In this course, you'll learn how to design and implement a Cisco NAC Appliance solution to suit your network. You will learn basic configuration tasks such as NAM and NAS deployment modes, authentication (including Windows SSO), role-based access control, posture assessment, and remediation.
Cisco Systems offers two solutions for Network Admission Control: NAC Appliance and NAC Framework. If the NAC solution you are planning includes the following elements, then this NAC Appliance course, CANAC v2.1, is right for you:
Labs
Lab 1: Remote Lab Familiarization
The purpose of this lab is to introduce you to the Global Knowledge Remote Lab Environment used for this class. You will have access to four Microsoft Windows XP desktop PCs, four Windows 2003 Servers, one Windows 2000 Server, an ASA 5520 firewall, a Catalyst 3560 L3 switch, a 2811 IOS router, two NAC Appliance Managers (NAMs), and one NAC Appliance Server (NAS). This lab will demonstrate how to access the various pieces of equipment, what features are available on them, and how they are connected in the topology.
- Log in to the Remote Lab Environment
- Launch and Log in to the Remote Lab Virtual PCs
- Set Time Zone on Remote Lab Virtual PCs
- Log in to and Manage Remote Lab Equipment
Lab 2: Bootstrap Primary NAM & NAS
The purpose of this lab is to introduce you to the Linux Command Line Interface of the NAC Appliance Manager (NAM) and NAC Appliance Server (NAS). In this exercise, you will initialize the Primary NAM and NAS to test basic network connectivity. You will also learn some basic NAM scripts to automate system administration tasks. During this lab, you will get a chance to explore the changes to the directory structure in NAC Appliance version 4.5.
- Run setup scripts on NAM and NAS
- Log in to the Web Administration Environment
- View a Common Routing Issue for the Hosts on the Same Subnet as the NAS
- See some newer password enhancements in 4.5 software code
Lab 3: Configuring User Roles and Traffic Policies
In this lab, you will configure the roles on the Cisco NAM. Each role has a specific access policy that permits or denies traffic through the NAS, so that assigning a user to a role determines that user's access privileges. All users begin in the unauthenticated role, which has the least access to your network. You will have to modify this basic profile's policy to allow the most basic communication to take place through the NAS from the untrusted network to the trusted network, including DNS, LDAP, authentication, and NTP.
- Configure Default User Web Pages Based Upon Where a User is Coming From
- Create User Roles on the NAM
- Create Traffic Policies that Map to Each User Role
- Configure New Users in the Local Database
Lab 4: Configure NAS In-Band Virtual Gateway
Now you are ready to put your NAS between your untrusted network and your trusted network. When any host attempts to send a packet through the NAS, the NAS presents the user with your previously created Login Page for authorization. Upon successful authentication, the user will download and install the NAA. In this lab, you will be looking only for successful authentication and not for posture validation. That is, you will not perform any other sort of software or compliance check before the user can enter your network.
- Connect an In-Band NAS to the NAM
- Configure NAS as Virtual Gateway
- Configure VLAN Mapping
- Install the NAA for the First Time and Determine the Rights Needed
- Install the Stub Installer
- Use the Web Agent to Scan an Outside User's PC Who Does Not Have Local Admin Rights
Lab 5: Create a High Availability NAM Cluster
The purpose of this lab is to configure NAM High Availability. You will configure a secondary Cisco NAM device to function on the same network as the current primary NAM. A virtual IP will be used for communication with the NAM cluster, providing high availability for the NAS's communication with the NAM pair. You will investigate the time required for failover to complete by shutting down a NAM.
- Configure the Secondary NAM
- Confirm Connectivity between Primary & Secondary NAM
- Export the Private Key and SSL Certificate of the Primary NAM
- Import the Private Key and SSL Certificate into the Secondary NAM
- Configure Network and Failover Settings on Primary & Secondary NAM
- Verify NAM Database Synchronization
- Test Failover
Lab 6: Configuring Active Directory Single Sign-On (AD SSO)
In this lab, you'll get an introduction to integrating the NAM with Microsoft Active Directory for Single Sign-On (SSO). The process includes configuring Kerberos mappings on the AD Domain Controller, and you will create a policy access list on the NAM to allow authentication traffic through the NAS. This lab is a great reference for your own network environment, since it covers the majority of a standard NAC Appliance implementation.
