7/27/2019 nac-inband-remote-vpn.pdf 1/34

NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example

    Document ID: 71573

    Contents

    Introduction

    Prerequisites

    Requirements

    Components Used

    Network Diagram

    Conventions

    NAC Appliance (Cisco Clean Access) Configuration

    Cisco ASA Configuration

ASA CLI Configuration

Verify

    Troubleshoot

    Related Information

    Introduction

This document provides a step-by-step guide on how to configure the Cisco Network Admission Control (NAC) Appliance (formerly Cisco Clean Access) for remote access VPN in In-Band Virtual Gateway mode.

The Cisco NAC Appliance is an easily deployed NAC product that uses the network infrastructure to enforce security policy compliance on all devices that seek to access network computing resources. With the NAC Appliance, network administrators can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. It identifies whether networked devices such as laptops, IP phones, or game consoles are compliant with the security policies of your network and repairs any vulnerabilities before access to the network is permitted.

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on these software and hardware versions:

    Cisco Clean Access version 4.0.3

    Cisco Adaptive Security Appliance (ASA) version 7.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


    Network Diagram

    This document uses this network setup:

    Conventions

    Refer to the Cisco Technical Tips Conventions for more information on document conventions.

    NAC Appliance (Cisco Clean Access) Configuration

    Complete these steps in order to configure the NAC Appliance (Cisco Clean Access).

1. Login to the Clean Access Manager (CAM) using the administrative account.

2. Choose Device Management > CCA Servers and go to the New Server tab in order to add the Cisco Clean Access Server (CAS) to the Cisco CAM.

   In this example, the IP address of the CAS is 10.10.20.162. Enter the server location for reference purposes. In this example, the CAS is located behind the Cisco ASA that is configured for remote access VPN. The Server Location information is VPN Remote Access CAS. Select Virtual Gateway for the Server Type.

   The CAS configured as a virtual gateway acts like a bridge for the managed network. The virtual gateway configuration is good when managed clients share a subnet with trusted clients and you do not want to modify the existing gateway or architecture. There is no need to define static routes on any of the routing devices.

3. The CAS appears under the List of Servers. Make sure that the Status reads Connected. Click on Manage in order to access the CAS configuration.

   Troubleshooting Tip: If the CAM fails to import the CAS, make sure that connectivity is not an issue. You can attempt to ping the CAS from the CAM CLI when you log in as root. You can also attempt an SSH connection from the CAM to the CAS. Make sure that you have done the initial configuration in the CAS. You can use the service perfigo config command in order to initialize the CAS via its CLI.

4. Go to the Network tab.

   The CAS is typically configured such that the untrusted interface is connected to a trunk port with multiple VLANs trunked to the port. In such a situation, the management VLAN ID is the VLAN ID of the VLAN to which the IP address of the CAS belongs.

5. Check Enable Layer 3 support in order to allow users to be more than one hop away from the CAS. Since this case is a VPN configuration, you need to enable this option.

6. Under the CCA Server Advanced tab click VLAN Mapping and enter the VLAN information in order to map VLAN 10 (untrusted) with VLAN 20 (trusted).

7. Create a filter for the Cisco ASA to be able to communicate with the protected network behind the CAS. Choose Device Management > Filters > Devices > New and add the MAC address and the IP address of the Cisco ASA (00:15:C6:FA:39:F7/10.10.20.100 in this example).

8. The CAM on each CAS automatically adds devices to the Certified Devices list after the user authenticates and the device passes network scanning with no vulnerabilities found and/or meets Clean Access Agent requirements. Certified devices are considered clean until removed from the list. You can remove devices at a specified time or interval from the Certified Devices list in order to force them to repeat network scanning/agent checking.

   Note that devices for Clean Access Agent users are always scanned for requirements at each login. A floating device requires Clean Access certification at every login and is certified only for the duration of a user session. Floating devices are always added manually.

   In this case the CAS performs security posture checks for VPN Clients terminated on the Cisco ASA. The Cisco ASA needs to communicate with devices such as the Cisco Secure ACS server on the trusted side. It is recommended to add the ASA as a floating device. Click on Clean Access under Device Management and choose Certified Devices > Add Floating Device. Enter the MAC address of the ASA (00:15:C6:FA:39:F7 in this example). Set the type to 1 so that the ASA is never exempted from the certification list, and enter a description.

9. In this example, you create two different roles (sales and engineering). Choose User Management > User Roles and click New Role in order to create a new role. Enter the Role Name and a Description. In this example, the Role Name is sales with its respective description. Click Create Role.

10. Repeat step 9 and create the engineering role. This window displays when you are done.

11. Choose User Management > User Roles and go to the Traffic Control tab in order to configure the policies used by each user role. Under the desired role click on Add Policy.

    This window shows that the policy for the sales users is configured. The sales users should only have access to the 10.1.1.0/24 subnet. All TCP traffic to the SALES subnet is allowed in this example.

    This window shows all the policies configured for each user role. Step 11 was repeated to allow UDP and TCP traffic for the sales and engineering users to their respective subnets. ICMP is also allowed for both groups. The Quarantined users only have access to a remediation server with the IP 172.18.85.123 over TCP.

12. Choose Device Management > Clean Access, go to the General Setup tab, and click Agent Login. For each role, check Require use of Clean Access Agent. Requiring the use of the Clean Access Agent is configured per user role and operating system. When the Agent is required for a role, users in that role are forwarded to the Clean Access Agent download page after authenticating for the first time using web login. The user is then prompted to download and run the Agent installation file. At the end of the installation, the user is prompted to log into the network using the Agent.

13. The NAC Appliance (Cisco Clean Access) provides integration with Cisco VPN Concentrators and the Cisco ASA (in this example). Cisco Clean Access can enable Single Sign-On (SSO) capability for VPN users. This functionality is achieved with the use of RADIUS accounting. The CAS can acquire the IP address of the client from either the Framed_IP_address or the Calling_Station_ID RADIUS attribute for SSO purposes. VPN users do not need to login to the web browser or the Clean Access Agent because the RADIUS accounting information sent to the CAS/CAM by the VPN Concentrator provides the user ID and IP address of users who log into the VPN Concentrator (RADIUS Accounting Start Message). In order to do this, you need to add the Cisco VPN device (Cisco ASA in this example) as an authentication server.

    a. Choose User Management > Auth Servers > New Server.

    b. Choose Cisco VPN Server from the drop-down menu.

    c. Choose the user role assigned to users authenticated by the Cisco VPN Concentrator. Unauthenticated Role is selected in this example. This default role is used if not overridden by a role assignment based on MAC address or IP address, or if RADIUS mapping rules do not result in a successful match.

    d. Enter an optional description of the Cisco ASA for reference and click Add Server.

14. Choose User Management > Auth Servers > New Server and select RADIUS from the drop-down menu in order to add the Cisco Secure ACS server (RADIUS server).

    This list provides a description of the settings on this window:

    Provider Name: (optional) Type a unique name for this authentication provider. Enter a meaningful or recognizable name if web login users are able to select providers from the web login page.

    Server Name: The fully qualified host name (for example, auth.cisco.com) or IP address of the RADIUS authentication server. 172.18.124.101 is the IP address of the Cisco Secure ACS server in this example.

    Server Port: The port number on which the RADIUS server listens.

    RADIUS Type: The RADIUS authentication method. Supported methods include EAP-MD5, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft CHAP (MS-CHAP). PAP is used in this example.

    Timeout (sec): The timeout value for the authentication request.

    Default Role: Choose the unauthenticated role as the user role assigned to users authenticated by this provider. This default role is used if not overridden by a role assignment based on MAC address or IP address, or if RADIUS mapping rules do not result in a successful match.

    Shared Secret: The RADIUS shared secret bound to the IP address of the specified client.

    NAS-Identifier: The NAS-Identifier value to be sent with all RADIUS authentication packets. Either a NAS-Identifier or a NAS-IP-Address must be specified to send the packets.

    NAS-IP-Address: The NAS-IP-Address value to be sent with all RADIUS authentication packets. Either a NAS-IP-Address or a NAS-Identifier must be specified to send the packets.

    NAS-Port: The NAS-Port value to be sent with all RADIUS authentication packets.

    NAS-Port-Type: The NAS-Port-Type value to be sent with all RADIUS authentication packets.

    Enable Failover: This enables sending a second authentication packet to a RADIUS failover peer IP if the primary RADIUS authentication server response times out.

    Failover Peer IP: The IP address of the failover RADIUS authentication server.

    Allow Badly Formed RADIUS Packets: This enables the RADIUS authentication client to ignore errors in badly-formed RADIUS authentication responses as long as the responses contain a success or failure code. This can be required for compatibility with older RADIUS servers.

15. Complete these steps in order to enable Single Sign-On (SSO) on the CAS.

    a. Choose Device Management > CCA Servers and select the server (in this case 10.10.20.162).

    b. Go to the Authentication tab and choose VPN Auth.

    c. Check Single Sign-On and Auto Logout and enter the RADIUS Accounting Port (only port 1813 is supported).

16. Under the VPN Concentrators subtab enter the ASA information and click Add VPN Concentrator.

17. Under the Accounting Servers subtab enter the RADIUS Accounting Server information and click Add Accounting Server.

18. Under the Accounting Mapping subtab select the ASA from the VPN Concentrator pull-down menu (asa1.cisco.com [10.10.20.100] in this example) and select the Accounting Server (acs1.cisco.com [172.18.85.181:1813] in this example).
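The RADIUS accounting exchange behind the SSO described in step 13 and enabled in step 15, as an added example that is not part of this document or Cisco's code: the Accounting-Request the ASA sends to the CAS on UDP/1813, and the CAS-side check that validates the Request Authenticator with the shared secret before it trusts the user-to-IP mapping (Framed-IP-Address, falling back to Calling-Station-Id) for SSO or Auto Logout. The user name, addresses, session ID and secret are constructed sample values.

```python
import hashlib
import socket
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2866)
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 8, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START, ACCT_STOP = 1, 2


def _attr(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(secret, identifier, user, client_ip, nas_ip, session_id,
                       status=ACCT_START):
    """ASA side: build the Accounting-Request the VPN concentrator sends to UDP/1813.
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(FRAMED_IP_ADDRESS, socket.inet_aton(client_ip))
             + _attr(CALLING_STATION_ID, client_ip.encode())
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attrs(payload):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        out.append((atype, payload[i + 2:i + alen]))
        i += alen
    return out


def cas_receive(packet, secret):
    """CAS side: verify the authenticator with the shared secret, then return the SSO
    event {'event': 'start'|'stop', 'user', 'ip'} or None for a forged or unknown packet."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    attrs_raw = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attrs_raw + secret).digest()
    if packet[4:20] != expected:
        return None  # wrong secret or tampered packet: no SSO mapping is created
    attrs = dict(parse_attrs(attrs_raw))
    status_raw = attrs.get(ACCT_STATUS_TYPE, b"")
    if len(status_raw) != 4:
        return None
    event = {ACCT_START: "start", ACCT_STOP: "stop"}.get(struct.unpack("!I", status_raw)[0])
    if event is None or USER_NAME not in attrs:
        return None
    # Prefer Framed-IP-Address; fall back to Calling-Station-Id, as the CAS does.
    if FRAMED_IP_ADDRESS in attrs and len(attrs[FRAMED_IP_ADDRESS]) == 4:
        ip = socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS])
    else:
        ip = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    return {"event": event, "user": attrs[USER_NAME].decode(errors="replace"), "ip": ip}


def build_acct_response(request, secret):
    """Accounting-Response (no attributes); its authenticator covers the Request Authenticator."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()
```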

    Cisco ASA Configuration

This section demonstrates how to configure the Cisco ASA using the Adaptive Security Device Manager (ASDM). The VPN wizard lets you configure basic LAN-to-LAN and remote access VPN connections. Use ASDM in order to edit and configure advanced features.

1. Choose Configuration > VPN and click Launch VPN Wizard in order to launch the VPN Wizard.

2. Use the VPN Tunnel Type panel in order to select the type of VPN tunnel to define, remote access or LAN-to-LAN, and to identify the interface that connects to the remote IPsec peer.

   Click Remote Access in order to create a configuration that achieves secure remote access for VPN Clients, such as mobile users. This option lets remote users securely access centralized network resources. When you select this option, the VPN Wizard displays a series of panels that let you enter the attributes a remote access VPN requires.

   Select the interface that establishes a secure tunnel with the remote IPsec peer (the outside interface is used in this example, since the VPN Clients connect from the Internet). If the Security Appliance has multiple interfaces, you need to plan the VPN configuration before you run this wizard and identify the interface to use for each remote IPsec peer with which you plan to establish a secure connection.

   Enable inbound IPsec sessions to bypass interface access lists. This enables IPsec authenticated inbound sessions to always be permitted through the Security Appliance (that is, without a check of the interface access-list statements). Be aware that the inbound sessions bypass only the interface access control lists (ACLs). Configured group-policy, user, and downloaded ACLs still apply. Click Next.

3. Select the remote access client type. Cisco VPN Client Release 3.x or higher, or other Easy VPN Remote product is used in this example, since the clients use the Cisco VPN Client. Click Next.

4. In this example, pre-shared keys are used for tunnel authentication. Enter the pre-shared key (cisco123 in this example) and the VPN Tunnel Group Name (vpngroup in this example). Click Next.

5. Use the Client Authentication panel in order to select the method by which the Security Appliance authenticates remote users. In this example, the VPN Clients are authenticated against a RADIUS server. Click New in order to configure a new AAA server group.

6. Provide this information in order to configure a new AAA server group that contains just one server:

   Server Group Name: Type a name for the server group. You associate this name with users whom you want to authenticate using this server. The Server Group Name in this example is called authgroup.

   Authentication Protocol: Select the authentication protocol the server uses. RADIUS is used in this example.

   Server IP Address: Type the IP address for the AAA server. The RADIUS server is 172.18.124.101 in this example.

   Interface: Select the Security Appliance interface on which the AAA server resides. The AAA server in this example is on the inside interface.

   Server Secret Key: Type a case-sensitive, alphanumeric keyword of up to 127 characters. The server and Security Appliance use the key to encrypt data that travels between them. The key must be the same on both the Security Appliance and server. You can use special characters, but not spaces.

   Confirm Server Secret Key: Type the secret key again.

7. Configure an address pool for the addresses to be assigned to the VPN Clients. Click New in order to create a new pool.

8. Add the name of the pool, the range, and the subnet mask.

9. Use the Attributes Pushed to Client (Optional) window in order to have the Security Appliance pass information about DNS and WINS servers and the default domain name to remote access clients. Enter the Primary and Secondary DNS and WINS server information. Also enter the Default Domain Name.

10. Use the IKE Policy window in order to set the terms of the Phase 1 IKE negotiations. 3DES, SHA, and Diffie-Hellman Group 2 are used in this example as the IKE policy for VPN Client connections.

11. Use the IPSec Encryption and Authentication window in order to select the encryption and authentication methods to use for Phase 2 IKE negotiations, which create the secure VPN tunnel. 3DES and SHA are used in this example.

12. Use the Address Translation Exemption (Optional) window in order to identify local hosts/networks which do not require address translation.

    By default, the Security Appliance hides the real IP addresses of internal hosts and networks from outside hosts by using dynamic or static Network Address Translation (NAT). NAT minimizes risks of attack by untrusted outside hosts, but might be improper for those who have been authenticated and protected by VPN.

    For example, an inside host that uses dynamic NAT has its IP address translated by matching it to a randomly selected address from a pool. Only the translated address is visible to the outside. Remote VPN Clients that attempt to reach these hosts by sending data to their real IP addresses cannot connect to these hosts, unless you configure a NAT exemption rule.

13. Verify that the information is accurate in the Summary window and click Finish.

14. This is a very important step. The Cisco ASA needs to send the RADIUS accounting messages to the CAS in order to do SSO and perform security posture checks.

    Complete these steps in order to add a new AAA Server Group.

    a. Choose Configuration > Properties > AAA Setup > AAA Server Groups and click Add.

    b. Enter the Server Group name (CAS_Accounting in this example).

    c. Select RADIUS as the Protocol.

    d. Make sure that the Accounting Mode is Single and Reactivation Mode is Depletion.

    e. Click OK.

15. Add a new AAA Server entry. In this case the AAA server is the IP address of the CAS (10.10.20.162) which resides on the inside interface. Configure the Server Authentication Port (1812) and Server Accounting Port (1813). Click OK.

    The new AAA Server Group and AAA Server appear as this example window shows.

16. Complete these steps in order to add the CAS as the accounting server for the VPN group you configured (vpngroup in this example).

    a. Choose Configuration > VPN > General > Tunnel Group.

    b. Select the Tunnel Group.

    c. Click Edit.

17. Under the Accounting tab select the new AAA Server Group under the Accounting Server Group pull-down menu (CAS_Accounting in this example).


    ASA CLI Configuration

ASA1# show running-config
: Saved
:
ASA Version 7.2(1)
!
hostname ASA1
domain-name cisco.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Outside Interface Facing the Internet
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.0
!
interface GigabitEthernet0/1
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.10.20.100 255.0.0.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.18.85.174 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.com
access-list outside_cryptomap extended permit ip any 10.10.55.0 255.255.255.0
access-list something extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool pool1 10.10.55.1-10.10.55.254 mask 255.255.255.0
no failover
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm-521.bin
no asdm history enable
arp timeout 14400
access-group something in interface outside
access-group something in interface inside
route inside 172.18.85.181 255.255.255.255 10.10.20.1 1
route inside 0.0.0.0 0.0.0.0 10.10.20.1 tunneled
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
route inside 172.18.85.0 255.255.255.0 10.10.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server authgroup protocol radius
aaa-server authgroup host 172.18.85.181
 timeout 5
 key cisco123
 authentication-port 1812
 accounting-port 1813
aaa-server test protocol radius
aaa-server test host 10.10.20.162
 key cisco123
 accounting-port 1813
aaa-server CAS_Accounting protocol radius
aaa-server CAS_Accounting host 10.10.20.162
 key cisco123
 authentication-port 1812
 accounting-port 1813
 radius-common-pw cisco123
group-policy vpngroup internal
group-policy vpngroup attributes
 wins-server value 172.18.108.40 172.18.108.41
 dns-server value 172.18.108.40 172.18.108.41
 vpn-tunnel-protocol IPSec
 default-domain value cisco.com
username cisco password ffIRPGpDSOJh9YLq encrypted
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map abcmap 1 set peer 202.83.212.69
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool pool1
 authentication-server-group authgroup
 accounting-server-group CAS_Accounting
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
!
class-map class_sip_tcp
 match port tcp eq sip
class-map class_sip_udp
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class class_sip_tcp
  inspect sip
 class class_sip_udp
  inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8e30f7ade3dcb3d1ae0da79a9d94371e
: end
[OK]
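A check for the accounting wiring that steps 14 through 17 of the ASA configuration set up, added here as an example and not part of this document or any Cisco tool: it parses the running-config, follows the tunnel-group's accounting-server-group to its aaa-server hosts, and reports when accounting would not reach the CAS on port 1813 (the ASA falls back to its default accounting port 1646 when accounting-port is unset, and the CAS only listens on 1813). The embedded config is constructed from the values in this document's ASA configuration.

```python
from collections import defaultdict

# ASA sends accounting to UDP/1646 when accounting-port is left unset; the CAS only listens on 1813.
ASA_DEFAULT_ACCT_PORT = 1646

# Constructed from this document's ASA configuration (only the lines that matter for accounting).
SAMPLE_CONFIG = """\
aaa-server authgroup protocol radius
aaa-server authgroup host 172.18.85.181
 key cisco123
 authentication-port 1812
 accounting-port 1813
aaa-server CAS_Accounting protocol radius
aaa-server CAS_Accounting host 10.10.20.162
 key cisco123
 authentication-port 1812
 accounting-port 1813
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool pool1
 authentication-server-group authgroup
 accounting-server-group CAS_Accounting
 default-group-policy vpngroup
"""


def parse_blocks(config):
    """Map each top-level command to its indented sub-commands (ASA indents them by one space)."""
    blocks, current = defaultdict(list), None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("!", ":")):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def _sub_value(subs, keyword, default=None):
    """Return the argument of the first sub-command that starts with keyword, else default."""
    for line in subs:
        if line.startswith(keyword + " "):
            return line.split(None, 1)[1]
    return default


def check_vpn_accounting(config, tunnel_group, cas_ip, cas_port=1813):
    """Return a list of findings; an empty list means Accounting-Start reaches the CAS on the right port."""
    blocks = parse_blocks(config)
    general = blocks.get(f"tunnel-group {tunnel_group} general-attributes")
    if general is None:
        return [f"tunnel-group {tunnel_group}: no general-attributes section"]
    grp = _sub_value(general, "accounting-server-group")
    if grp is None:
        return [f"tunnel-group {tunnel_group}: no accounting-server-group, the CAS never sees Accounting-Start"]
    findings = []
    if f"aaa-server {grp} protocol radius" not in blocks:
        findings.append(f"aaa-server {grp}: group missing or not RADIUS")
    hosts = {k: v for k, v in blocks.items() if k.startswith(f"aaa-server {grp} host ")}
    if not hosts:
        findings.append(f"aaa-server {grp}: no host entry")
    for parent, subs in hosts.items():
        ip = parent.split()[3]
        port = int(_sub_value(subs, "accounting-port", ASA_DEFAULT_ACCT_PORT))
        if ip != cas_ip:
            findings.append(f"{parent}: accounting goes to {ip}, not the CAS at {cas_ip}")
        if port != cas_port:
            findings.append(f"{parent}: accounting-port {port}, but the CAS only accepts {cas_port}")
        if _sub_value(subs, "key") is None:
            findings.append(f"{parent}: no shared key configured")
    return findings
```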


    Verify

    There is currently no verification procedure available for this configuration.

    Troubleshoot

    There is currently no specific troubleshooting information available for this configuration.

    Related Information

    Cisco NAC Appliance (Clean Access) Product Support

Technical Support & Documentation - Cisco Systems


2009-2010 Cisco Systems, Inc. All rights reserved.

    Updated: Oct 03, 2006 Document ID: 71573

