Network Admission Control to WLAN at WIT

Presented by: Aidan McGrath B.Sc. M.A.

Uploaded by rafe, posted 11-Feb-2016. Category: Documents (PowerPoint PPT presentation, 19 slides).

TRANSCRIPT

Page 1: Network Admission Control to WLAN at WIT

Presented by: Aidan McGrath B.Sc. M.A.

Page 2

Why deploy a wireless LAN?

• Can be seen to be behind the technology by potential students if not deployed.
• Keep up with the technology demands of modern students.
• It will happen anyway, so why not take control from the start.
• Students are used to mobile phones, so why not mobile computing?
• Reduce the demand for providing more PCs, which then need to be replaced.

Page 3

What are the challenges of a WLAN?

• Disappearing security boundaries expose internal infrastructure and assets.
• Ensuring policy compliance for all endpoint devices seeking network access.
• Providing sufficient access points: how many, and where?
• Does one size fit all?

Page 4

What are the solutions?

• Turn on the service and hope for the best: no checking of laptops for vulnerabilities.
• Manual intervention to assess laptops for risks.
• Automatic posture assessment of the laptop at time of connection: network admission control (NAC).

Page 5

Network Admission Control (NAC)

Use the network to enforce policies to ensure that incoming devices are compliant.

Identity: Who is the user? Is s/he authorised? What role does s/he get?

PLUS

Device security: Is the OS patched? Does A/V or A/S exist? Is it running? Are services on? Do required files exist?

PLUS

Network security: Is policy established? Are non-compliant devices quarantined? Is remediation required? Is remediation available?

(Diagram: the three layers sit between the user’s login prompt and the campus switches, with NAC spanning all three.)

Page 6

All-in-One Policy Compliance and Remediation Solution

Authenticate & Authorise: enforces authorisation policies and privileges; supports multiple user roles.

Scan & Evaluate: agent scan for required versions of hotfixes, AV, and other software; network scan for virus and worm infections and port vulnerabilities.

Quarantine: isolate non-compliant devices from the rest of the network; MAC- and IP-based quarantine, effective at a per-user level.

Update & Remediate: network-based tools for vulnerability and threat remediation; help-desk integration.

Page 7

Cisco NAC Appliance (Cisco Clean Access) Components

Clean Access Server (CAS): serves as an in-band or out-of-band device for network access control.

Clean Access Manager (CAM): centralises management for administrators, support personnel, and operators.

Clean Access Agent: optional lightweight client for device-based registry scans in unmanaged environments.

Rule-set Updates: scheduled automatic updates for anti-virus, critical hotfixes and other applications.

Page 8

Clean Access: Sampling of Pre-Configured Checks

• Critical Windows Updates: Windows XP, Windows 2000, Windows 98, Windows ME
• Anti-Virus Updates
• Anti-Spyware Updates
• Other 3rd Party Checks
• Cisco Security Agent
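The checks on slides 5, 6 and 8 amount to a rule set evaluated per user role against what the agent finds on the laptop: missing hotfixes, AV present/running/current, anti-spyware, required services and files. The following is an added example of that evaluation in Python, not Cisco's agent or rule-set code. The PostureReport fields, the ROLE_RULES table, the "HF-*" hotfix labels, the staff service and file names and the sample laptop are constructed placeholders; only the two update URLs come from the slides (slide 15).

```python
"""Role-based posture evaluation modelled on the Clean Access checks.
Added example, not Cisco code: rules, hotfix labels and the sample laptop
are constructed placeholders."""
from dataclasses import dataclass, field, replace
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass
class PostureReport:
    """What an agent registry scan would report for one laptop."""
    os_name: str
    hotfixes: Set[str]                  # installed critical updates
    av_installed: bool
    av_running: bool
    av_signature_date: date
    antispyware_installed: bool
    running_services: Set[str] = field(default_factory=set)
    present_files: Set[str] = field(default_factory=set)


# Hypothetical per-role rule set; "HF-*" labels stand in for real hotfix IDs,
# and the staff service/file names are placeholders.
ROLE_RULES: Dict[str, dict] = {
    "student": {
        "hotfixes": {"Windows XP": {"HF-1", "HF-2"}, "Windows 2000": {"HF-1"}},
        "av": True, "max_sig_age_days": 7, "antispyware": False,
        "services": set(), "files": set(),
    },
    "staff": {
        "hotfixes": {"Windows XP": {"HF-1", "HF-2", "HF-3"},
                     "Windows 2000": {"HF-1", "HF-3"}},
        "av": True, "max_sig_age_days": 3, "antispyware": True,
        "services": {"CSAgent"}, "files": {"C:\\WIT\\policy.txt"},
    },
}

# Remediation sites named on slide 15.
WINDOWS_UPDATE = "http://windowsupdate.microsoft.com"
AV_UPDATE = "https://liveupdate.symantec.com"


def evaluate(report: PostureReport, role: str,
             today: date) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (compliant, failures); each failure is (check, remediation step).
    The failure list is what the CAM would hand the agent as guided remediation."""
    rules = ROLE_RULES[role]
    failures: List[Tuple[str, str]] = []
    # An OS with no hotfix entry (Windows 98/ME here) has no hotfix requirement.
    missing = rules["hotfixes"].get(report.os_name, set()) - report.hotfixes
    if missing:
        failures.append(("critical_windows_updates",
                         f"Install {', '.join(sorted(missing))} from {WINDOWS_UPDATE}"))
    if rules["av"]:
        if not report.av_installed:
            failures.append(("anti_virus", "Install an approved anti-virus product"))
        else:
            if not report.av_running:
                failures.append(("anti_virus", "Start the anti-virus service"))
            if (today - report.av_signature_date).days > rules["max_sig_age_days"]:
                failures.append(("anti_virus_updates",
                                 f"Update signatures from {AV_UPDATE}"))
    if rules["antispyware"] and not report.antispyware_installed:
        failures.append(("anti_spyware", "Install an approved anti-spyware product"))
    for svc in sorted(rules["services"] - report.running_services):
        failures.append(("service", f"Start required service {svc}"))
    for path in sorted(rules["files"] - report.present_files):
        failures.append(("file", f"Required file missing: {path}"))
    return not failures, failures


# Constructed sample: an XP laptop one update short, with ten-day-old signatures.
SAMPLE = PostureReport(os_name="Windows XP", hotfixes={"HF-1"}, av_installed=True,
                       av_running=True, av_signature_date=date(2016, 2, 1),
                       antispyware_installed=False)


def demo(today: date = date(2016, 2, 11)):
    """Evaluate the sample as student, as staff, and as student after remediation."""
    remediated = replace(SAMPLE, hotfixes={"HF-1", "HF-2"}, av_signature_date=today)
    return (evaluate(SAMPLE, "student", today),
            evaluate(SAMPLE, "staff", today),
            evaluate(remediated, "student", today))


if __name__ == "__main__":
    for label, (ok, fails) in zip(("student", "staff", "remediated"), demo()):
        print(label, "compliant" if ok else "non-compliant", fails)
```

The same laptop passes or fails depending on the role it logs in as, which is the "types of checks depend on user role" point on slides 10 and 11; the remediation strings are what a guided self-remediation screen would show.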

Page 9

Product User Flow Overview

The Goal: Intranet/Network.

1. End user attempts to access a Web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.
2. User is redirected to a login page. Clean Access validates username and password (against the Authentication Server) and also performs device and network scans to assess vulnerabilities on the device.
3a. Quarantine: device is non-compliant or login is incorrect. User is allowed 30 min limited access to appropriate remediation sites.
3b. Device is “clean”: machine goes on the “certified devices list” and is granted access to the network.

(Diagram components: Clean Access Server, Clean Access Manager, Authentication Server.)

Page 10

Screen Shots (MS Client)

(Screenshots: login screen; scan is performed, types of checks depend on user role; scan fails; remediate.)

Page 11

Screen Shots (Web browser – non MS)

(Screenshots: login screen; scan is performed, types of checks depend on user role/OS; guided self-remediation.)

Page 12

Process Flow: Wireless Access

1. Wireless user connects to the WLC via LWAPP (open authentication).
2. Wireless user obtains an IP address from the WLC.
3. Wireless user opens a browser and is redirected to download the Clean Access Agent (if they don’t already have it loaded).

(Diagram, NAC Enforcement Point, laptop Role: “Unauthenticated”: Laptop 192.168.50.3; WLC 192.168.60.3 on Mgmt VLAN 60 and 192.168.50.2 on User VLAN 50; L3 Switch 192.168.10.1; Clean Access Server 192.168.10.2; Auth Server 10.1.1.25; Radius Accounting Server 10.1.1.26; Clean Access Manager 10.1.1.30; DNS Server 10.20.20.20; Intranet Server.)

Page 13

Process Flow: Network Admission Control 1

1. CAS determines that the laptop MAC address is not in the “certified device” list (not logged on recently).
2. CAS puts the laptop into the “Unauthenticated” role.
3. Laptop gets an IP address from the DHCP server, but cannot get past the CAS acting as an “IP filter”.
4. Laptop user opens a browser and is redirected to an SSL-based web login page.
• User enters credentials.
• User is asked to download the Clean Access Agent.

(Diagram, NAC Enforcement Point, laptop Role: “Unauthenticated”: Laptop 192.168.1.150; Router 192.168.1.1; Clean Access Server 192.168.1.2; Auth Server (Radius) 10.1.1.25; Clean Access Manager 10.1.1.30; DNS Server; Internet Web Server.)

Page 14

Process Flow: NAC 2

5. Clean Access Agent performs the posture assessment and forwards the results to the CAS to make the network admission decision.
6. CAS forwards the posture report to the CAM.
• CAM determines that the laptop is NOT in compliance and instructs the CAS to put the laptop into the “Temporary” role.
7. CAM sends remediation steps to the Clean Access Agent.

(Diagram, NAC Enforcement Point, laptop Role: “Temporary”: Laptop 192.168.1.150; Router 192.168.1.1; Clean Access Server 192.168.1.2; Auth Server 10.1.1.25; Clean Access Manager 10.1.1.30; DNS Server 10.20.20.20; Internet Web Server.)

Page 15

Process Flow: NAC 3

8. Clean Access Agent displays the access time remaining in the “Temporary” role for the laptop.
• CCA Agent guides the user step-by-step through remediation.
• Patches can be downloaded from update sites such as https://liveupdate.symantec.com or http://windowsupdate.microsoft.com
9. CCA Agent informs the CAS that the laptop has been successfully remediated.

(Diagram, NAC Enforcement Point, laptop Role: “Temporary”: Laptop 192.168.1.150; Router 192.168.1.1; Clean Access Server 192.168.1.2; Auth Server 10.1.1.25; Clean Access Manager 10.1.1.30; DNS/DHCP Server 10.20.20.20; Internet Web Server.)

Page 16

Process Flow: NAC 4

10. CAS puts the MAC address of the laptop into the “Certified Device” list.
• CAS assigns the laptop to the “Clean” role for a 24 hour period.
• Laptop is now allowed complete access to the Internet.

(Diagram, NAC Enforcement Point, laptop Role: “Clean”: Laptop 192.168.1.150; Router 192.168.1.1; Clean Access Server 192.168.1.2; Auth Server 10.1.1.25; Clean Access Manager 10.1.1.30; DNS Server 10.20.20.20; Internet Web Server.)
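The user flow on slide 9 and the ten numbered steps on slides 12 to 16 describe one state machine: a session starts in the Unauthenticated role, where the CAS IP filter lets nothing but the web-login page through; a failed posture check moves it to the Temporary role with a 30 minute window onto remediation sites; a passing check moves it to the Clean role and puts the MAC address on the certified-device list for 24 hours, so the next connection skips login. The following is an added Python model of that flow, not Cisco CAS/CAM code. The class and method names, the one-entry user directory standing in for the RADIUS server, the remediation-site addresses and the per-role port lists are assumptions, as is dropping a session back to Unauthenticated when its Temporary or Clean timer runs out (the slides show the countdown but not what happens at zero); the CAS and DNS addresses are the ones on the slide 13 and slide 14 diagrams.

```python
"""Added model of the CAS/CAM admission flow on slides 9 and 12-16 (not Cisco code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, Optional

TEMP_ROLE = timedelta(minutes=30)   # slide 9: 30 min limited access to remediation sites
CLEAN_ROLE = timedelta(hours=24)    # slide 16: "Clean" role / certified for 24 hours
CAS_IP = "192.168.1.2"              # Clean Access Server, slide 13 diagram
DNS_IP = "10.20.20.20"              # DNS/DHCP server, slide 14 diagram
START = datetime(2016, 2, 11, 9, 0) # constructed clock for the walkthrough


@dataclass
class Session:
    mac: str
    ip: str
    role: str = "Unauthenticated"
    user: Optional[str] = None
    expires: Optional[datetime] = None   # end of a Temporary or Clean role


class CleanAccessServer:
    """In-band CAS acting as the per-session IP filter (slide 13, step 3)."""

    def __init__(self, authenticate: Callable[[str, str], bool], remediation_hosts: Iterable[str]):
        self.authenticate = authenticate            # stands in for the RADIUS auth server
        self.remediation_hosts = set(remediation_hosts)
        self.certified: Dict[str, datetime] = {}    # MAC -> certified until (24 h)
        self.sessions: Dict[str, Session] = {}

    def connect(self, mac: str, ip: str, now: datetime) -> str:
        """Step 1: a MAC still on the certified list skips login; otherwise Unauthenticated."""
        session = Session(mac=mac, ip=ip)
        until = self.certified.get(mac)
        if until is not None and now < until:
            session.role, session.expires = "Clean", until
        else:
            self.certified.pop(mac, None)           # stale entry is dropped
        self.sessions[mac] = session
        return session.role

    def login(self, mac: str, user: str, password: str) -> bool:
        """Step 4: SSL web login. A wrong password leaves the device Unauthenticated."""
        session = self.sessions[mac]
        if session.role == "Unauthenticated" and self.authenticate(user, password):
            session.user = user
            return True
        return False

    def posture_result(self, mac: str, compliant: bool, now: datetime) -> str:
        """Steps 6-10: CAM decision relayed to the CAS; ignored for a session that never logged in."""
        session = self.sessions[mac]
        if session.user is None:
            return session.role
        if compliant:
            session.role, session.expires = "Clean", now + CLEAN_ROLE
            self.certified[mac] = session.expires   # step 10: MAC onto the certified list
        elif session.role != "Temporary":
            session.role, session.expires = "Temporary", now + TEMP_ROLE   # step 6
        return session.role

    def current_role(self, mac: str, now: datetime) -> str:
        """Assumption: an expired Temporary or Clean timer drops the session to Unauthenticated."""
        session = self.sessions[mac]
        if session.expires is not None and now >= session.expires:
            session.role, session.expires, session.user = "Unauthenticated", None, None
            self.certified.pop(mac, None)
        return session.role

    def permit(self, mac: str, dst_ip: str, dst_port: int, now: datetime) -> bool:
        """Per-role IP filter. DNS is allowed in every role so the redirect can resolve."""
        role = self.current_role(mac, now)
        if dst_ip == DNS_IP and dst_port == 53:
            return True
        if role == "Unauthenticated":
            return dst_ip == CAS_IP and dst_port == 443        # web-login page only
        if role == "Temporary":
            return dst_ip in self.remediation_hosts and dst_port in (80, 443)
        return True                                             # Clean: full access


def demo() -> list:
    """Walk one laptop through slides 13-16; constructed user directory and sites."""
    cas = CleanAccessServer(lambda u, p: {"student1": "s3cret"}.get(u) == p,
                            {"203.0.113.10", "203.0.113.11"})   # placeholder update sites
    mac, ip = "00:11:22:33:44:55", "192.168.1.150"
    t1 = START + timedelta(minutes=10)
    return [
        cas.connect(mac, ip, START),                 # "Unauthenticated"
        cas.permit(mac, "198.51.100.1", 80, START),  # False: Internet blocked by the IP filter
        cas.permit(mac, CAS_IP, 443, START),         # True: redirect target
        cas.login(mac, "student1", "wrong"),         # False
        cas.login(mac, "student1", "s3cret"),        # True
        cas.posture_result(mac, False, START),       # "Temporary"
        cas.permit(mac, "203.0.113.10", 443, START), # True: remediation site
        cas.permit(mac, "198.51.100.1", 80, START),  # False
        cas.posture_result(mac, True, t1),           # "Clean"
        cas.permit(mac, "198.51.100.1", 80, t1),     # True
        cas.connect(mac, ip, t1 + timedelta(hours=25)),   # "Unauthenticated": certification lapsed
    ]
```

Two points the model makes visible. A posture report for a session that has not completed the web login changes nothing, so the agent protocol cannot be used to skip step 4. And the certified-device list is keyed by MAC address, a value the client presents rather than one the network verifies, which is why the 24 hour expiry and the per-user login in front of it are part of the design rather than optional extras.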

Page 17

WIT Wireless Network

(Diagram components, topology shown graphically on the slide: Internet; ASA 5550; L3 6513 Switch; Cisco 4400 Wireless LAN Controller; LWAPP Encrypted Tunnel; Aironet 1100 AP; AP Network VLAN 216; WLAN Network VLAN 215; Untrusted WLAN DMZ; Trusted WLAN DMZ; Cisco ACS Server; Clean Access Manager; Clean Access Server; Laptop.)

Page 18

WIT Wireless Network Future Developments

• Out-of-band wired access
• Nessus vulnerability scanner (http://www.nessus.org/) for Mac OS X, Linux, Solaris and FreeBSD

Page 19

WIT Wireless Network - Partners