cisco network admission control (nac) architectures · 2019-12-14 · title:...
TRANSCRIPT
![Page 1: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/1.jpg)
Cisco Network Admission Control (NAC) Architectures
Copyright 20081
Cisco MidAtlantic Users Group MeetingJanuary 2009
Rob Chee CCIE #8188
![Page 2: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/2.jpg)
Agenda
• NAC Overview• Cisco NAC Terminology• Cisco NAC Architectures
Copyright 20082
![Page 3: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/3.jpg)
NAC Overview
• Security Policy Enforcement– Enforce the company security policies– Minimize attack vectors used by worms and viruses– Meet compliance requirements
• Enable granular network access– Ensure only authorized users can access the network
Copyright 2008
– Ensure only authorized users can access the network– Easier guest user access
• Network Inventory (secondary measure)– Reports show computer information– Computer MAC Addresses shown in certified device li st
and online users list
3
![Page 4: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/4.jpg)
NAC Overview > NAC Components
• NAC Appliance Manager (NAM)– Central management– All policy configuration done here– All licensing tied to MAC on this device
• NAC Appliance Server (NAS)
Copyright 2008
• NAC Appliance Server (NAS)– Enforcement point– Each NAS can only support one mode
(L3 OOB Real IP GW, L2 IB VG,…)
• Agent– NAC Agent (aka Clean Access Agent)– Web Agent (aka Temporal Agent)
• No remediation 4
![Page 5: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/5.jpg)
NAC Overview > High Level View
Copyright 20085
From Cisco Live 2008“Deploying NAC”
![Page 6: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/6.jpg)
NAC Overview > Traffic Flows
Copyright 20086
From Cisco Live 2008 “Deploying NAC”
![Page 7: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/7.jpg)
NAC Overview > PCI Compliance
PCIRequirement Number
Description
5 Use and regularly update anti-virus software
6 Develop and maintain secure systems and applications
7 Restrict access to cardholder data by business need-to-know
Copyright 2008
know
12 Maintain a policy that addresses information security
7
From Cisco Live 2008: Enforcing PCI Security Compliance with Cisco PACE
![Page 8: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/8.jpg)
NAC Overview > The Process
Steps
1. Authenticate and Authorize
Copyright 20088
2. Scan and Evaluate
3. Quarantine (if necessary)
4. Update and Remediate (if necessary)
![Page 9: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/9.jpg)
NAC Overview > The Process
Authenticate and Authorize
Scan and Evaluate Quarantine Update and
Remediate
•Authentication • Manual Login• VPN SSO
Copyright 20089
• VPN SSO• AD SSO
• Authorization/User role • Login name• RADIUS attributes• LDAP attributes
![Page 10: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/10.jpg)
NAC Overview > The Process
2. Scan and EvaluateApplication Check(check shown)
Service Check(check shown)
Authenticate and Authorize
Scan and Evaluate Quarantine Update and
Remediate
Copyright 200810
(check shown)
Registy Check(check shown)
File Check(check shown)
![Page 11: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/11.jpg)
NAC Overview > The Process
2. Scan and Evaluate
AV/AS Updates(requirement-rule shown)
Authenticate and Authorize
Scan and Evaluate Quarantine
Update and
Remediate
Copyright 200811
Microsoft Updates(requirement shown)
Nessus Scans(Plugins shown)
![Page 12: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/12.jpg)
NAC Overview > The Process
Authenticate and Authorize
Scan and Evaluate Quarantine Update and
Remediate
•Place in quarantine/temporary role for remediation
Copyright 200812
• Allow access to only remediation/update resources• Microsoft Update Server• Antivirus Definition Update Server
