Network admission control software configuration guide

NAC is part of the Cisco Self-Defending Network Initiative that helps you identify, prevent, and adapt to security threats in your network. Because of the increased threat and impact of worms and viruses to networked businesses, NAC allows you to check and validate the antivirus status of endpoints or clients before granting network access. NAC provides posture validation for routed traffic on Catalyst series switches. Posture validation reduces the exposure of a virus to the network.

This feature allows network access based on the antivirus credentials of the network device that is requesting network access. These credentials may be antivirus software, a virus definitions file, or a particular virus scan engine version.

Based on the antivirus credentials of the host, the requesting device is allowed access to the network or is restricted from network access. If the client host fails the credential validation, then partial access to the network can be allowed by using the remediation feature. The remediation process redirects HTTP traffic from the client host to a web page URL that provides access to the latest antivirus files.

The URL used by the remediation process resolves to a remediation server address defined as a part of the network access policy. The remediation server is where the latest antivirus files are located. These antivirus files can be downloaded or upgraded from this location. The devices in the network have specific roles when you use NAC, as shown in the figure Posture Validation Devices.

The following devices that support NAC on the network perform these roles:

The host, which is running the Cisco Trust Agent software, requests access to the LAN and switch services and responds to requests from the switch. This endpoint system is a potential source of virus infections, and its antivirus status needs to be validated before the host is granted network access. The Cisco Trust Agent software is also referred to as the posture agent or the antivirus client.

The switch relays Extensible Authentication Protocol (EAP) messages between the endpoints and the authentication server. The authentication server validates the antivirus status of the client, determines the access policy, and notifies the switch whether the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the EAP message exchange between the host and the authentication server is transparent to the switch. The authentication server is also referred to as the posture server.

The AAA down policy is a method of allowing a host to remain connected to the network if the AAA server is not available. If the AAA server cannot be reached when the posture validation occurs, instead of rejecting the user (that is, not providing access to the network), an administrator can configure a default AAA down policy that is applied to the host.

This policy is advantageous because, typically, during revalidation when the AAA server goes down, the policies already being used for the host are retained.

The device (host or client) can be a PC, a workstation, or a server that is connected to the switch access port through a direct connection, an IP phone, or a wireless access point, as shown in the figure. The switch checks the antivirus status of the endpoint devices or clients and enforces access control policies. Posture validation initiated by DHCP snooping takes precedence over posture validation initiated by ARP snooping.

When posture validation is initiated, the switch creates an entry in the session table to track the posture validation status of the host and follows this process to determine the NAC policy:

If the host is in the exception list, the switch applies the user-configured NAC policy to the host.

If EoU bypass is enabled, the switch sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host. If no response is received from the host after the specified number of attempts, the switch classifies the host as clientless, and the host is considered to be a nonresponsive host.

The switch sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host. An exception list has local profile and policy configurations.

Use the identity profile to statically authorize or validate devices based on the IP address, MAC address, or device type. An identity profile is associated with a local policy that specifies the access control attributes. You can bypass posture validation of specific hosts by specifying those hosts in an exception list and applying a user-configured policy to the hosts. After the entry is added to the EAPoUDP session table, the switch compares the host information to the exception list.

If the host is in the exception list, the switch applies the configured NAC policy to the host. The switch can use the EoU bypass feature to speed up posture validation of hosts that are not using the Cisco Trust Agent. If EoU bypass is enabled, the switch does not contact the host to request the antivirus condition. If EoU bypass is enabled and the host is nonresponsive, the switch sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host.

If EoU bypass is enabled and the host uses Cisco Trust Agent, the switch also sends a nonresponsive-host request to the Cisco Secure ACS and applies the access policy from the server to the host. While posture validation occurs, the switch enforces the default access policy. If no response is received from the host after the specified number of attempts, the switch classifies the host as nonresponsive.

After the ACS validates the credentials, the authentication server returns an Access-Accept message with the posture token and the policy attributes to the switch. The switch updates the EAPoUDP session table and enforces the access limitations, which segments and quarantines poorly postured clients or denies them network access.
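The policy-determination order described above (exception list, AAA down fallback, EoU bypass, EAPoUDP retries, nonresponsive-host request), as an added Python model. This is illustrative code, not Cisco's; the class names, the policy labels and the sample hosts are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_POLICY = "default-interface-acl"  # enforced while validation is in progress


@dataclass
class Host:
    ip: str
    mac: str
    # EAPoUDP attempt on which the Cisco Trust Agent answers; None = no agent
    cta_answers_on: Optional[int] = None
    posture_token: str = "Unknown"  # token ACS would derive from the credentials


@dataclass
class Acs:
    """Stand-in for Cisco Secure ACS (constructed for this example)."""
    reachable: bool = True
    nonresponsive_policy: str = "nonresponsive-host-acl"
    token_policies: Dict[str, str] = field(default_factory=lambda: {
        "Healthy": "permit-all-acl",
        "Quarantine": "quarantine-acl",
    })

    def validate(self, host: Host) -> str:
        # Access-Accept carries the posture token and the policy attributes
        return self.token_policies.get(host.posture_token, "deny-all-acl")


@dataclass
class SwitchConfig:
    exception_list: Dict[str, str] = field(default_factory=dict)  # ip/mac -> local policy
    eou_bypass: bool = False
    max_retry: int = 3
    aaa_down_policy: Optional[str] = None


@dataclass
class Decision:
    policy: str
    reason: str
    classified_nonresponsive: bool = False


def decide_policy(host: Host, cfg: SwitchConfig, acs: Acs,
                  retained_policy: Optional[str] = None) -> Decision:
    """Return the policy the switch enforces for one host, following the
    order given in the guide. `retained_policy` is the policy already in
    use when this is a revalidation."""
    # 1. Exception list (identity profile): local policy, no posture validation.
    for key in (host.ip, host.mac):
        if key in cfg.exception_list:
            return Decision(cfg.exception_list[key], "exception list")

    # 2. AAA server unreachable: keep the current policy during revalidation,
    #    otherwise fall back to the configured AAA down policy.
    if not acs.reachable:
        if retained_policy is not None:
            return Decision(retained_policy, "aaa down, policy retained")
        return Decision(cfg.aaa_down_policy or DEFAULT_POLICY, "aaa down policy")

    # 3. EoU bypass: the host is never asked; ACS gets a nonresponsive-host
    #    request whether or not the Cisco Trust Agent is installed.
    if cfg.eou_bypass:
        return Decision(acs.nonresponsive_policy, "eou bypass", True)

    # 4. EAPoUDP exchange, up to max_retry attempts to reach the posture agent.
    for attempt in range(1, cfg.max_retry + 1):
        if host.cta_answers_on is not None and attempt >= host.cta_answers_on:
            return Decision(acs.validate(host),
                            f"posture validated on attempt {attempt}")

    # 5. No answer after the configured attempts: classify as nonresponsive.
    return Decision(acs.nonresponsive_policy, "nonresponsive after retries", True)


if __name__ == "__main__":
    cfg = SwitchConfig(exception_list={"10.1.1.100": "printer-acl"})
    for h in (Host("10.1.1.100", "00aa.bb00.0100"),
              Host("10.1.1.5", "00aa.bb00.0005", 2, "Healthy"),
              Host("10.1.1.7", "00aa.bb00.0007")):
        print(h.ip, decide_policy(h, cfg, Acs()))
```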

There are two types of policies that apply to ports during posture validation:

Deny ACEs in the URL-redirect ACL (typically used so that HTTP traffic destined to the remediation servers is not redirected) cause matching traffic to be forwarded in hardware without applying the default interface policy or the downloaded host policies.

Note: If a DHCP snooping binding entry for a client is deleted, the switch removes the client entry in the session table, and the client is no longer authenticated.

Cisco Secure ACS gets information about the antivirus status of the endpoint system and validates the antivirus condition of the endpoint. The downloadable ACL is referenced by name in the form ACL-IP-name-number. When the downloadable ACL is applied to an interface after posture validation is complete, the source address is changed from any to the host source IP address.

The ACEs are prepended to the downloadable ACL applied to the switch interface to which the endpoint device is connected. The switches use these cisco-av-pair VSAs as follows:

These AV pairs enable the switch to intercept an HTTP or HTTPS request from the endpoint device and forward the client web browser to the specified redirect address from which the latest antivirus files can be downloaded. The ACL must be defined on the switch. Traffic that matches a permit entry in the redirect ACL will be redirected.
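The URL-redirect and downloadable-ACL handling described above, as an added Python model (not Cisco code): permit entries in the redirect ACL redirect HTTP/HTTPS requests, deny entries are forwarded in hardware past the interface and host policies, the downloaded ACL's source is rewritten from any to the host address, and unmatched traffic falls through to the default ACL (permitted if none is configured). The ACE layout, the function names, the redirect URL and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    src: str                  # "any", "host A.B.C.D" or a CIDR prefix
    dst: str
    dport: Optional[int] = None   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)


def first_match(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    """ACLs are evaluated top down; the first matching ACE decides."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace
    return None


def download_acl(acs_acl: List[Ace], host_ip: str) -> List[Ace]:
    """ACS sends ACEs with source 'any'; when the ACL is applied to the port
    after validation the switch rewrites the source to the host's address."""
    return [Ace(a.action, a.proto,
                f"host {host_ip}" if a.src == "any" else a.src,
                a.dst, a.dport) for a in acs_acl]


def forward(pkt: Packet, redirect_acl: List[Ace], host_acl: List[Ace],
            default_acl: List[Ace], redirect_url: str) -> str:
    """Decide what the switch does with one packet from a postured host."""
    hit = first_match(redirect_acl, pkt) if redirect_acl else None
    if hit is not None:
        # permit entries redirect the browser (HTTP/HTTPS) to the remediation URL
        if hit.action == "permit" and pkt.proto == "tcp" and pkt.dport in (80, 443):
            return f"redirect to {redirect_url}"
        # deny entries (e.g. traffic to the remediation server itself) are
        # forwarded in hardware, skipping the default interface and host policies
        if hit.action == "deny":
            return "forward (hardware, bypass policies)"
    if host_acl:
        hit = first_match(host_acl, pkt)
        if hit is not None:
            return "forward" if hit.action == "permit" else "drop"
    if default_acl:
        hit = first_match(default_acl, pkt)   # implicit deny at the end
        return "forward" if hit is not None and hit.action == "permit" else "drop"
    return "forward"   # no default ACL configured: traffic is permitted


if __name__ == "__main__":
    rd = [Ace("deny", "tcp", "any", "host 192.0.2.10", 80),
          Ace("permit", "tcp", "any", "any", 80)]
    hp = download_acl([Ace("permit", "udp", "any", "host 192.0.2.53", 53)], "10.1.1.5")
    dflt = [Ace("deny", "ip", "any", "any")]
    for p in (Packet("tcp", "10.1.1.5", "192.0.2.10", 80),
              Packet("tcp", "10.1.1.5", "198.51.100.7", 80),
              Packet("udp", "10.1.1.5", "192.0.2.53", 53),
              Packet("tcp", "10.1.1.5", "198.51.100.7", 22)):
        print(p, "->", forward(p, rd, hp, dflt, "http://192.0.2.10/remediation"))
```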

These AV pairs may be sent if the host's posture is not healthy. Hosts that are not running the Cisco Trust Agent are described as agentless or nonresponsive. The NAC architecture has been extended to incorporate audit servers.

An audit server is a third-party server that can probe, scan, and determine the security compliance of a host without requiring the Cisco Trust Agent to be present on the host. The result of the audit server examination can influence the access servers to make host-specific network access policy decisions instead of enforcing a common restrictive policy for all nonresponsive hosts. You can build more robust host audit and examination functionality by integrating any third-party audit operations into the NAC architecture.

The figure shows how audit servers fit into the typical topology. The architecture assumes that the audit server can be reached so that the host can communicate with it.

Explanation: This message means that the system memory is not sufficient to perform the specified operation.
Recommended Action: Reduce other system activity to ease memory demands.

You can also allocate more memory resources.

If the ACL is not configured or does not specify the traffic to be redirected, the switch does not redirect requests from the hosts.

Explanation: This message means that the number of entries in the authentication proxy posture cache that are in the INIT state exceeds the limit. This happens when the switch has an authentication proxy configured for posture validation and receives requests from a large number of hosts with unique source IP addresses. This could be a denial-of-service attack. When the number of entries in the posture cache drops below the maximum, new cache entries can be created.

Recommended Action: No action is required.

Explanation: This message means that the switch sent a request to the authentication, authorization, and accounting (AAA) server to get the specified ACL.
Recommended Action: No action is required.

Explanation: This message means that the specified policy is enforced or removed for the specified host. The first and second [chars] are the actions that the switch takes to enforce or remove the policy, and the third [chars] is the ACL or redirect URL.

Explanation: This message means that the switch created an entry for the host in the authentication proxy posture cache and initiated the posture validation process.

Explanation: This message means that the posture validation state of the specified host in the authentication proxy posture validation cache changed.

Note: The supported Catalyst switches, as well as the Catalyst router, support all the messages in this section.

Recommended Action: Reload the device.

Recommended Action: If this message recurs, reload the device.

Explanation: This message means that the specified process stopped. The first [chars] is the process, and the second [chars] is the action taken on the process.

Explanation: This message means that the switch could not bind the port to a valid IP address.

Recommended Action: Configure a valid IP address on the switch port.

Recommended Action: Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the error by using the Output Interpreter. Use the Bug Toolkit to look for similar reported problems. If you still require assistance, open a case with the TAC, or contact your Cisco technical support representative, and provide the representative with the gathered information.

Explanation: This message means that the switch could not start posture validation for the specified host.

Explanation: This message means that the switch received an EAP-failure response from the authentication, authorization, and accounting (AAA) server, indicating that the host antivirus condition could not be validated.

Explanation: This message means that the authentication status for the specified host is Success or Failure.

Explanation: This message means that the authentication type for the specified host is [chars].

Explanation: This message means that the CTA was detected for the specified host. If the specified policy is enforced, the posture of the host is not validated.

Explanation: This message means that the switch received an access policy from the AAA server to enforce against the specified host.

Explanation: This message means that the posture validation status for the specified host changed.

Explanation: This message means that an entry was created or deleted for the host on the specified interface.

Explanation: This message means that the result of the status query for the specified host failed or is invalid.

Enter configuration commands, one per line.
Switch(config)# ip admission name nac eapoudp
Switch(config)# access-list 5 permit any
Switch(config-if)# ip access-group 5 in
Switch(config-if)# ip admission name nac
Switch(config)# aaa authentication eou default group radius
Switch(config)# ip device tracking probe count 2
Switch(config)# radius-server host admin key rad
Switch(config)# radius-server vsa send authentication

Switch# show ip admission configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Watch-list is disabled

Switch# show ip device tracking all
Switch(config)# eou logging
Switch(config)# eou allow clientless
Switch(config)# eou timeout revalidation
Switch(config)# eou revalidate
Switch(config-if)# eou timeout status-query
Switch(config-if)# end
Switch# show eou
Switch(config)# identity policy policy1

Switch(config-identity-policy)# access-group group1
Switch(config)# identity profile eapoudp
Switch(config-identity-prof)# device authorize ip address
Switch# show identity policy
Switch# show identity profile
Switch(config)# ip device tracking
Switch(config)# ip device tracking probe count 3
Switch(config)# ip device tracking probe interval
Switch(config)# end
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 8
Switch# show ip dhcp snooping
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled

Switch# show ip dhcp snooping binding
Switch(config)# arp access-list arp-list
Switch(config-arp-nacl)# deny ip host
Switch(config-arp-nacl)# permit ip
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection vlan
Switch(config)# ip arp inspection filter arp-acl vlan
Switch# show ip arp inspection vlan
Switch# show ip arp inspection statistics
Switch(config)# ip arp inspection vlan 8

Switch# show ip arp inspection vlan 8
Switch# show ip arp inspection statistics vlan 8
Switch(config)# aaa new-model
Switch(config)# aaa authorization network default local
Switch(config-identity-policy)# ac
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# radius-server host
Switch(config)# radius-server dead-criteria tries 3
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config-if)# exit
Switch# show aaa servers

State: current UP, duration s, previous duration 9s
Response: unexpected 1, server error 0, incorrect 0, time ms
Response: unexpected 0, server error 0, incorrect 0, time 0ms

Switch# show eou all
Switch# show eou ip
Switch(config)# aaa authorization auth-proxy default group radius
Switch(config)# identity policy policy
Switch(config-identity-policy)# description Admin policy for the engineering group
Switch(config-identity-prof)# device authorize mac-address
Switch(config)# eou max-retry 2
Switch(config-if)# eou max-retry 1

Switch(config)# eou ratelimit
Switch(config-if)# eou default
Switch(config-if)# eou revalidate
Switch(config)# eou timeout retransmit
Switch(config-if)# eou timeout revalidation
Switch(config)# ip admission name rule11 eapoudp
Switch(config)# ip admission name rule11 eapoudp bypass list
Switch(config)# ip admission name rule11 eapoudp bypass auth-cache-time
Switch(config)# ip admission name rule11 eapoudp bypass

Switch(config)# ip device tracking probe count 4
Switch(config)# mls rate-limit layer2 ip-admission
Switch(config-identity-policy)# redirect tftp

The range is from 10 to … If this keyword is not set, the burst value is set to …

Table 4: show eou Field Descriptions

Defines the default port ACL by using a source address and wildcard.

Enables the IP device tracking table.

Displays the NAC configuration or network admission cache entries.

The antivirus state includes information such as the version of the antivirus software, the virus definitions, and the version of the scan engine. Network admission control systems allow noncompliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources, thus keeping insecure nodes from infecting the network. The key component of the Cisco Network Admission Control program is the Cisco Trust Agent, which resides on an endpoint system and communicates with Cisco routers on the network.

The Cisco Trust Agent collects security state information, such as what antivirus software is being used, and communicates this information to Cisco routers.

The ACS directs the Cisco router to perform enforcement against the endpoint. Before configuring the Network Admission Control feature, the following concepts need to be understood:

Virus infections are the single largest cause of serious security breaches for networks and often result in huge financial losses.

Sources of virus infections are insecure endpoints (for example, PCs, laptops, and servers). Although the endpoints may have antivirus software installed, the software is often disabled. Even if the software is enabled, the endpoints may not have the latest virus definitions and scan engines.

A larger security risk is from devices that do not have any antivirus software installed. Although antivirus vendors today are making it more difficult to disable the antivirus software, they are not addressing the risk of outdated virus definitions and scan engines. Endpoint systems, or clients, are normally hosts on the network, such as PCs, laptops, workstations, and servers.

The endpoint systems are a potential source of virus infections, and their antivirus states have to be validated before they are granted network access. When an endpoint attempts an IP connection to a network through an upstream Cisco network access device (typically a Cisco IOS router), the router challenges the endpoint for its antivirus state.

The endpoint systems run a client called Cisco Trust Agent, which collects antivirus state information from the end device and transports the information to the Cisco network access device. This information is then communicated to a Cisco Secure ACS where the antivirus state of the endpoint is validated and access control decisions are made and returned to Cisco network access devices.

The network devices either permit, deny, or quarantine the end device. The Cisco Secure ACS may in turn use back-end antivirus vendor-specific servers for evaluating the antivirus state of the endpoint. All network devices must be validated for their antivirus states upon their initial IP connections through the router. The endpoint system gains access to the network if it complies with the network admission control policy as evaluated by the Cisco Secure ACS.

If the endpoint system does not comply, the device is either denied access or quarantined. Cisco Network Admission Control functionality may have an Intercept ACL, which determines the connections that are intercepted for network admission. Connections from endpoints that match the access list are intercepted by Network Admission Control and are challenged for their antivirus states over a Layer 3 association before they are granted network access. Cisco Trust Agent is specialized software that runs on endpoint systems.

Cisco Trust Agent responds to challenges from the router about the antivirus state of an endpoint system. If an endpoint system is not running the Cisco Trust Agent, the network access device (router) classifies the endpoint system as "clientless." The policy attributes that are associated with this username are enforced against the endpoint system.

Cisco Secure ACS returns access control decisions to the network access device on the basis of the antivirus credentials of the endpoint system. These AV pairs are sent to the network access device along with other access-control attributes. This support mechanism redirects all HTTP requests from a source to a specified web page URL to which the latest antivirus files can be downloaded.

It is possible that network admission control and authentication proxy can be configured for the same set of hosts on a given interface.

IP admission proxy with proxy authentication should be configured first, followed by IP admission control. These properties can be viewed and modified by performing various SNMP get and set operations. Many of the values of the table objects can also be viewed or modified by configuring the corresponding command-line interface (CLI) commands on a router.

The parameter information obtained from the SNMP get operation is the same as the output from the show eou command. Similarly, performing an SNMP get operation on the table cnnEouIfConfigTable provides interface-specific parameters that can also be viewed in output from the show eou command.

SNMP set operations are allowed for table objects that have corresponding CLI commands, which can be used to modify table object values. The initialization and revalidation actions can also be accomplished by performing SNMP set operations on the objects of the cnnEouHostValidateAction table. The cnnEouHostQueryTable is used to build the query. The results of the query are stored as a row in the cnnEouHostResultTable.

Network admission control is applied in the inbound direction at any interface. Applying network admission control inbound at an interface causes network admission control to intercept the initial IP connections of the intercept end system through the router.

Do one of the following:

Create IP network admission control rules. The rules define how you apply admission control. You can associate the named rule with an ACL, providing control over which hosts use the admission control feature. If no standard access list is defined, the named admission rule intercepts IP traffic from all hosts whose connection-initiating packets are received at the configured interface.

The list option allows you to apply a standard, extended, or named access list to a named admission control rule. IP connections that are initiated by hosts in the access list are intercepted by the admission control feature.

To configure an EAPoUDP association that can be changed or customized for a specific interface that is associated with network admission control, perform the following steps.

Identity is a common infrastructure that is used to specify local profile and policy configurations.

The identity profile allows you to statically authorize or validate individual devices on the basis of IP address, MAC address, or device type. Each statically authenticated device can be associated with a local policy that specifies the network access control attributes. Hosts are added to this "exception list" using the identity profile command, and corresponding policies are associated with these hosts using the identity policy command.

If the client is part of the identity (that is, the client is on the exception list), the status of the client is set on the basis of the identity configuration.
When a host (endpoint device) gains network access through a NAD configured for posture validation, the network access device eventually requests from the AAA server (Cisco Secure ACS) an access policy to be enforced for the host.

The AAA server can be configured to trigger a scan of the host with an external audit server. The audit server scan occurs asynchronously and can take several seconds to complete. While the audit server scan runs, the AAA server conveys a minimal restrictive security policy to the NAD for enforcement, along with a short poll timer (session-timeout). After the AAA server receives the audit result, it computes an access policy based on that result and sends it to the NAD for enforcement on the NAD's next request.

If the default ACL is configured on the switch and the Cisco Secure ACS sends a host access policy to the switch, the switch applies the policy to traffic from the host connected to a Layer 2 port.

If the policy applies to the traffic, the switch forwards the traffic. If the policy does not apply, the switch applies the default ACL. If there is no default ACL configured, the traffic is permitted. The hold timer prevents a new EAPoUDP session from immediately starting after the previous attempt to validate the session fails. If the switch or authentication server continuously receives invalid messages, a malicious user might be trying to cause a denial-of-service attack.

The idle timer controls how long the switch waits for an ARP packet from the postured host or a refreshed entry in the IP device tracking table to verify that the host is still connected.

The idle timer works with a list of known hosts to track hosts that have initiated posture validation and the IP device tracking table. The idle timer is reset when the switch receives an ARP packet or when an entry in the IP device tracking table is refreshed. The default value of the idle timer is calculated as the probe interval times the number of probe retries.

The default idle timer is 90 seconds, which is the default probe interval of 30 seconds times the default of 3 probe retries. The switch maintains a list of known hosts to track hosts that have initiated posture validation. When the switch receives an ARP packet, it resets the aging timers for the list and the idle timer. If the aging time of the list expires, the switch sends an ARP probe to verify that the host is present. If the host is present, it sends a response to the switch.

The switch updates the entry in the list of known hosts. The switch then resets the aging timers for the list and the idle timer. If the switch receives no response, the switch ends the session with the Cisco Secure ACS, and the host is no longer validated. The switch uses the IP device tracking table to detect and manage hosts connected to the switch. By default, the IP device tracking feature is disabled on a switch.

When IP device tracking is enabled and a host is detected, the switch adds an entry for the host to the IP device tracking table. For the IP device tracking table, you can configure the number of times that the switch sends ARP probes for an entry before removing the entry from the table, and the number of seconds that the switch waits before resending an ARP probe.

If the switch uses the default settings of the IP device tracking table, the switch sends ARP probes every 30 seconds for all the entries. When the host responds to the probe, the host state is refreshed and remains active. If the switch does not get a response, it can send up to three additional ARP probes at the configured probe interval. After the maximum number of ARP probes has been sent, the switch removes the host entry from the table. Using IP device tracking ensures that hosts are detected in a timely manner, despite the limitations of using DHCP.

If a link goes down, the IP device tracking entries associated with the interface are not removed, and the state of entries is changed to inactive. The switch does not limit the number of active entries in the IP device tracking table but limits the number of inactive entries. When the table reaches the table size limit, the switch removes the inactive entries.
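The IP device tracking and idle-timer behaviour described above (periodic ARP probes, a retry count after which the entry and its EoU session are dropped, a 90-second default idle timer derived from 30 seconds times 3, and entries marked inactive rather than removed on link down), as an added Python simulation. It is not Cisco code; the class names, the event model, the inactive-entry limit and the sample hosts are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

PROBE_INTERVAL = 30   # default seconds between ARP probes
PROBE_COUNT = 3       # default unanswered probes before the entry is removed


@dataclass
class Entry:
    ip: str
    mac: str
    interface: str
    state: str = "ACTIVE"       # ACTIVE or INACTIVE
    last_seen: int = 0          # time of the last ARP / refresh or last probe
    probes_unanswered: int = 0


class DeviceTracking:
    """Simplified IP device tracking table tied to EoU sessions."""

    def __init__(self, probe_interval: int = PROBE_INTERVAL,
                 probe_count: int = PROBE_COUNT, max_inactive: int = 2):
        self.probe_interval = probe_interval
        self.probe_count = probe_count
        self.max_inactive = max_inactive   # only inactive entries are limited
        self.table: Dict[str, Entry] = {}
        self.eou_sessions: Dict[str, str] = {}   # ip -> "validated" / "ended"
        self.log: List[str] = []

    @property
    def idle_timer(self) -> int:
        # default idle timer = probe interval x probe retries (30 x 3 = 90 s)
        return self.probe_interval * self.probe_count

    def host_detected(self, ip: str, mac: str, interface: str, now: int) -> None:
        self.table[ip] = Entry(ip, mac, interface, last_seen=now)
        self.eou_sessions[ip] = "validated"

    def arp_received(self, ip: str, now: int) -> None:
        """An ARP packet from the host resets the idle timer and aging counters."""
        e = self.table.get(ip)
        if e is not None:
            e.last_seen, e.probes_unanswered, e.state = now, 0, "ACTIVE"

    def link_down(self, interface: str) -> None:
        """Entries on a down link are kept but marked INACTIVE."""
        for e in self.table.values():
            if e.interface == interface:
                e.state = "INACTIVE"
        self._enforce_inactive_limit()

    def _enforce_inactive_limit(self) -> None:
        inactive = sorted((e for e in self.table.values() if e.state == "INACTIVE"),
                          key=lambda e: e.last_seen)
        while len(inactive) > self.max_inactive:   # oldest inactive entries go first
            victim = inactive.pop(0)
            del self.table[victim.ip]
            self.log.append(f"table limit reached, removed inactive {victim.ip}")

    def tick(self, now: int, responders: Set[str]) -> None:
        """Run the probe logic at time `now`; hosts in `responders` answer ARP."""
        for ip, e in list(self.table.items()):
            if e.state != "ACTIVE" or now - e.last_seen < self.probe_interval:
                continue
            if ip in responders:
                self.arp_received(ip, now)
                continue
            e.probes_unanswered += 1
            e.last_seen = now          # next probe one interval later
            self.log.append(f"{now}s probe {e.probes_unanswered} to {ip} unanswered")
            if e.probes_unanswered >= self.probe_count:
                del self.table[ip]
                self.eou_sessions[ip] = "ended"   # host is no longer validated
                self.log.append(f"{now}s removed {ip}, EoU session ended")


if __name__ == "__main__":
    dt = DeviceTracking()
    dt.host_detected("10.1.1.5", "00aa.bb00.0005", "Gi1/0/1", 0)
    for t in (30, 60, 90, 120):
        dt.tick(t, set())          # host never answers after detection
    print("\n".join(dt.log), "\nidle timer:", dt.idle_timer, "s")
```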
