Network Admission Control

Network Admission Control (NAC) reduces the infection of data networks from computer viruses by assessing the health of client workstations, helping to ensure that they receive the latest available virus signature updates, and controlling their access to the network.

NAC works with anti-virus software to assess the condition of a client, called the client's posture, before allowing it access to the network.Before granting it access to a data network, NAC ensures that a network client has an up-to-date virus signature set and that it has not been infected. If the client requires a signature update, NAC directs it to complete the update. If the client has been compromised or if a virus outbreak is occurring on the network, NAC places the client into a quarantined network segment until disinfection is completed.

Create NAC Tab

You must use the Create NAC tab and NAC wizard to create a NAC policy and associate it with an interface. After you create the NAC policy, you can edit it by clicking Edit NAC and choosing it in the policy list.

The NAC configuration on the router is only one part of a complete NAC implementation. Click Other Tasks in a NAC Implementation to learn the tasks that must be performed on other devices in order to implement NAC.

Enable AAA Button

Authentication, Authorization, and Accounting ( AAA) must be enabled on the router before you can configure NAC. If AAA is not enabled, click the Enable AAA button. If AAA has already been configured on the router, this button is not displayed.

Launch NAC Wizard Button

Click this button to launch the NAC wizard. The wizard breaks down NAC configuration into a series of screens in which you complete a single configuration task

How Do I List

If you want to create a configuration that this wizard does not guide you through, click the button next to this list. It lists other types of configurations that you might want to perform. If you want to learn how to create one of the configurations listed, choose the configuration and click Go.

Other Tasks in a NAC Implementation

Step 1

Install and configure the Cisco Trust Agent (CTA) software on network hosts. This provides hosts with a posture agent capable of responding to EAPoUDP queries by the router. See the links after these steps to obtain the CTA software and learn how to install and configure it.

Step 2

Install and configure an AAA authentication EAPoUDP server. This server must be a Cisco Secure Access Control Server (ACS) using the Remote Authentication Dial-In User Service ( RADIUS) protocol. Cisco Secure Access Control Server software version 3.3 is required. See the links after these steps to learn more about installing and configuring ACS.

If you are a registered Cisco.com user, you can download Cisco Trust Agent (CTA) software from the following link:

The document at the following link explains how to install and configure CTA software on a host.

The document at the following link contains an overview of the configuration process.

Documents at the following link explain how to install and configure Cisco Secure ACS for Windows Servers version 3.3.

Welcome

•

Select the interface on which NAC is to be enabled—Hosts attempting access to the network through this interface must undergo the NAC validation process.

•

Configure NAC Policy Servers—Admission control polices are configured on these servers, and the router contacts them when a network host attempts access to the network. You can specify information for multiple servers. NAC policy servers use the RADIUS protocol.

•

Configure a NAC exception list—Hosts such as printers, IP phones, and hosts without NAC posture agents installed may need to bypass the NAC process. Hosts with static IP addresses and other devices can be identified in an exception list, and be handled using an associated exceptionpolicy. Hosts can also be identified by their MAC address, or by their device type.

•

Configure an agentless host policy—If you want to use a policy residing on an ACS server to handle hosts without an installed posture agent, you can do so. When the ACS server receives such a packet, it responds by sending the agentless host policy. Configuring an agentless host policy is useful when there are agentless hosts that are dynamically addressed, such as DHCP clients.

•

Configuring NAC for remote access—Hosts using SDM to manage the router must be allowed access. The wizard lets you specify IP addresses for remote management so that SDM can modify the NAC ACL to allow the hosts with those addresses access to the router.

Configuring NAC on the router is the last step in a NAC configuration. Before you configure the router with this feature, Complete the steps described in the following link: Other Tasks in a NAC Implementation.

NAC Policy Servers

NAC admission control policies are configured and stored in a policy database residing on RADIUS servers running ACS version 3.3. The router must validate the credentials of network hosts by communicating with the RADIUS server. Provide the information the router needs to contact the RADIUS servers to use in this window. Each RADIUS server that you specify must have Cisco Access Control Server (ACS) software version 3.3 installed and configured.

Choose the RADIUS client source

Configuring the RADIUS source allows you to specify the source IP address to be sent in RADIUS packets bound for the RADIUS server. If you need more information about an interface, select the interface and click the Details button.

The source IP address in the RADIUS packets sent from the router must be configured as the NAD IP address in the Cisco ACS version 3.3 or later.

If you choose Router chooses source, the source IP address in the RADIUS packets will be the address of interface through which the RADIUS packets exit the router.

If you choose an interface, the source IP address in the RADIUS packets will be the address of the interface that you chose as the RADIUS client source.

