Table Of Contents
Network Admission Control Documentation Reference Guide
Network Access Device Documentation
Cisco IOS and CatOS Reference Tools
Cisco Aironet Wireless Access Point Documentation
Cisco Wireless LAN Controllers
Cisco VPN Concentrator Documentation
Cisco Secure Access Control Server Documentation
Cisco Trust Agent Documentation
Additional NAC-Compliant Components
Cisco Security Agent Documentation
Cisco Secure Monitoring Analysis and Response Systems
Network Admission Control Documentation Reference Guide
Revision 2: April 19, 2006Network Admission Control, Release 2.0 (NAC 2.0) is a network security solution composed of several different Cisco components. It uses the network infrastructure to enforce security policy compliance on devices that try to access network computing resources, thereby limiting damage from security threats.
Customers implementing NAC can allow network access to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices.
A basic NAC environment consists of three components: a Network Access Device (NAD), an authentication, authorization, and accounting (AAA) server, and a posture agent running on a NAC-compliant host. NADs are often Cisco routers or Cisco switches, the AAA server is the Cisco Secure Access Control Server (ACS), and the posture agent is the Cisco Trust Agent (CTA). An expanded NAC environment has additional NAC-enabled applications running on the host.
This document provides the titles and locations of NAC documentation available at Cisco Systems's web site.
Contents
•
Network Access Device Documentation
–
–
–
•
•
•
–
–
NAC Framework Documentation
These documents discuss the Network Admission Control solution as a whole:
•
•
•
•
•
NAC Framework Web Resources
These web sites provide information about the Network Admission Control solution as a whole:
•
•
•
•
Network Access Device Documentation
A Network Access Device (NAD) controls which hosts have access to network destinations reachable through that device. Control is defined by a network access policy provided to the NAD by the ACS for a specific host.
Cisco Switch Documentation
Hosts provide posture and identity information to switches by using either IEEE 802.1X protocol or the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP). Switches pass that information to the ACS. Based on posture and identity information, the ACS issues a security policy for the host and returns that policy to the switch. The security policy for the host is enforced by the switch at Layer 2 of the Open System Interconnection (OSI) model.
When NAC is enforced at Layer 2 by using the IEEE 802.1X protocol, NAC is said to use the NAC L2 802.1X method. When NAC is enforced at Layer 2 by using the EAPoUDP protocol, NAC is said to use the NAC L2 IP method.
Table 1 lists the NAC-compliant switches and the NAC methods that they support.
Cisco Router Documentation
Hosts provide posture information to routers by using Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP), and routers pass that information to the ACS. Based on the posture information, ACS issues a security policy for the host and returns that policy to the router. The security policy for the host is enforced by the router at Layer 3 of the Open System Interconnection (OSI) model. When NAC is enforced at Layer 3 by using the EAPoUDP method, this is referred to as the NAC L3 IP method.
Table 2 lists the NAC-compliant routers and the NAC methods they support.
Table 2 Router Documentation
Cisco 830 and 870 Series
Models: 831, 836, 837
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 800 Series Router documentation
Cisco IOS Software Releases 12.3 T
Cisco 1700 Series
Models: 1701, 1711, 1712, 1721, 1751, 1751-V, 1760
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 1700 Series Modular Access Router documentation
Cisco IOS Software Releases 12.3 T
Cisco 1841 Series
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 1800 Series Integrated Services Router documentation
Cisco IOS Software Releases 12.3 T
Cisco 2600 Series
Models: 2600XM, 2691
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 2600 Series Multiservice Platform documentation
Cisco IOS Software Releases 12.3 T
Cisco 2800 Series
Models: 2801, 2811, 2821, 2851
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 2800 Series Integrated Services Router documentation
Cisco IOS Software Releases 12.3 T
Cisco 3600 Series
Models: 3640/3640A, 3660-ENT Series
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 3600 Series Multiservice Platform documentation
Cisco IOS Software Releases 12.3 T
Cisco 3700 Series
Models: 3725, 3745
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 3700 Series Multiservice Access Routers
Cisco IOS Software Releases 12.3 T
Cisco 3800 Series
3845, 3825
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 3800 Series Integrated Services Routers
Cisco IOS Software Releases 12.3 T
Cisco 7200 Series
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 7200 Series Routers Documentation Roadmap
Cisco IOS Software Releases 12.3 T
Cisco 7500 Series
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 7500 Series Routers Documentation Roadmap
Cisco IOS Software Releases 12.3 T
Cisco 7600 Series
NAC L3 IP
Cisco IOS 12.3(8)T or later
Cisco 7600 Series Routers Documentation Roadmap
Cisco IOS Software Releases 12.3 T
Cisco IOS and CatOS Reference Tools
Cisco Feature Navigator
Cisco Feature Navigator is a web-based application that allows you to find the right Cisco IOS and Catalyst OS (CatOS) software release for the features you want to implement on your Network Access Device (NAD). Online help is available for this tool along with an FAQ to answer questions about its operation.
You must be a registered user of Cisco.com to use Cisco Feature Navigator.
Command Lookup Tool
The Command Lookup Tool contains a detailed description of the Cisco IOS and Catalyst OS command syntax, default values, history, usage guidelines, and examples. Use this tool to learn about the commands used to manage the operating system of your Cisco router or switch.
You must be a registered user of Cisco.com to use Cisco command Lookup Tool.
Cisco Aironet Wireless Access Point Documentation
If you need to support wireless endpoints in your NAC environment, you can use this Cisco Wireless Access Point. You also need to use a third-party IEEE 802.1X supplicant that supports wireless endpoints.
The Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 12.3(7)JA describes the Aironet Wireless Access Point in the NAC environment.