![Page 13: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/13.jpg)
NAC Overview > The Process
Authenticate and Authorize
Scan and Evaluate Quarantine Update and
Remediate
Copyright 200813
![Page 14: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/14.jpg)
NAC Overview > Network Inventory
Report
Copyright 200814
Certified Device
List
![Page 15: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/15.jpg)
NAC Overview > Sizing
Copyright 200815
From Cisco NAC Chalktalk 1
![Page 16: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/16.jpg)
Agenda
• NAC Overview
• Cisco NAC Terminology• Cisco NAC Architectures
Copyright 200816
![Page 17: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/17.jpg)
Cisco NAC Terminology
• Authentication VLAN• Access VLAN• L2• L3• Virtual Gateway
Common Combinations
�L3 OOB Real-IP Gateway�Central Deployments
Copyright 2008
• Real-IP Gateway• In-Band (IB)• Out-of-Band (OOB)
17
�Central Deployments�L3 In-Band Virtual Gateway
�Remote Access VPN
![Page 18: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/18.jpg)
Cisco NAC Terms > Authentication VLAN
Copyright 200818
![Page 19: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/19.jpg)
Cisco NAC Terms > Access VLAN
Copyright 200819
![Page 20: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/20.jpg)
Cisco NAC Terms > L2
• Client is on the same subnet as NAC Server• NAC Server can see MAC addresses of clients
Copyright 200820
![Page 21: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/21.jpg)
Cisco NAC Terms > L3
• Not on the same subnet as the NAC Server• MAC address of clients provided by Agent
Copyright 200821
![Page 22: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/22.jpg)
Cisco NAC Terms > Virtual Gateway
• NAC Server acts as a bridge• Traffic directed through NAC Server in two ways
– Route traffic through the NAC Server– Accept traffic requests using “Managed Subnets” (pr oxy
arp)
Copyright 200822
![Page 23: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/23.jpg)
Cisco NAC Terms > Virtual Gateway
• Use “Managed Subnets” for L2 adjacent clients– Use an unused IP in config– Provides a NAS IP for proxy arp
services
Copyright 200823
![Page 24: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/24.jpg)
Cisco NAC Terms > Virtual Gateway
• VLAN Trunking– 802.1q VLAN trunk on interfaces is best practice
• Allows for additional managed VLANs to be easily ad ded• Allows for admin interface on separate VLAN
– Use VLAN Mapping to retag untrusted VLAN to a trust ed VLAN
Copyright 2008
• Use only when VLAN trunking is used
24
![Page 25: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/25.jpg)
Cisco NAC Terms > Real IP Gateway
• NAC Server acts as a router• Routing Protocols are not supported• Route Configuration Notes
– Default route is to the internal network– Create static routes for authentication
VLAN networks in L3 mode
Copyright 200825
![Page 26: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/26.jpg)
Cisco NAC Terms > In-Band (IB)
• Traffic always flows through the NAC Server• Mostly used for VPN and Wireless scenarios• Advantages
– Can limit bandwidth based on policy– User role policy enforced on NAC Server
• Disadvantages
Copyright 2008
– Bandwidth limited by what can flow through the NAC server
26
![Page 27: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/27.jpg)
Cisco NAC Terms > Out-of-Band (OOB)
• Traffic is still in-band for authentication
• Traffic moved OOB by VLAN change on access switch
• VLAN change via SNMP from NAM to switch
Copyright 2008
• VLAN change via SNMP from NAM to switch• Removes BW limitation by NAC Server• Relies on using Cisco supported switches
27
![Page 28: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/28.jpg)
Cisco NAC Terms > Out-of-Band (OOB)
Copyright 200828
Snm
p
DHCPRenew
![Page 29: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/29.jpg)
