This chapter covers the following topics:
Architectural overview of NAC on Cisco security appliances
Configuration steps of NAC on Cisco security appliances
Testing, monitoring, and troubleshooting NAC on Cisco security appliances
Similar to the Cisco VPN 3000 series concentrators discussed in Chapter 6, "Configuring NAC on Cisco VPN 3000 Series Concentrators," the Cisco security appliances provide a complete solution for the site-to-site as well as remote-access VPN tunnels. Cisco security appliances consist of Cisco Adaptive Security Appliances (ASA) and the Cisco PIX Security Appliance. The NAC functionality on the Cisco security appliances enhances security of the IPSec tunnels. This chapter focuses on NAC implementation of the security appliances by providing a brief architectural overview of the solution and step-by-step configuration examples.
Architectural Overview of NAC on Cisco Security Appliances
The NAC implementation on the security appliances is identical to the implementation on Cisco VPN 3000 series concentrators. Refer to Chapter 6 for detailed information about the NAC architectural design on the security appliance. This section covers some of the significant changes from the VPN 3000 concentrator NAC implementation.
Stateless Failover for NAC
The security appliances support stateful failover for the traffic passing through the device. This includes Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and IPSec, to name a few protocols. However, the current implementation of NAC supports only stateless failover. This means that the NAC commands are replicated from the active appliance to the standby appliance; however, none of the active NAC connections will fail over to the standby appliance if the standby appliance becomes active. In a failover, all NAC postures that are validated by active appliance are disconnected, and the new NAC sessions are created on the newly active security appliance.
If you are using the stateful failover, the IPSec connections are switched over seamlessly after a failover. However, the remote-access VPN clients go through the posture-validation process. During this time, the security appliance applies a NAC default Access Control List (ACL), if defined, on the remote-access VPN clients.
Per-Group NAC Exception List
Unlike a VPN 3000 concentrator, a security appliance supports multiple NAC exception lists that are configured under user group-policy. Each NAC exception list can be set up with the reported operating system from the VPN client and an ACL. This list excludes the configured operating systems from going through the posture-validation process. The Cisco VPN client also provides the name of the operating system the host is using, and this string is compared with entries in the NAC Exception List.
Note - The security appliances support NAC for Cisco software clients and Microsoft L2TP over IPSec clients. Plans are underway to support NAC for the SSL-based VPN tunnels in future releases.
Configuration Steps of NAC on Cisco Security Appliances
Figure 7-1 illustrates a network topology in which a Cisco ASA 5500 appliance is terminating VPN client sessions from Cisco VPN clients. The public IP address of the appliance is 209.165.202.130; the private IP address is 10.10.0.2. The security appliance leverages a Cisco Secure ACS server for user authentication. The Cisco Secure ACS also participates in the client's posture validation and applies appropriate policies. The appliance is set up with a pool of addresses from the 10.10.200.0/24 subnet. During the mode-config phase of the VPN tunnel negotiations, the Cisco ASA 5500 appliance assigns an IP address from this pool to the VPN client.
Note - For more information about the mode-config phase, refer to Chapter 6.
ASA 5500 Topology to Terminate IPSec Connections
Note - You need to run Version 7.2 or later on the security appliances to enable NAC.
The implementation of NAC on a security appliance can be divided into three stages:
VPN configuration on the security appliances
VPN configuration on the Cisco VPN client
NAC configuration on the security appliances
Note - This chapter focuses on the configuration of the security appliances and how they interact with the Cisco VPN clients.
Note - The operating system used by Cisco ASA and PIX is the same. Consequently, the configuration of NAC on the two security appliances is identical.
VPN Configuration on the Security Appliances
This section discusses the configuration of remote-access IPSec tunnels on the security appliances that can be used to accept connections from the Cisco VPN clients. The following 12 steps set up a basic remote-access IPSec tunnel.
Step 1 Enable ISAKMP.
Step 2 Create the ISAKMP policy.
Step 3 Configure remote-access attributes.
Step 4 Define the tunnel type.
