Gain the real-world skills and knowledge you need to deploy and successfully maintain Cisco NAC Appliances in this course. You won't find another NAC course with this level of exclusive and enhanced content.
We took Cisco's standard course material, built on the version 4.0 software, and completely re-wrote and re-organized it. We updated it to use version 4.8 software, and we added coverage of Cisco Profiler.
We expanded our exclusive labs, adding more content and taking the standard course from just three days to a content-packed five days. You'll train for four days on the NAC Appliance, followed by a full day on the Cisco Profiler.
Enhancements you'll find only in our course include:
•Updated Student Guide material, with NAC version 4.8 screen shots and content
•Feature-enhancement discussions, including out-of-band (OOB) logoff, Passive Re-Assessment, and external authentication for management sessions
•Log data and configuration file locations on CLI
•Real-world ASA SSL VPN scenarios
•Detailed certificate discussions surrounding HA and using a Microsoft CA
•NAC Appliance Agent (NAA) version 4.8
•Client configuration file using XML without the older registry settings
•NAC Profiler discussion providing an overview and covering setup and HA
You'll receive five extra security e-lab credits (good for 30 days) to review a topic after class, refine your skills, or get in extra practice-whatever lab activities complete your training.
What You'll Learn
•Given client network security requirements, how a NAC Appliance deployment scenario will meet or exceed those expectations
•Configure the common elements of a NAC Appliance solution
•Configure Active Directory Single Sign-On (AD SSO)
•Configure VPN Single Sign-On using an ASA with the standard IPSec client and the AnyConnect 3.0 client (SSL)
•Configure the NAC Appliance in-band and OOB implementation options
•Implement the NAM and NAS High Availability to protect against downtime
•Configure Network Scanning to audit clients and clientless hosts
•Configure compliance checking using manual and automated settings in version 4.8 of code
•Learn the elements of code signing applications needed for remediation
•Create custom web page portals based on the location of clients
•Allow Active Directory (AD) LDAP Authorization to map AD groups to NAC Appliance Roles
•Walk through and configure three different network topologies: in-band, VPN in-band, and OOB
•See for yourself the privilege rights needed for installing the Cisco NAA customizing client XML settings
•Learn to monitor, maintain, and troubleshoot a NAC solution
•NAC Profiler overview, design, and deployment
Course Outline
Cisco NAC Appliance Solution (NAS)
1. Cisco Self-Defending Networks
•Changing Security Landscape
•Cisco Host-Protection Strategy
•Cisco SDN Initiative
•Trust and Identity
•Cisco NAC Products
2. Cisco NAC Appliance
•Cisco NAC Appliance Solution
•Features and Components
•Compliance Scenarios
•Deployment Options
•Configuration Overview
•User Interface
3. Cisco NAC Appliance Deployment Options
•Out-of-Band (OOB) Deployment
•In-Band Deployment
•Deployment Options Comparison
•NAS Operating Modes
•Virtual vs. Real-IP Gateways
•Layer 2 vs. Layer 3
NAC Appliance Implementation
4. Configure User Roles
•What a User Role Is
•Create User Roles
•Define and Configure Traffic Policies for User Roles
•Create Local User Accounts
5. Implement Cisco NAC Appliance In-Band Deployment
•In-Band Process Flow
•In-Band Deployment Configurations
•Configure the Cisco NAS for In-Band Deployment
•Add the Cisco NAS to the Managed Domain
•Configure Cisco NAS Interfaces
•Add Managed Subnets
•Configure Cisco NAS VLAN Settings
6. Configure NAM High Availability (HA)
•HA for Cisco NAMs
•Establish a Serial Connection Between Managers
•Digital Certificate Requirements
•Configure the Primary and Standby Cisco NAMs
7. Configure Cisco NAS HA
•HA for NAS
•Implementation Considerations
•Digital Certificate Requirements
•Configure the Primary and Standby NAS
•Complete the Standby NAS HA Configuration
•Test the NAS HA Configuration
•Configure DHCP Failover
8. Configure External Authentication
•Configure External Authentication Providers
•Authenticate Cisco NAC Appliance Users
•Kerberos
•RADIUS
•LDAP
•NT Domain
•Map Users to User Roles
•Test User Authentication
•Configure RADIUS Accounting for Users
•Add Custom RADIUS Attributes
9. Implement Windows AD SSO
•Kerberos Ticket Exchange
•Confirming a NAS Ticket
•Communications Between the NAS and Active Directory
•AD SSO Configuration Checklist
•TCP and UDP Ports Required for AD SSO
•Configure the NAS for AD SSO
•Install Support Tools for Windows 2000 or 2003 Server
•Configure the Domain Controller with ktpass.exe
10. Implement Virtual Private Network Single Sign-On (VPN SSO)
•Configuration Checklist
•Configure a Traffic Filter
•Add VPN Authentication Server to NAM
•Map VPN Users to Roles on NAM
•Enable VPN SSO on the NAS
•Adding a VPN Device to the NAS
•Configure RADIUS Accounting
•Configure the VPN Gateway as a Floating Device
•Test VPN SSO
11. Implement Cisco NAC Appliance OOB Deployment
•OOB Process Flow
•OOB Deployment Considerations
•Layer 2 Central and Edge Deployment
•Layer 3 Virtual Gateway and Real-IP Gateway
•Layer 2 and 3 Clientless Host Options
•Cisco NAC Appliance OOB vs. In-Band Setup
•Implement Cisco NAS OOB Operating Modes
12. Manage Switches
•Implement Switch Management
•Configure the Network for OOB Deployment
•Configure Group, Switch, and Port Profiles
•Configure Port Profiles Adding Switches to the Managed Domain
