Auth and Autho mechanism in NAP-NAC deployment scenario

Question

  • Hi,

    We are piloting NAP for an unmanaged scenario as described in diagram later.

    We found that in the case of PEAP, the authentication packets are not forwarded to the NPS server. We enabled 802.1x auth on the Cisco 2811 port. Hosts are connected to the Router via a Dlink DES 1024 R 802.1x non-compatible switch. The switch has an uplink to the Router on port fe0/0. The switch has an uplink to the Server LAN. The Router could not challenge the hosts and the port is forced authorized; therefore, after attempting to acquire an IP address, hosts directly get network access and do not attempt port authentication.

    We concluded that using PEAP and 802.1x on the router in an unmanaged switching scenario does not support multi-host.

    The other option that we can try out is the Cisco EAP-FAST module with the MS NAP agent. Please correct me if I am wrong in my understanding of the working of the NAP - NAC scenario depicted below and the feasibility of achieving the goal.

    1. The goal to achieve is that without auth, auth and posture verification, no host will be allowed to use the network (WAN side). Therefore the necessary ACLs are to be defined on the router for all hosts.

    2. In the setup we have a few hosts which are connected to a non-802.1x compatible switch which has an uplink to the router, as in the network diagram below:

    ---------     ----------------       -----------       ---       --------------
    User PCs |-->|Unmanaged Switch| --> |2811 Router| --> |ACS| ---> |MS NAP Server |
    ---------     ----------------       -----------       ---       --------------

    3. User requests will come to the Router via the unmanaged switch and the Router will consider all hosts as Authorized. There will be no 802.1x authentication.

    4. In EAP-FAST, ACS will act as the EAP server. Hosts to EAP server will be a two-phase auth & auth process.

    5. ACS will do the user \ machine authentication against the User database in MS AD.

    6. Post successful authentication, ACS will communicate with MS NAP for posture \ health verification.

    7. On success, hosts will be authorized and allowed to use the network.

    8. On failure, ACS will download \ push dynamic access lists to the Router interface and block client access.

    To carry out this scenario, I need a few clarifications on the queries below.

    1.    In the case of the EAP-FAST method, I suppose auth & auth packets will be carried over 802.1x, but not similarly to PEAP since tunnels are created. Please clarify.

    2.    Will the router intercept the process of authentication and authorization between Hosts and RADIUS (in this case ACS)?

    3.    Is there any limitation on NAD (switch \ router) make and model for NAP-NAC? Since it is carried out over 802.1x, what configuration is to be done on the Router \ Switch?

    4.    Can we push ACLs from NPS to the router to restrict non-compliant hosts?

    I am referring to the MS and Cisco published NAP-NAC interoperability guides.

    Thanks in advance.

    Saturday, January 31, 2009 9:38 AM

Answers

  • Hi,

    The 2811 router does not appear in the list of NAP-NAC compatible devices - although Cisco could confirm this. The client is required to send EAP messages over 802.1X using a compatible device. If the setup doesn't support 802.1X, then I don't believe you will be able to use NAP-NAC. However, you can use NAP with IPsec enforcement with a configuration similar to the following:

    ---------     ----------------       -----------       -----------------
    User PCs |-->|Unmanaged Switch| --> |2811 Router| --> |MS NAP Server(s) |
    ---------     ----------------       -----------       -----------------

     

    In this case, the NAP servers would be NPS, HRA, and CA. These can be installed on separate computers, or the same computer.

     

    NPS does not push ACLs down in the same way that ACS does (NPS does not use downloadable ACLs), but it can enforce ACLs. With NPS, you must configure the ACL on the switch or router and NPS will specify the ACL number in a policy. 

    I hope this helps,

    -Greg

    Wednesday, February 4, 2009 6:59 PM

All replies

  • Hi Greg,

    I have checked with Cisco. TAC responded that a Router with only a switchport is supported. Further, we have seen that if hosts are plugged in to an unmanaged switch which has an uplink to a Router switch-port or managed switch-port, they are not challenged for authentication. So in the unmanaged scenario, we cannot do it with 802.1x on MS NAP.

    Would request you to dump me more on the IPSEC scenario, highlighting the position of the NAP servers in the network.

    Thanks

    - Debajyoti

    Wednesday, February 11, 2009 3:33 PM
  • Hi Debajyoti,

    Sure - in the IPsec scenario you issue certificates to clients and servers. Clients typically get short-lived certificates issued by a server running the health registration authority (HRA) service and servers get these certificates directly from an enterprise certification authority (CA - also known in Server 2008 as Active Directory Certificate Services AD CS). The HRA acquires a certificate from either an enterprise CA or a standalone CA on behalf of the client computer. When HRA gets this certificate, it sets the validity period to a time that you specify when you configure the HRA.



    In the diagram above, the "NAP CA" is the certification authority used to issue certificates to client computers. There is usually a different CA used for servers, but you can use the same CA. The server certificates are called "exemption certificates" because they eliminate the need for a health evaluation. The "NAP Health Policy Server" is NPS.

    Your unmanaged switch and 2811 router can be between the client and the HRA server. In fact, you can even have access devices such as VPN servers here.

    The IPsec policies come into play when you configure rules on the network to require a certificate in order to communicate between devices. For Vista/2008 or Windows 7 you can use the new IPsec rules under Windows Firewall with Advanced Security. For Windows XP/2003 you must use the legacy IPsec rules. See http://technet.microsoft.com/en-us/library/dd314190.aspx for more information.

    Please let me know if you have questions.

    -Greg
    Wednesday, February 11, 2009 5:26 PM
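The connection-security rules Greg refers to, written out as an added example for Vista/2008 (Windows Firewall with Advanced Security); this is not code from any post in the thread. The CA subject "CN=NAP CA" and the rule names are placeholders to replace with your own.

```cmd
REM Added example, not from the thread. Assumes the NAP CA that HRA uses to
REM issue health certificates has the subject "CN=NAP CA" (placeholder).
REM Run from an elevated command prompt on each host in the secure network.

REM Secure network: require an inbound health certificate issued by the NAP CA,
REM but only request one outbound, so a host that has lost its health
REM certificate can still reach HRA, NPS and remediation servers to regain it.
netsh advfirewall consec add rule name="NAP IPsec - secure network" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    auth1=computercert auth1ca="CN=NAP CA" auth1healthcert=yes

REM Boundary servers (HRA, remediation, CA) instead get a request-only rule in
REM both directions, so a non-compliant client with no health certificate can
REM still talk to them. Apply this on those servers, not the rule above.
REM netsh advfirewall consec add rule name="NAP IPsec - boundary" ^
REM     endpoint1=any endpoint2=any action=requestinrequestout ^
REM     auth1=computercert auth1ca="CN=NAP CA" auth1healthcert=yes

REM Verify the rule took effect and which certificate authentication applies.
netsh advfirewall consec show rule name="NAP IPsec - secure network"
```

Servers that hold an exemption certificate from the server CA authenticate without a health evaluation, so their certificates must chain to a CA the rule's auth1ca setting accepts.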