Selected ASDM VPN Configuration Procedures for the Cisco ASA 5500 Series, Version 5.2

Configuring Network Admission Control


This chapter includes the following sections.

Uses, Requirements, and Limitations

Configuring a Connection to an Access Control Server

Enabling NAC and Assigning NAC Properties to a Group Policy

Changing Global NAC Settings

Uses, Requirements, and Limitations

Network Admission Control (NAC) protects the enterprise network from intrusion and infection from worms, viruses, and rogue applications by performing endpoint compliance and vulnerability checks as a condition for production access to the network. We refer to these checks as posture validation. You can configure posture validation to ensure that the anti-virus files, personal firewall rules, or intrusion protection software on a host establishing an IPSec session are up-to-date. Posture validation can include the verification that the applications running on the remote hosts are updated with the latest patches. NAC supplements the identity-based validation that IPSec and other access methods provide. It is especially useful for protecting the enterprise network from hosts that are not subject to automatic network policy enforcement, such as home PCs.


Note When configured to support NAC, the security appliance functions as a client of a Cisco Secure Access Control Server, requiring that you install a minimum of one Access Control Server on the network to provide NAC authentication services. ASA support for NAC is limited to remote access IPSec and L2TP over IPSec sessions. NAC on the ASA does not support WebVPN, non-VPN traffic, IPv6, and multimode.


Configuring a Connection to an Access Control Server

The instructions in the following sections assume you have added at least one Access Control Server to the network to support NAC:

Configuring the Access Control Server Group

Adding an ACS to the ACS Group

Assigning the ACS Server Group as the NAC Authentication Server

Configuring the Access Control Server Group

You must configure an Access Control Server group even if the network has only one Access Control Server.

Configure an Access Control Server group, as follows:


Step 1 Choose Configuration > Properties > AAA Setup > AAA Server Groups, then click Add to the right of the AAA Server Groups table.

The Add AAA Server Group window opens (Figure 9-1).

Figure 9-1 Add AAA Server Group Window

Step 2 See the following descriptions to assign values to the attributes in this window.

Server Group—Enter a name for the server group.


Note If a RADIUS server is configured to return the Class attribute (#25), the security appliance uses that attribute to authenticate the Group Name. On a RADIUS server, the attribute must be in the format OU=groupname, where groupname is identical to the Server Group name on the security appliance.


Protocol—Indicates whether this is a RADIUS or an LDAP server group. Select RADIUS for an Access Control Server group.

Accounting Mode—(RADIUS and TACACS+ protocols only) Click Simultaneous to configure the security appliance to send accounting data to all servers in the group, or click Single to send accounting data to only one server.

Reactivation Mode—Click Depletion to reactivate connections to failed servers only after all of the servers in the group become inactive, or click Timed to reactivate them after 30 seconds of downtime.

Dead Time—(for Depletion mode only) Enter the number of minutes that must elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers.

Max Failed Attempts—Enter an integer in the range 1 through 5 to configure the number of failed connection attempts the security appliance allows before declaring a nonresponsive server inactive.

Step 3 Click OK.

ASDM displays the group you added in the AAA Server Groups table (Configuration > Properties > AAA Setup > AAA Server Groups).


Use the next section to add the server to the group.

Adding an ACS to the ACS Group

Add one or more Access Control Servers to an ACS group as follows:


Step 1 Choose Configuration > Properties > AAA Setup > AAA Server Groups.

The AAA Server Groups table lists the groups configured on this security appliance.

Step 2 Select the ACS group you created in the previous section.

ASDM highlights the group and displays the contents of the group in the Servers in the selected group table.

Step 3 Click Add to the right of the Servers in the selected group table.

The Add AAA Server window opens (Figure 9-2).

Figure 9-2 Add AAA Server Window

Step 4 Assign values to the attributes in this window consistent with those configured on the ACS. The attribute descriptions are as follows:

Server Group—Display only. Shows the name of the server group to which you are adding the ACS server.

Interface Name—Select the network interface through which the security appliance connects to the server.

Server Name or IP Address—Enter a name or the IP address of the AAA server.

Timeout—Enter the timeout interval, in seconds. The security appliance gives up on the request to the primary AAA server after this timer expires. If a standby AAA server is present in the configuration and the connection to the primary server times out, the security appliance sends the request to the backup server.

Server Authentication Port—Enter the number of the server port for user authentication. The default port is 1645.


Note The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.


Server Accounting Port—Enter the server port to use for user accounting. The default port is 1646.

Retry Interval—Enter the number of seconds, in the range 1 through 10, to wait before reattempting a connection after sending a query to the server and receiving no response. The default value is 10 seconds.

Server Secret Key—Enter the server secret key (also called the shared secret) to use for encryption; for example, C8z077f. The secret is case-sensitive. The field displays only asterisks. The security appliance uses the server secret to authenticate to the Access Control Server. The server secret you configure here should match the one configured on the Access Control Server. The maximum field length is 64 characters.

Common Password—Enter the common password for the group. The password is case-sensitive. The field displays only asterisks. If you are defining a RADIUS server to be used for authentication rather than authorization, do not provide a common password.

A RADIUS authorization server requires a password and username for each connecting user. You enter the password here. The RADIUS authorization server administrator must configure the RADIUS server to associate this password with each user via this security appliance. Be sure to provide this information to your RADIUS server administrator. Enter a common password for all users who are accessing this RADIUS authorization server through this security appliance.

If you leave this field blank, each user password will be the username. As a security precaution, never use a RADIUS authorization server for authentication. Using common passwords or usernames as passwords is much less secure than using a strong password for each user.


Note The password field is required by the RADIUS protocol and the RADIUS server requires it; however, users do not need to know it.


ACL Netmask Convert—Select the method by which the security appliance handles netmasks received in downloadable access lists. The security appliance expects downloadable access lists to contain standard netmask expressions, in which ones mark the bit positions to match and zeroes mark the bit positions to ignore. A wildcard mask is the inverse: it has ones in bit positions to ignore and zeroes in bit positions to match. The ACL Netmask Convert list helps minimize the effects of these differences on how you configure downloadable access lists on your RADIUS servers.

If you choose Detect Automatically, the security appliance attempts to determine the type of netmask expression used. If it detects a wildcard netmask expression, it converts it to a standard netmask expression; however, because some wildcard expressions are difficult to detect unambiguously, this setting may occasionally misinterpret a wildcard netmask expression as a standard netmask expression.

If you choose Standard, the security appliance assumes downloadable access lists received from the RADIUS server contain only standard netmask expressions. The security appliance does not translate wildcard netmask expressions.

If you choose Wildcard, the security appliance assumes downloadable access lists received from the RADIUS server contain only wildcard netmask expressions, and it converts them all to standard netmask expressions when the access lists are downloaded.
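The three settings, modelled as an added example (not Cisco code): the functions below classify a dotted mask as standard, wildcard, both or neither, apply each mode to one access control entry, and show why Detect Automatically cannot disambiguate 0.0.0.0 and 255.255.255.255, the only masks that are valid in both forms and that mean opposite things. The detection heuristic (prefer the standard reading) is an assumption; the page does not document the appliance's exact rule.

```python
# Added model of the ASDM "ACL Netmask Convert" setting (not Cisco code).
# Assumption: the appliance's real heuristic is not given on this page; here
# a mask that is valid as a standard netmask is read as standard, and only
# otherwise, if it is a valid wildcard mask, is it inverted.
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _to_int(mask: str) -> int:
    return int(ipaddress.IPv4Address(mask))

def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def is_standard_netmask(mask: str) -> bool:
    """Standard netmask: 1 bits (match) followed by 0 bits (ignore)."""
    inv = ~_to_int(mask) & ALL_ONES       # complement must look like 0..01..1
    return inv & (inv + 1) == 0

def is_wildcard_mask(mask: str) -> bool:
    """Wildcard mask: 0 bits (match) followed by 1 bits (ignore)."""
    m = _to_int(mask)                     # mask itself must look like 0..01..1
    return m & (m + 1) == 0

def classify(mask: str) -> str:
    """'standard', 'wildcard', 'ambiguous' (valid as both) or 'invalid'."""
    std, wc = is_standard_netmask(mask), is_wildcard_mask(mask)
    if std and wc:
        return "ambiguous"                # only 0.0.0.0 and 255.255.255.255
    if std:
        return "standard"
    if wc:
        return "wildcard"
    return "invalid"                      # non-contiguous bits fit neither form

def wildcard_to_standard(mask: str) -> str:
    return _to_str(~_to_int(mask) & ALL_ONES)

def convert_netmask(mask: str, mode: str) -> str:
    """Standard netmask the appliance applies for one ACE under `mode`:
    "standard", "wildcard" or "detect" (Detect Automatically)."""
    if mode == "standard":                # no translation at all
        return mask
    if mode == "wildcard":                # every mask is inverted
        return wildcard_to_standard(mask)
    if mode == "detect":
        kind = classify(mask)
        if kind in ("standard", "ambiguous"):   # assumed bias toward standard
            return mask
        if kind == "wildcard":
            return wildcard_to_standard(mask)
        raise ValueError(f"{mask}: neither a standard nor a wildcard mask")
    raise ValueError(f"unknown mode {mode!r}")

def ace_network(address: str, mask: str, mode: str) -> str:
    """CIDR block one ACE covers once its mask is interpreted per `mode`."""
    std = _to_int(convert_netmask(mask, mode))
    return f"{_to_str(_to_int(address) & std)}/{bin(std).count('1')}"

if __name__ == "__main__":
    # A server that writes wildcard masks sends 0.0.0.0 to mean "this host only";
    # under Detect Automatically that ACE widens to every address.
    for mode in ("wildcard", "detect"):
        print(mode, ace_network("10.1.1.5", "0.0.0.0", mode))
```

If the RADIUS server is known to emit one style only, the fixed Standard or Wildcard setting removes this ambiguity entirely; Detect Automatically is only safe when host entries never arrive as 0.0.0.0 wildcards.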

Step 5 Click OK.

ASDM displays the server you added in the Servers in selected group table.

Now that you have added the ACS server to the server group, use the instructions in the next section to assign the server group to the group policy.


Assigning the ACS Server Group as the NAC Authentication Server

Add the ACS Server Group as the NAC Authentication Server for the default tunnel group, or to alternative tunnel groups for which you want to configure support for NAC, as follows:


Step 1 Choose Configuration > VPN > General > Tunnel Group.

Step 2 Double-click the tunnel group named DefaultRAGroup or an alternative tunnel group configured for remote access (Type is "ipsec-ra") on which you want to configure NAC support, or click Add > IPSec for Remote Access to add a new tunnel group.

Step 3 Click the General tab, then the Authentication tab (Figure 9-3).

Figure 9-3 General Tab > Authentication Tab

Step 4 Set the attributes in this window, as follows:

Authentication Server Group—Lists the available authentication server groups, including the LOCAL group (the default setting). You can select None. Selecting an option other than None or LOCAL makes available the Use LOCAL if Server Group Fails check box. (The Advanced tab lets you assign an authentication server group to each interface.)

Use LOCAL if Server Group fails—Check this attribute to enable fallback to the LOCAL database if the group specified by the Authentication Server Group attribute fails. Uncheck to disable fallback.

NAC Authentication Server Group—Select an ACS group consisting of at least one server configured to support NAC. The list displays the names of all server groups of type RADIUS configured on this security appliance that are available for remote access tunnels.

Step 5 Click OK.


Enabling NAC and Assigning NAC Properties to a Group Policy

Enable NAC on the default group policy or on alternative IPSec group policies, and view or modify its default settings, as follows:


Step 1 Choose Configuration > VPN > General > Group Policy.

Step 2 Double-click the policy named DfltGrpPolicy or an alternative group policy configured for remote access (Tunneling Protocol is "IPSec") for which you want to enable NAC, or click Add > Internal Group Policy to add a new group policy.

Step 3 Open the NAC tab (Figure 9-4).

Figure 9-4 NAC Tab on the DfltGrpPolicy and an Alternative Group Policy


Note If you check the Inherit check box in an alternative group policy, the policy uses the setting on the default group policy. Clearing the Inherit check box allows you to customize an alternative group policy setting, making it independent from the default group policy setting.


Step 4 Set the attributes in this window, as follows:

Enable NAC—Click Enable to execute Network Admission Control procedures to validate eligible hosts associated with this group policy and assign them the ACL downloaded from the Access Control Server if they pass posture validation checks, or click Disable to not perform NAC procedures.


Note The remaining attributes are effective only if NAC is enabled.


Status Query Timer—After each successful posture validation, the security appliance starts a status query timer. The expiration of this timer triggers a query to the remote host for changes in posture since the last posture validation. A response indicating no change resets the status query timer. A response indicating a change in posture triggers an unconditional posture revalidation. The security appliance maintains the current access policy during revalidation.

By default, the interval between each successful posture validation and the status query, and each subsequent status query, is 300 seconds (5 minutes). The group policy inherits the value of the status query timer from the default group policy unless you change it. To do so, enter a number in the range 300 to 1800 seconds (5 to 30 minutes).

Revalidation Timer—After each successful posture validation, the security appliance starts a revalidation timer. The expiration of this timer triggers the next unconditional posture validation. The security appliance maintains the current access policy during revalidation. By default, the interval between each successful posture validation is 36000 seconds (10 hours). The group policy inherits the value of the revalidation timer from the default group policy unless you change it. To do so, enter a number in the range 300 to 86400 seconds (5 minutes to 24 hours).

Default ACL—The security appliance applies the ACL identified by this attribute to hosts that are eligible for NAC, before posture validation. Following posture validation, the security appliance replaces the default ACL with the one obtained from the Access Control Server for the remote host. It applies this ACL if revalidation fails. If clientless authentication is enabled, the security appliance also applies this ACL to hosts that do not have a Cisco Trust Agent to respond to posture validation requests. Select the ACL to use as the default ACL for NAC sessions, or use the default setting, None, to not apply a default ACL.

To add an ACL to the drop-down list, view the configuration of the ACLs in the list, or modify an ACL in the list, click Manage. The ACL Manager window opens. For instructions, see "Managing ACLs and ACEs" on page 2-13.

Posture Validation Exception List—A Yes value in the Enabled column indicates that the associated operating system is exempt from posture validation. A No value indicates that the exemption entry is present in the configuration, but that the security appliance ignores it. The Filter is optional. In addition to exempting the computer from posture validation, the security appliance applies the ACL identified in the Filter column to filter the traffic if the computer's operating system matches and the Enabled value is Yes. To add or modify an entry in the list, click Add, or double-click the entry to be modified. The Add or Edit Posture Validation window opens (Figure 9-5).

Figure 9-5 Add Posture Validation Exception

Step 5 (Applies only if you are modifying the Posture Validation Exception List.) Set the attributes in the window, as follows:

Operating System—Select the operating system running on the remote computer that you want to exempt from posture validation, or enter its name. For example, enter Windows XP.

Enable—Check to enable the exemption. The default setting is unchecked, which disables the entry in the exemption list without removing it from the list.

Filter—Select an ACL to apply to the traffic if the operating system running on the computer matches the value of the Operating System attribute. Use the default option, None, if you do not want to apply a filter. Otherwise, select an ACL from the drop-down list.

To add an ACL to the drop-down list, view the configuration of the ACLs in the list, or modify an ACL in the list, click Manage. The ACL Manager window opens. For instructions, see "Managing ACLs and ACEs" on page 2-13.

Click OK after setting the attributes in the Add or Edit Posture Validation window. The NAC tab displays the new or modified entry in the Posture Validation Exception List.

Step 6 Click OK, then Apply to save the changes to the running configuration.


Changing Global NAC Settings

The security appliance provides default settings that apply to all NAC sessions. Use the instructions in this section to adjust these settings for adherence to the policies in force in your network.

The ASA provides default settings for the attributes that specify communications between the security appliance and the remote host. These attributes determine the maximum values of the expiration counters that impose limits on the communications with the Cisco Trust Agent on the remote host, and specify the port number used to communicate with the Cisco Trust Agent.

The global NAC settings also let you enable or disable clientless authentication, which applies a policy to hosts that do not have a Cisco Trust Agent to respond to posture validation requests.

View or modify the global NAC settings, as follows:


Step 1 Choose Configuration > VPN > NAC.

Step 2 ASDM opens the NAC window (Figure 9-6).

Figure 9-6 NAC


Note The attributes in this window are effective only if NAC is enabled on a group policy that the security appliance applies to an IPSec session.


Step 3 Set the attributes in this window, as follows:

Retransmission Timer—When the security appliance sends an EAP over UDP request for a posture validation to a remote host, it waits for a response. If it fails to receive a response within the number of seconds assigned to this attribute, it resends the EAP over UDP message. By default, the retransmission timer is 3 seconds. Enter a value in the range 1 to 60 to change the duration of the wait period.

Hold Timer—If the EAPoUDP Retries counter matches the EAPoUDP Retries value, the security appliance terminates the EAP over UDP session with the remote host and starts this timer. When the number of seconds assigned to this attribute has elapsed, the security appliance establishes a new EAP over UDP session with the remote host. By default, the maximum number of seconds to wait before establishing a new session is 180 seconds. Enter the number of seconds in the range 60 to 86400 (24 hours) to change it.

EAPoUDP Retries—When the security appliance sends an EAP over UDP message to the remote host, it waits for a response. If it fails to receive a response, it resends the EAP over UDP message. By default, it retries up to 3 times. Enter a value in the range 1 to 3 to change it.

EAPoUDP Port—Enter the port number on the client endpoint to be used for EAP over UDP communication with the Cisco Trust Agent. The default port number is 21862. Enter a value in the range 1024 to 65535 to change it.

Enable Clientless Authentication—Check to apply a policy to hosts that do not have a Cisco Trust Agent to respond to posture validation requests.

When a host attempts to establish an IPSec session, the security appliance applies the default access policy, sends the EAP over UDP request for posture validation, and the request times out. If the security appliance is not configured to request a policy for clientless hosts from the Access Control Server, it retains the default access policy already in use for the clientless host.

If clientless authentication is enabled, and the security appliance fails to receive a response to a validation request from the remote host, it sends a clientless authentication request on behalf of the remote host to the Access Control Server. The request includes the login credentials that match those configured for clientless authentication on the Access Control Server. The Access Control Server then provides the access policy to be enforced by the security appliance.


Note The remaining attributes apply only if you check Enable Clientless Authentication.


Username—Enter the username configured on the Access Control Server to support clientless hosts. The default username is "clientless". If you change it on the Access Control Server, you must also do so on the security appliance. You can enter 1 to 64 ASCII characters, excluding leading and trailing spaces, pound signs (#), question marks (?), quotation marks ("), asterisks (*), and angle brackets (< and >).

Password—Enter the password configured on the Access Control Server to support clientless hosts. The default password is "clientless". If you change it on the Access Control Server, you must also do so on the security appliance. You can enter 4 to 32 ASCII characters.

Confirm Password—Enter the Password again for verification.

Step 4 Click Apply to save the changes to the running configuration.