Network Admission Control (NAC)
Pascal Delprat, pdelprat@cisco.com
©2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Agenda
- NAC Concepts
- NAC Appliance Overview
- NAC Framework Overview
- NAC / NAP
- Q & A
NAC Concepts
Perimeter Security Is Not Enough
Threat vectors have changed: friendly users can be the weakest link in your network's security. Complicated by:
- User types: employees, contractors, guests, partners
- Device types: laptops, PDAs, desktops; managed and unmanaged
- Access types: remote/VPN, wireless, branch offices
Does each user have:
- Windows Updates?
- Anti-virus software?
- Anti-spyware software?
What Is Network Admission Control?
Network Admission Control (NAC) is a solution that uses the network infrastructure to ensure that all devices seeking network access comply with an organization's security policy.
(Diagram: NAC brings together identity ("Please enter username:"), device security and network security.)
Network Admission Control: NAC Appliance and NAC Framework
NAC Appliance (Clean Access): the best turnkey appliance product for all verticals. Building blocks: Clean Access Agent; Discovery, Authentication, Policy, Enforcement, Remediation. Addresses immediate pain points with CCA.
NAC Framework: the best technological approach for the Enterprise. Building blocks: Cisco Trust Agent; Discovery, Authentication and Policy via Cisco Secure ACS (AAA), Enforcement, Remediation (vendor). Begins a long-term enterprise solution with integrated products and services.
NAC Appliance
NAC Appliance Overview: Components
- Cisco Clean Access Server: serves as an in-band or out-of-band device for network access control.
- Cisco Clean Access Manager: centralizes management for administrators, support personnel, and operators.
- Cisco Clean Access Agent: optional lightweight client for device-based registry scans in unmanaged environments.
- Rule-set Updates: scheduled automatic updates for anti-virus, critical hot-fixes and other applications.
NAC Appliance Overview: Components (rule-set updates)
- Critical Windows Updates: Windows Vista, XP, 2000, 98, ME
- Anti-Virus Updates
- Anti-Spyware Updates
- Other 3rd-Party Checks
Customers can easily add customized checks.
Cisco NAC Appliance Partnerships
Cisco NAC is committed to protecting customers' investments in partner applications. NAC Appliance supports policies for 250+ applications, including those of the vendors shown (vendor logos).
NAC Appliance Overview: Process Flow
1. End user attempts to access a Web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.
2. User is redirected to a login page. NAC Appliance validates the username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Device is noncompliant or login is incorrect: the user is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean": the machine gets on the "certified devices list" and is granted access to the network.
(Diagram: Authentication Server, NAC Appliance Server, NAC Appliance Manager, Quarantine Role, and the Intranet/Network labelled THE GOAL.)
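The process flow above, as a small added example in Python (not Clean Access code): it models the login check, a posture scan whose checks depend on the user's role, the quarantine role on failure and the certified devices list on success. The user store, the per-role check sets and the MAC addresses are constructed for the example, and treating a device already on the certified list as exempt from another scan is an assumption of this model.

```python
"""Model of the NAC Appliance process flow on this slide: login, posture
scan with checks selected by the user's role, quarantine role on failure,
certified devices list on success. Added example, not Clean Access code.
Users, per-role checks and MAC addresses are constructed for the example."""

import hmac
from dataclasses import dataclass, field

# Constructed user store: username -> (password, role)
USERS = {
    "alice": ("alice-pw", "employee"),
    "bob":   ("bob-pw",   "contractor"),
    "eve":   ("eve-pw",   "guest"),
}

# Constructed requirements: the checks a device must pass depend on the role
ROLE_REQUIREMENTS = {
    "employee":   {"windows_updates", "antivirus", "antispyware"},
    "contractor": {"antivirus", "antispyware"},
    "guest":      {"antivirus"},
}

QUARANTINE_ROLE = "quarantine"   # only online remediation resources reachable


@dataclass
class AdmissionResult:
    role: str
    failed_checks: list = field(default_factory=list)
    reason: str = ""


@dataclass
class CleanAccessServer:
    # In Layer 2 mode the CAS identifies a client by MAC address, so the
    # certified devices list is keyed by MAC here.
    certified_devices: set = field(default_factory=set)

    def authenticate(self, username, password):
        """Step 2: validate username and password; returns the role or None."""
        entry = USERS.get(username)
        if entry is None:
            return None
        stored_pw, role = entry
        # constant-time comparison so response time does not leak how much matched
        return role if hmac.compare_digest(stored_pw.encode(), password.encode()) else None

    def admit(self, username, password, mac, scan_results):
        """Steps 2-3: scan_results maps check name -> passed (True/False)."""
        role = self.authenticate(username, password)
        if role is None:
            # 3a: incorrect login -> denied, quarantine role
            return AdmissionResult(QUARANTINE_ROLE, reason="login failed")
        if mac in self.certified_devices:
            # Assumption of this model: a device already on the certified
            # devices list is not re-scanned on its next login.
            return AdmissionResult(role, reason="already certified")
        failed = sorted(c for c in ROLE_REQUIREMENTS[role] if not scan_results.get(c, False))
        if failed:
            # 3a: noncompliant -> quarantine role, with the list of what to remediate
            return AdmissionResult(QUARANTINE_ROLE, failed, "posture failed")
        # 3b: device is clean -> certified devices list, full access for the role
        self.certified_devices.add(mac)
        return AdmissionResult(role, reason="certified")

    def clear_certified_devices(self):
        """Admins clear the list to force every device through the scan again."""
        self.certified_devices.clear()
```

Note that the login check runs before the certified-list lookup, so a certified MAC with a wrong password still lands in the quarantine role; a device is only exempt from the scan for the user who can log in.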
NAC Appliance Overview: Agent
(Screenshots: login screen; scan is performed, the types of checks depend on user role; scan fails; remediate.)
NAC Appliance Overview: Web Login
(Screenshots: login screen; scan is performed, the types of checks depend on user role and OS; click-through remediation.)
Admin Control with Real-Time Information
(Screenshots: admin view and user view.) Logs can be viewed locally or sent via Syslog to an off-box collection engine for custom reports.
NAC Checks for Endpoint Security Apps
NAC Appliance is preconfigured with checks for popular antivirus, anti-spyware, and other host security applications, like CSA (Cisco Security Agent).
CAS: Virtual Gateway & Real IP Gateway
Clean Access Servers, at the most basic level, can pass traffic in one of two ways:
- Bridged Mode = Virtual Gateway
- Routed Mode = Real IP Gateway / NAT Gateway
Any CAS can be configured for either method, but a CAS can only be one at a time. Gateway mode selection affects the logical traffic path; it does not affect whether a CAS is in Layer 2 mode, Layer 3 mode, In-Band or Out-of-Band.
CAS: Virtual Gateway
- Direct bridging: frame comes in, frame goes out.
- VLAN IDs are either passed through untouched or mapped from A to B.
- DHCP and client routes point directly to network devices on the trusted side.
- CAS is an IP-passive bump in the wire, like a transparent firewall.
CAS: Real IP / NAT Gateway
- CAS is routing: packet comes in, packet goes out.
- VLAN IDs terminate at the CAS; no pass-through or mapping.
- DHCP and client routes usually point to the CAS (e.g. /30 subnets).
- CAS is an active IP router and can also NAT outbound packets**.
CAS: Edge Deployment
- Easiest deployment option to understand.
- CAS is logically inline and physically inline.
- Supports all Catalyst switches.
- VLAN IDs are passed straight through when in VGW (VLAN 10 → VLAN 10).
- Installations with multiple access-layer closets can become complex.
CAS: Central Deployment
- Most common deployment option.
- CAS is logically inline, NOT physically inline.
- Supports Catalyst 6500/4500/3750/3560.
- VLAN IDs are mapped when in VGW (VLAN 110 → VLAN 10).
- Easiest installation; most scalable in large environments.
CAS: Layer 2 Mode
- Client is Layer 2 adjacent to the CAS.
- MAC address is used as the unique identifier.
- Supports both VGW and Real IP GW.
- Supports both In-Band and Out-of-Band.
- Most common deployment model for LANs.
CAS: Layer 3 Mode
- Client is NOT Layer 2 adjacent to the CAS.
- IP address is used as the unique identifier.
- Supports both VGW and Real IP GW.
- Supports In-Band mode**.
- Needed for WAN and VPN deployments.
CAS: In-Band
- Easiest deployment option.
- CAS is inline (in the data path) before and after posture assessment.
- Supports any switch, any hub, any AP.
- Role-based access control: Guest, Contractor, Employee.
- ACL filtering and bandwidth throttling.
CAS: Out-of-Band
- Multi-gigabit throughput deployment option.
- CAS is inline for posture assessment only.
- Supports the most common Cisco switches**.
- Port-VLAN-based and role-based access control.
- ACL filtering and bandwidth throttling for posture assessment only.
CAM: Configuration
(Screenshot.) Servers are centrally managed through the CAM.
CAM: Out-of-Band
(Screenshot.)
CAM: Pre-Configured Checks
(Screenshot.) Automatic updates for pre-configured checks.
CAM: Logging and Management
(Screenshot.) Fine-tune administrative rights and privileges.
NAC Framework
NAC Framework Architecture
- Subject: managed or unmanaged host.
- Enforcement: LAN, WAN, Remote.
- Decision & Remediation: ACS, Directory Server, Posture Validation Server(s), Audit Server, Patch Server, Reporting Server.
NAC Admission Flow
Components: host attempting network access (running Cisco Trust Agent, CTA); Network Access Devices (NADs); Cisco Secure ACS; policy server decision points and audit (Directory Server, Policy Vendor Server (PVS), Audit Server (AS)).
1. Traffic triggers challenge (NAD to host).
2. Credentials, host to NAD, carried in EAP over 802.1x or EAP over UDP.
3. Credentials, NAD to ACS, carried in EAP over RADIUS.
4a. Identity: ACS to Directory Server (LDAP, OTP).
4b. Posture: ACS to Policy Vendor Server (HCAP).
4c. Audit: ACS to Audit Server (GAME over HTTPS).
5. Compliant?
6. Authorization (ACS to NAD).
7. Enforcement (at the NAD).
8. Notification (to the host).
9. Status.
Key: the diagram marks each step as optional or mandatory.
NAC Compliance: Quarantine to Healthy
1. Host updates AV.
2. Revalidation / status query (NAD to host).
3. Credentials, host to NAD (EAP over 802.1x or EAP over UDP).
4. Credentials, NAD to ACS (EAP over RADIUS).
5a. Identity: authentication pass (Directory Server).
5b. Posture: DATs valid (Anti-Virus Policy Server).
6. Compliant.
7. Authorization: VLAN, ACL, HEALTHY URL redirect.
8. Enforcement.
9. Notification.
10. Healthy!
NAC Agentless Host (NAH)
1. Traffic triggers challenge.
2. No CTA on the host.
3a. Audit: ACS asks the Audit Server.
3b. Audit Server examines the host (Windows XP SP2, Windows Firewall, no vulnerabilities).
3c. Audit result returned to ACS.
4. Compliant? NO.
5. Authorization: QUARANTINE.
6. Enforcement (VLAN, ACL, URL redirect).
7. Host is quarantined.
Note: NAH in 802.1x is currently unsupported!
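The decision points in the three flows above (admission, quarantine to healthy, and agentless host), as an added Python model that is not Cisco ACS code: the NAD relays identity and posture, or, with no CTA, ACS asks the Audit Server; ACS decides; the NAD enforces what comes back. The directory entries, the anti-virus DAT rule, the audit policy and the VLAN/ACL/URL-redirect authorizations are constructed for the example, and returning a "Reject" result on an identity failure is this model's convention, since the slides do not show that branch.

```python
"""Model of the NAC Framework decision points on the Admission Flow,
Quarantine-to-Healthy and Agentless Host slides. Added example, not Cisco
ACS code: the NAD relays identity and posture (or, with no CTA, ACS asks
the Audit Server), ACS decides, and the NAD enforces what ACS returns.
Directory entries, the DAT rule, the audit policy and the authorizations
below are all constructed for the example."""

from dataclasses import dataclass
from typing import Optional

DIRECTORY = {"alice": "alice-pw"}   # Directory Server entries (constructed)
MIN_DAT_VERSION = 4500               # Anti-Virus Policy Server rule "DATs valid" (constructed)

# What the NAD enforces for each result ACS can return (constructed values).
# "Reject" is this model's convention for a failed identity check.
AUTHORIZATION = {
    "Healthy":    {"vlan": 10,   "acl": "permit-all",       "url_redirect": None},
    "Quarantine": {"vlan": 99,   "acl": "remediation-only", "url_redirect": "https://remediation.example/"},
    "Reject":     {"vlan": None, "acl": "deny-all",         "url_redirect": None},
}


@dataclass
class Host:
    mac: str
    cta: bool                        # Cisco Trust Agent installed?
    username: Optional[str] = None
    password: Optional[str] = None
    dat_version: int = 0             # AV signature (DAT) version reported through CTA
    firewall_on: bool = False        # observed by the Audit Server when there is no CTA
    vulnerabilities: int = 0         # open vulnerabilities found by the Audit Server


@dataclass
class Decision:
    token: str
    authorization: dict
    reason: str


def validate_identity(host):
    """Step 4a, Identity: ACS checks the credentials against the Directory Server."""
    return host.username is not None and DIRECTORY.get(host.username) == host.password


def validate_posture(host):
    """Step 4b, Posture: the Policy Validation Server rule (over HCAP) yields a token."""
    return "Healthy" if host.dat_version >= MIN_DAT_VERSION else "Quarantine"


def audit(host):
    """Step 4c, Audit: the Audit Server (GAME over HTTPS) scans a host with no CTA.
    Constructed audit policy: host firewall on and no open vulnerabilities."""
    return "Healthy" if host.firewall_on and host.vulnerabilities == 0 else "Quarantine"


def admission(host):
    """Steps 1-7: return the Decision that ACS sends the NAD (over RADIUS) to enforce."""
    if not host.cta:
        token, reason = audit(host), "no CTA: audit server result"      # agentless path
    elif not validate_identity(host):
        token, reason = "Reject", "identity failed"
    else:
        token = validate_posture(host)
        reason = "posture: DATs " + ("valid" if token == "Healthy" else "out of date")
    return Decision(token, AUTHORIZATION[token], reason)


def revalidate(host, new_dat_version):
    """Quarantine to Healthy: the host updates AV (step 1); the NAD's status
    query (step 2) triggers revalidation, i.e. the admission decision is re-run."""
    host.dat_version = new_dat_version
    return admission(host)
```

The point to notice is that a quarantined host is never "upgraded" in place: remediation only changes what the posture plug-in reports, and it is the revalidation that re-runs the whole decision and hands the NAD a new authorization.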
Cisco NAC Partner Program
The NAC Partner Program is a third-party-technology integration program. Over 70 industry-leading security and management program participants, with 25 certified, shipping solutions. Specific APIs are available for product integration in the areas of assessment, remediation, and monitoring/reporting of an integrated NAC solution. Useful for NAC customers with existing or planned investments in these partners' products. For a complete partner list, see: www.cisco.com/go/nac/program
(Diagram: Assessment, Remediation, Audit and Policy around the Cisco Trust Agent; Discovery, Authentication, Policy and Enforcement around AAA (ACS).)
NAC Program Participants
http://www.cisco.com/go/nac/program
(Partner logos, grouped into Shipping and Developing.)
EAP (Extensible Authentication Protocol)
RFC 3748 (obsoletes 2284): http://www.ietf.org/rfc/rfc3748.txt
- Transports authentication information in the form of EAP payloads.
- Establishes and manages the connection; allows authentication by encapsulating various types of authentication exchanges.
Prevalent EAP types:
- EAP-TLS: uses X.509v3 PKI certificates and the TLS mechanism for authentication.
- PEAP: Protected EAP, a tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted (TLS) tunnel.
- EAP-FAST: designed not to require certificates; tunnels other EAP types in an encrypted (TLS) tunnel.
EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.
Encapsulation: Ethernet Header | 802.1x Header | EAP Payload on the LAN; IP Header | UDP | RADIUS | EAP Payload between the authenticator and the AAA server.
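The two encapsulations on this slide (EAP inside an 802.1x/EAPOL frame on the LAN, and the same EAP payload inside a RADIUS EAP-Message attribute on the way to the AAA server), as an added Python example that is not from the original deck. The frames and the RADIUS datagram are built by hand for the example (the RADIUS Authenticator is zeroed, which a real request never does), and the parsers check every Length field so a truncated or inconsistent packet is rejected rather than read past its end.

```python
"""Parse the two encapsulations on the slide: EAP inside an 802.1x (EAPOL)
frame on the LAN, and the same EAP payload inside a RADIUS EAP-Message
attribute between authenticator and AAA server. Added example, not from the
deck; every packet below is constructed by hand, not captured from real gear."""

import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0            # EAPOL packet type 0 carries an EAP packet
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers for the methods named on the slide
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}
RADIUS_ATTR_EAP_MESSAGE = 79


def parse_eap(buf):
    """EAP packet (RFC 3748 section 4): Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("EAP Length field inconsistent with buffer")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                 # only Request/Response carry a Type
        if length < 5:
            raise ValueError("EAP Request/Response without Type")
        pkt["type"] = EAP_TYPES.get(buf[4], buf[4])
        pkt["data"] = bytes(buf[5:length])
    return pkt


def parse_eapol_frame(frame):
    """Ethernet header | 802.1x (EAPOL) header | EAP payload, as drawn on the slide."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    eap = parse_eap(body) if ptype == EAPOL_TYPE_EAP_PACKET else None
    return {"eapol_version": version, "eapol_type": ptype, "eap": eap}


def eap_from_radius(datagram):
    """IP | UDP | RADIUS | EAP payload: pull the EAP packet out of the RADIUS
    EAP-Message attribute(s). RADIUS: Code(1) Identifier(1) Length(2)
    Authenticator(16), then Type/Length/Value attributes."""
    if len(datagram) < 20:
        raise ValueError("RADIUS header truncated")
    _code, _ident, length = struct.unpack("!BBH", datagram[:4])
    if length != len(datagram):
        raise ValueError("RADIUS Length mismatch")
    pos, chunks = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("RADIUS attribute header truncated")
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("RADIUS attribute length invalid")
        if atype == RADIUS_ATTR_EAP_MESSAGE:   # large EAP packets span several attributes
            chunks.append(datagram[pos + 2:pos + alen])
        pos += alen
    if not chunks:
        raise ValueError("no EAP-Message attribute in RADIUS packet")
    return parse_eap(b"".join(chunks))


# --- builders used to construct the sample packets ---------------------------
def build_eap(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol_frame(eap, src_mac="001122334455"):
    # destination is the 802.1x PAE group address 01-80-C2-00-00-03
    eth = bytes.fromhex("0180c2000003") + bytes.fromhex(src_mac) + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def build_radius_access_request(eap, ident=7):
    # Authenticator zeroed for the example; a real Access-Request uses 16 random bytes
    attr = bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", 1, ident, 20 + len(attr)) + b"\x00" * 16 + attr
```

Wrapping the same EAP-Response/Identity once in EAPOL and once in RADIUS and parsing both back yields an identical EAP dictionary, which is the slide's point: the authenticator (switch or AP) only changes the outer headers and never needs to understand the EAP method inside.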
IEEE 802.1x
- Standard set by the IEEE 802.1 working group.
- A framework designed to address and provide port-based access control using authentication.
- Primarily, 802.1x is an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol.
- Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point). Assumes a secure connection.
- Actual enforcement is via MAC-based filtering and port-state monitoring.
NAC Assessment Methods
(Diagram: NAC L3 IP at the WAN, Internet and remote-access edges; NAC L2 IP and NAC L2 802.1x at the LAN and wireless access layer.)
Methods to perform a posture assessment:
- In-band: obtain application state via CTA (an agent), and assess it in the policy system.
- Out-of-band: dynamic assessment (audit) of the endpoint, mainly for "agentless" endpoints.
- Exceptions: create static exception handling for known assets (MAC, IP, port).
NAC assessment methods:
- NAC L3 IP: at a layer 3 hop via IP, such as the perimeter, WAN, or distribution layer.
- NAC L2 IP: at a layer 2 switch port via IP, independent of 802.1x.
- NAC L2 802.1x: via 802.1x at an L2 connection point (switch port or wireless AP).
Agentless assessment is useful for dynamic asset identification and risk:
- Called NAC Agentless Host, "non-responsive audit", or out-of-band assessment.
- Most agentless technologies require IP connectivity to the endpoint (scanning, login, or web download); others tie into inventory database systems.
NAC L3 IP: Assess Posture (Only) at the Perimeter using EAPoUDP
(Diagram: host with security app and CTA; Network Access Device; EAPoUDP between host and NAD; RADIUS to AAA; HCAP to the Policy Validation Server; GAME to the Non-responsive Audit Server.)
Use case scenarios:
- L3 perimeter: WAN edge, extranet, VPN/remote access.
- Interior network segmentation: non-production/lab networks, interdepartment, distribution layer, data center access.
- Remote access: IPsec and dial-in remote access aggregation ingress.
Trigger: IP packets forwarded from a new source IP address.
Enforcement: ACLs (L3/4 controls) and URL redirection (provides NAH feedback).
May be used serially for user and device validation (e.g. IPsec, auth-proxy).
NAC L2 IP: Assess Posture (Only) at the Access Layer using EAPoUDP
(Diagram: same components as NAC L3 IP, with the Network Access Device at the access layer.)
Use case scenario: assess posture at the LAN access layer.
Trigger: Layer 3, via DHCP and ARP requests from new sources.
Enforcement: static VLAN assignment; ACLs (L3/4 controls) and URL redirection (provides NAH feedback). There are different ACL technologies (Port ACLs, VLAN ACLs, Policy-Based ACLs).
Can be performed after 802.1x authentication (totally independent): the Microsoft 802.1x supplicant use case (until it supports NAC).
NAC L2 802.1x: Identity and Posture Assessment
(Diagram: host with security app, posture plug-in and CTA; Network Access Device; EAPo802.1x between host and NAD; RADIUS to AAA; HCAP to the Policy Validation Server.)
Use cases: the LAN access layer, upon wired or wireless link.
Trigger: L2 link up, via the 802.1x protocol.
Enforcement: static VLAN assignment or ACLs (L3/4: Port ACLs, VLAN ACLs, Policy-Based ACLs and URL redirection).
Posture assessment is triggered and performed at L2 in 802.1x. May use user and/or device authentication with 802.1x. EAP-FAST is required for identity + posture assessment.
NAC Method Comparison

Feature                           NAC-L2-802.1x   NAC-L2-IP                 NAC-L3-IP
Trigger mechanism                 Data Link Up    DHCP or ARP               Forward Packet
Machine Identity                  √               -                         -
User Identity                     √               -                         -
Posture                           √               √                         √
VLAN assignment                   √               -                         -
URL-Redirection                   -               √                         √
Downloadable ACLs                 -               √ (6500-only, PBACLs)     √
Posture Status Queries            -               √                         √
Reauthentication / Revalidation   √               √                         √
Device                            Switch or AP    Switch                    Router
EAP over                          802.1x          UDP                       UDP
802.1x Extensions

Feature                            Use Case
802.1x Guest VLAN                  No supplicant; guests, unmanaged devices, old OSes
802.1x Auth-Fail VLAN              Guests, temporary access
802.1x VVID                        IP phones
802.1x Inaccessible Auth Bypass    AAA server down: minimum access, disaster recovery
802.1x Wake-on-LAN                 WoL compatibility (not PXE)
MAC-Auth-Bypass (MAB)              No supplicant; appliances
Web-Auth Proxy                     No supplicant, with identity; guest or user
NAC / NAP
NAC and Microsoft NAP Integration
(Diagram: client with partner System Health Agents (SHAs), NAP Agent (QA), EAPHost and QEC, speaking EAPoUDP or EAP-FAST over 802.1x or UDP; NADs (switches, routers); RADIUS to Cisco ACS; HCAP to MS NPS; partner policy server; HCEP to the Health Registration Authority (HRA).)
- No NAC NAD enhancements required.
- Client components are part of the Vista O/S.
- NAC/NAP interoperability ensures investment protection and future proofing.
- CCA Agent will support the Vista platform.
- CTA will not be supported on Vista/Longhorn server: use the native OS supplicant.
- Microsoft to distribute Cisco client NAC interoperability plug-in components via Windows Update/WSUS, simplifying client installation.
- Supports heterogeneous CTA/Quarantine Agent environments.
Q & A
Pascal Delprat, pdelprat@cisco.com
Find Cisco news every month in CiscoMag, the Cisco France newsletter. Subscribe: www.cisco.fr/go/ciscomag
Seminar "The Campus Network: solutions", Thursday 24 May 2007, morning, at the Institut Océanographique, Paris.