
Cisco NAC and Microsoft NAP Interoperability Architecture

Cisco Network Admission Control and Microsoft Network Access Protection Troubleshooting Guide

Version 1.0

Introduction

The purpose of this guide is to provide the details necessary for configuring and testing the Cisco® Network Admission Control (NAC) and Microsoft Network Access Protection (NAP) integration solution (referred to here as NAC-NAP). This guide provides configuration details for all components of the NAC-NAP solution, including the Microsoft Vista client, Cisco Secure Access Control Server (ACS) for Windows, Cisco network access devices (NADs), Microsoft Network Policy Server (NPS), and required components.

Cisco Network Admission Control and Microsoft Network Access Protection Integration Overview

The Cisco NAC and Microsoft NAP solutions together provide the capability to gather identity and posture information from an endpoint, determine the security policy compliance of the endpoint, provide remediation services, and enforce network access policies based on the compliance of the endpoint.
With the integration of these two solutions, an administrator can verify the health status of a Microsoft Vista client, provide remediation capabilities, and provide dynamic policy enforcement on the network infrastructure.

• For additional information about the Cisco NAC solution, see http://www.cisco.com/go/nac.

• For additional information about the Microsoft NAP solution, see http://www.microsoft.com/nap.

Topology

The initial deployment examples include the following components for NAC-NAP (Figure 1): Microsoft Windows 2003 Server running Cisco Secure ACS, Microsoft Active Directory, certificate authority (CA), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), a Cisco switch, a Microsoft Vista client, and Microsoft Windows Server 2008 running Microsoft NPS, Host Credential Authorization Protocol (HCAP), and Microsoft Internet Information Server (IIS). This setup includes support for IEEE 802.1x assessment methods and HCAP integration between Cisco Secure ACS and Microsoft NPS. Note that when the HCAP server is installed on Windows Server 2008, the Microsoft NPS and IIS components are also installed.
This topology also includes support for IEEE 802.1x (NAC Layer 2 IEEE 802.1x) network connection methods. Cisco Secure ACS acts as the Cisco network policy server. The Microsoft NPS acts as the posture validation server. The Microsoft NPS and the Cisco Secure ACS communicate posture data through HCAP.

Figure 1. Basic Topology for NAC-NAP Interoperability Architecture

Configuration Scenarios

IEEE 802.1x Method

The IEEE 802.1x deployment scenario uses IEEE 802.1x with Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) as the assessment method and provides policy enforcement through dynamic VLAN assignment on the switch. Initially, two VLANs will be configured on the switch for support with IEEE 802.1x: a healthy VLAN and a quarantine VLAN (Figure 2).

Figure 2. IEEE 802.1x Method Setup

After the client is connected to the switch port, IEEE 802.1x authentication will occur when a link is detected and before the IP address is assigned to the client. After the initial IEEE 802.1x authentication between the client and the switch, the client will authenticate to Cisco Secure ACS using the EAP-FAST protocol. Cisco Secure ACS will be configured to receive the Windows health information using EAP-FAST and will send this to the Microsoft NPS over the HCAP protocol.
The initial policy to determine client health will be evaluation of whether Microsoft Windows Firewall is enabled on the Vista client. If Microsoft NPS determines that the firewall is enabled, a posture state of healthy is reported to the Cisco Secure ACS over HCAP. Because the host is deemed to be compliant, or "healthy," the healthy policy will be assigned to the client. With this policy, the client will dynamically be placed in the healthy VLAN and granted full network access. If Microsoft NPS determines that the firewall is disabled, two options are available. The host can be quarantined indefinitely, until the firewall is manually reenabled and the client health state changes to healthy; or the firewall can be enabled automatically through Microsoft NPS remediation, and the client status will change from quarantine to healthy automatically.

NAC-NAP Network Hardware Requirements

Supported Cisco Catalyst Switch Platforms

Table 1 lists the Cisco Catalyst® switch platforms that NAC-NAP supports.

Table 1. Switch Platforms Supported by NAC-NAP

Platform (Supervisor) | OS Type | OS Version
Cisco Catalyst 6500 Series Supervisor Engines 32 and 720 | Cisco IOS® Software | Cisco IOS Software 12.2(33)SXH or later
Cisco Catalyst 6500 Series Supervisor Engines 2, 32, and 720 | Cisco Catalyst OS | Cisco Catalyst OS 8.6(1) or later
Cisco Catalyst 4500 Series Supervisor Engine II-Plus, II-Plus-TS, II-Plus-10GE, IV, V, and V-10GE | Cisco IOS Software | Cisco IOS Software 12.2(37)SG or later
Cisco Catalyst 4900 Series Switches | Cisco IOS Software | Cisco IOS Software 12.2(35)SE or later
Cisco Catalyst 3750 and 3560 Series Switches | Cisco IOS Software | Cisco IOS Software 12.2(35)SE or later
Cisco Catalyst 2960 Series Switches | Cisco IOS Software | Cisco IOS Software 12.2(35)SE or later

For more information, please refer to the following release note: http://www.cisco.com/en/US/netsol/ns812/networking_solutions_sub_solution_home.html.

NAC-NAP Client Requirements

Table 2 lists the requirements for NAC-NAP clients.

Table 2. Client Requirements

Platform | Version | Cisco Requirement | Comments
Windows | Vista (Business, Enterprise, Ultimate) | | Service Pack 1 is a prerequisite for the NAC-NAP interoperability architecture. Service Pack 1 adds critical enhancements to supplicants, and those features are required for NAC-NAP interoperation.
| | Cisco EAP-FAST Module | For the NAC-NAP interoperability architecture, Windows Vista must have the Cisco EAP-FAST software module installed.

Note: Cisco Trust Agent is not required for clients with the Microsoft Vista OS.

NAC-NAP Server Requirements

The minimum number of computers needed for this testing is three. The recommended machine configurations are summarized in Table 3. Adding more machines can make testing and debugging easier.

Table 3. Server Requirements

Server Type | OS | Function
Domain controller | Windows Server 2003 or 2008 | The domain controller provides Microsoft Active Directory policy, DHCP server, DNS server, and root CA.
Microsoft NPS | Windows Server 2008 | Microsoft NPS is the policy configuration point for NAP health validation.
Cisco Secure ACS 4.2 | Cisco Secure ACS installed on a domain member server running Microsoft Windows 2000 Server, Windows Server 2003, or Windows Server 2008, or Cisco Secure ACS Solution Engine Version 4.2 | Cisco Secure ACS is the central policy configuration point for NAC-NAP integration. Cisco Secure ACS provides a secure connection to clients and proxies health information to Microsoft NPS.

Admission Control Predeployment Checklist

This checklist provides a guide to the components, technologies, and organizational efforts required for a successful NAC-NAP deployment.

Security Policy Creation and Maintenance

• What are your current security policies for each of these domains?

• Who (and what) is responsible for policy creation? Policy enforcement?

• What is the quorum for making changes?

• Will network access authorizations be based on identity or posture, or both?

• What is your policy on unmanaged and nonstandard machines on your network (labs, guests, consultants, extranets, kiosks, etc.)?

• How will you handle acquisitions that may have a different network infrastructure and policy?

Public Key Infrastructure

• Have you already deployed an enterprise public key infrastructure (PKI)? Windows 2000 Server or later, a CA vendor, or other?

• If not, will you install and manage one or purchase individual certificates from a CA vendor?

• Do you understand the long-term support, migration, and scaling requirements of self-signed certificates?

Directory Services

• Do you or will you require identity for network authorization?

• Have you already deployed directory services: Microsoft Active Directory, LDAP, or other?

• Will your existing installation scale to support the added queries or are more servers needed?

Network Access Devices

• A NAD acts as a policy-enforcement point for the authorized network access privileges that are granted to a host. Does your existing hardware support the desired NAC functions? Do you need to upgrade?

• Is a new Cisco IOS Software or Cisco Catalyst OS license required for the security (crypto) images?

• Do these NADs have enough memory for the larger Cisco IOS Software security images? Do you need a memory upgrade?

• Can these NADs run the NAC-supported versions of Cisco IOS Software and Cisco Catalyst OS or is another NAD required?

Hosts and Other Network-Attached Devices

• Do you already use IEEE 802.1x supplicants from Microsoft, Cisco, or some other vendor on a platform other than Windows Vista?

• Will an IEEE 802.1x upgrade require a supplicant purchase, OS upgrade, or hardware upgrade (printers, etc)?

• Do you need wired or wireless IEEE 802.1x supplicant functions? (The Cisco free supplicant is wired only.)

• Which authentication types are required? (The NAC-NAP Version 1 solution supports only EAP-FAST with EAP-Transport Layer Security [EAP-TLS], EAP-Generic Token Card [EAP-GTC], and EAP-Microsoft Challenge-Handshake Authentication Protocol Version 2 [EAP-MSCHAPv2] inner authorization methods.)

Nonresponsive Hosts

• Do you have nonresponsive hosts (NRHs)? Generally, an NRH is a host that does not have an IEEE 802.1x supplicant or NAP agent running to perform posture validation.

• Have you identified all of the NRH device types in your network:

– No IEEE 802.1x supplicant (unsupported or hardened OS)

– NAP agent disabled or not supported (unsupported OS or network boots)

– Otherwise unmanaged or uncontrolled devices (guests, labs, etc.)

• What is your authorization strategy for NRHs?

• Do you need to upgrade to IEEE 802.1x capabilities in your hardware or OS?

• Will you use whitelisting in Cisco Secure ACS (MAC authentication bypass [MAP] and MAC or IP wildcards)?

• Do you know the administrative and management costs of a MAP, host registration, and guest system?

Cisco Secure ACS

• Do you already use Cisco Secure ACS? Will you need to upgrade or purchase it?

• How many Cisco Secure ACSs will you need to scale the deployment based on your organization size, availability requirements, revalidation frequency, and policy size?

• How will you replicate the Cisco Secure ACS database and configuration changes: manually, periodically, scheduled, or instantly?

• Will any load-balancing hardware or software be necessary to handle a high volume of concurrent authorizations?

Third-Party Software Integration

• What existing desktop security software do you want to integrate with NAC-NAP?

• What new client software do you want to deploy because of NAC-NAP?

• Do you have the required version for NAC integration? Or is an upgrade, new purchase, or replacement required?

Patch Management

• What update, patch, or remediation software do you currently use, if any?

• Does this update software integrate with NAC-NAP?

• Will you have a remediation website for communicating the posture status to unhealthy or nonresponsive hosts?

• Will you distribute software to employees and guests from this site? How will you handle licensing?

Monitoring, Reporting, and Troubleshooting

• What is your existing monitoring and reporting framework?

• Will NAC logs and events integrate? Or is something additional needed?

• Do you have sufficient long-term storage space for all of these new logs and events?

Communications

• Have you communicated the solution to the organization for the various stages: awareness (need and benefits), readiness (what and when), and adoption (monitoring and enforcement)?

• How will you communicate: email, internal news, remediation website, support desk, etc.?

Support Desk

• Have you set up staff training for the new technology and processes?

• How will the support staff troubleshoot support calls related to NAC-NAP?

• What application development is required to resolve NAC-related issues?

• Have you reviewed the troubleshooting steps (list of required logs for opening cases, etc.)?

Configuration for NAC-NAP Integration

The following sections provide the details necessary for configuring all the Cisco NAC and Microsoft NAP solution components in the scenarios described here.
The following servers and other hardware are required and will need to be installed and configured for the NAC-NAP interoperability solution:

• Cisco Secure ACS 4.2 for Windows (Microsoft Windows Server 2008, Windows Server 2003, or Windows 2000 Server)

• Microsoft Windows Server 2008 (HCAP server including Microsoft NPS and IIS)

• Microsoft Windows Vista (Service Pack 1 is required)

• NAC-compatible Cisco Catalyst switch (such as the Cisco Catalyst 3750 Series Switch)

In addition, the network device will need to be configured to support the NAC-NAP solution. In the lab, a switch is used to implement IEEE 802.1x for wired connections.

Cisco Secure ACS Base Configuration

The NAC-NAP configuration will begin with the Cisco Secure ACS to establish the base functions to develop policies for the solution. After installing Cisco Secure ACS, use the following steps to create the Cisco Secure ACS configuration for NAC-NAP.

Network Configuration

Task 1: Configure AAA Clients

On the Network Configuration page, you can add and configure authentication, authorization, and accounting (AAA) clients (network access devices, such as switches and wireless access points) and remote AAA servers.

Step 1. On the Network Configuration screen, click the hyperlink under Network Device Group. Click (Not Assigned) and move to the (Not Assigned) AAA Client screen.

Step 2. Configure the AAA clients by clicking the Add Entry button. You can define all NADs as a single AAA client using IP address wildcards. Shared Secret is an identical key string that you define for a switch RADIUS configuration. For Authenticate Using, be sure to select RADIUS (Cisco IOS/PIX 6.0). The following screenshot shows a sample configuration.


Step 3. Click Submit + Apply to save the changes.

Note: AAA client definitions with wildcards cannot overlap with other AAA client definitions, regardless of the authentication types. When adding more AAA clients with a different authentication type, avoid using wildcards and specify the AAA client IP address as needed.

Task 2: Configure AAA Servers

The AAA server information is populated with the hostname and IP address of the device on which Cisco Secure ACS is installed. In this configuration guide, the server name id-acs and IP address 10.1.100.2 are configured. If the server has been assigned a different name, it will be displayed as the AAA server name with current active IP address.

Note: Your AAA server is automatically populated during the installation of Cisco Secure ACS, using the hostname assigned to the host operating system.

Step 1. Configure the Key setting for the AAA server as shown in the following screenshot. Choose Network Configuration > Network Device Group > (Not Assigned) and click the AAA server name hyperlink id-acs. This shared secret key is used by the remote AAA server and Cisco Secure ACS to encrypt the data. The key must be configured identically in the remote AAA server and the local Cisco Secure ACS, including case sensitivity.


Note: You can optionally assign the Cisco Secure ACS to a previously configured network device group (NDG). When adding a Cisco Secure ACS to a network device group, make sure that shared secret for NDG matches the Cisco Secure ACS's shared secret.

Interface Configuration

In the Interface Configuration section, you can configure options such as the RADIUS attribute dictionary, NDG, replication, and the HCAP interface for communication with Microsoft NPS running on Windows Server 2008. The items configured in the Interface Configuration section, such as RADIUS attributes, must be enabled here to be available in other parts of the Cisco Secure ACS configuration.

Task 1: Configure RADIUS Attributes

You configure the RADIUS attributes in the Interface Configuration section. Note that the RADIUS Cisco IOS/PIX6.0 menu appears only after you add the AAA client with the RADIUS Cisco IOS/PIX6.0 authentication type on the Network Configuration screen.

Step 1. Choose Interface Configuration from the main menu, choose RADIUS (IETF), and select the attributes shown in the screenshot. Then choose RADIUS Cisco IOS/PIX6.0 and select the attribute shown in the screenshot. Only the checked attributes are necessary for NAC. All other attributes should be unchecked to save time in later configuration steps.

Options

RADIUS (IETF): select the following attributes

• [027] Session-Timeout
• [029] Termination-Action
• [064] Tunnel-Type
• [065] Tunnel-Medium-Type
• [081] Tunnel-Private-Group-ID

RADIUS (Cisco IOS/PIX6.0): select the following attribute

• [026/009/001] cisco-av-pair

Note: Attributes 64, 65, and 81 are necessary only for VLAN assignments. Attributes 27 and 29 are used for IEEE 802.1X reauthentication.
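The attributes enabled here are what carry the healthy-VLAN or quarantine-VLAN decision from the IEEE 802.1x scenario down to the switch. The Python below is an added example, not code from this guide or from Cisco Secure ACS: it builds the RADIUS Access-Accept attributes 64/65/81 (with the RFC 2868 tag byte) and 27/29, maps a System-Posture-Token to a VLAN the way the scenario describes, and decodes the result as a switch would. The VLAN names "healthy" and "quarantine", the timeout values, and tag value 1 are assumptions for the example.

```python
"""Build and decode the RADIUS attributes used for dynamic VLAN assignment
and 802.1x reauthentication (added example; values are assumed)."""
import struct

# IETF RADIUS attribute numbers referenced in the guide
SESSION_TIMEOUT = 27          # seconds until the switch reauthenticates
TERMINATION_ACTION = 29       # 1 = RADIUS-Request: reauthenticate, keep session
TUNNEL_TYPE = 64              # 13 = VLAN (RFC 3580)
TUNNEL_MEDIUM_TYPE = 65       # 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN name or number

TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
TERMINATION_RADIUS_REQUEST = 1
TAGGED_INT_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}


def _attr(attr_type, payload):
    """Wrap a payload in RADIUS Type/Length/Value framing (length includes header)."""
    if len(payload) > 253:
        raise ValueError("RADIUS attribute payload too long")
    return bytes([attr_type, len(payload) + 2]) + payload


def _int32(attr_type, value):
    return _attr(attr_type, struct.pack("!I", value))


def _tagged_int(attr_type, tag, value):
    # RFC 2868: one tag byte followed by a 3-byte integer value
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def _tagged_string(attr_type, tag, text):
    return _attr(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_assignment_attrs(vlan, reauth_seconds=3600, tag=1):
    """Attributes 64/65/81 place the port in `vlan`; 27/29 make the switch
    reauthenticate, and so re-check posture, after reauth_seconds."""
    return b"".join([
        _tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802),
        _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan),
        _int32(SESSION_TIMEOUT, reauth_seconds),
        _int32(TERMINATION_ACTION, TERMINATION_RADIUS_REQUEST),
    ])


def attrs_for_posture(system_posture_token, healthy_vlan="healthy",
                      quarantine_vlan="quarantine"):
    """Map the posture token reported over HCAP to the VLAN policy of the
    802.1x scenario (VLAN names and timeouts are assumed, not from the guide)."""
    if system_posture_token == "Healthy":
        return vlan_assignment_attrs(healthy_vlan)
    # Anything other than Healthy is quarantined; a short timeout makes the
    # client revalidate soon after remediation turns the firewall back on.
    return vlan_assignment_attrs(quarantine_vlan, reauth_seconds=300)


def decode_attrs(blob):
    """Parse the TLV stream into {attribute_number: value}, checking lengths
    the way a switch must before trusting what the RADIUS server sent."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("bad attribute length")
        data = blob[i + 2:i + length]
        if attr_type in TAGGED_INT_ATTRS:
            out[attr_type] = (data[0], int.from_bytes(data[1:4], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # tag bytes are 0x01..0x1F; anything larger is part of the string
            if data[0] <= 0x1F:
                out[attr_type] = (data[0], data[1:].decode("ascii"))
            else:
                out[attr_type] = (None, data.decode("ascii"))
        else:
            out[attr_type] = struct.unpack("!I", data)[0]
        i += length
    return out
```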

Step 2. Choose Interface Configuration > Advanced Options and enable the attributes shown here.

Advanced Options: enable the following

• Default Time-of-Day / Day-of-Week Specification
• Group-Level Shared Network Access Restrictions
• Group-Level Network Access Restrictions
• Group-Level Password Aging
• Network Access Filtering
• Max Sessions
• ACS internal database Replication
• RDBMS Synchronization
• Network Device Groups
• Microsoft Network Access Protection Settings

Note: Microsoft Network Access Protection Settings needs to be checked in this section to enable the HCAPv2 interface so you can configure the Microsoft NPS address.

System Configuration

Task 1: Set Up Cisco Secure ACS Certificate and Root CA Certificate

Configure Cisco Secure ACS with a server certificate for establishing client trust when challenging the client for its credentials. For authenticated in-band PAC provisioning for EAP-FAST, the client must have a certificate that matches the one installed in Cisco Secure ACS.

Note: Using a production PKI and certificates signed by a production CA or registration authority is highly recommended for the most scalable NAC deployments. This part of NAC implementation has been significantly compressed and abbreviated; you will need to use an existing PKI (internal or outsourced) to securely identify the Cisco Secure ACS infrastructure to endpoint devices.

The following steps show how to request the Cisco Secure ACS certificate from a locally configured Microsoft root CA server and install it on Cisco Secure ACS as the server certificate. If the CA server is not available in the testing environment, Cisco Secure ACS can generate a self-signed certificate. Please proceed to Step 14 if you want to use a self-signed server certificate generated on Cisco Secure ACS. Step 14 shows how to create and install a self-signed certificate.

Step 1. Choose System Configuration > ACS Certificate Setup > Generate Certificate Signing Request. Fill out the required field as shown here and click the Submit button.


Examples of field values for the certificate signing request (CSR) are shown here.

Generate Certificate Signing Request

Certificate subject: cn=your_acs_name
Private key file: C:\%your_cert_dir%your_private_key_name
Private key password: your_private_key_password
Retype private key password: your_private_key_password
Key length: 2048 bits
Digest to sign with: SHA1

After you submit your request, your CSR is displayed in the right frame of your browser console.


Step 2. Now send the CSR to the Microsoft CA server. Copy your CSR to a temporary text file. Then access your CA server using Microsoft Internet Explorer (IE). The local Microsoft CA server can be accessed through the following URL: http://your_ca_server/certsrv/


Step 3. Click Request a certificate > advanced certificate request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Step 4. Paste your copied CSR from the Cisco Secure ACS web console to the Saved Request text box. For Certificate Template, choose Web Server; then click Submit.


Step 5. Select DER encoded to download your Distinguished Encoding Rules (DER) encoded certificate to your certificate directory on Cisco Secure ACS (or you may need to download the certificate to your Cisco Secure ACS Solution Engine server). Name the downloaded certificate to distinguish it from the root CA server of this Microsoft CA server. Alternatively, you may want to save the CA certificate in both DER and Base 64 encoding methods and then save them both with appropriate names.


Step 6. (Optional) When you are accessing the CA web enrollment console, we recommend that you download the CA server root certificate and save it along with the Cisco Secure ACS certificate for future use. To download the CA root certificate, access your CA server with IE and click Download a CA certificate, certificate chain, or CRL under Select a task section of Welcome page.

Step 7. Make sure you choose the current CA server and then click Download certificate.

Step 8. Now you have a root CA certificate, Cisco Secure ACS certificate, and associated private key saved on your Cisco Secure ACS. You have to install those certificates and the private key on Cisco Secure ACS. First install the root CA certificate on Cisco Secure ACS. Choose System Configuration > ACS Certificate Setup > ACS Certification Authority Setup. Specify the location of the CA certificate and click the Submit button.


Step 9. After you add the new CA certificate, restart Cisco Secure ACS. Choose System Configuration > Service Control and click Restart.

Step 10. After installing the CA certificate, you should add it to the certificate trust list (CTL) as a trusted authority. To do this, select the Edit Certificate Trust List link from the ACS Certificate Setup screen, locate the name of your CA in the list, and check the box next to it and click Submit to save the changes.

Edit the Certificate Trust List (CTL)

• ID-CA (checked)

Step 11. Changing the CTL requires a Cisco Secure ACS restart; choose System Configuration > Service Control and click the Restart button.

Step 12. Choose Install Certificate. Specify the location of the Cisco Secure ACS certificate and click the Submit button.

Install New Certificate

Read certificate from file (selected)
Certificate file: c:\certs\id-acs.cer
Private key file: c:\certs\id-acs.pvk
Private key password: cisco123


Step 13. After a successful installation of the Cisco Secure ACS certificate, you must restart Cisco Secure ACS. Choose System Configuration from the main menu, select Service Control, and click the Restart button. This completes the Cisco Secure ACS certificate installation process.

Step 14. (Optional) Choose System Configuration > ACS Certificate Setup > Generate Certificate Signing Request. Fill out the required fields as shown here and click the Submit button.


Note: Self-signed server certificates generated on Cisco Secure ACS should be used for lab testing purposes only. This certificate is valid for one year only, and the administrator is advised to not deploy a self-signed certificate for any production use.

Task 2: Set Up Global Authentication

Cisco Secure ACS supports many protocols for securely transferring credentials from the host to the Cisco Secure ACS for authentication and authorization. You must tell Cisco Secure ACS which protocols are allowed and what the default settings are for each protocol.

Note: Unless you have a limited deployment environment or specific security concerns, we highly recommend that you enable all protocols globally. You will have an opportunity to limit the actual protocol options later when you create the network access profiles for NAC, but if they are not enabled here, they will not be available in the network access profiles.

Step 1. Choose System Configuration > Global Authentication Setup.

Step 2. Select the global authentication parameters shown here to make them available for the network access profile authentication configuration. Note that Protected EAP (PEAP) and its inner authentication methods are also selected. PEAP is not required for NAC-NAP integration. Those methods can be disabled in the network access profile.


Step 3. Click Submit + Restart to save these changes.

Step 4. Choose EAP-FAST Configuration to open the EAP-FAST Configuration page. Select the parameters shown here.


Step 5. Click Submit + Restart to save these changes.

Task 3: Configure Attributes for Logging

In this task, you will turn on the Cisco Secure ACS logs needed for monitoring and troubleshooting. Cisco Secure ACS logs provide records of access requests from clients and hints about why an authentication failed if something goes wrong. You should always turn on the appropriate log options when initially configuring Cisco Secure ACS.

Note: To log any attribute values from hosts other than NAC attribute values, you must first import the attribute definitions into Cisco Secure ACS and then select them for logging.

Step 1. To specify which log files are enabled and which event attributes are recorded within them, choose System Configuration > Logging.

The recommended log files and their logged attributes for NAC are shown here. Make sure logging for CSV Failed Attempts, CSV Passed Authentications, and CSV RADIUS Accounting are all turned on.

CSV Failed Attempts: logged attributes

• Message-Type
• User-Name
• Caller-ID
• Authen-Failure-Code
• NAS-Port
• NAS-IP-Address
• AAA Server
• Network Device Group
• Access Device
• PEAP/EAP-FAST-Clear-Name
• EAP Type
• EAP Type Name
• Network Access Profile Name
• Shared RAC
• Downloadable ACL
• System-Posture-Token
• Application-Posture-Token
• Reason

CSV Passed Authentications: logged attributes

• Message-Type
• User-Name
• Caller-ID
• NAS-Port
• NAS-IP-Address
• AAA Server
• Filter Information
• Network Device Group
• Access Device
• PEAP/EAP-FAST-Clear-Name
• EAP Type
• EAP Type Name
• Network Access Profile Name
• Outbound Class
• Shared RAC
• Downloadable ACL
• System-Posture-Token
• Application-Posture-Token
• Reason

CSV RADIUS Accounting: logged attributes

• User-Name
• Group-Name
• Calling-Station-Id
• Acct-Status-Type
• Acct-Session-Id
• Acct-Session-Time
• Acct-Input-Octets
• Acct-Output-Octets
• Acct-Input-Packets
• Acct-Output-Packets
• Framed-IP-Address
• NAS-Port
• NAS-IP-Address
• Class
• Termination-Action
• Called-Station-Id
• Acct-Delay-Time
• Acct-Authentic
• Acct-Terminate-Cause
• Event-Timestamp
• NAS-Port-Type
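Once these logs are on, the first troubleshooting question is usually which hosts ended up quarantined and which failure codes recur. The Python below is an added example, not part of this guide or of Cisco Secure ACS: it reads CSV rows in the shape of the Passed Authentications and Failed Attempts logs (constructed here with only a subset of the attributes listed above) and summarises posture outcomes and failure codes. The column order, failure-code strings, profile name, user names and MAC addresses are all invented for the example.

```python
"""Summarise constructed Cisco Secure ACS style CSV log rows (added example)."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows: column names follow the ACS logged-attribute names
# enabled in Task 3, but the values (users, MACs, failure codes) are invented.
PASSED_AUTHENTICATIONS = """\
Message-Type,User-Name,Caller-ID,NAS-Port,NAS-IP-Address,Network Access Profile Name,EAP Type Name,System-Posture-Token,Application-Posture-Token,Reason
Authen OK,alice,00-11-22-33-44-55,50001,10.1.100.10,NAC-NAP-802.1x,EAP-FAST,Healthy,Healthy,
Authen OK,bob,00-11-22-33-44-66,50002,10.1.100.10,NAC-NAP-802.1x,EAP-FAST,Quarantine,Quarantine,Windows Firewall disabled
Authen OK,bob,00-11-22-33-44-66,50002,10.1.100.10,NAC-NAP-802.1x,EAP-FAST,Healthy,Healthy,
Authen OK,carol,00-11-22-33-44-77,50003,10.1.100.11,NAC-NAP-802.1x,EAP-FAST,Quarantine,Quarantine,Windows Firewall disabled
"""

FAILED_ATTEMPTS = """\
Message-Type,User-Name,Caller-ID,Authen-Failure-Code,NAS-Port,NAS-IP-Address,Network Access Profile Name,EAP Type Name,System-Posture-Token,Reason
Authen failed,dave,00-11-22-33-44-88,Invalid password,50004,10.1.100.10,NAC-NAP-802.1x,EAP-FAST,,
Authen failed,erin,00-11-22-33-44-99,PAC provisioning failed,50005,10.1.100.11,NAC-NAP-802.1x,EAP-FAST,,
Authen failed,dave,00-11-22-33-44-88,Invalid password,50004,10.1.100.10,NAC-NAP-802.1x,EAP-FAST,,
"""


def parse_log(text):
    """Read a CSV export into a list of dicts keyed by attribute name."""
    return list(csv.DictReader(io.StringIO(text)))


def posture_summary(passed_rows):
    """Follow each user's System-Posture-Token through the log in order:
    who is still quarantined at the end, and who went Quarantine -> Healthy
    (which is what successful NPS remediation looks like in this log)."""
    by_token = Counter(r["System-Posture-Token"] for r in passed_rows)
    history = defaultdict(list)
    for r in passed_rows:
        history[r["User-Name"]].append(r["System-Posture-Token"])
    still_quarantined = sorted(u for u, h in history.items() if h[-1] != "Healthy")
    remediated = sorted(u for u, h in history.items()
                        if "Quarantine" in h and h[-1] == "Healthy")
    return {"by_token": by_token, "still_quarantined": still_quarantined,
            "remediated": remediated}


def failure_summary(failed_rows, repeat_threshold=3):
    """Group failures by Authen-Failure-Code and flag Caller-IDs (client MACs)
    that fail repeatedly; those are the endpoints to look at first."""
    by_code = Counter(r["Authen-Failure-Code"] for r in failed_rows)
    per_mac = Counter(r["Caller-ID"] for r in failed_rows)
    repeat = sorted(m for m, n in per_mac.items() if n >= repeat_threshold)
    return {"by_code": by_code, "repeat_offenders": repeat}


if __name__ == "__main__":
    print(posture_summary(parse_log(PASSED_AUTHENTICATIONS)))
    print(failure_summary(parse_log(FAILED_ATTEMPTS), repeat_threshold=2))
```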