•Configuring SNMP Advanced Settings
•Configure Switch Ports to Use Port Profiles
•Manage Switch Configuration Settings
NAC Appliance Implementation Options
13. Implement Cisco NAC Appliance on a Network
•General Setup Tab
•User Pages
•Configure Cisco NAA Support
•Manage Certified Devices
•Device Exemption
•Viewing User Reports
14. Implement Network Scanning
•Configure the Quarantine Role
•Implement Nessus Plug-Ins
•Test a Scanning Configuration
•Customize the User Agreement Page
•View Scan Reports
15. Configure the NAM to Implement Cisco NAA on User Devices
•Retrieve Updates
•Require the Use of the Cisco NAA
•Configure the Cisco NAA Temporary Role
•Introduce and Create Checks, Rules, and Requirements
•Map Requirements to Rules and Roles
16. Configure DHCP
•Cisco NAS DHCP Modes
•Enable the DHCP Module
•Configure IP Ranges (IP Address Pools)
•Work with Subnets
•Reserve IP Addresses
•Configure User-Specified DHCP Options
NAC Appliance Monitoring and Administration
17. Monitor a Cisco NAC Appliance Deployment
•Cisco NAC Appliance Monitoring
•Monitor Online Users
•Monitor NAS Health Event Logs
•Configure Basic SNMP Support
•Configure Syslog Support
18. Administer Cisco NAM
•Define the Cisco NAM Administration Module
•Set Network and Failover Parameters
•Manage Administration Groups and Users
•Manage User Passwords
•Administer the System Time
•Manage SSL Certificates
•Manage the Cisco NAC Appliance Software
•Protect Your NAM Configuration
NAC Profiler
19. NAC Profiler Fundamentals
Labs
Lab 1: Remote Lab Familiarization
•Log in to the remote lab environment
•Launch and log in to the remote lab virtual PCs
•Set time zone on remote lab virtual PCs
•Log in to and manage remote lab equipment
Lab 2: Bootstrap Primary NAM and NAS
•Run setup scripts on NAM and NAS
•Log in to the web administration environment
•View a common routing issue for the hosts on the same subnet as the NAS
•See newer password enhancements in 4.5 software code
Lab 3: Configuring User Roles and Traffic Policies
•Configure default user web pages based upon where they are coming from
•Create user roles on the NAM
•Create traffic policies that map to each user role
•Configure new users in the local database
Lab 4: Configure NAS In-Band Virtual Gateway
•Connect an in-band NAS to the NAM
•Configure NAS as virtual gateway
•Configure VLAN mapping
•Install the NAA for the first time and determine the rights needed
•Install the stub installed
•Use the web agent to scan an outside user's PC that does not have local admin rights
Lab 5: Create a High Availability NAM Cluster
•Configure the secondary NAM
•Confirm connectivity between primary and secondary NAM
•Export the private key and SSL certificate of the primary NAM
•Import the private key and SSL certificate into the secondary NAM
•Configure network and failover settings on primary and secondary NAM
•Verify NAM database synchronization
•Test failover
Lab 6: Configuring Active Directory Single Sign-On (AD SSO)
•Add AD SSO authentication server
•Configure traffic policies for the unauthenticated role
•Enable the NAS to use AD SSO
•Use ktpass.exe to prepare the domain controller
•Enable and test agent-based AD SSO
Lab 7: Enhanced SSO with LDAP Group Authorization
•Configure an LDAP lookup server
•Configure authorized groups in Active Directory (AD)
•Associate the lookup server with an authentication provider
•Test the solution
Lab 8: Configuring VPN Remote Access
•Configure the ASA as a filter device
•Configure NAC Appliance to use an ASA 5520 as a floating device
•Add VPN authentication server to the NAM
•Map VPN users to roles for SSO
•Add a RADIUS accounting server to the NAS
•Map the ASA 5520 to the accounting server
•Configure VLAN mappings to allow internet access through the NAS
•Modify IP filters to allow returning internet traffic back through
•Test VPN SSO
Lab 9: Configuring NAC VPN SSO
•Configure the ASA to communicate with the RADIUS and accounting server
•Adjust traffic filters for additional VPN address pools
•Use framed IP-address fields in the accounting packet to map VPN users to NAC appliance roles
•Use Kiwi CatTools to load ASA version 8.x Code and the AnyConnect client config
•Test VPN SSO
Lab 10: Configure Switch for Out-of-Band (OOB)Operation
•Delete the In-Band NAS from the NAM
•Reconfigure the NAS as OOB virtual gateway
•Configure VLAN mapping
•Verify switch SNMP configuration
•Configure group and switch profiles
•Configure the NAM as an SNMP trap receiver
•Add switches and configure ports on the NAM
•Passive Re-Assessment
•Examine reporting
Lab 11: Configuring the NAC Appliance Agent (NAA) for Specific Threats
•Configure the general setup for NAA
•Allow DNS packets to your network in the temporary role
•Create checks and rules
•Create a new requirement for users
•Associate the requirement to a role
•Remediation types and appropriate rights for each
•AV check and file distribution
•Local application launch
•Code signing requirements
•Compare manual and automatic remediation
•Verify the configuration
Lab 12: Bootstrapping Profiler
•Configure Profiler with basic settings
•Configure NAC integration
•Collector setup
•Network device collection
Lab 13: Profiling the Network
•Active profiling
•Profile reporting
Lab 14: Profiler HA
•Set up HA using a pair of profiler managers
•Cisco Profiler Solution
•Components
•Use Cases
•Management Interface
•Features and Profiling Options
20. Deploying NAC Profiler
•Deployment Options
•Active Collections
•Endpoint Discovery Fundamentals
•NAC and LDAP Integration
•Profiler Events
•High Availability
