Specifications
1-3
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 1 Introduction
FIPS Compliance in the Cisco NAC Appliance Network
Appliance encapsulates SWISS communications between client machines and CASs, including
Discovery packet transmission/acknowledgement, authentication, and posture assessment results using
the HTTPS protocol. The SWISS mechanism also features an enhanced handler that uses 3DES
encryption for SWISS protocol functions.
In addition, there are several specific tasks you must perform to ensure your Cisco NAC Appliance
network remains FIPS compliant:
• Obtain appropriate next generation FIPS-compliant hardware as described in the “Cisco NAC Appliance Hardware Platforms” chapter of the Cisco NAC Appliance Hardware Installation Guide, Release 4.9(x)
• Install and appropriately configure the same next generation FIPS-compliant hardware as described in the “Installing the Clean Access Manager and Clean Access Server” chapter of the Cisco NAC Appliance Hardware Installation Guide, Release 4.9(x)
• If necessary, enable the TLSv1 option in Internet Explorer version 6 by following the guidelines in the “Enabling TLSv1 on Internet Explorer Version 6” installation troubleshooting section of the Cisco NAC Appliance Hardware Installation Guide, Release 4.9(x)
• Ensure your CAM/CAS SSL certificates adhere to the guidelines outlined in Manage CAM SSL Certificates, page 14-7 and the “Manage CAS SSL Certificates” section in the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x)
• Specify the appropriate encryption protocols for Out-of-Band switch management according to the guidelines in Configure SNMP Receiver, page 3-44
• Configure connections to external RADIUS authentication servers according to the guidelines in RADIUS, page 7-6 and Add a FIPS 140-2 Compliant RADIUS Auth Provider Using an ACS Server, page 7-8
• Configure Cisco NAC Appliance to perform VPN SSO via a Cisco ASA in a FIPS-compliant network according to the guidelines in the “Adding/Editing VPN Concentrator Entries,” “Adding/Editing Accounting Server Entries,” and “Configure VPN SSO in a FIPS 140-2 Compliant Deployment” sections of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x)
• Configure Cisco NAC Appliance to perform AD SSO for Windows client machines in a FIPS 140-2 compliant network according to the guidelines in the “Configure Active Directory for FIPS 140-2 Compliant AD SSO” section of the Cisco NAC Appliance Hardware Installation Guide, Release 4.9(x)
• Ensure you disable Network Time Protocol (NTP) server authentication on both the CAM and CAS using the instructions at Set System Time, page 14-5 and the “Synchronize System Time” section of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x)
Note: Cisco NAC Appliance Release 4.7(0), 4.8, and 4.9 are the only tested FIPS 140-2 compliant releases. Cisco NAC Profiler and Cisco NAC Guest Server are not supported in FIPS-compliant deployments in Release 4.7(0), 4.8, and 4.9.