5.
12. For certified clients, the Port Profile form (OOB Management > Profiles > Port > New or Edit) provides the following options (see Add Port Profile, page 3-34 for details). You can switch the client to:
• The Access VLAN specified in the Port Profile form.
• The Access VLAN specified for the user role of the client, if you choose to use a role-based port profile (see Figure 3-9 on page 3-27 for details).
Figure 3-4 Out-of-Band Real-IP Gateway Deployment (diagram labels: L3 Core/Distribution; Clean Access Manager; Real IP or NAT GW Clean Access Server; (L3 for Auth VLANs) e.g. x.x.100.1, x.x.200.1; (L3 for Access VLANs) x.x.10.1, x.x.20.
Flow for Out-of-Band Real-IP Gateway Mode
1. The unauthenticated user connects the client machine to the network through an edge switch.
2. The switch sends MAC notification or linkup/linkdown SNMP traps for the client to the CAM.
• The initial VLAN of the port. For this configuration, the client port is switched to the Authentication VLAN for authentication/certification, then when the client is certified, the port is switched back to the initial VLAN of the port saved by the CAM when the switch was added.
Note If configuring the CAS as an OOB Virtual Gateway, do not connect the untrusted interface to the switch until VLAN mapping has been configured correctly under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x) for details.
• If implementing High-Availability, do not enable Port Security on the switch interfaces to which the CAS and CAM are connected. This can interfere with CAS HA and DHCP delivery.
• You must ensure your switch has the Access VLAN in its VLAN database to ensure proper switching behavior. On some models of Cisco switches (e.g. 6506, IOS Version 12.
Note If the CAM is down and the CAS is performing VLAN mapping in “fail open” state, do not reboot the CAS because the VLAN mapping capability will be lost until the CAM comes back online.
Step 4 For Real-IP Gateways, add static routes on the L3 switch or router to route traffic for the managed subnets to the trusted interface of the respective CASs.
(config)# snmp-server community c2950_write RW
• SNMP V3 settings:
For auth (username: “c2950_user;” password: “c2950_auth”):
(config)# snmp-server view v1default iso included
(config)# snmp-server group c2950_group v3 auth read v1default write v1default notify v1default
(config)# snmp-server user c2950_user c2950_group v3 auth md5 c2950_auth
For priv (username: “c2950_user;” password: “c2950_priv”):
(config)# snmp-
For auth (SNMP username/password is “cam_user”/“cam_auth”)
(config)# snmp-server group cam_group v3 auth read v1default write v1default notify v1default
(config)# snmp-server user cam_user cam_group v3 auth md5 cam_auth
(config)# snmp-server host 172.16.1.
Figure 3-5 Example Physical Setup (diagram labels: PIX, Internet, 172.16.1.1, 172.16.1.61, CAT 3550, VLAN 2, eth0, F 0/2, CAM, F 0/1, 10.60.3.2, VLAN 3,10,20, eth0, CAS, F 0/8, F 0/17, eth1, 10.60.3.2, VLAN 2,10,20, VLAN 31,41, F 0/17, F 0/18, CAT 2950, VLAN 10,20, 172.16.1.64, VLAN 2, F 0/24)
Note The CAS interfaces should be on a separate VLAN from the CAM VLAN and access VLANs.
Figure 3-6 Example L3 Switch Configuration
Cisco NAC Appliance - Clean Access Manager Configuration Guide 3-20 OL-28003-01
OOB Network Setup/Configuration Worksheet
Table 3-2 summarizes information needed to configure switches and the Clean Access Manager.
List of MIBs and OIDs
Table 3-3 lists the MIBs and OIDs used by NAC for both wireless controllers and switches. These OIDs and their corresponding MIBs should be implemented by the device that is being added to NAC.
Table 3-3 List of MIBs and OIDs used by NAC
OID | Object Name | MIB
1.3.6.1.2.1.2.1.0 | ifNumber | IF-MIB
1.3.6.1.2.1.2.2.1.1 | ifIndex | IF-MIB
1.3.6.1.2.1.2.2.1.2 | ifDescr | IF-MIB
1.3.6.1.2.1.31.1.1.1.
1.3.6.1.4.1.9.9.215.1.1.5.0 | cmnNotificationsEnabled | CISCO-MAC-NOTIFICATION-MIB
1.3.6.1.4.1.9.9.215.1.2.1.1 | cmnIfConfigEntry | CISCO-MAC-NOTIFICATION-MIB
1.3.6.1.4.1.9.9.215.1.2.1.1.1 | cmnMacAddrLearntEnable | CISCO-MAC-NOTIFICATION-MIB
1.3.6.1.4.1.9.9.215.1.2.1.1.2 | cmnMacAddrRemovedEnable | CISCO-MAC-NOTIFICATION-MIB
1.3.6.1.4.1.9.9.215.1.1.8.1.
1.3.6.1.2.1.1.4.0 | sysContact | SNMPv2-MIB
1.3.6.1.2.1.4.20.1.1 | ipAdEntAddr | IP-MIB
1.3.6.1.2.1.4.20.1.2 | ipAdEntIfIndex | IP-MIB
1.3.6.1.2.1.4.20.1.3 | ipAdEntNetMask | IP-MIB
1.3.6.1.4.1.9.9.599.1.3.1.1.11 | cldcClientEntry | CISCO-LWAPP-DOT11-CLIENT-MIB
1.3.6.1.4.1.9.9.599.0 | ciscoLwappDot11ClientMIBNotifs | CISCO-LWAPP-DOT11-CLIENT-MIB
1.3.6.1.
Configure OOB Switch Management on the CAM
This section describes the web admin console configuration steps to implement Out-of-Band. In general, you first configure Group, Switch, and Port profiles, as well as the Clean Access Manager’s SNMP Receiver settings, under OOB Management > Profiles.
Figure 3-7 Add New OOB Server
The Out-of-Band Server Types appear in the dropdown menu to add a new Clean Access Server:
• Out-of-Band Virtual Gateway
• Out-of-Band Real-IP Gateway
The Clean Access Server itself must be either In-Band or Out-of-Band. The Clean Access Manager can control both In-Band and Out-of-Band CASs in its domain.
Figure 3-8
Step 3 If you plan to use role-based port profiles (see Configure Port Profiles, page 3-33), specify the Access VLAN in the Out-of-Band User Role VLAN field when you create a new user role (Figure 3-9). See Adding a New User Role, page 6-7 for details.
Step 4 When Out-of-Band is enabled, the Monitoring > View Online Users page displays links for both In-Band and Out-of-Band users and display settings (Figure 3-10). See Out-of-Band Users, page 11-31 for details.
Figure 3-11 Group Profiles List
Add Group Profile
Step 1 Go to OOB Management > Profiles > Group > New (Figure 3-12).
Figure 3-12 New Group
Step 2 Enter a single word for the Group Name. You can use digits and underscores, but no spaces.
Step 3 Enter an optional Description.
Step 4 Click Add. The new Group profile appears under OOB Management > Profiles > Group > List.
Figure 3-13 Edit Group
Step 3 You can toggle the switches that belong in the Group profile by selecting the IP address of the switch from the Member Switches or Available Switches columns and clicking the Join or Remove buttons as applicable.
Step 4 Click the Update button when done to save your changes.
The Switch profiles list under OOB Management > Profiles > Device > List provides three icons:
• Devices—Clicking this icon brings up the list of added switches and WLCs under OOB Management > Devices > Devices > List (see Figure 3-28).
• Edit—Clicking this icon brings up the Edit Switch profile form (see Figure 3-16).
Type the Community String for SNMP V1 or SNMP V2C configured for the switch.
If SNMP V3 is used for SNMP Read Settings on the switch, configure the following settings to match those on the switch:
• Choose a Security Method from the dropdown menu: NoAuthNoPriv, AuthNoPriv(MD5), AuthNoPriv(SHA), AuthPriv(MD5+DES), or AuthPriv(SHA+DES).
• Type the User Name.
Figure 3-16 Example Switch Profile
Configure Port Profiles
The Port profile determines whether a port is managed or unmanaged, the Authentication and Access VLANs to use when switching the client port, and other behavior for the port (see Ports Management Page, page 3-54).
Note If the Cisco NAC Appliance system somehow terminates the OOB client session (if the system administrator is forced to “kick” the user out, for example) and the switch changes the VLAN assignment for the client’s access port from the Access VLAN back to the Authentication VLAN, the client machine discovers the VLAN change and, if configured, initiates an IP address refresh/renew to ensure the u
Figure 3-18 New Port Profile
Step 2 Type a single word for the Profile Name. You can use digits and underscores, but no spaces. The name should reflect whether the Port profile is managed or unmanaged.
Note If the switch cannot find the VLAN specified (e.g. the VLAN Name is mistyped), an error also appears in the perfigo.log (not the Event Log).
Step 7 For Access VLAN, choose one of the following options from the dropdown menu:
• Default Access VLAN—The CAM will put authenticated users with certified devices on the Default Access VLAN specified in the Port Profile.
Note Cisco recommends enabling this option for all Out-of-Band deployments to ensure the most accurate status updates in the Out-of-Band Online Users list, and ensure that you do not configure any local (CAS-based) device filters that would potentially conflict with this global setting.
Step 14 You can enable the Do not bounce port to generate Linkup trap if MAC address query failed checkbox to wake up LAN devices or when you are using the MAC-NOTIFICATION trap to discover connected devices.
This feature enables administrators to remove other online Out-of-Band users on the switch port when a new user is detected on the same port. It also allows for the modification of the port profile if an existing user is seen on a different switchport. Checking this option ensures that only one valid user is allowed on one switch port at the same time. If an online user (e.g.
Configure VLAN Profiles
You can use VLAN profiles on your Cisco NAC Appliance to resolve VLAN name-to-VLAN ID mappings while simultaneously ensuring uniform L3 OOB support for multiple access points on your network. VLAN profiles work in conjunction with port profiles to specify the Access VLAN for a user session based on a set of VLAN name-to-VLAN ID mappings.
4. User1 is authenticated and the CAM instructs switch A to assign VLAN 5 to the managed port.
5. User1 achieves VPN access to the internal network.
6. Later in the day, while visiting a client, user1 again attempts to access the network, but this time user1’s session arrives at access switch B.
7.
Add VLAN Profile
To create a new VLAN profile:
Step 1 Go to OOB Management > Profiles > VLAN > New (Figure 3-22).
Figure 3-22 New VLAN Profile
Step 2 Specify a unique Profile Name for the new VLAN profile.
Step 3 Type an optional Description for the VLAN profile.
Step 7 Click Add.
Edit VLAN Profile
To edit an existing VLAN profile:
Step 1 Go to OOB Management > Profiles > VLAN > List (Figure 3-23).
Figure 3-23 VLAN Profiles
Step 2 Click the Edit icon for the existing VLAN profile you want to update. The Edit VLAN Profile window (Figure 3-24) appears.
b. If you want to reassign one or more VLAN name-to-VLAN ID mappings, click the Edit icon corresponding to the mapping you want to update, specify a new VLAN ID under Edit VLAN Name Mapping, and click Update. (See Figure 3-25.
Figure 3-26 CAM SNMP Receiver
Step 2 Use the default Trap Port on Clean Access Manager (162) or enter a new port number here.
Step 3 For SNMP V1 Settings, type the Community String used on switches using SNMP V1.
Step 4 For SNMP V2c Settings, type the Community String used on switches using SNMP V2c.
To Change Default SNMP
Step 1 Go to OOB Management > Profiles > SNMP Receiver > Advanced Settings (Figure 3-27).
• Port-Security Delay (default is 3 seconds)—If port-security is enabled on the switch, after the VLAN is switched, the CAM must wait the number of seconds specified in the Port-Security Delay field before setting the port-security information on the switch.
If the Port Profile requires bouncing the port after the VLAN is changed, then after user login, the user will see the “Renewing IP address” page after the sum of the number of seconds specified in this field and the number of seconds specified in the Port Bounce Interval.
• Delete—Clicking the Delete icon deletes the switch from the list (a confirmation dialog will appear first).
Note When adding a switch based on its loopback address, the OOB Management > Devices > Devices > List will display a MAC address of 00:00:00:00:00:00 for the switch.
Step 8 Click the Reset button to reset the form.
Search New Switches
The Search page allows you to discover and add unmanaged switches within an IP range.
Step 1 Go to OOB Management > Devices > Devices > Search (Figure 3-30).
Figure 3-30 Search Switches
Step 2 Select a Device Profile from the dropdown list.
Note While all switches matching the read community string of the Switch Profile used for the search are listed, only those switches matching the read SNMP version and community string can be added using the Commit button. A switch cannot be controlled unless its write SNMP settings match those configured for its Switch Profile in the Clean Access Manager.
• MAC Notification—If a switch supports MAC Notification, choose this option.
Note To support a variety of switch configurations, Cisco NAC Appliance supports switches using both MAC Change Notification and MAC Move Notification traps.
• Linkup Notification—If a switch does not support MAC Notification, then choose this option.
Step 7 Click Verify.
Note An entry must exist in the Wired Clients list in order for the CAM to determine the switch port for which to change the VLAN. If the user is logging in at the same time that an entry in the Wired Clients list is deleted, the CAM will not be able to detect the switch port.
– Access VLAN—Access VLAN of the client. A value of “N/A” in this column indicates the Access VLAN ID is unavailable for the client. For example, if the user is switched to the Auth VLAN but has never successfully logged into Cisco NAC Appliance (due to wrong user credentials), this machine will never have been to the Access VLAN.
If the switch does not support MAC change notification/MAC move notification traps, the Setup button (Set up mac-notification on managed switch ports) and MAC Notif. column are not displayed on the page. In this case, linkup/linkdown traps must be supported and configured on the switch and Clean Access Manager.
Step 5 Click Setup (see Setup button (MAC notification switches only) (5), page 3-56) to initialize MAC change notification/MAC move notification on switch ports (if available on the switch).
Step 6 Click Save (see Save (6), page 3-57) to save the switch running configuration to the switch stored (startup) configuration.
• Save (6) Click the Save button to save the running configuration into non-volatile memory (startup configuration) on the switch. Click OK in the confirmation.
Note The VLAN assignment of the port will not be changed in the startup configuration of the switch unless you click the Save button.
• Name Port name, for example: Fa0/1, Fa0/24, Gi0/1, Gi0/21 (for Cisco switches)
• Index The port number on the switch, for example: 1, 24, 25, 26
• Description Type of port, for example: FastEthernet0/1, FastEthernet0/24, GigabitEthernet0/1, GigabitEthernet0/2
• Status Connection status of the port.
– A green button indicates a device is connected to the port.
page 3-34). When a switch is added, this column is identical to the Current VLAN column. When new ports are added to a switch, this column displays “N/A” for these ports until the Set New Ports button is clicked (see Set New Ports (Initial VLAN Port Profiles only), page 3-56). To change the Initial VLAN of a port on-the-fly:
a.
Note The MAC address(es) connected to a particular port may not be available when the Access VLAN of the port does not exist in the VLAN database. This occurs on some models of Cisco switches (e.g. 6506, IOS Version 12.2(18) SXD3).
Profile (2) To control a port from the CAM, select a managed port profile from the dropdown menu, then click Update and Setup.
Figure 3-35 Ports Tab—Linkup/Linkdown
Assign a Port Profile to Multiple Ports Simultaneously
If your switch configuration includes many access ports that all feature the same port profile assignments to provide remote users authentication and access to the network, you can use the OOB Management > Devices > Switch [x.x.x.x] > Ports > Manage page to assign the same port profile to many switch ports all at the same time.
Config Tab
The Config tab allows you to modify Basic, Advanced, and Group profile settings for a particular switch:
• Basic
• Advanced
• Group
Basic
The Basic tab (Figure 3-37) shows the following values configured for the switch.
Chapter 3 Switch Management: Configuring Out-of-Band Deployment Configure OOB Switch Management on the CAM Note • Because Cisco NAC Appliance OOB can control switch trunk ports, when upgrading, make sure uplink ports for managed switches are configured as “uncontrolled” ports.
Chapter 3 Switch Management: Configuring Out-of-Band Deployment Configure OOB Switch Management on the CAM • An OOB online user is removed and the Port Profile is configured with the Kick Out-of-Band online user when linkdown trap is received option. • Port Security is enabled on the switch. Port Security Port Security is a switch feature that restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.
Chapter 3 Switch Management: Configuring Out-of-Band Deployment Configure OOB Switch Management on the CAM Figure 3-39 Note Enabling Port Security from the CAM • Port Security can only be enabled on a port set to Access mode (i.e not Trunk mode). • The MAC address(es) connected to a particular port may not be available after Port Security is enabled. This occurs on some models of Cisco switches (e.g. 4507R, IOS Version 12.2(18) EW).
Chapter 3 Switch Management: Configuring Out-of-Band Deployment Configure Access to Authentication VLAN Change Detection Group This page displays all the Group Profiles configured in the Clean Access Manager, and the Group Profiles to which the switch currently belongs. You can add the switch to other Groups, or you can remove the switch from a Group Joined. To change the Group membership for all switches, go to OOB Management > Profiles > Group (see Configure Group Profiles, page 3-28).
Chapter 3 Switch Management: Configuring Out-of-Band Deployment Out-of-Band Users If the Agent detects a change, the client machine automatically refreshes its IP address via DHCP release/renew. By default, the Agent automatically polls for the VLAN assignment on the switch every 5 seconds. If you want to increase or decrease that interval, users can adjust the “VlanDetectInterval” client setting.
Chapter 3 Switch Management: Configuring Out-of-Band Deployment Out-of-Band Users • MAC notification traps Note To support a variety of switch configurations, Cisco NAC Appliance supports switches using both MAC Change Notification and MAC Move Notification traps. • Certified Timer expiration • Session Timer expiration • Manual removal from CAM For additional details, see also Interpreting Event Logs, page 13-4 and Manage Certified Devices, page 11-10.
Chapter 3 Switch Management: Configuring Out-of-Band Deployment Out-of-Band Users Table 3-4 Wired and Wireless User List Summary User List Description Wired Clients and Wireless Clients • The Wired Clients and Wireless Clients lists (Figure 3-33 on page 3-53 and Figure 4-20 on page 4-24) record the activities of Out-of-Band clients (regardless of VLAN), based on the SNMP trap information that the CAM receives.
Chapter 3 Switch Management: Configuring Out-of-Band Deployment OOB Troubleshooting OOB Troubleshooting • OOB Switch Trunk Ports After Upgrade, page 3-71 • OOB Error: connected device not found, page 3-71 • OOB Error: connected device not found, page 3-71 OOB Switch Trunk Ports After Upgrade Because Cisco NAC Appliance can control switch trunk ports for OOB (starting from release 3.
Chapter 3 Switch Management: Configuring Out-of-Band Deployment Troubleshooting SNMP • Make sure the switch profile matches the switch type under OOB Management > Devices > Devices > New For example, if the switch is a 3750, but you specified it a 2950 switch profile when adding the switch, when the CAM receives the SNMP linkup trap from the switch for the client that is connecting (with the MAC address specified in the Agent error message), the CAM will attempt to contact that switch to find that MAC a
Chapter 3 Switch Management: Configuring Out-of-Band Deployment Troubleshooting SNMP 2012-01-08 18:41:57.010 +0530 [TP-Processor23] ERROR com.perfigo.wlan.web.sms.Switch - switch [9.0.20.3] SNMP WRITE failed, 1 consecutive write failures! 2012-01-08 18:41:57.011 +0530 [TP-Processor23] ERROR com.perfigo.wlan.web.sms.SnmpManager This error happens when there is a mismatch in the SNMP Write settings. When the admin clicks the ports for a switch, then this error is displayed in the CAM web console.
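As an added example (not from the Cisco guide), the following Python parses CAM log lines in the format quoted above and tallies consecutive SNMP WRITE failures per switch, so an SNMP Write settings mismatch can be spotted from the log instead of by clicking through each switch's ports. The extra log lines and the 10.0.0.7 switch are constructed for the example, and the flagging threshold of 3 consecutive failures is an assumption, not a CAM setting.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Pattern for the CAM log lines quoted in the guide's SNMP troubleshooting section:
# "<date> <time> <tz> [<thread>] <LEVEL> <logger>[ - <message>]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+)"
    r"(?: - (?P<msg>.*))?$"
)

# The message the Switch logger emits when an SNMP SET to a switch fails.
WRITE_FAIL_RE = re.compile(
    r"switch \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] SNMP WRITE failed, "
    r"(?P<count>\d+) consecutive write failures!"
)


class WriteFailure(NamedTuple):
    timestamp: str
    switch_ip: str
    consecutive: int


def parse_write_failure(line: str) -> Optional[WriteFailure]:
    """Return a WriteFailure for an SNMP WRITE failure line, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m.group("level") != "ERROR" or not m.group("msg"):
        return None
    f = WRITE_FAIL_RE.search(m.group("msg"))
    if not f:
        return None
    return WriteFailure(m.group("ts"), f.group("ip"), int(f.group("count")))


def summarize_write_failures(lines: List[str], threshold: int = 3) -> Dict[str, dict]:
    """Aggregate write failures per switch IP.

    A switch whose consecutive-failure counter reaches `threshold` (an assumed
    value) is flagged: the guide attributes this error to a mismatch between the
    SNMP Write settings in the switch profile and those configured on the switch.
    """
    per_switch: Dict[str, dict] = {}
    for line in lines:
        ev = parse_write_failure(line)
        if ev is None:
            continue
        entry = per_switch.setdefault(ev.switch_ip, {
            "first_seen": ev.timestamp,
            "last_seen": ev.timestamp,
            "events": 0,
            "max_consecutive": 0,
            "suspect_write_settings": False,
        })
        entry["last_seen"] = ev.timestamp
        entry["events"] += 1
        entry["max_consecutive"] = max(entry["max_consecutive"], ev.consecutive)
        entry["suspect_write_settings"] = entry["max_consecutive"] >= threshold
    return per_switch


# Constructed sample: the two lines quoted in the guide, followed by made-up
# continuations for the same switch and one failure on a second (made-up) switch.
SAMPLE_LOG = [
    "2012-01-08 18:41:57.010 +0530 [TP-Processor23] ERROR com.perfigo.wlan.web.sms.Switch"
    " - switch [9.0.20.3] SNMP WRITE failed, 1 consecutive write failures!",
    "2012-01-08 18:41:57.011 +0530 [TP-Processor23] ERROR com.perfigo.wlan.web.sms.SnmpManager",
    "2012-01-08 18:42:12.404 +0530 [TP-Processor23] ERROR com.perfigo.wlan.web.sms.Switch"
    " - switch [9.0.20.3] SNMP WRITE failed, 2 consecutive write failures!",
    "2012-01-08 18:42:30.117 +0530 [TP-Processor24] ERROR com.perfigo.wlan.web.sms.Switch"
    " - switch [9.0.20.3] SNMP WRITE failed, 3 consecutive write failures!",
    "2012-01-08 18:43:01.900 +0530 [TP-Processor25] ERROR com.perfigo.wlan.web.sms.Switch"
    " - switch [10.0.0.7] SNMP WRITE failed, 1 consecutive write failures!",
]


if __name__ == "__main__":
    for ip, info in summarize_write_failures(SAMPLE_LOG).items():
        flag = "CHECK SNMP WRITE SETTINGS" if info["suspect_write_settings"] else "ok"
        print(f"{ip}: {info['events']} failure events, max consecutive "
              f"{info['max_consecutive']}, last {info['last_seen']} -> {flag}")
```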
3. Create SNMP User
If the above order is changed, the user is not properly bound to the correct Group or View. This causes problems for the user and throws the above error.
OOB Client MAC/IP Not Found
Invalid Switch Configuration-OOB Error: OOB Client MAC/IP not found. Please contact network administrator.
This error usually occurs when the user tries to log in.
CHAPTER 4 Wireless LAN Controller Management: Configuring Wireless Out-of-Band Deployment
This chapter describes how to configure Cisco NAC Appliance for Wireless Out-of-Band (Wireless OOB) deployment.
Overview
Starting from NAC Appliance Release 4.9, wireless OOB is supported for roaming as well. When the client machine roams, connectivity is not lost. Wireless Out-of-Band is supported in the following roaming scenarios:
• Between Access Points: When a client roams from one Access Point to another within the same Wireless LAN Controller (WLC).
Note
• Clean Access Servers supporting wireless client login and authentication must be installed and configured in Virtual Gateway mode for Cisco NAC Appliance Release 4.8(1) and earlier versions.
• For Cisco NAC Appliance Release 4.8(2) and later, Cisco Wireless LAN Controllers must be configured in bridging mode to interoperate with Layer 3 Out-of-Band wireless client login.
The DHCP bridging feature is a global setting, so it affects all DHCP transactions within the controller. You need to add ip helper statements in the wired infrastructure for all necessary VLANs on the controller. You can disable the DHCP proxy through the User Interface as well.
Wireless Out-of-Band Virtual Gateway Deployment
Summary Steps to Configure Wireless Out-of-Band
To enable Wireless OOB in your access network, you need to perform the following tasks:
1. Configure your Wireless LAN Controller:
a. Enable SNMP read and write settings on the WLC.
b.
Figure: Wireless Out-of-Band Layer 2 VGW Mode (network diagram; labels: Wireless LAN controller, Layer 2 switch, Trunk VLAN 10, 110, Clean Access Server, VLAN 110, VLAN 10, Wireless client, Layer 3 switch, Clean Access Manager, VLAN 10)
Figure 4-2 Login and Authentication Flow in Wireless OOB Virtual Gateway Mode
1.
Configure Your Network for Wireless Out-of-Band
When the user logs out of the wireless OOB network, the WLC sends another SNMP update to the CAM to ensure the CAM removes the user profile from the wireless Online Users list.
Configure Your Wireless LAN Controllers
• Authentication and Access VLANs are defined on the WLC and changes between the two are transmitted to the CAM using SNMP traps—administrators do not assign VLANs from the CAM via user role assignments or otherwise.
• When a wireless user logs off, the WLC also sends SNMP information to the CAM to ensure the user ID is removed from the Online Users list.
Figure 4-3 WLC 4400 Interfaces > Edit Page
Step 4 Configure the following parameters:
• Guest LAN
• Enable the Quarantine option and specify a Quarantine VLAN ID.
Note: Check the Quarantine check box if you want to configure this VLAN as unhealthy or you want to configure network access control (NAC) Out-of-Band integration.
Step 1 In the WLC graphical user interface, click WLANs > New. The WLANs > New page appears.
Step 2 Choose WLAN from the Type dropdown menu.
Step 3 Enter up to 32 alphanumeric characters for the profile name to be assigned to this WLAN in the Profile Name field. The profile name must be unique.
Step 1 Click Management and then Communities under SNMP. The SNMP v1 / v2c Community page appears.
Step 2 Click New to create a new community. The SNMP v1 / v2c Community > New page appears (Figure 4-5).
Figure 4-5 SNMP v1 / v2c Community > New Page
Step 3 In the Community Name field, enter a unique name containing up to 16 alphanumeric characters.
Figure 4-6 SNMP Trap Receivers > New Page
Step 2 Specify the host name of the CAM to receive SNMP traps from the WLC in the Trap Receiver Name field.
Step 3 Enter the CAM’s IP address in the IP Address field.
Step 4 Choose Enable from the Status dropdown menu.
Step 5 Click Apply to commit your changes.
Step 6 Click Save Configuration to save your settings.
Table 4-3 Configuration Worksheet (continued)
Configuration Settings | Value
Community name for SNMP Trap V2c devices: |
Auth method/username/password for SNMP Trap V3 WLCs: |
Configure Wireless LAN Controller Connection on the CAM
This section describes the web admin console configuration steps to implement Wireless OOB.
Figure 4-7 Add New OOB Server
The Clean Access Server itself must be either In-Band or Out-of-Band. The Clean Access Manager can control both In-Band and Out-of-Band CASs in its domain.
Note: You can only deploy CASs supporting wireless client machine authentication in Virtual Gateway mode.
Add Group Profile
Step 1 Go to OOB Management > Profiles > Group > New (Figure 4-9).
Figure 4-9 New Group
Step 2 Enter a single word for the Group Name. You can use digits and underscores, but no spaces.
Step 3 Enter an optional Description.
Step 4 Click Add. The new Group profile appears under OOB Management > Profiles > Group > List.
Step 4 Click the Update button when done to save your changes.
Note: To delete a group profile, you must first remove the joined switches and/or WLCs from the profile.
Configure Wireless LAN Controller Profiles
A WLC profile must first be created under OOB Management > Profiles > Device > New, then applied when a new WLC is added.
Figure 4-12 New Wireless LAN Controller Profile
Step 2 Enter a single word for the Profile Name. You can use digits and underscores but no spaces.
Note: It is a good idea to enter a WLC name that identifies the model and SNMP read and write versions, for example “WLC4400v2v3.”
Step 3 Enter the SNMP Port configured on the WLC to receive read/write requests.
Step 8 If SNMP v3 is used for SNMP write settings on the WLC, configure the following settings to match those on the WLC:
• Choose a Security Method from the dropdown menu: NoAuthNoPriv, AuthNoPriv(MD5), AuthNoPriv(SHA), AuthPriv(MD5+DES-CBC), or AuthPriv(SHA+DES-CBC).
• Type the User Name.
• Type the User Auth.
• Type the User Priv.
SNMP Trap
This page configures settings for the SNMP traps the CAM receives from switches and WLCs. The Clean Access Manager SNMP Receiver can simultaneously support different versions of SNMP (V1, V2c, V3) when controlling groups of switches and/or WLCs in which individual devices may be using different versions of SNMP.
• Add New Wireless LAN Controller, page 4-20
• Search New Wireless LAN Controllers, page 4-21
• Verify Devices, page 4-22
Figure 4-15 List of Devices
The list of devices under OOB Management > Devices > Devices > List displays all switches added from the New or Search forms.
Figure 4-16 Add New Wireless LAN Controller
Step 2 Choose the Device Profile from the dropdown menu to apply to the WLC to be added.
Step 3 Choose the Device Group for the WLC from the dropdown menu.
Step 4 Type the IP Addresses of the WLC(s) you want to add, one IP address per line.
Step 5 Enter an optional Description of the new switch.
Step 2 Select a Device Profile from the dropdown list. The read community string of the selected WLC profile is used to find WLCs with matching read settings.
Step 3 Type an IP Range in the text box. (The maximum range for a search is 256 addresses.)
Step 4 By default, the Don’t list devices already in the database checkbox is already checked.
Step 3 Choose a Device Group from the dropdown.
Step 4 Choose a Default Port Profile from the dropdown.
Step 5 Type a valid IP Address in the text box.
Step 6 Choose the Control Method to configure the SNMP trap notification type that the CAM SNMP Receiver will use for a particular switch.
Note: The Control Method is applicable only for switches.
Discovered Wireless Clients
Figure 4-20 shows the OOB Management > Devices > Discovered Clients > Wireless Clients page. The Wireless Clients page lists all clients discovered by the Clean Access Manager via SNMP traps between the CAM and the WLC.
– AP MAC—The MAC address of the WLC Access Point through which the client is accessing the network
– Auth VLAN—Authentication (Quarantine) VLAN. A value of “N/A” in this column indicates that the VLAN ID for this MAC address is unavailable from the WLC.
• Device Profile—Shows the Device Profile you are using for this WLC configured under OOB Management > Profiles > Device. The WLC Device Profile sets the model type, the SNMP port on which to send SNMP traps, the SNMP version for read and write and the corresponding community strings, or authentication parameters (SNMP V3 Write).
Wireless Out-of-Band Users
Wireless OOB User Sessions
The following events trigger Wireless OOB users’ disconnection from the Cisco NAC Appliance system:
• SNMP trap messages from the WLC
• Certified Timer expiration
• Session Timer expiration
• Manual removal from CAM
Following log-off, users must undergo authentication again before they are allowed back into the internal network.
CHAPTER 5 Configuring User Login Page and Guest Access
This chapter explains how to add the default login page needed for all users to authenticate and how to customize the login page for web login users. It also describes how to configure Guest User Access, page 5-17.
User Login Page
Caution: A login page must be added and present in the system in order for both web login and Agent users to authenticate. If a default login page is not present, Agent users will see an error dialog when attempting login (“Clean Access Server is not properly configured, please report to your administrator.”). To quickly add a default login page, see Add Default Login Page, page 5-3.
Add Default Login Page
• Proxy server IP address and port pair (for example, 10.10.10.2:80) — this is useful in environments where the IP and port of the proxy server to be used are known (e.g., corporate/enterprise).
Note: Proxy settings are local policies configured on the CAS under Device Management > Clean Access Servers > Manage [CAS_IP] > Advanced > Proxy.
Change Page Type (to Frame-Based or Small-Screen)
Figure 5-2 Login Page List
After the login page is added, you must Edit it to configure all of its other properties.
Enable Web Client for Login Page
Figure 5-3 General Login Page Properties—Configuring Page Type
3. From the Page Type dropdown menu, choose one of the following options:
– Frameless (default)
– Frame-based—This sets the login fields to appear in the left frame of the page, and allows you to configure the right frame with your own customized content (such as organizational logos, files, or referenced URLs).
Note: When the Agent is installed, the Agent automatically sends the MAC address of all network adapters on the client to the CAS. See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x) for more information.
• Use web client to detect client MAC address and Operating System
• Use web client to release and renew IP address when necessary (OOB)
In the same configuration page, the network administrator can set the web client preferences. Normally, Linux/Mac OS X clients are prompted for the root/admin password to refresh their IP address if the client user does not have the privilege to do so.
• ActiveX on IE, Java Applet on non-IE Browser (Default)—Runs ActiveX if Internet Explorer is detected, and runs a Java Applet if another (non-IE) browser is detected. If ActiveX fails on IE, the CAS attempts to run a Java Applet. For non-IE browsers, only the Java Applet is run.
Customize Login Page Content
Figure 5-5 Login Page Content
3. Configure the login page controls on the page using the following text fields and options.
– Image – An image file, such as a logo, that you want to appear on the login page. To refer to your own logo, first upload the logo image. See Upload a Resource File, page 5-13.
– Title – The title of the page as it will appear in the title bar of the browser window and above the login field.
Note: Guest users accessing the Cisco NAC Appliance system via the preset “Guest” user account (described in Enable the Preset “Guest” User Account, page 5-22) must use the “Local DB” provider option. If you are using the Guest User Registration feature, you must first configure a Guest provider type (described in Guest, page 7-26) and enable that provider type here to enable the Guest User Registration feature.
Figure 5-6 Login Page Elements
Create Content for the Right Frame
1. From Administration > User Pages > Login Page > List, click the Edit icon next to the page to be customized. If you have set the login page to be frame-based (as described in Change Page Type (to Frame-Based or Small-Screen), page 5-4), an additional Right Frame submenu link will appear for the page.
2.
Figure 5-7 Login Page—Right Frame Content
3. You can enter a URL or HTML content for the right frame:
a. Enter URL: (for a single webpage to appear in the right frame) For an external URL, use the format http://www.webpage.com. For a URL on the Clean Access Manager, use the format: [Uploaded File]:file_name.htm For images, use the format: [Uploaded File]:file_name.
Upload a Resource File
See also Upload a Resource File, page 5-13 for details.
4. Click Update to save your changes.
5. After you save your changes, click View to see how your customized page will appear to users.
For further details on uploading content for the User Agreement Page (for web login/network scanning users), see also Customize the User Agreement Page, page 12-19. For details on configuring traffic policies to allow client access to files stored on the CAM, see Adding Traffic Policies for Default Roles, page 8-27.
Customize Login Page Styles
1. Go to Login Page > Edit > Style to modify the CSS properties of the page.
– Instruction CSS: CSS tags for formatting instruction areas of the login page.
– Misc CSS: CSS tags for formatting miscellaneous areas of the login page.
3. Click Update to commit the changes made on the Style page, then click View to view the login page using the updated changes.
Configure Other Login Properties
3. For the After Successful Login Redirect to option, click “this URL” and type the destination URL in the text field, making sure to specify “http://” in the URL. Make sure you have created a traffic policy for the role to allow HTTP access so that the user can get to the web page (see Add Global IP-Based Traffic Policies, page 8-4).
4. Click Save Role when done.
See Create Local User Accounts, page 6-15 for further details.
Guest User Access
Guest access makes it easy to provide visitors or temporary users limited access to your network.
Note: If you do not enable all of these options on the Administration > User Pages > Login Page, Guest User Registration users do not see the option to log in as a guest.
– After you save your changes, click View to see how your customized page will appear to users. Figure 5-6 on page 5-11 illustrates how each field correlates to elements of the generated login page.
4.
• Policy and Accept Policy Label—(Optional) If you enable and specify text for the Policy and Accept Policy Label settings, the guest login dialog prompts the user to “accept” the guest access policy you enter (see Figure 5-14) by clicking the checkbox before clicking Continue. Otherwise, the guest user sees the credentials dialog (Figure 5-15) when they first attempt to log in to the NAC Appliance system.
Table 5-1 Login ID Type Settings
Login ID Type | Description | Example Guest User Entry
Numeric | A strictly digit-based string defining the user ID | 543212345
SSN | The guest user’s social security number | 123-45-6789
Step 7
• Affiliation Label—The text guest users see in the user affiliation entry field of the credentials dialog. (Other examples include “Company,” “Vendor,” “Contractor,” or “Guest of.
Figure 5-14 Example Guest “Accept Policy” Dialog
Figure 5-15 Example Guest Credentials Dialog
Enable the Preset “Guest” User Account
At installation, the Clean Access Manager includes a built-in guest user account. By default, the local user “guest” belongs to the Unauthenticated Role and is validated by the Clean Access Manager itself (Provider: LocalDB).
CHAPTER 6 User Management: Configuring User Roles and Local Users
This chapter describes the following topics:
• Overview, page 6-1
• Create User Roles, page 6-2
• Create Local User Accounts, page 6-15
For details on configuring authentication servers, see Chapter 7, “User Management: Configuring Authentication Servers.” For details on creating and configuring the web user login page and guest users, see Chapter 5, “Configuring User Login Page and Guest Access.”
Create User Roles
When a user authenticates, either through the web login page or the Agent, Cisco NAC Appliance determines the normal login role of the user and the requirements and/or network scans to be performed for the role. Cisco NAC Appliance then performs requirement checking and/or network scanning as configured for the role and operating system.
Figure 6-1 Normal Login User Roles
User Role Types
The system puts a user in a role when the user attempts to log in. There are four default user role types in the system: Unauthenticated Role, Normal Login role, Agent Temporary role, and Quarantine role.
Unauthenticated Role
There is only one Unauthenticated Role and it is the system default role.
Normal Login Role
There can be multiple normal login roles (including “restricted access” roles) in the system. A user is put into a normal login role after a successful login. You can configure normal login roles to associate users with the following:
• Network access traffic control policies—which parts of the network and which application ports users can access while in the role.
Therefore, if a MAC address associates the client with “Role A”, but the user’s login ID associates him or her with “Role B”, “Role A” is used. For additional details, see also Global Device and Subnet Filtering, page 2-10 and Device Filters for Out-of-Band Deployment, page 2-14.
– The user logs in using the Agent and meets requirements, but network scanning finds a vulnerability on the user system. The user has the amount of time configured in the Session Timer for the role to access resources to fix vulnerabilities. If the user cancels or times out, the user is logged out of the quarantine role and must restart the login process.
Default Login Page
A default login page must be added and present in the system in order for both web login and Agent users to authenticate. The login page is generated by Cisco NAC Appliance and is shown to end users by role. When users first try to access the network from a web browser, an HTML login page appears prompting the users for a user name and password.
Figure 6-2 Add New User Role
Step 2 If you want the role to be active right away, leave Disable this role cleared.
Step 3 Type a unique name for the role in the Role Name field.
Step 4 Type an optional Role Description.
Step 5 For the Role Type, choose either:
• Normal Login Role – Assigned to users after a successful login.
• Quarantine Role – Assigned to users to quarantine them when network scanning finds a vulnerability on the user system. Note that a system Quarantine role already exists and can be configured. However, the New Role form allows you to add additional quarantine roles if needed.
Step 6 See Role Properties, page 6-9 for configuration details on each role setting.
Table 6-1 Role Properties (continued)
Control | Description
Out-of-Band User Role VLAN | Out-of-Band (OOB) Configuration—Retag Trusted-side Traffic with Role VLAN. Once a user has finished posture assessment and remediation, if needed, and the client device is deemed to be “certified,” the switch port to which the client is connected can be assigned to a different Access VLAN based on the value specified in the Out-of-B
After Successful Login Redirect to | When successfully logged in, the user is forwarded to the web page indicated by this field. You can have the user forwarded to:
• previously requested URL – (default) The URL requested by the user before being redirected to the login page.
Show Logged-on Users | The information that should be displayed to web users in the Logout page. After the web user successfully logs in, the Logout page pops up in its own browser window and displays user status based on the combination of options you select:
• User info—Information about the user, such as the user name.
Enable Passive Re-assessment | This option allows periodic re-assessment of client systems that are online to ensure continuous compliance with the current network policies. This option is disabled by default.
Modifying an Existing Temporary, Quarantine, or Login Role
From the List of Roles tab (Figure 6-3), you can configure traffic and bandwidth policies for any user role. You can also edit the Agent Temporary role, Quarantine role, and any normal login role you have created.
Step 3 Click the Edit icon next to a role to bring up the Edit Role form. An Edit Role window similar to that in Figure 6-2 appears.
Step 4 Modify role settings as desired. See Role Properties, page 6-9 for details.
Step 5 Click Save Role.
Delete Role
To delete a role, click the Delete icon next to the role in the List of Roles tab of the User Management > User Roles page.
Create Local User Accounts
Figure 6-4 New Local User
Step 2 If you want the user account to be active immediately, be sure to leave the Disable this account check box cleared.
Step 3 Type a unique User Name for the user. This is the login name by which the user is identified in the system.
Step 4 Type a password in the Password field and retype it in the Confirm Password field. The password value is case-sensitive.
CH A P T E R 7 User Management: Configuring Authentication Servers This chapter describes how to set up external authentication sources, configure Active Directory Single Sign-On (SSO), VLAN ID or attribute-based auth server mapping rules, and RADIUS accounting.
Chapter 7 User Management: Configuring Authentication Servers Overview Working with Existing Backend Authentication Servers When working with existing backend authentication servers, Cisco supports the following authentication protocol types: • Kerberos • RADIUS (Remote Authentication Dial-In User Service) • Windows NT (NTLM Auth Server) • LDAP (Lightweight Directory Access Protocol) When using this option, the CAM is the authentication client which communicates with the backend auth server.
Chapter 7 User Management: Configuring Authentication Servers Overview Local Authentication You can set up any combination of local and external authentication mechanisms for both users and Cisco NAC Appliance administrators. Typically, external authentication sources are used for general users, while local authentication (where users are validated internally to the CAM) is used for test users, guests, or other types of users with limited network access.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Adding an Authentication Provider The following are the general steps to add an authentication server to the Clean Access Manager: Step 1 Go to User Management > Auth Servers > New. Step 2 From the Authentication Type list, choose the authentication provider type. Step 3 For Provider Name, type a name that is unique for authentication providers.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Kerberos Note In Cisco NAC Appliance, you can configure one Kerberos auth provider and one LDAP auth provider using the GSSAPI authentication method, but only one of the two can be active at any time. See LDAP, page 7-16 for more information.
While running Windows 2008 AD Server at 2003 Server functional level, if you face issues, try the following: Run KTPass to allow multiple algorithms for the new service account. ktpass -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Step 2 From the Authentication Type dropdown menu, choose Radius. Figure 7-4 Add RADIUS Auth Server Step 3 Provider Name—Type a unique name for this authentication provider. Enter a meaningful or recognizable name if web login users will be able to select providers from the web login page. Step 4 Server Name—The fully qualified host name (e.g., auth.cisco.
Note If your CAM is deployed as a member of an HA failover pair, be sure you specify the service IP address for the HA pair to ensure the RADIUS authentication server receives the proper RADIUS accounting packets from the CAM. Regardless of whether the HA-Primary or HA-Standby CAM sends the accounting packets, they are sent from the pair's service IP address, so the RADIUS server sees them as coming from the HA pair rather than from an individual CAM.
Step 4 Under Console Root, click Certificates (Local Computer). A list of PKI objects appears in the right pane. Step 5 Go to Action > All Tasks > Import and click Next. Step 6 Click Browse, select the server certificate, and click Next. Step 7 Select Place all certificates in the following store. Step 8 Click Browse, select the appropriate certificate store, and click Next. Step 9 Click Next.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Figure 7-5 New IP Security Policy Step 4 On the wizard, click Next. Step 5 Enter a name for the policy (for example, “IPSec rules for CAM-ACS”) and click Next. Step 6 Uncheck (disable) the Activate the default responses rule option and click Next. Step 7 Leave the Edit properties box checked (enabled) and click Finish. Step 8 In the properties dialog, click Add.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Step 9 Select the IP Filter List tab and click Add (Figure 7-6). Figure 7-6 IP Filter List Step 10 Specify a name for the IP address filter list (for example, “CAM to ACS Filter List”). Step 11 Click Add to add filter. Step 12 Select the Addresses tab. Step 13 Specify A Specific IP address as the Source address and enter the CAM IP address.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Step 19 Select the Filter Action tab and click Add to add a new filter action (Figure 7-7). Figure 7-7 New Filter Action Step 20 Select the General tab and enter a name (for example, “NAC IPSec Filter Action”). Step 21 Select the Security Methods tab. Step 22 Choose the Negotiate security option and click Add. Step 23 Specify Integrity and encryption as the security method and click OK.
Step 27 Select the Authentication Methods tab and remove all authentication methods that are displayed (Figure 7-8 Authentication Methods). Step 28 Click Add.
Step 29 Select Use a certificate from this certification authority (CA) (Figure 7-9). Figure 7-9 Use a certificate from this certification authority (CA) Step 30 Click Browse, select the entry corresponding to your root certification authority, and click OK. Step 31 Click OK. Step 32 Select the Tunnel Setting tab and ensure that the This rule does not specify an IPSec tunnel option is selected.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider or other user-specific credentials in addition to the standard user ID and password. In this case, one or more additional login dialog screens may appear as part of the login session. For details, refer to RADIUS Challenge-Response Cisco NAC Agent Dialogs, page 10-22. Windows NT Note • If the CAM is not in the same subnet as the domain controllers, then the CAM DNS settings must be able to resolve the DCs.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider LDAP Note This section describes the general steps to configure an LDAP authentication provider. You can also use these steps to configure SIMPLE or GSSAPI authentication for an LDAP Lookup Server, which is used for authorization when configuring AD SSO. For details on configuring AD SSO, refer to the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x).
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Configure LDAP Server with Simple Authentication Step 1 Go to User Management > Auth Servers > New. Step 2 From the Authentication Type dropdown menu, choose LDAP. Figure 7-11 Add LDAP Auth Server—SIMPLE Authentication Mechanism Step 3 Provider Name—Type a unique name for this authentication provider.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Step 6 Server version—The LDAP version. Supported types include Version 2 and Version 3. Leave as Auto (default) to have the server version automatically detected. Step 7 Search Base Context—The root of the LDAP tree in which to perform the search for users (e.g. dc=cisco, dc=com). Step 8 Search Filter—The attribute to be authenticated (e.g., uid=$user$, or sAMAccountName=$user$).
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Step 1 Go to User Management > Auth Servers > Lookup Servers > New. Step 2 From the Authentication Type dropdown menu, choose LDAP. Figure 7-12 Add LDAP Auth Server—GSSAPI Authentication Mechanism Step 3 Provider Name—Type a unique name for this authentication provider. Enter a meaningful or recognizable name if web login users will be able to select providers from the web login page.
Every LDAP authentication request is passed to the first server specified in the list by default. If that server does not respond within 15 seconds, the CAM then attempts to authenticate using the alternate LDAP server(s) in the list. The field accepts at most 128 characters, which limits the number of redundant servers you can specify. Step 6 Server version—The LDAP version.
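As an added example (not code from the Cisco guide), the following Python models how an LDAP auth provider resolves a login: the $user$ placeholder in the Search Filter is substituted, the CAM looks up exactly one DN under the Search Base Context, binds as that DN with the user's password, and falls back to the next server in the list when the first does not answer within 15 seconds. The directory entries, server names and latencies are constructed, the servers are in-process stand-ins rather than real LDAP servers, and the escaping of the substituted value (which the guide does not describe) follows RFC 4515; the unescaped variant is included only to show why a bare * in a user name must never reach the filter.

```python
"""LDAP auth provider behaviour modelled in-process: $user$ substitution in the
Search Filter, search-then-bind, and failover to the next server in the list.
Added example; the directory entries, server names and latencies are constructed."""
import re


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter
    (RFC 4515 section 3): backslash, parentheses, asterisk and NUL become \\XX."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def render_filter(template: str, user: str, escape: bool = True) -> str:
    """Replace $user$ in a Search Filter such as (uid=$user$).

    escape=False reproduces the unsafe substitution so the difference is visible."""
    return template.replace('$user$', escape_filter_value(user) if escape else user)


def _filter_to_regex(pattern: str):
    """Turn the value part of an (attr=value) filter into a regex. A bare '*'
    is a wildcard; a \\XX escape is a literal character. Matching is
    case-insensitive (the usual matching rule for attributes such as uid)."""
    parts, literal, i = [], '', 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and i + 2 < len(pattern):
            literal += chr(int(pattern[i + 1:i + 3], 16))
            i += 3
        elif ch == '*':
            parts.extend([re.escape(literal), '.*'])
            literal, i = '', i + 1
        else:
            literal, i = literal + ch, i + 1
    parts.append(re.escape(literal))
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE)


class FakeLdapServer:
    """Minimal stand-in for an LDAP server: exact/wildcard search on one
    attribute, simple bind against userPassword, and a simulated response time."""

    def __init__(self, name, entries, latency=0.0):
        self.name, self.entries, self.latency = name, entries, latency

    def search(self, base, filt):
        m = re.fullmatch(r'\((\w+)=(.*)\)', filt)
        if not m:
            raise ValueError('unsupported filter: ' + filt)
        attr, rx = m.group(1), _filter_to_regex(m.group(2))
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and attr in e and rx.match(e[attr])]

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry['userPassword'] == password


def authenticate(servers, base, template, user, password, timeout=15.0):
    """CAM-style login: use the first server that answers within `timeout`
    seconds, resolve the user name to exactly one DN, then bind as that DN.
    Returns (server name, DN, success)."""
    filt = render_filter(template, user)
    for srv in servers:
        if srv.latency > timeout:        # no answer in time: fail over
            continue
        dns = srv.search(base, filt)
        if len(dns) != 1:                # unknown user, or an ambiguous match
            return srv.name, None, False
        return srv.name, dns[0], srv.bind(dns[0], password)
    return None, None, False


# Constructed directory: two users under ou=people.
BASE = 'ou=people,dc=example,dc=com'
DIRECTORY = {
    'uid=alice,' + BASE: {'uid': 'alice', 'userPassword': 'alice-pw'},
    'uid=bob,' + BASE: {'uid': 'bob', 'userPassword': 'bob-pw'},
}
SERVERS = [FakeLdapServer('ldap1', DIRECTORY, latency=30.0),   # never answers in time
           FakeLdapServer('ldap2', DIRECTORY)]

if __name__ == '__main__':
    print(authenticate(SERVERS, BASE, '(uid=$user$)', 'alice', 'alice-pw'))
    print(SERVERS[1].search(BASE, render_filter('(uid=$user$)', '*', escape=False)))
    print(SERVERS[1].search(BASE, render_filter('(uid=$user$)', '*')))
```

With escaping, a user name of * resolves to no DN and the login fails; substituted raw, the same filter matches every entry under the base, which is why the lookup must refuse anything other than exactly one result.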
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider You can also specify “failover” or “redundant” mappings in the KDC/Realm Mapping field.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider d. Search(Admin) Password—The password for the LDAP user. e. Search Base Context—The root of the LDAP tree to perform the search for users (e.g. dc=cisco, dc=com). Step 4 Click Add. Step 5 The bottom pane displays the details of the servers you have added. Step 6 You can click the Edit icon to modify the details and the Delete icon to remove a server.
b. Enter each Windows Domain Controller IP and click Add Server. See section “Enable Windows NetBIOS SSO” of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x) for details. 3. Add IP traffic control policies for the Unauthenticated role to allow users on the untrusted side access to the domain controllers on the trusted network.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Cisco VPN SSO Cisco NAC Appliance enables administrators to deploy the CAS In-Band behind a VPN concentrator, or router, or multiple routers. Cisco NAC Appliance supports multi-hop Layer 3 In-Band deployment by allowing the CAM and CAS to track user sessions by unique IP address when users are separated from the CAS by one or more routers.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Figure 7-15 Agent with SSO for VPN Users Add Cisco VPN SSO Auth Server To enable SSO for Cisco VPN concentrator users, add a Cisco VPN SSO auth server: Step 1 Go to User Management > Auth Servers > New. Step 2 From the Authentication Type dropdown menu, choose Cisco VPN SSO. Figure 7-16 Add Cisco VPN Auth Server Step 3 Provider Name—The Provider Name value defaults to CiscoVPN.
Allow All The AllowAll option is a special authentication type that provides an alternative to the Guest Access login button feature. It allows users to type in any credential to log in (e.g., an email address for user name and/or password) but does not validate the credentials. Because nothing is checked, treat the submitted identifier as informational only and map Allow All users into a role with the same restrictions you would give guests.
Chapter 7 User Management: Configuring Authentication Servers Adding an Authentication Provider Allow All function. For example, you can require users to supply a contact phone number and birth date before they are allowed to access the network as a guest user. The identifier a user submits in the login page appears in the Online Users and User Management > Local Users > Guest Users pages while the user is logged in.
Configuring Authentication Cache Timeout (Optional) For performance reasons, the Clean Access Manager caches the authentication results from user authentication for 2 minutes by default. The Authentication Cache Timeout control on the Auth Server list page allows administrators to configure the number of seconds the authentication result will be cached in the CAM. Keep in mind that a cached result is reused without contacting the backend auth server, so a password change or account lockout on that server is not seen by the CAM until the cached entry expires; a longer timeout widens that window.
Authenticating Against a Backend Active Directory AD/LDAP Configuration Example The following illustrates a sample configuration using LDAP to communicate with the backend Active Directory: 1. Create a Domain Admin user within Active Directory Users and Computers. Place this user into the Users folder. (The CAM uses this account only to search the directory for the user's DN, so an account with read access to the user objects is sufficient; whatever account you choose, its password is stored in the CAM configuration.) 2. Within Active Directory Users and Computers, select Find from the Actions menu.
Figure 7-21 Example New LDAP Server for AD 6. The following fields are all that is necessary to properly set up this auth server within the CAM: a. Description: Used just for reference. b. ServerURL: ldap://192.168.137.10:3268 – This is the domain controller IP address and the default Microsoft Global Catalog port for AD. (A plain ldap:// connection carries the simple-bind password in clear text between the CAM and the domain controller.)
Map Users to Roles Using Attributes or VLAN IDs The Mapping Rules forms can be used to map users into user role(s) based on the following parameters: • The VLAN ID of user traffic originating from the untrusted side of the CAS (all auth server types). Note Only Layer 2 Adjacency mode is supported.
Chapter 7 User Management: Configuring Authentication Servers Map Users to Roles Using Attributes or VLAN IDs VLAN IDs to map users into user roles. Mapping rules can be created for a range of VLAN IDs, and attribute matches can be made case-insensitive. This allows multiple conditions to be flexibly configured for a mapping rule. A mapping rule comprises an auth provider type, a rule expression, and the user role into which to map the user.
Figure 7-24 Mapping for Cisco VPN Auth Type 2. The Add Mapping Rule form appears. Figure 7-25 Example Add Mapping Rule (Cisco VPN) Configure Conditions for Mapping Rule (A) • Provider Name—The Provider Name sets the fields of the Mapping Rules form for that authentication server type.
Chapter 7 User Management: Configuring Authentication Servers Map Users to Roles Using Attributes or VLAN IDs conditions, instead of associating attribute types to attribute values, you choose two existing conditions to associate together, which become Left and Right Operands for the compound statement. 3.
Chapter 7 User Management: Configuring Authentication Servers Map Users to Roles Using Attributes or VLAN IDs 7. Operator (VLAN ID)—If you choose VLAN ID as the Condition Type, choose one of the following operators to define a condition that tests against VLAN ID integers. – equals – True if the VLAN ID matches the VLAN ID in the Property Value field. – not equals – True if the VLAN ID does not match the VLAN ID in the Property Value field.
Figure 7-26 Example Add VLAN ID Mapping Rule Figure 7-27 Example Add LDAP Mapping Rule (Attribute)
Figure 7-28 Example Add RADIUS Mapping Rule (Attribute) Figure 7-29 Example Compound Condition Mapping Rules Editing Mapping Rules Priority—To change the priority of a mapping rule later, click the up/down arrow next to the entry in the User Management > Auth Servers > List. The priority determines the order in which the rules are tested.
Chapter 7 User Management: Configuring Authentication Servers Map Users to Roles Using Attributes or VLAN IDs Edit—Click the Edit icon next to the rule to modify the mapping rule, or delete conditions from the rule. Note that when editing a compound condition, the conditions below it (created later) are not displayed. This is to avoid loops. Delete—Click the delete icon next to the Mapping Rule entry for an auth server to delete that individual mapping rule.
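The rule evaluation described above, as an added example rather than code from the guide: attribute conditions (matched case-insensitively), VLAN ID conditions including a range, compound conditions whose operands are two earlier conditions, and priority-ordered first-match assignment of the role. The provider name, attribute names, VLAN numbers, role names and the exact operator set are assumptions for illustration.

```python
"""Mapping rules: attribute and VLAN ID conditions, compound conditions built
from two existing conditions, and priority-ordered first-match evaluation.
Added example; attribute values, VLAN numbers and role names are constructed."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Condition:
    kind: str        # 'attribute', 'vlan' or 'compound'
    operator: str    # see evaluate()
    left: Any        # attribute name, None for vlan, or a Condition
    right: Any       # value, VLAN ID, (low, high) range, or a Condition


def evaluate(cond: Condition, attrs: dict, vlan_id: int) -> bool:
    if cond.kind == 'attribute':
        actual = attrs.get(cond.left)
        if actual is None:
            return False
        a, b = str(actual).lower(), str(cond.right).lower()   # case-insensitive match
        return {'equals': a == b, 'not_equals': a != b, 'contains': b in a,
                'starts_with': a.startswith(b), 'ends_with': a.endswith(b)}[cond.operator]
    if cond.kind == 'vlan':
        if cond.operator == 'equals':
            return vlan_id == cond.right
        if cond.operator == 'not_equals':
            return vlan_id != cond.right
        if cond.operator == 'belongs_to':       # inclusive range of VLAN IDs
            low, high = cond.right
            return low <= vlan_id <= high
        raise ValueError('unknown VLAN operator ' + cond.operator)
    if cond.kind == 'compound':                 # operands are earlier conditions
        left = evaluate(cond.left, attrs, vlan_id)
        if cond.operator == 'not':
            return not left
        right = evaluate(cond.right, attrs, vlan_id)
        return (left and right) if cond.operator == 'and' else (left or right)
    raise ValueError('unknown condition kind ' + cond.kind)


@dataclass(frozen=True)
class MappingRule:
    priority: int      # lower number is tested first
    provider: str      # auth provider the rule belongs to
    condition: Condition
    role: str


def map_role(rules, provider, attrs, vlan_id, default_role):
    """Test the provider's rules in priority order; the first match assigns the role."""
    for rule in sorted((r for r in rules if r.provider == provider), key=lambda r: r.priority):
        if evaluate(rule.condition, attrs, vlan_id):
            return rule.role
    return default_role


# Constructed rules for an LDAP provider named "corp-ldap".
IN_IT = Condition('attribute', 'contains', 'memberOf', 'CN=IT,')
FINANCE = Condition('attribute', 'equals', 'department', 'finance')
NOT_VLAN_99 = Condition('vlan', 'not_equals', None, 99)
GUEST_VLANS = Condition('vlan', 'belongs_to', None, (10, 20))
RULES = [
    MappingRule(1, 'corp-ldap', IN_IT, 'it-staff'),
    MappingRule(2, 'corp-ldap', GUEST_VLANS, 'guest'),
    MappingRule(3, 'corp-ldap', Condition('compound', 'and', FINANCE, NOT_VLAN_99), 'finance'),
]


def reprioritised(rules, role_first):
    """Move the rule for `role_first` to the top, as the up arrow in the rule list does."""
    order = sorted(rules, key=lambda r: (r.role != role_first, r.priority))
    return [MappingRule(i + 1, r.provider, r.condition, r.role) for i, r in enumerate(order)]


if __name__ == '__main__':
    finance_user = {'department': 'Finance'}
    print(map_role(RULES, 'corp-ldap', finance_user, 15, 'default'))                   # guest
    print(map_role(reprioritised(RULES, 'finance'), 'corp-ldap', finance_user, 15, 'default'))  # finance
```

A finance user arriving on VLAN 15 lands in the guest role because the VLAN rule is tested first; moving the finance rule up changes the outcome without changing any condition, which is the effect of the priority arrows described above.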
Figure 7-33 RADIUS—Microsoft Attribute Names Figure 7-34 RADIUS—WISPr (Wireless Internet Service Provider roaming) Attribute Names Auth Test The Auth Test tab allows you to test the Kerberos, RADIUS, Windows NT, LDAP, and AD SSO authentication providers you configured against actual user credentials, and lists the role assigned to the user.
Chapter 7 User Management: Configuring Authentication Servers Auth Test Note You cannot use Auth Test to test SSO. A client machine is needed to test SSO. To test authentication: Step 1 From User Management > Auth Servers > Auth Test tab, select the provider against which you want to test credentials in the Provider list. If the provider does not appear, make sure it is correctly configured in the List tab.
Table 7-1 Example “Authentication Failed” Results (message, then what it indicates)
Invalid User Credential: correct user name, incorrect password.
Unable to find the full DN for user: correct password, incorrect user name (LDAP provider).
Client Receive Exception: Packet Receive Failed (Receive timed out): correct password, incorrect user name (RADIUS provider).
Message: Invalid Admin(Search
Chapter 7 User Management: Configuring Authentication Servers RADIUS Accounting Figure 7-36 RADIUS Accounting Server Config Page Step 2 Select Enable RADIUS Accounting to enable the Clean Access Manager to send accounting information to the named RADIUS accounting server. Step 3 Enter values for the following form fields: • Server Name—The fully qualified host name (e.g. auth.cisco.com) or IP address of the RADIUS accounting server.
Chapter 7 User Management: Configuring Authentication Servers RADIUS Accounting Step 4 Click Update to update the server configuration. Restore Factory Default Settings The Clean Access Manager can be restored to the factory default accounting configuration as follows: 1. Go to Administration > Backup to backup your database before restoring default settings. 2. Go to User Management > Auth Servers > Accounting > Server Config 3.
Chapter 7 User Management: Configuring Authentication Servers RADIUS Accounting • User Name—User account name. Logout Event Data Fields The following four data fields apply to logout events only and are not sent for login or shared events: • Logout Time (Unix Seconds)—Logout time of the user in Unix seconds. • Logout Time (DTF)—Logout time of the user in date time format. • Session Duration (Seconds)—Duration of the session in seconds.
Chapter 7 User Management: Configuring Authentication Servers RADIUS Accounting Figure 7-38 RADIUS Attribute Dropdown Menu 4. From the Send RADIUS Attribute dropdown menu, choose a RADIUS attribute. 5. Click the Change Attribute button to update the RADIUS Attribute type. The type, such as “String” or “Integer,” will display in this field. 6. Configure the type of data to send with the attribute.
Figure 7-39 Login Events Figure 7-40 Logout Events Figure 7-41 Shared Events
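An added example, not from the guide, of what the accounting server receives for the login and logout events above: RFC 2866 Accounting-Request packets carrying Start/Stop, the user name, the client address and the session duration, with the Request Authenticator the server recomputes over the shared secret before accepting the record. The attribute selection, addresses, session identifier and secret are assumptions; the CAM's actual attribute set is whatever you configure on the Login, Logout and Shared Events pages.

```python
"""RADIUS accounting (RFC 2866) Accounting-Request packets for login and logout
events, with the Request Authenticator the accounting server checks.
Added example; the attribute set, addresses and secret are constructed."""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 8, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
ACCT_START, ACCT_STOP = 1, 2


def _attribute(attr_type, value):
    """Encode one attribute as Type, Length, Value (integers as 4-byte big-endian)."""
    if isinstance(value, int):
        value = struct.pack('!I', value)
    elif isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError('attribute value too long')
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(secret, identifier, attributes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    payload = b''.join(_attribute(t, v) for t, v in attributes)
    header = struct.pack('!BBH', ACCOUNTING_REQUEST, identifier, 20 + len(payload))
    # RFC 2866 section 3: MD5 over the packet with a zeroed authenticator, then the secret.
    authenticator = hashlib.md5(header + bytes(16) + payload + secret).digest()
    return header + authenticator + payload


def verify_accounting_request(secret, packet):
    """What the accounting server does before accepting the record."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack('!BBH', packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return {type: raw value} for a packet (last occurrence of a type wins)."""
    attrs, offset = {}, 20
    while offset + 2 <= len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2:
            raise ValueError('malformed attribute')
        attrs[attr_type] = packet[offset + 2:offset + length]
        offset += length
    return attrs


def _common(user, session_id, cam_ip, client_ip, client_mac):
    return [(USER_NAME, user), (ACCT_SESSION_ID, session_id),
            (NAS_IP_ADDRESS, socket.inet_aton(cam_ip)),       # CAM (or HA service) address
            (FRAMED_IP_ADDRESS, socket.inet_aton(client_ip)),
            (CALLING_STATION_ID, client_mac)]


def login_event(secret, identifier, user, session_id, cam_ip, client_ip, client_mac):
    """Start record for a login event."""
    return build_accounting_request(
        secret, identifier, [(ACCT_STATUS_TYPE, ACCT_START)] +
        _common(user, session_id, cam_ip, client_ip, client_mac))


def logout_event(secret, identifier, user, session_id, cam_ip, client_ip, client_mac,
                 login_time, logout_time):
    """Stop record carrying the Session Duration (seconds) as Acct-Session-Time."""
    return build_accounting_request(
        secret, identifier, [(ACCT_STATUS_TYPE, ACCT_STOP)] +
        _common(user, session_id, cam_ip, client_ip, client_mac) +
        [(ACCT_SESSION_TIME, logout_time - login_time)])


SECRET = b'constructed-shared-secret'

if __name__ == '__main__':
    pkt = logout_event(SECRET, 7, 'alice', 'cam-0001', '10.0.0.5', '192.0.2.10',
                       '00-11-22-33-44-55', 1700000000, 1700003600)
    print(verify_accounting_request(SECRET, pkt), parse_attributes(pkt))
```

The authenticator is what ties the record to the shared secret: a record with a changed user name or a different secret fails verification and is dropped, which is also why the HA note above matters, since the accounting server checks the secret against the client address it sees the packet come from.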
CH A P T E R 8 User Management: Traffic Control, Bandwidth, Schedule This chapter describes how to configure role-based traffic control policies, bandwidth management, session and heartbeat timers.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Overview Cisco NAC Appliance offers three types of traffic policies: IP-based policies—IP-based policies are fine-grained and flexible and can stop traffic in any number of ways. IP-based policies are intended for any role and allow you to specify IP protocol numbers as well as source and destination port numbers.
Example 3:
1. Allow TCP *.* 10.10.10.1/255.255.255.255
2. Block TCP *.* 10.10.10.0/255.255.255.0
Result: Allow TCP access to 10.10.10.1 while blocking TCP access to everything else in the subnet (10.10.10.*).
Example 4 (Layer 2 Ethernet - Virtual Gateway mode only):
1. Allow SNA IBM Systems Network Architecture
2.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Add Global IP-Based Traffic Policies Figure 8-1 Trusted -> Untrusted Direction Field Add Global IP-Based Traffic Policies You can configure traffic policies for all the default roles already present in the system (Unauthenticated, Temporary, Quarantine). You will need to create normal login user roles first before you can configure traffic policies for them (see Chapter 6, “User Management: Configuring User Roles and Local Users.
4. Click the Add Policy link next to the user role to create a new policy for the role, or click Add Policy to All Roles to add the new policy to all roles at once. Note The Add Policy to All Roles option adds the policy to all roles except the Unauthenticated role. Once added, traffic policies are modified individually and removed per role only.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Add Global IP-Based Traffic Policies 8. Set the Category of the traffic as follows: – ALL TRAFFIC (default)—The policy applies to all protocols and to all trusted and untrusted source and destination addresses. – IP—If selected, the Protocol field displays as described below. – IP FRAGMENT—By default, the Clean Access Manager blocks IP fragment packets, since they can be used in denial-of-service (DoS) attacks.
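To make the ordering rule concrete, here is an added Python model (not Cisco code) of first-match evaluation over the policy fields described above: priority order decides, so the allow-then-block pair of Example 3 behaves differently when reversed, and IP fragments are blocked unless an IP FRAGMENT policy allows them. The packet representation, the default action for unmatched traffic and the assumption that only IP FRAGMENT policies apply to fragments are mine.

```python
"""First-match evaluation of IP-based traffic policies, including the default
treatment of IP fragments. Added example modelled on Example 3 in the text;
the policy fields, packets and default action are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    action: str              # 'Allow' or 'Block'
    category: str = 'IP'     # 'ALL TRAFFIC', 'IP' or 'IP FRAGMENT'
    protocol: str = '*'      # 'TCP', 'UDP', 'ICMP' or '*' (any)
    destination: str = '*'   # network in CIDR or address/netmask form, or '*'
    ports: str = '*'         # destination port, 'low-high' range, or '*'

    def _port_ok(self, port):
        if self.ports == '*':
            return True
        low, _, high = self.ports.partition('-')
        return int(low) <= port <= int(high or low)

    def matches(self, pkt):
        if pkt['fragment']:
            # Assumption: only IP FRAGMENT policies are consulted for fragments.
            return self.category == 'IP FRAGMENT'
        if self.category == 'IP FRAGMENT':
            return False
        if self.category == 'ALL TRAFFIC':
            return True
        if self.protocol != '*' and self.protocol != pkt['protocol']:
            return False
        if self.destination != '*' and ipaddress.ip_address(pkt['dst']) not in \
                ipaddress.ip_network(self.destination, strict=False):
            return False
        # Ports only apply to TCP/UDP; other protocols match on address alone.
        return pkt['protocol'] not in ('TCP', 'UDP') or self._port_ok(pkt['dport'])


def evaluate(policies, pkt, default='Allow'):
    """Policies are tested in priority order; the first match decides. IP
    fragments are blocked unless an IP FRAGMENT policy allows them."""
    for policy in policies:
        if policy.matches(pkt):
            return policy.action
    return 'Block' if pkt['fragment'] else default


def packet(protocol, dst, dport=None, fragment=False):
    """Constructed packet summary: protocol, destination address, port, fragment flag."""
    return {'protocol': protocol, 'dst': dst, 'dport': dport, 'fragment': fragment}


# Example 3 from the text: allow one host, then block the rest of its subnet.
EXAMPLE_3 = [Policy('Allow', protocol='TCP', destination='10.10.10.1/255.255.255.255'),
             Policy('Block', protocol='TCP', destination='10.10.10.0/255.255.255.0')]

if __name__ == '__main__':
    print(evaluate(EXAMPLE_3, packet('TCP', '10.10.10.1', 80)))                  # Allow
    print(evaluate(list(reversed(EXAMPLE_3)), packet('TCP', '10.10.10.1', 80)))  # Block
    print(evaluate(EXAMPLE_3, packet('TCP', '10.10.10.1', fragment=True)))       # Block
```

Reversing the two policies of Example 3 blocks 10.10.10.1 as well, because the subnet block is tested first and wins; a fragment to the same host is blocked until an explicit IP FRAGMENT allow is placed ahead of it.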
Edit IP-Based Policy 1. Go to User Management > User Roles > Traffic Control > IP. 2. Click the Edit icon for the role policies you want to edit (Figure 8-4 Edit IP Policy). 3. The Edit Policy form for the role policy appears (Figure 8-5 Edit IP Policy Form). 4. Change properties as desired.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Add Global Host-Based Traffic Policies Note that you cannot change the policy priority directly from the Edit form. To change a Priority, click the Up or Down arrows for the policy in the Move column of the IP policies list page.
Figure 8-6 Add Trusted DNS Server 3. Optionally type a description for the DNS server in the Description field. 4. The Enable checkbox should already be selected. 5. Click Add. The new policy appears in the Trusted DNS Server column.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Add Global Host-Based Traffic Policies Step 7 To add additional custom hosts for the roles, follow the instructions for Add Allowed Host, page 8-10. Note See Retrieving Cisco NAC Appliance Updates, page 9-12, for complete details on configuring Updates.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Add Global Host-Based Traffic Policies View IP Addresses Used by DNS Hosts You can view the IP addresses used for the DNS host when clients connect to the host to update their systems. Note that these IP addresses are viewed per Clean Access Server from the CAS management pages. 1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Filter > Roles > Allowed Hosts. 2.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Add Global Layer 2 Ethernet Traffic Policies Proxy Servers and Host Policies You can allow users to access only the host sites enabled for a role (e.g. Temporary or Quarantine users that need to meet requirements) when a proxy server specified on the CAS is used.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Control Bandwidth Usage 2. Select either Allow or Block from the Action dropdown menu. 3. Specify the type of Layer 2 Ethernet traffic to either allow or block in the Protocol dropdown menu. Note Except for allowing all Layer 2 traffic, only the “IBM Systems Network Architecture (SNA)” protocol is available in Cisco NAC Appliance.
Figure 8-10 Bandwidth Form for User Role Note Alternatively, you can go to User Management > User Roles > List of Roles and click the BW icon next to the role. 4. Set the maximum bandwidth in kilobits per second for upstream and downstream traffic in Upstream Bandwidth and Downstream Bandwidth.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Configure User Session and Heartbeat Timeouts Note If bandwidth management is enabled, devices allowed via device filter without specifying a role will use the bandwidth of the Unauthenticated Role. See Global Device and Subnet Filtering, page 2-10 for details.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Configure User Session and Heartbeat Timeouts In-Band (L2) Sessions For In-Band configurations, a user session is based on the client MAC and IP address and persists until one of the following occurs: • The user logs out of the network through either the web user logout page or the Agent logout option. • An administrator manually removes the user from the network.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Configure User Session and Heartbeat Timeouts Configure Session Timer (per User Role) Step 1 Go to User Management > User Roles > Schedule > Session Timer. Figure 8-11 Session Timer Step 2 Click the Edit icon next to the role for which you want to configure timeout settings. Step 3 Select the Session Timeout check box and type the number of minutes after which the user’s session times out.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Configure User Session and Heartbeat Timeouts Step 4 Click Update to save your settings. Note that logging a user off the network does not remove them from the Certified Devices List. However, removing a user from the Certified Devices List also logs the user off the network. An administrator can drop users from the network individually or terminate sessions for all users at once.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Configure Policies for Agent Temporary and Quarantine Roles expires, the user must log in again to continue using the network. For example, if the timer is set for 5 minutes, and the user removes the system from the network for 6 minutes, the user must log in again to use the network. Step 4 Click Update to enable the Heartbeat Timeout.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Configure Policies for Agent Temporary and Quarantine Roles Figure 8-14 Schedule Tab 3. Click the Edit icon for the Temporary Role. 4. The Session Timer form for the Temporary Role appears (Figure 8-15). Figure 8-15 Session Timer—Temporary Role 5. Click the Session Timeout checkbox. 6. Type the number of minutes for the user session to live (default is 4 minutes).
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Configure Policies for Agent Temporary and Quarantine Roles Figure 8-16 IP Traffic Policies—Temporary Role 11. To configure an IP policy, click the Add Policy link next to the Temporary role. For example, if you are providing required software installation files yourself (e.g.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Configure Policies for Agent Temporary and Quarantine Roles 2. Type a Role Name and Role Description of the role. For a quarantine role that will be associated with a particular login role, it may be helpful to reference the login role and the quarantine type in the new name. For example, a quarantine role associated with a login role named “R1” might be “R1-Quarantine.” 3. In the Role Type list, choose Quarantine Role. 4.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Configure Policies for Agent Temporary and Quarantine Roles Configure Traffic Control Policies for the Quarantine Role 1. From User Management > User Roles > List of Roles, click the Policies icon next to the role (or you can click the Traffic Control tab, choose the quarantine role from the dropdown menu and click Select). 2. Choose the Quarantine Role from the role dropdown, leave Untrusted->Trusted for the direction and click Select.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Example Traffic Policies Example Traffic Policies This section describes the following: • Allowing Authentication Server Traffic for Windows Domain Authentication, page 8-24 • Allowing Traffic for Enterprise AV Updates with Local Servers, page 8-24 • Allowing Gaming Ports, page 8-24 • Adding Traffic Policies for Default Roles, page 8-27 Allowing Authentication Server Traffic for Windows Domain Authentication If you want users on the
Microsoft Xbox The following are suggested policies to allow access for Microsoft Xbox ports: • Kerberos-Sec (UDP): port 88, UDP, send and receive • DNS Query (UDP): port 53 • 3074 over UDP/TCP • Game Server Port (TCP): 22042 • Voice Chat Port (TCP/UDP): 22043-22050 • Peer Ping Port (UDP): 13139 • Peer Query Port (UDP): 6500 Other Game Ports Table 8-1 shows suggested policies to allow access for other game
Table 8-1 Traffic Policies for Other Gaming Ports (port, protocol): 9999 TCP; 47624 TCP; 2300-2400 TCP; 2300-2400 UDP; 6073 UDP; 2302-2400 UDP; 47624 TCP; 2300-2400 TCP; 2300-2400 UDP; 5120-5300 UDP; 6500 UDP; 27900 UDP; 28900 UDP; 3782 TCP; 3782 UDP; 27910 TCP, UDP; 6073 UDP; 2302-2400 UDP; 47624 TCP; 2300-2400 TCP; 2300-2400 UDP; 4000 TCP; 7777 TCP, UDP; 4000 TCP; 27015-27020 TCP
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Example Traffic Policies Adding Traffic Policies for Default Roles Create Untrusted -> Trusted traffic policies for the default roles (Unauthenticated, Temporary, and Quarantine) to allow users access to any of the resources described below.
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule Example Traffic Policies Table 8-2 Typical Traffic Policies for Roles Resource Role Example Policies (Untrusted -> Trusted) IP-Based Traffic Policies Logo/right-frame content for Login page (logo.jpg, file.htm) Unauthenticated IP (Files on CAM or External Server): Allow TCP *.* / 255.255.255.255: https (443) User Agreement Page (UAP.htm) Redirect URL after blocked access (block.
Figure 8-19 Example Traffic Policies for File Distribution Requirement (File is on CAM) Troubleshooting Host-Based Policies For host-based policies, the CAS needs to see DNS responses in order to allow the traffic: it learns the addresses behind an allowed host name from the DNS answers it observes, so a client whose name lookup did not pass through the CAS has no address the policy can match. If you have trouble with host-based policies, check the following: • Make sure allowed hosts are enabled.
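As an added example (not from the guide) of why the CAS must see the DNS responses: the following Python learns the addresses behind an allowed host from A records in responses sent by a trusted DNS server, honours their TTL, and allows traffic only to addresses learned that way. The DNS message builder, host names, resolver and client addresses are constructed for the example; a real CAS would take the responses from the traffic it forwards.

```python
"""Host-based policies depend on DNS: the CAS learns the addresses behind an
allowed host name from DNS responses it observes from a Trusted DNS Server and
permits traffic to those addresses while the answer is valid.
Added example; the DNS message, host names and addresses are constructed."""
import struct


def _read_name(msg, offset):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            pointer = struct.unpack('!H', msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode('ascii'))
        offset += length
    return '.'.join(labels).lower(), (end if jumped else offset)


def parse_a_records(msg):
    """Return [(name, ipv4, ttl)] from the answer section of a DNS response."""
    flags, qdcount, ancount = struct.unpack('!HHH', msg[2:8])
    if not flags & 0x8000:                            # QR bit clear: a query, not a response
        return []
    offset = 12
    for _ in range(qdcount):                          # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack('!HHIH', msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            records.append((name, '.'.join(str(b) for b in rdata), ttl))
    return records


class AllowedHosts:
    def __init__(self, host_names, trusted_dns_servers):
        self.hosts = {h.lower() for h in host_names}
        self.trusted = set(trusted_dns_servers)
        self.learned = {}                             # ip -> expiry time

    def observe_dns(self, src_ip, msg, now):
        """Feed one DNS response seen by the CAS; returns how many addresses were learned."""
        if src_ip not in self.trusted:                # answers from other resolvers are ignored
            return 0
        learned = 0
        for name, ip, ttl in parse_a_records(msg):
            if name in self.hosts:
                self.learned[ip] = max(self.learned.get(ip, 0), now + ttl)
                learned += 1
        return learned

    def is_allowed(self, dst_ip, now):
        expiry = self.learned.get(dst_ip)
        return expiry is not None and now < expiry


def build_response(qname, answers):
    """Construct a minimal DNS response with A records (test input only)."""
    def encode(name):
        return b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'
    header = struct.pack('!HHHHHH', 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = encode(qname) + struct.pack('!HH', 1, 1)
    answer = b''.join(b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, ttl, 4) +
                      bytes(int(o) for o in ip.split('.')) for ip, ttl in answers)
    return header + question + answer


if __name__ == '__main__':
    allowed = AllowedHosts(['update.example.com'], ['10.0.0.53'])
    reply = build_response('update.example.com', [('203.0.113.10', 300)])
    print(allowed.is_allowed('203.0.113.10', 1000))          # False: no DNS answer seen yet
    allowed.observe_dns('10.0.0.53', reply, 1000)
    print(allowed.is_allowed('203.0.113.10', 1100))          # True until the TTL runs out
```

Traffic to 203.0.113.10 is permitted only after the CAS has seen the trusted resolver answer for update.example.com, and only until that answer's TTL expires; a response from an untrusted resolver, or for a name that is not an allowed host, adds nothing.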
CH A P T E R 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment This chapter describes how to configure Agent distribution and installation for client machines, as well as configure client posture assessment in the Cisco NAC Appliance system.
Overview
Note Most requirement remediation actions (like Windows Updates and AV/AS support updates) require the user to have administrator privileges on the client machine. Therefore, Cisco recommends that you ensure users of client machines undergoing posture assessment and remediation have administrator-level privileges.
Agent Configuration Steps
The basic steps needed to configure Agent distribution, installation, and posture assessment are:
Step 1 Add Default Login Page, page 9-3
Step 2 Configure Agent Roles and User Profiles, page 9-3
Step 3 Require Agent Login for Client Machines, page 9-3
Step 4 Retrieving Cisco NAC Appliance Updates, page 9-12
Step 5 Setting Up Agent Distribution/Installation, page
Require Agent Login for Client Machines
Figure 9-1 General Setup
Step 2 Select the User Role for which users will be required to use the Agent.
Step 3 Select an Operating System from the items available in the dropdown menu.
Note Make sure the Operating System is correctly configured for the role to ensure the Agent download page and/or Cisco NAC Web Agent launch page is properly pushed to users.
Note The Require use of Agent and Require use of Cisco NAC Web Agent options are not mutually exclusive.
Figure 9-3 Cisco NAC Web Agent Launch Page
Configure Out-of-Band Logoff
Caution To avoid disconnecting users currently logged into the Cisco NAC Appliance network, Cisco strongly recommends disabling the Out-of-Band Heartbeat Timer during a planned network outage, because changing this setting could remove all current users from the Out-of-Band Online Users list.
• In order for Agent Out-of-Band Logoff to function correctly in a deployment requiring VLAN change based on user role (in both Layer 3 Out-of-Band deployments and Layer 2 Out-of-Band environments where the client machine IP address is refreshed following login), you must enable the VLAN change detection option as per the guidelines in Configure Access to Authentication VLAN Cha
• In a Layer 3 network topology, when users move from one location to another using the same CAS name as the Discovery Host, it is recommended to use DNS to resolve the name to the IP address of the CAS that is closest to the user.
– Block discovery packets from all non-NAC networks to the CAS untrusted interface IP address (discovery packets that arrive on the trusted interface of the CAS are blocked by default)
Note These scenarios are not specific to the OOB logoff feature and represent general Cisco NAC Agent behavior for some Out-of-Band topologies.
• Check whether the client machine is able to reach the CAS using the name/IP address after successful login to the Access VLAN. This updates the client IP address in the Access VLAN in the CAM web console.
• If using the name to reach the CAS, perform a DNS lookup of the CAS using its Fully Qualified Domain Name (FQDN).
network using the role you assign for restricted network access, regardless of their assigned user role. For more information, see Windows Cisco NAC Agent User Dialogs, page 10-3 and Cisco NAC Web Agent User Dialogs, page 10-28. Note that:
• Restricted network access users appear on the In-Band Online Users list denoted by blue shading.
Retrieving Cisco NAC Appliance Updates
A variety of updates are available from the Clean Access Updates server, available under Device Management > Clean Access > Updates. You can perform updates manually as desired or schedule them to be performed automatically.
OS Detection Fingerprint: By default, the system uses the User-Agent string from the HTTP header to determine the client OS. In addition, platform information from JavaScript or the OS fingerprint from the TCP/IP handshake can also be compared against the OS signature information in the CAM database to determine the client OS.
Cisco NAC Web Agent Facilitator (ActiveX/Applet): Displays the current version of the Cisco NAC Web Agent ActiveX/Java Applet the CAM uses to install the temporal Agent on the client machine when users access Cisco NAC Appliance and choose to use the Cisco NAC Web Agent.
Figure 9-5 Device Management > Clean Access > Updates > Update
Step 3 To configure automatic updates on your CAM, click the checkbox for Automatically check for updates starting from [] every [] hours, type a start time in 24-hour format (such as 13:00:00), and type a “repeat” interval (1 hour is recommended).
Step 11 When you retrieve updates, the following status messages are displayed at the bottom of the page:
• Cisco auto-update schedule (if enabled)
• Latest version of Windows NAC Agent Installer (if available)
• Latest version of Macintosh Clean Access Agent Installer (if available)
• Latest version of the Compliance Module update for Windows
• Latest version of Cisco
Step 2 Click the HTTP Settings subtab.
Figure 9-6 Device Management > Clean Access > Updates > HTTP Settings
Step 3 Click the “Use an HTTP proxy server to connect to the update server” option if your CAM goes through a proxy server to get to the Internet.
Step 4 Specify the Proxy Hostname and Proxy Port the CAM uses to connect to the Internet.
Setting Up Agent Distribution/Installation
To enable users to download and install the Agent installation file or launch the Cisco NAC Web Agent, you must Require Agent Login for Client Machines, page 9-3. For new Agent users, the Agent download page appears after the user logs in for the first time via the web login.
Agent Stub file needed. For more information on the CCAAgentStub.exe file, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5(1) and Release Notes for Cisco NAC Appliance, Version 4.5(1).
• Mac Clean Access Agent Current Version—The version of the Macintosh Clean Access Agent installation file.
• Allow downgrade of Compliance Module—Checking this option enables you to provide an earlier version of the AV/AS support package for users logging in via the Cisco NAC Windows Agent.
Figure 9-7 Agent Installation Page
• Discovery Host—This field is used by the Agent to send a proprietary, encrypted, UDP-based discovery message to the Clean Access Manager in order to discover the Clean Access Server in a Layer 3 deployment. The field automatically populates with the CAM’s IP address (or DNS host name).
Step 3 The Installation Options are enabled by default for Windows.
Step 4 Use the Agent configuration XML file upload option if you want to customize login and session behavior on Windows client machines with the Cisco NAC Agent installed:
a. Create an Agent configuration XML file entitled NACAgentCFG.xml and ensure you have saved it on a local machine.
No—The Agent Login screen does not appear after the Agent is installed. The user must double-click the Agent shortcut on the desktop to start the Agent and display it on the taskbar. You can verify that the Agent is installed under Control Panel > Add/Remove Programs > Cisco NAC Agent.
• “overwrite”—the XML setting specified in the Agent configuration XML file automatically takes precedence over any existing value currently on the client machine.
30 120 0
Note If the configuration file contains any invalid parameter, that parameter is not updated on the client machines.
Table 9-1 Customize Cisco NAC Agent Login/Logout Dialog Behavior (continued)
Parameter: BypassSummaryScreen
Default Value: yes
Valid Range: yes or no
Description/Behavior: If you are employing auto-remediation for Cisco NAC Agent requirements, this setting enables you to make the Agent session dialog more “automated” by skipping the Agent posture assessment summary screen
1. Cisco NAC Agent log files are recorded and stored in the C:\Documents and Settings\All Users\Application Data\Cisco\Cisco NAC Agent\logs directory. After the first Agent login session, two files reside in this directory: one backup file from the previous login session, and one new file containing login and operation information from the current session.
Table 9-5 Specify Server Rule Names
Parameter: ServerNameRules
Default Value: —
Valid Range: FQDN
Description/Behavior: This parameter consists of comma-separated server names. The client machine uses the server names in this list to authorize the CAS. If this list is empty, authorization is not performed.
Table 9-7 Additional SWISS Discovery Customization
Parameter: SwissTimeout
Default Value: 1
Valid (Decimal) Range: >1
Parameter: DisableL3SwissDelay
Default Value: 0
Valid (Decimal) Range: 0 or 1
Description/Behavior: • If this setting is 1, the Agent performs SWISS discovery as designed and no additional response packet delay timeout value is introduced.
Table 9-8 HTTP Discovery Customization
Parameter: HttpDiscoveryTimeout
Default Value (Seconds): 30
Valid Range: 3 and above
Description/Behavior: The default timeout is 30 seconds. This is the time for which the HTTPS discovery from the Agent waits for a response from the Clean Access Server. If there is no response within the specified time, the discovery times out.
Table 9-9 Access to Authentication VLAN Change Detection on Clients with Multiple Active NICs (continued)
Parameter: PingMaxTimeout
Default Value: 1
Valid (Decimal) Range: 1-10
Description/Behavior: Poll using ICMP and, if there is no response within this many seconds, declare ICMP polling failure.
Parameter: VlanDetectInterval (1)
Default Value: 0 (2), 5 (3)
Valid (Decimal) Range: 0, 5-900 (4)
Parameter: EnableVlanDetectWithoutUI
Default Value: 0
Valid (Decimal) Range: 0,1
Table 9-10 Client-Side MAC Address Management
Parameter: ExceptionMACList
Default Value: —
Valid Range: Valid MAC addresses
Description/Behavior: If you specify one or more MAC addresses in this setting, the Agent does not advertise those MAC addresses to the CAS during login and authentication, to help prevent sending unnecessary MAC addresses over the network.
Table 9-13 Agent Configuration XML File “Locale” Parameter Settings
Language | ID | Abbreviated Name | Full Name
Catalan (Spain) | 1027 | ca | Catalan
Chinese_simplified | 2052 | zh-cn | ChineseSimplified
Chinese_traditional | 1028 | zh-tw | ChineseTraditional
Czech | 1029 | cs | Czech
Danish | 1030 | da | Danish
Dutch (Standard) | 1043 | nl | Dutch
English US | 1033 | en | English
Finnish
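The parameter tables above give each setting's valid range, and the earlier note says the Agent simply does not apply a parameter whose value is invalid. The following Python is an added example, not Cisco's code: it checks a NACAgentCFG.xml against those ranges before upload. It assumes a flat XML file with a <cfg> root and one element per parameter (the page does not show the schema), treats the printed SwissTimeout range ">1" as ">= 1" so that the default passes, and the constructed sample file contains a made-up parameter name (HeartbeatSeconds) to exercise the unknown-parameter path.

```python
"""Validate a Cisco NAC Agent configuration XML (NACAgentCFG.xml) against the
parameter ranges in Tables 9-1 through 9-13 of this chapter.

Added example, not Cisco's code. Assumed (the page shows no schema): a flat
XML file with a <cfg> root and one child element per parameter."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Simple FQDN and MAC address patterns (assumed; the page gives no syntax).
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")

# (kind, spec) per parameter; the ranges are the ones printed in the tables.
PARAM_RULES = {
    "DiscoveryHost": ("host", None),                 # Figure 9-7: CAM IP or DNS host name
    "BypassSummaryScreen": ("enum", {"yes", "no"}),  # Table 9-1
    "ServerNameRules": ("fqdn_list", None),          # Table 9-5; empty = no authorization
    # Table 9-7 prints default 1 and range ">1"; assumed to mean >= 1 here.
    "SwissTimeout": ("int_min", 1),
    "DisableL3SwissDelay": ("enum", {"0", "1"}),     # Table 9-7
    "HttpDiscoveryTimeout": ("int_min", 3),          # Table 9-8: 3 and above (seconds)
    "PingMaxTimeout": ("int_range", (1, 10)),        # Table 9-9
    "VlanDetectInterval": ("int_set_or_range", ({0}, (5, 900))),  # Table 9-9
    "EnableVlanDetectWithoutUI": ("enum", {"0", "1"}),            # Table 9-9
    "ExceptionMACList": ("mac_list", None),          # Table 9-10
    # Table 9-13 is cut off on this page; only the abbreviations it shows are listed.
    "Locale": ("enum", {"ca", "zh-cn", "zh-tw", "cs", "da", "nl", "en"}),
}


def _is_host(value):
    """Accept an IPv4/IPv6 literal or an FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(FQDN_RE.match(value))


def _bad_items(value, pattern):
    """Items of a comma-separated list that do not match; an empty list is valid."""
    items = [item.strip() for item in value.split(",") if item.strip()]
    return [item for item in items if not pattern.match(item)]


def check_value(name, value):
    """Return None if `value` is valid for parameter `name`, else a reason string."""
    if name not in PARAM_RULES:
        return "parameter not documented in Tables 9-1 to 9-13"
    kind, spec = PARAM_RULES[name]
    v = value.strip()
    if kind == "enum":
        return None if v in spec else f"must be one of {sorted(spec)}"
    if kind == "host":
        return None if _is_host(v) else "must be an IP address or FQDN"
    if kind == "fqdn_list":
        bad = _bad_items(v, FQDN_RE)
        return None if not bad else f"not FQDNs: {bad}"
    if kind == "mac_list":
        bad = _bad_items(v, MAC_RE)
        return None if not bad else f"not MAC addresses: {bad}"
    if not re.fullmatch(r"-?\d+", v):          # the tables give decimal ranges
        return "must be a decimal integer"
    n = int(v)
    if kind == "int_min":
        return None if n >= spec else f"must be >= {spec}"
    if kind == "int_range":
        lo, hi = spec
        return None if lo <= n <= hi else f"must be in {lo}-{hi}"
    allowed, (lo, hi) = spec                     # int_set_or_range
    if n in allowed or lo <= n <= hi:
        return None
    return f"must be one of {sorted(allowed)} or in {lo}-{hi}"


def validate_config(xml_text):
    """Split parameters into those the Agent would apply and those it would skip
    (the page notes that an invalid parameter is simply not updated on the client)."""
    accepted, rejected = {}, {}
    for elem in ET.fromstring(xml_text):
        reason = check_value(elem.tag, elem.text or "")
        if reason:
            rejected[elem.tag] = reason
        else:
            accepted[elem.tag] = (elem.text or "").strip()
    return accepted, rejected


# Constructed sample file: the last four parameters are deliberately invalid
# (out of range, not 0/1, a bad MAC, and a made-up name, HeartbeatSeconds).
SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<cfg>
  <DiscoveryHost>cam.example.com</DiscoveryHost>
  <HttpDiscoveryTimeout>30</HttpDiscoveryTimeout>
  <VlanDetectInterval>5</VlanDetectInterval>
  <BypassSummaryScreen>yes</BypassSummaryScreen>
  <ServerNameRules>cas1.example.com,cas2.example.com</ServerNameRules>
  <Locale>en</Locale>
  <PingMaxTimeout>12</PingMaxTimeout>
  <EnableVlanDetectWithoutUI>2</EnableVlanDetectWithoutUI>
  <ExceptionMACList>00:50:56:C0:00:08,not-a-mac</ExceptionMACList>
  <HeartbeatSeconds>30</HeartbeatSeconds>
</cfg>"""
```

Running `validate_config(SAMPLE_CFG)` returns six accepted parameters and four rejected ones with the reason for each, which is what you want to see before the file is pushed to every Windows client.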
The following parameters can be customized:
• Logo
• Agent Login Screen
• Predetermined Set of Agent Strings and Fields
Logo
The Cisco logo that appears in all the NAC Agent screens can be replaced with your brand logo. The image must be a .gif file not exceeding 67 x 40 pixels, and it must be named “nac_logo.gif”.
• In the “nacStrings_xx.xml” file, the “xx” indicates the locale. You can find a complete list of the files in the “C:\Program Files\Cisco\Cisco NAC Agent\UI\cues_utility” directory.
Note The files are available in the directories mentioned above when the Agent is installed at the default location.
Login as Different User
Remove Oldest Login Session
The above file has been modified to customize the login screen as shown in Figure 9-9.
Figure 9-9 Cisco NAC Agent Login—Customized Screen
Notice that the “Remember Me” checkbox has been removed.
There is at least one mandatory requirement failing. You are required to update your system before you can access the network.
Network Usage Terms and Conditions are rejected. You will not be allowed to access the network.
a directory on the client machine along with an Agent configuration XML file (NACAgentCFG.xml) containing the appropriate Discovery Host address telling the client machine where to look for the Cisco NAC Appliance network.
Step 1 Download the nacagentsetup-win.msi or nacagentsetup-win.zip installer file from the Cisco Software Download Site at http://www.cisco.
Configuring Agent-Based Posture Assessment
This section describes how to configure requirements on the CAM so that the Agent can perform posture assessment and remediation on client machines.
Rules
In all but one case—the Windows Server Update Service (WSUS) “Severity” option requirement type—you must map rules to requirements to ensure client machines meet security standards. A rule is the unit the Agent uses to validate client machines and assess whether or not a requirement has been met.
Agent Posture Assessment Process
Figure 9-10 details the Cisco NAC Appliance client posture assessment process (with or without network scanning) when a user authenticates via the Agent.
Note The Cisco NAC Web Agent only supports Go To Link manual remediation and File Distribution functionality. The Cisco NAC Web Agent does not support Update or Launch remediation actions, nor does it perform Auto Remediation.
AV Rules incorporate extensive logic for antivirus vendors and are associated with AV Definition Update requirements.
Figure 9-12 Required AV Definition Update (Mac OS X Agent)
AV Rules and AS Rules
Antivirus rules (AV Rule) and anti-spyware rules (AS Rule) are preconfigured rule types that are mapped to the matrix of vendors and products sourced in the Supported AV/AS Product List. There is no need to configure checks with this type of rule.
The steps to create AV Definition Update Requirements are as follows:
Step 1 Verify AV/AS Support Info, page 9-44
Step 2 Create an AV Rule, page 9-47
Step 3 Create an AV Definition Update Requirement, page 9-50
Step 4 Map Requirements to Rules, page 9-90
Step 5 Apply Requirements to User Roles, page 9-92
Step 6 Validate Requirements, page 9-93
The steps to create
baseline version of the Agent needed for product support. You can compare the client’s AV or AS information against the AV/AS Support Info page to verify whether a client’s definition file is the latest. If running multiple versions of the Agent on your network, this page can help troubleshoot which version must be run to support a particular product.
Figure 9-15 AV/AS Support Info — Windows AS Vendor Example
Figure 9-16 AV/AS Support Info — Mac OS X AS Vendor Example
Step 3 Choose a corresponding vendor (Antivirus Vendor or Anti-Spyware Vendor) from the dropdown menu.
Note Regular updates for Anti-Spyware definition date/version will be made available via Cisco Updates.
Your selection populates the following tables:
• Minimum Agent Version Required to Support AV/AS Products: shows the minimum Agent version required to support each AV/AS product. For example:
– A 4.1.3.0 or later Windows Agent can log into a role that requires Aluria Security Center AntiVirus 1.x, but for any earlier Agent version, this check will fail.
– A 4.6.0.
Figure 9-17 New AV Rule—Windows
Figure 9-18 New AV Rule—Mac OS X
Step 3 Type a Rule Name. You can use digits and underscores, but no spaces in the name.
Step 4 Choose a specific Antivirus Vendor, or choose ANY vendor, from the dropdown menu.
Note Cisco recommends specifying vendor names when appropriate because choosing the ANY option can affect the Agent’s performance (the process takes longer) on the client machine.
Step 5 From the Type dropdown menu, choose either Installation or Virus Definition. This enables the checkboxes for the corresponding Installation or Virus Definition column in the table below.
Figure 9-19 New AV Rules Appear at the Bottom of the Rule List—Mac OS X Example
Note When configuring AV Rules, the “ANY” Antivirus vendor option and the vendor-specific “ANY Product/ANY Version” option work differently:
• For ANY vendor, the Agent needs to query the server to verify whether the installed products are from a supported vendor.
Note Mac OS X users can only resolve ClamWin AV Definition Update requirements by navigating to the ClamXAV download site at http://www.clamav.net. Cisco recommends using the pre-defined host policy list for the Unauthenticated Role on the CAM (User Management > User Roles > Traffic Control > Host).
Use the following steps to create an AV Definition Update requirement.
Note The Mac OS X Agent does not support automatic remediation. Therefore, the Remediation functions that appear on the New Requirement configuration page (Remediation Type, Interval, and Retry Count) do not serve any purpose when creating requirement types for Macintosh client remediation.
Step 5 If you want to enable and configure Auto Remediation for the Agent:
a.
Figure 9-21 Mac OS X Agent Assessment Report AV Definition Update Requirement Display
Create an AS Rule
Note Your CAM/CAS must be running Cisco NAC Appliance release 4.5 or later and have the latest Cisco AV/AS support updates in order to perform client remediation using version 4.5.0.0+ of the Mac OS X Agent.
Use the following steps to configure an AS rule.
Figure 9-23 New AS Rule—Mac OS X
Step 3 Type a Rule Name. You can use digits and underscores, but no spaces in the name.
Step 4 Choose an Anti Spyware Vendor from the dropdown menu, or choose ANY to select any supported AS vendor or product.
• Spyware Definition checks whether the spyware definition files are up to date on the client for the specified product.
Note In a definition rule, the Agent first confirms whether or not the product is installed, then checks whether or not the definition file is up to date.
Step 9 Click Add Rule.
Figure 9-25 New AS Definition Update Requirement
Step 2 For Requirement Type, choose AS Definition Update.
Step 3 Choose an Enforce Type from the dropdown menu:
• Mandatory—Enforce the requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.
• Optional—Do not enforce the requirement.
b. If you configure the requirement to use automatic remediation, specify the Interval in seconds (the default interval is 0). Depending on the requirement type, this interval either sets the delay before the Agent re-attempts remediation or sets the total time allowed for a particular remediation process.
c. Enter the Retry Count [].
using Cisco Rules can provide for quicker client validation and user login. However, client machines are only checked against “Critical” hotfixes encompassed by the Cisco Rules. For details on pr_rules, see Configuring Custom Checks, Rules, and Requirements, page 9-70.
Step 2 Map Windows Server Update Service Requirement to Windows Rules, page 9-63
Step 3 Apply Requirements to User Roles, page 9-92
Step 4 Validate Requirements, page 9-93
Create Windows Server Update Service Requirement
Use the following steps to configure a Windows Server Update Service (WSUS) requirement.
Step 4 Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Agent dialogs in that order). Note that if this is a Mandatory requirement and it fails, the Agent does not continue past that point until that requirement succeeds.
features some of the updates, the WSUS installer still automatically installs all of the updates specified by the requirement type.) As a result, validating client matches based on severity can take a longer period of time to assess and remediate.
Note
Step 9
Step 10
Note Windows Service Pack updates traditionally take a long time to download and install. Before you require users to update their Windows operating system with a full service pack installation, be sure you extend the session timeout period for Temporary Role users to accommodate the long install and update process.
Step 13 Click one or more of the following checkboxes to set the Operating System(s) for the requirement:
• Windows XP (All) or one or more of the specific Windows XP operating systems
• Windows Vista (All) or one or more of the specific Windows Vista operating systems
• Windows 7 (All) or one or more of the specific Windows 7 operating systems
• Windows 8 (All) or one
Map Windows Server Update Service Requirement to Windows Rules
Perform the steps in this section if you configured a Windows Server Update Service requirement for Windows Updates Validation by Cisco Rules. (See Create Windows Server Update Service Requirement, page 9-59.
dropdown to be able to view and select the pr_hotfix rules for each of those OS flavors (e.g. pr_XP_Hotfixes, pr_XP_TabletPC_Hotfixes, and pr_XP_MCE_Hotfixes, respectively) in the “Rules for Selected Operating System” list.
b.
Windows operating systems can be customized in many ways to include hotfixes and service packs as part of the operating system installation. In some cases, the Agent may not be able to detect hotfix key values in the registry when the hotfix is part of the operating system.
Create a Windows Update Requirement
Use the following steps to configure a Windows Update requirement.
Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > New Requirement.
Figure 9-28 New Windows Update Requirement
Step 2 From the Requirement Type dropdown menu, choose Windows Update.
Step 4 Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Agent dialogs in that order). Note that if this is a Mandatory requirement and it fails, the Agent does not continue past that point until that requirement succeeds.
• Windows Vista (All) or one or more of the specific Windows Vista operating systems
• Windows 7 (All) or one or more of the specific Windows 7 operating systems
• Windows 8 (All) or one or more of the specific Windows 8 operating systems
• Windows 8.1 (All) or one or more of the specific Windows 8.
Map Windows Update Requirement to Windows Rules
Use the following steps to map a Windows Update requirement to one or more rules.
Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > Requirement-Rules.
– All selected rules succeed (default)—all the rules must be satisfied for the client to be considered in compliance with the requirement.
– Any selected rule succeeds—at least one selected rule must be satisfied for the client to be considered in compliance with the requirement.
shown in Figure 9-31, a rule can combine several checks with the Boolean operators “&” (and), “|” (or), and “!” (not). A requirement can rely on more than one rule, specifying that any selected rule, all rules, or no rule must be satisfied for the client to be considered in compliance with the requirement.
Custom Checks
A check is a condition statement that examines a feature of the client system, such as a file, registry key, service, or application. Table 9-14 lists the types of custom checks available and what they test.
Configuration Summary
The steps to create custom requirements are as follows:
Step 1 Create Custom Check, page 9-73
Step 2 Create a Custom Rule, page 9-77
Step 3 Validate Rules, page 9-79
Step 4 Create a Custom Requirement, page 9-80
Step 5 Map Requirements to Rules, page 9-90
Step 6 Apply Requirements to User Roles, page 9-92
Step 7 Validate Requirements, page 9
• Windows XP (All) or one or more of the specific Windows XP operating systems
• Windows Vista (All) or one or more of the specific Windows Vista operating systems
• Windows 7 (All) or one or more of the specific Windows 7 operating systems
• Windows 8 (All) or one or more of the specific Windows 8 operating systems
• Windows 8.
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment Configuring Agent-Based Posture Assessment c. d. For Registry Value searches, enter a Value Data Type: 1. For a “Number” Value Data Type (Note: REG_DWORD is equivalent to Number), choose one of the following Operators from the dropdown: equals, greater than, less than, does not equal, greater than or equal to, less than or equal to 2.
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment Configuring Agent-Based Posture Assessment a. For File Path, select: – SYSTEM_DRIVE – checks the C:\ drive – SYSTEM_ROOT – checks the root path for Windows systems – SYSTEM_32 – checks C:\WINDOWS\SYSTEM32 – SYSTEM_PROGRAMS – checks C:\Program Files b. For Operator, select: – exists or does not exist – File Existence check – earlier than, later than, same as – File Date or File Version check c.
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment Configuring Agent-Based Posture Assessment Application Check • Application Status – Whether an application is currently running on the system. Figure 9-35 Application Check Type a. Enter an Application Name. b. Select an Operator: running or not running. Create a Custom Rule A rule is an expression made up of checks and operators.
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment Configuring Agent-Based Posture Assessment The adawareLogRecent check and either the NorAVProcessIsActive check or the SymAVProcessIsActive check must be satisfied for the rule to be considered met.
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment Configuring Agent-Based Posture Assessment For a simple rule that tests a single check, simply type the name of the check: SymAVProcessIsActive Step 6 Click Add Rule. The console validates the rule and, if formed correctly, the rule appears in the Rule List. From there, you can delete the rule, modify it, or copy it (create a new rule by copying this one).
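The check, rule and requirement logic described above (checks combined with "&", "|" and "!", and the "Requirements met if" choice between all selected rules and any selected rule) modelled in Python as an added example. This is not Cisco's code; the client snapshot, process names, file name and registry key it evaluates are constructed sample data, and only the check names are taken from the guide's own rule example.

```python
"""Model of how a Cisco NAC custom requirement is evaluated on a client.

Added illustration, not code from Cisco NAC Appliance or its Agent: checks
(registry value, file existence, application status), rules combining check
names with '&', '|', '!' and parentheses, and a requirement met by "all
selected rules" or "any selected rule". The client snapshot, process names,
file and registry key are constructed; the check names are the guide's own.
"""
import operator
import re

# Operators the guide lists for a "Number" (REG_DWORD) registry value.
NUMBER_OPS = {"equals": operator.eq, "does not equal": operator.ne,
              "greater than": operator.gt, "less than": operator.lt,
              "greater than or equal to": operator.ge, "less than or equal to": operator.le}


def registry_value(key, name, op, expected):
    def check(client):
        actual = client["registry"].get((key, name))
        return actual is not None and NUMBER_OPS[op](actual, expected)  # missing -> fail
    return check


def file_exists(path, exists=True):       # "exists" / "does not exist"
    return lambda client: (path in client["files"]) == exists


def application(name, running=True):      # "running" / "not running"
    return lambda client: (name in client["processes"]) == running


TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([&|!()]))")


def tokenize(expr):
    """Split a rule into check names and operator symbols; reject anything else."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad character in rule at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


def evaluate_rule(expr, checks, client):
    """Evaluate one rule against the client; '|' binds loosest, then '&', then '!'."""
    results = {name: chk(client) for name, chk in checks.items()}
    toks, i = tokenize(expr), 0

    def peek():
        return toks[i] if i < len(toks) else None

    def take():
        nonlocal i
        tok = peek()
        i += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "|":
            take()
            value = parse_and() or value   # parse both sides, then combine
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&":
            take()
            value = parse_not() and value
        return value

    def parse_not():
        if peek() == "!":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok not in results:   # None, a stray operator, or a check the CAM does not know
            raise ValueError(f"expected a known check name, got {tok!r}")
        return results[tok]

    value = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return value


def requirement_met(rule_exprs, checks, client, mode="all"):
    """'all': every mapped rule must pass; 'any': at least one must pass."""
    outcomes = [evaluate_rule(e, checks, client) for e in rule_exprs]
    return all(outcomes) if mode == "all" else any(outcomes)


# Constructed sample data (hypothetical process names, file and registry key).
CHECKS = {
    "adawareLogRecent": file_exists(r"SYSTEM_ROOT\adaware.log"),
    "NorAVProcessIsActive": application("norton_av.exe"),
    "SymAVProcessIsActive": application("sym_av.exe"),
    "AVDefsCurrent": registry_value(r"HKLM\SOFTWARE\ExampleAV", "DefVersion",
                                    "greater than or equal to", 2015),
}
SAMPLE_CLIENT = {"files": {r"SYSTEM_ROOT\adaware.log"},
                 "processes": {"sym_av.exe", "explorer.exe"},
                 "registry": {(r"HKLM\SOFTWARE\ExampleAV", "DefVersion"): 2014}}
GUIDE_RULE = "adawareLogRecent & (NorAVProcessIsActive | SymAVProcessIsActive)"
```

Calling `evaluate_rule(GUIDE_RULE, CHECKS, SAMPLE_CLIENT)` returns True for the sample client (the log file exists and one of the two AV processes is running), while `requirement_met([GUIDE_RULE, "AVDefsCurrent"], CHECKS, SAMPLE_CLIENT, "all")` is False because the definition version 2014 fails the "greater than or equal to 2015" comparison. The model also rejects what the CAM rejects when you click Add Rule: unknown check names and malformed expressions raise ValueError.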
Step 6 Click Save Rule.
Step 7 Make sure any requirement based on this rule is also corrected as described in Validate Requirements, page 9-93.
Create a Custom Requirement
Custom requirements map a specified collection of rules for an operating system to the files, distribution links, or instructions that you want pushed to the user via Agent dialogs.
(The maximum file size you can make available to users via File Distribution is 50MB.) For the Agent to download this file, create a traffic policy for the Temporary role that allows HTTPS access only to the CAM. See Adding Traffic Policies for Default Roles, page 8-27.
Figure 9-41 Example Mac OS X Agent Assessment Report Local Check Requirement Display
Step 3 Choose an Enforce Type from the dropdown menu:
• Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.
• Optional—Do not enforce requirement.
Note: Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.
Figure 9-43 shows an example of how requirement configuration fields display in the Cisco NAC Agent.
Configuring a Launch Programs Requirement
Note: The Cisco NAC Agent is required to use this feature. This feature applies to Windows 8.1/8/7/Vista/XP machines only. The Mac OS X Agent and the Cisco NAC Web Agent do not support this requirement type.
The Launch Programs Requirement Type allows administrators to launch a qualified (signed) remediation program through the Agent.
How the Agent Verifies Digital Signature and Trust on an Executable Program
On client machines where users will launch executables, you must add a Trust key in the Windows registry for each executable you want to run. It is the administrator's responsibility to populate the required registry keys for the programs to be trusted by the Cisco NAC Agent service.
Table 9-16 Supported Launch Program Executable Keys for Trusted Digital Signature (continued)
Registry Key | Default Value | Valid (Decimal) Range | Supported Value Names
Certificate | — | — | 2.5.4.3 - COMMON_NAME or 2.5.4.3 - SUBJECT_NAME; 2.5.4.4 - SUR_NAME; 2.5.4.5 - DEVICE_SERIAL_NUMBER; 2.5.4.6 - COUNTRY_NAME; 2.5.4.
FileVersionInfo | — | — |
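An added example, not Cisco NAC Agent code, of the match that the Certificate key in Table 9-16 implies: each OID-named value the administrator configures for a program is compared with the corresponding attribute of the signing certificate's subject. The program name, the registry-style trust entries and the subject DN strings are constructed; validating the Authenticode signature itself is assumed to happen before this match and is not modelled.

```python
"""Model of the signer-identity match behind a Launch Programs requirement.

Added illustration, not the Cisco NAC Agent's code. The guide says the
administrator populates a per-program Certificate registry key whose value
names are subject-attribute OIDs (2.5.4.3 COMMON_NAME/SUBJECT_NAME, 2.5.4.4
SUR_NAME, 2.5.4.5 DEVICE_SERIAL_NUMBER, 2.5.4.6 COUNTRY_NAME). This model
assumes every OID configured for a program must equal that attribute of the
signing certificate's subject; checking the Authenticode signature itself is
assumed to happen first and is not modelled. Program names, trust entries
and subject DN strings below are constructed sample data.
"""

# Subject attribute OIDs the guide lists as supported value names, with the RDN type used in DN strings.
OID_TO_RDN = {
    "2.5.4.3": "CN",            # COMMON_NAME (the guide also calls it SUBJECT_NAME)
    "2.5.4.4": "SN",            # SUR_NAME
    "2.5.4.5": "SERIALNUMBER",  # DEVICE_SERIAL_NUMBER
    "2.5.4.6": "C",             # COUNTRY_NAME
}


def parse_dn(dn):
    """Parse an RFC 4514 distinguished name ('CN=Acme\\, Inc.,C=US') into a dict.
    Backslash escapes are honoured so an escaped comma stays inside the value;
    multi-valued RDNs joined with '+' are not supported and raise."""
    attrs, attr_type, buf, escaped = {}, None, [], False

    def store():
        if not attr_type:
            raise ValueError(f"malformed DN: {dn!r}")
        attrs[attr_type] = "".join(buf).strip()

    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr_type is None:
            attr_type = "".join(buf).strip().upper()
            buf = []
        elif ch == ",":
            store()
            attr_type, buf = None, []
        elif ch == "+":
            raise ValueError("multi-valued RDNs are not supported")
        else:
            buf.append(ch)
    if escaped:
        raise ValueError(f"malformed DN: {dn!r}")
    store()
    return attrs


def validate_trust_entries(entries):
    """Reject entries the Agent could not apply: unknown OIDs, and an entry with
    no value names at all, which would otherwise match every signed executable."""
    for program, oids in entries.items():
        if not oids:
            raise ValueError(f"{program}: Certificate key has no value names")
        for oid in oids:
            if oid not in OID_TO_RDN:
                raise ValueError(f"{program}: unsupported value name {oid}")


def launch_allowed(entries, program, signer_subject_dn):
    """Return (True, None) when the signer's subject matches every OID configured
    for `program`, otherwise (False, reason). Unsigned programs are never trusted."""
    validate_trust_entries(entries)
    if program not in entries:
        return False, f"{program}: no Trust entry configured"
    if signer_subject_dn is None:
        return False, f"{program}: executable is not signed"
    subject = parse_dn(signer_subject_dn)
    for oid, wanted in entries[program].items():
        actual = subject.get(OID_TO_RDN[oid])
        if actual != wanted:           # exact, case-sensitive comparison
            return False, f"{program}: {oid} is {actual!r}, expected {wanted!r}"
    return True, None


# Constructed sample data: one trusted remediation program and two candidate signers.
TRUST_ENTRIES = {"RemediationTool.exe": {"2.5.4.3": "Example Vendor Ltd", "2.5.4.6": "US"}}
SIGNED_BY_VENDOR = "CN=Example Vendor Ltd, O=Example Vendor Ltd, L=Austin, C=US"
SIGNED_BY_LOOKALIKE = "CN=Example Vendor Ltd, O=Lookalike GmbH, C=DE"
```

`launch_allowed(TRUST_ENTRIES, "RemediationTool.exe", SIGNED_BY_VENDOR)` returns (True, None); the look-alike signer with the same common name but C=DE is refused, as is an unsigned binary or a program with no Trust entry. One caveat the model makes visible: an entry that names only 2.5.4.3 trusts any signer that can obtain a certificate with that common name, so configure the country and, where the signing certificate carries one, the serial number as well, and never leave a program's Certificate key empty.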
Create a Launch Programs Requirement
Use the following steps to configure a Launch Programs requirement.
Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > New Requirement.
Figure 9-44 New Launch Program Requirement
Step 2 For Requirement Type choose Launch Programs.
b. If you configure the requirement to use automatic remediation, specify the Interval in seconds (the default interval is 0). Depending on the requirement type, this interval either sets the delay before the Agent re-attempts remediation or sets the total time allowed for a particular remediation process.
c. Enter the Retry Count [].
Map Requirements to Rules
Once the requirement is created and the remediation links and instructions are specified, map the requirement to a rule or set of rules.
Step 4 For the Requirements met if option, choose one of the following:
• All selected rules succeed—all the mapped rules must be satisfied for the client to be considered in compliance with the requirement.
• Any selected rule succeeds—at least one mapped rule must be satisfied for the client to be considered in compliance with the requirement.
Figure 9-46 Select Rules to Map to Requirement
Step 7 Click Update.
Apply Requirements to User Roles
Once requirements are created, configured with remediation steps, and associated with rules, they need to be mapped to user roles. This last step applies your requirements to the user groups in the system.
Step 4 Check the Login checkbox for each requirement you want to apply to users in the role during login.
Step 5 Check the Passive checkbox for each requirement you want to apply during Passive Re-assessment. See Role Properties, page 6-9 for more details on Passive Re-assessment.
Step 6 Click Update.
Figure 9-48 Requirement List
Configuring an Optional/Audit Requirement
You can make any requirement Mandatory, Optional, or Audit-only using the Enforce Type dropdown menu in the New Requirement or Edit Requirement form.
Figure 9-49 Optional/Audit Requirement
Step 2 Choose a Requirement Type from the dropdown.
Step 3 Choose Optional (do not enforce) or Audit (silent assessment) as the Enforce Type from the dropdown menu. For an Optional requirement, the user is informed of the requirement but can bypass it if desired (by clicking Next/Skip in the Agent dialog).
c. Enter the Retry Count []. Specifying a retry count sets a limit on the number of times the Agent automatically retries the requirement if it initially fails. (The default retry count setting is 0.) For details on configuring Auto Remediation, see Configuring Auto Remediation for Requirements, page 9-98.
Note: The Cisco NAC Web Agent does not support Auto Remediation.
Figure 9-50 Example Cisco NAC Agent Dialog for Optional Requirement
Figure 9-51 Example Mac OS X Agent Dialog for Optional Requirement
Cisco NAC Appliance - Clean Access Manager Configuration Guide 9-98 OL-28003-01
Configuring Auto Remediation for Requirements
You can configure Auto Remediation for all requirement types except File Distribution and Local Check.
Note: This configuration example is specific to the Cisco Clean Access Agent. The Mac OS X Agent and Cisco NAC Web Agent do not support Auto Remediation.
Step 4 Enter a value for the Interval [] Secs setting:
• Interval [] Secs—Default is 0. Depending on the requirement type, this interval either sets the delay before the Agent re-attempts remediation or sets the total time allowed for a particular remediation process.
Post-Configuration and Agent Maintenance on the CAM
Once you have configured Agent login and client posture assessment, and users are able to successfully access the Cisco NAC Appliance network, you can use the following topics to manage Agent versions on client machines in your network:
• Manually Uploading the Agent to the CAM, page 9-100
• Downgrading the
Note: The CAM does not accommodate Cisco NAC Agent installation files (nacagentsetup-win.tar.gz) and Windows Clean Access Agent Setup files (CCAAgentSetup-4.x.y.z.tar.gz) simultaneously. If you upload an older Windows Clean Access Agent Setup file, you wipe out the existing Cisco NAC Agent installation and XML Agent configuration files, and vice versa.
Step 6 Create a Local Check requirement that instructs the end user to uninstall the Agent (e.g. 4.1.x.y) and perform web login again to download the downgraded Agent (e.g. 4.1.2.1).
Note: The Mac OS X Agent does not support downgrade.
Step 3 Click Update.
Disable Mandatory Agent Auto-Upgrade on the CAM
New installs of the CAM/CAS enable mandatory auto-upgrade by default. For CAM/CAS upgrades, the current setting (enabled or disabled) is carried over to the upgraded system.
Uninstall Cisco NAC Agent
The Agent installs to C:\Program Files\Cisco\Cisco NAC Agent\ on the Windows client.
Step 3 Choose Show Package Contents and double-click NacUninstall.
Step 4 This uninstalls the Agent on Mac OS X.
In previous versions of the Mac OS X Agent, uninstalling the Agent takes two steps:
Step 1 Perform any one of the following:
• Open up a Terminal.
Agent Auto-Upgrade Compatibility
The newest version of the Agent installation files is automatically included with the CAM software for each Cisco NAC Appliance software release. Every version of the Agent is compatible with the same version of the server product. For example:
• 4.9.5.6 Cisco NAC Agent works with 4.9(5) CAS/CAM
By design, every new 4.9.5.
Chapter 10 Cisco NAC Appliance Agents
This chapter presents overviews, login flow, and session termination dialogs for the following Cisco NAC Appliance access portals:
• Cisco NAC Agent, page 10-1
• Cisco NAC Web Agent, page 10-25
• Mac OS X Cisco NAC Agent, page 10-44
Note: For details on the Windows versions of the Clean Access Agent that are still supported in release 4.9(5), refer to the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.
administrator privileges do not need this file.) After successful Cisco NAC Agent installation, the user is not required to have administrator privileges on the client machine, nor is the CCAAgentStub.exe Agent Stub file needed.
You can distribute Agent upgrades to clients by configuring auto-upgrade options in the web console. Agent upgrades are retrieved on the CAM as described in Retrieving Cisco NAC Appliance Updates, page 9-12.
Configuration Steps for the Windows Cisco NAC Agent
The basic steps needed to configure the Windows Cisco NAC Agent are as follows:
1.
Figure 10-2 Login Page
2. The user logs into the web login page and is redirected to the Agent Download page (Figure 10-3) for the one-time download of the Cisco NAC Agent installation file.
Figure 10-3 Cisco NAC Agent Download Page
3. The user clicks the Launch Cisco NAC Windows Agent Installer button (the button displays the version of the Agent being downloaded).
Note: If the existing CAS certificate is not trusted on the client, the user must accept the certificate in the Security Alert dialog that appears before the Agent can be downloaded.
Figure 10-4 ActiveX Installation Notice
4. If the user's web browser settings are configured to verify actions like installing an ActiveX control on the client machine, the user may need to verify the action.
Figure 10-5 Java Installation Notice
Note: If the version of the Agent being downloaded from the CAM is "unsigned" (for example, a patch version handed over directly by Cisco Support), the user may see an additional Java Security Notice like the one in Figure 10-6.
5. After the user allows the ActiveX control to install the Agent files, or acknowledges the Java certificate security warning and accepts the Java applet contents, the client machine downloads the Agent installer and all required ancillary files, saves them locally, and the browser window displays a "Cisco NAC Agent was successfully installed!" message (Figure 10-7).
Figure 10-8
8. Before the Agent installation process can continue, the user must first click the I accept the terms in the license agreement option in the "End User License Agreement" dialog and click Next (Figure 10-9).
Figure 10-9
9.
Figure 10-10 Cisco NAC Agent Installation—Setup Type
10. The Cisco NAC Agent Client - InstallShield Wizard dialog appears (Figure 10-11).
Figure 10-11 Cisco NAC Agent InstallShield Wizard—Ready to Install
11. The setup wizard prompts the user through the short installation steps to install the Cisco NAC Agent to C:\Program Files\Cisco\Cisco NAC Agent.
Figure 10-12 Cisco NAC Agent Installation In Progress
Figure 10-13 Cisco NAC Agent Installation Complete
12. When the InstallShield Wizard completes and the user clicks Finish, the Cisco NAC Agent login dialog pops up (Figure 10-14) and the Cisco NAC Agent taskbar icon appears in the system tray.
Figure 10-14 Cisco NAC Agent Login Dialog
13. The user enters credentials to log into the network. As on the web login page, the user can choose an authentication provider from the Server list (if multiple authentication providers are configured).
Note: If multiple authentication providers are available in the Server list, when a user logs in with invalid credentials, the Server automatically changes to the default authentication provider.
Figure 10-15 Cisco NAC Agent Taskbar Menu
Taskbar menu options are as follows:
Login/Logout—This toggle reflects the login status of the user. Login means the user is behind a Clean Access Server and is not logged in. Logout means the user is already logged into Cisco NAC Appliance. A disabled (grey) Login occurs when there is no SWISS response from the CAS to the Cisco NAC Agent.
Note: The Discovery Host field can be made editable by changing the DiscoveryHostEditable parameter in the Agent configuration XML file. See Cisco NAC Agent XML Configuration File Settings, page 9-23 for more details.
Figure 10-16 Properties
About—Displays the version of the Cisco NAC Agent.
Exit—Exits the application, removes the Cisco NAC Agent icon from the taskbar, and automatically logs off the user in both In-Band and Out-of-Band mode.
Auto-Upgrade for Already-Installed Agents: When the Cisco NAC Agent is already installed, users are prompted to auto-upgrade at each login unless you disable upgrade notification. You can optionally force logout at machine shutdown (by default, users remain logged in at machine shutdown). You can configure auto-upgrade to be mandatory or optional.
Figure 10-18 Temporary Access—Requirement Not Met
If the user clicks Show Details, the Cisco NAC Agent displays a list of the requirements the user must resolve before Cisco NAC Appliance grants the client machine network access based on the user's assigned role (Figure 10-19).
Figure 10-19 Temporary Network Access—Show Details
To close the Security Compliance Summary dialog, click Hide Details.
17.
Figure 10-20 AV Definition Update Requirement Example
For an AS Definition Update requirement (Figure 10-21), the user clicks the Update button to update the definition files for the Anti-Spyware software on the client system.
Figure 10-22 Windows Update Requirement Example
For a Windows Server Update Service requirement (Figure 10-23), the user clicks the Update button to set the Windows Server Update Service and force updates on the client system.
Figure 10-24 Launch Program Requirement Example
For a File Distribution requirement (Figure 10-25), the button displays Download instead of Go To Link. When the user clicks Download, the Save file to dialog appears. The user needs to save the installation file to a local folder and run the executable file from there. (The maximum file size you can make available to users via File Distribution is 500MB.
Figure 10-26 Link Distribution Requirement Example
18. Clicking Cancel at this stage stops the login process.
19. For each requirement, the user needs to click Skip to proceed after completing the required action (Update, Go To Link, Download). The Cisco NAC Agent again scans the system to verify that the requirement is met. If it is met, the Agent proceeds to the next requirement configured for the role.
Figure 10-27 Network Policy Dialog
See Configure Network Policy Page (Acceptable Use Policy) for Agent Users, page 9-11 for details on configuring this dialog.
21. When all requirements are met (and the Network Policy accepted, if configured), the user is transferred from the Temporary role to the normal login role and the login success dialog appears (Figure 10-28). The user is free to access the network as allowed for the normal login role.
22. If you have enabled the "Allow restricted network access in case user cannot use Cisco NAC Agent or Cisco NAC Web Agent" option under Device Management > Clean Access > General Setup > Agent Login, or the Agent is currently failing a mandatory requirement, the Get Restricted Network Access button appears in the Cisco NAC Agent authentication dialogs and the user can choose to accept restricted network access.
Figure 10-30 Successful Logout
24. Once a user has met requirements, the user passes these Cisco NAC Agent checks at the next login unless there are changes to the user's computer or to the Cisco NAC Agent requirements.
25. If a required software installation requires users to restart their computers, the user should log out of the network before restarting.
Figure 10-31 Windows Agent Login Dialog
2. If the associated RADIUS server has been configured to authenticate users with additional credentials, the user is presented with one or more additional challenge-response dialogs (like the password renewal scenario shown in Figure 10-32) in which they must provide additional credentials to authenticate and connect.
Figure 10-32 Additional Windows RADIUS Challenge-Response Session Dialog
3. Once the additional challenge-response(s) are validated, the RADIUS server notifies the Clean Access Manager that the user has successfully authenticated and should be granted remote access.
Figure 10-33 Windows RADIUS Challenge-Response Authentication Successful
Cisco NAC Web Agent
This section describes how to configure the Cisco NAC Web Agent to allow users to log in to the network without requiring a permanent, dedicated network access application on the client machine.
requirements for the user login role. You can set up a "restricted" user role that provides access to only limited applications/network resources in the same way you configure a standard user login role, according to the guidelines in Adding a New User Role, page 6-7.
You can find complete Operating System Compatibility and Browser Support information for all Cisco NAC Appliance Agents in the Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later. In Windows 8, the Web Agent does not support Metro Mode and Toast Notification.
ActiveX and Java Applet Requirements
• If you plan to use the Java applet version to install the Web Agent files, the client must already have Java version 1.
b. Configuring a Windows Server Update Services Requirement, page 9-57
c. Configuring a Windows Update Requirement, page 9-64
d. Configuring Custom Checks, Rules, and Requirements, page 9-70
e. Configuring a Launch Programs Requirement, page 9-85
f. Map Requirements to Rules, page 9-90
g. Apply Requirements to User Roles, page 9-92
h. Validate Requirements, page 9-93
i.
2. The user enters their credentials in the web login page and is redirected to the Cisco NAC Web Agent Launch page (Figure 10-36), where they can choose to launch the Cisco NAC Web Agent ActiveX or Java Applet installer.
Note: You determine the installer launch method using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration screen.
Figure 10-37 ActiveX Installation Notice
4. If the user's web browser settings are configured to verify actions like installing an ActiveX control on the client machine, the user may need to verify the action. For example, in the case of Microsoft IE, the user may need to click the status bar that appears in the browser window and choose the Install ActiveX Control option from the resulting pop-up to validate the ActiveX process.
Figure 10-38 ActiveX Installation Notice
Note: If the version of the Agent being downloaded from the CAM is "unsigned" (for example, a patch version handed over directly by Cisco Support), the user may see an additional Java Security Notice like the one in Figure 10-39.
If both the ActiveX and Java applet Web Agent download and install methods fail, the user sees a notification screen like the one in Figure 10-40 and is presented with a Windows dialog informing the user that Cisco NAC Web Agent login failed (Figure 10-41).
Figure 10-41
5.
Figure 10-43
6. When the ActiveX control or Java Applet session completes, the Cisco NAC Web Agent automatically checks whether the client system meets the requirements configured for the user role. (See Figure 10-44.)
Figure 10-44
7.
Note: For information on status codes the Cisco NAC Web Agent passes back to the Cisco NAC Appliance system, see Table 11-5 in Cisco NAC Web Agent Status Codes, page 11-40.
8.
Figure 10-45 Mandatory AV Definition Requirement Not Met
Figure 10-46 Mandatory AS Definition Update Requirement Not Met
Figure 10-47 Mandatory File Distribution Requirement Not Met
Figure 10-48 Mandatory Link Distribution Requirement Not Met
Figure 10-49 Mandatory Local Check Requirement Not Met
Figure 10-50 Mandatory Windows Upgrade Requirement Not Met
9. Note: If the Web Agent scan determines that an optional application, process, or update is missing, the user receives a "Host is compliant with network security policy" message (Figure 10-51) and is assigned to the Cisco NAC Web Agent Temporary role for the session timeout indicated in the dialog (typically 4 minutes by default).
10. The user can choose to do one of the following:
– Click Continue to complete Web Agent launch.
– Click Save Report to save a local copy of the Web Agent session report that the user can forward to the Cisco NAC Appliance administrator to help troubleshoot potential Web Agent login issues. The reports are available in the following formats: Web Archive, Single File (*.
11. If the Web Agent scan determines that the client machine is compliant with the Agent requirements you have configured for the user's role, the user receives a "Host is compliant with network security policy" message within a green banner (Figure 10-52).
Note: For information on status codes the Cisco NAC Web Agent passes back to the Cisco NAC Appliance system, see Table 11-5 in Cisco NAC Web Agent Status Codes, page 11-40.
12.
Note: The first time users launch the Cisco NAC Web Agent on a client machine, they will likely see a pop-up blocker message at the top of the browser window after clicking "Accept" to continue past the Network Usage Policy.
Figure 10-53 (Optional) Network Usage Policy Dialog
14.
Figure 10-54 Successful Cisco NAC Web Agent Login
It is possible that, even after the Cisco NAC Web Agent has launched, installed, and initiated a login session without any issues, or after manual remediation has brought the client machine into compliance and the user has successfully re-scanned the client, another issue keeps the Cisco NAC Web Agent from logging the user into the network, resulting in a "You will not be allowed to a
Figure 10-55 Cisco NAC Web Agent Login Failed
Figure 10-56 Cisco NAC Web Agent Connection Status Window (Including Logout Button)
15. To log out of the Cisco NAC Appliance user session and disengage the Cisco NAC Web Agent, the user clicks the Logout button. The web interface logs the user out of the network, removes the session from the client machine, and the user ID disappears from the Online Users list.
Chapter 10 Cisco NAC Appliance Agents Mac OS X Cisco NAC Agent Note To log off the network and disengage the Cisco NAC Web Agent, the user can also right-click a Agent icon in the system tray and select Logout.
Chapter 10 Cisco NAC Appliance Agents Mac OS X Cisco NAC Agent Configuration Steps for the Mac OS X Cisco NAC Agent The basic steps needed to configure the Mac OS X Cisco NAC Agent are as follows: 1. Make sure to follow the steps in Agent Configuration Steps, page 9-3 to enable distribution and download of the Mac OS X Cisco NAC Agent, including Require Agent Login for Client Machines, page 9-3 and Setting Up Agent Distribution/Installation, page 9-17. 2.
Chapter 10 Cisco NAC Appliance Agents Mac OS X Cisco NAC Agent • The Mac OS X Agent fully supports UTF-8. Therefore, if a requirement from the CAM is configured in any language other than English (like Traditional Chinese, for example), the Mac OS X Agent is still able to display Agent text correctly. The administrator just needs to create a different user interface file (.
Chapter 10 Cisco NAC Appliance Agents Mac OS X Cisco NAC Agent • Agent Setting configuration options are done in the /Applications/CCAAgent/Contents/Resources/setting.plist. The setting.plist is used to configure the parameters globally for all the users except the “RememberMe” and “AutoPopup” options. Example setting.plist File Template: PAGE 461Chapter 10 Cisco NAC Appliance Agents Mac OS X Cisco NAC Agent Table 10-1 Mac OS X Cisco NAC Agent Configuration Parameters (continued) Parameter Default Value Valid Range DiscoveryHost — This setting specifies the Discovery Host address the IP address Agent uses to connect to the Cisco NAC Appliance system in a Layer 3 deployment. or FQDN RetryDetection 3 0 and above If ICMP or ARP polling fails, this setting configures the Agent to retry times before refreshing the client IP address.
3. In Release 4.9 and later, VLAN Detect is automatically disabled when the client machine is on a VPN connection. The following VPN clients are supported:
- Cisco VPN Client
- AnyConnect
- Apple Native VPN Client to Cisco IPSEC
- Shimo (user interface for the Cisco IPSEC client)
4. During discovery, all VLAN Detect parameters are set to their default values and these values cannot be overridden.
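A wrong DiscoveryHost or an out-of-range RetryDetection in setting.plist is only discovered when Layer 3 clients fail to find the CAS. The following script is an added example, not Cisco code, that checks a setting.plist against the two parameters documented in Table 10-1 above before the file is pushed to clients. The plist value types (string for DiscoveryHost, integer for RetryDetection) and the sample file are assumptions.

```python
"""Sanity-check a Mac OS X Cisco NAC Agent setting.plist before deployment.

Added illustration, not Cisco code. The keys DiscoveryHost and RetryDetection
and their documented ranges come from Table 10-1; the plist value types
(string / integer) and the sample file below are assumptions.
"""
import ipaddress
import plistlib
import re

# Constructed sample file for the demo, not a file shipped by Cisco.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DiscoveryHost</key>
    <string>cas1.example.com</string>
    <key>RetryDetection</key>
    <integer>3</integer>
</dict>
</plist>
"""

# RFC 1123 style host label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_or_fqdn(value):
    """True if value is an IPv4/IPv6 literal or a syntactically valid FQDN."""
    if not isinstance(value, str) or not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # Require at least two labels so a bare word is not accepted as a discovery host.
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def validate_settings(plist_bytes):
    """Return a list of human-readable problems; an empty list means the file passes."""
    problems = []
    try:
        settings = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"cannot parse plist: {exc}"]
    if not isinstance(settings, dict):
        return ["top-level plist object is not a dict"]

    host = settings.get("DiscoveryHost")
    if host is None:
        problems.append("DiscoveryHost missing: L3 clients will not find the CAS")
    elif not is_ip_or_fqdn(host):
        problems.append(f"DiscoveryHost {host!r} is neither an IP address nor an FQDN")

    retries = settings.get("RetryDetection", 3)  # documented default is 3
    if isinstance(retries, bool) or not isinstance(retries, int) or retries < 0:
        problems.append(f"RetryDetection {retries!r} must be an integer of 0 or more")

    return problems


if __name__ == "__main__":
    for line in validate_settings(SAMPLE_PLIST) or ["setting.plist OK"]:
        print(line)
```

Run it against the real file by replacing SAMPLE_PLIST with the bytes read from the Agent bundle; a non-empty list means the file should not be distributed as-is.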
• AV Definition and AS Definition Updates—These requirement types are used to report on and update the definition files on a client for supported antivirus or antispyware products. Note For a list of supported AV/AS applications, see the “Clean Access Supported AV/AS Product List” section of the corresponding Release Notes for Cisco NAC Appliance.
Figure 10-58 Download Cisco NAC Agent Setup Executable to Desktop 3. The user double-clicks the CCAAgent.pkg file and the Mac OS installer for the Cisco NAC Agent starts up (Figure 10-59). Figure 10-59 Double-Click CCAAgent.pkg to Start Cisco NAC Agent Installer 4. The user clicks the Continue button to proceed to the Read Me screen of the installer. 5.
Figure 10-60 Mac OS X Agent Installation—Select a Destination Figure 10-61 Mac OS X Agent Installation—Install/Upgrade Button 6. The user clicks the Install/Upgrade button to perform the installation (Figure 10-61). When done, the user clicks Close.
Note If the Cisco NAC Agent has never been installed on the machine, the Installation screen displays an Install button. If the Agent was installed at one point, even if there is no Agent currently on the system when the installer is invoked, the Upgrade button is displayed.
7. After installation, the Cisco NAC Agent login dialog appears. The Agent icon is now available from the Tool Menu (Figure 10-64).
Figure 10-65 Mac OS X Agent—New Agent Version Available 9. Clicking OK in the above dialog brings up the setup wizard to upgrade the Mac OS X Agent to the newest version. After the Agent upgrade and user login, requirement checking proceeds. If the upgrade is optional and a newer version of the Agent is available from the CAM, users can choose to Cancel the upgrade and continue with the login process (Figure 10-66). 10.
b. Ready and waiting—The Agent is connected to the CAS and ready to log in. c. Lost focus—When the Agent window is not the top application on the desktop, the status icon shows “CLICK” and “FOCUS” repeatedly. Once the user clicks on the status icon, the Agent window becomes the active window on the desktop.
g. Error—When an error occurs (for example, if the client cannot validate the CAS certificate, sees an invalid CAS certificate, or domain name resolution fails) the status icon changes to the exclamation point (!) icon. 14.
Figure 10-67 Mac OS X Agent Assessment Report Dialog 15. The user clicks the Remediate button to begin updating the client machine to meet the requirement criteria.
Figure 10-68 Mac OS X Agent Requirement Resolution If the Name and/or Description for a given requirement are too long to display completely in the Assessment Report window, users can still view the complete text in a pop-up (or “drawer”) that appears in addition to the Assessment Report. 17. If an error occurs during remediation, the Assessment Window displays the error message text above the requirement list.
Figure 10-69 Mac OS X Agent Requirement Failed If one or more mandatory requirements still fail following the remediation process, the user can only choose Cancel in the Assessment Report window and cannot log into the Cisco NAC Appliance system. (See Figure 10-70.) Figure 10-70 Previous Mac OS X Agent Mandatory Requirement(s) Failed 18. Users can also choose to “Skip” optional requirements in the Assessment Report (see Figure 10-71).
Figure 10-71 Mac OS X Agent Optional Requirement Figure 10-72 Mac OS X Agent Optional Requirement Failed The Mac OS X Agent behaves similarly if the user chooses not to perform remediation for an optional requirement type by disabling the particular requirement entry before clicking the Remediate button (see Figure 10-73).
Figure 10-73 Mac OS X Agent Optional Requirement Skipped 19. When all requirements pass remediation, the user sees the Complete button at the bottom of the Assessment Report window and can log into the Cisco NAC Appliance system. (See Figure 10-74.) Figure 10-74 All Mac OS X Agent Requirements Passed 20. The user clicks the Complete button once all mandatory requirements are met and successfully logs into the network.
Figure 10-75 Mac OS X Agent Login Successful Mac OS X Cisco NAC Agent Application File Locations The Cisco NAC Agent application itself is installed under Macintosh HD > Applications > CCAAgent.app (Figure 10-76). Figure 10-76 Cisco NAC Agent—Application Installation Location The Cisco NAC Agent event.log debug file and preference.
Figure 10-77 Cisco NAC Agent—event.log and preference.plist File Locations The preference.plist file (Figure 10-78) includes:
• Whether AutoPopup Login Window is checked in the Menu (AutoPopup).
• Whether Remember Me is checked in the Login screen (RememberMe).
• How frequently the Agent performs Access-to-Authentication VLAN change detection (VlanDetectInterval).
Note The Mac Agent automatically creates a preference.
Figure 10-78 Cisco NAC Agent—preference.plist File Contents RADIUS Challenge-Response Mac OS X Cisco NAC Agent Dialogs If you configure the Clean Access Manager to use a RADIUS server to validate remote users, the end-user Cisco NAC Agent login session may feature extra authentication challenge-response dialogs not available in other dialog sessions—beyond the standard user ID and password.
Figure 10-79 Additional Mac OS X RADIUS Challenge-Response Dialogs 3. Once the additional challenge-response(s) are validated, the RADIUS server notifies the Clean Access Manager that the user has successfully authenticated and should be granted remote access.
CHAPTER 11 Monitoring and Troubleshooting Agent Sessions This chapter provides information on compiling and accessing various Cisco NAC Appliance Agent reports and log files and troubleshooting Agent connection and operation issues:
• Viewing Agent Reports, page 11-1
• Create Agent Log Files Using the Cisco Log Packager, page 11-6
• Manage Certified Devices, page 11-10
• Report Settings, page 11-18
• Online Users list, page 11-28
• Agent Troubleshooting, page 11-36
Viewing Agent Reports
Chapter 11 Monitoring and Troubleshooting Agent Sessions Viewing Agent Reports Figure 11-1 Agent Administrator Report The Reports page also enables you to filter the list of user session reports by activating and defining additional client report display criteria.
• System Domain—Displays only client reports for the system domain into which the client machine has logged in. • User Domain—Displays only client reports for the user domain with which the client's System User ID is associated. Click the Filter button after selecting and defining parameters for any of the search options to display a summary of all client report entries that match the criteria.
Figure 11-3 Example Agent Report Cisco NAC Appliance - Clean Access Manager Configuration Guide 11-4 OL-28003-01
In addition to user, operating system, Agent version, and domain information, the Agent report lists the requirements applicable for the user role (both mandatory and optional). Requirements that the user met are listed in green, and failed requirements are listed in red. The individual checks making up the requirement are listed by status of Passed, Failed, or Not executed.
• Click Save, navigate to a directory on your local machine where you want to save the Agent report file, enter a name for the file, and click Save in the navigation dialog so you can view the report at a later date. Limiting the Number of Reports You can limit the number of reports in the log under Device Management > Clean Access > Clean Access Agent > Reports > Report Setting.
Step 2 Click Collect Data and wait for the Cisco Log Packager to finish compiling the Agent log information. This step takes anywhere from several seconds to a couple of minutes. The process is complete when you see a “Log file has been archived” message in the Cisco Log Packager display window and the Copy to Clipboard and Locate Log File buttons become active (Figure 11-6).
Use the CiscoSupprtReport.zip log file to help diagnose and troubleshoot Agent login/operation issues. Users can send the .zip file to their respective Cisco NAC Appliance system administrator or, if performing local troubleshooting, extract and view the contents of the various Cisco Log Packager files on the client machine. For details on the files included in the CiscoSupprtReport.
Table 11-1 Cisco Log Packager Files
Agent Log File Name | Contents/Description
NACAgentLogOld.log | An encrypted log file that contains output from the previous active Cisco NAC Agent session; also used to help debug Cisco NAC Agent issues.
Manage Certified Devices This section describes the following:
• Add Exempt Device, page 11-12
• Clear Certified or Exempt Devices Manually, page 11-13
• View Reports for Certified Devices, page 11-13
• View Switch/WLC Information for Out-of-Band Certified Devices, page 11-13
• Configure Certified Device Timer, page 11-14
• Add Floating Devices, page 11-16
The Clean Access Manager web console provides two import
Agreement Page (for web login users) or the Network Policy Page (for Agent users) if either page was configured for the role. See Table 1-2 “Web Login—General Setup Configuration Options” and Table 1-3 “Web Login User Page Summary” for details on these pages. A certified device remains on the Certified Devices List until: • The list is automatically cleared using a Certified Devices Timer.
Though devices can only be certified and added to the list per Clean Access Server, you can remove certified devices globally from all Clean Access Servers or locally from a particular CAS only (see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x) for additional details.) For additional information, see also Out-of-Band Users, page 3-68.
Figure 11-10 Clean Access Certified Devices List Clear Certified or Exempt Devices Manually To clear device MAC addresses, go to Device Management > Clean Access > Certified Devices > Certified Devices List and click: • Clear Exempt to remove only the MAC addresses that were added manually with the Add Exempt button.
Configure Certified Device Timer You can configure Certified Device Timers to automatically clear the Certified Device list at specified intervals. The Certified Devices List no longer needs to be cleared in its entirety each time the timer is applied. Administrators can now:
• Clear the Certified Devices List per Clean Access Server, User Role, or Authentication Provider, or a combination of all three.
Step 1
Figure 11-12 New Certified Devices Timer Step 3 Type a Timer Name for the timer. Step 4 Type an optional Description of the timer. Step 5 Click the checkbox for Enable this timer to apply the timer right away after configuration. Step 6 Click the checkbox for Keep Online Users if you only want to remove client devices from the Certified Devices List without removing the users from the network.
Step 11 Type a Minimum Age in days to clear only devices that have been on the Certified Devices List for at least the number of days specified. Typing 0 clears all devices regardless of how long they have been on the Certified Devices List. Step 12 Choose a clearing Method for how much of the Certified Devices List (sorted by Criteria) this timer should clear at one time. Options are: Step 13 Note a.
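The interaction between the timer criteria (CAS, role, provider), Minimum Age and Keep Online Users is easy to get wrong when planning a timer, for example clearing a whole employee role and unexpectedly logging everyone out. The following model is an added example of the documented behaviour, not CAM code: it applies a timer's selection rules to a list of certified devices and reports which devices leave the list and which users would be logged out. The record layout, field names and sample devices are constructed for the illustration.

```python
"""Model of the Certified Device Timer clearing rules described in Steps 1-12.

Added illustration of the documented behaviour, not CAM code. The record
layout, the field names and the sample devices below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CertifiedDevice:
    mac: str
    cas: str            # Clean Access Server that certified the device
    role: str           # user role at certification
    provider: str       # authentication provider
    certified_at: datetime
    online: bool        # user currently on the Online Users list


def matches_criteria(device, cas=None, role=None, provider=None):
    """A timer may restrict clearing to a CAS, a role, a provider, or any combination."""
    return ((cas is None or device.cas == cas)
            and (role is None or device.role == role)
            and (provider is None or device.provider == provider))


def is_old_enough(device, now, minimum_age_days):
    """Minimum Age 0 clears regardless of how long the device has been listed."""
    if minimum_age_days <= 0:
        return True
    return now - device.certified_at >= timedelta(days=minimum_age_days)


def apply_timer(devices, now, keep_online_users, minimum_age_days=0, **criteria):
    """Return (remaining_list, macs_logged_out).

    Devices matching the criteria and old enough are dropped from the list.
    With Keep Online Users set, their sessions stay up; otherwise online users
    on cleared devices are also logged out.
    """
    cleared = [d for d in devices
               if matches_criteria(d, **criteria) and is_old_enough(d, now, minimum_age_days)]
    cleared_macs = {d.mac for d in cleared}
    remaining = [d for d in devices if d.mac not in cleared_macs]
    logged_out = [] if keep_online_users else [d.mac for d in cleared if d.online]
    return remaining, logged_out


# Constructed sample list (not real data).
NOW = datetime(2015, 3, 1, 12, 0, 0)
SAMPLE_DEVICES = [
    CertifiedDevice("00:16:21:11:4d:01", "cas-a", "employee", "LDAP", NOW - timedelta(days=10), True),
    CertifiedDevice("00:16:21:11:4d:02", "cas-a", "guest", "Local DB", NOW - timedelta(days=1), True),
    CertifiedDevice("00:16:21:11:4d:03", "cas-b", "employee", "LDAP", NOW - timedelta(days=30), False),
    CertifiedDevice("00:16:21:11:4d:04", "cas-b", "employee", "Kerberos", NOW - timedelta(hours=2), True),
]

if __name__ == "__main__":
    # Timer: employee role, Minimum Age 7 days, Keep Online Users unchecked.
    remaining, logged_out = apply_timer(SAMPLE_DEVICES, NOW, keep_online_users=False,
                                        minimum_age_days=7, role="employee")
    print([d.mac for d in remaining], logged_out)
```

Running the sample clears the two employee devices older than seven days and logs out only the one that is still online; the two-hour-old employee device survives because of the Minimum Age check.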
Figure 11-13 Floating Devices Note For VPN concentrator/multihop L3 deployment, administrators must add the MAC address of the router/VPN concentrator to the Floating Device list (example entry: 00:16:21:11:4D:67 1 vpn_concentrator). See “Integrating with Cisco VPN Concentrators” in the Cisco NAC Appliance Clean Access Server Configuration Guide, Release 4.9(x). To configure a floating device: 1.
Report Settings The Monitoring > Reporting tab can be used to enable or disable the reporting and user activity logging, to view the current system information, to customize the reports, and to view the preset reports.
Note The Current Status tab displays the “last refreshed” date and time at the top-right corner of the page. The current system information is automatically refreshed every 10 minutes. You can also refresh the page manually by clicking the Current Status tab.
CCA Servers The CCA Servers view displays the details of the CASs added to the CAM. It displays the online status (green if online), location, current memory usage, number of users currently connected to the CAS, and last access time. Last access time is always the last successful access of the CAS by the CAM. If the CAS status is down (shown in red), the last access time is the time the CAS was last reachable.
Note The Managed ports column for wireless LAN controllers is empty because managed ports apply to switches only, not to WLAN controllers. Figure 11-17 Dashboard > Managed Switches Authentication Servers The status and other details of the authentication servers used by NAC are under the Auth Servers view. NAC does not actively check the authentication servers for reachability to display the status here.
User Statistics This tab displays a summary of current user statistics. Total number of users in the system is the total count of users currently in all roles in the system. It also includes users in temporary roles (users undergoing posture assessment). Number of users that failed login in the last 24 hrs is the count of users who failed login due to posture requirements only.
Figure 11-20 Generate Reports
Generating a Report Under the New Report panel, you can select the Report Type and the required Report Format from the dropdown. Report Type—Select the type of report from the drop-down list. For each type of report, a set of fields is included in the report by default. You can include other information in the report by checking the fields available under Optional Fields.
Table 11-2 Report Types and the Fields Included (continued) Report Type Mandatory Fields1 Optional Fields Role Specific Reports (Select the Role from the dropdown that appears when you select this option) Login status, User, Client IP, Requirement Sys Name, Login Time, All the default and optional fields MAC Address, Requirement Status, Report time For each record, a link is available to view the failed and passed requirement
Note Login Time, Report Time, Start Date, and End Date under report Filters are not considered for Scheduled Report and Saved Template. View Saved Templates You can view the saved templates by navigating to Monitoring > Reporting > Custom Reports > Saved Templates. Figure 11-21 Saved Templates Clicking the Template Name navigates to the New Report tab and the saved report settings are displayed.
Configuration Use the Monitoring > Reporting > Configuration tab to enable Dashboard and Custom Reports. Figure 11-23 Configuration • Check the Enable Dashboard and related tasks checkbox to enable the Dashboard page. • Check the Enable User Activity Logging checkbox to save the user information in the User Activity Log (UAL) files. – Enabling Include Posture Report in UAL logging seriously impacts system performance.
The following details are stored in the UAL files:
• Username
• Activity Time—login time, logout time, or role change time
• Activity Reason—reason for logout. The reasons may be “Logout”, “Timeout”, or “Admin Action”
• User Location—VPN, switch, port, VLAN, etc. (whatever is applicable)
• User Reports—applicable for login and role change, not for logout
• Activity Result—the result is reported as success or failure.
– Removing a user from the Out-of-Band Online Users list causes the VLAN of the port to be changed from the Access VLAN to the Authentication VLAN. You can additionally configure the Port profile to bounce the port (for a Real-IP gateway). See Out-of-Band Users, page 11-31 and Out-of-Band Users, page 3-68 for details. Both Online Users lists are based on the IP address of users.
The Heartbeat Timer applies to L2 IB deployments only and is set for all users regardless of role. It can be set globally for all Clean Access Servers using the form User Management > User Roles > Schedule > Heartbeat Timer, or for a specific Clean Access Server using the local form Device Management > CCA Servers > Manage [CAS_IP] > Misc > Heartbeat Timer.
A device listed on the View Online Users page but not in the Clean Access Certified Devices List generally indicates the device is in the process of certification. In-Band Users Clicking the In-Band link brings up the View Online Users page for In-Band users (Figure 11-24). The In-Band Online Users list tracks the In-Band users logged into the Clean Access network.
Note Removing an OOB user from the Certified Devices List also removes the user from the Out-of-Band Online Users list and changes the port from the Access VLAN to the Auth VLAN.
Table 11-3 View Online Users Page Controls
Search Criteria | Select Field Controls
CCA Server | Any Clean Access Server, or a specific Clean Access Server
Provider | Any Provider, or a specific authentication provider
Role | Any Role, Unauthenticated Role, Temporary Role, Quarantine Role, or a specific user role
Location | Any Switch or Wireless LAN Controller
View Users by Clean Access Server, Authentication Provider, or Role 1. From the View Online Users page, select a specific Clean Access Server, or leave the first field as Any CCA Server. 2. Select a specific authentication provider, or leave as Any Provider. 3. Select a specific user role, or leave as Any Role. 4. Click View to display users by Clean Access Server, provider, role or any combination of the three.
Display Settings Figure 11-26 shows the Display Settings page for In-Band users. Figure 11-26 Display Settings—In-Band Note Role—the role assigned to the user upon login. Figure 11-27 shows the Display Settings page for Out-of-Band users.
Figure 11-27 Display Settings—Out-of-Band To choose what information is displayed on the View Online Users page: Step 1 Click the Display Settings tab. Step 2 Select the check box next to an item to display it in the list. Step 3 Click Update. Step 4 Click the View Online Users tab to see the desired settings displayed.
Debug Logging for Cisco NAC Appliance Agents This section describes how to view and/or enable debug logging for Cisco NAC Appliance Agents. Refer to the following sections for steps for each Agent type: • Generate Cisco NAC Agent Debug Logs • Cisco NAC Web Agent Logs • Generate Mac OS X Agent Debug Log Copy these event logs to include them in a customer support case.
Step 2 Highlight and right-click the CCAAgent.app icon to bring up the selection menu. Step 3 Choose Show Package Contents > Resources. Step 4 Choose setting.plist. Step 5 If you want to change the current LogLevel setting using Mac Property Editor (for Mac OS 10.
To Troubleshoot L2 Deployments: 1. Make sure the client machine can get a correct IP address. Open a command tool (Start > Run > cmd) and type ipconfig or ipconfig /all to check the client IP address information. 2. If necessary, type ipconfig /release, then ipconfig /renew to reset the DHCP lease for the client. To Troubleshoot L3 Deployments: Note 1.
AV/AS Rule Troubleshooting To view administrator reports for the Agent, go to Device Management > Clean Access > Clean Access Agent > Reports. To view information from the client, right-click the Agent taskbar icon and select Properties. When troubleshooting AV/AS Rules, please provide the following information: 1. Version of CAS, CAM, and Agent. 2. Client OS version (e.g. Windows XP SP2) 3.
Known Issue for Windows Script 5.6 Windows Script 5.6 is required for proper functioning of the Agent. Most older operating systems come with Windows Script 5.1 components. Microsoft installs the newer 5.6 component automatically when Windows updates are performed. Windows Installer components 2.0 and 3.0 also require Windows Script 5.6.
Option 1 (Cisco Recommended Option) Create a new Link requirement in the CAM web console to check for KB873333, using the following steps: Note 1. Create a rule to check for the presence of KB873333. To create this rule, go to the Rules section of the web console and click New Rule. Give the rule a name (e.g.
CH A P T E R 12 Configuring Network Scanning Note Nessus-based network scanning capabilities only apply to users accessing the Cisco NAC Appliance network via UNIX operating system-based client machines. The Cisco NAC Agent does not support Nessus-based network scanning. This chapter describes how to set up network scanning for Cisco NAC Appliance.
Chapter 12 Configuring Network Scanning Overview language but usually are written in the Nessus Attack Scripting Language (NASL). NASL is Nessus' own language, specifically designed for vulnerability test writing. Each plugin is written to test for a specific known vulnerability and/or industry best practices. NASL plugins typically test by sending very specific code to the target and comparing the results against stored vulnerable values. — Anderson, Harry.
Network Scanning Implementation Steps The following sections describe the steps required to set up network scanning:
Step 1 Configure the Quarantine Role, page 12-6
Step 2 Load Nessus Plugins into the Clean Access Manager Repository, page 12-6
Step 3 Configure General Setup, page 12-9
Step 4 Apply Plugins, page 12-10
Step 5 Configure Plugin Options, page 12-12
Step 6 Configure Vulnerability Handling, page 12-13
Step 7 Test Scanning, page 12-16
User Page Summary Table 12-1 summarizes the web pages that appear to users during login and Nessus scanning, and lists where they are configured in the web admin console.
Table 12-1 User Page Summary (continued) Page | Configured in | Purpose Block Access Page | Device Management > Clean Access > General Setup > Web Login | If enabled, a web login user sees this page when blocked from the network because vulnerabilities were found on the client system after network scanning. See Customize the User Agreement Page, page 12-19.
For additional details on configuring Agent Requirements, see Configuring Agent-Based Posture Assessment, page 9-39. Configure the Quarantine Role See Configure Network Scanning Quarantine Role, page 8-21 for details. Load Nessus Plugins into the Clean Access Manager Repository When the Clean Access Manager is first installed, its Nessus scan plugin repository is empty (Figure 12-2).
If a plugin you want to add has dependent plugins, you must load those dependencies or the plugin is not applied. When customizing a plugin, Cisco recommends giving the plugin a unique name, so that it is not overwritten later by a plugin in a Nessus update set. The plugin’s description appears in the Plugins form of the Scan Setup submenu (Figure 12-4 on page 12-8).
Figure 12-4 Plugins Page After Upload The default view on the Plugins page is “Selected.” If Nessus plugins have not yet been checked and updated for the user role, the default view (i.e. Selected Plugins) shows no plugins. To view the plugins you have uploaded, choose one of the other views (for example, “All,” “Backdoors,” etc.) from the “Show...Plugins” dropdown. Note 5.
Configure General Setup After loading the scan plugins, you can configure scanning by user role and operating system. Before starting, make sure user roles appropriate for your environment are created.
– Exempt certified devices from web login requirement by adding to MAC filters—(Optional) this allows users that have met network scanning requirements to bypass web login altogether by adding the MAC address of their machines to the device filters list.
Note The default view on the Nessus plugin page (Device Management > Clean Access > Network Scanner > Scan Setup > Plugins) is “Selected.” Note that if Nessus plugins have not yet been checked and updated for the user role, the default view (i.e. Selected Plugins) shows no plugins. To select plugins, the administrator must choose one of the other views (for example, “All,” “Backdoors,” etc.) from the “Show...Plugins” dropdown. 4.
Note If the plugin is dependent on other plugins in the repository, those plugins are enabled automatically. 6. When finished, click Update. This transfers the selected plugins to the Vulnerabilities page so that you can configure how these vulnerabilities are handled if discovered on a client system. If the plugin has configurable parameters, you can now use the Options form to configure them, as described in the following procedures.
Note Cisco recommends using the Agent for host registry checks. In order to use Nessus Windows registry checks, you will need to have a common account (with access to the registry) on all the machines you want to check. This can be configured under Device Management > Clean Access > Network Scanner > Scan Setup > Options | Category: Login configurations | Preference Name: [SMB account/domain/password]. For details on Nessus 2.
Figure 12-9 Vulnerabilities 3. For Enabled Plugins (plugins that have been enabled through the Plugins menu) select the following: ID: The number of the plugin that will be listed on the scan report. Name: Name of the plugin. Vulnerable if: These dropdown controls configure how the Clean Access Manager interprets the scan result for the plugin.
An INFO result on the report is considered a vulnerability and the client is put in the quarantine role. An INFO result indicates status information such as which services (e.g. Windows) may be running on a port, or NetBIOS information for the machine. Choosing this level of vulnerability quarantines any client that returns status information.
Test Scanning The Test form lets you try out your scanning configuration. You can target any machine for the scan, and specify the user role to be assumed by the target client for the purpose of the test. For this type of testing, the test is actually performed against copies of the scan plugins that are kept in the Clean Access Manager.
Show Log Clicking the Show Scan Log button on the Device Management > Network Scanner > Scan Setup > Test page brings up a debug log (Figure 12-12) for the target computer tested (sourced from /var/nessus/logs/nessusd.messages). The log shows which plugins were executed, the results of the execution, which plugins were skipped and the reason (dependency, timeout, etc). Administrators can check this log to debug why a scan result is not as expected.
Figure 12-13

• Choose Anytime from the Time dropdown menu to view all reports.
• To view only selected reports, choose a different Time, or enter search Text or Plugin ID, and click View. If choosing a “User Defined” Time interval, type the “begin” year-month-day and time in the first text box (e.g. 2006-03-22 13:10:00) and the “end” year-month-day and time in the second text box (e.g. 2006-03-23 11:25:00), then click View.
Figure 12-15 CleanAccess Network Scanning Event Log

Customize the User Agreement Page

You can enable a User Agreement Page (“Virus Protection Page”) for web login users to provide network usage policy information, virus warnings and/or links to software patches or updates after login and successful network scanning. Only uncertified users will see the User Agreement Page.
Figure 12-16 General Setup Tab

The page contents for a user role are configured under Device Management > Clean Access > Network Scanner > Scan Setup > User Agreement Page (Figure 12-17).
Figure 12-17 User Agreement Page Content Configuration Form

Figure 12-18 illustrates what the default generated page looks like to an end user. The User Agreement Page is not a popup but an HTML frame-based page made up of several components:
• The Information Page Message (or URL) component, which contains the contents you specify.
• The Acknowledgement Instructions frame component.
Figure 12-18 User Agreement Page (Quarantine Role Example)

Note: The page content (“Virus Protection Information”) shown in Figure 12-18 is the default content shown to the end user if no other information message or URL is specified for the User Agreement Page. Note that this default content is not displayed in the Information Page Message (or URL) text area of the configuration form.
2. Choose the User Role and Operating System for which the page applies. The Clean Access Manager determines the operating system of the user’s system at login time and serves the page you have specified for that operating system. If selecting a quarantine role, the Acknowledgement Instructions and button fields will be disabled.
3.
Chapter 13 Monitoring Event Logs

This chapter describes the Monitoring module of Cisco NAC Appliance. Topics include:
• Overview, page 13-1
• Interpreting Event Logs, page 13-4
• Configuring Syslog Logging, page 13-9
• Cisco NAC Appliance Log Files, page 13-11
• SNMP, page 13-12

Overview

Figure 13-1 Monitoring Module

The Monitoring pages provide operational information for your deployment, including information on user activity, syslog events, and network configuration changes.
Figure 13-2 Monitoring > Summary Page

The page includes the information shown in Table 13-1.

Table 13-1 Monitoring > Summary Page
Item: Current Windows NAC Agent Version
Description: The current Windows version of the Agent installed with the CAM software or manually uploaded (reflects the contents of the Version field).
Table 13-1 Monitoring > Summary Page (continued)
Item: Online users (In-Band / Out-of-Band)
Description: These entries list:
• Total number of IB and/or OOB online user names
• Total number of IB and/or OOB online MAC addresses
• Number of IB and OOB online users per user role
Note: Per-role user tallies are links to the Monitoring > Online Users > View Online Users page. Clicking a link displays the IB or OOB online user list for the particular role.
Interpreting Event Logs

Click the Event Logs link in the Monitoring module to view syslog-based event logs in the admin console. There are three Event Logs tabs: Log Viewer, Logs Settings, and Syslog Settings.

View Logs

Figure 13-3 shows the Log Viewer pane.
Table 13-2 describes the navigation, searching capabilities, and actual syslog displayed on the Log Viewer page.

Table 13-2 Log Viewer Page
Column: Navigation (First Page/Previous)
Description: These navigation links page through the event log. The most recent events appear first in the Events column. The Last link shows you the oldest events in the log.
Table 13-2 Log Viewer Page (continued)
Column: Search criteria (Type, Category, Time)
Description:
Type: Search by Type column criteria (then click Filter):
• Any Type
• Failure
• Information
• Success
Category: Search by Category column criteria (then click Filter):
• Authentication 1
• Administration
• Client
• Clean Access Server
• Clean Access
• SW_Management (if OOB is enabled)
• DHCP
• Guest Registration
• SSL Communication
• Mi
Table 13-2 Log Viewer Page (continued)
Column: Status Display
Description: Type
• Red flag = Failure; indicates an error or otherwise unexpected event.
• Green flag = Success; indicates a successful or normal usage event, such as a successful login and configuration activity.
• Yellow flag = Information; indicates system performance information, such as load information and memory usage.
Table 13-3 Event Column Fields (continued)
Value: Mem Total: 528162816 bytes
Description: These are the memory usage statistics. There are 6 numbers shown here: total memory, used memory, free memory, shared memory, buffer memory, and cached memory.
Limiting the Number of Logged Events

The event log threshold is the number of events to be stored in the Clean Access Manager database. The maximum number of log events kept on the CAM, by default, is 100,000. You can specify an event log threshold of up to 200,000 entries to be stored in the CAM database at a time. The event log is a circular log: the oldest entries will be overwritten when the log passes the event log threshold.
Step 1 Go to Monitoring > Event Logs > Syslog Settings.
Step 2 In the Syslog Server Address field, type the IP address of the Syslog server (default is 127.0.0.1).
Note: Multiple IP addresses are not accepted.
Step 3 In the Syslog Server Port field, type the port for the Syslog server (default is 514).
Step 4 Specify a Syslog Facility from the dropdown list.
Cisco NAC Appliance Log Files

Table 13-5 lists common Clean Access Manager and Clean Access Server logs in Cisco NAC Appliance.

Table 13-5 Cisco NAC Appliance Log Files
File: /var/log/messages
Description: Startup
File: /perfigo/control/tomcat/logs/nac_manager.log
Description: Perfigo service logs for release 4.5 and later 1,2
File: /perfigo/control/data/details.html, /perfigo/control/data/upgrade.html
Description: CAM upgrade logs
File: /var/nessus/logs/nessusd.
Note: Cisco recommends increasing the count and limit moderately.
Note: Use service perfigo restart to pick up the new logging configuration.

For additional details see also:
• Support Logs, page 14-42
• Certificate-Related Files, page 14-24
• Backing Up the CAM Database, page 14-58

SNMP

You can configure the Clean Access Manager to be managed/monitored by an SNMP management tool (such as HP OpenView).
• SNMP Traps—The Clean Access Servers can be configured to send traps by adding trap sinks. A trap sink is any computer configured to receive traps, typically a management box. All traps sent are version 1 (v1) traps. A copy of each trap will be sent to each trapsink.
Figure 13-4 Monitoring > SNMP Page

Step 2 Click the Enable button preceding SNMP on NAC Manager to activate SNMP polling and SNMP traps in the Clean Access Manager.
Step 3 Click the Enable button preceding SNMP on NAC Servers to activate SNMP polling and SNMP traps in all the Clean Access Servers connected to the Clean Access Manager.
Add New Trapsink

The Clean Access Manager can be configured to send traps by adding trap sinks. All traps sent are version 1 (v1) traps. A copy of each trap will be sent to each trapsink.

Step 1 Click the Add New Trapsink link in the upper-right-hand corner of the pane to bring up the Add New Trapsink form as shown in Figure 13-5.

Figure 13-5 Add New Trapsink

Step 2 Enter a Trapsink IP.
Step 3 Enter a Trapsink Community string.
Note: The trapsinks configured are used by all the Clean Access Servers connected to the Clean Access Manager.

A trap will contain the following contents:

Trap Contents / Description
Type: Enterprise-Specific(1)
SNMP Trap OID (1.3.6.1.6.3.1.1.4.1.0): Set to DISMAN-EVENT-MIB 2.0.1 (1.3.6.1.2.1.88.2.0.1)
The contents of a DISMAN mteObjectsEntry: mteHotTrigger (OID 1.3.6.1.2.1.88.2.1.
SNMP on Individual CAS

The configuration settings in Enable SNMP Polling/Alerts, page 13-13 are applied to all the Clean Access Servers connected to the Clean Access Manager. If you want to change the configuration settings for one of the Clean Access Servers, you can specify the settings in the corresponding CAS, using any one of the following:
• In the CAS web console, navigate to Administration > SNMP and modify the configuration.
Step 4
Step 5 Specify values for the following fields:
• Read-Only Community String: Specify a string to enable the Clean Access Server to respond to snmpget and snmpwalk requests with the correct community string. Leave this field blank to disable all Clean Access Server responses to SNMP polling of the Clean Access Server.
Chapter 14 Administering the CAM

This chapter discusses the Administration pages for the Clean Access Manager.
Figure 14-1 Administration Module

The CCA Manager pages of the Administration module allow you to perform the following administration tasks:
• Change network settings for the Clean Access Manager. See Network, page 14-2.
• Set up Clean Access Manager High-Availability mode. See the Cisco NAC Appliance Hardware Installation Guide, Release 4.9(x).
• Manage Clean Access Manager system time. See Set System Time, page 14-5.
Note: The service perfigo config configuration utility script also lets you modify CAM network settings. Because the configuration utility is used from the command line, it is particularly useful if the admin console web server is not responsive due to incorrect network or VLAN settings. For further details, see the Cisco NAC Appliance Hardware Installation Guide, Release 4.9(x).

To modify CAM network settings:
Step 1 Go to Administration > CCA Manager > Network.
Step 3 Click Reboot to restart the Clean Access Manager with the new settings.

Failover

You can view or change the Clean Access Manager’s failover settings from the Administration > CCA Manager > Failover page. Changes to the network settings generally require a reboot of the Clean Access Manager machine to take effect.
Set System Time

For logging purposes and other time-sensitive tasks (such as SSL certificate generation), the time on the Clean Access Manager and Clean Access Servers needs to be correctly synchronized. The System Time tab lets you set the time on the Clean Access Manager and modify the time zone setting for the Clean Access Manager operating system.
To manually modify the system time:
1. In the System Time form, either:
   • Type the time in the Date & Time field and click Update Current Time. The time should be in the form: mm/dd/yy hh:ss PM/AM
   • Or, click the Sync Current Time button to have the time updated by the time servers listed in the Time Servers field.
Manage CAM SSL Certificates

This section describes the following:
• SSL Certificate Overview, page 14-7
• Web Console Pages for SSL Certificate Management, page 14-8
• Typical SSL Certificate Setup on the CAM, page 14-9
• Generate Temporary Certificate, page 14-11
• Generate and Export a Certification Request (Non-FIPS CAM Only), page 14-12
• Manage Signed Certificate/Private Key, page 14-14
• Manage Trusted Certificate Authorities,
In Cisco NAC Appliance Release 4.8 and later, you can no longer export private keys and you cannot generate CSRs using a FIPS 140-2 compliant CAM/CAS. To adhere to FIPS compliance guidelines, you can only import certificates from trusted third-party resources. For details on managing SSL certificates for the CAS, see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x).
• Import (FIPS and non-FIPS) and export (non-FIPS only) Private Keys. For non-FIPS appliances, you can use this feature to save a backup copy of the Private Key on which the CSR is based. When a CA-signed certificate is returned from the Certificate Authority and imported into the CAM (FIPS and non-FIPS), this Private Key must be used with it or the CAM cannot communicate with any associated machines via SSL.
Step 6 (Non-FIPS appliances only) Export the Private Key to a local machine for safekeeping. If you are altering your Cisco NAC Appliance SSL configuration, it is always a good idea to back up the Private Key corresponding to the current certificate to a local hard drive for safekeeping. See Generate and Export a Certification Request (Non-FIPS CAM Only), page 14-12.
Step 5 Add the appliance to your existing production environment.

Generate Temporary Certificate

The following procedure describes how to generate a new temporary certificate for the CAM. Any time you change basic configuration settings on the CAM (date, time, associated DNS server, etc.) you should generate a new temporary certificate.
Step 3 Type appropriate values for the following fields:
• Full Domain Name or IP—The fully qualified domain name or IP address of the Clean Access Manager for which the certificate is to apply. For example: camanager.
• Organization Unit Name—The name of the unit within the organization, if applicable.
• Organization Name—The legal name of the organization.
Figure 14-6 Export CSR/Private Key

Step 2 Click Generate Certification Request to expose the fields required to construct a certificate request.
Step 3 Type appropriate values for the following fields:
• Full Domain Name or IP—The fully qualified domain name or IP address of the Clean Access Manager for which the certificate is to apply. For example: camanager.
When you receive the CA-signed certificate back from the certification authority, you can import it into the Clean Access Manager as described in Manage Signed Certificate/Private Key, page 14-14. After the CA-signed certificate is imported, the “currently installed certificate” is the CA-signed certificate. You can always optionally Export the currently installed certificate if you need to access a backup of this certificate later.
Note: Any certificate that is not provided by a public CA or that is not the self-signed certificate is considered a non-standard certificate by the CAM/CAS. When importing certificates to the CAM, make sure to obtain CA-signed certificates for authentication servers.

To import a certificate and/or Private Key for the CAM:
Step 1 Go to Administration > CCA Manager > SSL > X509 Certificate (Figure 14-7).
If you try to upload a root/intermediate CA certificate for the CAM that is already in the list, you may see an error message reading “This intermediate CA is not necessary.” In this case, you must delete the uploaded Root/Intermediate CA in order to remove any duplicate files.

Export Certificate and/or Private Key

Note: You cannot export the Private Key for a FIPS 140-2 compliant CAM. You can only export certificates.
To view and/or remove Trusted CAs from the CAM:
Step 1 Go to Administration > CCA Manager > SSL > Trusted Certificate Authorities (Figure 14-8).

Figure 14-8 CAM Trusted Certificate Authorities

Viewing Trusted CAs
Step 2 If you want to refine the list of Trusted CAs displayed in the CAM web console:
a.
Figure 14-9 Certificate Authority Information

Removing Trusted CAs
Step 3 Select one or more Trusted CAs to remove by clicking on the checkbox for the respective Trusted CA in the list. (Clicking on the empty checkbox at the top of the Trusted CAs display automatically selects or unselects all 10, 25, or 100 Trusted CAs in the viewable list.)
Step 4 Click Delete Selected. All viewable selected items will be deleted.
b. Click Export and specify a location on your local machine where you want to save the resulting “caCerts” file.
View Current Certificate or Certificate Chain

You can view CAM Private Key and End Entity, Root CA, and Intermediate CA certificates by exporting and opening the saved file in Wordpad or a similar text editor tool to bring up a dialog like the one in Figure 14-11 (BEGIN CERTIFICATE/END CERTIFICATE).
Troubleshooting Certificate Issues

Issues can arise during Cisco NAC Appliance certificate management, particularly if there are mismatched SSL certificates somewhere along the certificate chain.
Note: Starting with Cisco NAC Appliance Release 4.8, the CAM or CAS generates event log messages to indicate the certificate expiry in addition to the message displayed in the CAM/CAS web console.
• Agent Troubleshooting, page 11-36

Private Key in Clean Access Server Does Not Match the CA-Signed Certificate

This issue can arise if a new temporary certificate is generated but a CA-signed certificate is returned for the Certificate Signing Request (CSR) generated from a previous temporary certificate and Private Key pair.
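The mismatch described above can be caught on an administrator workstation before the CA-signed certificate is imported, by checking that the certificate's embedded public key is the one derived from the private key you still hold. The following POSIX shell check is an added example, not part of the Cisco guide; it assumes only the openssl command-line tool and constructs its own throwaway key pair, self-signed certificate (CN camanager, the example name used above) and a second "regenerated" key to reproduce the mismatch.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): detect a private key that does not
# correspond to a certificate, the condition behind the "Private Key ... Does
# Not Match the CA-Signed Certificate" issue. Requires the openssl CLI.

# Return 0 if the private key in $1 belongs to the certificate in $2, else 1.
# Both sides are reduced to their PEM SubjectPublicKeyInfo and hashed, which
# works for RSA and EC keys alike (the RSA-only "-modulus" trick is avoided).
key_matches_cert() {
    key_file=$1
    cert_file=$2
    # Refuse to compare unreadable inputs: two empty outputs would otherwise
    # hash to the same digest and produce a false "match".
    openssl pkey -in "$key_file" -noout 2>/dev/null || return 1
    openssl x509 -in "$cert_file" -noout 2>/dev/null || return 1
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$cert_file" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ "$key_pub" = "$cert_pub" ]
}

# Constructed scenario: a self-signed certificate for "camanager" with its own
# key (standing in for the CA-signed certificate and the key of the CSR it was
# issued for), plus a freshly generated key standing in for the key of a
# temporary certificate regenerated after the CSR was sent.
demo_mismatch_check() {
    work=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=camanager" \
        -keyout "$work/camanager.key" -out "$work/camanager.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -out "$work/regenerated.key" >/dev/null 2>&1 || return 1

    if key_matches_cert "$work/camanager.key" "$work/camanager.crt"; then
        echo "camanager.key: matches camanager.crt (safe to import together)"
    else
        echo "camanager.key: MISMATCH"
    fi
    if key_matches_cert "$work/regenerated.key" "$work/camanager.crt"; then
        echo "regenerated.key: matches camanager.crt"
    else
        echo "regenerated.key: MISMATCH (certificate was issued for a different key)"
    fi
    rm -rf "$work"
    return 0
}

demo_mismatch_check
```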
Certificate-Related Files

For troubleshooting purposes, Table 14-1 lists certificate-related files on the Clean Access Manager. For example, if the admin console becomes unreachable due to a mismatch of the CA-certificate/Private Key combination, these files may need to be modified directly in the file system of the Clean Access Manager.

Table 14-1 Clean Access Manager Certificate-Related Files
File: /root/.tomcat.key
Description: Private key
File: /root/.
• State after upgrade

It is normal for the “state before upgrade” to contain several warning/error messages (e.g. “INCORRECT”). The “state after upgrade” should be free of any warning or error messages.

Licensing

The Clean Access Manager and Clean Access Servers require a valid product license to function. The licensing model for Clean Access incorporates the FlexLM licensing standard.
3. Repeat this step for each Clean Access Server license file you need to install (you should have received one license file per PAK submitted during customer registration). The status information at the bottom of the page will display the total number of Clean Access Servers enabled per successful license file installation.
Note: The Standby CAM does not read the License file till it becomes Active.
Remove Product Licenses
1. Go to Administration > CCA Manager > Licensing.
2. Click the Remove All Licenses button to remove all FlexLM license files in the system.
3. The Clean Access Manager License Form will reappear in the browser, to prompt you to install a license file for the Clean Access Manager.
Policy Import/Export

The Policy Import/Export feature allows administrators to propagate device filters, traffic and remediation policies, and OOB port profiles from one CAM to several CAMs. You can define policies on a single CAM and configure it to be the Policy Sync Master. You can then configure up to a maximum of 10 CAMs or 10 CAM HA-pairs to be Policy Sync Receivers.
– VLAN Profiles

Note: Cisco recommends that you configure auto update settings on the Master CAM (under Device Management > Clean Access > Updates > Update) to ensure the Master CAM has the latest Cisco Updates before you perform a Policy Sync.
Note: Policy Sync exports all global device filters created on the Master CAM to the Receiver CAMs.
• After a Policy Sync:
  – For the Receiver CAM: Role A is created and configured with traffic and posture assessment policies from the Master CAM. The administrator still needs to map the Agent Login settings to require use of the Agent for Role A.

Master is configured, Receiver is configured:
• For the Master CAM:
  – Role A is configured with traffic and posture assessment policies
  – Role A requires use of the Agent for Windows ALL.
Step 2 Identify the CAM you want to designate as the Policy Sync Master.
Configure the Master
Step 1 From the Policy Sync tab, click the Configure Master link (Figure 14-15).
Step 3 Click the Update button. You must click Update each time you change the set of policies to include for Policy Sync.
Step 4 Add each Receiver to the Master as follows:
a. In the Receiver Host Name/IP text box, type the domain name or IP address of the receiver CAM. For HA-CAMs, type the Service IP of the CAM HA pair.
b. Type an optional Receiver Description.
c. Click the Add button.
Figure 14-17 Authorizing the Receiver on the Master CAM

d. Click the Add button. (To delete a Receiver, you can click the “X” icon in the Action column.)
Note: Policy Sync supports a maximum of 10 CAMs or 10 HA-CAM pairs.
Note: Authorization must be configured on both the Master and Receiver CAMs for the Master to successfully push policies and for the Receiver to accept them.
Figure 14-19 Policy Sync Receiver (Displays Red Product Banner)

Configure the Receiver

This step consists of authorizing the Master CAM on the Receiver CAM.
Step 1 From the web console of the Receiver CAM, go to Administration > CCA Manager > Policy Sync > Configure Receiver (Figure 14-20).

Figure 14-20 Configure Receiver

Step 2 Authorize the Master CAM with the following steps:
a.
– Click the View icon to bring up the Certificate Authority Information dialog
– Copy the DN entry (Figure 14-21).

Figure 14-21 Copying the DN Information from the Master CAM

Step 3
b. On the Receiver CAM, navigate to Administration > CCA Manager > Policy Sync > Configure Receiver.
c. Paste the DN from the SSL certificate of the Master CAM in the Authorized Master text box (Figure 14-20). Click Update.
Perform Manual Sync
Step 1 On the Master CAM, make sure only the policies you want to manually sync are enabled on the Configure Master (Figure 14-15) page. Make sure to click the Update button if changing the settings.
Step 2 On the Master CAM go to Administration > CCA Manager > Policy Sync > Manual Sync (Figure 14-22).

Figure 14-22 Manual Sync

Step 3 All configured Policy Receivers appear under the Receiver Host Name/IP column on the page.
Figure 14-24 Successful Manual Sync

Step 8 Click OK to return to the main screen.

Perform Auto Sync

Note: Cisco strongly recommends performing a Manual Sync and verifying that it is working successfully before enabling Auto Sync between your Clean Access Managers.
Step 1 On the Master CAM, make sure only the policies you want to enable for auto sync are selected on the Configure Master page (Figure 14-15).
Step 7 Click the Update button to set the schedule. The Master CAM will perform Auto Policy Sync at the interval you specified and will display log results on the History page as “Auto sync” and in the Master CAM’s Event Logs.

Verify Policy Sync
Step 1 Go to the Receiver CAM and confirm the Master policies are pushed via Policy Sync.
Figure 14-26 History Logs for Master CAM
Figure 14-27 History Logs for Policy Sync Receiver
Figure 14-28 Log File for Master
Figure 14-29 Log File for Receiver

Troubleshooting Manual Sync Errors

Failed sanity check with [x.x.x.x]. Receiver denied access. This CAM is not authorized as Policy Sync Master.
This message displays on the Master CAM if the Receiver does not have the Master’s DN configured or if the Master’s DN is misconfigured on the Configure Receiver page.
Failed sanity check with [x.x.x.x]. The certificate's subject DN of this receiver is not authorized.
This message displays on the Master CAM if the Master does not have the Receiver DN configured or if the Receiver’s DN is misconfigured on the Configure Master page.
To Download CAM Support Logs:
Step 1 Go to Administration > CCA Manager > Support Logs.

Figure 14-30 Support Logs

Step 2 Specify the number of days of debug messages to include in the file you will download for your Cisco customer support request.
Step 3 Click the Download button to download the cam_logs..tar.gz file to your local computer.
Step 4 Send this .tar.gz file with your customer support request.
To Change the Loglevel for CAM Logs:
Step 1 Go to Administration > CCA Manager > Support Logs.
Step 2 Choose the CAM log category to change:
• CCA Manager General Logging: This category contains the majority of logging events for the system. Any log event not contained in the other four categories listed below will be found under CCA Manager General Logging (e.g. authentication failures).
For details on the Event Log, see Chapter 13, “Monitoring Event Logs.”

Filtering Logs by CAS and/or Agent IP

Starting from Cisco NAC Appliance Release 4.9, you can filter the CAM Logs by CAS and/or Agent machine by specifying the IP addresses. If the CAS is in an HA setup, then the service IP and eth0 addresses of both the Active and Standby CAS should be entered for the filtering to work properly.
The CAM log statements are stamped by Agent and CAS IP address. The CAS log statements are stamped by Agent IP address.

Agent Logs

The Agent Logs page is available starting from Cisco NAC Appliance 4.9 and can be used to decrypt and upload the Agent Logs to the CAM. These Agent Logs are bundled with the CAM Support Logs into one tar file that can be sent to TAC to be included in the support case.
• Click the Delete icon next to the file name to remove the log file.
Note: You can upload a maximum of five Agent Logs files to the CAM. When you upload the sixth file, the first file is automatically removed.

Admin Users

This section describes how to add multiple administrator users in the Administration > Admin Users module of the CAM web admin console.
Figure 14-33 Admin Groups

Step 2 Click the New link to bring up the new Admin Group configuration form.
Figure 14-34 New Admin Group

Step 3 Click the Disable this group checkbox if you want to initially create but not yet activate this new administrator group, or if you want to disable an existing administrator group.
Step 4 Enter a Group Name for the custom admin group.
Step 5 Enter an optional Description for the group.
Step 6 Set the access options next to each individual Clean Access Server as no access, view only, add-edit, or local admin.
• Full-Control users can add, edit, and delete all applicable aspects of the web admin console.
• Only Full-Control admin users can add, edit, or remove other admin users or groups.
• Custom group users (part of the “Help-Desk” admin group type, for example) can be configured to have a combination of access privileges, as described in Add/Edit a Custom Admin Group, page 14-47.
Figure 14-36 New Admin User

Step 2 Click the Disable this account checkbox if you want to initially create but not yet activate this new administrator user profile, or if you want to disable an existing administrator user.
Step 3 Enter an Admin User Name.
Figure 14-37 Admin Users List

Step 2 Click the Edit icon next to the admin user.

Figure 14-38 Edit Admin User

Step 3 Change the Password and Confirm Password fields, or other desired fields.
Step 4 Click Save Admin.
Note: You can edit all properties of the system admin user, except its group type.
If an admin user opens a browser, closes it, then opens a new browser, two entries will remain for a period of time on the Active Session list. The Last Access time does not change for the ended session, and eventually the entry will be removed by the Auto-logout feature.

Figure 14-39 Admin User Active Sessions

The Active Sessions page includes the following elements:
• Admin Name—The admin user name.
Figure 14-40 Administrator User Access Restrictions

Step 2 Check the Enforce IP Access Restriction checkbox.
Step 3 In the IP Restriction White List box, enter the IP addresses to be allowed by the CAM and CAS. Type one address per line.
Step 4 Click Update.
Step 5 Both the CAM and CAS are enabled with the list of IP addresses provided.
Note: The access list is applied only to the CAS that is already added to the CAM.
Note: Once you complete the above steps, both the CAM and CAS are accessible. If you are using HA pairs, you must execute the steps for both the CAMs.

Manage System Passwords

Note: For new installations of Cisco NAC Appliance, the root administrator user password must conform to the strong password guidelines outlined below. Existing root administrator user passwords are preserved during upgrade.
Change the CAM Web Console Admin Password
To change the Clean Access Manager web console admin user password, use the following procedure.
Step 1 Go to Administration > Admin Users > List.
Step 2 Click the Edit icon for user admin.
Step 3 Type the new password in the Password field.
Step 4 Type the password again in the Confirm Password field.
Step 5 Click the Save Admin button. The new password is now in effect.
https://<CAS_IP>/admin, where <CAS_IP> is the trusted interface IP address of the CAS. For example, https://172.16.1.2/admin
Step 2 Log in with the admin user name and password.
Step 3 Click the Admin Password link from the left side menu.
Step 4 In the Old Password field, type the current password.
Step 5 Type the new password in the New Password and the Confirm Password fields.
Step 6 Click Update.
Backing Up the CAM Database
Note For further details on database logs, refer to Cisco NAC Appliance Log Files, page 13-11.
Figure 14-41 Backup Snapshot
Note The file still physically resides on the Clean Access Manager machine. For archiving purposes, it can remain there. However, to back up a configuration for use in case of system failure, the snapshot should be downloaded to another computer.
Step 3 To download the snapshot to another computer, click either the Download icon or the Tag Name of the snapshot that you want to download.
Step 2 If you need to upload the snapshot image from an external machine first, click the Browse button next to the Snapshot to Upload field, find the file in the external directory structure, and click Upload Snapshot.
Step 3 Log into the CAM CLI console and shut down services on the CAM using the service perfigo stop command.
Step 4 Enter the /perfigo/dbscripts/dbbackup.sh command.
Step 5 Navigate to the Administration > Backup web console page on the HA-Primary CAM, click the Browse button next to the Snapshot to Upload field, find the file in the external directory structure, and click Upload Snapshot.
Step 6 Log into the HA-Primary CAM CLI console and shut down services on the CAM using the service perfigo stop command.
Step 7 Enter the /perfigo/dbscripts/dbbackup.sh command.
Authorization settings are not automatically passed from the HA-Primary CAM/CAS to the HA-Secondary when deployed as a high-availability pair.
Step 3 Upload the new tar file to the destination CAM/CAS for backup or to populate an HA-Standby CAM/CAS.
[root@cam1]# scp authorization.tar.gz root@
root@'s password:
authorization.tar.gz 100% 1107 1.1KB/s 00:00
Step 4 Telnet or SSH to the command line interface of the secondary CAM/CAS, navigate to the /root/.perfigo/ directory, and extract the contents of the uploaded tar file.
• Backups made before and after failover events
• Manual snapshots created by the administrator via the web console
Although the web console already allows you to manually create and upload snapshots (via Administration > Backup), the CLI tool presents additional detail. The tool provides a menu that lists the snapshots from which to restore, along with the uncompressed size and table count of each. Note that a file which is corrupt or not in the proper format (e.g. not .
Cisco NAC Appliance - Clean Access Manager Configuration Guide 14-66 OL-28003-01
Appendix A Error and Event Log Messages
Client Error Messages
Login Failed
Clean Access Server is not properly configured, please report to your administrator.
A login page must be added and present in the system in order for both web login and Agent users to authenticate. If a default login page is not present, Agent users will see this error dialog when attempting login. See also Add Default Login Page, page 5-3.
Users Cannot Log In During CAS Fallback Recovery
Failed to add user to the list
During CAS fallback recovery (where the CAS is reconnecting to the CAM), a login dialog appears to users accessing the Cisco NAC Appliance network via the CAS, but they are unable to authenticate and log in for approximately 2 minutes. (Until CAS fallback recovery completes, users see a “Failed to add user to the list” error message when attempting to log in.
Table A-1 Event Log Messages (Sheet 2 of 4)
Message | Explanation | Severity
Invalid user credentials, | Username and password invalid. | Error
Invalid authentication provider, | User authentication server invalid. | Error
is inaccessible! | Heartbeat between Clean Access Manager and Clean Access Server failed; the Clean Access Server is offline. |
Table A-1 Event Log Messages (Sheet 3 of 4)
Message | Explanation | Severity
Could not connect to | Clean Access Server could not be added to the Clean Access Manager administration domain; the Clean Access Server is offline or not reachable by the Clean Access Manager. | Error
Table A-1 Event Log Messages (Sheet 4 of 4)
Message | Explanation | Severity
System Stats | Runtime statistics for the identified Clean Access Server. The information is: • load factor – Current number of packets in the queue that the server is processing (i.e. | N/A
Unable to process Out-of-Band login request from [ ] . Cause: connected device [] not found. | |
Appendix B API Support
This chapter discusses API support for the Clean Access Manager.
Authentication Requirements
Authentication over SSL is required to access the API. Two authentication methods are supported:
• Session-Based Authentication
With this method, the administrator uses the adminlogin and adminlogout functions to create a cookie-based session with the server.
adminlogout
The adminlogout function logs out the administrator and invalidates the session.
Required In Parameters:
• op: adminlogout
Out Parameters: comment
• Success: mesg value of 0
• Failure: error string
Device Filter Operations
The following APIs perform operations on the CAM’s Device Filter List (devices which bypass the user login requirement).
• role: Specifies a role name. The role parameter is not required for the unauthenticated role (default) but is required for “userole” or “check”.
• desc: Provides a description.
• ssip: Specifies the IP address used for configuring a Clean Access Server to Clean Access Manager. The default is global.
Or:
In the device filter string:
– “IP=x.x.x.x” is only given for filters with an IP address configured.
– “CAS=y.y.y.y” is only given for server-specific filters.
– “ROLE=zzz” is only given for filters with ROLE/CHECK types.
addsubnet
The addsubnet function adds a subnet to the Devices list.
Required In Parameters:
• op: addsubnet
• subnet: Supported format a.b.c.d for the subnet address, e.g. subnet=10.210.0.0
• mask: Mask in CIDR format, e.g. mask=16.
Optional In Parameters:
• type: One of the strings [deny, allow, userole]. Default is deny.
• role: Specify role name. Default is unauthenticated. Required if type is userole.
• desc: Any description string.
• mask: Mask in CIDR format (e.g. mask=16)
Optional In Parameter:
• ssip: Default is global. Provide the IP address used for configuring Clean Access Server to Clean Access Manager.
Synchronizing with ISE Profiler Operations
The following API commands are used while synchronizing Cisco ISE Profiler endpoints with NAC Manager.
Certified Devices List Operations
• clearcertified, page B-9
addcleanmac
The addcleanmac function adds one or more MAC addresses to the Certified Devices list as exempted devices.
Note If you do not use session-based authentication, the admin and passwd arguments are required. See Authentication Requirements, page B-2.
Required In Parameters:
• op: addcleanmac
• mac: Specifies the MAC addresses to add. Supported formats: 00:01:12:23:34:45 or 00-01-12-23-34-45 or 000112233445
clearcertified
The clearcertified function deletes all of the existing entries from the Clean Access Certified Devices list.
Note If you do not use session-based authentication, the admin and passwd arguments are required. See Authentication Requirements, page B-2.
Required In Parameter:
• op: clearcertified
• Failure: error string
kickuserbymac
The kickuserbymac function terminates the active session, by MAC address, of one or more logged-in In-Band users and removes the user(s) from the In-Band Online Users list.
Note If you do not use session-based authentication, the admin and passwd arguments are required.
Required In Parameters:
• op: kickuserbymac
• mac: Specifies one MAC address or a comma-separated list of MAC addresses.
Out Parameters: comment
• Success: mesg value of 0; another comment with an IP list and session time remaining for each IP entry
• Failure: error string
renewuserstime
The renewuserstime function renews the logged-in In-Band users’ session timeout by a session.
Required In Parameters:
• op: renewuserstime
• list: Specifies a comma-separated list of IP addresses. Supported format: 10.1.10.10, 10.1.10.11, 10.1.10.
Note If you do not use session-based authentication, the admin and passwd arguments are required. See Authentication Requirements, page B-2.
Required In Parameters:
• op: changeloggedinuserrole
• ip: Specifies the IP address of a logged-in user. To specify multiple users, use a comma-separated IP list.
• role: Specifies a new role for the user.
• Success: mesg value of 0; shows the number of users returned and is followed by the same number of comments of form
• Failure: error string
addlocaluser
The addlocaluser function adds a new local user account.
Required In Parameters:
• op: addlocaluser
• username: Specifies a new local user account user name.
• userpass: Specifies the user password for the new local user account.
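As an added example (not Cisco's code), the following Python client builds CAM API requests that obey the rules documented in Authentication Requirements, addsubnet, addcleanmac and kickuserbymac above. The endpoint path CAM_API_PATH, the comma-separated MAC list for addcleanmac, and the admin/passwd parameters passed to adminlogin are assumptions this guide does not state.

```python
"""Added example, not Cisco's code: build CAM API requests that obey the parameter
rules in this appendix. CAM_API_PATH, the comma-separated MAC list for addcleanmac
and the admin/passwd parameters of adminlogin are assumptions the guide does not state."""
import http.cookiejar
import ipaddress
import re
import urllib.parse
import urllib.request
from typing import Dict, Iterable, Optional

CAM_API_PATH = "/admin/cisco_api.jsp"  # assumed placeholder; confirm for your CAM
# The three MAC formats the guide documents: colon, dash, or no separator.
_MAC_PATTERNS = (
    re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I),
    re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$", re.I),
    re.compile(r"^[0-9a-f]{12}$", re.I),
)
DEVICE_FILTER_TYPES = ("deny", "allow", "userole")


def normalize_mac(mac: str) -> str:
    """Return the MAC in colon form; reject anything outside the three formats."""
    mac = mac.strip()
    if not any(p.match(mac) for p in _MAC_PATTERNS):
        raise ValueError(f"unsupported MAC format: {mac!r}")
    digits = re.sub(r"[:-]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_addsubnet(subnet: str, mask: int, filter_type: str = "deny",
                    role: Optional[str] = None, desc: Optional[str] = None) -> Dict[str, str]:
    """op=addsubnet: subnet a.b.c.d, mask in CIDR bits, type deny|allow|userole."""
    if filter_type not in DEVICE_FILTER_TYPES:
        raise ValueError(f"type must be one of {DEVICE_FILTER_TYPES}, got {filter_type!r}")
    if filter_type == "userole" and not role:
        raise ValueError("role is required when type is userole")
    # strict=True rejects host bits set (e.g. 10.210.0.5/16) rather than silently
    # widening the filter to the whole network.
    network = ipaddress.IPv4Network(f"{subnet}/{int(mask)}", strict=True)
    params = {"op": "addsubnet", "subnet": str(network.network_address),
              "mask": str(network.prefixlen), "type": filter_type}
    if role:
        params["role"] = role
    if desc:
        params["desc"] = desc
    return params


def build_mac_op(op: str, macs: Iterable[str]) -> Dict[str, str]:
    """op=addcleanmac or op=kickuserbymac with one or more MAC addresses."""
    if op not in ("addcleanmac", "kickuserbymac"):
        raise ValueError(f"unsupported MAC operation: {op!r}")
    normalized = [normalize_mac(m) for m in macs]
    if not normalized:
        raise ValueError("at least one MAC address is required")
    return {"op": op, "mac": ",".join(normalized)}


def with_auth(params: Dict[str, str], session: bool = False,
              admin: Optional[str] = None, passwd: Optional[str] = None) -> Dict[str, str]:
    """A cookie session from adminlogin needs no credentials; otherwise each call
    must carry admin and passwd."""
    if session:
        return dict(params)
    if not (admin and passwd):
        raise ValueError("admin and passwd are required without a session")
    return {**params, "admin": admin, "passwd": passwd}


def send(host: str, params: Dict[str, str], jar: http.cookiejar.CookieJar) -> str:
    """POST over HTTPS with default certificate verification; the jar keeps the
    adminlogin session cookie for the calls that follow."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    data = urllib.parse.urlencode(params).encode()
    with opener.open(f"https://{host}{CAM_API_PATH}", data=data, timeout=30) as resp:
        return resp.read().decode(errors="replace")
```

For the session-based flow, send with_auth({"op": "adminlogin"}, admin=..., passwd=...) once through send() with a shared CookieJar, pass session=True on the operations that follow, and finish with {"op": "adminlogout"}.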
• bounceportbymac, page B-14
bounceport
The bounceport function bounces the OOB switch port that a client connects to, given the switch ID and port number.
Required In Parameters:
• op: bounceport
• switch: ID of the switch as inserted in the CAM DB table ‘switch’.
• port: OOB port in the switch to be bounced.
Out Parameters: Comment of form is returned.
getversion
The getversion function returns the version number of the CAM.
Required In Parameters:
• op: getversion
Out Parameters:
• Comment of form is returned.
getoobuserinfo
Given an IP address, MAC address or username, the getoobuserinfo function retrieves information about the logged-in Out-of-Band (OOB) users; given the qtype “all”, the system generates a list of information about all logged-in OOB users. If multiple users match the criteria, the system generates a list of users.
Note If you do not use session-based authentication, the admin and passwd arguments are required. See Authentication Requirements, page B-2.
Optional Query Parameters:
Table B-1 lists the query parameters for the getreports function.
Table B-1 Query Parameters for the getreports function
Parameter Name | Allowed Values | Description
status | One of the following values: | Reports only information for the specified status.
Table B-1 Query Parameters for the getreports function (continued)
Parameter Name | Allowed Values | Description
os | One of the following values: | Reports information about the specified OS.
Table B-1 Query Parameters for the getreports function (continued)
Parameter Name | Allowed Values | Description
os (continued) | Allowed values (continued): |
• WINDOWS_7_64_ULTIMATE (Windows 7 Ultimate x64)
• WINDOWS_VISTA_ALL (Windows Vista (all))
• WINDOWS_VISTA_HOME_BASIC (Windows Vista Home Basic)
• WINDOWS_VISTA_HOME_PREMIUM (Windows Vista Home Premium)
• WINDOWS_VISTA_BUSINESS (Windows Vista Business)
• WINDOWS_VISTA_ULTIMATE (Windows Vista Ultimate)
• WINDOWS_VISTA_ENTERPRI
Table B-1 Query Parameters for the getreports function (continued)
Parameter Name | Allowed Values | Description
timeRange | timeFrom, timeTo | Reports information collected within the specified time range.
Table B-1 Query Parameters for the getreports function (continued)
Parameter Name | Allowed Values | Description
reqName | Name of the AV or AS software requirement; empty quotes “any” (default) | Restricts to reports containing this software requirement.
reqStatus | One of the following values: | Restricts to reports where the software requirement is of this status (only if reqName is used).
Out Parameters: The contents of the specified file name are displayed.
getcannedreportslist
The getcannedreportslist function fetches the list of all the canned report files in the canned directory: /perfigo/control/data/reports.
Appendix C MIB Support
This chapter lists Objects and Object Identifiers (OIDs) for the Management Information Bases (MIBs) supported by Clean Access Manager.
Table C-1 CLEAN ACCESS - MIB
Object | OID | Description
cleanaccessPort | 1.3.6.1.4.1.16344.1.3.0 | The port the web management console is listening on
versionString | 1.3.6.1.4.1.16344.1.4.0 | Version of software running on the Clean Access Manager
cleanaccessServerCount | 1.3.6.1.4.1.16344.1.5.0 | Number of Clean Access Servers managed by this Clean Access Manager
alertCount | 1.3.6.1.4.1.16344.1.6.0 | Number of Alerts
cleanaccessServerTable | 1.3.6.1.4.1.16344.1. |
Table C-1 CLEAN ACCESS - MIB (continued)
Object | OID | Description
alertTableText | 1.3.6.1.4.1.16344.1.8.1.5 |
alertTableRowStatus | 1.3.6.1.4.1.16344.1.8.1.6 |
Table C-2 SNMPv2-MIB
Object | OID
sysDescr | 1.3.6.1.2.1.1.1
sysObjectID | 1.3.6.1.2.1.1.2
sysUpTime | 1.3.6.1.2.1.1.3
sysContact | 1.3.6.1.2.1.1.4
sysName | 1.3.6.1.2.1.1.5
sysLocation | 1.3.6.1.2.1.1.6
sysORLastChange | 1.3.6.1.2.1.1.8
sysORID | 1.3.6.1.2.1.1.9.1.2
sysORDescr | 1.3.6.1.2.1.1.9.1.3
sysORUpTime | 1.3.6.1.2.1.1.9.1.
Table C-3 RFC1213-MIB (continued)
Object | OID
ifOutUcastPkts | 1.3.6.1.2.1.2.2.1.17
ifOutNUcastPkts | 1.3.6.1.2.1.2.2.1.18
ifOutDiscards | 1.3.6.1.2.1.2.2.1.19
ifOutErrors | 1.3.6.1.2.1.2.2.1.20
ifOutQLen | 1.3.6.1.2.1.2.2.1.21
ifSpecific | 1.3.6.1.2.1.2.2.1.22
Table C-4 IP-MIB
Object | OID
ipForwarding | 1.3.6.1.2.1.4.1
ipDefaultTTL | 1.3.6.1.2.1.4.2
ipInReceives | 1.3.6.1.2.1.4.3
ipInHdrErrors | 1.3.6.1.2.1.4.4
ipInAddrErrors | 1.3.6.1.2.1.4.5
ipForwDatagrams | 1.3.6.1.2.1.4.
Table C-4 IP-MIB (continued)
Object | OID
ipRouteType | 1.3.6.1.2.1.4.21.1.8
ipRouteProto | 1.3.6.1.2.1.4.21.1.9
ipRouteMask | 1.3.6.1.2.1.4.21.1.11
ipRouteInfo | 1.3.6.1.2.1.4.21.1.13
ipNetToMediaIfIndex | 1.3.6.1.2.1.4.22.1.1
ipNetToMediaPhysAddress | 1.3.6.1.2.1.4.22.1.2
ipNetToMediaNetAddress | 1.3.6.1.2.1.4.22.1.3
ipNetToMediaType | 1.3.6.1.2.1.4.22.1.4
ipRoutingDiscards | 1.3.6.1.2.1.4.23
ipCidrRouteDest | 1.3.6.1.2.1.4.24.4.1.1
ipCidrRouteMask | 1.3.6.1.2.1.4.24.4.1.
Table C-4 IP-MIB (continued)
Object | OID
ipv4InterfaceTableLastChange | 1.3.6.1.2.1.4.27
ipv4InterfaceReasmMaxSize | 1.3.6.1.2.1.4.28.1.2
ipv4InterfaceEnableStatus | 1.3.6.1.2.1.4.28.1.3
ipv4InterfaceRetransmitTime | 1.3.6.1.2.1.4.28.1.4
ipv6InterfaceTableLastChange | 1.3.6.1.2.1.4.29
ipSystemStatsInReceives | 1.3.6.1.2.1.4.31.1.1.3
ipSystemStatsHCInReceives | 1.3.6.1.2.1.4.31.1.1.4
ipSystemStatsInHdrErrors | 1.3.6.1.2.1.4.31.1.1.7
ipSystemStatsInNoRoutes | 1.3.6.1.2.1.4.31.1.1.
Table C-4 IP-MIB (continued)
Object | OID
ipSystemStatsInBcastPkts | 1.3.6.1.2.1.4.31.1.1.42
ipSystemStatsHCInBcastPkts | 1.3.6.1.2.1.4.31.1.1.43
ipSystemStatsOutBcastPkts | 1.3.6.1.2.1.4.31.1.1.44
ipSystemStatsHCOutBcastPkts | 1.3.6.1.2.1.4.31.1.1.45
ipSystemStatsDiscontinuityTime | 1.3.6.1.2.1.4.31.1.1.46
ipSystemStatsRefreshRate | 1.3.6.1.2.1.4.31.1.1.47
ipIfStatsTableLastChange | 1.3.6.1.2.1.4.31.2
ipAddressPrefixOrigin | 1.3.6.1.2.1.4.32.1.5
ipAddressPrefixOnLinkFlag | 1.3.6.
Table C-6 HOST-RESOURCES-MIB (continued)
Object | OID
hrSystemInitialLoadDevice | 1.3.6.1.2.1.25.1.3
hrSystemInitialLoadParameters | 1.3.6.1.2.1.25.1.4
hrSystemNumUsers | 1.3.6.1.2.1.25.1.5
hrSystemProcesses | 1.3.6.1.2.1.25.1.6
hrSystemMaxProcesses | 1.3.6.1.2.1.25.1.7
hrMemorySize | 1.3.6.1.2.1.25.2.2
hrStorageIndex | 1.3.6.1.2.1.25.2.3.1.1
hrStorageType | 1.3.6.1.2.1.25.2.3.1.2
hrStorageDescr | 1.3.6.1.2.1.25.2.3.1.3
hrStorageAllocationUnits | 1.3.6.1.2.1.25.2.3.1.
Table C-6 HOST-RESOURCES-MIB (continued)
Object | OID
hrFSStorageIndex | 1.3.6.1.2.1.25.3.8.1.7
hrFSLastFullBackupDate | 1.3.6.1.2.1.25.3.8.1.8
hrFSLastPartialBackupDate | 1.3.6.1.2.1.25.3.8.1.9
hrSWRunIndex | 1.3.6.1.2.1.25.4.2.1.1
hrSWRunName | 1.3.6.1.2.1.25.4.2.1.2
hrSWRunID | 1.3.6.1.2.1.25.4.2.1.3
hrSWRunPath | 1.3.6.1.2.1.25.4.2.1.4
hrSWRunParameters | 1.3.6.1.2.1.25.4.2.1.5
hrSWRunType | 1.3.6.1.2.1.25.4.2.1.6
hrSWRunStatus | 1.3.6.1.2.1.25.4.2.1.7
hrSWRunPerfCPU | 1.3.6.1.
Table C-8 IF-MIB (continued)
Object | OID
ifHCInUcastPkts | 1.3.6.1.2.1.31.1.1.1.7
ifHCInMulticastPkts | 1.3.6.1.2.1.31.1.1.1.8
ifHCInBroadcastPkts | 1.3.6.1.2.1.31.1.1.1.9
ifHCOutOctets | 1.3.6.1.2.1.31.1.1.1.10
ifHCOutUcastPkts | 1.3.6.1.2.1.31.1.1.1.11
ifHCOutMulticastPkts | 1.3.6.1.2.1.31.1.1.1.12
ifHCOutBroadcastPkts | 1.3.6.1.2.1.31.1.1.1.13
ifHighSpeed | 1.3.6.1.2.1.31.1.1.1.15
ifPromiscuousMode | 1.3.6.1.2.1.31.1.1.1.16
ifConnectorPresent | 1.3.6.1.2.1.31.1.1.1.17
ifAlias | 1.3.6.1.2.1.
Table C-9 DISMAN-EVENT-MIB
Object | OID
mteObjectsID | 1.3.6.1.2.1.88.1.3.1.1.3
mteObjectsIDWildcard | 1.3.6.1.2.1.88.1.3.1.1.4
mteObjectsEntryStatus | 1.3.6.1.2.1.88.1.3.1.1.5
mteEventComment | 1.3.6.1.2.1.88.1.4.2.1.2
mteEventActions | 1.3.6.1.2.1.88.1.4.2.1.3
mteEventEnabled | 1.3.6.1.2.1.88.1.4.2.1.4
mteEventEntryStatus | 1.3.6.1.2.1.88.1.4.2.1.5
mteEventNotification | 1.3.6.1.2.1.88.1.4.3.1.1
mteEventNotificationObjectsOwner | 1.3.6.1.2.1.88.1.4.3.1.
Table C-11 UCD-SNMP-MIB (continued)
Object | OID
memMinimumSwap | 1.3.6.1.4.1.2021.4.12
memShared | 1.3.6.1.4.1.2021.4.13
memBuffer | 1.3.6.1.4.1.2021.4.14
memCached | 1.3.6.1.4.1.2021.4.15
memSwapError | 1.3.6.1.4.1.2021.4.100
memSwapErrorMsg | 1.3.6.1.4.1.2021.4.101
dskIndex | 1.3.6.1.4.1.2021.9.1.1
dskPath | 1.3.6.1.4.1.2021.9.1.2
dskDevice | 1.3.6.1.4.1.2021.9.1.3
dskMinimum | 1.3.6.1.4.1.2021.9.1.4
dskMinPercent | 1.3.6.1.4.1.2021.9.1.5
dskTotal | 1.3.6.1.4.1.2021.9.1.
Table C-11 UCD-SNMP-MIB (continued)
Object | OID
ssCpuIdle | 1.3.6.1.4.1.2021.11.11
ssCpuRawUser | 1.3.6.1.4.1.2021.11.50
ssCpuRawNice | 1.3.6.1.4.1.2021.11.51
ssCpuRawSystem | 1.3.6.1.4.1.2021.11.52
ssCpuRawIdle | 1.3.6.1.4.1.2021.11.53
ssCpuRawWait | 1.3.6.1.4.1.2021.11.54
ssCpuRawKernel | 1.3.6.1.4.1.2021.11.55
ssCpuRawInterrupt | 1.3.6.1.4.1.2021.11.56
ssIORawSent | 1.3.6.1.4.1.2021.11.57
ssIORawReceived | 1.3.6.1.4.1.2021.11.58
ssRawInterrupts | 1.3.6.1.4.1.2021.11.
Table C-12 UCD-DLMOD-MIB
Object | OID
versionConfigureOptions | 1.3.6.1.4.1.2021.100.6
versionClearCache | 1.3.6.1.4.1.2021.100.10
versionUpdateConfig | 1.3.6.1.4.1.2021.100.11
versionRestartAgent | 1.3.6.1.4.1.2021.100.12
versionSavePersistentData | 1.3.6.1.4.1.2021.100.13
versionDoDebugging | 1.3.6.1.4.1.2021.100.20
snmperrIndex | 1.3.6.1.4.1.2021.101.1
snmperrNames | 1.3.6.1.4.1.2021.101.2
snmperrErrorFlag | 1.3.6.1.4.1.2021.101.100
snmperrErrMessage | 1.3.6.1.4.1.2021.101.
Table C-17 SNMP-TARGET-MIB
Object | OID
snmpTargetSpinLock | 1.3.6.1.6.3.12.1.1
snmpUnavailableContexts | 1.3.6.1.6.3.12.1.4
snmpUnknownContexts | 1.3.6.1.6.3.12.1.5
Table C-18 SNMP-USER-BASED-SM-MIB
Object | OID
usmStatsUnsupportedSecLevels | 1.3.6.1.6.3.15.1.1.1
usmStatsNotInTimeWindows | 1.3.6.1.6.3.15.1.1.2
usmStatsUnknownUserNames | 1.3.6.1.6.3.15.1.1.3
usmStatsUnknownEngineIDs | 1.3.6.1.6.3.15.1.1.4
usmStatsWrongDigests | 1.3.6.1.6.3.15.1.1.5
usmStatsDecryptionErrors | 1.3.
Appendix D Open Source License Acknowledgments
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.