Chapter 10: Configuring Out-of-Band

Cisco Press

Page 5 of 6
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686

cam login: root
Password:
[root@cam ~]# service perfigo config

Welcome to the Cisco Clean Access Manager quick configuration utility.

Note that you need to be root to execute this utility.

The utility will now ask you a series of configuration questions.
Please answer them carefully.

Cisco Clean Access Manager, (C) 2006 Cisco Systems, Inc.

Configuring the network interface:

Please enter the IP address for the interface eth0 [10.2.0.15]: 10.10.30.5
You entered 10.10.30.5. Is this correct? (y/n)? [y]

Please enter the netmask for the interface eth0 [255.255.255.0]:
You entered 255.255.255.0. Is this correct? (y/n)? [y]

Please enter the IP address for the default gateway [10.2.0.1]: 10.10.30.1
You entered 10.10.30.1. Is this correct? (y/n)? [y]

Please enter the hostname [cam1]: nam
You entered nam. Is this correct? (y/n)? [y]

Please enter the IP address for the name server: [192.168.10.1]: 10.10.30.6
You entered 10.10.30.6. Is this correct? (y/n)? [y]

Would you like to change shared secret? (y/n)? [y]
Please remember to configure the Clean Access Server with the same string. 
Please enter the shared secret between Clean Access Server
You entered: cisco123
Is this correct? (y/n)? [y]

>>> Configuring date and time: 

The timezone is currently set to:America/Los_Angeles
Would you like to change this setting? (y/n)? [y] n

Current date and time hh:mm:ss mm/dd/yy [01:01:01 01/01/07]: 01:20:00 01/01/07
You entered 01:20:00 01/01/07 Is this correct? (y/n)? [y]
Mon Jan 01 01:20:00 PST 2007

You must generate a valid SSL certificate in order to use the Clean Access Manager's secure web console.
Please answer the following questions correctly.
Information for a new SSL certificate:
Enter fully qualified domain name or IP: 10.10.30.5
Enter organization unit name: nacapp
Enter organization name: cisco
Enter city name: san jose
Enter state code: ca
Enter 2 letter country code: us


You entered the following:
Domain: 10.10.30.5
Organization unit: nacapp
Organization name: cisco
City name: san jose
State code: ca
Country code: us
Is this correct? (y/n)? [y]
Generating SSL Certificate...
CA signing: /root/.tomcat.csr -> /root/.tomcat.crt:
CA verifying: /root/.tomcat.crt <-> CA cert
/root/.tomcat.crt: OK
Done

For security reasons, it is highly recommended that you change the default passwords for the root user.
User: root
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Changes require a RESTART of Clean Access Manager.
Configuration is complete.
[root@cam1 ~]# service perfigo reboot

Step 3: Configuring NAC Appliance Server

On NAC Appliance Server, you must again perform some basic configuration using the configuration script. From the NAC Appliance Server CLI, type service perfigo config. Initially, you can access the CLI by attaching a keyboard and monitor to NAC Appliance Manager or via the serial port (38400 bps). After NAC Appliance Server has an IP address, the CLI can be accessed via SSH. Example 10-23 shows the configuration setup script.

Example 10-23 Configuring the NAS via CLI

[root@cas ~]# service perfigo config

Welcome to the Cisco Clean Access Server quick configuration utility.

Note that you need to be root to execute this utility.

The utility will now ask you a series of configuration questions.
Please answer them carefully.

Cisco Clean Access Server, (C) 2006 Cisco Systems, Inc.

Configuring the network interfaces:

Please enter the IP address for the interface eth0 [10.2.0.15]: 10.10.20.5
You entered 10.10.20.5. Is this correct? (y/n)? [y]

Please enter the netmask for the interface eth0 [255.255.255.0]:
You entered 255.255.255.0. Is this correct? (y/n)? [y]

Please enter the IP address for the default gateway [10.2.0.1]: 10.10.20.1
You entered 10.10.20.1. Is this correct? (y/n)? [y]

[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.
Would you like to enable it? (y/n)? [n]

[Management Vlan Tagging] for egress packets of eth0 is disabled.
Would you like to enable it? (y/n)? [n]

Please enter the IP address for the untrusted interface eth1 [10.2.0.15]: 10.10.21.5
You entered 10.10.21.5. Is this correct? (y/n)? [y]

Please enter the netmask for the interface eth1 [255.255.255.0]:
You entered 255.255.255.0. Is this correct? (y/n)? [y]

Please enter the IP address for the default gateway [10.2.0.1]: 10.10.21.1
You entered 10.10.21.1. Is this correct? (y/n)? [y]

[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.
Would you like to enable it? (y/n)? [n]

[Management Vlan Tagging] for egress packets of eth1 is disabled.
Would you like to enable it? (y/n)? [n]

Please enter the hostname [cas1]: l3oobnas
You entered l3oobnas. Is this correct? (y/n)? [y]

Please enter the IP address for the name server: [192.168.10.1]: 10.10.30.6
You entered 10.10.30.6. Is this correct? (y/n)? [y]

Would you like to change shared secret? (y/n)? [y]
Please enter the shared secret: cisco123
You entered: cisco123
Is this correct? (y/n)? [y]

>>> Configuring date and time:


The timezone is currently set to:America/Los_Angeles
Would you like to change this setting? (y/n)? [y] n

Current date and time hh:mm:ss mm/dd/yy [01:01:01 01/02/07]: 01:55:00 01/02/07
You entered 01:55:00 01/02/07. Is this correct? (y/n)? [y]
Tue Jan 02 01:55:00 PST 2007


You must generate a valid SSL certificate in order to use the Clean Access Server's secure web console.
Please answer the following questions correctly.
Information for a new SSL certificate:
Enter fully qualified domain name or IP: 10.10.20.5
Enter organization unit name: nacapp
Enter organization name: cisco
Enter city name: san jose
Enter state code: ca
Enter 2 letter country code: us


You entered the following:
Domain: 10.10.20.5
Organization unit: nacapp
Organization name: cisco
City name: san jose
State code: ca
Country code: us
Is this correct? (y/n)? [y]
Generating SSL Certificate...
CA signing: /root/.tomcat.csr -> /root/.tomcat.crt:
CA verifying: /root/.tomcat.crt <-> CA cert
/root/.tomcat.crt: OK
Done

For security reasons, it is highly recommended that you change the default password for the root user.
User: root
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.


Would you like to change the default password for the web console admin user password? (y/n)? [y]
Please enter an appropriately secure password for the web console admin user.

New password for web console admin:
Confirm new password for web console admin:
Web console admin password changed successfully.

Configuration is complete. 
[root@cas1 ~]# service perfigo reboot

Step 4: Logging In to NAC Appliance Manager

Open a browser and connect to NAM over an SSL connection. Type the IP address or domain name of the NAM (https://10.10.30.5). The default username is admin, and the default password is cisco123.

You can view the NAM configuration at Administration > CCA Manager, as shown in Figure 10-36.

Figure 10-36 NAC Appliance Manager Configuration Page

Step 5: Adding NAC Appliance Server to NAC Appliance Manager

You can add NAC Appliance Server by going to Device Management > CCA Servers > New Server, as shown in Figure 10-37. In the sample topology (see Figure 10-35), NAC Appliance Server is of type Out-of-Band Real-IP Gateway. Be sure to select the proper server type from the drop-down menu.

Figure 10-37 New Server Configuration Page

Figure 10-38 shows that NAC Appliance Server has been added in OOB Real-IP Gateway mode, and its status is connected.

Figure 10-38 Server List

Step 6: Editing Network Settings on NAC Appliance Server

In Figure 10-39, notice that Set Management VLAN ID is not enabled. This is because the switch ports to which NAC Appliance Server is connected are access ports, not 802.1q trunk ports. Therefore, you don't want NAS to tag any packets. In addition, the check box next to Enable L3 Support is checked. This allows NAC Appliance Server to communicate with clients that are Layer 2 adjacent or multiple routing hops away.

Figure 10-39 Server Network Configuration Page

Step 7: Configuring Static Routes

In this example, you don't have to configure any managed subnets. However, you will configure static routes. This is one difference between a Layer 2 OOB deployment and a Layer 3 OOB deployment.

Think of managed subnets as directly connected subnets for routers. So, for user subnets directly connected to NAC Appliance Server, you configure managed subnets.

NAC Appliance Server does not support routing protocols. Therefore, for user subnets that are one or more hops away from NAC Appliance Server, you have to configure static routes. NAC Appliance Server communicates with the user device when the user is in the untrusted VLAN. So, you will configure static routes for the subnets associated with the untrusted VLANs, as shown in Figure 10-40. In this example, VLAN 110 (10.10.110.0/24) is the untrusted VLAN.

Figure 10-40 Adding a Static Route on NAC Appliance Server
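The managed-subnet versus static-route rule from Step 7, written out as an added Python example (not code from the book or from Cisco). It uses the sample topology's values: the NAS untrusted interface eth1 (10.10.21.5/24, gateway 10.10.21.1 from Example 10-23) and untrusted VLAN 110 (10.10.110.0/24); treating the eth1 gateway as the static-route next hop is an assumption.

```python
import ipaddress

# Values taken from the chapter's sample topology: the NAS untrusted interface
# eth1 is 10.10.21.5/24 with gateway 10.10.21.1 (Example 10-23) and VLAN 110 is
# 10.10.110.0/24. Using the eth1 gateway as the next hop is an assumption.
NAS_UNTRUSTED_IF = ipaddress.ip_interface("10.10.21.5/24")
NAS_UNTRUSTED_GW = "10.10.21.1"

def classify_user_subnet(subnet, nas_if=NAS_UNTRUSTED_IF, gw=NAS_UNTRUSTED_GW):
    """Apply the Step 7 rule: a user subnet on the same segment as the NAS
    untrusted interface is a managed subnet; anything one or more hops away
    needs a static route, because the NAS runs no routing protocol."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.subnet_of(nas_if.network):
        return ("managed", None)
    if net.overlaps(nas_if.network):
        # A supernet of the NAS segment is not a valid user subnet entry
        raise ValueError(f"{net} overlaps the NAS network {nas_if.network}")
    return ("static_route", gw)

def plan_nas_routing(subnets):
    """Group the untrusted-VLAN subnets into what must be entered on the NAS."""
    plan = {"managed_subnets": [], "static_routes": []}
    for s in subnets:
        kind, gw = classify_user_subnet(s)
        if kind == "managed":
            plan["managed_subnets"].append(str(ipaddress.ip_network(s)))
        else:
            plan["static_routes"].append((str(ipaddress.ip_network(s)), gw))
    return plan

if __name__ == "__main__":
    print(plan_nas_routing(["10.10.21.0/24", "10.10.110.0/24"]))
```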

Step 8: Configuring a Switch Group

This step is optional. A preconfigured Default group is already present. When you add switches to be managed by the NAC Appliance Manager, they are added to the Default group. You can configure additional groups and then add the switches in a particular group. By doing this, when you list the switches, you can list them by group. This step is useful if you have a large number of switches to be managed by NAC Appliance. In this example, you will configure a group called cat3750, as shown in Figure 10-41.

Figure 10-41 Adding a Switch Group

Step 9: Configuring a Switch Profile

A switch profile is configured to define how NAC Appliance Manager communicates with the switches. When you add the switches to be managed by NAC Appliance Manager, you will configure which profile the switch belongs to. You must add a switch profile for each model of Cisco switch you manage. Figure 10-42 shows the switch profile configuration page.

Figure 10-42 Adding a Switch Profile

Make sure that you configure the switch model, the SNMP port, and the SNMP read/write community strings to match the configuration on each switch.

Step 10: Configuring a Port Profile

A port profile is applied to a port to determine whether it is controlled by NAC Appliance. You can configure the authentication VLAN, default access VLAN, and VLAN assignment method using port profiles. Remember that the authentication VLAN is the same as the untrusted VLAN or quarantine VLAN. The access VLAN is the trusted side VLAN. In the configuration (see Figure 10-35) for the Access VLAN field, User Role VLAN has been chosen from the drop-down menu. This means that when the user is authenticated and healthy, the VLAN to which the user is moved is determined by user role. Figure 10-43 shows the port profile configuration page.

Figure 10-43 Port Profile Configuration Page

The Generate Event Logs When There Are Multiple MAC Addresses Detected on the Same Switch Port option is enabled so that you will know if an end user has connected a hub or an unmanaged switch behind the NAC-controlled switch.

The Remove Out-of-Band Online User When SNMP Linkdown Trap Is Received option is enabled so that if the user machine is disconnected from the switch port, the user will be logged off from NAC Appliance.

In a scenario in which a user connects a machine behind an IP phone, the switch will not detect a linkdown when the user disconnects and therefore will not log off the user from NAC Appliance. The Remove Other Out-of-Band Online Users on the Switch Port When a New User Is Detected on the Same Port option is enabled so that if a new user is detected on a port, NAC Appliance will automatically log off the old user. In addition, the Remove Out-of-Band Online User Without Bouncing the Port option is checked. This is required if clients will be behind IP phones.
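As an added illustration (not code from the book or from Cisco), the following Python models how the three port-profile options above interact on one controlled port when the switch sends mac-notification and linkdown traps, including the IP-phone case where no linkdown arrives. The trap dictionaries, port name, MAC addresses and user names are constructed.

```python
from collections import defaultdict

class OobPortTracker:
    """Constructed model of the three Step 10 port-profile options (not Cisco's code)."""

    def __init__(self, remove_on_linkdown=True, remove_others_on_new_user=True,
                 log_multiple_macs=True):
        self.remove_on_linkdown = remove_on_linkdown
        self.remove_others_on_new_user = remove_others_on_new_user
        self.log_multiple_macs = log_multiple_macs
        self.online = defaultdict(dict)  # port -> {mac: online user}
        self.events = []                 # (kind, port, detail), in order

    def handle_trap(self, trap):
        """trap: {"type": "mac-notification-added"|"linkdown", "port", "mac", "user"}"""
        if trap["type"] == "linkdown":
            self._linkdown(trap["port"])
        elif trap["type"] == "mac-notification-added":
            self._mac_added(trap["port"], trap["mac"], trap.get("user"))

    def _mac_added(self, port, mac, user):
        current = self.online[port]
        if mac in current:
            return
        if current and self.log_multiple_macs:
            # More than one MAC on a controlled port: hub or unmanaged switch
            self.events.append(("multiple_mac", port, sorted(current) + [mac]))
        if current and self.remove_others_on_new_user:
            # New user on the port: log the previous online user(s) off
            for old_mac, old_user in list(current.items()):
                self.events.append(("logoff", port, old_user))
                del current[old_mac]
        current[mac] = user

    def _linkdown(self, port):
        if not self.remove_on_linkdown:
            return
        for user in list(self.online[port].values()):
            self.events.append(("logoff", port, user))
        self.online[port].clear()

def ip_phone_scenario():
    # alice unplugs from behind the phone (no linkdown trap), then bob plugs in
    t = OobPortTracker()
    for mac, user in (("0011.2233.4455", "alice"), ("0011.2233.6677", "bob")):
        t.handle_trap({"type": "mac-notification-added", "port": "Fa1/0/5",
                       "mac": mac, "user": user})
    return t.events, dict(t.online["Fa1/0/5"])
```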

Step 11: Configuring the SNMP Receiver

The SNMP receiver configuration must match the SNMP configuration on the NAC-controlled switches. The SNMP receiver receives and responds to SNMP traps sent by switches. Figure 10-44 shows the SNMP receiver configuration for the sample topology.

Figure 10-44 SNMP Receiver Configuration Page

Advanced settings with which you can tweak different timers are also available, as shown in Figure 10-45. Tweaking the timers is not required unless there is unexpected latency in the communication between the switch and NAC Appliance Manager.

Step 12: Adding the Switch to NAC Appliance Manager

For NAC Appliance to manage a switch, the switch must first be added (see Figure 10-46). This page can be found by navigating to Switch Management > Devices > New.

Figure 10-45 SNMP Receiver Advanced Setting

Figure 10-46 Add a New Switch Configuration Page

You must choose the appropriate switch profile and switch group. Make sure that you set Default Port Profile to Uncontrolled. Enter the IP address of the switch and click Add.

Step 13: Configuring Ports to Be Managed by NAC Appliance

Now that the switch has been added, NAC Appliance dynamically learns all its ports. To view them, click the Ports icon for the switch, as shown in Figure 10-47. Doing so lists all the ports available on that switch, as shown in Figure 10-48.

Figure 10-47 Switches List

Figure 10-48 Port List

Because the user PC is connected to Fa1/0/5, change the profile for port Fa1/0/5 to the NAC_controlled port profile and click Update. When you click the Setup button, NAC Appliance Manager adds the interface command snmp trap mac-notification added to the Fa1/0/5 configuration. This change is made only to the running configuration of the switch; to save it to the startup-config, click the Save button.

Step 14: Configuring User Roles

For the sample topology, you will configure three user roles: Guest, Consultant, and Employee. In the user role page, you will define the OOB user role VLAN. This is the VLAN to which the switch port will be assigned when a user belonging to the user role completes the NAC process. See Figure 10-35 for a list of these VLAN assignments. Remember that all references to roaming, IPsec, and VPN on the user role configuration page should be ignored because they are deprecated features. Figure 10-49 shows the user role creation for Guest.

Figure 10-49 Adding a User Role—Guest

Figure 10-50 shows the user role creation for Consultant.

Figure 10-50 Adding a User Role—Consultant

Figure 10-51 shows the user role creation for Employee.

Figure 10-51 Adding a User Role—Employee

Figure 10-52 shows all the user roles.

Figure 10-52 User Role List

Step 15: Configuring User Authentication on the Local Database

Add two local users to the NAC Appliance local database: an employee and a consultant. These local user accounts will be used for testing purposes. In a production environment, you should configure an LDAP, Kerberos, or RADIUS server instead of a local user database. Local users should generally be used only for testing and guest access. Figure 10-53 shows the creation of a Consultant user.

Figure 10-53 Adding a Local User—Consultant

Figure 10-54 shows the creation of an Employee user.

Figure 10-54 Adding a Local User—Employee

Step 16: Changing the Discovery Host

NAC Appliance Agent sends discovery packets to discover the NAC Appliance Server so that it can start communicating with it and begin the NAC process. These packets are sent on UDP ports 8905 and 8906.

NAC Appliance Server listens on the UDP ports 8905 and 8906. So, when it receives packets from NAC Appliance Agent on these ports, it knows that a new host has connected to the network and instructs NAC Appliance Agent to pop up and challenge the user for authentication. The NAC Appliance Server doesn't forward these packets out on the trusted network.

The packets on UDP 8905 are sent to the default gateway of the user device. Therefore, if a NAC Appliance Server is Layer 2 adjacent to the user, the NAC Appliance Agent packets will reach NAS.
