Cisco Network Admission Control Agent Software For Mac

The Cisco Network Admission Control (NAC) agent on Mac OS X does not verify the X.509 certificate of an Identity Services Engine (ISE) server during an SSL session, which allows man-in-the-middle attackers to spoof ISE servers via an arbitrary certificate, aka Bug ID CSCub24309.

OpenNAC supports these network devices: Cisco 2960, Cisco 2950, Cisco 3500XL, Cisco 3560, Cisco 1920, Cajun P120, Avaya P133 G2, 3COM HUB PS40, Enterasys vh4802.

Baseline Network Admission Control based on users, ports, and MAC addresses; easy network configuration, Cisco IOS Software updates, and troubleshooting using Cisco Network Assistant software; QoS for traffic classification and shaping to prioritize various applications.

Network access control, or NAC, solutions support network visibility and access management through policy enforcement on devices and users of corporate networks. As it develops the next generation of network security infrastructure, Cisco is planning to cease development on its network admission control (NAC) client, the Cisco Trust Agent (CTA), and submit.
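The bug described in the first sentence is the general class "TLS client accepts any server certificate". The Python snippet below is an added illustration written for this page, not code from Cisco's agent: it places a client context that accepts any certificate next to one that verifies the chain against a trusted CA set and checks the server name, and it adds a small audit helper that reports which of those protections a context lacks. The host name, port and CA bundle path are constructed placeholders.

```python
import socket
import ssl
from typing import List, Optional

# Constructed placeholders; substitute the real ISE host and the CA bundle that
# issued its certificate.
ISE_HOST = "ise.example.internal"
ISE_PORT = 8443
CA_BUNDLE = "/etc/pki/ise-ca-bundle.pem"   # hypothetical path


def insecure_context() -> ssl.SSLContext:
    """A client context that accepts ANY server certificate.

    This reproduces the defect class named above: with chain verification and
    hostname checking both off, a certificate presented by a man-in-the-middle
    is accepted just like the real server's.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """A client context that verifies the chain and the server name.

    With ca_bundle set, only that private CA set is trusted (the usual case for
    an internal ISE/ACS PKI); otherwise the platform trust store is used.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # set before enabling check_hostname
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle is not None:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the protections a client context is missing (empty list = fine)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("chain verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def connect_to_ise(ctx: ssl.SSLContext, host: str = ISE_HOST, port: int = ISE_PORT):
    """Open a TLS session and return the peer certificate.

    With hardened_context() this raises ssl.SSLCertVerificationError when the
    presented certificate does not chain to a trusted CA or does not match
    `host`; with insecure_context() it returns whatever was presented.
    """
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

The audit helper is the kind of check to put in a unit test for any agent that talks to a policy server: it fails the build if someone reintroduces `CERT_NONE` or turns `check_hostname` off to "fix" a certificate error.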

Components That Make Up the NAC Framework Solution

The following sections examine the individual components that make up the NAC Framework solution. Although only an overview is provided here, each component is covered in detail in its associated chapter in this book.

Cisco Trust Agent

Cisco Trust Agent (CTA) is a small software application (approximately 3MB) that is installed locally on a PC and that allows Cisco Secure ACS to communicate directly with the PC to query it for posture credentials. Some common posture credentials are the OS name, the service pack installed, and specific hotfixes applied. Table 1-1 lists the posture credentials that CTA supports or for which CTA is a broker.

Table 1-1. Posture Credentials Supported by CTA

| Application | Posture Credentials |
|---|---|
| CTA (version 2) | CTA version; operating system name; operating system version; installed service packs; installed hotfixes; custom credentials returned through the optional scripting interface |
| Cisco Security Agent (CSA)* | CSA version; CSA status (enabled/disabled); fully qualified domain name (FQDN) of Cisco Security Agent Management Center (CSA-MC); last poll of CSA |
| Antivirus* | Antivirus software name or identifier; software version; scan engine version; DAT/pattern file version; DAT/pattern file release date; antivirus enabled/disabled; on-access scan enabled |
| Other software* | Varies by vendor |


CTA is a core component of NAC and is the only communications interface between the NAD and the applications that reside on the PC. It receives posture credential queries from Cisco Secure ACS, brokers them to the correct application, and then forwards the application responses to Cisco Secure ACS. CTA has three key responsibilities (see Figure 1-4):

  • Communication—Provides a communications link with the NAD using EAPoUDP or EAP-FAST.
  • Security—Authenticates the device requesting posture credentials and ensures that all information is sent out encrypted on the wire.
  • Broker—Provides an application programming interface (API) to query other applications running on the system and notifies them of the current system posture so they can react to posture changes.

CTA also includes an 802.1X supplicant bundled with it that supports EAP-FAST when running NAC. The 802.1X supplicant is needed to implement NAC-L2-802.1X. However, the 802.1X supplicant is limited to wired interfaces only—no wireless interfaces.

Chapter 2, 'Cisco Trust Agent,' fully covers the installation, configuration, operation, and troubleshooting of CTA.

Cisco Security Agent

Cisco Security Agent (CSA) is the Cisco award-winning host-based intrusion-prevention system (HIPS) installed on a desktop or server PC that protects it from known and unknown threats. CSA adds a shim into the network layer and into the kernel layer (to watch both network traffic and API calls to kernel). This allows CSA to not only be a personal firewall, but also to protect against buffer-overflow attacks and spyware/adware. In addition, it provides file protection, malicious application protection, and operating-system integrity protection. CSA is one of the few HIPS products that provide true protection against 'Day Zero' attacks.

Starting with version 4.5, CSA integrates seamlessly with NAC through CTA. CTA queries CSA to establish the presence of the agent and determine whether it is in protect mode. This information is part of the posture credentials returned to Cisco Secure ACS and is used to determine the end host's overall security posture. Based on this posture, Cisco Secure ACS can apply a policy that alters the state of CSA. CSA's state change dynamically activates additional rules within CSA, thereby providing another level of protection to the host.

Cisco Security Agent Management Center (CSA MC) provides a powerful, scalable application used to manage all agents. When an agent is installed on a host, it first registers with CSA MC and downloads any updates to its rule set. Thereafter, the agent periodically polls CSA MC to check for any new software or rule updates. Besides the configuration and software update function, CSA MC receives real-time security events from the agents and immediately displays them in the Event Monitor for the network administrator to see. In addition, CSA MC correlates the events, received from all agents in the network, to detect suspicious activity across several hosts. If similar threats are detected across several agents, CSA MC creates and deploys dynamic rules to all the agents to provide an additional layer of protection against this newly spreading threat.

Chapter 9, 'Cisco Security Agent,' covers the installation, configuration, and operation of CSA.

See Chapter 9 for installation and configuration information about CSA and CSA MC.

Network-Access Devices

NADs query the CTA installed on the endpoint. In NAC Phase I, the NAD could be only an IOS router. In Phase II, any of the following devices can be a NAD:

  • Cisco IOS router
  • Cisco Catalyst Switch running Cisco IOS or CAT OS
  • Cisco VPN 3000 series concentrator
  • Cisco ASA 5500 series adaptive security appliances and PIX 500 series security appliances
  • Cisco wireless access device

Cisco IOS Router

Cisco IOS routers first supported NAC in Cisco IOS Release 12.3(8)T, in the Advanced Security, Advanced IP Services, or Advanced Enterprise Services feature sets. Table 1-2 lists Cisco IOS routers by platform and current NAC capability.

Table 1-2. NAC Support in IOS Routers

| Cisco Router Platform | NAC Support |
|---|---|
| 7500 series | Yes |
| 7300 series | Yes |
| 7200 series | Yes |
| 7100 series | No |
| 4500 series | No |
| 3800 series | Yes |
| 3700 series | Yes |
| 3640, 3640A, 3660-ENT series | Yes |
| 3620, 3660-CO series | No |
| 2800 series | Yes |
| 2600XM series, 2691 | Yes |
| 2600 series (non-XM models) | No |
| 1800 series | Yes |
| 1701, 1711, 1712, 1721, 1751, 1751-V, 1760 | Yes |
| 1710, 1720, 1750 | No |
| 830 series | Yes |
| AS5850, AS5400, AS5400HPX, AS5350 | No |

When NAC is implemented on a router, this is called NAC-L3-IP. That is, the security enforcement point becomes the Layer 3 gateway instead of the physical port into which the end host is plugged.

Posture validation is triggered by defining an intercept ACL on the router's interface. Any traffic arriving on the interface from a nonpostured source that matches the intercept ACL triggers the posture-validation process, as illustrated in Figure 1-1. When the overall security posture of the host is determined, Cisco Secure ACS sends a host-based downloadable ACL to the router to restrict, prohibit, or permit that client's access to the network. Thus, policy enforcement takes place at Layer 3 with an ACL on the router's interface.

See Chapter 5, 'Configuring Layer 3 NAC on Network-Access Devices,' for more information on configuring and troubleshooting NAC on a Cisco IOS router.

Cisco Catalyst Switch Running Cisco IOS or CAT OS

Catalyst switches first supported NAC in the summer of 2005 across various platforms and release trains. One benefit of adding NAC on the switch is enhanced posture-enforcement capabilities through containment. On Cisco IOS routers, policy enforcement was applied with a downloadable ACL on the router's interface. This enabled the administrator to restrict (or even deny) the endpoint's access through the router. However, the endpoint could not be restricted from sending packets to Layer 2–adjacent devices (because those packets did not traverse the router and, therefore, would not be subject to the downloadable ACL). However, on access switches, the endpoints are typically directly connected to a physical port on the switch. This allows for policy enforcement (through VLAN or ACL) as well as containment (because the endpoint is typically the only device connected to that port).

Catalyst switches can implement NAC on a per-port basis at Layer 2 or Layer 3. As mentioned previously in this chapter, when NAC is implemented at Layer 2, it is known as NAC-L2-802.1X because 802.1X is used as the underlying Layer 2 transport protocol. When NAC is implemented on a switch at Layer 3, it is known as NAC-L2-IP.

NAC-L2-802.1X and NAC-L2-IP have several administrative and operational differences that you should fully consider before selecting which one to deploy.

The following are attributes of NAC-L2-802.1X:

  • 802.1X authentication must be implemented on the switch.
  • The client's 802.1X supplicant triggers authentication and posture validation.
  • The client's 802.1X supplicant must be CTA aware.
  • Posture enforcement is provided by VLAN assignment only.
  • EAP-FAST authenticates CTA to Cisco Secure ACS; therefore, no client-side certificate is needed.
  • Endpoints must be directly connected, or be connected through an IP phone.

The following are attributes of NAC-L2-IP:

  • Posture validation is triggered when the switch receives Address Resolution Protocol (ARP) packets from the endpoint. Optionally, Dynamic Host Configuration Protocol (DHCP) snooping can be enabled on the port to trigger posture validation when the switch receives the first DHCP packet.
  • Posture enforcement is provided by downloadable ACLs.
  • VLAN assignment is not supported.
  • EAPoUDP is used to communicate between CTA and the NAD. PEAP is used between CTA and Cisco Secure ACS.
  • URL redirection of the endpoint's web browser to a remediation server is supported.
  • Endpoints can be directly connected, connected through an IP phone, or connected through a shared-media device (hub, non-NAC-capable switch, and so on.)

No 'right' or 'wrong' choice exists between the two. But there is a best choice for your network. If you don't know what that choice is, read Cisco Network Admission Control, Volume I: NAC Architecture and Design, which walks through several design scenarios, discusses the options available, and provides the rationale for the choices made.

An additional consideration (and probably the most important one) is which one will run on your existing switch hardware. Table 1-3 should come in handy in making that determination; it lists the various models of Catalyst switches and their NAC capabilities based on the OS.

Table 1-3. NAC Support in Catalyst Switches

| Platform, Supervisor | OS | NAC-L2-802.1x | NAC-L2-IP | NAC-L3-IP | NAC Agentless Host |
|---|---|---|---|---|---|
| 6500 – Sup32, Sup720 | Native IOS | Planned | Yes, 12.2(18)SXF2 | Planned | Yes, NAC-L2-IP |
| 6500 – Sup2 | Native IOS | No | No | No | No |
| 6500 – Sup32, Sup720, Sup2 | Hybrid | Yes, 8.5 | Yes, 8.5 | No | Yes, NAC-L2-IP |
| 6500 – Sup32, Sup720, Sup2 | Cat OS | Yes, 8.5 | Yes, 8.5 | No | Yes, NAC-L2-IP |
| 6500 – Sup1A | All | No | No | No | No |
| 5000 Series | All | No | No | No | No |
| 4900 Series | IOS | Yes, 12.2(25)SG | Yes, 12.2(25)SG | Planned | Yes, NAC-L2-IP |
| 4000/4500 Series – SupII+, II+TS, II+10GE, IV, V, V-10GE | Cisco IOS | Yes, 12.2(25)SG | Yes, 12.2(25)SG | Planned | Yes, NAC-L2-IP |
| 4000 – SupI, II, and III | All | No | No | No | No |
| 3750, 3560 | Cisco IOS; advanced IP services, IP services, IP base | Yes, 12.2(25)SED | Yes, 12.2(25)SED | No | Yes, NAC-L2-IP |
| 3550 | Cisco IOS; IP services and IP base | Yes, 12.2(25)SED | Yes, 12.2(25)SED | No | Yes, NAC-L2-IP |
| 3500XL, 2900XL | All | No | No | No | No |
| 2970 | Cisco IOS; LAN base | Yes, 12.2(25)SED | No | No | No |
| 2960 | Cisco IOS; LAN base | Yes, 12.2(25)SED | No | No | No |
| 2950 | Cisco IOS; EI, SI | Yes, 12.1(22)EA6 | No | No | No |
| 2955, 2940 | Cisco IOS | Yes, 12.1(22)EA6 | No | No | No |
| 2948G-GE-TX | Cat OS | No | No | No | No |
| 1900 | All | No | No | No | No |
| Express 500 | Cisco IOS | No | No | No | No |


Catalyst switches are an integral part of the NAC solution, providing protection and containment of hosts that do not meet corporate security policies at the access layer. As such, Cisco is committed to providing NAC support on all new switch hardware.

See Chapter 4 for more information on configuring and troubleshooting NAC on a Catalyst switch.

Cisco VPN 3000 Series Concentrator

NAC support for the VPN 3000 series concentrators was first added in Release 4.7. The concentrator is a Layer 3 NAD and postures remote-access IPSec (or Layer 2 Tunneling Protocol [L2TP] over IPSec) clients. The posturing process is almost identical to that of NAC-L3-IP, described previously in the section 'NAC: Phase I' (refer to Figure 1-1). The only difference is that the router is replaced with a VPN 3000 concentrator, and an IPSec tunnel is first established to the concentrator before the EAPoUDP session starts.

When the EAPoUDP session starts, a PEAP session is established between the client and the Cisco Secure ACS so posture validation can take place. Cisco Secure ACS then notifies the concentrator (through RADIUS) of the client's posture and passes down a filter list to be applied to the client. The filter list is the 3000's equivalent to a downloadable ACL.

One unique option that the concentrator provides is that clients can be excluded from posture validation based solely on OS type. This is because the Cisco VPN client sends its OS information during IPSec tunnel establishment, which occurs before NAC posture validation. Host exemption, along with all other NAC configuration, is specified under the group policy settings on the 3000. NAC configuration on the VPN 3000 concentrator is covered in detail in Chapter 6, 'Configuring NAC on Cisco VPN 3000 Series Concentrators.'

Cisco ASA 5500 Series Adaptive Security Appliance and PIX 500 Series Security Appliance

The NAC implementation on the Cisco 5500 series Adaptive Security Appliances (ASA) and PIX 500 series security appliances is identical to the implementation on the VPN 3000 concentrators. NAC-L3-IP is supported starting with Version 7.2(1) on all IPSec and L2TP over IPSec remote-access tunnels. Posture enforcement is provided by way of a downloadable ACL from Cisco Secure ACS. Additionally, just as with the VPN 3000, remote-access clients can be exempted from NAC posture validation based on OS type.

The ASA and PIX also support clientless authentication. Those hosts connecting through a remote-access tunnel that do not have CTA installed are marked as clientless. Cisco Secure ACS can then apply the clientless policy to those hosts, to limit (or remove entirely) their access to the network. Chapter 7, 'Configuring NAC on Cisco ASA and PIX Security Appliances,' contains the complete configuration of NAC on the ASA 5500 series appliances and PIX 500 series security appliances.

Cisco Wireless Devices

NAC Framework support for wireless devices is available on autonomous Access Points (AP), lightweight access points running the Lightweight Access Point Protocol (LWAPP), and the Wireless LAN Services Module (WLSM) for the Catalyst 6500. Table 1-4 lists the wireless devices and minimum supported software.

Table 1-4. NAC Support in Wireless Devices

| Wireless Device | Minimum Supported Software |
|---|---|
| Autonomous APs running IOS: Aironet 1100, 1130AG, 1200, 1230AG, 1240AG, 1300 IOS-based access points | Cisco IOS Release 12.3(7)JA or later |
| Lightweight APs running LWAPP: Aironet 1000, 1130AG, 1200, 1230AG, 1240AG, 1500 + WLAN Controller 2000, 4100, or 4400 | Cisco Unified Wireless Network Software Release 3.1 or later |
| Catalyst 6500 series WLSM | Cisco IOS Release 1.4.1 or later |

Wireless devices are Layer 2 termination devices and, as such, support NAC-L2-802.1x as the posturing method. The process that a wireless client connecting to a wireless device goes through for posture validation is the same as for a wired client. Figure 1-3 depicts this posture-validation process. Note that wireless devices provide posture enforcement through VLAN only. This means that, to support NAC, the wireless devices must be configured for multiple VLANs per service set identifier (SSID).

Configuration and troubleshooting of NAC on Cisco wireless access points is covered along with other Layer 2 network-access devices in Chapter 4.

Cisco Secure Access Control Server

The Cisco Secure Access Control Server (ACS) for Windows is another core required component of NAC. Cisco Secure ACS first supported NAC in Version 3.3, which was launched concurrently with Phase I in the summer of 2004. Cisco Secure ACS 4.0, released in the fall of 2005, added support for NAC Phase II, including all the NADs listed in the previous section.

Cisco Secure ACS is the central controller for all NAC policy decisions. It receives posture credentials from all agents and either processes them locally or forwards them on to partner validation servers for processing. If the posture credentials are forwarded on, Cisco Secure ACS waits to receive the application posture token (APT) back from the external validation server. It then combines this APT with the local APTs it created based on the defined policy; the result is an overall system posture token (SPT).

The SPT has one of the following values: Healthy, Checkup, Quarantine, Infected, or Unknown, which are mapped to a network access policy. The network-access policy and SPT are then transmitted to the NAD as part of policy enforcement. Optionally, Cisco Secure ACS can send a user-notification message that CTA displays on the end host. This message usually indicates the posture of the system along with some instructions (for the un-Healthy hosts). Cisco Secure ACS can also send a URL redirect to the end host via the NAD if either NAC-L3-IP or NAC-L2-IP is being used.

Chapter 8 covers installation, configuration, and troubleshooting of Cisco Secure ACS.

Event Monitoring, Analysis, and Reporting

Protecting the network from threats is the first step toward securing it. However, event monitoring, analysis, and reporting are also vital pieces in understanding the network's security posture:

  • Event monitoring—The process of receiving events (or alerts) from the network and presenting them to the user in real time and in a meaningful way. This is usually provided with some sort of 'dashboard' where new events are displayed as they come in.
  • Analysis—The process of taking the events received and normalizing and correlating them to produce the most relevant set of data. The correlation process takes multiple streams of events from various device types and finds similarities in their data that can be linked to provide a detailed composite picture. The normalization process then removes the redundant data and improves data consistency.
  • Reporting—The process of querying historical data for specific events and presenting those events in a useful way to the user.

Monitoring, analysis, and reporting are powerful tools that show the network administrator the state of the network at any given point in time. These tools are very important in networks where NAC is enabled because the volume of events that each network device generates for each postured host is huge. Monitoring the network devices individually for problems or anomalies is neither practical nor efficient. This is why Cisco has enhanced its Cisco Security Monitoring, Analysis, and Reporting System (CS-MARS) to support NAC.

The CS-MARS appliance is a topologically aware, high-performance event-correlation system. Syslogs, NetFlow data, Simple Network Management Protocol (SNMP) traps, and other network logging information can be sent to it from a variety of network sources. This includes routers, switches, firewalls, intrusion-prevention devices, Cisco Secure ACS, and even end hosts. All this information is then correlated within CS-MARS to detect network attacks and other types of security threats. When an attack is detected, an incident is fired and the attacker, victim, and path from attacker to victim are displayed in the CS-MARS interface. Additionally, based on the attack vector, CS-MARS can inform the user of the best way to mitigate the attack.

In support of NAC, CS-MARS parses, normalizes, correlates, and reports on posture-validation events for NAC-L3-IP, NAC-L2-IP, and NAC-L2-802.1X. Predefined reports enable network administrators to view the number of hosts in Healthy, Quarantined, Clientless, or other states throughout the entire network. Administrators can further drill down to determine the posture status on a per-device basis. They may also choose to receive daily reports (via e-mail) of the number and location of nonhealthy hosts in their network.

Help-desk support teams can use CS-MARS to identify problems reported from end users. CS-MARS can display IP addresses, machine/usernames, and the logical switch port number the user is connected to, along with the posture information or authentication information of end hosts. This information can be displayed in real time and allows the help-desk teams to quickly and easily identify problems end users are having.
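The three functions above (monitoring, normalization/correlation, reporting) are easiest to see on real records. The Python below is an added example for this page, not CS-MARS code: it normalizes posture events from NADs and authentication events from Cisco Secure ACS into one record shape, correlates them by host address, and produces the network-wide posture counts, the per-device drill-down, the help-desk lookup and a cross-device "noncompliant hosts on several switches" signal that the text describes. The log lines are constructed and use an invented key=value layout; they are not the real IOS, CatOS or ACS syslog formats, which CS-MARS handles with device-specific parsers.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed sample feeds (illustrative format, not a vendor format).
NAD_LOGS = """\
2006-03-14T09:00:01 sw-bldg1-a NAC-POSTURE: host=10.1.20.15 port=Fa0/7 method=NAC-L2-IP posture=Quarantine
2006-03-14T09:00:05 sw-bldg1-a NAC-POSTURE: host=10.1.20.16 port=Fa0/8 method=NAC-L2-802.1X posture=Healthy
2006-03-14T09:00:09 sw-bldg2-c NAC-POSTURE: host=10.1.30.7 port=Gi0/3 method=NAC-L2-802.1X posture=Quarantine
2006-03-14T09:00:12 rtr-branch NAC-POSTURE: host=10.2.1.50 port=Fa0/0 method=NAC-L3-IP posture=Clientless
this line is noise from another process and must be skipped
"""
ACS_LOGS = """\
2006-03-14T09:00:01 acs1 NAC-AUTH: host=10.1.20.15 user=jsmith result=pass
2006-03-14T09:00:05 acs1 NAC-AUTH: host=10.1.20.16 user=akumar result=pass
2006-03-14T09:00:09 acs1 NAC-AUTH: host=10.1.30.7 user=mlee result=pass
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>NAC-POSTURE|NAC-AUTH): (?P<body>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Normalize one raw line into a flat record; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "source": m["src"], "kind": m["kind"]}
    for token in m["body"].split():
        key, _, value = token.partition("=")
        if key and value:
            rec[key] = value
    return rec if "host" in rec else None


def normalize(*log_texts: str) -> List[Dict[str, str]]:
    """Parse every line of every feed, dropping lines that do not parse."""
    return [rec for text in log_texts for rec in map(parse_line, text.splitlines()) if rec]


def correlate(records: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Merge posture and authentication events for the same host IP into one
    composite record: device, port, method, posture, user, auth result."""
    hosts: Dict[str, Dict[str, str]] = defaultdict(
        lambda: {"posture": "Unknown", "user": "-", "auth": "-", "device": "-", "port": "-"})
    for rec in records:
        h = hosts[rec["host"]]
        h["host"] = rec["host"]
        if rec["kind"] == "NAC-POSTURE":
            h.update(device=rec["source"], port=rec.get("port", "-"),
                     method=rec.get("method", "-"), posture=rec.get("posture", "Unknown"))
        else:
            h.update(user=rec.get("user", "-"), auth=rec.get("result", "-"))
    return dict(hosts)


def posture_summary(hosts: Dict[str, Dict[str, str]]) -> Counter:
    """Network-wide count of hosts per posture state (the predefined report)."""
    return Counter(h["posture"] for h in hosts.values())


def per_device(hosts: Dict[str, Dict[str, str]]) -> Dict[str, Counter]:
    """Drill-down: posture counts per network-access device."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for h in hosts.values():
        out[h["device"]][h["posture"]] += 1
    return dict(out)


def helpdesk_lookup(hosts: Dict[str, Dict[str, str]], query: str) -> List[Dict[str, str]]:
    """Find composite records by IP address or username, as a help-desk operator would."""
    return [h for h in hosts.values() if query in (h["host"], h["user"])]


def noncompliant_devices(hosts: Dict[str, Dict[str, str]],
                         states=("Quarantine", "Infected")) -> List[str]:
    """Cross-device correlation: devices currently holding hosts in the given states.
    Several devices at once is the 'spreading across the network' signal."""
    return sorted({h["device"] for h in hosts.values() if h["posture"] in states})


if __name__ == "__main__":
    hosts = correlate(normalize(NAD_LOGS, ACS_LOGS))
    print(posture_summary(hosts))
    print(per_device(hosts))
    print(helpdesk_lookup(hosts, "jsmith"))
    print(noncompliant_devices(hosts))
```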

Chapter 17, 'Monitoring the NAC Solution Using the Cisco Security Monitoring, Analysis, and Response System,' covers the configuration and operation of CS-MARS in a NAC Framework solution.

Operational Overview

This section describes how NAC determines admission compliance and how it then uses the network to enforce the policy to endpoints.

Network Admission for NAC-enabled Endpoints

This section describes the process in which a noncompliant endpoint device is discovered and is denied full access until it is compliant with the admission policy. This scenario is shown in Figure 6-2.

Figure 6-2 Admission Process for Noncompliant Endpoint

The following list is a summary of the admission process for a noncompliant endpoint shown in Figure 6-2:

  1. An endpoint attempts to access the network.
  2. The NAD notifies the policy server (Cisco Secure ACS) that an endpoint is requesting network access.
  3. Cisco Secure ACS checks the NAC policy to determine whether the endpoint is compliant.
  4. Cisco Secure ACS forwards specific information to other partner policy servers.
    a. Identity information is sent to a directory server for authentication validation.
    b. Host credentials are sent to an antivirus policy server for posture determination.
  5. Cisco Secure ACS uses information from all the policy servers and decides the endpoint's authorization. In this example, the endpoint is not compliant and is assigned a quarantine posture.
  6. Quarantine enforcement actions are sent from Cisco Secure ACS to the NAD servicing the endpoint.
  7. NAD enforces admission actions and communicates posture to Posture Agent.
  8. Posture Agent notifies the user that the endpoint is quarantined.

The following sections explain each step in more detail.

Endpoint Attempts to Access the Network

In step 1, the admissions process begins when an endpoint attempts to access the network. What triggers the process is dependent upon the NAD's capabilities and configuration. The NAD initiates posture validation with Cisco Trust Agent using one of the following protocols:

  • EAPoUDP
  • EAPo802.1x

The protocol used is dependent upon the NAD to which the endpoint connects. Both of these protocols serve as a communication method between the endpoints using Cisco Trust Agent and the NAD. Cisco Trust Agent gathers credentials from NAC-enabled security applications such as antivirus.

NAD Notifies Policy Server

In step 2, the NAD notifies the policy server (Cisco Secure ACS) that an endpoint is requesting network access. A protected tunnel is set up between the policy server and the endpoint's posture agent. Once communication is established, the credentials from each of the posture plug-ins are sent to Cisco Secure ACS.

Cisco Secure ACS Compares Endpoint to NAC Policy

In step 3, Cisco Secure ACS looks at the admission control policy and compares the endpoint credentials to the policy to determine whether it is compliant. It determines which of the following posture states to assign to the endpoint:

  • Healthy—Endpoint is compliant; no network access restrictions.
  • Checkup—Endpoint is within policy, but an update is available. This state is typically used to proactively remediate a host to the Healthy state or to notify a user that a more recent update is available and recommend remediation.
  • Transition—This state became available in NAC Phase 2. The endpoint's posture validation is in progress; interim access is provided pending full posture validation. This state applies during an endpoint boot, when not all services may be running or audit results are not yet available.
  • Quarantine—Endpoint is out of compliance; restrict network access to a quarantine network for remediation. The endpoint is not an active threat but is vulnerable to a known attack or infection.
  • Infected—Endpoint is an active threat to other endpoint devices; network access should be severely restricted or denied entirely.
  • Unknown—Endpoint posture cannot be determined. Quarantine the host and audit or remediate until a definitive posture can be determined.

Cisco Secure ACS Forwards Information to Partner Policy Servers

In step 4, Cisco Secure ACS can optionally send user login (4a) and credentials (4b) to other policy decision servers. When this is done, Cisco Secure ACS expects to receive authentication status and a posture state from each of the policy decision servers.

In step 4a when NAC L2-802.1x is used, Cisco Secure ACS can send identity information to an authentication server. It confirms that the username and password are valid and returns a passed authentication message to Cisco Secure ACS. If identity authentication fails, no posture is checked and the endpoint fails authentication, resulting in no network access.

In step 4b in this example, an antivirus policy server determines that the device is out of compliance and returns a quarantine posture token to Cisco Secure ACS.

Keep in mind that NAC partner policy servers vary and offer a variety of compliance checks besides antivirus. For example, some vendors offer checking for spyware and patch management.

Cisco Secure ACS Makes a Decision

In step 5, Cisco Secure ACS compares all the posture states and determines which posture is the worst; infected is the worst and healthy is the best. It always assigns the worst state and takes the action for that posture. In this example, the user has passed authentication but the endpoint has been assigned a quarantine posture.

Cisco Secure ACS Sends Enforcement Actions

Cisco Secure ACS takes the actions assigned to a quarantine state. In this quarantine example, they can include the following:

  • Enforce quarantine access; this varies based on the NAD.
    - For NADs using NAC-L3-IP, the enforcement actions include a quarantine Access Control List (ACL) being applied to the endpoint.
    - For NADs using NAC-L2-IP, the enforcement actions include a quarantine ACL being applied to the endpoint.
    - For NADs using NAC-L2-802.1x, the enforcement action includes a quarantine virtual LAN (VLAN) being applied to the endpoint device.
  • Optionally, the endpoint device may be assigned a URL redirect to the remediation server.
  • Optionally, a notification message can be sent to the user, indicating that their device is not compliant and is being redirected for remediation.
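To make steps 3 to 6 concrete, here is an added Python model written for this page (it is not Cisco Secure ACS code): the worst application posture token becomes the system posture token, a failed identity check ends the process with no posture evaluation and no access, and the enforcement handed to the NAD depends on whether it runs NAC-L3-IP, NAC-L2-IP or NAC-L2-802.1X. The access-policy table, the remediation URL and the ACL/VLAN names are constructed placeholders; the ranking of the tokens between Healthy and Infected follows the order in which the text lists them and is an assumption.

```python
from typing import Dict, Iterable, Optional

# Posture tokens ranked best to worst. The text fixes the endpoints (Healthy best,
# Infected worst); the rank of the others follows the order the text lists them in,
# and placing Unknown beside Quarantine is an assumption that matches the text's
# advice to quarantine a host whose posture cannot be determined.
SEVERITY: Dict[str, int] = {
    "Healthy": 0, "Checkup": 1, "Transition": 2,
    "Quarantine": 3, "Unknown": 4, "Infected": 5,
}

REMEDIATION_URL = "https://remediation.example.internal/"  # constructed placeholder

# Constructed illustration of the per-posture network-access policy an
# administrator would define on Cisco Secure ACS.
ACCESS_POLICY: Dict[str, Dict[str, Optional[str]]] = {
    "Healthy":    {"access": "full",       "message": None},
    "Checkup":    {"access": "full",       "message": "Compliant, but an update is available."},
    "Transition": {"access": "interim",    "message": None},
    "Quarantine": {"access": "quarantine", "message": "Out of compliance; redirected for remediation."},
    "Unknown":    {"access": "quarantine", "message": "Posture unknown; quarantined pending audit."},
    "Infected":   {"access": "denied",     "message": "Infected; network access blocked."},
}


def system_posture_token(apts: Iterable[str]) -> str:
    """Combine application posture tokens (APTs) into the system posture token (SPT).

    Cisco Secure ACS keeps the worst token it received. Treating an empty token
    set as Unknown is an assumption made for this example.
    """
    tokens = list(apts)
    if not tokens:
        return "Unknown"
    bad = [t for t in tokens if t not in SEVERITY]
    if bad:
        raise ValueError(f"unrecognized posture token(s): {bad}")
    return max(tokens, key=SEVERITY.__getitem__)


def enforcement_for(spt: str, nad_method: str) -> Dict[str, object]:
    """Translate the SPT into what the NAD can actually enforce.

    NAC-L3-IP and NAC-L2-IP enforce with a downloadable ACL and may redirect the
    browser to the remediation server; NAC-L2-802.1X enforces with VLAN
    assignment only and cannot redirect.
    """
    access = ACCESS_POLICY[spt]["access"]
    if nad_method in ("NAC-L3-IP", "NAC-L2-IP"):
        enforcement = {"type": "acl", "name": f"{spt.lower()}-dacl"}   # placeholder ACL name
        redirect = REMEDIATION_URL if access == "quarantine" else None
    elif nad_method == "NAC-L2-802.1X":
        enforcement = {"type": "vlan", "name": f"{spt.lower()}-vlan"}  # placeholder VLAN name
        redirect = None
    else:
        raise ValueError(f"unsupported NAD method: {nad_method}")
    return {"enforcement": enforcement, "url_redirect": redirect}


def admission_decision(auth_passed: Optional[bool], apts: Iterable[str], nad_method: str) -> Dict:
    """Step 5 as the text describes it.

    auth_passed is None when no identity check applies (no 802.1X) and False
    when the directory rejected the login: then no posture is evaluated and the
    endpoint gets no access. Otherwise the worst APT drives policy and enforcement.
    """
    if auth_passed is False:
        return {"access": "denied", "spt": None, "reason": "identity authentication failed",
                "enforcement": None, "url_redirect": None, "user_message": None}
    spt = system_posture_token(apts)
    policy = ACCESS_POLICY[spt]
    enf = enforcement_for(spt, nad_method)
    return {"access": policy["access"], "spt": spt, "reason": f"worst APT is {spt}",
            "enforcement": enf["enforcement"], "url_redirect": enf["url_redirect"],
            "user_message": policy["message"]}


if __name__ == "__main__":
    # The worked example from the text: login passed, antivirus plug-in says Quarantine.
    for method in ("NAC-L3-IP", "NAC-L2-IP", "NAC-L2-802.1X"):
        print(method, admission_decision(True, ["Healthy", "Quarantine"], method))
```

Running it shows the same Quarantine SPT turning into a downloadable ACL plus a URL redirect on the IP-based NADs but into a VLAN assignment with no redirect on an 802.1X port, which is exactly the operational difference the two attribute lists earlier in the chapter call out.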


NAD Enforces Actions

In step 7, the NAD receives the quarantine policy enforcement from Cisco Secure ACS and responds accordingly. In this example, such a response would be to quarantine the endpoint, enforce an endpoint URL redirect to the remediation server, and send a quarantine message to the posture agent.

Posture Agent Actions

In step 8, the posture agent displays the quarantine message, and the user is redirected to the remediation server.

Actions available vary by NAC partner products. Cisco Secure ACS is capable of sending different application actions from HCAP-compliant policy servers to their specific application plug-ins. This can trigger actions such as the following:

  • Force an auto-remediation to a designated remediation server
  • Force an auto-patch by instructing the host to download and apply a patch automatically
  • Restart a stopped application service

In this example, the endpoint is now quarantined, and the user has been notified by a message. The user can elect to do nothing and remain quarantined, or comply and allow their computer to be updated.

The admission control process can take very little time, as little as milliseconds. The time varies and is based on many factors, including:

  • Where the endpoint is located in relation to the policy server and optional partner policy servers
  • Where the remediation server is located
  • The NAD's performance capability
  • Network bandwidth
  • How busy the policy servers are

As shown in Figure 6-3, an endpoint is changing from quarantine to healthy posture state.

Figure 6-3 Admission Process for Endpoint Changing from Quarantine to Healthy State

The following list explains the process shown in Figure 6-3:

  1. Endpoint remediated.
  2. Endpoint polled for change of compliance.
  3. Host credentials gathered from endpoint.
  4. Host credentials passed to Cisco Secure ACS.
  5. Cisco Secure ACS rechecks the NAC policy to determine whether the endpoint is compliant.
  6. Cisco Secure ACS forwards specific information to other partner policy servers.
    a. Identity information is sent to a directory server for authentication validation.
    b. Host credentials are sent to an antivirus policy server for posture determination.
  7. Cisco Secure ACS uses information from all policy servers and decides the endpoint's authorization. In this example, the endpoint is compliant and is assigned a healthy posture.
  8. Healthy enforcement actions are sent from Cisco Secure ACS to the NAD servicing the endpoint.
  9. NAD enforces admission actions and communicates healthy posture to Posture Agent.
  10. Posture Agent can notify the user that the endpoint is healthy. Many businesses prefer that a healthy posture be transparent to the user with no message notification displayed.

Endpoint Polled for Change of Compliance

Once an endpoint has been assigned a posture, it stays in effect and is not checked again until a NAC timer has expired or a posture agent trigger occurs.

The following are configurable timers for NAC:

  • Status Query—Ensures that an endpoint remains compliant with the admission policy. The timer begins at policy enforcement for the endpoint; compliance is rechecked after the timer expires. Different Status Query timers can exist for different posture states. A shorter amount of time is beneficial for noncompliant states such as quarantine; the device can be rechecked sooner than a healthy device, in order to regain full network access.
  • Revalidation—A time in which the posture remains valid. It can be set lower when an outbreak occurs, to force all endpoints to go through the admission policy process again. This enables endpoints to timeout at different intervals depending on where their timers are, versus forcing all endpoints to go through the validation process at the same time.

    In phase 2 with NAC-L2-802.1x, the NAD has no way to send a Status Query by way of 802.1x. To overcome this, beginning with version 2 of Cisco Trust Agent, an asynchronous status query capability exists. Cisco Trust Agent can send an Extensible Authentication Protocol over LAN (EAPOL)-Start to the NAD, or CTA can periodically poll all registered NAC application posture plug-ins looking for a change in credentials. If a credential has changed, CTA sends an EAPOL-Start, signaling the NAD to begin a new posture validation.

    In step 10 of Figure 6-3, the quarantine status query timer has expired.

The NAD is aware that the timer has expired for the endpoint, so it begins rechecking for compliance. The posture agent gathers credentials from the posture plug-ins of NAC-enabled security applications such as antivirus.
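The timer behavior described above, modeled as an added example. This is not Cisco code: the per-state Status Query values, the Revalidation default, and the endpoint names and credentials are constructed, and the only protocol detail reproduced is that CTA v2 sends EAPOL-Start when a polled plug-in reports a changed credential.

```python
"""Added illustration of the NAC timers described above (Status Query,
Revalidation, and the CTA v2 asynchronous trigger). Not Cisco code; all
timer values and endpoints are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Status Query interval per posture state (seconds, constructed). A quarantined
# endpoint is rechecked much sooner than a healthy one so it can regain access.
STATUS_QUERY: Dict[str, int] = {"healthy": 300, "quarantine": 30}
DEFAULT_REVALIDATION = 1800  # seconds (constructed); lowered during an outbreak


@dataclass
class Endpoint:
    name: str
    posture: str
    assigned_at: float               # when the current posture was enforced
    last_query_at: float             # when compliance was last rechecked
    credentials: Dict[str, str] = field(default_factory=dict)


def apply_posture(ep: Endpoint, posture: str, now: float) -> None:
    """Enforce a new posture; both timers restart from this moment."""
    ep.posture = posture
    ep.assigned_at = now
    ep.last_query_at = now


def nad_tick(ep: Endpoint, now: float,
             revalidation: int = DEFAULT_REVALIDATION) -> Optional[str]:
    """What the NAD does for this endpoint at time `now`.
    Revalidation (full admission process) takes precedence over a Status
    Query (lightweight recheck); None means the posture stays in effect."""
    if now - ep.assigned_at >= revalidation:
        return "revalidate"
    if now - ep.last_query_at >= STATUS_QUERY[ep.posture]:
        ep.last_query_at = now
        return "status-query"
    return None


def cta_poll(ep: Endpoint, reported: Dict[str, str]) -> Optional[str]:
    """NAC-L2-802.1x has no NAD-initiated Status Query, so CTA v2 polls its
    posture plug-ins and sends EAPOL-Start when any credential changes."""
    if reported != ep.credentials:
        ep.credentials = dict(reported)
        return "EAPOL-Start"
    return None


def outbreak_expiry(endpoints: List[Endpoint], revalidation: int,
                    now: float) -> List[Tuple[str, float]]:
    """Lowering the Revalidation timer during an outbreak: each endpoint
    expires at its own assigned_at + revalidation (never in the past), so
    revalidations are staggered instead of all hitting ACS at once."""
    return [(ep.name, max(now, ep.assigned_at + revalidation)) for ep in endpoints]


if __name__ == "__main__":
    q = Endpoint("laptop-1", "quarantine", assigned_at=0, last_query_at=0,
                 credentials={"av_dat_version": "100"})
    print(nad_tick(q, 20), nad_tick(q, 30))            # None status-query
    apply_posture(q, "healthy", 30)
    print(nad_tick(q, 300), nad_tick(q, 330))          # None status-query
    print(cta_poll(q, {"av_dat_version": "101"}))      # EAPOL-Start
    fleet = [Endpoint(f"pc-{i}", "healthy", i * 600, i * 600) for i in range(3)]
    print(outbreak_expiry(fleet, revalidation=900, now=1300))
```

The `outbreak_expiry` call shows the point made about lowering Revalidation: three healthy endpoints admitted 10 minutes apart expire at three different times even after the timer is cut to 900 seconds, so the policy server is not hit by every endpoint at once.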

Revalidation Process

From step 11 through step 18, the process is the same as the example described in Figure 6-2. The NAD notifies the policy server (Cisco Secure ACS) that an endpoint requests network access. This time, the Cisco Secure ACS determines that the posture is healthy for all admission checks and that the user login is valid. Authentication is successful, and Cisco Secure ACS assigns the healthy policy.

The NAD receives the healthy policy enforcement from Cisco Secure ACS and responds accordingly by allowing full network access. The timers begin for the healthy state.

The NAD informs the posture agent of the healthy status, but no message is sent to the user this time. The user can now resume normal network activity.

Network Admission for NAC Agentless Hosts

The previous example described the admission process for a NAC-enabled endpoint running a posture agent, such as Cisco Trust Agent. This section describes the process for endpoints that do not have a posture agent.

NAC agentless hosts (NAH) can be accommodated by several methods, as shown in Table 6-2. A NAH exception list or whitelist can be created to identify known endpoints that do not have a posture agent installed and running. Which option applies depends on the NAC Framework component doing the administration and on the NAD enforcement method in use.

Table 6-2. NAC Agentless Host Exceptions and Whitelisting

For each component, the table lists its administration model and how agentless hosts are handled under each NAD enforcement method (NAC-L2 IP, NAC-L3 IP, and NAC-L2 802.1x).

NAD
  • Administration model: distributed, managed at the device level; does not scale
  • NAC-L2 IP: device type, IP, or MAC; enforcement by intercept ACL (IP/MAC)
  • NAC-L3 IP: device type, IP, or MAC; enforcement by intercept ACL (IP)
  • NAC-L2 802.1x: MAC-Auth-Bypass (identity + posture)

Cisco Secure ACS whitelist
  • Administration model: centralized; scales
  • NAC-L2 IP: MAC (posture only)
  • NAC-L3 IP: MAC (posture only)
  • NAC-L2 802.1x: MAC-Auth-Bypass (identity + posture)

Audit
  • Administration model: centralized; scales
  • NAC-L2 IP: active network scan, remote login, browser object, hardware/software inventory
  • NAC-L3 IP: active network scan, remote login, browser object, hardware/software inventory
  • NAC-L2 802.1x: not supported at the time of this writing

Source: Cisco Systems, Inc.²

The audit server can be used for NAH in all enforcement methods and is a single centrally managed server. As shown in Figure 6-4, an audit server can be included as a decision policy server for NAH. The audit server can determine the posture credentials of an endpoint without relying on the presence of a posture agent.

Figure 6-4 Admission Control for NAC Agentless Host

The following list explains the process shown in Figure 6-4:

  1. An endpoint attempts to access the network. The trigger mechanism is dependent upon the NAD's capabilities and configuration. The NAD attempts to initiate posture validation with the posture agent, but no posture agent (Cisco Trust Agent) exists.
  2. The NAD notifies the policy server (Cisco Secure ACS) that an endpoint is requesting network access with no Cisco Trust Agent (CTA) present.
  3. Cisco Secure ACS cannot determine whether the NAH is compliant because no posture agent exists. Cisco Secure ACS performs the following:
    1. Assign a transition posture to grant a temporary, limited network access to the agentless host while the audit server is determining the full posture validation. The NAD enforces the transition admission policy.
    2. Notify the external audit server that the NAH is requesting admission.
  4. Because it cannot determine compliance on its own, Cisco Secure ACS uses the Generic Authorization Message Exchange (GAME) protocol to ask the audit server to scan the endpoint.
    1. The audit server scans the endpoint. It evaluates the endpoint's software information against the audit server's compliance policy. It determines that the operating system patch level is compliant or healthy, but the posture agent is missing, so it is considered noncompliant.
    2. Quarantine is the application posture token (APT) assigned by the audit server for this NAH and is communicated to Cisco Secure ACS.
  5. Cisco Secure ACS uses quarantine as the final posture, which is referred to as the system posture token (SPT), and takes the actions assigned to a quarantine state. The actions can include the following:
    - Enforce quarantine access—This varies based on the NAD:
      For NAC-L3-IP, a quarantine ACL is applied to the endpoint.
      For NAC-L2-IP, a quarantine ACL is applied to the endpoint.
      For NAC-L2-802.1x, the endpoint is placed in a quarantine VLAN.

    - Enforce Redirection (optional)—In this example, the endpoint device is assigned a URL redirect to the remediation server.
  6. The NAD receives the quarantine policy enforcement from Cisco Secure ACS. It quarantines the endpoint and sends the endpoint a redirect URL to go to the remediation server.
  7. The endpoint is now quarantined and redirected to a remediation server. With NAH, the URL redirect is the only way to provide feedback to the user because there is no posture agent present. At this point, the user can elect to do nothing and remain quarantined, or comply and allow their host to remediate by installing Cisco Trust Agent.

From this point, the NAC Framework process is the same as the example in which the endpoint state changed from quarantine to healthy as shown in Figure 6-3.
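The agentless-host decision just walked through, together with step 7 of the Figure 6-3 example (Cisco Secure ACS combining the answers from all policy servers), as an added example. This is not Cisco code: the audit policy, MAC address, IP address, ACL/VLAN names and remediation URL are constructed, and the rule that the system posture token is the least healthy application posture token is this illustration's assumption, not something the chapter states.

```python
"""Added illustration of the Figure 6-4 agentless-host decision and of how
Cisco Secure ACS turns per-server posture tokens into one enforcement
decision. Not Cisco code; policy, names and URL are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Posture tokens used in this chapter, best to worst. Taking the least healthy
# APT as the system posture token (SPT) is this illustration's assumption.
TOKEN_RANK: Dict[str, int] = {"healthy": 0, "transition": 1, "quarantine": 2}
REMEDIATION_URL = "http://remediation.example.local/nah"  # constructed


@dataclass
class AgentlessHost:
    mac: str
    ip: str
    os_patch_compliant: bool
    cta_installed: bool = False


def system_posture(apts: Dict[str, str]) -> str:
    """Combine the application posture tokens (APTs) returned by the policy
    servers into one SPT: the worst token wins."""
    return max(apts.values(), key=lambda t: TOKEN_RANK[t])


def enforcement(spt: str, nad_method: str) -> Dict[str, str]:
    """Actions the NAD applies for an SPT: an ACL for the IP methods, a VLAN
    for 802.1x, plus a URL redirect to remediation when quarantined."""
    if nad_method in ("NAC-L2-IP", "NAC-L3-IP"):
        actions = {"acl": f"{spt}-acl"}
    elif nad_method == "NAC-L2-802.1x":
        actions = {"vlan": f"{spt}-vlan"}
    else:
        raise ValueError(f"unknown NAD method: {nad_method}")
    if spt == "quarantine":
        actions["redirect"] = REMEDIATION_URL
    return actions


def audit_scan(host: AgentlessHost) -> str:
    """Constructed audit-server policy: a patched OS with no posture agent is
    still noncompliant, exactly the outcome in the Figure 6-4 walkthrough."""
    return "healthy" if host.os_patch_compliant and host.cta_installed else "quarantine"


def agentless_admission(host: AgentlessHost, nad_method: str,
                        whitelist: Dict[str, str],
                        audit: Callable[[AgentlessHost], str] = audit_scan
                        ) -> List[Tuple[str, str, Dict[str, str]]]:
    """Returns the (stage, SPT, enforcement) sequence ACS and the NAD go
    through for a host with no Cisco Trust Agent."""
    # Cisco Secure ACS whitelist (Table 6-2): MAC-keyed, posture only.
    if host.mac in whitelist:
        spt = whitelist[host.mac]
        return [("whitelist", spt, enforcement(spt, nad_method))]
    if nad_method == "NAC-L2-802.1x":
        # Table 6-2: the audit server is not supported for 802.1x, so a
        # non-whitelisted agentless host has no path to posture validation.
        raise ValueError("audit server not supported for NAC-L2-802.1x; "
                         "use a MAC-Auth-Bypass whitelist entry")
    # Step 3: a transition posture grants limited access while the audit runs.
    stages = [("transition", "transition", enforcement("transition", nad_method))]
    # Step 4: ACS asks the audit server over GAME; the result is that server's APT.
    # Step 5: the SPT decides the final enforcement the NAD applies.
    spt = system_posture({"audit": audit(host)})
    stages.append(("audit", spt, enforcement(spt, nad_method)))
    return stages


if __name__ == "__main__":
    printer = AgentlessHost("0000.0c12.3456", "10.1.20.7", os_patch_compliant=True)
    for stage in agentless_admission(printer, "NAC-L3-IP", whitelist={}):
        print(stage)
    # Same host after the user installs Cisco Trust Agent and is revalidated.
    printer.cta_installed = True
    print(agentless_admission(printer, "NAC-L3-IP", whitelist={})[-1])
    # A known device on the ACS whitelist skips the audit entirely.
    print(agentless_admission(printer, "NAC-L2-802.1x", {"0000.0c12.3456": "healthy"}))
    # Figure 6-3, step 7: one noncompliant policy server answer drives the SPT.
    print(system_posture({"directory": "healthy", "antivirus": "quarantine"}))
```

Running the block prints the two-stage transition-then-quarantine sequence for a patched host without an agent, the healthy result once the agent is installed, the single whitelist stage for a known MAC, and the quarantine SPT produced when only one policy server objects. The 802.1x branch raising an error is deliberate: per Table 6-2, an agentless host on a NAC-L2-802.1x port must be whitelisted through MAC-Auth-Bypass because the audit path does not exist there.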