- Add AD SSO Authentication Server
- Configure Traffic Policies for the Unauthenticated Role
- Enable the NAS to Use AD SSO
- Use ktpass.exe to Prepare the Domain Controller
- Enable and Test Agent-Based AD SSO
Lab 7: Configuring VPN Remote Access
The purpose of this lab is to allow your VPN users to use the NAS for network compliance checking prior to accessing the corporate network. You will use software version 8.x on the ASA and review the enhancements to NAC in this version of the software. You will examine the changed VPN topology and the authentication methods used for VPN SSO.
- Configure the ASA as a Filter Device
- Configure NAC Appliance to use an ASA 5520 as a Floating Device
- Add VPN Authentication Server to the NAM
- Map VPN Users to Roles for SSO
- Add a RADIUS Accounting Server to the NAS
- Map the ASA 5520 to the Accounting Server
- Configure VLAN Mappings to allow Internet Access through the NAS
- Modify IP Filters to allow Returning Internet Traffic Back Through
- Test VPN SSO
Lab 8: Configuring NAC VPN SSO
In this lab, you will configure the VPN tunnel groups on the ASA to forward authentication credentials to the RADIUS software running on the Security-Srv server. Part of the configuration requires you to create additional VPN IP address pools and assign them to the Employees and Consultants VPN tunnel groups. You will adjust the NAM attribute mappings so that the VPN works with the user roles. At the end of this lab, you should have a working VPN SSO deployment.
- Configure the ASA to Communicate with the RADIUS and Accounting Server
- Adjust Traffic Filters for Additional VPN Address Pools
- Use Framed-IP-Address Fields in the Accounting Packet to Map VPN Users to NAC Appliance Roles
- Use Kiwi CatTools to load ASA Version 8.x Code and the AnyConnect Client Config
- Test VPN SSO
Lab 9: Configure Switch for Out-Of-Band Operation
This lab requires the reconfiguration of the lab topology. VLAN 7 will be used exclusively for user authentication to the network and not for user traffic. Once user authentication is successful, the user's port will transition from VLAN 7 to the VLAN assigned to the Port/Role. All subsequent traffic will no longer traverse the NAS. The lab will take you through a complete reconfiguration of the NAM, as well as adding switches and community strings.
- Delete the In-Band NAS from the NAM
- Reconfigure the NAS as OOB Virtual Gateway
- Configure VLAN Mapping
- Verify Switch SNMP Configuration
- Configure Group and Switch Profiles
- Configure the NAM as an SNMP Trap Receiver
- Add Switches and Configure Ports on the NAM
- Test Your Configuration
Lab 10: Configuring the NAC Appliance Agent (NAA) for Specific Threats
Up to this point, you have verified that your authentication is working through your NAS device. You have transitioned from creating a Layer 2 In-Band Virtual Gateway to a VPN SSO solution and, finally, an Out-of-Band Virtual Gateway. You have been dealing solely with authentication. In this lab, you will turn compliance checking on and explore the checks you can perform with NAC. You will perform basic and advanced compliance checking to verify that your users have installed some required software. If they have not, you will point them to your remediation server to download the fixes.
- Configure the General Setup for NAA
- Allow DNS Packets to Your Network in the Temporary Role
- Create Checks and Rules
- Create a New Requirement for Users
- Associate the Requirement to a Role
- Remediation Types and Appropriate Rights for Each
- AV Check and File Distribution
- Local Application Launch
- Code Signing Requirements
- Compare Manual and Automatic Remediation
- Verify the Configuration
Lab 11: Enhanced SSO with LDAP Group Authorization
To keep the lab environment in this class as close as possible to the typical scenarios you will encounter in the real world, in this lab you will enhance the Active Directory SSO by mapping groups in Active Directory to roles in the NAC Appliance.
- Configure an LDAP Lookup Server
- Configure Authorized Groups in Active Directory
- Associate the Lookup Server with an Authentication Provider
- Test the Solution