This document provides a step-by-step guide on how to configure the Cisco Network Admission Control (NAC) Appliance (formerly Cisco Clean Access) for remote access VPN in In-band Virtual Gateway mode. The Cisco NAC Appliance is an easily deployed NAC product that uses the network infrastructure to enforce security policy compliance on all devices that seek to access network computing resources. With the NAC Appliance, network administrators can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. It identifies whether networked devices such as laptops, IP phones, or game consoles are compliant with the security policies of your network and repairs any vulnerabilities before access to the network is permitted.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This document uses this network setup:
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Complete these steps in order to configure the NAC Appliance (Cisco Clean Access).
Login to the Clean Access Manager (CAM) using the administrative account.
Choose Device Management > CCA Servers and go to the New Server tab in order to add the Cisco Clean Access Server (CAS) to the Cisco CAM.
In this example, the IP address of the CAS is 10.10.20.162. Enter the server location for reference purposes. In this example, the CAS is located behind the Cisco ASA that is configured for remote access VPN. The Server Location information is VPN Remote Access CAS. Select Virtual Gateway for the Server Type.
The CAS configured as a virtual gateway acts like a bridge for the managed network. The virtual gateway configuration is good when managed clients share a subnet with trusted clients and you do not want to modify the existing gateway or architecture. There is no need to define static routes on any of the routing devices.
The CAS appears under the List of Servers. Make sure that the Status reads Connected. Click on Manage in order to access the CAS configuration.
Troubleshooting Tip: If the CAM fails to import the CAS, make sure that connectivity is not an issue. You can attempt to ping the CAS from the CAM CLI when you log in as root. You can also attempt an SSH connection from the CAM to the CAS. Make sure that you have done the initial configuration in the CAS. You can use the service perfigo config command in order to initialize the CAS via its CLI.
Go to the Network tab.
The CAS is typically configured such that the untrusted interface is connected to a trunk port with multiple VLANs trunked to the port. In such a situation, the management VLAN ID is the VLAN ID of the VLAN to which the IP address of the CAS belongs.
Check Enable Layer 3 support in order to allow users to be more than one hop away from the CAS. Since this case is a VPN configuration, you need to enable this option.
Under the CCA Server Advanced tab click VLAN Mapping and enter the VLAN information in order to map VLAN 10 (untrusted) with VLAN 20 (trusted).
Create a filter for the Cisco ASA to be able to communicate with the protected network behind the CAS. Choose Device Management > Filters > Devices > New and add the MAC address and the IP address of the Cisco ASA (00:15:C6:FA:39:F7/10.10.20.100 in this example).
The CAM on each CAS automatically adds devices to the Certified Devices list after the user authenticates and the device passes network scanning with no vulnerabilities found and/or meets Clean Access Agent requirements. Certified devices are considered clean until removed from the list. You can remove devices at a specified time or interval from the Certified Devices list in order to force them to repeat network scanning/agent checking.
Note that devices for Clean Access Agent users are always scanned for requirements at each login. A floating device requires Clean Access certification at every login and is certified only for the duration of a user session. Floating devices are always added manually.
In this case the CAS performs security posture for VPN Clients terminated on the Cisco ASA. The Cisco ASA needs to communicate with devices such as the Cisco Secure ACS server in the trusted side. It is recommended to add the ASA as a floating device. Click on Clean Access under Device Management and choose Certified Devices > Add Floating Device. Enter the MAC address of the ASA (00:15:C6:FA:39:F7 in this example). Set type to 1 to never exempt the ASA from certification list and enter a description.
In this example, you create two different roles (sales and engineering). Choose User Management > User Roles and click New Role in order to create a new role. Enter the Role Name and a Description. In this example, the Role Name is sales with its respective description. Click Create Role.
Repeat step 9 and create the engineering role. This window displays when you are done.
Choose User Management > User Roles and go to the Traffic Control tab in order to configure the policies used by each user role. Under the desired role click on Add Policy.