Table 3 Aironet Wireless Access Point Documentation
Cisco Wireless LAN Controllers
Cisco Wireless LAN Controllers are responsible for system wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. They work in conjunction with Cisco 1000 Series Lightweight Access Points and the Cisco Wireless Control System (WCS) to support wireless applications.
Cisco Wireless LAN Controllers communicate with Cisco 1000 Series Lightweight Access Points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP). These devices support automation of numerous WLAN configuration and management functions across all enterprise locations.
Table 4 Wireless LAN Controller Documentation
Cisco 2000
NAC L2 802.1X
Release 3.1 or later
Cisco 4100
NAC L2 802.1X
Release 3.1 or later
Cisco 4400
NAC L2 802.1X
Release 3.1 or later
Wireless Services Module (WiSM)
NAC L2 802.1X
Release 3.1 or later
Wireless LAN Services Module (WLSM)
NAC L2 802.1X
Release 3.1 or later
Cisco Catalyst 6500 Series Wireless LAN Services Module (WLSM)
Wireless LAN Controller Module for Integrated Services Routers
NAC L2 802.1X
Release 3.1 or later
Cisco VPN Concentrator Documentation
The Virtual Private Network (VPN) Concentrator functions as both a NAC authenticator and an ACS client. The VPN Concentrator is considered a Layer 3 device and uses the NAC L3 IP method for posture validation.
As a NAC authenticator, the VPN Concentrator performs these tasks:
•
•
•
•
•
•
As an ACS client, the VPN Concentrator supports:
•
•
NAC on the VPN 3000 Concentrator differs from that on Cisco IOS Layer 3 devices such as routers. Whereas routers trigger posture validation (PV) based on routed traffic, the VPN 3000 Concentrator configured with NAC uses the establishment of an IPSec VPN session as the trigger for PV. Cisco IOS routers configured with NAC use an Intercept access control list (ACL) in order to trigger PV based on traffic destined for certain networks. Because external devices cannot access the network behind the VPN 3000 Concentrator without starting a VPN session, the VPN 3000 Concentrator does not need an intercept ACL as a PV trigger. During posture validation, all IPSec traffic from the device is subject to the Default ACL configured for the device's group.
Table 5 VPN Concentrator Documentation
Cisco VPN 3000 Series
Models: 3005 to 3080
V4.7 or later
VPN 3000 Network Access Device 4.7.0 NAC Administration and Configuration
VPN 3000 Network Access Device 4.7.1 NAC Administration and Configuration
Release Notes for Cisco VPN 3000 Series Concentrator, Release 4.7; Cisco SSL VPN Client, Release 1.0
Release Notes for Cisco VPN 3000 Series Concentrator, Release 4.7.1
Release Notes for Cisco VPN 3000 Series Concentrator, Release 4.7.2
Cisco Secure Access Control Server Documentation
Cisco Secure Access Control Server (ACS) is NAC's central authentication, authorization, and accounting (AAA) server.
When a host attempts to access the network, ACS requests the host's posture credentials. CTA solicits posture credentials from posture plugins and returns them to the ACS. Based on the credentials received, ACS determines the postures of the individual application and the overall posture token for the host.
Based on the overall posture token of the host, the ACS defines a network access policy for the host and forwards that policy to the NAD where the policy is enforced.
ACS for Windows (V.4.0)
The ACS for Windows is a software implementation of ACS. These are the documents you will need to install and configure ACS for Windows in a NAC environment:
•
•
•
•
•
•
ACS Solution Engine (V.4.0)
The ACS Server Solution Engine (ACS SE) is a hardware implementation of ACS. This is the list of documentation for the Cisco Secure ACS Solution Engine:
•
•
•
•
•
•
•
Registered users of Cisco.com may also access this document:
•
Cisco Trust Agent Documentation
Cisco Trust Agent (CTA) is NAC's posture agent. CTA software is installed on each host on the network. When a host attempts to access the network, ACS requests the host's posture credentials. CTA solicits posture credentials from posture plugins and returns them to the ACS. Each posture plugin gathers posture information from one application.
On Windows-based network clients, CTA can be installed with a "supplicant" called the Cisco Trust Agent 802.1X Wired Client (802.1X Wired Client). The 802.1X Wired Client is an authentication supplicant for creating secure user connections to an Ethernet switch. The 802.1X Wired Client provides a GUI for monitoring authentication status and managing authorized network access.
Install CTA with the 802.1X Wired Client if your network meets all of these conditions:
•
•
•
Install CTA without the 802.1X Wired Client if your network meets either of these conditions:
•
•
These are the Cisco Trust Agent (CTA) documents relative to NAC Release 2.0:
•
•
•
Additional NAC-Compliant Components
It is possible that there might be applications installed at the endpoint that interact with NAC components. These applications might require additional NAC infrastructure, or they might need special configuration in order to allow NAC to function properly.
Cisco Security Agent Documentation
Cisco Security Agent (CSA) provides intrinsic, distributed security by deploying agents that defend against attacks across networks and systems. The Cisco Security Agents enforce a set of policies selectively applied to system nodes by the network administrator.
A Cisco Security Agent has its own posture plugin and can send posture credentials to CTA when they are requested.
CSA versions 4.5.1.639 and 5.0.0.176 or later support NAC 2.0.
•
•
•
•
•
•
•
Cisco Secure Monitoring Analysis and Response Systems
Cisco Secure Monitoring Analysis and Response Systems (CS-MARS) are high performance, scalable appliances for threat management, monitoring and mitigation, enabling customers to make more effective use of network and security devices by combining network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification, and automated mitigation capabilities.
These documents describe how to configure a NAC device or application to communicate with the CS-MARS.
•
•
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)
Network Admission Control Documentation Reference Guide
© 2006 Cisco Systems, Inc. All rights reserved.
Guest