Note Cisco IOS allows a single RADIUS source interface to be configured on the router. If the router already has a configured RADIUS source, and you choose a different source, the source IP address placed in the packets sent to the RADIUS server changes to the IP address of the new source, and may not match the NAD IP address configured on the Cisco ACS.

Details Button

If you need a quick snapshot of the information about an interface before selecting it, click Details. The screen displayed shows you the IP address and subnet mask, the access rules and inspection rules applied to the interface, the IPSec policy and QoS policy applied, and whether there is an Easy VPN configuration on the interface.

Server IP, Timeout, and Parameters columns

The Server IP, Timeout, and Parameters columns contain the information that the router uses to contact a RADIUS server. If no RADIUS server information is associated with the selected interface, these columns are blank.

Use for NAC Checkbox

Check this box if you want to use the listed RADIUS server for NAC. The server must have the required admissions control policies configured if NAC is to be able to use the server.

Add, Edit, and Ping Buttons

To provide information for a RADIUS server, click the Add button and enter the information in the screen displayed. Select a row and click Edit to modify the information for a RADIUS server. Select a row and click Ping to test the connection between the router and a RADIUS server.

Note When performing a ping test, enter the IP address of the RADIUS source interface in the source field in the ping dialog. If you chose Router chooses source, you need not provide any value in the ping dialog source field.

The Edit and the Ping buttons are disabled when no RADIUS server information is available for the selected interface.

Interface Selection

Choose the interface on which to enable NAC in this window. Choose the interface through which network hosts connect to the network.

Click the Details button to display the policies and rules associated with the interface you choose. The window displays the names of the ACLs applied to inbound and to outbound traffic on this interface.

If an inbound ACL is already present on the interface, SDM uses that ACL for NAC by adding appropriate permit statements for EAPoUDP traffic. If the IP address of the interface on which NAC is being applied were 192.55.22.33, a sample permit statement might be the following:

The permit statement that SDM adds uses the port number 21862 for the EAPoUDP protocol. If the network hosts run EAPoUDP on a custom port number, you must modify this ACL entry to use th e port number that the hosts use.

If no inbound ACL is configured on the interface you specify, you can have SDM apply an ACL to the interface. You can choose a recommended policy, or a policy that simply monitors reported NAC postures.

•

Strict Validation (Recommended)—SDM applies an ACL that denies all traffic (deny ip any any). Admission to the network is determined by the NAC validation process. By default, all traffic is denied except the traffic found to be valid based on the policy configured on the NAC policy server.

•

Monitor NAC Postures—SDM applies an ACL that permits all traffic (permit ip any any). After the NAC validation process, the router may receive policies from the NAC server that deny access to certain hosts. You can use the Monitor NAC Postures setting to determine the impact of NAC configuration on the network. After you have done so, you can modify the policies on the NAC policy server, and then reconfigure NAC on the router to use Strict Validation, by changing the ACL applied to the interface to deny ip any any using the SDM Firewall Policy feature.

NAC Exception List

You can identify hosts that must be allowed to bypass the NAC validation process in this screen. Typically, hosts such as printers, IP phones, and hosts without NAC posture agent software installed are added to the exception list.

If there are hosts without static addresses on your network it is recommended that they be entered in the agentless host policy, and not in the NAC exception list. The NAC exception policy may not work properly if host IP addresses change.

If you are using the NAC wizard and you do not need to configure a NAC exception list, you can click Next without entering information in this window. As an alternative or as a complement to the NAC exception list, the wizard allows you to configure an agentless host policy in another window.

IP Address/MAC Address/Device Type, Address/Device, and Policy Columns

These columns contain information about a host in the exception list. A host can be identified by its IP address, MAC address, or by the type of device it is. If it is identified by an address, the IP address or MAC address is shown in the row along with the name of the policy that governs the host's access to the network.

Add, Edit, and Delete Buttons

Build the exception list by clicking Add and entering information about a host. You can use the Add button as many times as you need to.

Select a row and click Edit to change information about a host. Click Delete to remove information about a host from this window. The Edit and Delete buttons are disabled when there is no information in this list.

Add or Edit an Exception List Entry

Type List

Hosts are selected by the way they are identified. This list contains the following selections:

•

MAC Address—Choose if you want to identify the host by its MAC address.

•

Cisco IP Phone—Choose if you want to include the Cisco IP phones on the network in the exception list.

Specify Address Field

If you choose IP Address or MAC Address as the host type, enter the address in this field. If you choose a device type, this field is disabled.

Policy Field

If you know the name of the exception policy, enter it in this field. Click the button with three dots to the right of the Policy field to choose an existing policy or to display a dialog box in which you can create a new policy.

Choose an Exception Policy

Select the policy that you want to apply to the host. When you select a policy, the redirect URL specified for the policy appears in a read-only field, and the access rule entries for the policy are displayed.