This window shows that the policy for the sales users is configured. The sales users should only have access to the 10.1.1.0/24 subnet. All TCP traffic to the SALES subnet is allowed in this example.
This window shows all the policies configured for each user role. Step 11 was repeated to allow UDP and TCP traffic for the sales and engineering users to their respective subnets. ICMP is also allowed for both groups. The Quarantined users only have access to a remediation server with the IP 172.18.85.123 over TCP.
Choose Device Management > Clean Access, go to the General Setup tab, and click Agent Login.
For each role, check Require use of Clean Access Agent. Requiring the use of the Clean Access Agent is configured per user role and operating system. When the Agent is required for a role, users in that role are forwarded to the Clean Access Agent download page after authenticating for the first time using web login. The user is then prompted to download and run the Agent installation file. At the end of the installation, the user is prompted to log into the network using the Agent.
The NAC Appliance (Cisco Clean Access) provides integration with Cisco VPN Concentrators and the Cisco ASA (in this example). Cisco Clean Access can enable Single Sign-On (SSO) capability for VPN users. This functionality is achieved with the use of RADIUS accounting. The CAS can acquire the IP address of the client from either Framed_IP_address or Calling_Station_ID RADIUS attributes for SSO purposes. VPN users do not need to login to the web browser or the Clean Access Agent because the RADIUS accounting information sent to the CAS/CAM by the VPN Concentrator provides the user ID and IP address of users who log into the VPN Concentrator (RADIUS Accounting Start Message). In order to do this, you need to add the Cisco VPN device (Cisco ASA in this example) as an authentication server.
Choose User Management > Auth Servers > New Server.
Choose Cisco VPN Server from the drop-down menu.
Choose the user role assigned to users authenticated by the Cisco VPN Concentrator.
Unauthenticated Role is selected in this example. This default role is used if not overridden by a role assignment based on MAC address or IP address, or if RADIUS mapping rules do not result in a successful match.
Enter an optional description of the Cisco ASA for reference and click Add Server.
Choose User Management > Auth Servers > New Server and select RADIUS from the drop-down menu in order to add the Cisco Secure ACS server (RADIUS server).
This list provides a description of the settings on this window:
Provider Name—(optional) Type a unique name for this authentication provider. Enter a meaningful or recognizable name if web login users are able to select providers from the web login page.
Server Name—The fully qualified host name (for example, auth.cisco.com) or IP address of the RADIUS authentication server. 172.18.124.101 is the IP address of the Cisco Secure ACS server in this example.
Server Port—The port number on which the RADIUS server listens.
RADIUS Type—The RADIUS authentication method. Supported methods include EAPMD5, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft (MS-CHAP). PAP is used in this example.
Timeout (sec)—The timeout value for the authentication request.
Default Role—Choose the unauthenticated role as the user role assigned to users authenticated by this provider. This default role is used if not overridden by a role assignment based on MAC address or IP address, or if RADIUS mapping rules do not result in a successful match.
Shared Secret—The RADIUS shared secret bound to the IP address of the specified client.
NAS-Identifier—The NAS-Identifier value to be sent with all RADIUS authentication packets. Either a NAS-Identifier or a NAS-IP-Address must be specified to send the packets.
NAS-IP-Address—The NAS-IP-Address value to be sent with all RADIUS authentication packets. Either a NAS-IP-Address or a NAS-Identifier must be specified to send the packets.
NAS-Port—The NAS-Port value to be sent with all RADIUS authentication packets.
NAS-Port-Type—The NAS-Port-Type value to be sent with all RADIUS authentication packets.
Enable Failover—This enables sending a second authentication packet to a RADIUS failover peer IP if the primary RADIUS authentication server response times out.
Failover Peer IP—The IP address of the failover RADIUS authentication server.