Step 5 Configure preshared keys.
Step 6 Configure user authentication.
Step 7 Assign an IP address.
Step 8 Define the IPSec policy.
Step 9 Set up a dynamic crypto map.
Step 10 Configure the crypto map.
Step 11 Apply the crypto map on the interface.
Step 12 Configure traffic filtering.
Note - This chapter assumes that you have basic familiarity with the security appliance command-line interface (CLI) and that you have administrative rights to set up different functions and features. For more information about the security appliances, visit http://www.cisco.com/go/asa and http://www.cisco.com/go/pix.
Step 1: Enabling ISAKMP
By default, ISAKMP is disabled on all the interfaces. If the remote VPN device sends a tunnel-initialization message, the security appliance drops it until ISAKMP is enabled on the interface terminating the IPSec tunnels. Typically, it is enabled on the Internet-facing or the outside interface, as demonstrated in Example 7-1.
Example 7-1 Enabling ISAKMP on the Outside Interface
CiscoASA# configure terminalCiscoASA(config)# isakmp enable outside
Step 2: Creating the ISAKMP Policy
The isakmp policy commands define ISAKMP Phase 1 attributes that are exchanged between the VPN peers. Example 7-2 shows an ISAKMP policy to negotiate preshared keys for authentication, Advanced Encryption Standard-256 (AES-256) for encryption, Secure Hash Algorithm (SHA) for hashing, group 2 for Diffie-Hellman (DH), and 86400 seconds for lifetime.
Example 7-2 Configuration of ISAKMP Policy
CiscoASA# configure terminalCiscoASA(config)# isakmp policy 10 authentication pre-shareCiscoASA(config)# isakmp policy 10 encryption aes-256CiscoASA(config)# isakmp policy 10 hash shaCiscoASA(config)# isakmp policy 10 group 2CiscoASA(config)# isakmp policy 10 lifetime 86400
Step 3: Configuring Remote-Access Attributes
The security appliance allows the configuration of the mode-config parameters in three different places:
Under default group-policy
Under user group-policy
ω Under user policy
The security appliance implements an inheritance model in which a user inherits the mode-config attributes from the user policy, which inherits its attributes from the user group-policy, which, in turn, inherits its attributes from the default group-policy, as illustrated in Figure 7-2. A user, ciscouser, receives traffic filtering ACL and an assigned IP address from the user policy, the domain name from the user group-policy, and IP Compression, along with the number of simultaneous logins from the default group-policy.
Mode-Config Inheritance Model
You can use the group-policy attributes command to specify the default and user group-policy mode-config attributes. Example 7-3 shows how to configure the default group attributes on the security appliances by setting DfltGrpPolicy as the group name in the group-policy. The administrator has limited the simultaneous logins to three and has enabled IP Compression for data payload.
Example 7-3 Configuration of Default Group-Policy
CiscoASA(config)# group-policy DfltGrpPolicy attributesCiscoASA(config-group-policy)# vpn-simultaneous-logins 3CiscoASA(config-group-policy)# ip-comp enable
Note - DfltGrpPolicy is a special group name, used solely for the default group-policy.
The user group-policy is set up similarly to a default group-policy, by configuring the attributes under the group-policy submenu. In Example 7-4, a group called SecureMeGrp is being set up to send the domain-name securemeinc.com attribute during mode-config exchange. One major difference between the default group-policy and the user group-policy is that you can define the latter as an internal or external group. In an internal group, all the policy attributes are defined locally on the security appliance. In an external group, all the attributes are stored on an external server such as RADIUS. In Example 7-4, SecureMeGrp is set up as an internal group, which is why the domain-name attribute is defined locally.
Example 7-4 Configuration of Group-Specific Group Policy
CiscoASA(config)# group-policy SecureMeGrp internalCiscoASA(config)# group-policy SecureMeGrp attributesCiscoASA(config-group-policy)# default-domain value securemeinc.com
Step 4: Defining the Tunnel Type
Cisco security appliances can be configured for two different tunnel types, as shown in Example 7-5.
