Enabling LDAP Integration
Topics in this chapter include:
• Support for MAC Authentication/MAC Authentication Bypass
• Cisco NAC Profiler LDAP Synchronization
• Enabling the Cisco NAC Profiler System for LDAP Integration
• Initial LDAP Synchronization
• Cisco NAC Profiler LDAP Parameters
• Verifying Availability of Cisco NAC Profiler LDAP Service
The contextual endpoint inventory maintained by the Cisco NAC Profiler is extensible to other systems such as Cisco Secure ACS via the standard Lightweight Directory Access Protocol (LDAP). The NAC Profiler Server (or HA-pair) can be configured to replicate selected endpoint data (by Profile) to an LDAP-enabled directory that runs in parallel with the Profiler database and is maintained by the NAC Profiler Server. The NAC Profiler system can be configured to publish endpoints in selected Profiles to the directory such that other systems such as Cisco Secure ACS can query the NAC Profiler system in order to get contextual information about endpoints using the MAC address of the endpoint as the identifier. The LDAP subsystem of the Cisco NAC Profiler system is a high-performance and scalable solution that can be utilized to augment authentication systems such as IEEE 802.1X port-based authentication, particularly for the purposes of automating the discovery and authentication of endpoints unable to participate in the 802.1X protocol using the existing authentication infrastructure.
The NAC Profiler Server includes an LDAP-enabled directory which runs in parallel with the Profiler Endpoint Database when the system is enabled for LDAP integration as described later in this chapter. In response to an LDAP query containing an endpoint MAC address initiated by another entity such as a Cisco Secure ACS system attempting to authenticate an endpoint by MAC address, the NAC Profiler LDAP subsystem checks the onboard directory to determine the most current information about the endpoint: whether the endpoint has been discovered and is currently Profiled by the NAC Profiler system. Selected Profiles are enabled for authentication via LDAP integration, enabling the endpoints in that profile for authentication by MAC. The NAC Profiler administrator selectively designates which Profiles the NAC Profiler system will respond to LDAP queries for in the profile configuration. In other words, the NAC Profiler system will only respond about endpoints that it has discovered and profiled into the endpoint profiles that have been explicitly configured for LDAP enablement. In implementations where another authentication mechanism is primary, 802.1X for example, the Profiles for endpoints unable to authenticate via the primary mechanism are enabled for LDAP integration on the NAC Profiler system. Profiles for devices such as printers, IP Phones, and wireless access points are examples of Profiles that are typically enabled for LDAP integration for cases where the NAC Profiler system is being utilized for MAC Authentication Bypass in 802.1X environments. In some deployments, however, all NAC Profiler endpoint profiles may be configured to authenticate by MAC when MAC authentication is used as the primary endpoint authentication mechanism as an alternative to 802.1X deployment.
A successful authentication response from NAC Profiler to the Authentication Server includes the current Profile name (e.g., Printer) in the response to the query for a given MAC which can be used by the Authentication Server in the determination of the proper network access policy to assign to the endpoint. Again, the NAC Profiler system will only respond to queries about MAC addresses that it has discovered and Profiled into a Profile that is designated for LDAP enablement by the NAC Profiler administrator.
LDAP queries for MAC addresses that are not known by the system (not yet discovered by NAC Profiler), or for endpoints that are currently Not Profiled or not in an LDAP-enabled Profile, will be handled by the NAC Profiler system as an authentication failure. In this way, the system is able to differentiate by endpoint type those endpoints that should and should not be authenticated via their MAC address when queried by an external system.
Support for MAC Authentication/MAC Authentication Bypass
To accommodate endpoints in 802.1X-enabled networks that are unable to authenticate via 802.1X, Cisco Systems and other switch vendors with 802.1X support have implemented a feature within their switch firmware to revert to MAC authentication when endpoints connect to their ports and do not initiate the EAPoL process. A device not initiating the EAPoL process is indicative of a non-802.1X capable endpoint connecting to an access port that has 802.1X enabled. This feature is used primarily to authenticate known, non-802.1X corporate assets attempting to connect to the network on access ports with 802.1X port-based authentication enabled. In addition, many RADIUS Authentication Server implementations support MAC authentication as well so that they will interoperate with access switches including MAC authentication bypass in the 802.1X implementation.
In these deployments, the RADIUS Authentication Server must somehow be provisioned with the list of MAC addresses in an internal database (e.g., white list) or support querying an external database of the MAC addresses of endpoints in the environment that are known to be non-802.1X capable and should be authenticated by MAC. Cisco Secure ACS and many other Authentication Server solutions from other vendors support mechanisms to reference an external database via LDAP to proxy MAC authentication to another system, alleviating the need to maintain the local database (e.g., white list) on the Authentication Server.
The external LDAP database mechanism implemented in these solutions provided the base model for the engineering of the NAC Profiler LDAP subsystem. The NAC Profiler LDAP integration functionality described earlier in this chapter provides the opportunity to utilize the Endpoint Profiling and Identity Monitoring functionality of NAC Profiler to automate the management of non-802.1X capable endpoints in the enterprise, providing an easily accessible and up-to-date list of the endpoints that are to be authenticated by their MAC address. In this model, whenever a non-802.1X capable endpoint attaches to any port with 802.1X/MAC Authentication Bypass enabled, the switch reverts to MAC authentication for the endpoint, and in turn the RADIUS server queries Cisco NAC Profiler to determine if the endpoint should be allowed to access the network. For authentication successes, the Profile that the endpoint is currently in is returned to the RADIUS server which can be mapped to an access policy should it be assigned based on the endpoint type (profile). This allows different device types authenticating via MAC authentication to be allowed onto the network with the appropriate level of access.
MAC authentication fallback (or "MAC Authentication Bypass," or "MAB," as the feature is called by Cisco Systems) implemented in the switch firmware is designed to provide an alternative authentication path for endpoints that connect to an 802.1X-enabled port and do not initiate the 802.1X authentication protocol. Figure 17-1 (from Cisco Systems documentation) shows how a Cisco switch that has 802.1X authentication with the MAC Authentication Bypass feature enabled will proceed when a non-802.1X capable device connects to one of its access ports:
Figure 17-1 Cisco MAC Authentication Bypass
The lack of EAPoL packets from the endpoint connecting on the 802.1X enabled port with MAB enabled results in the switch reverting to an attempt to use MAC authentication to enable access for the endpoint. The NAS (RADIUS client) on the switch will send a MAC authentication request to the RADIUS server, which will determine if the MAC is known to be a non-802.1X capable endpoint (on the "white list") and, if so, what policy it should be assigned. This is communicated back to the switch so the enforcement action such as the assignment of a VLAN can be carried out at the access port. For devices that fail MAC authentication (e.g., an unknown non-802.1X endpoint) the RADIUS server will also likely have a policy for devices that cannot be authenticated via this mechanism, which may result in the unknown endpoint being provisioned for no network access or perhaps some limited access (e.g., guest privileges only) depending on the environment and security policy.
Operating in concert with support for MAC authentication, the RADIUS Authentication Server must contain a mechanism for maintaining the list of MAC addresses that should be authenticated via MAC: those endpoints owned by the organization but known not to be 802.1X supplicant-capable. In order for this approach to be deployed and utilized effectively, the environment must have a means of identifying the devices in the environment that are not capable of 802.1X authentication, and maintaining an up-to-date database of these devices over time as moves, adds and changes occur. This list needs to be populated and maintained on the Authentication Server or another accessible repository either manually, or via some alternative means, to ensure that the list of devices enabled for authentication via MAC is complete and valid at any point in time. This in turn ensures that when one of these endpoints connects to the network on a port enabled for authentication and does not initiate the EAPoL process, the MAC authentication succeeds because the Authentication Server is able to authenticate the MAC address of the endpoint.
The Cisco NAC Profiler can automate the process of identifying non-authenticating endpoints, those without 802.1X supplicants, and maintaining the validity of these endpoints in networks of varying scale via the Endpoint Profiling and Identity Monitoring functionality. Through a standard LDAP interface, the NAC Profiler system can serve as an External Database or Directory of the endpoints to be authenticated via MAB—the so-called "white list" of devices known to be unable to authenticate via 802.1X. The NAC Profiler directory is accessed as necessary by the Authentication Server when access switches attempt to authenticate an endpoint by MAC address via the MAB feature. Upon receiving a MAB request from the edge infrastructure, the Authentication Server will query the NAC Profiler system to determine whether or not a given endpoint should be admitted to the network based on most current information about the endpoint known by Cisco NAC Profiler, obviating the need for a manual initial configuration and ongoing maintenance of the "white list" of devices that should be authenticated by MAC.
Beyond automating the discovery of non-802.1X capable endpoints, and monitoring the identity attributes of those endpoints, implementing support of non-802.1X endpoints using the NAC Profiler system in this manner enables these endpoints to connect to any access port configured for MAB across the enterprise. Each time one of these endpoints connects to a port and is unable to complete the EAPoL process, the Authentication Server queries the NAC Profiler system to determine how the endpoint should be handled: if access should or should not be provided, and the access policy.
Cisco NAC Profiler in Basic MAC Authentication Deployments
Although the 802.1X with MAB case has been emphasized thus far in the chapter, it is worth noting that the LDAP integration capability of Cisco NAC Profiler can be used in deployments of traditional MAC authentication, without the enablement of 802.1X and deployment/management of supplicants on endpoints that support them. In this case, the MAC authentication capability available on edge equipment from Cisco Systems as well as several other vendors is enabled so that only known endpoints (MAC addresses) are admitted to the network as they attempt to gain access. This is an "Agentless Authentication" approach in which the edge switches authenticate each endpoint joining the network using the MAC address of the endpoint's network interface as the primary credential. The endpoints themselves do not require any additional functionality to participate in the authentication protocol. As the endpoint joins the network (physically connected to a switch), the access port of the switch does not forward traffic for the endpoint until the switch receives a successful authentication of the endpoint via RADIUS, which may also include policy information such as VLAN assignment for the endpoint.
Basic MAC authentication then is similar to the MAB functionality outlined previously in this section except that MAC Authentication is the primary (only) authentication method for all endpoints, not the fallback for endpoints that cannot perform the 802.1X authentication process (non-supplicant capable) as it is in the MAB case. For many environments, enabling basic MAC authentication for all endpoints joining the network might be the first step toward the ultimate goal of strong, 802.1X-based authentication rolled out enterprise-wide.
Basic MAC authentication deployments however still face the fundamental challenge of discovering the endpoints that should be provided network access, differentiating between endpoint types, and maintaining the master list of endpoints in an extensible format such that RADIUS can easily access the data necessary to authenticate and provide differentiated access based on endpoint type.
From a NAC Profiler configuration standpoint, deployment in basic MAC Authentication environments is essentially the same as in full 802.1X deployments, with the exception that more (in some cases all) endpoint profiles are enabled for LDAP, that is, enabled for MAC authentication, to accommodate the fact that all endpoints that will be allowed onto the MAC authenticated network need to be known to the Authentication Server. Cisco NAC Profiler automates both the discovery and management of the list of endpoints that should be authenticated in the basic MAC-authentication-enabled network.
Similarly the Identity Monitoring capability of Cisco NAC Profiler continues to provide a valuable second credential for basic MAC authentication environments. If special purpose devices begin exhibiting attributes of general purpose computers (e.g., printer with PC attributes), that is an event of interest on the MAC authenticated network that needs to be brought to the attention of network security. The NAC Profiler system provides that functionality, as well as providing the option to force re-authentication of endpoints changing profile as described in Chapter 12, "Configure Cisco NAC Profiler Events".
Cisco NAC Profiler LDAP Synchronization
The Cisco NAC Profiler LDAP subsystem includes a synchronization function that is used to maintain the NAC Profiler database and the directory in synch. The NAC Profiler database maintained by the Server module is the master, and the directory is updated continuously to ensure that it reflects the current state of the database. Full synchronization of the directory to the database occurs when LDAP is initially enabled on a NAC Profiler system to perform an initial population/synchronization of the directory. Full synchronization of the LDAP-enabled directory also occurs whenever the NAC Profiler system is restarted (Apply Changes -> Update Modules or Re-model) when the system is enabled for LDAP. During steady-state operation of the NAC Profiler system, a full synchronization is also performed every six hours to further ensure that the database and directory remain in synch.
On a running NAC Profiler system enabled for LDAP integration, as endpoints are discovered and profiled into Profiles that are enabled for LDAP, the LDAP synchronization code updates the LDAP directory upon the change. Similarly, if an endpoint is re-profiled from an LDAP-enabled profile to another that is not LDAP enabled, the directory is updated effectively revoking the ability of the endpoint to authenticate by MAC due to the re-profiling. This functionality keeps the directory up-to-date with the database between full synchronizations. This process operates on an endpoint-by-endpoint basis as opposed to the full synchronization described earlier which verifies the entire directory against the NAC Profiler database, an obviously more intensive operation particularly in very large systems.
The Identity Monitoring functionality of the NAC Profiler system is fully utilized in the monitoring of endpoints in the LDAP-enabled directory. In situations where an endpoint is observed by Cisco NAC Profiler exhibiting identity attributes that result in a Profile change, specifically from a Profile enabled for LDAP authentication to another Profile not LDAP-enabled, the directory will be immediately updated such that the endpoint changing Profile will no longer successfully authenticate via MAC authentication. For example, if an endpoint that is currently in the LDAP-enabled Printer Profile is observed by the NAC Profiler system exhibiting identity attributes that are more consistent with a higher-certainty Windows User Profile, the NAC Profiler Modeler will re-Profile the endpoint from the LDAP-enabled Printers Profile to the non-LDAP enabled Windows User Profile. (Windows Users in this example are assumed to be able to authenticate by a method other than by MAC address—802.1X for example.) Any subsequent re-authentication of that MAC address, including one forced by the Active Response functionality enabled on profile change, will fail because the endpoint transitioned to a Profile that is not enabled for LDAP authentication by MAC. This change happens nearly concurrently with the Collector report of the change in identity attributes of the endpoint.
LDAP Synchronization in HA-pairs
For NAC Profiler Server HA-pairs enabled for LDAP integration, there is one additional synchronization operation that occurs in the background. Upon failover of an HA-pair, the Server module on the Secondary node is started as it is promoted to Primary node. As described above, a full synchronization of the directory will occur as part of the Server module startup when the Secondary takes over as Primary node for the HA-pair.
To expedite this process, the Secondary node in an LDAP-enabled NAC Profiler Server pair will perform a full synchronization of the directory to the NAC Profiler database (which is being continuously updated by the HA protocol) every 30 minutes. This keeps the directory on the Secondary node relatively up-to-date with the Profiler database being maintained by the Primary node. In the event of a failover, the full synchronization of the directory will then occur significantly faster and with less impact on the system, as only the changes that have occurred in the last thirty minutes (worst case) will be outstanding.
LDAP Integration Debug Logs
The system will log LDAP synchronization activity. Viewing the Server log on a system (Utilities -> System Summary -> Display Server Logs) with LDAP enabled will show entries for full synchronization that look as follows:
LDAP_SYNC: LDAP Synchronization END [add 0, rm 1]
LDAP_SYNC: LDAP Synchronization START
An example of a log entry for an individual synch action upon new endpoint discovery, or change in profile is provided below:
LDAP_SYNC: LDAP Update (00:04:23:d6:5f:ba) END [add mac: 0 add to profile: 0 rem: 0]
From the NAC Profiler system (console or ssh) the Server log may be examined for entries related to the LDAP integration, directory synchronization specifically. The log entries will include the string "LDAP_" as shown in the examples above. The following are typical commands that may be used for viewing these log entries:
To show all LDAP-synch related log messages in the Server log:
$ grep LDAP_ /usr/beacon/logging/Server.out | less
To display related log messages as they happen:
$ tail -f /usr/beacon/logging/Server.out | grep LDAP_
Tip Troubleshooting the success or failure of MAC Authentication attempts proxied to Cisco NAC Profiler by Cisco Secure ACS is done via the RADIUS logs maintained by ACS. The Cisco NAC Profiler logging functionality encompasses only synchronization activities. LDAP queries and their success or failure are typically logged by the system making the LDAP query.
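The entry formats shown above can be triaged with a short script. This is an added example, not part of the Cisco documentation or product: it summarises LDAP_SYNC entries and lists endpoints whose individual update removed them from the directory, which is the event that revokes authentication by MAC. It assumes that "rm"/"rem" count directory removals and that "add"/"add mac"/"add to profile" count additions (the chapter does not define these counters); the sample lines and the 02:00:00:... addresses are constructed.

```shell
#!/bin/sh
# Added example (not Cisco code): summarise LDAP_SYNC entries in Server.out.
# Assumption: "rm"/"rem" = entries removed from the LDAP directory,
#             "add"/"add mac"/"add to profile" = entries added to it.

# Constructed sample in the format of the log entries shown in this chapter.
sample_server_log() {
    cat <<'EOF'
LDAP_SYNC: LDAP Synchronization START
LDAP_SYNC: LDAP Synchronization END [add 0, rm 1]
LDAP_SYNC: LDAP Update (00:04:23:d6:5f:ba) END [add mac: 0 add to profile: 0 rem: 0]
LDAP_SYNC: LDAP Update (02:00:00:00:00:01) END [add mac: 1 add to profile: 1 rem: 0]
Server: unrelated constructed line
LDAP_SYNC: LDAP Update (02:00:00:00:00:02) END [add mac: 0 add to profile: 0 rem: 1]
LDAP_SYNC: LDAP Synchronization START
EOF
}

# ldap_sync_report [FILE...]   (reads standard input when no file is given)
# Output: "ADDED <mac>" / "REMOVED <mac>" per endpoint update that changed the
# directory, then one SUMMARY line. Lines that carry an LDAP_SYNC marker but do
# not parse are counted as unparsed instead of being silently dropped.
ldap_sync_report() {
    cat "$@" | awk '
    # Return the integer following label in line, or -1 if it is missing.
    function num_after(line, label,    i, rest) {
        i = index(line, label)
        if (i == 0) return -1
        rest = substr(line, i + length(label))
        if (match(rest, /^[0-9]+/) == 0) return -1
        return substr(rest, 1, RLENGTH) + 0
    }
    /LDAP_SYNC: LDAP Synchronization START/ { started++; next }
    /LDAP_SYNC: LDAP Synchronization END/ {
        a = num_after($0, "[add "); r = num_after($0, ", rm ")
        if (a < 0 || r < 0) { bad++; next }
        ended++; full_add += a; full_rm += r
        next
    }
    /LDAP_SYNC: LDAP Update \(/ {
        # "(xx:xx:xx:xx:xx:xx)" is 19 characters including the parentheses.
        if (!match($0, /\([0-9A-Fa-f:]+\)/) || RLENGTH != 19) { bad++; next }
        mac = tolower(substr($0, RSTART + 1, 17))
        am = num_after($0, "add mac: ")
        ap = num_after($0, "add to profile: ")
        r  = num_after($0, "rem: ")
        if (am < 0 || ap < 0 || r < 0) { bad++; next }
        updates++
        if (r > 0)                   { removed++; print "REMOVED " mac }
        else if (am > 0 || ap > 0)   { added++;   print "ADDED " mac }
        next
    }
    END {
        printf "SUMMARY started=%d ended=%d full_add=%d full_rm=%d updates=%d added=%d removed=%d unparsed=%d\n",
            started, ended, full_add, full_rm, updates, added, removed, bad
    }'
}

# Demo on the constructed sample. On the appliance the call would be:
#   ldap_sync_report /usr/beacon/logging/Server.out
sample_server_log | ldap_sync_report
```

A started count higher than the ended count, as in the sample, means a full synchronization had begun but not yet logged its END line when the log was read.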
Enabling LDAP Integration
Configuration of the NAC Profiler system for integration with external systems via LDAP is straightforward, and consists of three distinct steps:
Step 1 Designating the Profile(s) that contain the endpoints that should be successfully authenticated via MAC address. This task has a design aspect, determining which endpoint profiles will contain endpoints that should be authenticated by MAC (and which profiles do not), as well as a system configuration task to enable selected profiles for LDAP as described in Chapter 9, "Endpoint Profile Configuration: Part 1."
Step 2 Enabling the system for accepting LDAP queries and auto synchronization of the LDAP directory with the NAC Profiler database.
Step 3 Performing an Apply Changes -> Update Modules to save the previous configuration changes and perform an initial synchronization of the LDAP Directory.
The procedure for each of these steps is outlined in the remainder of this section. Once these steps are completed for the NAC Profiler system, the external system that will query NAC Profiler via LDAP is configured to use the NAC Profiler system as an external database in accordance with the technical documentation for that solution.
Refer to Leveraging Cisco NAC Profiler as an External MAB Database in the User Guide for the Cisco Secure Access Control System 5.1 for how to configure ACS for external LDAP database for MAB support.
Enabling Profiles for LDAP Authentication
The NAC Profiler system utilizes the Endpoint Profile configuration for determining which endpoints will successfully authenticate via MAC upon an LDAP query. On a per Profile basis, selected Profiles can be designated for LDAP enablement, or LDAP can be disabled. MAC authentication requests to NAC Profiler for endpoints not currently in an LDAP-enabled Profile will result in the LDAP query returning zero results, and are treated as a MAC authentication failure. By default, the pre-configured Profiles included with the system, and newly created Endpoint Profiles, are not LDAP enabled. Therefore, as part of the configuration of the NAC Profiler system for MAC Authentication support via LDAP, the Endpoint Profiles containing endpoints that should be MAC Authenticated must have the LDAP function enabled.
Tip Failure to enable one or more Endpoint Profiles for LDAP will result in all queries to NAC Profiler returning zero results and the inability to authenticate endpoints by MAC.
The primary task in this step is to identify the Profiles that contain endpoints that are desired to be authenticated via MAC in the environment, and then enable those Profiles for LDAP. Typically, these are the Endpoint Profiles which contain devices owned by the organization that should be provided network access, yet are known to be unable to authenticate. In an 802.1X environment for example, the devices in this category would be devices known not to have an 802.1X supplicant, and unable to authenticate via the 802.1X protocol. Typically these are Profiles that contain printers, IP Phones or manageable UPSs as common examples.
For example, if printers profiled by NAC Profiler were placed in a Profile named 'Printers' and IP Phones in a Profile named 'IP Phones', then these Profiles would need to be enabled for LDAP so that the endpoints placed in those Profiles by the NAC Profiler endpoint profiling functionality are successfully authenticated as known IP Phones and Printers in the environment via MAC authentication/MAC Authentication Bypass.
Configuring an enabled Profile for LDAP requires that the LDAP radio button adjacent to the 'yes' in the Endpoint Profile configuration be selected, as shown in Figure 17-2 and detailed in Chapter 9, "Endpoint Profile Configuration: Part 1":
Figure 17-2 Enabling a Profile for LDAP
After making the change to the LDAP parameter for the Profile, select the Save Profile button at the bottom of the form to save the changes.
The active Profiles (currently enabled and containing at least one endpoint) that are currently LDAP-enabled, and that should therefore result in successful MAC authentication of the endpoints they contain, can be determined by checking the Endpoint Directory. To view the Endpoint Directory, navigate to the Endpoint Console Tab, and select Endpoint Directory. An example Endpoint Directory with LDAP-enabled Profiles is shown in the figure below.
Figure 17-3 Endpoint Directory Showing LDAP-Enabled Profile
In the example in Figure 17-3, the LDAP column of the Endpoint Directory shows the current LDAP status of each enabled Profile on the system that contains one or more endpoints.
Tip The LDAP column of the Endpoint Directory is only displayed when the NAC Profiler Server module has been configured to enable LDAP as described in the next section. Failure of this column to display is an indicator that the Server module configuration has not been completed.
Profiles with 'yes' in the column are enabled for LDAP. LDAP queries by MAC to the NAC Profiler system for endpoints in a profile enabled for LDAP will be successful. Cisco NAC Profiler will indicate that the MAC is known by the system and be able to provide the current Profile name to the external system so that an appropriate policy for the endpoint can be determined.
Enabling the Cisco NAC Profiler System for LDAP Integration
Configuration of the NAC Profiler Server module to enable the LDAP subsystem of the Endpoint Profiler is accomplished via the Configure Server form. The Configure Server form and configuration of the NAC Profiler Server module in general were covered in detail in Chapter 6, "Cisco NAC Profiler Server Configuration."
Midway down the Configure Server form is the LDAP Configuration section containing two parameters as shown in Figure 17-4.
To enable the NAC Profiler Server module for LDAP integration, perform the following steps:
Figure 17-4 NAC Profiler Server LDAP Parameters
Step 1 Check the Enable LDAP checkbox
This parameter enables the onboard directory on the NAC Profiler system and prepares the system for processing LDAP queries by external systems such as Cisco Secure ACS.
Tip By default, the NAC Profiler LDAP service listens for LDAP version 3 requests on port 389 received on the management interface of the appliance running the Server module. (In the case of HA pairs, the HA pair will respond to LDAP queries forwarded to the VIP for the HA pair.)
Step 2 Enable Verbose Logging as desired
Checking this parameter enables verbose logging of the LDAP synchronization process to the NAC Profiler Server.out file described earlier in the chapter, which is recommended for systems with this option enabled.
Step 3 Select the 'Update Server Module' button at the bottom of the form to save the changes to the Server module configuration.
Proceed with the instructions in the next section to commit the Profile and Server Module configuration changes to the system configuration and perform an initial synchronization of the onboard LDAP store on the NAC Profiler system.
Initial LDAP Synchronization
When the Enable LDAP checkbox is selected in the Server configuration as outlined in the previous section, the enablement of the synchronization of the NAC Profiler LDAP directory upon Apply Changes -> Update Modules and Re-model occurs automatically. Henceforth, whenever an Update Modules or Re-model is executed on a NAC Profiler System with LDAP enabled, as part of the restart and remodel that occurs, the NAC Profiler system will synchronize the endpoint database and the LDAP data store to ensure that the LDAP data store mirrors the database.
Tip After Enabling LDAP on a NAC Profiler system, an Apply Changes -> Update Modules or Re-model must be performed to ensure that the endpoints currently Profiled into Profiles enabled for LDAP are synchronized into the LDAP directory.
Once the steps outlined in the previous sub-sections have been completed, the LDAP functionality of the NAC Profiler system will be ready to respond to LDAP queries. With LDAP enabled on the NAC Profiler system, as endpoints are Profiled into any of the LDAP-enabled Profiles, they are automatically added to the LDAP directory and enabled for MAC Authentication. Conversely, if an endpoint is re-Profiled by the NAC Profiler system from a Profile enabled for LDAP to another that is not, the endpoint will be removed from the LDAP directory, and subsequent attempts by RADIUS to authenticate that endpoint via MAC against the NAC Profiler data store will result in an authentication failure.
Cisco NAC Profiler LDAP Parameters
Regardless of what external system is connecting to the NAC Profiler LDAP store, there are some LDAP-specific parameters that will be required for the configuration of the system querying NAC Profiler via LDAP to enable successful connectivity. Those parameters are as follows:
• LDAP version 3
• LDAP Server IP address: IP address/DNS name of the management (eth0) interface of the appliance running the Server module for the NAC Profiler system. For HA pairs, the address/DNS name should be the Service IP (VIP) for the pair.
• Authentication required - yes
• Username (AdminDN) - cn=root,o=beacon - this is the bind DN ("Distinguished Name") that should be used for LDAP access by external systems.
• LDAP bind password - GBSbeacon is the factory default password for the username (bind DN) cn=root,o=beacon used for external access.
Changing the LDAP Bind Password
The LDAP bind password for a NAC Profiler system can be changed from the factory default to a password of the NAC Profiler administrator's choosing as the system is enabled for LDAP integration. Complete the following steps:
Step 1 SSH to the NAC Profiler Server as the beacon system user. For HA-pairs, use the VIP to start the process with the current Primary node.
Step 2 Enter the following command at the command prompt:
ldappasswd -ASW -D cn=admin,o=beacon -h 127.0.0.1 -x cn=root,o=beacon
The system will prompt for the current password twice:
Then query for the new password, asking for re-entry to verify:
Step 3 The LDAP password change script will query for the LDAP password, which is actually for the DN cn=admin,o=beacon, used internally. This password is also GBSbeacon by default and should not be changed as it will interrupt the internal communications between the NAC Profiler Server and the directory:
At the successful completion of the script, the LDAP bind password for the cn=root,o=beacon DN has been changed and must be used by external systems accessing the system via LDAP for MAC authentication.
Note For NAC Profiler Server HA pairs, this procedure will have to be performed on both appliances in the pair to ensure that LDAP access to the HA pair is successful regardless of which appliance is currently Primary.
Configuration of LDAPS Option
In Cisco NAC Profiler Version 3.1, support for LDAPS and StartTLS was added to the NAC Profiler LDAP directory implementation to enable secure access to the LDAP directory. By default, these LDAP configuration options are disabled. Enabling LDAPS and StartTLS in NAC Profiler implementations that demand the additional security and in which the external systems querying NAC Profiler via LDAP are compliant will require running a script on the NAC Profiler appliance running the Server module. In systems that utilize NAC Profiler Server HA pairs, the process must be completed on both members of the pair.
To enable the LDAPS functionality on a NAC Profiler system, complete the following steps:
Step 1 Establish a console/SSH session and elevate to the root system account (su command).
Step 2 Enter the following command as the root system user to initiate LDAPS configuration:
# service profiler setupldaps
(If you are not the root user, the following message will display:
You must be root to use the 'setupldaps' subcommand
Use the su command to elevate, then re-enter the command.)
The following message will be displayed:
**** Secure LDAP Access *******************
Enable StartTLS and LDAPS secure access
Press ENTER to begin or CTRL+C to abort >
Step 3 Press Enter to proceed. Press Ctrl-C to abort the setup once the script has started.
Step 4 The system will present the following option:
Would you like to disable non-LDAPS (port 389) connections? (y/n) [n]:
Selecting yes for this option will result in the appliance accepting only LDAPS connections. The default is no, which will result in the system accepting non-LDAPS connections on port 389 as well as LDAPS connections on 636.
Step 5 Type y or n as desired and press Enter. The system will report the following as LDAPS is started:
LDAPS is now enabled.
To disable LDAPS, run the script again and follow the prompt to disable LDAPS:
LDAPS is already enabled. Would you like to disable? (y/n) [n]: y
Note In the current version of Cisco NAC Profiler, enforcing only encrypted (StartTLS) port 389 access is not supported.
Note For NAC Profiler Server HA pairs, this procedure will have to be performed on both appliances in the pair to ensure that LDAP access to the HA pair is successful regardless of which appliance is currently the Primary node.
Verifying Availability of Cisco NAC Profiler LDAP Service
Once the Cisco NAC Profiler system has been properly configured for LDAP, the availability of the service can be verified from any PC with IP connectivity to the NAC Profiler server, using an LDAP browser tool. LDAP browsers are readily available; there are several freeware versions that can be downloaded. One such LDAP tool is the LDAP Admin Windows LDAP Manager (http://ldapadmin.sourceforge.net/), which was used for the illustrations in this section.
Tip Stopping/starting the LDAP process (slapd) on the NAC Profiler system is not controlled by the "Enable LDAP" checkbox in the Server module config. If the "Enable LDAP" checkbox is cleared in the Server configuration, slapd still runs and the NAC Profiler Server will still accept LDAP binds, but the LDAP directory is not populated with endpoint information. Therefore the acceptance of LDAP binds alone is not sufficient verification that LDAP integration is fully functional. Follow the procedure in this section to verify that the LDAP synchronization process is populating the directory as expected.
The following example provides the steps necessary to verify basic NAC Profiler LDAP configuration by browsing the LDAP directory using the LDAP Admin tool. After starting the LDAP Admin application, select Start from the menu to open the drop-down menu, then select Connect... This opens the Connections window, which contains an icon entitled New connection. Double-click New connection to open the dialog which allows the entry of the LDAP-specific parameters for the NAC Profiler system being verified, as shown in Figure 17-5.
Figure 17-5 Creating a Connection to the NAC Profiler LDAP Store
Tip Clear the 'Anonymous connection' checkbox so that the required Username, which should always be cn=root,o=beacon, and the password can be entered as shown above. The default password is GBSbeacon.
Tip To verify LDAPS connectivity, select the UseSSL checkbox in the Connection part of the form. Note that the port changes to 636.
Before clicking OK, select the 'Test connection' button in the bottom left corner of the Connection properties dialog box. If the NAC Profiler system is responding to the LDAP bind request correctly, a dialog box indicating Connection is successful will appear. Select OK to clear the dialog, and OK again to save the new connection.
Tip If the error dialog LDAP Error: Server Down! appears, this indicates that either the NAC Profiler system is not listening on the LDAP port (389), or that network communications between the PC running LDAP Admin and the NAC Profiler system are being blocked (e.g., firewall or ACL). Verify network connectivity between the PC running LDAP Admin and the NAC Profiler system using PING.
Tip If the error dialog LDAP Error: Invalid Credentials! appears, this indicates that there is an error with the username and password provided. Verify that the password entered is the LDAP bind password specified in the last section: GBSbeacon, or the correct password if it was changed from the factory default.
Open the connection to the NAC Profiler LDAP directory by double-clicking the icon for the connection you created in the previous step. The view of the NAC Profiler LDAP directory tree should be displayed as shown in Figure 17-6.
Figure 17-6 Browsing the NAC Profiler LDAP Data Store
The part of the NAC Profiler LDAP directory that is germane to MAC Authentication is the ou=profiler tree. Expand the directory by clicking on the + to the left of the file icon for ou=profiler, then expand the directory further to open ou=BeaconProfiledMACs as shown in Figure 17-7.
Figure 17-7 LDAP-Enabled Profiles in NAC Profiler LDAP Data Store
In the example (Figure 17-7), Lexmark Printer is the only LDAP-enabled Profile on the NAC Profiler system. To see the endpoints currently in the Profile, double-click the cn=ProfileName entry, which displays the following dialog on the example system (Figure 17-8).
Figure 17-8 Browse Endpoints in LDAP-Enabled Profile
The Members section of the dialog shown in Figure 17-8 shows the MAC address of each device in the selected LDAP-enabled Profile, and verifies the availability of the LDAP store on the NAC Profiler system.
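The same population check can be scripted against an LDIF export of the ou=BeaconProfiledMACs subtree, so that a directory which accepts binds but holds no endpoints is reported as a failure. This is an added example, not Cisco's tooling: the sample export is constructed, and the o=beacon suffix on the subtree and the "member" attribute name are assumptions (the script matches MAC-shaped values in any attribute, so it does not depend on that name).

```python
import base64
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")

# Constructed sample export (LDIF). The o=beacon suffix on the subtree and the
# "member" attribute name are assumptions; the MACs are documentation values.
SAMPLE_LDIF = (
    "dn: ou=BeaconProfiledMACs,ou=profiler,o=beacon\nou: BeaconProfiledMACs\n\n"
    "dn: cn=Lexmark Printer,ou=BeaconProfiledMACs,ou=pro\n"
    " filer,o=beacon\n"  # folded continuation line, as LDIF exporters emit
    "cn: Lexmark Printer\nmember: 00:00:5e:00:53:01\nmember: 00-00-5E-00-53-02\n"
    "member:: " + base64.b64encode(b"00:00:5e:00:53:03").decode() + "\n\n"
    "dn: cn=IP Phone,ou=BeaconProfiledMACs,ou=profiler,o=beacon\ncn: IP Phone\n"
)

def parse_ldif(text):
    """Split LDIF into entries, each a list of (attribute, value) pairs."""
    text = re.sub(r"\r?\n ", "", text)              # undo line folding
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = []
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):     # blank, comment, junk
                continue
            if value.startswith(":"):               # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.append((attr.lower(), value.strip()))
        entries.append(entry)
    return entries

def profile_members(entries, container="ou=beaconprofiledmacs,"):
    """Map each profile cn directly under the container to its normalised MACs."""
    profiles = {}
    for entry in entries:
        dn = next((v for a, v in entry if a == "dn"), "")
        rdn, _, parent = dn.partition(",")
        if rdn.lower().startswith("cn=") and parent.lower().startswith(container):
            raw = {re.sub(r"[:-]", "", v).lower()
                   for a, v in entry if a != "dn" and MAC_RE.match(v)}
            profiles[rdn[3:]] = sorted(":".join(re.findall("..", m)) for m in raw)
    return profiles

def directory_status(profiles):
    """'no-profiles' and 'no-members' mean binds work but nothing is published."""
    if not profiles:
        return "no-profiles"
    return "populated" if any(profiles.values()) else "no-members"
```

Feed `parse_ldif` the LDIF text produced by an LDAP client bound as cn=root,o=beacon; any status other than `populated` matches the condition described in the Tip about the "Enable LDAP" checkbox.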