Cisco's NAC gets a Major Upgrade, including Mac OS posture assessment and support for 1.4 million clients

Cisco announced the availability of NAC Appliance release 4.5. This is a major release upgrade that contains many of the features that customers and I have been waiting for. NAC Appliance 4.5 steps up Cisco’s offering to the next level. According to Cisco, “Release 4.5 increases the scalability and power of the Cisco NAC Appliance by delivering many new functions, including wireless out-of-band support, Mac OS posture assessment, and importing and exporting of NAC policies.” I’ll focus this blog on just a few of the more interesting features that come with the new 4.5 update.

  • Wireless OOB NAC support for Cisco controller based networking
  • Mac OS X posture assessment is added to the previously authentication-only Mac NAC client
  • Importing and exporting of NAC policies, allowing community sharing and better support for large environments with multiple NAC Managers.
  • Switchport VLAN can be set to any VLAN value after detection of an OOB client logoff. This can greatly reduce exposure to the DHCP race issue.
  • External Authentication Server (Kerberos, LDAP, or Radius) support for CAM/CAS Web Administrator Login. Hooray!
  • The end of the software only NAC Appliance. To upgrade to 4.5 and beyond you must use Cisco Appliance hardware.
The new wireless OOB NAC feature allows Cisco NAC Appliance to interact with Cisco Wireless LAN Controllers. Each wireless SSID is now configured with an authentication VLAN (for quarantine) and an access VLAN (for when the client has passed NAC inspection). This allows you to separate your quarantine and access VLANs per SSID. When a client logs into their wireless SSID, they are moved to the authentication VLAN immediately. Next, optional single sign-on authentication happens, where the controller shares the successful wireless client login info with the NAC Appliance infrastructure. A NAC Appliance Server then proceeds with its posture assessment and any subsequent client remediation required. Finally, once the client is declared “clean” by Cisco NAC, it tells the Cisco wireless controller, which moves the client into the access VLAN configured for the SSID. At this point the client is riding on the access VLAN where no Cisco NAC Appliance Server is present, thus it is considered Out-of-Band. In a nutshell, wireless OOB NAC works very similarly to how Cisco’s wired OOB NAC has for years. One caveat worth mentioning is that wireless OOB does not work with the Cisco NAC Network Module. This is because wireless OOB NAC requires a Layer 2 OOB Virtual Gateway deployment that requires no IP change, and the NAC NM does not support this topology.

I and a lot of NAC customers have been waiting for NAC posture assessment support on Mac OS machines. It finally arrives with NAC 4.5! NAC 4.5 includes a new Clean Access Agent for Mac OS 10.4 and 10.5 machines. This new agent allows you to create anti-virus and anti-spyware posture assessments on your Macs. Mac user authentication has been around for a while, but now we get posture assessment too. This is sure to be very unpopular with student Mac owners who have heretofore been exempt from the NAC posture assessment their Windows brethren have been subjected to for some time.
Customers who have deployed, or are looking to deploy, more than one set of NAC Appliance Managers in their environment have had to put up with managing their policies completely separately on each NAC Manager pair. Previously there was no configuration sync between Managers. NAC 4.5 fixes that by offering a clustering-like technology in which many NAC policies and configurations are synchronized between multiple NAC Managers. According to Cisco, the feature works this way:
The Policy Import/Export feature allows administrators to propagate device filters, traffic and remediation policies, and OOB port and VLAN profiles from one CAM to several CAMs. Policies are defined on a single CAM which you configure as the Policy Sync Master, and a maximum of 10 CAMs or 10 CAM HA-pairs are supported as Policy Sync Receivers. You can export policies using Manual Sync or Auto Sync. Auto Sync allows you to schedule an automatic Policy Sync once every x number of days.
This feature allows Cisco NAC Appliance to seamlessly scale to support a theoretical maximum of 1.4 million NAC clients! Here is how I arrived at that number: 10 NAC Managers can support a max of 40 NAC Servers each, and each NAC Server can support up to 3500 NAC clients. So 10 x 40 x 3500 = 1,400,000 clients. Now that’s a heck of a lot of NAC.

This next feature is close to my heart. It’s been something Cisco NAC has needed for a long time. Cisco NAC 4.5 provides the ability for the administrator to configure what VLAN a switchport gets moved back to once an Out-of-Band client logoff or disconnection is detected. Previously, NAC would not change the switchport VLAN on OOB client logoff. This created two potential issues when OOB was used: unpredictable results under certain NAC failure scenarios and the creation of a race condition between DHCP and NAC. I won’t go into more detail on these issues now (unless you ask), but it’s safe to say that several OOB NAC customers will be thrilled to see these potential issues go away.

The added support for using an external authentication server to authenticate NAC admins is pretty self-explanatory, so I won’t go into detail on it except to say it supports RADIUS, LDAP, and Kerberos.

The last new NAC 4.5 feature I want to highlight is the death of the software-only NAC Appliance solution. This has been rumored for a long time, and with 4.5 it is finally happening. Basically, anyone using their own hardware to run NAC Appliance will not be able to upgrade to NAC 4.5 or beyond. This will encourage that small subset of Cisco NAC customers who have not migrated to Cisco hardware to do so soon.

There are lots of other features I didn’t cover in the NAC 4.5 release. To read about them and obtain more detail on the ones I did mention, here are some good resources for you to continue your research:
  • Cisco NAC Appliance 4.5 Release Notes
  • Cisco NAC Appliance 4.5 Video Datasheet
  • Configuration Guide for NAC Manager 4.5
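To make the OOB lifecycle described above concrete (the wireless SSID flow from quarantine VLAN to access VLAN, and the 4.5 option of returning a port to a chosen VLAN on logoff), here is an added example: a small Python model of one attachment point, a switchport or a wireless SSID, moving between its authentication and access VLANs. It is a constructed illustration written for this post, not Cisco code and not part of the original article; the VLAN numbers, the state names, the posture check names, and the `exposed()` check are assumptions made for the demo. It runs the same client through both the pre-4.5 logoff behaviour (VLAN left unchanged) and the 4.5 return-to-VLAN option so the difference is visible in the trace.

```python
# Constructed model of a NAC Appliance Out-of-Band (OOB) attachment point.
# The same state machine covers a wired switchport or a wireless SSID.
# Illustration only: not Cisco's implementation, VLAN numbers are made up.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    UNAUTHENTICATED = "unauthenticated"  # client sits on the authentication (quarantine) VLAN
    ASSESSING = "assessing"              # NAC Server is running posture checks
    REMEDIATING = "remediating"          # a check failed; client stays quarantined
    ACCESS = "access"                    # declared clean; on the access VLAN, out-of-band


@dataclass
class AttachmentPoint:
    """A switchport or SSID with its quarantine and access VLANs.

    logoff_vlan=None models the pre-4.5 behaviour the post describes: the VLAN is
    not changed when an OOB client logoff is detected. A VLAN number models the
    4.5 option of returning the port to an administrator-chosen VLAN on logoff.
    """
    auth_vlan: int
    access_vlan: int
    logoff_vlan: Optional[int] = None
    vlan: int = field(init=False)
    state: State = field(init=False)
    trace: list = field(init=False, default_factory=list)

    def __post_init__(self):
        self.vlan = self.auth_vlan
        self.state = State.UNAUTHENTICATED
        self._record("connect")

    def _record(self, event):
        self.trace.append((event, self.state.value, self.vlan))

    def login(self, credentials_ok: bool):
        """Wireless SSO or web login; success hands the client to the NAC Server."""
        if self.state is not State.UNAUTHENTICATED:
            raise RuntimeError("login is only valid from the quarantine VLAN")
        if credentials_ok:
            self.state = State.ASSESSING
        self._record("login")

    def assess(self, checks: dict) -> list:
        """Posture assessment, e.g. {'antivirus': True, 'antispyware': False}.
        Returns the failed check names; the client stays quarantined until all pass."""
        if self.state not in (State.ASSESSING, State.REMEDIATING):
            raise RuntimeError("assessment requires an authenticated, quarantined client")
        failed = [name for name, ok in checks.items() if not ok]
        if failed:
            self.state = State.REMEDIATING
        else:
            # Clean verdict: NAC tells the switch or controller to move the client to
            # the access VLAN, where no NAC Server sits in the path (out-of-band).
            self.state = State.ACCESS
            self.vlan = self.access_vlan
        self._record("assess")
        return failed

    def logoff(self):
        """OOB client logoff or disconnect detected by NAC."""
        self.state = State.UNAUTHENTICATED
        if self.logoff_vlan is not None:
            self.vlan = self.logoff_vlan
        self._record("logoff")

    def exposed(self) -> bool:
        """Simplified risk check (an assumption of this demo): no authenticated client,
        yet the port still sits on the access VLAN, so the next device to connect
        would land there without posture assessment."""
        return self.state is State.UNAUTHENTICATED and self.vlan == self.access_vlan


def walk(logoff_vlan: Optional[int]) -> AttachmentPoint:
    """Run one client through login, a failed then a passed posture check, and logoff."""
    ap = AttachmentPoint(auth_vlan=110, access_vlan=10, logoff_vlan=logoff_vlan)
    ap.login(credentials_ok=True)
    ap.assess({"antivirus": True, "antispyware": False})  # fails -> remediation
    ap.assess({"antivirus": True, "antispyware": True})   # passes -> access VLAN
    ap.logoff()
    return ap


if __name__ == "__main__":
    for label, lv in (("pre-4.5, VLAN left as-is", None), ("4.5, return to auth VLAN", 110)):
        ap = walk(lv)
        print(f"{label}: final vlan {ap.vlan}, exposed={ap.exposed()}")
        for event, state, vlan in ap.trace:
            print(f"    {event:8s} {state:16s} vlan {vlan}")
```

Running it prints the two traces side by side: both clients go 110 (quarantine) to 10 (access) once the second assessment passes, but only the 4.5-style port returns to 110 on logoff; the pre-4.5 port stays on VLAN 10 with no client authenticated, which is the condition the new logoff VLAN setting removes.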

The opinions and information presented here are my personal views and not those of my employer.


Copyright © 2008 IDG Communications, Inc.