Chapter 7: Configuring NAC on Cisco ASA and PIX Security Appliances

Cisco Press

Page 2 of 4

Example 7-10 Address Assignment from Local Pool

CiscoASA(config)# ip local pool vpnpool
CiscoASA(config)# tunnel-group NAC-Group general-attributes
CiscoASA(config-general)# address-pool vpnpool

Many large enterprises prefer to authenticate users on external RADIUS servers, which can assign an IP address to the client after the user is successfully authenticated. Example 7-11 shows the configuration of the security appliance when a RADIUS server, set up as the authenticating device, assigns the IP address.

Example 7-11 Address Assignment from an AAA Server

CiscoASA(config)# aaa-server Radius protocol radius
CiscoASA(config-aaa-server-group)# exit
CiscoASA(config)# aaa-server Radius (inside) host key cisco123cisco
CiscoASA(config-aaa-server-host)# exit
CiscoASA(config)# vpn-addr-assign aaa

Note - If all three methods are configured for address assignment, the security appliance prefers RADIUS over DHCP and an address pool. If the Cisco security appliance cannot get an address from the RADIUS server, it contacts the DHCP server for address allocation. If that method fails as well, the security appliance checks the local address pool as the last resort.

Step 8: Defining the IPSec Policy

An IPSec transform set specifies the encryption and hashing method to be used on the data packets when the tunnel is up. To configure the transform set, use the following command syntax:

crypto ipsec transform-set transform-set-tag {esp-3des | esp-aes | esp-aes-192 | esp-aes-256 | esp-des | esp-md5-hmac | esp-null | esp-none | esp-sha-hmac}

Note - If the security appliance does not have a license for the VPN-3DES-AES feature, the security appliance allows DES encryption only for ISAKMP and IPSec policies. Administrators can now obtain a 3DES-AES license free from the Cisco website. The software download page includes instructions for obtaining the license.

In Example 7-12, the CiscoASA security appliance is set up for AES-256 encryption and SHA hashing. The transform set name is myset.

Example 7-12 Transform Set Configuration

CiscoASA(config)# crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

Step 9: Setting Up a Dynamic Crypto Map

VPN clients often get dynamic IP addresses from their ISPs, so it is impossible to statically map their IP addresses in the group settings. The Cisco security appliance solves this problem by allowing configuration of a dynamic crypto map. Example 7-13 demonstrates the configuration of the Cisco security appliance to use the defined transform set. The dynamic crypto map name is dynmap, and it is configured with a sequence number of 10. A transform set is a required attribute of a dynamic crypto map; the dynamic crypto map is incomplete until a transform set is applied to it.

Example 7-13  Dynamic Crypto Map Configuration

CiscoASA(config)# crypto dynamic-map dynmap 10 set transform-set myset

Step 10: Configuring the Crypto Map

The dynamic map is associated with a crypto map entry, which is eventually applied to the interface terminating the IPSec tunnels. Example 7-14 shows crypto map configuration on the CiscoASA security appliance. The crypto map name is IPSec_map, and the sequence number is 65535.

Example 7-14  Crypto Map Configuration

CiscoASA(config)# crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap

The Cisco security appliance limits you to one crypto map per interface. If there is a need to configure multiple VPN tunnels, use the same crypto map name with a different sequence number for each entry. Keep in mind that the security appliance evaluates the entry with the lowest sequence number first.

Step 11: Applying the Crypto Map to an Interface

The next step in setting up a remote-access tunnel is to bind the crypto map to an interface. In Example 7-15, the crypto map, IPSec_map, is applied to the outside interface of the security appliance.

Example 7-15  Applying a Crypto Map to the Outside Interface

CiscoASA# configure terminal
CiscoASA(config)# crypto map IPSec_map interface outside

Step 12: Configuring Traffic Filtering

If you trust all your private networks, including all your remote VPN clients, you can configure the security appliance to permit all decrypted IPSec packets to pass through it without inspecting them against the configured ACL. This is done with the use of the sysopt connection permit-vpn command, as shown in Example 7-16.

Example 7-16  sysopt Configuration to Bypass Traffic Filtering

CiscoASA(config)# sysopt connection permit-vpn

If NAT is configured on the security appliance but you do not want to change the source IP address of traffic going over the VPN tunnel, you need to configure the NAT exempt rules. You must create an access list to specify what traffic the NAT engine should bypass. Example 7-17 shows an access list that is permitting the VPN traffic from to the pool of addresses in

Example 7-17  Access List to Bypass NAT

access-list nonat extended permit ip

After defining the access list, the next step is to configure the nat 0 command. Example 7-18 demonstrates how to configure the nat 0 statement if the private LAN that is being protected is toward the inside interface.

Example 7-18  Configuration of NAT 0 Access List

CiscoASA(config)# nat (inside) 0 access-list nonat

VPN Configuration on the Cisco VPN Client

The VPN client is set up identically to the process discussed in Chapter 6 in the section "VPN Configuration on the Cisco VPN client." Refer to Chapter 6 for configuration assistance with the VPN client.

NAC Configuration on the Cisco Security Appliances

This section discusses the configuration of NAC-related parameters on the security appliances. These parameters are applied after a VPN tunnel is established. The following four steps are required in configuring NAC on the security appliances:

Step 1 Set up the NAC global parameters.

Step 2 Configure NAC authentication.

Step 3 Enable NAC on user groups.

Step 4 Configure the NAC exception list.

This section discusses these configuration steps.

Step 1: Setting Up NAC Global Parameters

The first step in setting up NAC on the security appliances is to ensure that the global NAC parameters are properly configured. You can modify the default values of these parameters from the global configuration mode, as shown in Example 7-19, by using the eou commands.

Example 7-19  Available EOU Parameters in Global Configuration Mode

CiscoASA(config)# eou ?
configure mode commands/options:
  allow       Enable/Disable clientless authentication
  clientless  Clientless host configuration
  max-retry   Set maximum number of times an EAP over UDP message is retransmitted
  port        Set EAP over UDP port number
  timeout     Set EAP over UDP timeout values

In Example 7-20, some of the NAC EAP over UDP (EOU) parameters are modified from their default values. The Retransmission Timer is modified from 3 seconds to 5 seconds. When the security appliance sends an EOU packet to the VPN client, it waits for 5 seconds before resending another request. This way, the VPN clients that use dialup connections to connect to the Internet can reply to the security appliance within a reasonable time. If a response is not received, the security appliance sends another request and starts the retransmission timer. The security appliance sends the EAPoUDP packets three times (eou max-retry 3) before failing the communication and initiating the hold timer. The hold time of 180 seconds ensures that no EAPoUDP requests are sent to the VPN client for 180 seconds (3 minutes). As soon as this timer expires, the security appliance initiates EAPoUDP communication with the VPN client and goes through the process discussed in Chapter 6 in the section "Architectural Overview of NAC on Cisco VPN 3000 Concentrators." EAPoUDP communication is done on UDP port 21862. It is recommended that you not change this port unless there is a port conflict in your network.

Example 7-20 Modifying EOU Parameters

CiscoASA(config)# eou max-retry 3
CiscoASA(config)# eou port 21862
CiscoASA(config)# eou timeout retransmit 5
CiscoASA(config)# eou timeout hold-period 180
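As an added example (not from the chapter or from Cisco), the following Python audits an ASA configuration fragment for the points made in Steps 8 through 12 and in the EOU timer discussion above: it flags transform sets that still use DES, MD5 or null transforms, reports whether sysopt connection permit-vpn exempts decrypted traffic from the interface ACLs, lists crypto map entries in evaluation order (lowest sequence number first), and derives the EAPoUDP failure and re-challenge times from the eou settings as the text describes them. The configuration text is constructed from the chapter's commands; the legacy transform set and the sequence-10 crypto map entry are placeholders.

```python
import re

# Constructed ASA configuration fragment assembled from the chapter's commands.
# The "legacy" transform set and the sequence-10 crypto map entry are placeholders.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec transform-set legacy esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
sysopt connection permit-vpn
eou max-retry 3
eou port 21862
eou timeout retransmit 5
eou timeout hold-period 180
"""

# Transforms a practitioner should treat as weak or as providing no protection.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null", "esp-none"}

def audit_transform_sets(config):
    """Map each transform set name to the weak transforms it contains (if any)."""
    findings = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        weak = sorted(set(m.group(2).split()) & WEAK_TRANSFORMS)
        if weak:
            findings[m.group(1)] = weak
    return findings

def vpn_bypasses_acl(config):
    """True if decrypted IPSec traffic skips the interface ACLs (sysopt connection permit-vpn)."""
    return re.search(r"^sysopt connection permit-vpn$", config, re.M) is not None

def crypto_map_order(config, name):
    """Entries of one crypto map in evaluation order: lowest sequence number first."""
    entries = re.findall(rf"^crypto map {re.escape(name)} (\d+) (.+)$", config, re.M)
    return sorted(((int(seq), rest) for seq, rest in entries), key=lambda e: e[0])

def eou_timing(config):
    """Derive EAPoUDP timing as the chapter describes it: each of max-retry attempts
    waits out the retransmit timer, then the hold-period keeps the client unchallenged."""
    vals = dict(re.findall(r"^eou (?:timeout )?(max-retry|retransmit|hold-period) (\d+)$",
                           config, re.M))
    retry, rexmit, hold = (int(vals[k]) for k in ("max-retry", "retransmit", "hold-period"))
    return {"seconds_until_failure": retry * rexmit,            # 3 attempts x 5 s = 15 s
            "seconds_between_challenges": retry * rexmit + hold}  # 15 s + 180 s hold = 195 s
```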

For agentless hosts, you can enable the clientless authentication and specify a username and password. The user authentication credential is sent to the RADIUS server for proper action, such as applying appropriate ACLs or requesting an audit server to scan the host. In Example 7-21, a clientless user named clientless is set up with a password of cisco123cisco. It is recommended that clientless machines such as guest hosts and contractors' computers not be given access to the trusted network of the company. Therefore, the RADIUS server can send a downloadable ACL to be applied to the VPN clients that do not have a CTA agent installed.

Example 7-21   EOU Clientless Authentication

CiscoASA(config)# eou allow clientless
CiscoASA(config)# eou clientless username clientless
CiscoASA(config)# eou clientless password cisco123cisco

If clientless authentication is not enabled, the security appliance applies a default ACL, discussed in step 3. Traffic from the VPN client is subject to this ACL based on the permit and deny entries. The active VPN clients are periodically challenged to determine whether posture validation can be done on the client machine based on the configured value of the hold timer.

Additionally, you can use Adaptive Security Device Manager (ASDM) to manage a security appliance. ASDM provides an easy-to-navigate graphical interface to set up and monitor the different features that a Cisco security appliance provides. You can configure the NAC global parameters under Configuration > VPN > NAC, as shown in Figure 7-3.

Figure 7-3 NAC Global Parameters in ASDM

Step 2: Configuring NAC Authentication

For NAC posture validation, a RADIUS server must be defined under the tunnel group. The RADIUS server is available only for the remote-access tunnel groups: IPSec and L2TP over IPSec. If you don't define at least one RADIUS server for the NAC posture-validation process, the sessions will not get authenticated. A RADIUS server is mapped to the tunnel group by using the nac-authentication-server-group command followed by the server tag name. In Example 7-22, the RADIUS server group named Radius is mapped to the NAC-Group tunnel group.

Example 7-22 NAC Authentication Using RADIUS

CiscoASA(config)# tunnel-group NAC-Group general-attributes
CiscoASA(config-tunnel-general)# nac-authentication-server-group Radius

In ASDM, the NAC authentication can be configured under the Authentication tab of the Edit Tunnel Group window by navigating to Configuration > VPN > General > Tunnel Group, as shown in Figure 7-4.

Figure 7-4 NAC Authentication in ASDM

Step 3: Enabling NAC on a User Group-Policy

When a VPN tunnel is established, the security appliance initiates the posture-validation process. During this process, a default ACL is applied on the users to restrict traffic. The security appliance also applies this default ACL if the EAPoUDP communication fails between the client and the ACS server. The purpose of this default ACL is to ensure that remote users do not send unnecessary traffic until their posture is fully validated. You want this ACL to be as restrictive as possible. Therefore, it is recommended that you configure the appropriate inbound and outbound access-control entries (ACEs) to pass necessary packets and deny all other traffic passing through the security appliance. As shown in Example 7-23, an ACL is defined to allow the remote-access users to communicate with the ACS server and the DNS server, and vice versa. All other communication is dropped by the implicit deny of an ACL. This ACL is mapped to the NAC process under the user group-policy by using the nac-default-acl command. The user group-policy name is SecureMeGrp.

Example 7-23  Default ACL for NAC

CiscoASA(config)# access-list NAC-default permit ip host
CiscoASA(config)# access-list NAC-default permit udp any eq 53
CiscoASA(config)# access-list NAC-default permit ip host
CiscoASA(config)# access-list NAC-default permit udp any eq 53
CiscoASA(config)# group-policy SecureMeGrp attributes
CiscoASA(config-group-policy)# nac-default-acl value NAC-default

Note - The NAC default ACL should allow traffic to pass from the VPN clients to the DNS server, and vice versa.

The security appliance supports two timers after successfully completing posture validation for the VPN clients. Both of these timers are configured under the user group-policy, as shown in Example 7-24:
