
Network Access Control (NAC) for IPsec and L2TP/IPsec Users

In version 4.7, Cisco introduced the Network Access Control (NAC) feature for IPsec and L2TP/IPsec clients. Like the Cisco Secure Desktop (CSD) feature for WebVPN (discussed in the next chapter), NAC for IPsec and L2TP/IPsec provides a method of validating a user's access based on their operating system version and applied service packs, the anti-virus software and applied updates, the personal firewall software and applied updates, and the intrusion protection software and applied updates.

With CSD for WebVPN, the concentrator validates a user's access. With NAC, the concentrator serves as a proxy: the Cisco Trust Agent (CTA) software is installed on a user's PC and sends the required NAC information, using the Extensible Authentication Protocol (EAP), to the concentrator. The concentrator then forwards this information to an AAA server, like Cisco Secure ACS (CSACS), using EAP over RADIUS. The AAA server validates the user's access and sends the reply back to the concentrator, along with any other policy access information, where the concentrator enforces the downloaded policy. With CSD for WebVPN, you have to define all the policies locally on the concentrator, whereas with NAC, these policies are defined on the AAA RADIUS server; because of this, setting up NAC on the concentrator is simpler.

Note

The configuration of NAC on CSACS is beyond the scope of this book. Information on configuring NAC on CSACS can be found at http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a00802335f1.html.


Global Configuration of NAC for IPsec

To set up the global configuration of NAC, go to Configuration > Policy Management > Network Admission Control. There are two options from this screen: Global Parameters and Exception List. The next two sections will talk about both of these options.

NAC Global Parameters

When you click the Global Parameters hyperlink option from the Configuration > Policy Management > Network Admission Control screen, you are taken to the screen shown in Figure 7-52. Here are the parameters you can configure:

  • Retransmission Timer: Defines how long the concentrator will wait for a NAC response from a device before resending the request. The default is 3 seconds, but the value can range from 1 to 60 seconds.

  • Hold Timer: Defines how long the concentrator waits before attempting to establish a new association after a failed NAC credential validation or after the configured number of EAP over UDP (EAPoUDP) retries has been exceeded. The default is 180 seconds, but the value can range from 60 to 1,440 seconds.

  • EAPoUDP Retries: Defines the number of times the concentrator will retransmit EAP over UDP messages before marking the NAC association as failed, thereby starting the hold timer. The default is 3 retries, but the value can range from 1 to 3.

  • EAPoUDP Port: Defines the EAP over UDP port used for NAC communications; this defaults to 21,862.

  • Clientless Authentication: Enable: Allows authentication of user devices that aren't running the Cisco Trust Agent (perhaps because you're in a migration process and slowly adding CTA to your users' desktops). Once you've enabled this, you need to define a username and password in the Clientless Authentication: Username and Clientless Authentication: Password parameters. The AAA RADIUS server will use these credentials to validate network access for those devices.

Figure 7-52. NAC Global Parameters Screen


NAC Exception List

The current Cisco NAC architecture doesn't support certain operating systems with its CTA software. You can exempt these operating systems from NAC by creating exception list entries: go to the Configuration > Policy Management > Network Admission Control > Exception List screen and click the Add button. This displays the screen in Figure 7-53. Click the Enable check box to enable the exception list entry. In the Operating System field, enter the name of the operating system of the non-CTA devices; you can find the name on the concentrator's Administration > Administer Sessions or Monitoring > Sessions screen, in the Client Type column of the Remote Access Sessions table. You can apply a filter to the exception list entry to determine which IP addresses are or are not exempted. Make sure that EAP over UDP traffic is never exempted: a rule permitting it should be the first permit rule in your filter. I discussed how to create rules and filters previously in the "Creating Rules" and "Creating Filters" sections.

Figure 7-53. NAC Exemption Lists


Group Configuration of NAC

After you've defined your global properties for NAC, you need to set up your groups for NAC. This involves defining the AAA RADIUS server and the NAC group attributes. The following two sections will discuss both of these.

AAA RADIUS Server

I've already discussed how to associate an AAA RADIUS server with a group previously in the "Authentication Server Creation" section. However, you might define your NAC properties globally and want to define an AAA RADIUS server once, instead of for each group. To add an AAA RADIUS server globally, go to Configuration > System > Servers > Authentication Servers and click the Add button. The information found on this screen is the same as described previously in the "Authentication Server Creation" section. Click the Add button when done. If the AAA RADIUS server will be performing authorization functions, repeat this process by going to the Configuration > System > Servers > Authorization Servers screen, clicking the Add button, and re-entering the server information; you can repeat this same process if you want to capture accounting records (Configuration > System > Servers > Accounting Servers).

Note

The AAA servers you define under Configuration > System > Servers are used by the Base Group; if you've added an AAA server and associated it with a specific group, the group's configuration overrides the globally defined AAA servers.


Group NAC Tab

NAC can be configured for both the Base Group and specific groups. The NAC parameters are the same for both: when configured in both places, the specific group settings override the Base Group. To modify the parameters for the Base Group, go to Configuration > User Management > Base Group and click the NAC tab; this displays the screen in Figure 7-54.

Figure 7-54. NAC Group Tab


Here are the parameters on this screen:

  • Enable NAC: Enables NAC for the group. Any client not listed in a NAC exception list for this group will then be validated using NAC before being admitted to the network.

  • Status Query Timer: Specifies the keepalive interval at which the concentrator checks for posture changes on clients in the group; the default is 300 seconds, but the value can range from 30 to 1,800 seconds.

  • Revalidation Timer: Specifies how often clients must be completely revalidated for admittance to the network; the default is 36,000 seconds, but the value can range from 300 to 86,400 seconds.

  • Default ACL (filter): Allows you to choose a filter that applies to users of the group before NAC validation has completed. This is useful for clients that fail the admittance test and need to download updated software to become compliant: the filter can allow just that remediation traffic and deny everything else until the client meets the admittance policy. At a minimum, the filter should permit the "EAPoUDP In" and "EAPoUDP Out" rules between the IPsec or L2TP/IPsec client (use the "VPN Client Local LAN (Default)" network list) and the public interface address of the concentrator (or whatever interface the clients terminate their IPsec connections on).

Note

The 4.7 version of software I used didn't have the "EAPoUDP In" and "EAPoUDP Out" rules predefined, so I had to define them manually. Use the information in Table 7-4 to create these two rules.


Table 7-4. EAPoUDP In and Out Filtering Rules

| Parameter                | Inbound Traffic                                                                 | Outbound Traffic                                                                |
|--------------------------|---------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
| Rule Name                | EAPoUDP In                                                                      | EAPoUDP Out                                                                     |
| Direction                | Inbound                                                                         | Outbound                                                                        |
| Action                   | Forward                                                                         | Forward                                                                         |
| Protocol                 | UDP                                                                             | UDP                                                                             |
| TCP/IP Connection        | Don't Care                                                                      | Don't Care                                                                      |
| Source Address           | 0.0.0.0/255.255.255.255 or the "VPN Client Local LAN (Default)" network list    | The IP address of the concentrator's interface for terminated IPsec connections |
| Destination Address      | The IP address of the concentrator's interface for terminated IPsec connections | 0.0.0.0/255.255.255.255 or the "VPN Client Local LAN (Default)" network list    |
| TCP/UDP Source Port      | All                                                                             | 21,862 (or whatever port number you're using)                                   |
| TCP/UDP Destination Port | 21,862 (or whatever port number you're using)                                   | All                                                                             |
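Because both the exception-list filter and the group's Default ACL are evaluated first-match, a misplaced deny rule silently blocks the EAPoUDP exchange and every client ends up in the hold-timer loop. The following Python script is an added example, not code from the book or from Cisco: it models a concentrator-style filter with Cisco wildcard masks (a 1 bit in the mask means "don't care", so 0.0.0.0/255.255.255.255 matches any address), builds the two rules of Table 7-4, and checks that a candidate filter forwards EAPoUDP in both directions. The concentrator address 203.0.113.1, the client address 10.20.30.40 and the "default action drops" behaviour are constructed assumptions for the example.

```python
"""Constructed example: first-match evaluation of a VPN 3000-style filter to
confirm it forwards EAP over UDP (EAPoUDP) for NAC. Assumes Cisco-style
address/wildcard masks (1 bits in the mask are ignored) and a filter whose
default action is "drop"; both are assumptions of this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

EAPOUDP_PORT = 21862  # concentrator default from the Global Parameters screen


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = client -> concentrator, "out" = concentrator -> client
    proto: str       # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str               # "in" or "out"
    action: str                  # "forward" or "drop"
    proto: str                   # "udp", "tcp" or "any"
    src: str                     # "address/wildcard-mask"
    dst: str
    sport: Optional[int] = None  # None means "All"
    dport: Optional[int] = None


def addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard-mask comparison: mask bits set to 1 are ignored."""
    net, wild = spec.split("/")
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every field it constrains agrees with the packet."""
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default_action: str = "drop") -> str:
    """First matching rule wins; the filter's default action applies otherwise."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default_action


def eapoudp_rules(conc_ip: str, client_net: str = "0.0.0.0/255.255.255.255",
                  port: int = EAPOUDP_PORT) -> List[Rule]:
    """The two rules of Table 7-4, parameterised on the concentrator's address."""
    conc = f"{conc_ip}/0.0.0.0"  # wildcard 0.0.0.0 = exact host match
    return [
        Rule("EAPoUDP In", "in", "forward", "udp", client_net, conc, None, port),
        Rule("EAPoUDP Out", "out", "forward", "udp", conc, client_net, port, None),
    ]


def eapoudp_permitted(rules: List[Rule], client_ip: str, conc_ip: str,
                      port: int = EAPOUDP_PORT) -> bool:
    """True only if the filter forwards EAPoUDP in both directions."""
    to_conc = Packet("in", "udp", client_ip, conc_ip, 40000, port)
    from_conc = Packet("out", "udp", conc_ip, client_ip, port, 40000)
    return evaluate(rules, to_conc) == "forward" and evaluate(rules, from_conc) == "forward"


# Hypothetical topology: concentrator public interface 203.0.113.1, client 10.20.30.40.
GOOD_FILTER = eapoudp_rules("203.0.113.1")
# Same rules, but behind a catch-all deny: first-match ordering defeats them.
BAD_FILTER = [Rule("Deny all in", "in", "drop", "any",
                   "0.0.0.0/255.255.255.255", "0.0.0.0/255.255.255.255")] + eapoudp_rules("203.0.113.1")

if __name__ == "__main__":
    print("good filter:", eapoudp_permitted(GOOD_FILTER, "10.20.30.40", "203.0.113.1"))
    print("bad filter: ", eapoudp_permitted(BAD_FILTER, "10.20.30.40", "203.0.113.1"))
```

The check deliberately sends a packet in each direction rather than inspecting rule text, so it also catches a correctly written EAPoUDP rule that is shadowed by an earlier deny, which is exactly the "first permit rule" ordering point made for the exception-list filter above. Extending it to a filter exported from a real concentrator only requires translating each rule's fields into a Rule object.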