Allow Badly Formed RADIUS Packets—This enables the RADIUS authentication client to ignore errors in badly-formed RADIUS authentication responses as long as the responses contain a success or failure code. This can be required for compatibility with older RADIUS servers.
Complete these steps in order to enable Single Sign-On (SSO) on the CAS.
Choose Device Management > CCA Servers and select the server (in this case 10.10.20.162).
Go to the Authentication tab and choose VPN Auth.
Check Single Sign-On and Auto Logout and enter the RADIUS Accounting Port (only port 1813 is supported).
Under the VPN Concentrators sub-tab enter the ASA information and click Add VPN Concentrator.
Under the Accounting Servers sub-tab enter the RADIUS Accounting Server information and click Add Accounting Server.
Under the Accounting Mapping sub-tab select the ASA from the VPN Concentrator pull-down menu (asa1.cisco.com [10.10.20.100] in this example) and select the Accounting Server (acs1.cisco.com [172.18.85.181:1813] in this example).
This section demonstrates how to configure the Cisco ASA using the Adaptive Security Device Manager (ASDM). The VPN wizard lets you configure basic LAN-to-LAN and remote access VPN connections. Use ASDM in order to edit and configure advanced features.
Choose Configuration > VPN and click Launch VPN Wizard in order to launch the VPN Wizard.
Use the VPN Tunnel Type panel in order to select the type of VPN tunnel to define, remote access or LAN-to-LAN, and to identify the interface that connects to the remote IPsec peer.
Click Remote Access in order to create a configuration that achieves secure remote access for VPN Clients, such as mobile users. This option lets remote users securely access centralized network resources. When you select this option, the VPN Wizard displays a series of panels that let you enter the attributes a remote access VPN requires.
Select the interface that establishes a secure tunnel with the remote IPsec peer (the outside interface is used in this example, since the VPN Clients connect from the Internet). If the Security Appliance has multiple interfaces, you need to plan the VPN configuration before you run this wizard and identify the interface to use for each remote IPsec peer with which you plan to establish a secure connection. Enable inbound IPsec sessions to bypass interface access lists. This enables IPsec authenticated inbound sessions to always be permitted through the Security Appliance (that is, without a check of the interface access-list statements). Be aware that the inbound sessions bypass only the interface access control lists (ACLs). Configured group-policy, user, and downloaded ACLs still apply. Click Next.
Select the remote access client type. Cisco VPN Client Release 3.x or higher, or other Easy VPN Remote product is used in this example, since the clients use the Cisco VPN Client. Click Next.
In this example, pre-shared keys are used for tunnel authentication. Enter the pre-shared key (cisco123 in this example) and the VPN Tunnel Group Name (vpngroup in this example). Click Next.
Use the Client Authentication panel in order to select the method by which the Security Appliance authenticates remote users. In this example, the VPN Clients are authenticated against a RADIUS server. Click New in order to configure a new AAA server group.
Provide this information in order to configure a new AAA server group that contains just one server:
Server Group Name—Type a name for the server group. You associate this name with users whom you want to authenticate using this server. The Server Group Name in this example is called authgroup.
Authentication Protocol—Select the authentication protocol the server uses. RADIUS is used in this example.
Server IP Address—Type the IP address for the AAA server. The RADIUS server is 172.18.124.101 in this example.
Interface—Select the Security Appliance interface on which the AAA server resides. The AAA server in this example is in the inside interface.
Server Secret Key—Type a case-sensitive, alphanumeric keyword of up to 127 characters. The server and Security Appliance use the key to encrypt data that travels between them. The key must be the same on both the Security Appliance and server. You can use special characters, but not spaces.
Confirm Server Secret Key—Type the secret key again.
Configure an address pool for the addresses to be assigned to the VPN Clients. Click New in order to create a new pool.
Add the name of the pool, the range, and the subnet mask.
Use the Attributes Pushed to Client (Optional) window in order to have the Security Appliance pass information about DNS and WINS servers and the default domain name to remote access clients. Enter the Primary and Secondary DNS and WINS server information. Also enter the Default Domain Name.
