Preparing for Deployment
Topics in this chapter include:
• Determination of Required Endpoint Profiles
• Collecting Endpoint Data from Active Directory Servers
• Considerations for NetMap in Cisco NAC Profiler System Deployments
• Cisco NAC Profiler System Configuration Workflow
Before deploying and configuring Cisco NAC Profiler, there are a number of planning tasks to complete, based on how Cisco NAC Profiler will interact with the existing infrastructure. As outlined in Chapter 2, "Overview: Cisco NAC Profiler Architecture", the Cisco NAC Profiler system consists of a Cisco NAC Profiler Server component which runs on a dedicated standalone Profiler appliance or optionally as an HA pair of Profiler appliances.
The NAC Profiler system will also include one or more Cisco NAC Profiler Collectors. The Collector service can run on the NAC Server appliances (NAC-3310 only, or NAC-3350) deployed as part of the Cisco NAC Appliance system. Alternatively, the NAC Profiler Collector may be deployed on NAC Server appliances running only the Profiler Collector service (that is, without the NAC Server services enabled). The NAC Profiler Server manages, and receives collected endpoint data from, the NAC Profiler Collectors deployed in the system over an encrypted TCP connection.
Chapter 1, "Introduction to the Cisco NAC Profiler" provided an overview of Endpoint Profiling and Identity Monitoring emphasizing the flexible nature of Cisco NAC Profiler and approaches that may be employed in engineering a system that meets the needs of each environment. The various data collection techniques outlined can be selected and combined to create a system that utilizes the sources of endpoint data that can be provided to it in each environment.
The following steps guide the collection of data and considerations to be taken into account prior to implementing Cisco NAC Profiler in a given enterprise network. Note that this list is not exhaustive. There are other options such as the use of external data sources such as NetFlow and RADIUS accounting, and the options to use the NetInquiry module for Active Profiling of endpoints. These topics are covered in later chapters of this guide.
The following steps are designed to assist with the initial configuration of Cisco NAC Profiler systems that can be built upon via tuning of the system and employment of optional capabilities as the endpoint profiling strategy is developed and implemented for a given enterprise network environment.
Step 1 Determine Cisco NAC Profiler System IP Configurations
Step 2 Determine Digital Certificate Parameters for Cisco NAC Profiler Server
Step 3 Determine Cisco NAC Profiler System License Requirements
Step 4 Internal Network Address Blocks
Step 5 Network Device List
Step 6 DHCP Traffic Analysis
Step 7 Monitoring Interface Requirements
Step 8 SNMP Trap Configuration
Determine Cisco NAC Profiler System IP Configurations
Cisco NAC Profiler is managed via secure HTTP as described in Chapter 2, "Overview: Cisco NAC Profiler Architecture". The Cisco NAC Profiler Server provides system management for all components of the NAC Profiler system and those components communicate with one another and with network devices and services via TCP/IP. The NAC Profiler server utilizes the eth0 interface of the appliance it is running on for communication with the other system components by default. The NAC Profiler Server startup scripts allow for the configuration of this interface with basic IP parameters to enable it for network communications.
The Cisco NAC Profiler Collectors use the eth0 interface of the NAC Server for communication with the NAC Profiler Server. When the Collector service is running on the NAC Server, the same network interface on the appliance used for management of the NAC Server is used for management of the Collector service as well. When the Collector service is running on the NAC Server, it utilizes the IP configuration of the eth0 interface completed during startup configuration of the NAC Server services.
Note When the Collector service is deployed on a NAC Server that does not have the NAC Server services running, the startup of the NAC Server appliance in accordance with the NAC Appliance configuration is required so that the OS and network services required by the Profiler Collector are configured.
Determine the following operating environment-specific parameters for the Management Interface of the Profiler Server appliance:
• IP host address and netmask
• IP address for the default gateway to be used by the system
• IP address of the Name Server
• DNS Name or IP Address of NTP server(s) to configure the NAC Profiler Server for NTP.
Note If the NAC Profiler Server is to be implemented as an HA-pair, the above parameters for both appliances in the pair must be determined. In addition, there are several other parameters specific to the HA pair configuration such as the VIP for the pair.
Note For NAC Profiler Server HA-pairs, configuration of NTP on both members of the HA pair is mandatory, and highly recommended for standalone systems. As part of pre-deployment of the NAC Profiler system, internal NTP servers that will be used by the NAC Profiler Servers should be identified.
The IP configuration of the NAC Profiler Server (or HA pair VIP) is required when performing the initial configuration of the NAC Profiler Collectors. It must be determined prior to initial Collector startup as described in Chapter 4, "Installing and Performing an Initial Configuration".
In addition, the IP addresses of each of the Collectors to be deployed in the NAC Profiler system should be determined and noted. As mentioned previously, the NAC Profiler Collectors run on Cisco NAC Appliance NAC Servers and rely on the underlying OS and IP configuration of the NAC Server. Having the IP addresses of the NAC Profiler Collectors deployed on the NAC Servers in the system will facilitate the configuration of the Profiler Server as described in Chapter 6, "Configuring the Cisco NAC Profiler Server".
Consider any ACLs or other potential issues with network communication between the Collectors and the NAC Profiler Server, and between the Collectors and the network devices (for example, switches, routers and Active Directory Servers), and the computer that will be used to manage Cisco NAC Profiler via HTTPS.
Note SSH is utilized for command line access to Cisco NAC Profiler components over the network. Enabling SSH access from the management computer to the Profiler Server and Collectors should also be considered.
Determine Digital Certificate Parameters for Cisco NAC Profiler Server
The Cisco NAC Profiler user interface is secured using HTTPS and supports the use of Digital Certificates so that the authenticity of the embedded web server can be verified by the browser as it connects for access to the Cisco NAC Profiler user interface.
During the startup of the NAC Profiler Server, a self-signed digital certificate and CSR are created which will require the entry of organization-specific information. The following information is entered to create the self-signed certificate and CSR:
1. FQDN of the NAC Profiler system. (Note: for HA systems, this should be for the VIP/Service Address of the NAC Profiler Server HA-pair.)
2. Organization Unit Name
3. Organization Name
4. City Name
5. State or Province Name
6. 2-letter Country code
Note The Certificate Signing Request (CSR) created during startup can be submitted to a CA for digital signature, and the self-signed certificate created during Profiler Server startup replaced with the CA-signed certificate. Having the desired digital certificate parameters established before the startup of the NAC Profiler Server allows the CSR to be created and downloaded once at system startup, facilitating installation of the signed certificate as outlined in Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment".
Determine Cisco NAC Profiler System License Requirements
The licensing for the Cisco NAC Profiler system is managed by the Cisco NAC Profiler Server. Whenever the NAC Profiler Server starts, and periodically while it is running, the license subsystem checks for the presence of the required license key files.
There are two types of license key files for NAC Profiler: Profiler (Server) and Collector licenses. Both Profiler and Collector license key files are generated using the eth0 MAC Address of the Profiler Server appliance. The Profiler and Collector license key files are specific to a NAC Profiler Server appliance or pair of appliances in the case of HA pair. They will only be validated if the eth0 MAC of the appliance(s) matches the MAC(s) encoded in the license file.
When licensing NAC Profiler Server HA-pairs, the license file generation site allows the creation of what is termed a "Failover Bundle" license key, which encodes the eth0 MAC address of both Cisco NAC Profiler Appliances in a single license key file. This allows a single license key file to be loaded on both members of a NAC Profiler Server HA pair, and it will be validated by whichever NAC Profiler Server is the Primary node of the pair and running the Server for the system.
Both Profiler (Server) and Collector licenses can be generated in this form. The use of the Failover Bundle license option for Cisco NAC Profiler Systems running in HA mode is highly recommended.
Figure 3-1 provides a flow chart that guides the determination of the licensing requirements for standalone NAC Profiler servers, and NAC Profiler Server HA pairs.
Figure 3-1 Cisco NAC Profiler Licensing Flow Chart
Note The online license key generator will generate a file with the .lic extension for each Profiler and Collector license key file successfully generated. There is no designation within the filename that allows determination that a key file is a Profiler versus Collector license, or the MAC address that is encoded in the file. When creating Cisco NAC Profiler license keys it is a good practice to create separate directories for Profiler and Collector licenses and save the files to the proper directory as the key files are generated.
Once a license key file is successfully uploaded to a NAC Profiler Server, the Type (for example, Server or Collector) is displayed in the Cisco NAC Profiler UI along with an easy to interpret indicator that the license file does or does not contain the MAC (or MACs in the case of HA pairs/failover bundle licenses) of the eth0 MAC address(es) of the Profiler Server appliance(s). See Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment".
Internal Network Address Blocks
The Cisco NAC Profiler configuration specifies the range of host addresses of the devices that should be Profiled by the system. These address blocks consist of typically one or more IP subnets or networks that are used for assigning host IP addresses to the endpoints on the physical networks for which Cisco NAC Profiler will provide Endpoint Profiling and Behavior Monitoring. This prevents the system from maintaining profile information on endpoints with source addresses outside the address space controlled by the organization.
Collect the address block(s) (CIDR format: x.x.x.x/mask bits) that specify the host addresses of all the endpoints to be profiled in the network(s) targeted for the Cisco NAC Profiler deployment.
In 3.1 and later versions, the ability to specify "exclude" network blocks was added so that one or more address ranges can be specified as exclusion ranges; the NAC Profiler Collectors will not collect IP-learned endpoint data for host addresses on the excluded nets/subnets. For example, if the 10.0.1.0/24 through 10.0.10.0/24 networks were used within an organization, but it is not desirable to include hosts on the 10.0.5 and 10.0.6 subnets, these subnets could be excluded from endpoint data collection by specifying them in the "exclude" blocks for the Organization Name within the My Network configuration.
Network Device List
Cisco NAC Profiler maintains a model of the network infrastructure and communicates with the network infrastructure devices (switches and routers) via SNMP to gather information about the network topology when available. In order to utilize this functionality, Cisco NAC Profiler must be provided a list of the IP addresses of the network devices, and SNMP Read Only community strings in order to enable this communication. If SNMP is not enabled on the edge devices, it is highly recommended that SNMP be enabled in order to allow polling by Cisco NAC Profiler in order for the system to maintain a model of the network topology.
Note Versions 3.1 and later of Cisco NAC Profiler include an Active Response option for NAC Profiler Events. Active Response to selected events can include bouncing or forcing re-authentication of an endpoint, or can be used to administratively down a port when specified events occur. Use of this feature requires that Cisco NAC Profiler also have the read-write community string of the devices in order to perform the active response function via SNMP.
A list of network devices (switches and routers) that provide connectivity to the endpoints to be profiled should be compiled including IP address, device name, and read-only community string, preferably in a spreadsheet in CSV format to facilitate the data entry task. Chapter 8, "Managing Network Devices" describes the addition of network devices to Cisco NAC Profiler configuration in detail.
Many Network Management software solutions provide the capability to export device lists in CSV format with the information required by Cisco NAC Profiler. Cisco NAC Profiler provides the capability to import network device information provided in CSV format.
For basic, read-only connectivity with network devices, compile a list of network devices in a CSV file formatted as follows:
If Cisco NAC Profiler will be used to provision infrastructure devices to facilitate network management tasks associated with the deployment and management of NAC as described in Chapter 2, "Overview: Cisco NAC Profiler Architecture" or with Active Response Events, the Read-write community string must also be provided so that Cisco NAC Profiler can perform SNMP sets to network devices. In order to use Cisco NAC Profiler in the port provisioning mode, create a list of network devices in a CSV file formatted as follows:
DHCP Traffic Analysis
Cisco NAC Profiler can utilize DHCP requests from endpoints as a source of data for Endpoint Profiling. If some or all of the hosts to be Profiled are using DHCP for their addressing, consideration should be given to making DHCP requests from endpoints visible to Cisco NAC Profiler. If Cisco NAC Profiler is not able to collect the DHCP requests directly (for example, it is not on the same LAN as the hosts using DHCP), this can be accomplished either by using an IP Helper Address to redirect broadcast DHCP request packets from the router interfaces connecting the LANs to the rest of the network, or by simply using SPAN or RSPAN to send the traffic from the Ethernet ports to which the DHCP servers connect.
In the case of redirection, an IP-Helper address can be added to the configuration file of the router(s) specifying the appliance interface IP address of the desired Collector that should process DHCP information (more specifically the NetWatch module on that Collector). With this configuration, the router(s) forwards DHCP broadcasts not only to the DHCP server(s), but also to Cisco NAC Profiler for analysis for Endpoint Profiling and Identity Monitoring purposes.
Cisco NAC Profiler does not get involved in the DHCP process regardless of how it receives DHCP requests. It simply passively collects the request packets and uses the data for the purposes of endpoint profiling and/or behavior monitoring, and therefore has no effect on the DHCP service for the network.
Note NetWatch performs the DHCP analysis function. NetWatch cannot be run on the trusted interface (eth0) of the Profiler Collector running on the NAC Server. To use IP Helper redirection with NetWatch, an unused interface must be numbered (given an address) and the IP Helper configuration set to forward the DHCP packets to that interface.
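As an added example (not from the Cisco guide), the following Python code constructs a minimal DHCP Discover and then extracts from it the attributes that passive DHCP analysis of the kind NetWatch performs relies on: the client MAC, the hostname (option 12) and the Vendor Class Identifier (option 60). The sample packet, MAC, hostname and vendor string are constructed for illustration; the parser only reads the packet and never participates in the DHCP exchange.

```python
"""Passive extraction of profiling attributes from a DHCP Discover/Request.

Added example: a minimal BOOTP/DHCP packet is constructed in-line so the
code runs offline; nothing here talks to a DHCP server.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # option-field cookie at offset 236
OPT_MSG_TYPE, OPT_HOSTNAME, OPT_PARAM_LIST, OPT_VENDOR_CLASS, OPT_END = 53, 12, 55, 60, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 8: "INFORM"}


def build_dhcp_request(mac, hostname=None, vendor_class=None, msg_type=1):
    """Build a constructed DHCP Discover (default) or Request from a client.

    Only the fields a passive analyser cares about are filled; the hostname and
    vendor class options are omitted when None, like clients that do not send them.
    """
    fixed = struct.pack("!BBBBIHH4s4s4s4s",
                        1, 1, 6, 0,             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                        0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast bit)
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)  # ciaddr..giaddr
    chaddr = mac.ljust(16, b"\0")
    body = fixed + chaddr + b"\0" * 64 + b"\0" * 128   # sname and file unused
    opts = DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type])
    if hostname is not None:
        opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname
    if vendor_class is not None:
        opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    opts += bytes([OPT_PARAM_LIST, 3, 1, 3, 6])        # requests subnet mask, router, DNS
    return body + opts + bytes([OPT_END])


def parse_dhcp_options(packet):
    """Walk the TLV option area; stops at END and tolerates a truncated tail."""
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                  # PAD
            i += 1
            continue
        if i + 1 >= len(packet):
            break                      # truncated length byte
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) < length:
            break                      # truncated value: drop the partial option
        options[code] = value
        i += 2 + length
    return options


def extract_profiling_attributes(packet):
    """Return the identity attributes a Collector would record for this packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a BOOTP/DHCP packet")
    hlen = packet[2]
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    opts = parse_dhcp_options(packet)
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    hostname = opts.get(OPT_HOSTNAME)
    vendor = opts.get(OPT_VENDOR_CLASS)
    return {
        "mac": mac,
        "msg_type": msg_type,
        # Only client-originated messages carry endpoint identity; the hostname
        # is what later allows AD computer objects to be attributed to the MAC.
        "client_message": msg_type in ("DISCOVER", "REQUEST", "INFORM"),
        "hostname": hostname.decode("ascii", "replace") if hostname else None,
        "vendor_class": vendor.decode("ascii", "replace") if vendor else None,
        "param_request_list": list(opts.get(OPT_PARAM_LIST, b"")),
    }


# Constructed sample: a Windows-style client announcing its hostname.
SAMPLE_PACKET = build_dhcp_request(bytes.fromhex("001122334455"),
                                   hostname=b"LAB-PC-01", vendor_class=b"MSFT 5.0")

if __name__ == "__main__":
    print(extract_profiling_attributes(SAMPLE_PACKET))
```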
Monitoring Interface Requirements
A Cisco NAC Profiler Collector service can utilize unused network interfaces on the NAC Server appliance to collect and analyze packets useful for Endpoint Profiling and Identity Monitoring. These passive analyzer interfaces are used to gather network traffic for analysis by the NetWatch collector component module running on the Collector. For standalone (non-HA) NAC Servers, the eth2 and/or eth3 interfaces can be used as NetWatch monitor interfaces. If the NAC Server is deployed as an HA-pair, only the eth3 interface can be used to receive traffic of interest redirected via SPAN or RSPAN.
One of the most useful sources of endpoint profiling information for Cisco NAC Profiler is DHCP. If DHCP is in use in the environment, placing a NetWatch monitoring interface on the link that services the DHCP server or servers can provide highly useful data to Cisco NAC Profiler. As an alternative, routers servicing the LAN segments can be configured with an IP helper-address as described in DHCP Traffic Analysis.
Note The use of IP Helper for the redirection of DHCP requests to the NAC Profiler system requires that the NetWatch monitoring interface be configured with an IP configuration so that the packets forwarded by the routers via IP helper can be delivered to the NAC Server interface. The procedure for the configuration of these interfaces is provided in Chapter 4, "Configuring Profiler Collectors to Use with DHCP Analysis via IP Helper" section on page 4-60.
Consideration should be given to using the eth3 interface for receiving re-directed traffic (through the use of SPAN, RSPAN) of endpoint traffic traversing from the edge of the network to server farms and the Internet link which yield traffic useful for endpoint profiling and behavior monitoring.
Refer to Chapter 7, "Configuring Collector Modules" for additional information.
SNMP Trap Configuration
The NetTrap module running on one or more NAC Profiler Collectors in the Cisco NAC Profiler system can utilize traps from edge devices in performing the Endpoint Profiling and Identity Monitoring functions. Network devices providing connectivity to endpoints are configured to send SNMP Traps for Link State changes and MAC-address-change notification traps (the latter being available only on Cisco switches) to a Collector for processing by NetTrap. Ensure that infrastructure devices providing endpoint connectivity are configured to send Link State and New MAC Notification traps (when available) to the IP address of the management interface of the Collector designated to receive traps for the NAC Profiler system. Refer to the device manufacturer's documentation for detailed instructions on the configuration of SNMP traps.
An illustrative SNMP trap configuration for Cisco IOS-based switches is provided below:
The following notes provide instructions for configuring access switches to send the desired traps to a Cisco NAC Profiler Collector. The configuration commands shown are applicable to most Cisco IOS-based switches running recent firmware releases. Some switches may not support all trap types; check the documentation and release notes to determine the SNMP trap capability of the switch types deployed in the network on which the NAC Profiler System is being deployed.
The following IOS commands will enable the sending of desired SNMP traps to a Cisco NAC Profiler Collector:
(config)# snmp-server enable traps mac-notification
(config)# snmp-server enable traps snmp linkup linkdown
(config)# snmp-server host <Collector eth0-IP-address> traps version 1 <community-string>
This will enable link-status traps for all interfaces and configure the switch to potentially send MAC-address-change notification traps. For MAC-address-change notifications to actually occur, the following command must be utilized for each interface of interest:
(config)# interface GigabitEthernet 2/29
(config-if)# snmp trap mac-notification change added
MAC-address-change notification should be enabled on access switch ports where endpoints connect. Of particular interest are ports connecting wireless controllers (such as the Cisco WLC). MAC-address-change notification should never be enabled on inter-switch links (for example, trunk) ports.
The network devices should be configured such that the Collector receives only Link State and MAC-address-change notification traps. Forwarding all network device traps to a Profiler Collector is undesirable in that it provides no additional useful information to the NAC Profiler system and can potentially negatively impact system performance.
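The following Python script is an added example, not part of the Cisco guide, that checks an IOS running-config excerpt against the trap guidance above: both global trap enables present, a host entry pointing at the Collector, no additional trap types, mac-notification on access ports and never on trunks. The configuration text and the Collector address 192.0.2.10 are constructed for the example, and only the IOS syntax this chapter shows is parsed.

```python
"""Audit an IOS running-config excerpt for the trap settings NetTrap needs.

Added example. The config below is constructed; only the subset of IOS
syntax used in this chapter is understood.
"""
import re

# Exactly what the Collector should receive: link state and MAC change traps.
WANTED_TRAPS = {"mac-notification", "snmp linkup linkdown"}

SAMPLE_CONFIG = """\
snmp-server enable traps mac-notification
snmp-server enable traps snmp linkup linkdown
snmp-server enable traps config
snmp-server host 192.0.2.10 traps version 1 profiler-ro
!
interface GigabitEthernet2/29
 switchport mode access
 snmp trap mac-notification change added
!
interface GigabitEthernet2/30
 switchport mode access
!
interface GigabitEthernet2/48
 description uplink to core
 switchport mode trunk
 snmp trap mac-notification change added
!
"""


def parse_ios_config(text):
    """Collect global trap enables, trap hosts and per-interface settings."""
    cfg = {"traps": set(), "hosts": [], "interfaces": {}}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            current = None                     # '!' terminates a stanza
            continue
        if not raw.startswith(" "):            # top-level command
            current = None
            m = re.match(r"^interface (.+)$", stripped)
            if m:
                current = m.group(1).replace(" ", "")   # 'GigabitEthernet 2/29' -> 'GigabitEthernet2/29'
                cfg["interfaces"][current] = {"trunk": False, "mac_notify": False}
                continue
            m = re.match(r"^snmp-server enable traps (.+)$", stripped)
            if m:
                cfg["traps"].add(m.group(1))
                continue
            m = re.match(r"^snmp-server host (\S+) traps(?: version (\S+))? (\S+)$", stripped)
            if m:
                cfg["hosts"].append({"ip": m.group(1), "version": m.group(2) or "1",
                                     "community": m.group(3)})
            continue
        if current is None:
            continue                           # indented line outside an interface stanza
        if stripped == "switchport mode trunk":
            cfg["interfaces"][current]["trunk"] = True
        elif stripped.startswith("snmp trap mac-notification change"):
            cfg["interfaces"][current]["mac_notify"] = True
    return cfg


def audit_trap_config(cfg, collector_ip):
    """Return findings as strings; an empty list means the switch matches the guidance."""
    findings = []
    for trap in sorted(WANTED_TRAPS - cfg["traps"]):
        findings.append(f"missing global enable: snmp-server enable traps {trap}")
    for trap in sorted(cfg["traps"] - WANTED_TRAPS):
        findings.append(f"extra trap type forwarded to the Collector (no profiling value, adds load): {trap}")
    if not any(h["ip"] == collector_ip for h in cfg["hosts"]):
        findings.append(f"no snmp-server host entry targets the Collector at {collector_ip}")
    for name, iface in sorted(cfg["interfaces"].items()):
        if iface["trunk"] and iface["mac_notify"]:
            findings.append(f"{name}: mac-notification enabled on a trunk (inter-switch link)")
        elif not iface["trunk"] and not iface["mac_notify"]:
            findings.append(f"{name}: access port without 'snmp trap mac-notification change added'")
    return findings


if __name__ == "__main__":
    for finding in audit_trap_config(parse_ios_config(SAMPLE_CONFIG), "192.0.2.10"):
        print(finding)
```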
Determination of Required Endpoint Profiles
As outlined in detail in Chapter 1, "Introduction to the Cisco NAC Profiler", profiles are logical containers used to discover, locate and classify devices into device-types or classes that have similar operating characteristics, capabilities and limitations. Cisco NAC Profiler is a rule-based system. It collects endpoint data and evaluates that data against the rules in the enabled profiles to find a "best match." Refer to Table 1-1 on page 1-4, which outlines the endpoint identity attributes available to the system, and how they are collected (for example, by which Collector component module).
Understanding that the overarching goals in most Cisco NAC Profiler deployments are to discover all endpoints and to accurately profile each discovered endpoint, the determination of the required profiles and how they will be configured in terms of rules is the "heavy lifting" of both the initial implementation and the ongoing tuning the system will require in production.
Endpoints remaining in the Not Profiled state are anathema to the Cisco NAC Profiler administrator. That being said, eventually it boils down to answering the following questions about each of the major endpoint types using the network and needing to be profiled:
1. What attributes of endpoint identity available to the Cisco NAC Profiler System could be used to uniquely identify an endpoint of the given type?
2. How and where can the data by which the identity attribute is exhibited by endpoints of this type be collected by the available NAC Profiler Collectors?
The answers to these questions have implications for both the configuration of Profiles and profile rules, as well as Collector placement, the data feeds required by those Collectors and component module configuration. That is why this discussion is included in the system planning chapter.
In order to provide the Cisco NAC Profiler administrator with a head start on this process, Cisco NAC Profiler ships with a number of Endpoint Profiles pre-configured based on deployment experience to date. Many of these profiles utilize tried and true approaches for profiling endpoints that are universally applicable (that is, they do not depend on environment-specific attributes). They rely on endpoint identity attributes such as MAC Vendor and DHCP Vendor Class Identifiers that are consistent across all network environments and, provided that the Collectors receive the data feeds necessary for the collection of this data, will begin profiling endpoints out of the box.
Tip Using the Cisco NAC Profiler factory profiles that are enabled by default, the quickest path to the Profiling of endpoints requires that at least one Collector be enabled for NetWatch processing of DHCP traffic using one of the techniques outlined earlier in the chapter, along with initiating polling of network devices by NetMap.
Several of the existing profiles that ship pre-configured on the system may be applicable in the environment. The following are examples of pre-configured profiles that ship with the Cisco NAC Profiler product and are enabled by default:
• Cisco WLAN Access Point
• HP Jet Direct Printer
As part of the preparation for the deployment of the product, the types of endpoint devices known to be connected to the network, the needs for a contextual inventory, and plans for authentication and/or NAC deployment should be discussed, and a preliminary list of the required profiles developed, so that as the system is initially configured, measurable progress toward profiling discovered endpoints can be made early on.
Also of note is the fact that when one or more NetWatch modules have network traffic delivered to their monitor interface(s), the Cisco NAC Profiler system will begin collecting endpoint identity attributes observed for endpoints on the network with no specific configuration. NetWatch will collect all identity attributes available from DHCP, TCP Open Ports, Web User Agents, Web and SMTP Server banners, and Network Stack Information attributes from the traffic received on the monitor interface. The Cisco NAC Profiler administrator can view this data to find identity attributes exhibited by endpoints of a particular type and collected by the Cisco NAC Profiler system in order to configure new profiles or add rules to existing ones. Endpoint Profiling on large enterprise networks with a large and diverse endpoint population is inherently an iterative process.
Collecting Endpoint Data from Active Directory Servers
The underlying principle of Active Directory® endpoint data collection is to use the Active Directory (AD) as a certified source of information about endpoints on the network, specifically the computer objects that are members of the Domain. This data can be particularly useful for positive identification of the Microsoft® Windows® computer assets owned by the organization.
The collection of this data is performed by the NetMap collector component module via LDAP queries of the AD Servers on the network maintaining the Domain infrastructure. In order to perform this form of endpoint data collection, the Cisco NAC Profiler system must be configured with the information for the AD Server(s) that contain the computer objects of interest, including credentials (username and password) of a user with LDAP query privileges, and the base DN from which to begin the query for computer objects. In multiple-Collector Cisco NAC Profiler systems, AD Server collection can be distributed amongst the NetMap modules running on the Collectors.
Note The Global Catalog Server does not contain all the endpoint information that the Cisco NAC Profiler uses for profiling so it should not be added to the Cisco NAC Profiler configuration as an AD Server. For the feature to function as implemented currently, the Cisco NAC Profiler system must be provided direct information via configuration about each AD Server on the network that contains computer objects of interest so that collection of endpoint AD data can be performed. The system is not currently able to utilize LDAP referrals to find additional AD Servers in a domain by querying a single AD Server in the domain.
It is important to the understanding of this feature to know that within AD, computer objects are not identified by MAC or IP address; they are identified by the computer (also sometimes called common) name. Therefore, in order for the Cisco NAC Profiler to attribute endpoint data collected from AD to a specific endpoint MAC in the Cisco NAC Profiler database, the endpoint must have been discovered and had name information saved for it previous to the collection of AD data. This is accomplished via the analysis of DHCP Discover and Request packets from endpoints that contain the hostname for the endpoint which in most environments, exactly matches the name of the computer object in AD.
To summarize, for endpoints that do not currently have a matching DHCP host name attribute stored to the Cisco NAC Profiler database, AD information cannot be attributed to the endpoint and stored in the database. See the Configuring Profiler Collectors to Use with DHCP Analysis via IP Helper, page 4-60 for more information on options for providing the Cisco NAC Profiler system with visibility into endpoint DHCP information.
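The matching rule described above, as an added example that is not part of the Cisco guide: it builds the LDAP computer-object search for a chosen Base DN and then attributes constructed AD results to constructed Profiler endpoint records strictly by DHCP hostname, so an endpoint with no stored hostname, or whose computer object lies outside the Base DN, receives no AD data. The DNs, hostnames and MAC addresses are constructed; the attribute names (cn, dNSHostName, operatingSystem, operatingSystemVersion) are standard AD schema attributes.

```python
"""Attribute AD computer-object data to Profiler endpoints by DHCP hostname.

Added example. The directory entries stand in for the result of an LDAP
search; no directory server is contacted.
"""

# Standard AD attributes of a computer object worth keeping for profiling.
COMPUTER_ATTRS = ("cn", "dNSHostName", "operatingSystem", "operatingSystemVersion")


def computer_object_search(base_dn):
    """LDAP search parameters for computer objects beneath base_dn (subtree scope)."""
    return {"base": base_dn, "scope": "subtree",
            "filter": "(objectCategory=computer)", "attributes": list(COMPUTER_ATTRS)}


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN components (escaped commas not handled)."""
    return [part.strip().lower() for part in dn.split(",")]


def under_base_dn(dn, base_dn):
    """True when dn lies in the subtree rooted at base_dn."""
    dn_parts, base_parts = normalize_dn(dn), normalize_dn(base_dn)
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def dhcp_name_key(hostname):
    """Match key from a DHCP option-12 hostname: first label, case-folded.

    Some clients send an FQDN in option 12 while AD stores the short computer
    name in cn, so only the first label is compared.
    """
    if not hostname:
        return None
    return hostname.split(".")[0].strip().lower() or None


def attribute_ad_data(endpoints, ad_entries, base_dn):
    """Map each endpoint MAC to the AD data of the computer object with the same name.

    Entries outside base_dn are ignored, as a search rooted there would not
    return them; endpoints lacking a DHCP hostname can never match.
    """
    by_name = {}
    for entry in ad_entries:
        if under_base_dn(entry["dn"], base_dn):
            by_name[entry["cn"].lower()] = {k: entry.get(k) for k in COMPUTER_ATTRS}
    return {ep["mac"]: by_name.get(dhcp_name_key(ep.get("dhcp_hostname")))
            for ep in endpoints}


# Constructed LDAP results (what the NetMap query would have returned).
AD_ENTRIES = [
    {"dn": "CN=LAB-PC-01,OU=Workstations,DC=example,DC=org", "cn": "LAB-PC-01",
     "dNSHostName": "lab-pc-01.example.org", "operatingSystem": "Windows 10 Enterprise",
     "operatingSystemVersion": "10.0 (19045)"},
    {"dn": "CN=LAB-SRV-02,OU=Servers,DC=example,DC=org", "cn": "LAB-SRV-02",
     "dNSHostName": "lab-srv-02.example.org", "operatingSystem": "Windows Server 2019 Standard",
     "operatingSystemVersion": "10.0 (17763)"},
]

# Constructed Profiler endpoint records (MAC plus the DHCP hostname seen, if any).
ENDPOINTS = [
    {"mac": "00:11:22:33:44:55", "dhcp_hostname": "lab-pc-01"},
    {"mac": "00:11:22:33:44:66", "dhcp_hostname": None},           # no DHCP hostname observed
    {"mac": "00:11:22:33:44:77", "dhcp_hostname": "printer-3f"},   # no matching computer object
    {"mac": "00:11:22:33:44:88", "dhcp_hostname": "LAB-SRV-02.example.org"},
]

if __name__ == "__main__":
    for base in ("OU=Workstations,DC=example,DC=org", "DC=example,DC=org"):
        print(base, attribute_ad_data(ENDPOINTS, AD_ENTRIES, base))
```

Run with the narrower Base DN only the workstation is attributed; widening it to the domain root also attributes the server, which is the trade-off the Base DN choice controls.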
Adding Active Directory Servers to the Cisco NAC Profiler Configuration
As outlined previously, enabling AD Collection requires configuration of the system with an entry for each AD Server containing endpoint information to be collected by the Cisco NAC Profiler system for use in Endpoint Profiling. Within the Cisco NAC Profiler UI, AD Servers are characterized as Network Devices.
In version 3.1 and later, the Configure Network Devices menu under the Configuration Tab includes two options used for managing AD Servers in the Cisco NAC Profiler system configuration. Those options are titled Add Active Directory and List Active Directory in the Cisco NAC Profiler UI and are accessed from the Configuration Tab by selecting the Network Devices option.
Adding an Active Directory server is accomplished via the Add Active Directory Server form. For each AD Server containing computer object endpoint data to be collected by the Cisco NAC Profiler, one (or more) entries for the AD Server is configured using this form. AD Server entries previously saved to the configuration can be viewed and edited using the List Active Directory form.
An AD Server entry in the Cisco NAC Profiler configuration consists of the following information about the Server to be queried by the Cisco NAC Profiler:
• Server Name -- The Fully-Qualified Domain Name (preferable) of the AD Server, or alternatively the IP address.
• Description -- enables the entry of free-form text to provide a description of each AD Server added to the Cisco NAC Profiler configuration.
• Designated Collector Module -- Each AD Server entry effectively assigns regular LDAP query responsibilities to the system, specifically to a NetMap module on one of the Collectors. Each AD Server entry should have a designated Collector module assigned to query it.
• Username -- The username of an AD user that has LDAP query privileges; preferably a Domain Administrator or Super User.
Note The AD username to be used by the Cisco NAC Profiler for LDAP queries to the AD Server should be specified in the Cisco NAC Profiler configuration using the Fully Qualified Domain Name (FQDN) format. For example: firstname.lastname@example.org
• Password -- the password for the user specified.
• Base DN -- the Base DN specifies the point in the AD from which this server should be queried to find the computer objects in the directory. Choice of an appropriate Base DN is very important, and is covered in much more detail later in this section.
It is highly recommended that the Cisco NAC Profiler administrator consult with the Active Directory administrator to gather the information required for the Cisco NAC Profiler configuration. When provided with the configuration requirements listed immediately above, the AD Administrator should in most cases be able to provide the Cisco NAC Profiler administrator with the information required to configure the Cisco NAC Profiler to begin successfully collecting endpoint data from AD Servers.
In cases where consultation with the AD admin is not practical, the following guidance is provided to assist in the proper configuration of this Cisco NAC Profiler feature. It is not intended however to replace consultation with the local AD expert. Using the Active Directory Service Interfaces Editor (ADSI Edit), which is an LDAP editor provided by Microsoft, the Cisco NAC Profiler administrator can determine and verify the parameters for adding an AD Server to the Cisco NAC Profiler configuration.
ADSI Edit is used in the following example, but other LDAP browsers provide similar functionality. If the reader is familiar with other LDAP browsers, the same procedures outlined in subsequent sections are applicable for verifying credentials and determination of appropriate base DN.
For those unfamiliar with ADSI Edit, complete instructions for downloading and installing the ADSI Edit tool can be found in the following Microsoft TechNet article at:
The following example shows how ADSI Edit can be used on a non-Domain Member Windows PC to establish LDAP communication with a selected Microsoft AD Server. Using this example, verification of user credentials and determination of a correct Base DN are demonstrated.
From a Windows PC, use ADSI Edit to establish an LDAP connection to the selected AD Server by following the steps outlined below:
Step 1 Start, run MMC.
Step 2 Click File, and click Add/Remove Snap-in.
Step 3 Select ADSI Edit from the list of available snap-ins, and click Add.
Step 4 Click Close, and click OK.
Step 5 Right-click ADSI Edit, select Connect To which connects you to your domain if possible (if the computer is not currently logged into a domain, a dialog will display).
Step 6 Click OK in dialog that displays.
Step 7 Select 'Select or type a domain or server'.
Step 8 Enter the FQDN of the target AD server (such as, example.ad.mydomain.com), and click Advanced.
Step 9 Select the Specify Credentials check box, enter the user name and password provided that should allow LDAP access to the specified AD Server.
Step 10 Enter or specify port 389 for the connection.
Step 11 Click OK.
Step 12 If the supplied credentials are valid, the target AD server should display in a directory tree beneath the ADSI edit (this verifies the username and password is correct, and has LDAP query access to the Server).
Using ADSI Edit to Determine Base DNs for Profiler Queries
The Cisco NAC Profiler is interested only in the Computer Objects within the Active Directory. As described elsewhere in this guide, when a domain member computer's common name in the directory matches a hostname that the Cisco NAC Profiler collected by analyzing DHCP transactions, the AD information for that endpoint is collected and stored in the Cisco NAC Profiler database.
In order to make the most efficient query via LDAP, the base DN to initiate the query for computer objects within the directory should be specified for the AD Server configuration within the Cisco NAC Profiler. The location of computer objects within the directory varies based on the setup of the AD as configured by the AD administrator.
When configuring this feature, it is recommended to consult with the administrator of target AD servers to determine the base DN from which to initiate a search for all computer objects in the directory. Note that in some cases, computer objects may be stored in more than one location in the directory. In this scenario it is important to choose a base DN or base DNs, which result in queries that collect all computer objects.
Tip In larger AD implementations consisting of servers with 2,500 or more computer objects per server, it may be preferable to configure multiple instances for a single physical AD Server in the Cisco NAC Profiler configuration by specifying two or more base DNs from which to initiate LDAP queries for computer objects. It is perfectly valid, even preferable to have multiple instances for the same AD server rather than initiating a search at a base DN that results in unneeded traversal of directory branches that do not contain computer objects. Such traversals place a higher load on the AD server and Cisco NAC Profiler without any gains in the collection of data useful for Endpoint Profiling. Again, using information from your consultations with the AD admin, you will select a more proper base DN (or DNs) from which to initiate queries for computer objects via LDAP.
The ADSI Edit tool can provide some insight into the directory structure of a given AD Server and assist in the determination of the base DN (or DNs) that should be configured for the Cisco NAC Profiler. Return to the MMC session initiated to check the credentials and browse the Directory Structure to find a suitable base DN (or base DNs) as outlined in the following paragraphs.
Expand the tree view of the selected AD server in ADSI Edit by clicking the + signs next to the server, as shown in Figure 3-2.
Figure 3-2 Browsing the AD Server Directory Using ADSI Edit
Note that the root DN is immediately below the selected AD server (oliver.ad.lab.bspruce.com) in this example (Figure 3-2), DC=ad,DC=lab,DC=bspruce,DC=com.
Immediately beneath the root are the subdirectories (or branches) of information stored in the directory itself. The branches on a given AD server vary widely from network to network. For the purposes of the Cisco NAC Profiler configuration, the objective is to determine where in this directory structure the computer objects for the domain member machines reside.
In many AD implementations (certainly not all), the computer objects in the domain are stored in the CN=Computers branch of the directory immediately beneath the root. Expand the CN=Computers branch by clicking on the + to the left of the object as shown in Figure 3-3. All computer objects (7 in this example) in this part of the directory will be displayed.
Browsing Computer Objects in the Active Directory
The ADSI Edit tool can be used to query the entire directory on an AD Server to find all computer objects, along with their respective DNs. Use the following procedure to search for computer objects within the directory on a given AD server:
Step 1 Right click on the server object (such as, oliver.ad.lab.bspruce.com).
Step 2 Select File, New, and Query from the context-sensitive menu.
Step 3 Give the query a name (for example, find computer objects).
Step 4 Set the base DN for the search, click Browse, and click OK (this defaults to the root DN which is ideal for searching the entire directory on this AD Server).
Step 5 Enter the following query string exactly: objectClass=computer
Step 6 Leave the query scope at the default (subtree search) and click OK to save (the query is saved to the bottom of the directory tree, left pane).
Step 7 Run the query by expanding it in the directory tree view (left pane) when you click + adjacent to the query name.
Step 8 Click the query name to display the query results in their entirety in the right pane. All computer objects found in the directory are shown with their complete DN in the right pane as shown in Figure 3-4.
Figure 3-4 Search for Computer Objects
In the example, computer objects are found in the following locations in the directory on this AD server:
•CN=Computers
•OU=testOU
•OU=Domain Controllers (the AD Server itself)
All of which are immediately underneath the root DN, DC=ad,DC=lab,DC=bspruce,DC=com.
Armed with this information we are at a decision point regarding the correct base DN to use for the Cisco NAC Profiler configuration of this AD Server. Should two AD Server instances be added to the Cisco NAC Profiler configuration, one per container that holds computer objects, which is more efficient in terms of the traversal required on each query?
Or, for the sake of ease of configuration, should the root DN be used so that the entire directory is searched via LDAP for computer objects, which would also collect the object representing the Server itself? The decision is guided primarily by the number of computer objects and the overall directory structure (for example, the number of levels or subdirectories).
For AD Servers with a small number of computer objects (less than a thousand total), and relatively flat directory structure (one or two levels beneath the root DN), specifying the root as the base DN in the Cisco NAC Profiler configuration is recommended.
AD Servers containing greater than a thousand computer objects with computer objects residing more than two levels below the root DN should be configured as multiple AD Servers in the Cisco NAC Profiler configuration. Each of the configuration instances in this case should be configured with its respective Base DN specified as close to the computer objects themselves as practical. Again, this ensures minimal impact on the AD server by avoiding queries that must traverse an expansive directory structure.
Continuing with our example, this would be accomplished by adding two AD Server instances to the Cisco NAC Profiler configuration for collection of AD information from this single physical Active Directory server. Both instances would have identical configuration except for the base DNs: one would be configured to begin the query at CN=Computers, the other to begin the query at OU=testOU. The full base DN parameters for these entries would be as follows:
•CN=Computers,DC=ad,DC=lab,DC=bspruce,DC=com
•OU=testOU,DC=ad,DC=lab,DC=bspruce,DC=com
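As an added example (this is not code from the Cisco NAC Profiler guide or from the product), the following PowerShell script performs the same two checks as the ADSI Edit procedure above from any Windows PC: it binds to the selected AD server with the credentials intended for the Profiler, then runs the objectClass=computer subtree search from the root DN and tallies where the computer objects live, so that candidate base DNs, their depth below the root DN and their object counts can be read off directly. The server name, account and password are placeholders taken from the example above and must be replaced with the values provided by the AD administrator.

```powershell
# Added example, not part of the Cisco NAC Profiler guide: verify the LDAP credentials
# against a chosen AD server and list every container that holds computer objects, so a
# base DN (or several) can be chosen for the Profiler AD Server entries.
# The defaults below are placeholders (assumptions), not values from the guide.
param(
    [string]$Server   = 'oliver.ad.lab.bspruce.com',       # FQDN of the target AD server
    [int]$Port        = 389,                                # LDAP port used for the query
    [string]$UserName = 'firstname.lastname@example.org',  # UPN of the query account
    [string]$Password = 'REPLACE-ME'                        # placeholder, replace before use
)

Add-Type -AssemblyName System.DirectoryServices

# 1. RootDSE reports the default naming context, i.e. the root DN of the domain,
#    which saves typing the DC=... components by hand.
$rootDse = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${Server}:${Port}/RootDSE", $UserName, $Password)
$rootDn = [string]$rootDse.Properties['defaultNamingContext'].Value

# 2. Bind with the Profiler credentials at the root DN. A failed bind throws here,
#    the equivalent of ADSI Edit not displaying the server tree.
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${Server}:${Port}/$rootDn", $UserName, $Password)
try {
    $root.RefreshCache()   # forces the bind
} catch {
    throw "LDAP bind to $Server as $UserName failed: $($_.Exception.Message)"
}
Write-Host "Bind OK. Root DN: $rootDn"

# 3. The same query ADSI Edit runs: every computer object in the subtree. Paging makes
#    sure directories with more than 1000 objects are returned completely.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectClass=computer)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000
$null = $searcher.PropertiesToLoad.Add('distinguishedName')
$results = $searcher.FindAll()

# 4. Group by the parent container of each object. A DN is "CN=host,<parent DN>", so
#    dropping the first RDN gives the candidate base DN. Commas inside an RDN are
#    escaped as "\," and must not be treated as separators.
$byParent = @{}
foreach ($r in $results) {
    $dn     = [string]$r.Properties['distinguishedname'][0]
    $rdns   = $dn -split '(?<!\\),'
    $parent = ($rdns | Select-Object -Skip 1) -join ','
    $byParent[$parent] = 1 + [int]$byParent[$parent]
}
$results.Dispose()

$total = ($byParent.Values | Measure-Object -Sum).Sum
"{0} computer objects found under {1}" -f $total, $rootDn
$rootDepth = ($rootDn -split '(?<!\\),').Count
$byParent.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
    # depth = number of RDNs below the root DN; the guide's rule of thumb is to split
    # into several AD Server instances when objects sit more than two levels down
    # and the directory holds more than about a thousand computer objects.
    $depth = ($_.Key -split '(?<!\\),').Count - $rootDepth
    "{0,6} objects  depth {1}  {2}" -f $_.Value, $depth, $_.Key
}
```

The DirectoryEntry objects use the .NET default authentication type (Secure), so the bind is negotiated through the Windows security packages rather than sent as a cleartext simple bind on port 389; if the AD server only accepts LDAP over SSL, change the port to 636. Every container printed with a non-zero count is a candidate base DN; containers printed with a large depth and a small count are usually better covered by a base DN one or two levels higher.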
Considerations for NetMap in Cisco NAC Profiler System Deployments
SNMP polling of network devices is done at specified intervals by the Cisco NAC Profiler system according to system-level parameters. When link up/MAC notification traps and link down traps signalling an endpoint joining or leaving the network are received by a NetTrap module, the Server module will direct a designated NetMap module to poll for the port-specific parameters it needs to gather on an endpoint join or leave.
Each network device in the Cisco NAC Profiler configuration is assigned a NetMap module that will be responsible for the SNMP polling (regular and trap-based) of the device.
When planning the implementation of a Cisco NAC Profiler system with two or more Collectors it is good practice to distribute SNMP polling responsibility amongst the NetMap modules on the two or more Collectors so that the workload associated with endpoint data gathering by SNMP is split between the Collectors.
Tip The NetMap module polling assignment can be done per network device group rather than at the individual device level. All devices in a group will be assigned to an available NetMap module in accordance with the group configuration. The network device list referred to earlier in the chapter can be broken into multiple CSV files (for example, one CSV file per group/NetMap module) and imported into the Cisco NAC Profiler system configuration per group.
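As an added planning aid (example code, not part of the guide or of the product), the following PowerShell script assigns whole device groups to NetMap modules, largest group first to the module currently carrying the least polling load, and writes one CSV per module for import. The device list, its column names (Name, IP, Group, Ports) and the NetMap module names are constructed for this example; the real import format is that of the network device list referred to earlier in the chapter.

```powershell
# Added example, not part of the Cisco NAC Profiler guide: distribute SNMP polling of
# network devices across the NetMap modules of several Collectors while keeping every
# device group on a single NetMap module, then write one CSV per module for import.

# Constructed sample device list; column names are assumptions for this example.
$devices = @'
Name,IP,Group,Ports
sw-bldgA-1,10.1.1.11,BuildingA,48
sw-bldgA-2,10.1.1.12,BuildingA,48
sw-bldgB-1,10.1.2.11,BuildingB,96
sw-bldgC-1,10.1.3.11,BuildingC,24
sw-bldgC-2,10.1.3.12,BuildingC,48
sw-bldgD-1,10.1.4.11,BuildingD,48
'@ | ConvertFrom-Csv

# One NetMap module per Collector; the names are placeholders (assumptions).
$netmaps = @('collector-1-netmap', 'collector-2-netmap')

function Get-NetMapAssignment {
    param([object[]]$Devices, [string[]]$NetMaps)
    # Polling load per NetMap module, measured here in access ports to be polled.
    $load = @{}
    foreach ($n in $NetMaps) { $load[$n] = 0 }
    $assignment = @{}
    # Largest group first, each to the least-loaded module (greedy longest-processing-time).
    $groups = $Devices | Group-Object Group | Sort-Object {
        ($_.Group | ForEach-Object { [int]$_.Ports } | Measure-Object -Sum).Sum
    } -Descending
    foreach ($g in $groups) {
        $ports  = ($g.Group | ForEach-Object { [int]$_.Ports } | Measure-Object -Sum).Sum
        $target = ($load.GetEnumerator() | Sort-Object Value, Key | Select-Object -First 1).Key
        $load[$target] += $ports
        $assignment[$g.Name] = $target
    }
    return $assignment
}

$assignment = Get-NetMapAssignment -Devices $devices -NetMaps $netmaps
foreach ($n in $netmaps) {
    $groupsHere = @($assignment.GetEnumerator() | Where-Object Value -eq $n | ForEach-Object Key)
    # One import file per NetMap module, containing every device of the groups assigned to it.
    $devices | Where-Object { $groupsHere -contains $_.Group } |
        Export-Csv -NoTypeInformation -Path "devices-$n.csv"
    "{0}: groups {1}" -f $n, ($groupsHere -join ', ')
}
```

With the sample list above, BuildingB (96 ports) and BuildingA (96 ports) land on different modules and the two smaller groups fill in behind them, so the two Collectors end up polling equal port counts. Port count is used as the load measure because the regular and trap-driven SNMP polls are per port; substitute whatever measure fits your environment.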
SNMP trap processing by NetTrap and SNMP polling of network devices by NetMap are decoupled. Any NAC Profiler Collector receiving a Link State/MAC Notification trap will inform the Profiler Server, and the Server will in turn create a task for the responsible NetMap module to poll the network device to determine what changed on the port. It is not necessary for traps to be sent to the same Collector that the NetMap module is running on that is responsible for polling a given network device.
Tip In 3.1 and later versions, the option to trust Cisco MAC notifications was added to the Profiler Server SNMP trap handling capability. When this option is selected in the Profiler Server configuration, the information in the MAC Notification trap is processed directly by the Profiler Server when forwarded by the receiving NetMap. A single poll from NetMap follows the MAC notification to collect only PAE MIB information from the trapping device.
Cisco NAC Profiler System Configuration Workflow
System configuration of Cisco NAC Profiler is a multi-step process. Prior to beginning implementation of the system, it is highly recommended that a system-level plan be developed. Of primary importance is understanding Cisco NAC Profiler components: how they will be addressed, where they will be placed in the network, and how polling of network devices will be distributed amongst the NetMap modules in the system running on the Collectors.
This information should be well established prior to the startup of the Profiler Server and the Profiler Collector(s) that will comprise the Cisco NAC Profiler system. The startup procedure requires the input of these parameters as the system is set up, so they should be readily available to the personnel performing the initialization as outlined in Chapter 4, "Installing and Performing an Initial Configuration".
Table 3-1 represents the workflow for configuration of Cisco NAC Profiler. The remaining chapters in this guide provide instructions for completion of the configuration tasks described in Table 3-1. The workflow begins with completion of the appliance startup procedures for the Profiler Server and the Collectors running on the NAC Servers to be deployed in the system.
Appliance start-up procedures are completed on each appliance using keyboard and monitor, or a terminal session. Detailed instructions for initial startup of Profiler Server appliance and NAC Profiler Collectors are provided in Chapter 4, "Installing and Performing an Initial Configuration". Once the Server and Collector(s) have been initially configured, all further system configuration is completed via the web interface.
Table 3-1 Task Flowchart
1. Appliance Start-Up
Complete appliance start-up procedure for the Profiler Server and Collector(s) by following procedures outlined in Chapter 4, "Installing and Performing an Initial Configuration". These steps initialize and address all components as well as enable network communications for all components. Establish web session with the Profiler Server to complete system configuration.
2. My Networks Configuration
Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment" outlines procedures for licensing the NAC Profiler system and for configuring Cisco NAC Profiler for the target environment. In addition it outlines the procedures for saving system configuration changes that are used for all future system configuration accomplished via the Cisco NAC Profiler User Interface.
3. Configure Profiler Server
Chapter 6, "Configuring the Cisco NAC Profiler Server" outlines the configuration procedure for the NAC Profiler Server component via the User Interface. Completion of the configuration of the Profiler Server, specifically the configuration of required Network Connections should be completed prior to adding the Profiler Collector(s) to the system configuration.
4. Add Collectors
Chapter 7, "Configuring Collector Modules" outlines the procedure for adding each of the Collectors to the system, and the configuration of each of the component modules (such as the Forwarder, NetMap, NetWatch, NetInquiry, and NetTrap) that run on each Collector as required for each Collector.
It is emphasized throughout the chapter that enablement of the Collector component modules is done selectively on a per-Collector basis: only the components necessary for the collection techniques planned for a given Collector should be configured/enabled.
5. Configure Network Devices
Chapter 8, "Managing Network Devices" outlines the procedures for adding the network devices to the system configuration. Polling of network devices is distributed amongst the NetMap modules running on the Collectors in the system. Network devices and the necessary SNMP information are added or imported to the system configuration, and a NetMap module is designated to poll each network device.
In 3.1 and later versions of Cisco NAC Profiler, NetMap collection of endpoint data from Active Directory Servers was added. If this optional collection technique will be used, it is configured at this juncture as well.
6. Configure Endpoint Profiles
Chapter 9, "Endpoint Profile Configuration: Part 1", Chapter 10, "Endpoint Profile Configuration: Part 2", and Chapter 11, "Using Advanced XML Rules" outline the procedures for enabling the endpoint Profiles included with the Cisco NAC Profiler, and for creating new Endpoint Profiles using the available endpoint attribute types. The use of the rule types used in Profile creation for both passive and active endpoint profiling is outlined in these chapters to provide guidance with the configuration of a workable Profile Hierarchy and the Endpoint Profiles that enable that design for Endpoint Profiling and Identity Monitoring in the target environment.
Endpoint Profile Tuning is an ongoing, iterative process in the operation of the Cisco NAC Profiler system, but from the outset, a basic profiling strategy is put into place using the guidance provided in these chapters.
7. Configure Cisco NAC Appliance Integration (Optional)
Chapter 13, "Integrating with the Cisco NAC Appliance" outlines instructions for enabling the integration between a Cisco NAC Profiler system and a Cisco NAC Appliance system.
If the NAC Profiler System will be employed alongside NAC Appliance, providing discovery and provisioning of non-responsive hosts, the integration between the systems is configured in accordance with the guidelines provided in this chapter.
8. Configure LDAP Integration (Optional - for integration with Cisco Secure ACS)
Chapter 17, "Enabling LDAP Integration" outlines procedures for adding, editing, and deleting NAC Profiler user accounts.
The remaining chapters of the Cisco NAC Profiler Installation and Configuration Guide provide guidance for the configuration of optional features and functionality provided by the system, for example NAC Profiler Events, which can be used both to inform and to act dynamically on events such as the discovery of a new endpoint of a specific type or a change in the Endpoint Profile of an endpoint.
The operation of the system, use of the Endpoint Console and Utilities tab for viewing and reporting on endpoint and system data, and a command line reference for the NAC Profiler Server are also provided in the guide. At this time, if the Profiler Server and Collectors have yet to be initialized, collect the necessary information outlined in this chapter and proceed with initialization of the Server and each Collector as outlined in the next chapter.