If no policies are available in the list, click Cancel to return to the wizard screen, and then choose the option that allows you to add a policy.

Select the policy that you want to apply to the excepted host from the list. If there are no policies in the list, click Cancel to return to the wizard and then choose Create a new policy and select in the Add to the Exception List window.

Redirect URL: URL Field

This read-only field displays the redirect URL associated with the policy that you select. Hosts to which this policy is applied are redirected to this URL when attempting to access the network.

Preview of Access Rule

The Action, Source, Destination, and Service columns show the ACL entries in the access rule associated with the policy. These columns are empty if no ACL is configured for this policy.

Add Exception Policy

To create a new exception policy, enter a name for the policy, and either specify an access rule that defines the IP addresses that hosts in the exception list can access, or enter a redirect URL. The redirect URL should contain remediation information that enables users to update their virus definition files. You must provide either an access rule name, or a redirect URL. You can specify both.

Name Field

Enter the name for the policy in this field. Question mark (?) characters and space characters cannot be used in policy names, and the name is limited to 256 characters.

Access Rule Field

Enter the name of the access rule that you want to use, or click the button to the right of this field and browse for the access rule, or create a new access rule. The access rule must contain permit entries that specify the IP addresses that hosts on the exception list can connect to. The access rule must be a named ACL; numbered ACLs are not supported.

Redirect URL Field

Enter an URL that contains the remediation information for your network. This information might contain instructions for downloading virus definition files.

Agentless Host Policy

If a policy for agentless hosts exists on the ACS server, the router can use that policy to handle hosts without installed posture agents. This method of handling agentless hosts can be used as an alternative or as a complement to a NAC exception list. If you are using the NAC wizard and you do not need to configure an agentless host policy, you can click Next without entering information in this window.

Authenticate Agentless Hosts Checkbox

Check this box to indicate that you want to use the agentless hosts policy on the ACS server.

Username and Password Fields

Some Cisco IOS images require a username and password be supplied along with the request to the ACS server. If this is required, enter the username and password configured on the ACS server for this purpose. If the Cisco IOS image does not require this information, these fields do not appear.

Configuring NAC for Remote Access

Configuring NAC for remote access allows you to modify the ACLs that NAC configuration creates so that they will permit SDM traffic. Specify the hosts that must be able to use SDM to access the router.

Enable SDM Remote Management

Host/Network Address Fields

If you want SDM to modify the ACL to allow SDM traffic from a single host, choose Host Address and enter the IP address of a host. Choose Network Address and enter the address of a network and a subnet mask to allow SDM traffic from hosts on that network. The host or network must be accessible from the interfaces that you specified. Choose Any to allow SDM traffic from any host connected to the specified interfaces.

Modify Interface ACL

SDM checks the ACLs applied to the NAC interfaces to determine if they block any traffic used during the NAC validation process and reports what it finds in this screen.

Each NAC interface is listed, along with the service currently being blocked on that interface, and the ACL that is blocking it. If you want SDM to modify the ACL to allow the traffic listed, check the Modify box in the appropriate row. If you want to see the entry that SDM will add to the ACL, click the Details button.

In the following table, FastEthernet0/0 has been configured for NAC. This interface is configured with the services shown in the Service column.


Interface	Service	ACL	Action
FastEthernet0/0	RADIUS Server	101 (INBOUND)	[ ] Modify
FastEthernet0/0	DNS	100 (INBOUND)	[ ] Modify
FastEthernet0/0	DHCP	100 (INBOUND)	[ ] Modify
FastEthernet0/0	NTP	101 (INBOUND)	[ ] Modify
FastEthernet0/0	VPN	190 (INBOUND)	[ ] Modify

Details Window

This window displays the entries that SDM will add to ACLs to allow services needed for the NAC validation process. The window might contain an entry like the following:

Summary of the configuration

This window summarizes the information you entered, and allows you to review it in a single window. You can use the back button to return to any wizard screen to change information. Click Finish to deliver the configuration to the router.

In this example, RADIUS packets will have the IP address of FastEthernet 0/1.40. NAC is enabled on FastEthernet 0/1.42, and the NAC policy that the wizard applied is SDM_EOU_3. One host has been named in the exception list, and its access to the network is controlled by the exception policy P55.

Edit NAC Tab

The Edit NAC tab lists the NAC policies configured on the router and enables you to configure other NAC settings. A NAC policy must be configured for each interface on which posture validation is to be performed.

NAC Timeouts Button

The router and the client use Extensible Authentication Protocol over Unformatted Data Protocol ( EAPoUDP) to exchange posture information. Default values for EAPoUDP timeout settings are preconfigured, but you can change the settings if you want to do so. This button is disabled if there is no NAC policy configured on the router.

