Document ID: 65115
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure NAC
Task 1: Configure AAA Server Communication
Task 2: Configure Global EAP Over UDP
Task 3: Create a Filter Rule to Allow EAP over UDP Communication
Task 4: Configure the NAC Exception List
Task 5: Configure NAC for the Base Group and User Defined Groups
Monitor and Administer NAC Sessions
Enable EAP, EAPoUDP, and NAC Logging
Sample VPN 3000 Debug Logs
Typical Successful Posture Validation Log
Typical Clientless Log
Verify
Troubleshoot
Related Information
Introduction
Network Admission Control (NAC) provides a method you can use to validate a peer based on its state, a function referred to as posture validation. Posture validation can include the verification that the peer runs applications with the latest patches. Posture validation can also ensure that the anti-virus files, personal firewall rules, or intrusion protection software are up-to-date. NAC supplements the identity-based validation provided by PPP, IPSec, and other access methods.
The VPN Concentrator functions as both a NAC authenticator and a Cisco Secure Access Control Server (ACS) client.
As a NAC authenticator, the VPN Concentrator performs these tasks:
- Initiates the initial exchange of credentials based on IPSec session establishment and periodically thereafter.
- Relays credential requests and responses between the peer and the authentication (ACS) server with the use of Protected Extensible Authentication Protocol (PEAP).
- Enforces network access policy for an IPSec session based on results from the ACS server.
- Implements the configured EAP Status Query method.
- Supports a local exception list based on the peer operating system.
- Requests access policies from the ACS server for a clientless host.
As an ACS client, the VPN Concentrator supports:
- EAP/RADIUS
- RADIUS attributes required for NAC
NAC on the VPN 3000 Concentrator differs from that on Cisco IOS® Layer 3 devices such as routers. Whereas routers trigger posture validation (PV) based on routed traffic, the VPN 3000 Concentrator configured with NAC uses the establishment of an IPSec VPN session as the trigger for PV. Cisco IOS routers configured with NAC use an Intercept access control list (ACL) in order to trigger PV based on traffic destined for certain networks. Because external devices cannot access the network behind the VPN 3000 Concentrator without starting a VPN session, the VPN 3000 Concentrator does not need an intercept ACL as a PV trigger. During posture validation, all IPSec traffic from the peer is subject to the Default ACL configured for the peer's group on the Base Group > NAC tab or the Groups > NAC tab.
Configure NAC on the Configuration > Policy Management> NAC window and the Configuration > User Management > Base Group/Groups > NAC tab.
Note: This document supplements instructions in these guides:
- VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7
- VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 4.7
Prerequisites
Requirements
Because the VPN 3000 Concentrator is the network access device (NAD) that enforces NAC, it is recommended that you configure it last, especially if some hosts do not have Cisco Trust Agent (CTA) installed. This causes less disruption to network operations.
You can disable NAC on the VPN 3000 Concentrator if problems occur. In order to access the Enable NAC parameter, select Configuration > User Management > Base Group/Group > NAC.
Components Used
Ensure that the VPN 3000 Concentrator runs release 4.7 or later before you attempt to configure NAC.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
System error messages from Cisco devices are displayed in a different font. For example, a router restarted with the reload command displays the System returned to ROM by reload message, whereas a router restarted by power-cycle displays the System returned to ROM by power-on message.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure NAC
These sections describe the NAC configuration tasks:
- Task 1: Configure AAA Server Communication
- Task 2: Configure Global EAP Over UDP
- Task 3: Create a Filter Rule to Allow EAP over UDP Communication
- Task 4: Configure the NAC Exception List
- Task 5: Configure NAC for the Base Group and User Defined Groups
Task 1: Configure AAA Server Communication
NAC requires an ACS server for posture validation. Complete these steps in order to configure ACS as an authentication server:
1. Use one of these paths in order to configure ACS as an authentication server:
   - In order to configure ACS as the global authentication server, select Configuration > System > Servers > Authentication.
   - In order to configure ACS as a group-specific authentication server, select Configuration > User Management > Groups > Authentication Servers > Add.
2. Click Add or Modify. The Add or Modify window opens. This illustration shows the global authentication Add server configuration window.
3. Set the parameters in this window as this list shows:
   - Server Type—The type of server used for posture validation. For NAC, it must be RADIUS.
   - Authentication Server—The IP address or hostname of the ACS.
   - Server Port—The port on which the ACS listens for RADIUS authentication requests. It must match the port configured on the ACS (commonly 1645 or 1812).
   - Timeout—The number of seconds to wait for a reply from the ACS before the request times out.
   - Retries—The maximum number of retries to attempt communication with the ACS server.
   - Server Secret—The RADIUS shared secret. It must match the secret configured on the ACS for this concentrator; if the two differ, every access request fails.
   - Verify—The value of the Server Secret parameter repeated.
4. Click Add or Apply. The authentication server appears as an entry in the Authentication Servers box.
5. Click Save Needed. A confirmation window opens.
6. Click OK.
Task 2: Configure Global EAP Over UDP
The global NAC configuration applies to all NAC sessions on the VPN 3000. Complete these steps in order to configure the global NAC settings:
1. Select Configuration > Policy Management > Network Admission Control > Global Parameters. The Global Parameters window opens.
2. Set the parameters in this window as this list shows:
   - Retransmission Timer—The time, in seconds, to wait for an EAP over UDP response from the host. The timer starts when the VPN 3000 sends an EAP over UDP message to a host and stops when the VPN 3000 receives a response. If the timer expires before a response arrives, the VPN 3000 resends the message.
   - Hold Timer—The interval, in seconds, between a failed EAP over UDP association and the next attempt to initiate a new EAP over UDP association.
   - EAPoUDP Retries—The number of times the VPN 3000 resends an EAP over UDP message. This parameter limits the number of consecutive retries sent in response to Retransmission Timer expirations. If the VPN 3000 does not receive a response after the maximum number of retries, the NAC session of the host enters the Hold state, at which time the Hold Timer starts. Together, the Retransmission Timer and this value set how long a host that does not answer is given before the VPN 3000 stops waiting for it (see the Typical Clientless Log section).
   - EAPoUDP Port—The port number used for EAP over UDP communication with the Cisco Trust Agent (CTA) on the host. This number must match the port number configured on the CTA, and any filter or ACL applied to the session must forward UDP traffic on this port (see Task 3).
   - Clientless Authentication Enable—Enables or disables clientless authentication. If this parameter is disabled, non-responsive hosts (for example, because CTA is not present or running) are subject to the NAC Default ACL (if defined). If this parameter is enabled, the VPN 3000 requests the access policy for non-responsive hosts from the ACS with the clientless username and password below, and the access policy that the ACS assigns to that user applies to every non-responsive host. Give that ACS user only the access that a host of unknown posture should have.
   - Clientless Authentication Username—The username configured on the ACS.
   - Clientless Authentication Password—The ACS password assigned to the Clientless Authentication Username.
   - Clientless Authentication Verify—The value of Clientless Authentication Password repeated.
3. Click Apply.
4. Click Save Needed. A confirmation window opens.
5. Click OK.
Task 3: Create a Filter Rule to Allow EAP over UDP Communication
Filters on the VPN 3000 determine which network traffic to forward and which to drop. These filters consist of one or more rules. If a filter configured on the public interface of the VPN 3000 drops EAP over UDP traffic, posture validation cannot proceed, and all hosts are considered clientless. Similarly, if a filter configured for a particular user or group drops EAP over UDP traffic, posture validation cannot proceed for the affected users, and all of their hosts are considered clientless. The same applies to an ACL sent from the ACS.
Filters applied to a user session, whether configured locally on the VPN 3000 or downloaded from the ACS, must forward EAP over UDP traffic for NAC to work properly. ACLs from the ACS must allow UDP traffic on the configured EAP over UDP port (by default, port 21862). This table lists the settings for two rules in the VPN 3000 configuration: one forwards incoming EAP over UDP packets and one forwards outgoing EAP over UDP packets.
|  | Rule for Incoming Traffic | Rule for Outgoing Traffic |
|---|---|---|
| Rule Name | EAPoUDP In | EAPoUDP Out |
| Direction | Inbound | Outbound |
| Action | Forward | Forward |
| Protocol | UDP | UDP |
| TCP Connection | Do not care | Do not care |
| Source Address | 0.0.0.0/255.255.255.255 | PRIVATE * |
| Destination Address | PRIVATE * | 0.0.0.0/255.255.255.255 |
| TCP/UDP Source Port | 21862 ** | All |
| TCP/UDP Destination Port | All | 21862 ** |
* The IP address of the private interface, written as a.b.c.d/0.0.0.0. The second value is a wildcard mask (a 1 bit means that bit is not compared), so a.b.c.d/0.0.0.0 matches that one address and 0.0.0.0/255.255.255.255 matches any address. This entry is optional and can be set to 0.0.0.0/255.255.255.255 or to a network list such as VPN Client Local LAN (Default).
** Set to the port number configured in the NAC global parameters (Task 2). The default is 21862.
For example, the factory-configured filter Firewall Filter for VPN Client (Default) allows all outgoing traffic but drops all incoming traffic. If the VPN 3000 applies this filter to a user session, posture validation does not take place, and every host in such a session is treated as clientless. You can correct this problem by adding the EAPoUDP In rule (defined in the table) to this filter. There is no need to add EAPoUDP Out explicitly, because this filter already allows all outgoing traffic.
In order to create rules, select Configuration > Policy Management > Traffic Management > Rules > Add. Refer to the VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7 for detailed instructions about filters and rules.
Note: After you create rules, you must add them to a filter before they take effect.
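The failure mode this task describes, a filter that silently turns every host into a clientless host, can be checked offline before a filter is applied. The following Python is an added example, not code from the Cisco document or from the concentrator: it models the rule fields from the table above (direction, action, protocol, address with wildcard mask, source and destination port) with first-match evaluation and a filter default action, and probes a filter with the two packets of an EAPoUDP exchange. The private interface address 192.168.2.1, the concentrator's source port 33123, and the representation of the factory filter as a single forward-all-outbound rule over a default action of drop are assumptions made for the example.

```python
"""Check that a VPN 3000 filter forwards EAP over UDP in both directions."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Union

EAPOUDP_PORT = 21862                        # default port from the NAC global parameters
ANY_ADDR = ("0.0.0.0", "255.255.255.255")   # any address: every wildcard-mask bit is set
PRIVATE_IF = ("192.168.2.1", "0.0.0.0")     # assumed private interface address, exact match
CONC_SRC_PORT = 33123                       # assumed source port the concentrator sends from

PortSpec = Union[str, int]                  # "all" or one port number


@dataclass(frozen=True)
class Rule:
    """One filter rule with the fields from the table in Task 3."""
    name: str
    direction: str            # "inbound" (peer to concentrator) or "outbound"
    action: str               # "forward" or "drop"
    protocol: str             # "any", "udp", "tcp", ...
    src: tuple = ANY_ADDR     # (address, wildcard mask)
    dst: tuple = ANY_ADDR
    src_port: PortSpec = "all"
    dst_port: PortSpec = "all"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def addr_matches(ip: str, spec: tuple) -> bool:
    """Wildcard-mask match: a 1 bit in the mask means that bit is not compared."""
    base, wild = (int(IPv4Address(x)) for x in spec)
    care = ~wild & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (base & care)


def port_matches(port: int, spec: PortSpec) -> bool:
    return spec == "all" or spec == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("any", pkt.protocol)
            and addr_matches(pkt.src_ip, rule.src)
            and addr_matches(pkt.dst_ip, rule.dst)
            and port_matches(pkt.src_port, rule.src_port)
            and port_matches(pkt.dst_port, rule.dst_port))


def filter_action(rules: list, pkt: Packet, default_action: str = "drop") -> str:
    """First matching rule decides; otherwise the filter's default action applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default_action


# The two rules from the Task 3 table.
EAPOUDP_IN = Rule("EAPoUDP In", "inbound", "forward", "udp",
                  src=ANY_ADDR, dst=PRIVATE_IF, src_port=EAPOUDP_PORT, dst_port="all")
EAPOUDP_OUT = Rule("EAPoUDP Out", "outbound", "forward", "udp",
                   src=PRIVATE_IF, dst=ANY_ADDR, src_port="all", dst_port=EAPOUDP_PORT)

# Factory "Firewall Filter for VPN Client (Default)": forward everything outbound,
# drop everything inbound (modelled as one rule plus a default action of drop).
FACTORY_CLIENT_FILTER = [Rule("Any Out", "outbound", "forward", "any")]


def nac_traffic_allowed(rules: list, host_ip: str, port: int = EAPOUDP_PORT,
                        default_action: str = "drop") -> dict:
    """Probe a filter with the EAPoUDP exchange: the concentrator sends to the CTA
    port on the peer, and the peer answers from that same port."""
    to_host = Packet("outbound", "udp", PRIVATE_IF[0], host_ip, CONC_SRC_PORT, port)
    from_host = Packet("inbound", "udp", host_ip, PRIVATE_IF[0], port, CONC_SRC_PORT)
    result = {"out": filter_action(rules, to_host, default_action),
              "in": filter_action(rules, from_host, default_action)}
    result["ok"] = result["out"] == "forward" and result["in"] == "forward"
    return result


if __name__ == "__main__":
    peer = "192.168.2.68"   # assigned address of the peer, as in the sample logs on this page
    fixed = FACTORY_CLIENT_FILTER + [EAPOUDP_IN]
    print("factory filter:        ", nac_traffic_allowed(FACTORY_CLIENT_FILTER, peer))
    print("with EAPoUDP In added: ", nac_traffic_allowed(fixed, peer))
    print("global port changed:   ", nac_traffic_allowed(fixed, peer, port=21863))
```

The third probe shows the other mismatch worth testing for: if the EAPoUDP Port in the global parameters is changed but the filter rules still name 21862, the inbound reply is dropped and hosts again appear clientless.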
Task 4: Configure the NAC Exception List
The NAC Exception List excludes hosts from posture validation and gives them a static access policy. The entries in the NAC Exception List specify the operating system (OS) of hosts to be filtered. The Cisco VPN Client identifies the host OS to the VPN 3000. If the OS matches an entry in the NAC Exception List, the VPN 3000 applies the corresponding filter (if any) and stops further NAC processing for the host, for the duration of the VPN session.
Note: The VPN 3000 uses the NAC Exception List only if NAC is enabled for the user’s group. In order to access the Enable NAC parameter, select Configuration > User Management > Base Group/Groups > NAC.
Complete these steps in order to configure the NAC exception list:
1. Connect hosts that run each operating system to be listed in the NAC Exception List to the VPN 3000 with the use of the Cisco VPN Client.
2. Select Administration > Administer Sessions or Monitoring > Sessions and copy the strings that identify those operating systems from the Client Type column in the Remote Access Sessions table.
3. Select Configuration > Policy Management > Network Admission Control > Exception List > Add. The Add window opens.
4. Set the parameters in this window as this list shows:
   - Enable—Check this box in order to enable Exception List functionality for this entry.
   - Operating System—The name of the operating system. The string must exactly match the operating system reported by the Cisco VPN Client. Copy one of the strings noted in step 2.
   - Apply Filter—Select the filter to apply to the user session.
5. Click Add.
6. Repeat steps 3 through 5 for each additional operating system to appear in the NAC Exception List.
7. Click Save Needed. A confirmation window opens.
8. Click OK.
Task 5: Configure NAC for the Base Group and User Defined Groups
Complete these steps in order to configure the group-specific NAC settings:
1. Choose the path that defines the scope of the group settings:
   - Configuration > User Management > Base Group
   - Configuration > User Management > Groups > Modify <group-name>
2. Click the NAC tab. The Network Access Control Parameters window opens.
   Note: The only difference between the NAC tab of a user-defined group and the NAC tab of the Base Group is that the user-defined group window includes an Inherit checkbox for each item, which lets the group take that setting from the Base Group.
3. Use these descriptions in order to set the parameters in this window, and check the Inherit box as needed:
   - Enable NAC—Enables or disables NAC for the group. No NAC processing takes place for users in the group if you uncheck this box.
   - Status Query Timer—The number of seconds between NAC Status Queries for NAC sessions in the group. The Status Query timer starts after PV successfully completes.
   - Revalidation Timer—The interval, in seconds, between unconditional, full posture validations for NAC sessions in the group. The Revalidation timer starts after PV successfully completes.
   - Default ACL (filter)—Choose the filter for the VPN 3000 to apply to the user session during the initial PV. The VPN 3000 also applies this ACL (or filter, in VPN 3000 terminology) to the user session if a previously successful EAP over UDP association fails. The VPN 3000 replaces the default ACL with a dynamic ACL if it obtains one from the ACS as a result of PV or Clientless Authentication. Because this filter governs the peer before its posture is known, it must forward EAP over UDP traffic (Task 3) or PV cannot complete, and it should permit nothing more than PV and remediation require.
4. Click Apply.
5. Click Save Needed. A confirmation window opens.
6. Click OK.
Monitor and Administer NAC Sessions
In order to view NAC session data, select Monitoring > Sessions.
The Monitoring Sessions window opens.
The NAC Session Summary table (also shown in the next illustration) shows the number of active and total NAC sessions categorized by the outcome of the posture validation.
The meanings of the headings in the NAC Session Summary table are listed here:
- Accepted—PV completed successfully.
- Rejected—PV failed (ACS problem).
- Exempted—The host OS is on the NAC exception list.
- Non-responsive—The host is clientless.
- N/A—NAC is disabled for the host.
The NAC Result column in the Remote Access Sessions table indicates the result of posture validation.
Select Administration > Administer Sessions in order to administer NAC sessions. The Administer Sessions window opens.
This window adds administrative commands to the data present in the Monitoring Sessions window. For example, you can click the Revalidate All or Reinitialize All link to revalidate or reinitialize all active NAC sessions. Both links force posture validation for all NAC sessions. The difference between the two links is that revalidation does not change the active access policy currently in place for the NAC session before PV is initiated. Reinitialization applies the NAC Default ACL (if defined) before PV is initiated.
The NAC Result column in the Administer Sessions window shows the result of posture validation, and contains two action links to allow revalidation and reinitialization of an individual session.
The Actions column in the Remote Access Sessions and Management Sessions tables in the Administer Sessions window also adds administrative access to the respective session.
Click an entry in the Username column to display the session details. The Administration > Administer Sessions > Detail window also contains information about NAC-enabled sessions. This illustration shows the Network Admission Control section of the session details table.
The Network Admission Control section of the session details table shows this information:
- Revalidation Time Interval—The interval (in seconds) between revalidation processes. You can configure the interval on the Configuration > User Management > Base Group/Groups > NAC tab. However, the ACS can override this configuration.
- Time Until Next Revalidation—The number of seconds that remain until revalidation takes place.
- Status Query Time Interval—The interval (in seconds) between status queries. You can configure the interval on the Configuration > User Management > Base Group/Groups > NAC tab. However, the ACS can override this configuration.
- EAPoUDP Session Age—The number of seconds that the EAP over UDP session has been up.
- Hold-off Time Remaining—The number of seconds that remain before the VPN 3000 removes the host EAPoUDP session from the hold-off state and retries posture validation. The hold-off state is entered when EAPoUDP communication is lost to a host with an established EAPoUDP session.
- Posture Token—The state of the host as determined by the ACS server during posture validation. Although these are configurable on ACS, typical ACS posture token values are Healthy, Checkup, Quarantine, Infected, and Unknown.
- Redirect URL—The optional URL to which the VPN Concentrator redirects HTTP sessions of the host. The ACS downloads this URL as a result of posture validation or clientless authentication.
Note: Refer to the VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 4.7 for more information about the Administration and Monitoring windows.
Enable EAP, EAPoUDP, and NAC Logging
The EAP, EAPoUDP, and NAC software modules log events on the VPN 3000 that can be useful for debugging NAC. Select Configuration > System > Events > Classes > Add in order to enable event logging.
The NAC, EAP, and EAPoUDP event classes at severities 1–7 are the ones most relevant for debugging NAC. Logging at these severities is verbose, so remove the added class entries when you finish troubleshooting. Refer to VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7 for more information about event logging.
Sample VPN 3000 Debug Logs
These sections show example logs for which Severities 1–7 NAC, EAP, and EAPoUDP event logging is enabled:
Note: Refer to Important Information on Debug Commands before you issue debug commands.
Typical Successful Posture Validation Log
These event messages indicate a typical successful posture validation. Most of the event messages show a public IP address (PUB_IP), private (assigned by VPN 3000) IP address (PRV_IP), or both as a way to associate the events with each other. The last event in this log, EAPoUDP association successfully established, signals the end of a successful posture validation.
2621 11/24/2004 13:16:47.530 SEV=4 NAC/2 RPT=4 NAC session initialized - PUB_IP:10.86.5.114 PRV_IP:192.168.2.68
2622 11/24/2004 13:16:47.530 SEV=4 NAC/29 RPT=6 NAC Applying filter - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Name:NAC Filter, ID:6
2624 11/24/2004 13:16:47.530 SEV=4 EAPOUDP/2 RPT=6 EAPoUDP association initiated - PRV_IP:192.168.2.68
2625 11/24/2004 13:16:50.530 SEV=6 EAPOUDP/20 RPT=2 EAPoUDP response timer expiry - PRV_IP:192.168.2.68
2626 11/24/2004 13:16:50.540 SEV=5 EAPOUDP/3 RPT=6 EAPoUDP-Hello response received from host - PRV_IP:192.168.2.68
2627 11/24/2004 13:16:50.540 SEV=5 EAPOUDP/4 RPT=6 NAC EAP association initiated - PRV_IP:192.168.2.68, EAP context:0x061c8354
2628 11/24/2004 13:16:50.540 SEV=4 EAP/2 RPT=6 EAP association initiated - context:0x061c8354
2629 11/24/2004 13:16:50.640 SEV=5 EAP/3 RPT=6 EAP-Identity response received - context:0x061c8354
2630 11/24/2004 13:16:50.650 SEV=4 NAC/10 RPT=41 NAC Access Request successful - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68
2631 11/24/2004 13:16:51.340 SEV=4 NAC/10 RPT=42 NAC Access Request successful - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68
2632 11/24/2004 13:16:51.460 SEV=4 NAC/10 RPT=43 NAC Access Request successful - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68
2633 11/24/2004 13:16:51.640 SEV=4 NAC/10 RPT=44 NAC Access Request successful - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68
2634 11/24/2004 13:16:51.780 SEV=4 NAC/10 RPT=45 NAC Access Request successful - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68
2635 11/24/2004 13:16:51.960 SEV=4 NAC/10 RPT=46 NAC Access Request successful - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68
2636 11/24/2004 13:16:52.230 SEV=4 NAC/10 RPT=47 NAC Access Request successful - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68
2637 11/24/2004 13:16:52.560 SEV=4 NAC/10 RPT=48 NAC Access Request successful - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68
2638 11/24/2004 13:16:52.860 SEV=4 EAP/5 RPT=6 EAP received Access Accept - context:0x061c8354
2639 11/24/2004 13:16:52.860 SEV=4 NAC/12 RPT=6 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, user:NACTEST-W2K:Administrator
2641 11/24/2004 13:16:52.860 SEV=4 NAC/13 RPT=6 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Reval Period:6060 seconds
2643 11/24/2004 13:16:52.860 SEV=4 NAC/14 RPT=6 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Posture Token:Healthy
2644 11/24/2004 13:16:52.860 SEV=4 NAC/15 RPT=6 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Redirect URL:http://192.168.2.120, IP Addr:192.168.2.120
2646 11/24/2004 13:16:52.860 SEV=4 NAC/7 RPT=6 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68
2647 11/24/2004 13:16:52.860 SEV=5 EAPOUDP/5 RPT=6 EAPoUDP association successfully established - PRV_IP:192.168.2.68
Typical Clientless Log
These event messages indicate a typical posture validation attempt with a clientless (or non-responsive) host. After three attempts to get a response to the EAPoUDP-Hello message, the VPN 3000 deems the host clientless and requests the clientless access policy from the ACS. In this log the response timer expires every 3 seconds, so the host is declared clientless 9 seconds after the EAPoUDP association is initiated; the Retransmission Timer and EAPoUDP Retries settings from Task 2 determine that delay. The Posture Token:Clientless event confirms that the access policy was obtained through clientless authentication rather than through posture validation.
2712 11/24/2004 13:48:17.530 SEV=4 NAC/2 RPT=5 NAC session initialized - PUB_IP:10.86.5.114 PRV_IP:192.168.2.68
2713 11/24/2004 13:48:17.530 SEV=4 NAC/29 RPT=7 NAC Applying filter - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Name:Public for NAC, ID:6
2715 11/24/2004 13:48:17.530 SEV=4 EAPOUDP/2 RPT=7 EAPoUDP association initiated - PRV_IP:192.168.2.68
2716 11/24/2004 13:48:20.530 SEV=6 EAPOUDP/20 RPT=3 EAPoUDP response timer expiry - PRV_IP:192.168.2.68
2717 11/24/2004 13:48:23.530 SEV=6 EAPOUDP/20 RPT=4 EAPoUDP response timer expiry - PRV_IP:192.168.2.68
2718 11/24/2004 13:48:26.530 SEV=6 EAPOUDP/20 RPT=5 EAPoUDP response timer expiry - PRV_IP:192.168.2.68
2719 11/24/2004 13:48:26.530 SEV=5 EAPOUDP/12 RPT=1 EAPoUDP failed to get a response from host - PRV_IP:192.168.2.68
2720 11/24/2004 13:48:26.530 SEV=4 NAC/21 RPT=1 NAC clientless Access Request successful - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68
2721 11/24/2004 13:48:26.530 SEV=5 EAPOUDP/7 RPT=1 AUTH request for NAC Clientless host - PRV_IP:192.168.2.68
2722 11/24/2004 13:48:26.830 SEV=4 NAC/13 RPT=7 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Reval Period:300 seconds
2724 11/24/2004 13:48:26.830 SEV=4 NAC/14 RPT=7 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Posture Token:Clientless
2726 11/24/2004 13:48:26.830 SEV=4 NAC/15 RPT=7 NAC Access Accept - PUB_IP:192.168.2.68, PRV_IP:10.86.5.114, Redirect URL:http://www.clientless.com, IP Addr:Unknown
2728 11/24/2004 13:48:26.830 SEV=4 NAC/7 RPT=7 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.6
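Both logs above can be reduced to a per-session outcome instead of being read event by event. The following Python is an added example, not code from the Cisco document: it parses the event line format shown in the logs, groups events into sessions that start at NAC session initialized, counts response timer expiries, and records the posture token, revalidation period, redirect URL and the time from EAPoUDP association to the result. The embedded sample lines are copied from the two logs on this page with some events left out; the outcome labels accepted, non-responsive and incomplete are this example's own, and the message substrings it matches on are the ones visible in these logs.

```python
"""Summarize VPN 3000 NAC and EAPoUDP event log lines per NAC session."""
import re
from datetime import datetime

# Event line layout used by the sample logs on this page:
#   <seq> <MM/DD/YYYY HH:MM:SS.mmm> SEV=<n> <MODULE>/<id> RPT=<n> <message>
EVENT_RE = re.compile(
    r"^(?P<seq>\d+) (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) "
    r"SEV=(?P<sev>\d) (?P<module>[A-Z]+)/(?P<event>\d+) RPT=\d+ (?P<msg>.*)$")
PRV_RE = re.compile(r"PRV_IP:(\d+\.\d+\.\d+\.\d+)")
FIELD_RES = {                      # attributes carried by the NAC Access Accept events
    "user": re.compile(r"user:(\S+)$"),
    "reval_period": re.compile(r"Reval Period:(\d+) seconds"),
    "posture_token": re.compile(r"Posture Token:(\w+)"),
    "redirect_url": re.compile(r"Redirect URL:(\S+),"),
}


def parse_event(line: str):
    """Return the event fields as a dict, or None for a line in another format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S.%f")
    ev["sev"], ev["event"] = int(ev["sev"]), int(ev["event"])
    return ev


def summarize_sessions(lines):
    """Group events into NAC sessions (one per 'NAC session initialized') and
    record how each one ended: accepted, non-responsive, or still incomplete."""
    sessions, open_by_ip = [], {}
    for line in lines:
        ev = parse_event(line)
        ip = PRV_RE.search(ev["msg"]) if ev else None
        if not ip:
            continue
        msg, prv_ip = ev["msg"], ip.group(1)
        if msg.startswith("NAC session initialized"):
            s = {"prv_ip": prv_ip, "started": ev["ts"], "eapoudp_started": None,
                 "expiries": 0, "outcome": "incomplete", "seconds_to_result": None,
                 "user": None, "reval_period": None, "posture_token": None,
                 "redirect_url": None}
            sessions.append(s)
            open_by_ip[prv_ip] = s
            continue
        s = open_by_ip.get(prv_ip)
        if s is None:
            continue                      # session started before this log excerpt
        if "EAPoUDP association initiated" in msg:
            s["eapoudp_started"] = ev["ts"]
        elif "response timer expiry" in msg:
            s["expiries"] += 1
        elif "failed to get a response from host" in msg:
            s["outcome"] = "non-responsive"
        elif "association successfully established" in msg:
            s["outcome"] = "accepted"
        if s["outcome"] != "incomplete" and s["seconds_to_result"] is None and s["eapoudp_started"]:
            s["seconds_to_result"] = (ev["ts"] - s["eapoudp_started"]).total_seconds()
        for key, rx in FIELD_RES.items():
            fm = rx.search(msg)
            if fm:
                s[key] = int(fm.group(1)) if key == "reval_period" else fm.group(1)
    return sessions


def needs_attention(sessions):
    """Sessions that did not finish with a Healthy token: clientless fallbacks,
    quarantined or infected peers, and sessions that never completed."""
    return [s for s in sessions
            if s["outcome"] != "accepted" or s["posture_token"] != "Healthy"]


# Lines copied from the two sample logs on this page (some events omitted).
SAMPLE_LOG = """\
2621 11/24/2004 13:16:47.530 SEV=4 NAC/2 RPT=4 NAC session initialized - PUB_IP:10.86.5.114 PRV_IP:192.168.2.68
2624 11/24/2004 13:16:47.530 SEV=4 EAPOUDP/2 RPT=6 EAPoUDP association initiated - PRV_IP:192.168.2.68
2625 11/24/2004 13:16:50.530 SEV=6 EAPOUDP/20 RPT=2 EAPoUDP response timer expiry - PRV_IP:192.168.2.68
2626 11/24/2004 13:16:50.540 SEV=5 EAPOUDP/3 RPT=6 EAPoUDP-Hello response received from host - PRV_IP:192.168.2.68
2639 11/24/2004 13:16:52.860 SEV=4 NAC/12 RPT=6 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, user:NACTEST-W2K:Administrator
2641 11/24/2004 13:16:52.860 SEV=4 NAC/13 RPT=6 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Reval Period:6060 seconds
2643 11/24/2004 13:16:52.860 SEV=4 NAC/14 RPT=6 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Posture Token:Healthy
2644 11/24/2004 13:16:52.860 SEV=4 NAC/15 RPT=6 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Redirect URL:http://192.168.2.120, IP Addr:192.168.2.120
2647 11/24/2004 13:16:52.860 SEV=5 EAPOUDP/5 RPT=6 EAPoUDP association successfully established - PRV_IP:192.168.2.68
2712 11/24/2004 13:48:17.530 SEV=4 NAC/2 RPT=5 NAC session initialized - PUB_IP:10.86.5.114 PRV_IP:192.168.2.68
2715 11/24/2004 13:48:17.530 SEV=4 EAPOUDP/2 RPT=7 EAPoUDP association initiated - PRV_IP:192.168.2.68
2716 11/24/2004 13:48:20.530 SEV=6 EAPOUDP/20 RPT=3 EAPoUDP response timer expiry - PRV_IP:192.168.2.68
2717 11/24/2004 13:48:23.530 SEV=6 EAPOUDP/20 RPT=4 EAPoUDP response timer expiry - PRV_IP:192.168.2.68
2718 11/24/2004 13:48:26.530 SEV=6 EAPOUDP/20 RPT=5 EAPoUDP response timer expiry - PRV_IP:192.168.2.68
2719 11/24/2004 13:48:26.530 SEV=5 EAPOUDP/12 RPT=1 EAPoUDP failed to get a response from host - PRV_IP:192.168.2.68
2722 11/24/2004 13:48:26.830 SEV=4 NAC/13 RPT=7 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Reval Period:300 seconds
2724 11/24/2004 13:48:26.830 SEV=4 NAC/14 RPT=7 NAC Access Accept - PUB_IP:10.86.5.114, PRV_IP:192.168.2.68, Posture Token:Clientless
""".splitlines()

if __name__ == "__main__":
    for s in summarize_sessions(SAMPLE_LOG):
        print(s["started"].time(), s["prv_ip"], s["outcome"], s["posture_token"],
              "expiries=%d" % s["expiries"], "t=%ss" % s["seconds_to_result"])
```

Run over an exported event log, needs_attention() returns the sessions that fell back to the clientless policy or received a token other than Healthy, which is where to look first when a user reports reduced access after connecting. The seconds_to_result value for a non-responsive session should equal Retransmission Timer multiplied by EAPoUDP Retries from Task 2; a different value points at a filter dropping the EAPoUDP reply rather than at a missing CTA.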
Verify
See the Typical Successful Posture Validation Log section of this document for verification information.
Troubleshoot
See the Typical Clientless Log section of this document for information you can use to troubleshoot.
Related Information
- VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7
- VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 4.7
- Implementing Network Admission Control: Phase One Configuration and Deployment
- Cisco VPN 3000 Series Concentrator Support Page
- Cisco VPN 3000 Series Client Support Page
- IPSec Support Page
- Technical Support & Documentation - Cisco Systems
| Updated: Mar 04, 2008 | Document ID: 65115 |
