Configure Cisco NAC Appliance for VPN Concentrator Integration
The following steps are needed to configure Cisco NAC Appliance to work with a VPN concentrator.
Step 1 Add Default Login Page
Step 2 Configure User Roles and Requirements for your VPN users
Step 3 Enable L3 Support on the CAS
Step 4 Verifying the Discovery Host
Step 5 Adding/Editing VPN Concentrator Entries
Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator
Step 7 Adding/Editing Accounting Server Entries
Step 8 Mapping VPN Concentrator(s) to Accounting Server(s)
Step 9 Create (Optional) Auth Server Mapping Rules
Step 10 Add VPN Concentrator as a Floating Device
Step 11 Configure Single Sign-On (SSO) on the CAS/CAM
Step 12 Configure VPN SSO in a FIPS 140-2 Compliant Deployment (if FIPS 140-2 compliant deployment)
Step 13 Create (Optional) Auth Server Mapping Rules on the CAM for Cisco VPN SSO
Step 14 Test as Cisco NAC Appliance Agent with VPN Concentrator and SSO
Step 15 View Active VPN Clients (for troubleshooting)
Add Default Login Page
For both web login users and Agent users, a login page must be added and present in the system in order for the user to authenticate via the Agent. Go to Administration > User Pages > Login Page > Add | Add to quickly add the default user login page. See the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(1) for complete details on login page configuration options.
Enable L3 Support on the CAS
The Enable L3 support option must be checked on the IP form of the CAS for the Agent to work in VPN tunnel mode.
1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Network > IP.
Figure 6-4 CAS Network Tab — Enable L3 Support
2. The Clean Access Server Type, Trusted Interface, and Untrusted Interface settings should already be correctly configured (from when the CAS was added).
3. Click the checkbox for Enable L3 support.
4. Click Update.
5. Click Reboot.
Note - The enable/disable L3 feature is disabled by default, and ALWAYS requires an Update and Reboot of the CAS to take effect. Update causes the web console to retain the changed setting until the next reboot. Reboot causes the process to start in the CAS.
- L3 and L2 strict options are mutually exclusive; enabling one option disables the other.
See also Enable L3 Support.
Verifying the Discovery Host
There must be a Discovery Host enabled in order for the Agent to discover the CAS in VPN or L3 deployments. By default, the Discovery Host field is set to the IP address of the CAM. Because the VPN concentrator acts as a router between the user and the CAS, the Agent uses the Discovery Host to direct its UDP 8906 discovery packets to the network of the CAS. The CAS uses these packets to learn that an Agent is active, and discards the packets before they ever reach the CAM. (This function does not apply to the Cisco NAC Web Agent.) The Discovery Host field should be set in the CAM before the Agent is distributed and installed on client machines.
1. Go to Device Management > Clean Access > Clean Access Agent > Distribution.
2. Verify the IP address for the Discovery Host field is either the IP address of the CAM (default), or a trusted network IP address that requires traffic to be routed/forwarded via the CAS.
3. If changing the Discovery Host, click the Update button.
See VPN/L3 Access for Agents, and the “Configuring Agent Distribution/Installation” section of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(1) for additional information.
Adding/Editing VPN Concentrator Entries
Step 1 Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > VPN Concentrators.
Step 2 If you are editing an existing VPN concentrator entry, click on the Edit icon for that entry in the list at the bottom of the configuration window, update any information necessary according to the following steps, and click Save. Otherwise, skip to Step 3 to add a new VPN concentrator entry.
Figure 6-5 Add VPN Concentrator
Step 3 Type a Name for the concentrator.
Step 4 Type the Private IP Address of the concentrator.
Step 5 Type a Shared Secret between the CAS and VPN concentrator. The same secret must be configured on the concentrator itself.
Step 6 Retype the secret in the Confirm Shared Secret field.
Step 7 Enter an optional Description.
Step 8 For a FIPS 140-2 compliant deployment, activate the Enable IPsec checkbox to ensure you can establish a secure IPSec tunnel for authentication traffic. See also, Configure VPN SSO in a FIPS 140-2 Compliant Deployment.
Step 9 Click Add VPN Concentrator.
Adding/Editing Accounting Server Entries
If the VPN concentrator is configured to work with an accounting server, the information for the accounting server(s) needs to be transferred to the CAS. The CAS maintains these associations instead.
Step 1 Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP]> Authentication > VPN Auth > Accounting Servers.
Step 2 If you are editing an existing accounting server entry, click on the Edit icon for that entry in the list at the bottom of the configuration window, update any information necessary according to the following steps, and click Save. Otherwise, skip to Step 3 to add a new accounting server entry.
Figure 6-6 Add Accounting Server(s)
Step 3 Type a Name for the accounting server.
Step 4 Type the IP Address of the accounting server.
Step 5 Type the Port of the accounting server (typically 1813).
Step 6 Type the Retry number for the accounting server. This specifies the number of times to retry a request attempt if there is no response within the Timeout specified. For example, if the Retry is 2, and the Timeout is 3 (seconds), it will take 6 seconds for the CAS to send the request to the next accounting server on the list.
Step 7 Type the Timeout of the accounting server (in seconds). This specifies how long the CAS should wait before retrying a request to the accounting server when there is no response.
Step 8 Type a Shared Secret between the CAS and accounting server. You can transfer the settings from the VPN concentrator or create a new secret; however the same secret must be configured on the accounting server itself.
Step 9 Retype the secret in the Confirm Shared Secret field.
Step 10 Enter an optional Description.
Step 11 For a FIPS 140-2 compliant deployment, activate the Enable IPsec checkbox to ensure you can establish a secure IPSec tunnel for authentication traffic.
Step 12 Click Add Accounting Server.
Mapping VPN Concentrator(s) to Accounting Server(s)
If managing multiple VPN concentrators and multiple accounting servers, you can create mappings to associate the VPN concentrator(s) with sets of Accounting Servers. This allows the CAS to continue to the next server on the list in case an accounting server becomes unreachable.
Step 1 Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > Accounting Mapping.
Figure 6-7 Accounting Mapping
Step 2 Choose a VPN Concentrator from the dropdown menu. The menu displays all VPN concentrators added to the CAS.
Step 3 Choose an Accounting Server from the dropdown menu. The menu displays all accounting servers configured for the CAS.
Step 4 Click the Add Entry button to add the mapping. The list below will display all the accounting servers associated per VPN concentrator by name, IP address, and port.
Add VPN Concentrator as a Floating Device
In general, if the Clean Access Server is not on the same subnet as clients, the CAS will not obtain client MAC information for IP addresses as clients log into the system. Where there is a VPN concentrator between users and the CAS (all Server Types), the CAS will see the MAC address of the VPN concentrator with each new client IP address because the VPN concentrator performs Proxy ARP for the client IP addresses. Unless the VPN concentrator is configured as a floating device, only the first user logging into Cisco NAC Appliance will be required to meet requirements. Therefore, administrators must add the MAC address of the router/VPN concentrator to the Floating Device list under Device Management > Clean Access > Certified Devices > Add Floating Device (example entry: 00:16:21:11:4D:67 1 vpn_concentrator). See “Add Floating Devices” in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(1) for details.
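The following is an added example, not Cisco code: a small model of the problem the paragraph describes, showing how a Certified Devices list keyed on MAC treats two VPN users arriving behind the concentrator's single Proxy ARP MAC with and without a floating device entry. It parses the entry format shown above; reading type 1 as "never certify this MAC" is an assumption about that example, and the user names and client IPs are constructed.

```python
# Added example, not Cisco code: a small model of why the VPN concentrator's MAC
# must be a floating device. Because the concentrator proxy-ARPs for its clients,
# the CAS sees one MAC for every client IP; a Certified Devices list keyed on MAC
# would then let every later user ride on the first user's posture check. Entries
# use the page's floating-device format "<MAC> <type> <description>"; reading
# type 1 as "never certify this MAC" is an assumption about the page's example.
# The user names and client IPs are constructed.
from dataclasses import dataclass, field


@dataclass
class CleanAccessModel:
    floating: dict = field(default_factory=dict)      # MAC -> (type, description)
    certified_macs: set = field(default_factory=set)  # Certified Devices, keyed on MAC
    online_users: dict = field(default_factory=dict)  # client IP -> user name
    posture_checks: list = field(default_factory=list)

    def add_floating_device(self, entry):
        """Parse one entry such as '00:16:21:11:4D:67 1 vpn_concentrator'."""
        mac, dev_type, description = entry.split(None, 2)
        if dev_type != "1":
            raise ValueError("only type 1 (never certify) is modelled here")
        self.floating[mac.lower()] = (int(dev_type), description)

    def login(self, user, client_ip, seen_mac):
        """Admit a user whose traffic arrives with seen_mac; return what happened."""
        mac = seen_mac.lower()
        never_certify = mac in self.floating
        if mac in self.certified_macs and not never_certify:
            # MAC already certified by an earlier user: posture check is skipped
            self.online_users[client_ip] = user
            return "skipped"
        self.posture_checks.append((user, client_ip))
        if not never_certify:
            self.certified_macs.add(mac)
        self.online_users[client_ip] = user
        return "posture-checked"


def simulate(floating_entries):
    """Two VPN users in turn, both seen behind the concentrator's MAC."""
    cas = CleanAccessModel()
    for entry in floating_entries:
        cas.add_floating_device(entry)
    vpn_mac = "00:16:21:11:4D:67"    # MAC from the page's example entry
    return [cas.login("alice", "10.0.0.10", vpn_mac),
            cas.login("bob", "10.0.0.11", vpn_mac)]
```

Without the floating entry the second user is admitted without a posture check; with it, every user behind the concentrator is checked.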
Configure Single Sign-On (SSO) on the CAS/CAM
Single Sign-On (SSO) allows the user to login only once via the VPN client before being directed through the posture assessment process. To perform SSO, Cisco NAC Appliance takes the RADIUS accounting information from the VPN concentrator/wireless controller for the user authentication and uses it to map the user into a user role. This allows the user to go through posture assessment directly without having to also login on the Clean Access Server. SSO is configured on both the CAS and CAM as described below.
The most important attributes needed from RADIUS accounting packets are User_Name, Framed_IP_address, Calling_Station_ID. For a user to be qualified for SSO through the Clean Access Server, either the Framed_IP_address or Calling_Station_ID attribute (sent for the client's IP address) must be in the RADIUS accounting message.
Note RADIUS Accounting support for Single Sign-On (SSO) includes the Cisco Airespace Wireless LAN Controller. For SSO to work with Cisco NAC Appliance, the Cisco Airespace Wireless LAN Controller must send the Calling_Station_ID attribute as the client's IP address (as opposed to the Framed_IP_address attribute that the VPN concentrator uses).
Configure SSO on the CAS
Step 1 Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > General.
Figure 6-8 General Settings (SSO / Logout / RADIUS Accounting Port)
Step 2 Click the checkbox for Single Sign-On to enable VPN SSO on the CAS.
Step 3 Enter a time period (in seconds) for the Agent VPN Detection Delay value. If the CAS has not received the required RADIUS accounting information before the Agent attempts VPN SSO, the Agent will prompt for user login. The Agent VPN Detection Delay field allows you to specify the amount of time the CAS should wait before prompting for authentication from the remote user’s Agent that is transmitting SWISS UDP discovery packets.
This option ensures that the CAS has time to receive updates for users who are already connected via VPN before prompting them for login credentials that the CAS normally leverages from VPN login. If the CAS learns of the existing connection during the specified waiting period, it automatically yields to the VPN SSO function. Otherwise, once the specified waiting period has passed with no indication that the user connection is already established via VPN, the CAS prompts the user to enter their login credentials.
Note The Agent VPN Detection Delay applies to all VPN SSO users until the delay expires.
When this value is 0, the CAS requests the Agent to perform VPN SSO immediately. Set this value to 0 if the first RADIUS accounting packet received by the CAS has enough information to perform VPN SSO when the VPN is connected.
When this value is any number other than 0, the CAS informs the Agent in the SWISS packet to wait for the specified delay before attempting VPN SSO login. Set this field to a non-zero value if:
- The Agent is prompting for user authentication because the first RADIUS accounting packet is delayed.
- The VPN concentrator requires a second accounting packet to update the VPN IP address sent in the first accounting packet. In this case, the CAS will not see this VPN connection as valid after the first accounting packet, and the Agent will prompt for user login if the Agent VPN Detection Delay is set to 0.
Step 4 Click the checkbox for Auto-Logout to automatically terminate the VPN session for users when they log out.
Step 5 Leave the default port (1813) or configure a new one for RADIUS Accounting Port.
Note A CAS deployed as a Real-IP gateway supporting VPN SSO opens the Accounting port only on the trusted (eth0) interface.
Step 6 Click Update.
Configure SSO on the CAM
To support SSO when configuring Cisco NAC Appliance VPN Concentrator integration, a Cisco VPN SSO authentication source must be added to the CAM.
1. Go to User Management > Auth Servers > New.
Figure 6-9 Add New Auth Server (in CAM)
2. Choose Cisco VPN SSO from the Authentication Type dropdown menu.
3. The Provider Name is set by default to Cisco VPN.
4. From the Default Role dropdown, choose the user role you want VPN client users to be assigned to for the posture assessment process.
5. Enter an optional Description to identify the VPN concentrator in the list of auth servers.
6. Click Add Server.
The new Cisco VPN SSO auth server appears under User Management > Auth Servers > List of Servers.
- Click the Edit button next to the auth server to modify settings.
- Click the Mapping button next to the auth server to configure RADIUS attribute-based mapping rules for Cisco VPN SSO.
See the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(1) for further details.
Configure VPN SSO in a FIPS 140-2 Compliant Deployment
Setting up IPSec communication between your FIPS compliant Cisco NAC Appliance system and Cisco ASA covers three primary phases:
- Import a Trusted CA
- Set up Identity certificate
- Create a Site-to-Site VPN to CAS
Import a Trusted CA
To import your trusted Certificate Authority (CA) into the ASA VPN concentrator:
Step 1 In ASDM, click the Configuration toolbar button.
Step 2 Select the Site-to-Site VPN tab.
Step 3 Go to the Certificate Management > CA Certificates panel (Figure 6-10).
Figure 6-10 Import CA Certificate
Step 4 Click Add and enter a trustpoint name for your CA.
Step 5 Click Browse and select your CA certificate file.
Step 6 Click Install Certificate.
Set up Identity certificate
To set up an Identity Certificate on the ASA VPN concentrator:
Step 1 Go to Certificate Management > Identity Certificates.
Step 2 Specify a trustpoint name.
Step 3 Choose the Import the identity certificate from a file option (Figure 6-11).
Figure 6-11 Import Identity Certificate
Step 4 Enter the Decryption Passphrase for your certificate (which is the password you specified when you exported the trusted CA certificate).
Step 5 Click Browse and select the identity certificate.
This certificate/key pair must be in PKCS#12 format. If it is not, you can use the following OpenSSL command to combine separate key and certificate files into a single PKCS#12 file:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out ASACert.p12
Step 6 Specify the Identity Certificate password (which is the same as the Decryption Passphrase for your certificate).
Step 7 Click Add Certificate.
Create a Site-to-Site VPN to CAS
Note Use ASDM version 6.2(1) (asdm-621.bin) for the following procedure.
Step 1 Select Wizards > IPsec VPN Wizard (Figure 6-12).
Figure 6-12 VPN Wizard
Step 2 Specify the following tunnel attributes:
- VPN Tunnel Type: Site-to-Site
- VPN Tunnel Interface: inside
Step 3 Check the “ Enable inbound IPsec sessions …” option and click Next.
Step 4 Specify the following attributes:
- Peer IP Address: <CAS trusted IP address>
- Authentication method: Certificate
- Certificate Name: <trustpoint name you entered when importing identity certificate>
- Tunnel Group Name: <CAS IP address> (default setting)
Step 5 Click Next.
Step 6 Specify the following IKE Policy attributes:
- Encryption: AES-128
- Authentication: SHA
- Diffie-Hellman Group: 2
Step 7 Click Next.
Step 8 Specify the following IPsec Rule attributes:
- Encryption: AES-128
- Authentication: SHA
- Check the Enable Perfect Forward Secrecy option
- Diffie-Hellman Group: 2
Step 9 Click Next.
Step 10 Specify the following Hosts and Networks attributes:
- Action: Protect
- Local Networks: <inside IP address of ASA>
- Remote Networks: <CAS IP address>
Step 11 Check the Exempt ASA side host/network option and click Next.
Step 12 Verify the configuration summary and click Finish.
Step 13 Go to Configuration > Site-to-Site VPN > Advanced > IPSec Transform Sets (Figure 6-13).
Figure 6-13 Add IPSec Transform Set
Step 14 Click Add.
Step 15 Specify the following attributes:
- Set Name: NAC-AES-128-SHA
- Mode: Transport
- ESP Encryption: AES-128
- ESP Authentication: SHA
Step 16 Click OK.
Step 17 Go to Configuration > Site-to-Site VPN > Connection Profiles.
Step 18 Select the IPSec connection you created and click Edit.
Step 19 Under Encryption Algorithms, click Manage (next to IKE Proposal).
Step 20 In the Configure IKE Proposals dialog box, click Edit.
Step 21 Select the aes-128/sha/2/rsa-sig proposal and edit it so that the Lifetime attribute is set to 8 hours.
Step 22 Click OK.
Step 23 Specify the IPSec Proposal to be NAC-AES-128-SHA and click OK.
Step 24 Click Apply.
Step 25 Select Tools > Command Line Interface and enter ping <CAS IP address>. Verify the ping output to confirm that the CAS is reachable.
Create (Optional) Auth Server Mapping Rules
For the Cisco VPN SSO type, you can create mapping rules based on the RADIUS Auth Server attributes that are passed from the VPN Concentrator to map users into roles. The following RADIUS attributes can be used to configure Cisco VPN SSO mapping rules:
Mapping rules are configured in the CAM web admin console under User Management > Auth Servers > Mapping Rules. For complete configuration details, see “User Management: Configuring Auth Servers” in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(1).
Cisco NAC Appliance Agent with VPN Concentrator and SSO
The Agent supports multi-hop L3 deployment and VPN/L3 access from the Agent. The Agent:
1. Checks the client network for the Clean Access Server (L2 deployments), and if not found,
2. Attempts to discover the CAS by sending discovery packets to the CAM. This causes the discovery packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so that the CAS will intercept these packets and respond to the Agent.
In order for clients to discover the CAS when they are one or more L3 hops away, clients must initially download the Agent from the CAS. This can be done in two ways:
- From the Agent download web page (i.e. via web login)
- By client upgrade to the latest Cisco NAC Agent or auto-upgrade to Agent version 220.127.116.11 or later. For the Agent auto-upgrade process to work, clients must have an earlier version of the Agent already installed.
Either method allows the Agent to acquire the IP address of the CAM in order to send traffic to the CAM/CAS over the L3 network. Once installed in this way, the Agent can be used for both L3/VPN concentrator deployments or regular L2 deployments. See Enable L3 Support for details.
Note For VPN SSO deployments, if the Agent is not downloaded from the CAS, but is instead downloaded by other means, the Agent is not able to determine the runtime IP information of the CAM and does not automatically pop up, nor does it scan the client machine. For Cisco NAC Agent users, you can work around this issue by specifying a DiscoveryHost setting in the Agent configuration XML file.
Note - Uninstalling the Agent while still on the VPN connection does not terminate the VPN connection, although (if configured) the client machine is removed from the Certified Devices List and the user is removed from the Online Users List.
- If a 3.5.0 or earlier version of the Clean Access Agent is already installed, or if the Agent is installed through non-CAS means, you must perform web login to download the latest Agent setup files from the CAS directly and reinstall the Agent to get the L3 capability.
Cisco NAC Appliance Agent Layer 3 VPN Concentrator User Experience
1. Launch the VPN connection application configured to work with Cisco NAC Appliance.
2. Once logged in, open a browser and attempt to go to an intranet or extranet site.
Cisco NAC Appliance enables administrators to deploy the CAS in-band behind a VPN concentrator, or router, or multiple routers. Cisco NAC Appliance supports multi-hop Layer 3 in-band deployment by allowing the CAM and CAS to track user sessions by unique IP address when users are separated from the CAS by one or more routers. With Layer 2-connected users, the CAM/CAS continue to manage these user sessions based on the user MAC addresses, as before. Figure 6-14 illustrates the login and posture assessment process for a VPN user using the Agent with Single Sign-On. Note that the initial download of the Agent must be performed via the VPN connection.
Figure 6-14 Agent with SSO for VPN Users
With Single Sign-On, the Agent performs automatic login and scanning as shown in Figure 6-15.
Figure 6-15 Agent Auto-Login Screen (User View)
Note Web login always works in Layer 2 or Layer 3 mode, and Layer 3 capability cannot be disabled.
View Active VPN Clients
The Active VPN Clients page lists IP addresses known to the CAS through VPN Single Sign-On (SSO). This page is intended for troubleshooting and is available in both the CAS management pages and the CAS direct access console. The Active VPN Clients page shows a list of all users for which the CAS has received valid RADIUS accounting START packets.
Anytime the CAS receives a valid RADIUS Accounting START packet for a particular client machine, the CAS adds it to the Active VPN Clients list:
- If a client appears in this list, the client is able to perform SSO.
- If the client does not appear in this list, then most likely the START packet did not make it to the CAS or it was in an incorrect format.
The key things the packet format must include are:
- Acct-Status-Type = 1 (indicating it is a START packet)
- Calling-Station-Id (carrying the end machine's IP address)
When the user tries to browse, or runs the Agent, the CAM/CAS compares the Active VPN Client information to its mapping rules to determine what role to put the user in.
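As an added example (not the guide's or the CAS's own code), the following builds a constructed RADIUS Accounting-Request and applies the checks described both under Configure Single Sign-On (SSO) and in the packet format list above: the Request Authenticator is verified against the shared secret, Acct-Status-Type must be Start, and the client IP must arrive in Framed-IP-Address or Calling-Station-Id. Attribute numbers are the RFC 2865/2866 values; the shared secret, user names and IP addresses are made up.

```python
# Added example, not code from the Cisco guide: parse a RADIUS Accounting-Request
# (RFC 2866) and apply the checks the text describes for a client to land in the
# Active VPN Clients table: the Request Authenticator must verify against the
# shared secret, Acct-Status-Type must be Start (1), and the client IP must be in
# Framed-IP-Address (VPN concentrator) or Calling-Station-Id (wireless controller).
# The packet bytes, user names, IPs and shared secret below are constructed values.
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                       # RADIUS packet code
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40
ACCT_START, ACCT_STOP = 1, 2                 # Acct-Status-Type values


def build_accounting_request(secret, attrs, identifier=1):
    """Build an Accounting-Request from a list of (attribute type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(body):
    """Return {type: [value, ...]} for the TLV attribute list after the header."""
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, ln = body[pos], body[pos + 1]
        attrs.setdefault(t, []).append(body[pos + 2:pos + ln])
        pos += ln
    return attrs


def sso_eligibility(packet, secret):
    """Return (eligible, reason, info). This models the checks the text lists;
    it is not the CAS implementation."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False, "not an Accounting-Request", {}
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False, "Length field does not match packet size", {}
    if hashlib.md5(header + bytes(16) + body + secret).digest() != authenticator:
        return False, "Request Authenticator mismatch (shared secret differs?)", {}
    attrs = parse_attributes(body)
    status = attrs.get(ACCT_STATUS_TYPE)
    if not status or len(status[0]) != 4 or struct.unpack("!I", status[0])[0] != ACCT_START:
        return False, "Acct-Status-Type is not Start (1)", {}
    info = {"user": attrs.get(USER_NAME, [b""])[0].decode(errors="replace")}
    if FRAMED_IP_ADDRESS in attrs and len(attrs[FRAMED_IP_ADDRESS][0]) == 4:
        # VPN concentrator path: the client IP arrives as a packed 4-octet address
        info["client_ip"] = str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0]))
    elif CALLING_STATION_ID in attrs:
        # Wireless LAN controller path: the client IP arrives as text
        try:
            info["client_ip"] = str(ipaddress.IPv4Address(attrs[CALLING_STATION_ID][0].decode()))
        except (UnicodeDecodeError, ValueError):
            return False, "Calling-Station-Id does not hold an IP address", info
    else:
        return False, "neither Framed-IP-Address nor Calling-Station-Id present", info
    return True, "ok", info
```

A mismatched shared secret, a STOP packet, or a Calling-Station-Id carrying a MAC instead of an IP each yields a reason string that maps to one of the troubleshooting cases above.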
To view active VPN clients:
1. Go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Authentication > VPN Auth > Active Clients.
Figure 6-16 Active Clients (VPN Concentrator)
2. Click the Show All button to List All VPN Clients or perform a Search. The Active Clients page remains blank until you perform one of these two actions:
a. Click Show All to display all current IP/user information from the system Single Sign-On (SSO) table.
b. Alternatively, type an IP address in the Search IP Address text field, select an operator from the dropdown menu (equals, starts with, ends with, contains), and click the Search button to display results.
3. The table at the bottom of the page is populated with the following information. Entries are sorted by Client IP address.
- Total Active VPN Clients: Displays the current number of active VPN clients in the SSO table.
- Client IP: The client IP address received from the RADIUS accounting packet.
- Client Name: The client name received from the RADIUS accounting packet.
- VPN Server IP: The IP address of the Cisco VPN SSO auth server being used for Single Sign-On.
- Login Time: The date/time that the active VPN client session was established.
Note Clicking Show All or performing a new search refreshes the page with the latest SSO table information.
4. To remove entries from the Active Client page, either:
a. Click the Clear button to Clear All Active VPN Client entries from the SSO table. For example, if VPN users lose their sessions due to a VPN server crash, the RADIUS accounting stop message will not be sent to the CAS, and those users will remain in the system SSO table until manually removed. Removing all entries from the Active VPN Clients page allows the system to restart from a fresh SSO table.
b. Click the checkbox for an individual entry and click the Delete button at the top of the column to remove that entry from the SSO table.
Note Clicking the Clear or Delete button only removes the user(s) from the system’s current SSO client table; it does not remove the user(s) from the Online Users list.
Tip You can also view active VPN clients from the direct console of the CAS (https://<CAS_eth0_IP_address>/admin), from the Monitoring > Active VPN Clients page (Figure 6-17).
Figure 6-17 CAS Direct Access Console—Monitoring Active VPN Clients