Cisco NAC Terms > Out-of-Band (OOB)
• Advantages– Bandwidth not limited by NAC Server
• Disadvantages– User role not limited by NAC Server– Relies on reliable NAM to switch communication
Copyright 200829
![Page 30: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/30.jpg)
Agenda
• NAC Overview• Cisco NAC Terminology
• Cisco NAC Architectures
Copyright 200830
![Page 31: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/31.jpg)
NAC Architectures Notes
• Showing Common Scenarios• Best Practices can still change as NAC changes
– Simplify Login Process• (4.0) AD SSO option
– Updates to assist with IP phone integration• (4.1.0) DHCP release/renew through Agent
Copyright 2008
• (4.1.0) DHCP release/renew through Agent• (4.1.1) DHCP release/renew through Agent Stub
– Enhanced Features• (4.5) Wireless can be OOB with NAC 4.5 and WLC 5.1
31
![Page 32: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/32.jpg)
NAC Arch > Mapping
Network Design NAC Architecture
Remote Access VPN Users L3 IB Virtual Gateway
Wireless Users L2 IB Virtual Gateway or L2 OOB Virtual Gateway (ver 4.5)
Collapsed Backbone (VLAN trunkingto NAS)
L2 IB or OOB Virtual Gateway
Distributed Backbone (L3 pushed to L3 OOB Real-IP Gateway
Copyright 2008
Distributed Backbone (L3 pushed to the edge)
L3 OOB Real-IP Gateway
Remote Office NAC Server at Remote Office• L2 or L3 IB Virtual Gateway
NAC Server at Central Site• L3 OOB Real IP Gateway
32
![Page 33: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/33.jpg)
NAC Arch > Remote Access VPN Users
• L3 In-Band Virtual Gateway
• VPN SSO when using RADIUS for authentication
Copyright 200833
![Page 34: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/34.jpg)
NAC Arch > Remote Access VPN Users
Copyright 2008
L3 In-Band Virtual Gateway
34
![Page 35: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/35.jpg)
NAC Arch > Wireless Users
• Wireless users must always be L2 adjacent to NAS
• Pre 4.5 was only L2 In-Band Virtual Gateway
• 4.5 allows for L2 Out -of -Band Virtual Gateway
Copyright 2008
• 4.5 allows for L2 Out -of -Band Virtual Gateway
35
![Page 36: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/36.jpg)
NAC Arch > In-Band Wireless Users
Copyright 200836
L2 In-Band Virtual Gateway
![Page 37: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/37.jpg)
NAC Arch > Out-of-Band Wireless Users
Copyright 200837
L2 Out-of-Band Virtual Gateway
![Page 38: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/38.jpg)
NAC Arch > Collapsed Backbone
• Switches use 802.1q VLAN trunks from access switches to the NAS at the core
• L2 In-Band Virtual Gateway• L2 Out-of-Band Virtual Gateway• Not as common
Copyright 200838
![Page 39: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/39.jpg)
NAC Arch > Distributed Backbone
• L3 pushed to the edge• L3 Out-of-Band Real IP Gateway• Relies on Cisco NAC supported switches
Copyright 200839
![Page 40: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/40.jpg)
NAC Arch > Dist BBone > Communication Options
• ACL• PBR• VRF-Lite• GRE Tunnel
Copyright 200840
![Page 41: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/41.jpg)
NAC Arch > Dist BBone > Comm Option > ACL
• Most popular method today• Restrict authentication VLAN at the edge• Advantage
– Easier to implement
• Disadvantage– Guest Users need a special URL to login
Copyright 2008
– Guest Users need a special URL to login– ACLs must be added to all access routers/switches
41
ACL
![Page 42: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/42.jpg)
NAC Arch > Dist BBone > Comm Option > ACL
Authentication VLAN ACL Access VLAN ACL
Ip access-list extended authenticationremark allow NAC Server trafficpermit ip any host 10.1.1.1remark allow WSUS updatespermit tcp any host 10.2.2.10 eq 80remark allow AV trafficpermit tcp any host 10.2.2.11 eq 80
Ip access-list extended accessremark Deny Agent trafficdeny udp any any eq 8905deny udp any any eq 8906permit ip any any
Copyright 2008
permit tcp any host 10.2.2.11 eq 80deny ip any any
42
![Page 43: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/43.jpg)
NAC Arch > Dist BBone > Comm Option > PBR
• Base routing decisions based on source IP• Not Scalable b/c every router needs custom config
Copyright 200843
![Page 44: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/44.jpg)
NAC Arch > Dist BBone > Comm Option > VRF-Lite
• Provide a separate routing instance for authentication VLAN traffic
• Adds to complexity– New router must have VRF-Lite applied
• Recommended for networks already using VRF-Lite
Copyright 2008
Lite
44
![Page 45: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/45.jpg)
NAC Arch > Dist BBone > Comm Option > GRE Tunnels
• A tunnel is created between the access layer and NAC Server
• Difficult to scale• Can be used in conjunction with VRF Lite
Copyright 200845
![Page 46: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/46.jpg)
NAC Arch > Remote Offices
• Two Options– NAC Server at remote office– NAC Server at central office
• NAC Server Placement Guideline– Put NAC Server at large remote office
• Traffic Guidelines
Copyright 2008
• Traffic Guidelines– Apply QoS for NAC traffic (SNMP, NAC ports)
46
![Page 47: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/47.jpg)
NAC Arch > Remote Offices > Remote Office NAC Server
Description Architecture
One user subnet at remote site
L2 IB Virtual Gateway
Multiple subnets at remote site
L3 IB Virtual Gateway
Copyright 200847
![Page 48: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/48.jpg)
NAC Arch > Remote Offices > Remote Office NAC Server
• Can use NAC Module for 2800 and 3800 ISR routers– Can support
• L2 or L3• in-band or out-of-band• Real IP Gateway or Virtual Gateway
– Limitations
Copyright 2008
• No High Availability• No NAC Profiler support• No wireless OOB• 100 User Maximum
48
![Page 49: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/49.jpg)
NAC Arch > Remote Offices > Remote Office NAC Server
• Advantage– In-Band can limit traffic and bandwidth access by r ole– Fail-Open option
• Disadvantage– Cost– More devices to upgrade
Copyright 2008
– More devices to upgrade
49
![Page 50: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/50.jpg)
NAC Arch > Remote Offices > Central Office NAC Server
• L3 OOB Real IP Gateway• Use QoS to ensure SNMP and NAC traffic takes
precedence
Copyright 200850
![Page 51: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/51.jpg)
NAC Arch > Remote Offices > Central Office NAC Server
• Advantage– Less Expensive
• Disadvantage– Less Managablility
• No bandwidth limit• No traffic policy limit
Copyright 2008
• No traffic policy limit
– More traffic on the WAN• Agent updates
– Rely on reliable WAN connectivity
51
![Page 52: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/52.jpg)
Summary
• NAC Overview• Cisco NAC Terminology• Cisco NAC Architectures
Copyright 200852
![Page 53: Cisco Network Admission Control (NAC) Architectures · 2019-12-14 · Title: NAC-Architecture-CMUG-forpdf [Compatibility Mode] Author: rchee Created Date: 1/21/2009 10:33:18 AM](https://reader030.vdocuments.net/reader030/viewer/2022040404/5f0daea97e708231d43b900e/html5/thumbnails/53.jpg)
References
• Main Cisco NAC page– http://www.cisco.com/go/nac/appliance
• Cisco NAC Chalk Talks– http://www.cisco.com/en/US/prod/collateral/vpndevc/ ps5707/ps8418/ps61
28/prod_presentation0900aecd80549168.html
• Cisco NAC Wiki
Copyright 2008
• Cisco NAC Wiki– http://supportwiki.cisco.com/ViewWiki/index.php/Cat egory:Cisco_NAC_
Appliance_(Clean_Access)
• Miami of Ohio Mailing List– http://listserv.muohio.edu/scripts/wa.exe?A0=cleana ccess
• NAC Book by Jamey Heary• Netcraftsmen Security Blog
– http://security-blog.netcraftsmen.net
53