Use the IKE Policy window in order to set the terms of the Phase 1 IKE negotiations. 3DES, SHA, and Diffie-Hellman Group 2 are used in this example as the IKE policy for VPN Client connections.
Use this IPSec Encryption and Authentication window in order to select the encryption and authentication methods to use for Phase 2 IKE negotiations, which create the secure VPN tunnel. 3DES and SHA are used in this example.
Use the Address Translation Exemption (Optional) window in order to identify local hosts/networks which do not require address translation.
By default, the Security Appliance hides the real IP addresses of internal hosts and networks from outside hosts by using dynamic or static Network Address Translation (NAT). NAT minimizes risks of attack by untrusted outside hosts, but might be improper for those who have been authenticated and protected by VPN.
For example, an inside host that uses dynamic NAT has its IP address translated by matching it to a randomly selected address from a pool. Only the translated address is visible to the outside. Remote VPN Clients that attempt to reach these hosts by sending data to their real IP addresses cannot connect to these hosts, unless you configure a NAT exemption rule.
Verify that the information is accurate in the Summary window and click Finish.
This is a very important step. The Cisco ASA needs to send the RADIUS accounting messages to the CAS in order to do SSO and perform security posture checks.
Complete these steps in order to add a new AAA Server Group.
Choose Configuration > Properties > AAA Setup > AAA Server Groups and click Add.
Enter the Server Group name (CAS_Accounting in this example).
Select RADIUS as the Protocol.
Make sure that the Accounting Mode is Single and Reactivation Mode is Depletion.
Add a new AAA Server entry. In this case the AAA server is the IP address of the CAS (10.10.20.162) which resides in the inside interface. Configure the Server Authentication Port (1812) and Server Accounting Port (1813). Click OK.
The new AAA Server Group and AAA Server appears as this example window shows.
Complete these steps in order to add the CAS as the accounting server for the VPN group you configured (vpngroup in this example).
Choose Configuration > VPN > General > Tunnel Group.
Select the Tunnel Group.
Under the Accounting tab select the new AAA Server Group under the Accounting Server Group pull-down menu (CAS_Accounting in this example).
ASA Version 7.2(1)
enable password 8Ry2YjIyt7RRXU24 encrypted
description Outside Interface Facing the Internet
ip address 220.127.116.11 255.255.255.0
description Inside Interface
ip address 10.10.20.100 255.0.0.0
no ip address
no ip address
ip address 172.18.85.174 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
dns server-group DefaultDNS
access-list outside_cryptomap extended permit ip any 10.10.55.0 255.255.255.0
access-list something extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool pool1 10.10.55.1-10.10.55.254 mask 255.255.255.0
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
access-group something in interface outside
access-group something in interface inside
route inside 172.18.85.181 255.255.255.255 10.10.20.1 1
route inside 0.0.0.0 0.0.0.0 10.10.20.1 tunneled
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
route inside 172.18.85.0 255.255.255.0 10.10.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server authgroup protocol radius
aaa-server authgroup host 172.18.85.181
aaa-server test protocol radius
aaa-server test host 10.10.20.162
aaa-server CAS_Accounting protocol radius
aaa-server CAS_Accounting host 10.10.20.162
group-policy vpngroup internal
group-policy vpngroup attributes
wins-server value 172.18.108.40 172.18.108.41
dns-server value 172.18.108.40 172.18.108.41
default-domain value cisco.com
username cisco password ffIRPGpDSOJh9YLq encrypted
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map abcmap 1 set peer 22.214.171.124
crypto isakmp enable outside
crypto isakmp policy 1
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
tunnel-group vpngroup ipsec-attributes
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
match port tcp eq sip
match port udp eq sip
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
There is currently no verification procedure available for this configuration.
There is currently no specific troubleshooting information available for this configuration.