
NAC Framework is a Cisco-led industry initiative to provide posture validation using embedded software in Cisco network access devices (NAD) such as routers, switches, VPN concentrators, Cisco ASA, wireless access points, and others. Many vendors are part of the Cisco NAC program. These Cisco partners include antivirus software vendors, remediation and patch management companies, identity software manufacturers, and others.

NOTE To obtain the latest list of NAC program vendors/partners, go to http://www.cisco.com/go/nac and click on NAC program.

Similar to NAC Appliance, NAC Framework has three basic components:

NAC Agent

NAD

Policy Server (Cisco Secure ACS or NAC Manager)

Optionally, you can use other vendor products such as external policy servers, remediation servers, and audit servers to provide more comprehensive admission control features. The NADs enforce policies configured in a centralized manager, while relaying the security credentials/information presented by the end-host NAC Agent. NAC Framework supports four different mechanisms when performing security posture validation on end-host machines:

NAC Layer 3 IP: Uses EAP over UDP (EoU) and is typically deployed in Cisco IOS routers, Cisco ASA, and VPN 3000 concentrators.

NAC Layer 2 IP: Uses EoU and is typically deployed in Cisco Catalyst switches. Address Resolution Protocol (ARP) and DHCP are the trigger mechanisms.

NAC Layer 2 802.1x: Combines the traditional IBNS identity features and services with in-depth security posture validation.

The basic diagram shown in Figure 1-17 illustrates the NAC Framework from a high-level view.

Figure 1-17 NAC Framework High-Level Overview

The following steps are illustrated in Figure 1-17:

Step 1 The NAD (a switch in this example) challenges the end-host to present its credentials. This is done via EoU or EAP over 802.1x.

Step 2 The NAD forwards the end-host credentials to the NAC Manager (Cisco Secure ACS server in this example) using the EAP protocol over RADIUS.

Step 3 Optionally, the Cisco Secure ACS forwards user or machine credentials to an external vendor server. This server can be an antivirus vendor server, authentication server, or any other external policy server. The vendor server replies to the Cisco Secure ACS with a token, based on the posture results for the end-host that is attempting to connect to the network.

Step 4 The Cisco Secure ACS receives the token or checks its internal policies.

Step 5 The Cisco Secure ACS sends the posture information to the NAD. Subsequently, the NAD enforces policies based on the posture of the end-host device.

[Figure 1-17 labels: Host with NAC Agent, Catalyst Switch, Cisco Secure ACS, Vendor Server; EAP over UDP or EAP over 802.1x between the host and the switch, EAP over RADIUS between the switch and Cisco Secure ACS; the numbered arrows 1, 2, 4, and 5 correspond to the steps above]

NOTE The NAD periodically polls the end-hosts to determine if a change has been made in their posture. The NAC Agent alerts the NAD of any changes on the client machine. The NAD uses this information to issue full revalidation and posture assessment. This mechanism prevents hosts from being validated but not checked if their security posture has changed after they have been granted access to the network.

NAC Agentless Hosts (NAH) are devices on which the Cisco NAC Agent has not been installed. These devices can be printers, IP Phones, scanners, and other systems such as contractor and guest workstations. If a device does not have the NAC Agent, it cannot respond to the EoU or 802.1x request from the NAD. Separate policies can be configured on the NAD to exclude the NAH MAC or IP address, or a range of addresses. In addition, a global policy can be configured on Cisco Secure ACS.

Cisco developed a protocol called Generic Authorization Message Exchange (GAME). Third-party audit servers use this protocol to communicate with Cisco Secure ACS when performing elaborate scans and audits on NAC nonresponsive hosts. An example of an audit server vendor is Qualys. Cisco Secure ACS is responsible for triggering the audit process for nonresponsive hosts with the audit server. Audit servers can scan the nonresponsive device for known threats and vulnerabilities to further determine their security posture.
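As an added illustration (not Cisco's code or configuration), the following Python model ties together the five-step posture flow of Figure 1-17, the agentless-host exceptions, the hand-off of nonresponsive hosts to an audit server, and the revalidation note above: a toy policy server stands in for Cisco Secure ACS and its vendor server, and a toy NAD maps the resulting posture token to an enforcement action. The posture token names are the standard NAC Framework ones; the policy thresholds, exception address ranges, enforcement actions, and sample hosts are constructed.

```python
# Toy model of the NAC Framework admission flow (added illustration, not Cisco code); policy thresholds, exception ranges and hosts are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Standard NAC Framework posture tokens, ordered from best to worst posture.
TOKENS = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]
# Constructed NAD enforcement policy keyed by posture token (step 5).
ENFORCEMENT = {"Healthy": "full-access", "Checkup": "full-access",
               "Transition": "restricted", "Quarantine": "remediation-vlan",
               "Infected": "deny", "Unknown": "deny"}

@dataclass
class Host:
    ip: str
    mac: str
    agent: Optional[dict] = None   # None models a NAC Agentless Host (no NAC Agent)

class PolicyServer:
    """Stands in for Cisco Secure ACS plus the optional vendor server (steps 3-4)."""
    def __init__(self, min_av_version, required_patches):
        self.min_av = min_av_version
        self.patches = set(required_patches)
    def vendor_token(self, creds):
        # Step 3: the antivirus vendor server turns agent credentials into a token.
        if not creds.get("av_running", False):
            return "Infected"
        return "Healthy" if creds.get("av_version", 0) >= self.min_av else "Checkup"
    def evaluate(self, creds):
        # Step 4: ACS combines the vendor token with its own patch policy; a missing patch only worsens the posture.
        token = self.vendor_token(creds)
        if not self.patches <= set(creds.get("patches", [])):
            token = TOKENS[max(TOKENS.index(token), TOKENS.index("Quarantine"))]
        return token

class NAD:
    """Switch or router enforcing the posture decision (steps 1, 2 and 5)."""
    def __init__(self, acs, exempt_nets=(), exempt_macs=()):
        self.acs = acs
        self.exempt_nets = [ip_network(n) for n in exempt_nets]
        self.exempt_macs = {m.lower() for m in exempt_macs}
    def admit(self, host):
        if host.agent is None:              # no answer to the EoU/802.1x challenge
            if host.mac.lower() in self.exempt_macs or any(
                    ip_address(host.ip) in n for n in self.exempt_nets):
                return "nah-exception"      # statically excluded agentless host
            return "audit-pending"          # ACS hands the host to an audit server
        return ENFORCEMENT[self.acs.evaluate(host.agent)]   # steps 2-5
    def posture_changed(self, host, new_creds):
        host.agent = new_creds              # agent reported a change: revalidate fully
        return self.admit(host)
```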

NOTE For more information about the Cisco-Qualys NAC solution, go to http://www.cisco.com/web/partners/downloads/partner/WWChannels/programs/nac_qualys_sol_guide.pdf or to the Qualys website at http://www.qualys.com/products/qgent/integrations/nac/.

It is recommended that you use an event correlation and reporting system, such as CS-MARS, in conjunction with NAC. The process of collecting, correlating, troubleshooting, and trending NAC event information enables you to make necessary real-time corrections and ongoing improvements to the security posture of your end-host devices. This subsequently decreases the risk of known and unknown security threats in your organization.

NOTE This chapter introduces the basics of the NAC Framework solution. For information about the detailed deployment, configuration, and troubleshooting, refer to the Cisco Press books titled Cisco Network Admission Control, Volume I: NAC Framework Architecture and Design and Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting.

Chapter 2 demonstrates how to deploy NAC Framework to provide posture validations while preparing your network and infrastructure to self-protect against security threats.