Agentless Host Policy Button

If a policy for agentless hosts exists on the ACS server, the router can use that policy to handle hosts without installed posture agents. This method of handling agentless hosts can be used when such hosts do not have static IP addresses. This button is disabled if there is no NAC policy configured on the router.

Add, Edit, and Delete Buttons

These buttons allow you to manage the NAC policy list. Click Add to create a new NAC policy. Use the Edit and Delete buttons to modify and remove NAC policies. The Edit and Delete buttons are disabled when no NAC policies have been configured on the router.

Only the Add button is enabled when there is no NAC policy configured on the router. The Add button is disabled when all router interfaces are configured with a NAC policy.

NAC Policies List

The name, the interface that the NAC policy is applied to, and the access rule that defines the policy is included in the list. If you enabled NAC on an interface using the Create NAC wizard, the default NAC policy SDM_EOU_1 appears in this list.

NAC Components

This window provides a brief description of the EAPoUDP components that SDM allows you to configure.

Exception List Window

This placeholder topic will be removed when the help system for NAC is built. This help topic has already been written for wizard mode. To view it, click on the following link:

Exception Policies Window

NAC exception policies control the network access of hosts in the exception list. A NAC exception policy consists of a name, an access rule, and/or a redirect URL. The access rule specifies the destinations that hosts governed by the policy have access to. If a redirect URL is specified in the policy, the policy can point web clients to sites that contain information on how to obtain the latest available virus protection.

Access rules associated with NAC policies must be extended ACLs, and must be named. An example of an access rule that might be used in a NAC policy is shown in the following table:

Name	Access Rule	Redirect URL
NACLess	nac-rule	http://172.30.10/update


Action	Source	Destination	Service	Log	Attributes
permit	any	172.30.2.10	ip

This rule permits any host governed by the policy to send IP traffic to the IP address 172.30.2.10.

Add, Edit, and Delete Buttons

Click the Add button to create a new exception policy. Use the Edit button to modify existing exception policies, and the Delete button to remove exception policies. The Edit and Delete buttons are disabled when there are no exception policies in the list.

NAC Timeouts

Configure the timeout values the router is to use for EAPoUDP communication with network hosts. The default, minimum, and maximum values for all settings are shown in the following table.


Value	Default	Minimum	Maximum
Hold Period Timeout	180 seconds	60 seconds	86400 seconds
Retransmission Timeout	3 seconds	1 second	60 seconds
Revalidation Timeout	36000 seconds	300 seconds	86400 seconds
Status Query Timeout	300 seconds	30 seconds	1800 seconds

Interface Selection

Hold Period Timeout Field

Enter the number of seconds that the router is to ignore packets from clients that have just failed authentication.

Retransmit Timeout Field

Enter the number of seconds the router is to wait before retransmitting EAPoUDP messages to clients.

Revalidation Timeout Field

The router periodically queries the posture agent on the client to determine the client's adherence to security policy. Enter the number of seconds that the router should wait between queries.

Status Query Timeout Field

Enter the number of seconds the router should wait between queries to the posture agent on the host.

Reset to Defaults Button

Configure these timeout values globally checkbox

Configure a NAC Policy

A NAC policy enables the posture validation process on a router interface, and can be used to control the admission control process by specifying the types of traffic that are to be exempt from posture validation.

Name Field

Select an Interface List

Select the interface to which you want to apply the NAC policy. Select an interface that connects network clients to the router.

Admission Rule Field

You can use an access rule to exempt specific traffic from triggering the admission control process. It is not required. Enter the name or the number of the access rule that you want to use for the admission rule. You can also click the button to the right of this field and browse for the access rule, or create a new access rule.

The access rule must contain deny statements that specify the traffic that is to be exempted from the admission control process. No posture validation triggering occurs if the access rule contains only deny statements.

The first deny statement exempts traffic with a destination of port 53 (domain), and the second statement exempts traffic with a destination of port 80(www). The permit statement ending the ACL ensures that posture validation occurs.

How Do I...

The following topics contain procedures for performing tasks that the Create NAC wizard does help you to do.

How Do I Configure a NAC Policy Server?

The router must have a connection to a Cisco Secure Access Control Server (ACS) version 3.3, configured to use the RADIUS protocol, in order to implement NAC. The document at the following link contains an overview of the configuration process.

Documents at the following link explain how to install and configure Cisco Secure ACS for Windows Servers version 3.3.

How Do Install and Configure a Posture Agent on a Host?

If you are a registered Cisco.com user, you can download Cisco Trust Agent (CTA) software from the following link:

The document at the following link explains how to install and configure CTA software on a host.

The specific installation procedures required to install third-party posture agent software and the optional remediation server vary depending on the software in use. Consult the vendor documentation for complete details.

Table Of Contents