Configuring Network Admission Control
Information about Network Admission Control
Network Admission Control (NAC) protects the enterprise network from intrusion and infection by worms, viruses, and rogue applications by performing endpoint compliance and vulnerability checks as a condition for production access to the network. These checks are called posture validation. You can configure posture validation to ensure that the anti-virus files, personal firewall rules, or intrusion protection software on a host with an IPsec or WebVPN session are up to date before granting that host access to vulnerable hosts on the intranet. Posture validation can also verify that the applications running on the remote host are updated with the latest patches. NAC occurs only after user authentication and the setup of the tunnel, so it governs what an authenticated endpoint can reach rather than whether the user can connect. NAC is especially useful for protecting the enterprise network from hosts that are not subject to automatic network policy enforcement, such as home PCs.
The establishment of a tunnel between the endpoint and the ASA triggers posture validation.
You can configure the ASA to pass the IP address of the client to an optional audit server if the client does not respond to a posture validation request. The audit server, such as a Trend server, uses the host IP address to challenge the host directly to assess its health. For example, it may challenge the host to determine whether its virus checking software is active and up-to-date. After the audit server completes its interaction with the remote host, it passes a token to the posture validation server, indicating the health of the remote host.
Following successful posture validation or the reception of a token indicating the remote host is healthy, the posture validation server sends a network access policy to the ASA for application to the traffic on the tunnel.
In a NAC Framework configuration involving the ASA, only a Cisco Trust Agent running on the client can fulfill the role of posture agent, and only a Cisco Access Control Server (ACS) can fulfill the role of posture validation server. The ACS uses dynamic ACLs to determine the access policy for each client.
As a RADIUS server, the ACS can authenticate the login credentials required to establish a tunnel, in addition to fulfilling its role as posture validation server.
Note Only a NAC Framework policy configured on the ASA supports the use of an audit server.
In its role as posture validation server, the ACS expresses the access policy as access control lists. If posture validation succeeds and the ACS specifies a redirect URL as part of the access policy it sends to the ASA, the ASA redirects all HTTP and HTTPS requests from the remote host to that URL (typically a remediation page). Once the posture validation server sends an access policy to the ASA, traffic on the tunnel must be permitted by both the ASA's own access rules and the ACL obtained from the ACS to reach its destination.
The establishment of a tunnel between an IPsec or WebVPN client and the ASA triggers posture validation if a NAC Framework policy is assigned to the group policy. The NAC Framework policy can, however, identify operating systems that are exempt from posture validation and specify an optional ACL to filter such traffic.
Licensing Requirements
The following table shows the licensing requirements for this feature:
Note This feature is not available on No Payload Encryption models.
Prerequisites for NAC
When configured to support NAC, the ASA functions as a client of a Cisco Secure Access Control Server, so you must install at least one Access Control Server on the network to provide posture validation (NAC authentication) services.
Guidelines and Limitations
After configuring one or more Access Control Servers on the network, use the aaa-server command to name the Access Control Server group. Then follow the instructions in Configuring a NAC Policy.
ASA support for NAC Framework is limited to remote access IPsec and WebVPN client sessions. The NAC Framework configuration is supported only in single-context mode.
NAC on the ASA does not support Layer 3 (non-VPN) traffic or IPv6 traffic.
Viewing the NAC Policies on the Security Appliance
Before configuring the NAC policies to be assigned to group policies, we recommend that you view any that may already be set up on the ASA. Because the default configuration contains no NAC policies, displaying them is a quick way to determine whether anyone has added any. If so, you may decide that the policies already configured are suitable and skip the section on configuring a NAC policy.
Detailed Steps
Refer to the following sections to create a NAC policy or modify one that is already present.
Adding, Accessing, or Removing a NAC Policy
Enter the following command to add or modify a NAC policy:
Detailed Steps
Configuring a NAC Policy
After you use the nac-policy command to name a NAC Framework policy, use the following sections to assign values to its attributes before you assign it to a group policy.
Specifying the Access Control Server Group
You must configure at least one Cisco Access Control Server to support NAC.
Detailed Steps
Setting the Query-for-Posture-Changes Timer
After each successful posture validation, the ASA starts a status query timer. The expiration of this timer triggers a query to the remote host for changes in posture since the last posture validation. A response indicating no change resets the status query timer. A response indicating a change in posture triggers an unconditional posture revalidation. The ASA maintains the current access policy during revalidation.
By default, the interval between each successful posture validation and the status query, and each subsequent status query, is 300 seconds (5 minutes). Follow these steps to change the status query interval:
Detailed Steps
Setting the Revalidation Timer
After each successful posture validation, the ASA starts a revalidation timer. The expiration of this timer triggers the next unconditional posture validation. The ASA maintains the current access policy during revalidation.
By default, the interval between successive unconditional posture validations is 36000 seconds (10 hours). To change it, enter the following command in nac-policy-nac-framework configuration mode:
Detailed Steps
Configuring the Default ACL for NAC
Each group policy points to a default ACL to be applied to hosts that match the policy and are eligible for NAC. The ASA applies the NAC default ACL before posture validation. Following posture validation, the ASA replaces the default ACL with the one obtained from the Access Control Server for the remote host. The ASA retains the default ACL if posture validation fails.
The ASA also applies the NAC default ACL if clientless authentication is enabled (which is the default setting).
Detailed Steps
Configuring Exemptions from NAC
The ASA configuration stores a list of exemptions from NAC posture validation. You can specify the operating systems that are exempt. If you also specify an ACL, clients running that operating system are exempt from posture validation and their traffic is filtered by that ACL instead of by a policy obtained from the Access Control Server.
To add an entry to the list of remote computer types that are exempt from NAC posture validation, enter the following command in nac-policy-nac-framework configuration mode:
Detailed Steps
Note When the command specifies an operating system, it does not overwrite the previously added entry to the exception list; enter the command once for each operating system and ACL you want to exempt.
Assigning a NAC Policy to a Group Policy
Upon completion of each tunnel setup, the ASA applies the NAC policy assigned to the group policy, if any, to the session. By default, the nac-settings command is not present in the configuration of a group policy. The ASA automatically enables NAC for a group policy when you assign a NAC policy to it.
Detailed Steps
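The following is an added example, not taken from the Cisco guide, that strings the preceding steps (naming the ACS server group, creating the NAC Framework policy, setting its timers, default ACL and exemptions, and assigning it to a group policy) into one configuration. The server group, address, shared secret, ACL names, operating-system strings, policy name and group-policy name are all hypothetical; the command keywords are the ASA 8.x NAC Framework CLI as the editor recalls it, and the last two lines show how to view what is in the running configuration before and after the change.

```text
! Hypothetical AAA server group pointing at the Cisco Secure ACS that will
! act as posture validation server (the ACS itself must also be set up for NAC).
aaa-server ACS-NAC protocol radius
aaa-server ACS-NAC (inside) host 10.1.1.5
 key Sh4redS3cret-Example

! Default ACL, applied to the tunnel before posture validation completes and
! retained if validation fails. Permit only DNS and the remediation web server;
! everything else waits for the ACL the ACS returns.
access-list NAC-DEFAULT extended permit udp any any eq domain
access-list NAC-DEFAULT extended permit tcp any host 10.1.1.20 eq www
access-list NAC-DEFAULT extended deny ip any any

! ACL for exempt operating systems that cannot run Cisco Trust Agent.
access-list NAC-EXEMPT extended permit ip any 10.1.0.0 255.255.0.0

! NAC Framework policy (hypothetical name FRAMEWORK1).
nac-policy FRAMEWORK1 nac-framework
 authentication-server-group ACS-NAC
 default-acl NAC-DEFAULT
 sq-period 600
 reval-period 43200
 exempt-list os "Mac OS X" filter NAC-EXEMPT
 exempt-list os "Linux"

! Assigning the policy also enables NAC for the group policy.
group-policy REMOTE-USERS attributes
 nac-settings value FRAMEWORK1

! Verify the result.
show running-config nac-policy
show running-config group-policy REMOTE-USERS
```

In this example the status query runs every 600 seconds instead of the default 300, and unconditional revalidation every 43200 seconds instead of the default 36000; "Mac OS X" hosts are exempted but confined to 10.1.0.0/16, while "Linux" hosts are exempted with no filter. Note that the deny-all last line of NAC-DEFAULT means a host that never completes posture validation keeps only DNS and remediation access, which is the intended fail-closed behaviour.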
Changing Global NAC Framework Settings
The ASA provides default settings for a NAC Framework configuration. Use the instructions in this section to adjust these settings for adherence to the policies in force in your network.
Changing Clientless Authentication Settings
NAC Framework support for clientless authentication is configurable. It applies to hosts that do not have a Cisco Trust Agent to fulfill the role of posture agent. For such a host, the ASA applies the default access policy, sends the EAP over UDP request for posture validation, and the request times out. If the ASA is not configured to request a policy for clientless hosts from the Access Control Server, it retains the default access policy already in use for the clientless host. If the ASA is configured to request a policy for clientless hosts from the Access Control Server, it does so and the Access Control Server downloads the access policy to be enforced by the ASA.
Enabling and Disabling Clientless Authentication
Clientless authentication is enabled by default. The default configuration contains the eou allow clientless command.
Restrictions
Follow these steps to enable clientless authentication for a NAC Framework configuration:
Detailed Steps
Changing the Login Credentials Used for Clientless Authentication
When clientless authentication is enabled, and the ASA fails to receive a response to a validation request from the remote host, it sends a clientless authentication request on behalf of the remote host to the Access Control Server. The request includes the login credentials that match those configured for clientless authentication on the Access Control Server. The default username and password for clientless authentication on the ASA match the default username and password on the Access Control Server; both are “clientless.” Because these defaults are published, change them on both the Access Control Server and the ASA rather than relying on the default values.
Prerequisites
If you change these values on the Access Control Server, you must also do so on the ASA.
Detailed Steps
Enter the following to change the username used for clientless authentication:
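The following is an added example, not from the Cisco guide, showing the global clientless-authentication settings described in this section: first the defaults made explicit, then the credentials changed to match a hypothetical account on the ACS, and finally the two alternatives to clientless authentication. The username and password values are placeholders; the eou command keywords are the ASA 8.x CLI as the editor recalls it.

```text
! Defaults, written out explicitly (this is what the ASA ships with).
eou allow clientless
eou clientless username clientless
eou clientless password clientless

! Replace the published defaults with the account the ACS expects for hosts
! that have no Cisco Trust Agent. Both sides must use the same values.
eou clientless username nac-agentless
eou clientless password Ag3ntless-Example-Pw

! Alternative 1: do not ask the ACS for a policy for agentless hosts; the
! NAC default ACL then stays in force for them.
eou allow none

! Alternative 2: hand unresponsive hosts to the audit server configured on
! the ACS (NAC Framework policies are the only ones that support this).
eou allow audit
```

Only one eou allow setting is in effect at a time; the last one entered wins. With eou allow none, an agentless host keeps whatever the NAC policy's default ACL permits for the life of the tunnel, so that ACL should be restrictive.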
Changing NAC Framework Session Attributes
The ASA provides default settings for the attributes that specify communications between the ASA and the remote host. These attributes specify the port number used to communicate with posture agents on remote hosts and the expiration counters that impose limits on the communications with the posture agents. These attributes, the default settings, and the commands you can enter to change them are as follows: