1 NAC Guest Lab Exercises November 25 th, 2008
2 2 Table of Contents Introduction... 3 Logical Topology... 4 Exercise 1 Verify Initial Connectivity... 6 Exercise 2 Provision Contractor VPN Access... 7 Exercise 3 Setup NAC for Contractor Access Exercise 4 Setup & Integrate NAC Guest Server Appendix A Answers to Exercise Questions Appendix B Common Issues/Gotchas... 33
3 3 Introduction ACME was completely satisfied with the previous NAC implementation work you provided and has contacted you for follow-on professional services work. To recap, you implemented NAC appliance with Single Sign On (SSO) to existing Active Directory credentials for VPN users. These users were checked to determine if they had Anti-Virus software installed and were using ACME issued devices. Non-compliant devices were provided with automatic remediation from the NAC manager. You suggested using Cisco ACS and IETF standards based RADIUS to provide both authentication and accounting as well as supplied them with a sample of the RADIUS accounting information that would be created. The follow-on project is to allow temporary guest access for contractors via VPN. You called an additional design meeting where it was decided that contractors would be required to install the Cisco AnyConnect VPN Client (AVC) and some type of antivirus software. Contractors only require access to a specific web based application and should be prevented from consuming too much bandwidth. You explained that there are multiple Guest options for NAC Appliance and the customer may want to consider the functionality of each. You will install a pilot with AVC using the built in guest functionality and guest server. NAC Appliance will be used to validate the posture of the contractor workstation and limit their access and bandwidth usage.
4 4 Logical Topology The diagram below depicts the logical L3 topology of the network that will be used in this lab. Please note that the UserPCs and Servers are VMWare images and that if you use shutdown you will loose all changes. Please ensure that you use restart, when needed. Unless otherwise specified, userids are administrator and passwords are cisco123 all in lower case. The default VNC password is cisco123. Firewall Outside VLAN /24.50 User PC 2 Win200 Pro SP4.254 outside (0) e0/0 Network Management VLAN / NAC-Server Inband VPN.1 fa0/ e0/1 inside (100) Fa X-over cable Server Bypass Firewall Inside NAC Untrusted VLAN /24 Firewall Inside NAC Trusted VLAN /24 Bridged Security Services VLAN /24.33 fa0/ NAC-Manager MAC Agent Win Agent Web Agent ACS 4.1 Win 2k DC DNS DHCP IIS Syslog fa0/ fa0/ Windows Servers VLAN /24 User PC 1 Win200 Pro SP4.50 Client Stations VLAN /24 NOTE: You may want to re-read the Introduction because there are several items that need done from the original statement of work.
5 5 Disclaimer This lab is intended to be a simple sample of one way to configure NAC in-band for VPN with NAC Guest Server. There are many ways NAC can be configured which vary depending on the situation and customer requirements. Please ensure that you consult all current Cisco documentation before proceeding with a design or installation. This Lab is primarily intended to be a learning tool and may not necessarily follow best practices. Documentation for NAC can be found on CCO: Additional training materials can be found on CCO under the Partner E-Learning Connection / PEC as follows; (requires a CCO Login): (From this location select Technologies, then All Offerings next to Security. Enter NAC in the keywords box and click search to see available NAC offerings) Version information is as follows: The labs were constructed using the following software version NAC Manager NAC Server NAC Windows Agent NAC Web Agent NAC Guest Server ACS (build12) ASA 8.0.2
6 6 Exercise 1 Verify Initial Connectivity Access UserPC1 and ping the following (note that UserPC1 belongs to the Wile E. Coyote): UserPC1 Default gateway Windows DC ASA Firewall Inside interface Access UserPC2 and Ping the following (note that UserPC2 belongs to the Contractor): Outside interface of the ASA If you have successfully completed theses connectivity test please continue. If not, troubleshoot your lab to identify and resolve any issues before proceeding. As in the real world, it is essential to verify the state of the network prior to starting an implementation! Q1.1: Do you agree with base-lining the network? Why/Why not?
7 7 Exercise 2 Provision Contractor VPN Access In this section you will set up SSL VPN on the ASA using the AnyConnect VPN Client and a single internal userid on the ASA. Recall that access will be controlled by the NAC infrastructure and posture will be assessed using the web agent on the contractor PC. Provisioning of temporary contractor login IDs in the NAC infrastructure will be done in subsequent steps. Section 1 - Set up ASA for AVC Access the Cisco ASDM Launcher from UserPC1 and login to the ASA (Device IP: ; Username administrator; Password: cisco123). Navigate to the Configuration tab, click on the Remote Access VPN button, and then expand the Network (Client) Access section. Select AnyConnect Connection Profile.
8 8 From here, select the Add button to add a new connection profile. Name the new profile Contractor-AVC and give it an alias of contractor. Next select the manage option for the DfltGrpPolicy to open the window and create a new group policy.
9 9 From this new window select Add and name the new group policy contractor, uncheck Inherit for both the Banner and Address Pools. Set the banner to Welcome Contractor and then click on Select to create a new address pool. Once Select is clicked the following window will appear: From the Select Address Pool window click on Add and add a new pool with the following info:
10 10 Name: contractor-avc-pool1 Starting IP Address: Ending IP Address: Subnet Mask: Note: You previously added a static route in the NAC Server for the /24 subnet pointing at the inside address of the ASA. This is the subnet that the customer had reserved for their VPN pools. Since there are still available addresses in this pool that we are using for the AVC, you do not need to update the route in the NAC Server. If you had added new addresses, you would have had to add a static route for the new range.
11 11 After entering the information into the Add IP Pool window and click OK. From here select the new pool and click on Assign and then click OK. Ensure that the new address pool now shows as the selected Address Pool. Expand the More Options section and uncheck the Inherit box next to Tunneling Protocols and Simultaneous Logins and fill in the following information: Tunneling Protocols: SSL VPN Client Simultaneous Logins: 10
12 12 Click OK on the Configure Group Policy window, the Configure Group Polices window, and the Add SSL VPN Connection Profile window. This will return to the following ASDM window. At this point you are ready to enable SSL VPN Access on an external interface. Click on the Enable Cisco AnyConnect VPN check box in the Access Interfaces section. This will result in a popup asking you to designate an AnyConnect image.
13 13 Click Yes and then click Browse Flash to select the Windows AnyConnect image (anyconnect-win k9.pkg). Click OK and then OK again to return to the main ASDM screen. Now click Allow Access on the outside interface to allow AVC on this interface. Apply when finished. Q2.1: What have we configured so far?
14 14 Next you will need to add the internal userid for the contractor into the ASA. Expand the AAA/Local Users item in the tree and select then Local Users. Click Add and set the username and password as follows. Also, click the bullet next to No ASDM, SSH, Telnet or Console access under the Access Restriction section. Username: contractor Password: cisco123 Access Restriction: No ASDM, SSH, Telnet or Console access
15 15 Next select VPN Policy, from the left side column. Unselect Inherit for the Group Policy and choose contractor from the drop down box. Click OK when done. After clicking OK on the Add User Account window above you should be returned to main ASDM screen. Apply and Save the configuration to the ASA.
16 16 Section 2 Test Access from Contractor PC Access UserPC2 and login (VNC Password: cisco123; username: administrator; password: cisco123) Open a web browser and browse to the outside interface of the Firewall: https:// /contractor Proceed at the Security Alert and enter the userid of contractor and password of cisco123 on the login screen. Click Login. You should be presented with the following screen:
17 17 Click Continue and the AVC installer should start. If you are prompted, accept the certificate and continue. Install and connect screens are shown below:
18 18 After connecting with the AVC, look at the AnyConnect VPN Client by double clicking the AVC icon in the system tray. Verify your IP address to ensure it came from the VPN pool as you configured it. At this point you are connected to the network as a contractor.
19 19 Q2.2: What can you reach and Why/Why not? Q2.3: What do we need to do next?
20 20 Exercise 3 Setup NAC for Contractor Access At this point you are now ready to build the contractor role within the NAC environment and set up the restrictions as per the customer s specifications. As you recall, the customer would like to have the contractor s access restricted to only allow http access to the intranet web server as well as restrict the bandwidth for the entire contractor group. Section 1 Create the Contractor Role and Set its Restrictions Access the NAC Manager Configuration screen from UserPC1 and login. To do this, click on the Internet explorer icon on the desktop. From the IE home page, select the CAM / NAC Manager link and login with the credentials admin / cisco123. Navigate to User Roles in the User Management pane. Add a new role called contractor and set the description. Also, set the Max Sessions per User Account to 20 and take the defaults for the remaining items. Click Create Role.
21 21 Now click the Policies link for the new contractor role you just created. Add a policy to the contractor role by clicking Add Policy. (Note: The contractor role is preselected for you.)
22 22 Now set it up to only allow http to the intranet web server at :80 Next, add a Bandwidth policy to restrict the bandwidth for the contractor role. Click the Bandwidth tab then click the Edit icon associated with the contractor role. Set the Upstream Bandwidth and Downstream Bandwidth each to 100. Set the Burstable Traffic to 10 and give this policy a description.
23 23 Now add an internal userid called testcontractor and set the password to cisco123. To do so navigate to Local Users under the User Management pane, then select the Local Users tab, and the New sub-tab. Place this user in the contractor role and click Create User. At this point you are ready to test. Before testing answer the following questions: Q3.1: Can the contractor connect to the intranet web server now? Why/Why not? Q3.2: What are the role requirements for the new Contractor role? From UserPC2 attempt access the intranet website (http:// ). The contractors don t have SSO so you ll be redirected on the NAC and asked to login. Login with the test credentials you just created (testcontractor/cisco123) to view the intranet s website. Q3.3: Is this what you expected?
24 24 Exercise 4 Setup & Integrate NAC Guest Server The final step to completing the guest access options for you customer is to install and integrate the NAC Guest Server. This will enable employees to add guest accounts on the fly. They will do this through the guest server web interface, instead of adding them to the NAC infrastructure like we did for the testcontractor or allowing contractors to enter their own credentials. Section 1 Initial set up of Guest Server Bootstrap guest server. NOTE: Already done. This process is similar to NAC Manager and NAC Server. Access guest server admin interface to complete initial configuration from UserPC1 s web browser; https:// /admin userid: administrator password: cisco123
25 25 Next add a sponsor account by navigating to Authentication > Sponsors > Local User Database tab. Click on Add user to add the sponsor account. Wile E. Coyote will be the Lobby Ambassador that will build the guest accounts. Set the username to wecoyote with a password of cisco123 and add Wile s address of Click on Add User.
26 26 Next add the definition for the NAC Server by navigating to Devices > NAC Appliance and clicking on Add NAC Appliance. Now add the definitions for the NAC Manager. Name: NAC Manager Address: Admin Username: administrator Password: cisco123 Role: contractor
27 27 Click Add NAC Manager. Now test the connectivity to the NAC Manager by selecting the Test Connection button. A NAC test account will be added and then deleted. Note: If you want to see if this really happened in the NAC Manager, go check the Monitoring > Event Logs and you will see the creation/deletion of a test user. Next, setup functionality by going to Devices > Settings and entering the following information: Enable Yes SMTP Server: Sent From Address:
28 28 Click Save Settings. Note: This will require a restart. Execute the restart using the Restart button after saving the settings. Logout of the administrative interface and log into the sponsor interface by navigating to https:// / and logging in with the account created above which should have been userid of wecoyote with a password of cisco123. You will know you are on the right page is the screen display Cisco NAC Guest Server and not Cisco NAC Guest Server Administration. Next test the functionality by adding a guest account for the Road Runner, who is now a contractor using SSL VPN, to log in. Navigate to User Accounts > Create and add the user s info: First Name: Road Last Name: Runner Company: Road Runner Contracting Address: Note the time ranges. Take the defaults for now but can you see how to control this user s access to the customer s network? Click Add User.
29 29 After Adding the Account you should see the following screen indicating the account was successfully created. Ensure that you capture the username and password which will be used later in the lab. In a production environment, this information can be printed or sent via or sms text message.
30 30 On UserPC1 navigate back to the NAC Manager and login if required (admin / cisco123) Remove active users from the Online Users list in the NAC Manager by navigating to Monitoring > Online Users and selecting Kick Users. On UserPC2 attempt to access the test web server at When prompted for credentials, enter the new Guest account you just created and click Continue. The username is and the password was randomly generated by the Guest Server.
31 31 As a final check, take a look at the local users in the NAC Manager by browsing to User Manager, Local Users. After selecting the Local Users tab, you should see with a Description of Created using API. This completes the basic setup and testing of the Guest Server. Congratulations, this concludes the lab exercises!
32 32 Appendix A Answers to Exercise Questions Q1.1: Do you agree with base-lining the network? Why/Why not? Always baseline a network so you understand what works/doesn t work BEFORE you start. How can you know if you solved a problem if you don t know what the state of the situation was before you started? Q2.1: What have we configured so far? AnyConnect VPN on the ASA for contractor access. Q2.2: What can you reach and Why/Why not? Though the contractor has established a VPN through ACME s ASA they have not gone through the NAC Server. Therefore the contractor is stuck on the untrusted side. This means that until they authenticate through NAC they will have no access to the intranet. The only things reachable (i.e. pingable) are (the ASA) and (the NAC Server). Q2.3: What do we need to do next? Since there currently is no Contractor role in NAC the contractor cannot pass through the NAC Server. If this was Road Runner attempting to connect, say from his home PC, he would not be able to connect either. Though Road Runner may be able to login and his PC may even have clamwin installed, his PC would still fail the hidden registry check. (Again, assuming this was his home PC and it didn t have the registry value.) Q3.1: Can the contractor connect to the intranet web server now? Why/Why not? Yes the contractor can authenticate at the NAC Server and be assigned a role (the Contractor role) which has permissions to contact the intranet web server on port 80. Q3.2: What are the role requirements for the new Contractor role? Currently there are no requirements associated with the Contractor role. Q3.3: Is this what you expected? Since the contractor s credentials associate to the Contractor role and that role does permit port 80 access to the intranet web server, then yes, this behavior is expected.
33 33 Appendix B Common Issues/Gotchas 1. Remember to use caution during the initial configuration of the NAC Server to ensure that the untrusted interface is not connected to the network. This could result in spanning-tree issues until the configuration is complete. 2. The NAC Manager cannot be on the NAC Server s trusted VLAN. Therefore always setup a VLAN further in the intranet for the NAC Manager. 3. NAC Server doesn t auto negotiate a trunk port. Remember you ll need to hard code the dot1q trunking on the switch port, if require are trunking to the NAC Server. 4. As a safety precaution, set the native VLAN on the trunk ports going to the NAC Server to non-existent (and different) VLANs. 5. If using FQDN for the NAC appliances and using signed certificates make sure that DNS is not broken for the authenticating users using the NAC Agent. (For example, when programming the Discovery Host on the NAC Manager and using a server name instead of IP address.) 6. Remember to create the default login page.