Example 7-5 Supported Tunnel Types
CiscoASA(config)# tunnel-group NAC-Group type ? ipsec-l2l IPSec Site to Site group ipsec-ra IPSec Remote Access group
In this example, the tunnel-group tag is named NAC-Group, and the tunnel type is ipsec-ra. The ipsec-ra command stands for IPSec remote-access tunnels, and, when configured, the security appliance expects the Cisco VPN clients to initiate a tunnel and send vendor identity as a Cisco client during the ISAKMP negotiations. Example 7-6 shows the Cisco security appliance in CiscoASA configured for remote-access tunnels.
Example 7-6 Configuration of Remote-Access Tunnels
CiscoASA(config)# tunnel-group NAC-Group type ipsec-ra
Note - The tunnel-group name—NAC-Group in the preceding example—is the group name that needs to be configured on the Cisco VPN clients.
Step 5: Configuring ISAKMP Preshared Keys
If you want to use a preshared key as the authentication method, you must configure a shared secret that is used to validate the identity of both VPN devices. The preshared key is configured after the ipsec-attributes keyword of the tunnel-group command, as shown in Example 7-7.
Example 7-7 Preshared Key Configuration
CiscoASA(config)# tunnel-group NAC-Group ipsec-attributesCiscoASA(config-ipsec)# pre-shared-key cisco123cisco
In Example 7-7, all Cisco VPN clients configured for the NAC-Group group must use cisco123cisco as the preshared key. If there is a mismatch on the key, the security appliance denies group authentication for the client.
Note - A preshared key is also known as a group password in the Cisco remote-access VPN client.
Step 6: Configuring User Authentication
The tunnel group must be configured with the corresponding authentication server, under general attributes. The authentication-server-group subcommand specifies the authentication server. Example 7-8 illustrates how to define a RADIUS server for user authentication. The RADIUS server is located on the inside interface and is set up for the 10.10.20.181 IP address. The RADIUS server is then mapped to the NAC-Group group for user authentication.
Example 7-8 Authentication Using RADIUS Server
CiscoASA(config)# aaa-server Radius (inside) host 10.10.20.181CiscoASA(config-aaa-server-host)# key cisco123ciscoCiscoASA(config-aaa-server-host)# exitCiscoASA(config)# tunnel-group NAC-Group general-attributesCiscoASA((config-group-policy)# authentication-server-group Radius
Step 7: Assigning an IP Address
During the mode-configuration phase of the IPSec tunnel negotiations, the Cisco VPN client requests an IP address to be assigned to the VPN adapter of the workstation. The security appliance supports three different methods to assign an IP address back to the client:
Local address pool
DHCP server
RADIUS server
Example 7-9 shows the available address-assignment methods in the vpn-addr-assign command.
Example 7-9 Available Address-Assignment Methods
CiscoASA(config)# vpn-addr-assign ? aaa Allow AAA servers to specify an IP address dhcp Allow DHCP servers to specify an IP address local Allow local pools to specify an IP addressCiscoASA(config)# vpn-addr-assign local
These options are useful to meet any deployment methodology. Each address-assignment option is discussed here:
vpn-addr-assign aaa—This option requires that an IP address be assigned from the RADIUS server. When a user is authenticated, the RADIUS server assigns an IP address in RADIUS attribute 8, Framed-IP-Address. This is a preferred method for large VPN deployments in which the pool of addresses is centrally managed on the authentication server.
vpn-addr-assign dhcp—For ease of management, the security appliance can contact a DHCP server when allocating an IP address. After user authentication, the security appliance sends a request to the DHCP server and, after it is allocated, forwards it to the VPN client.
vpn-addr-assign local—For small to midsize deployments, the preferred method for assigning an IP address is through the local database. When the client requests an IP address, the security appliance checks the local pool and assigns the next available IP address.
Example 7-10 shows the necessary commands to configure an address pool called vpnpool and map it for address assignment for a VPN group NAC-Group. The pool range starts at 10.10.200.1 and ends at 10.10.200.254.