Cisco VPN and NAP

  • Question

  • Hi

    Trying to set up a NAP solution through a Cisco 3000 VPN.
    The network is Win2003 and the clients are XP SP3.

    Has anybody tried this, or gotten a similar setup to work?

    I can find documentation that it should work with a Cisco ACS, a $6000 solution.

    I cannot find anybody who has a setup that works.

    Thanks

    • Edited by Ravn Friday, August 29, 2008 11:25 AM
    Friday, August 29, 2008 11:23 AM

Answers

  • Also, these papers are out of date. For example, the first one mentions using Health Registration Authority with NAP-NAC, but this is not a supported scenario.
    Wednesday, September 10, 2008 5:02 PM

All replies

  • Hi,

    I have not tried using a Cisco 3000 VPN with NAP VPN enforcement.  Generally it is required that you use a Microsoft VPN server, but recently I've been in discussions with the NAP developers and VPN developers and found that if another VPN can recognize certain Vendor Specific Attributes (VSAs) then it might be possible for it to work. You cannot configure this the same as the current VPN NAP step by step guide because remediation server groups won't work. However, you might get this to work using IP Filters. If you are willing to try it, I'd be interested to find out if it works. Let me know if you want to attempt it.

    You can also use NAP with IPsec combined with a non-Microsoft VPN server and this will be a way to implement NAP for VPN users.

    -Greg 
    Friday, September 5, 2008 3:42 PM
  • Hi
    Thanks for your reply.

    I have a paper from MS and Cisco saying that it is possible - "Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture" - http://www.microsoft.com/presspass/events/ssc/docs/CiscoMSNACWP.pdf
    from 2006.

    and an "ACS 4.2 Configuration Guide" on how to set up the "NAP/NAC Configuration Scenario":
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/nac_conf.html

    Are you saying that this will not work?

    Ravn


    Wednesday, September 10, 2008 11:19 AM
  • Hi,

    These papers describe NAP-NAC, not NAP with VPN enforcement, which is what I thought you were asking about. If you are trying to set up NAP-NAC you can't do this with XP SP3. It is only supported for Vista SP1.

    -Greg

    Wednesday, September 10, 2008 4:57 PM
  • Hi

    So just to recap, MS and Cisco sent out a paper in 2006 on how to set up Cisco and MS NAP to work together (via NAC).
    But for now the only VPN that MS NAP (on XP SP3) will work with is an MS VPN; is that how you see it too?

    You wrote that "NAP with IPsec combined with a non-Microsoft VPN server and this will be a way to implement NAP for VPN users." Will you explain how that will work?

    Ravn
    Wednesday, September 17, 2008 12:16 PM
  • Hi Ravn,

    It's a little complicated, so I'll try to summarize. Here is how NAP and NAP-NAC are set up:

    NAP:

    Client computer <------> NAP enforcement point <------> NPS
    (XP SP3 or Vista)        (Server 2008 or a               (Server 2008)
                              switch/access point)

    NAC Framework:

    Client computer <------> Network access device <------> ACS
    (XP)                     (Switch/access point           (Server 2003
                              or VPN)                        + Cisco ACS)

    NAP-NAC:

    Client computer <------> Network access device <------> ACS <------> NPS
    (Vista SP1)              (Cisco switch or               (Server 2003   (Server 2008)
                              access point)                  + Cisco ACS)

    In the NAP scenario, the "NAP enforcement point" is one of the following:
    1. Health Registration Authority (HRA) (for IPsec enforcement, it provides certificates to NAP clients).
    2. An 802.1X-compliant switch or access point (for 802.1X enforcement, it puts clients on VLANs and/or applies ACLs).
    3. A VPN server (for VPN enforcement, guaranteed to work with MS Routing and Remote Access Service (RRAS)).
    4. A DHCP server (for DHCP enforcement, only works with MS DHCP).

    You can also combine some of these methods together. For a summary of methods that can be combined, see Joe Davies' recent blog post. The thing to note here is that IPsec can be combined with any of the other methods.

    Because the IPsec enforcement method uses certificates that can be given (or not given) to computers connecting to the network through any means, you can use IPsec even if (for example) clients connected through a VPN device that doesn't support NAP VPN enforcement. To set this up, you would configure the NAP client computers for IPsec enforcement similar to what is done in the IPsec step by step guide. If you want clients to have access to certificates when they are not connected to the VPN, you would have to supply some of the NAP infrastructure on the Internet, specifically the HRAs. You can also put everything on your intranet and check health only when clients connect through the VPN.

    The Cisco 3000 VPN might also simply work with NAP and VPN enforcement. You would not configure this exactly as shown in the VPN step by step guide. The difference in configuration is small, however. Essentially, you wouldn't use Remediation Server Groups to configure restricted access. Use IP Filters or vendor specific attributes (VSAs) instead. There might be some VSAs that your documentation says are supported for this type of scenario. They could be MS-Filter or MS-Quarantine-IPFilter. Check your VPN documentation for this.

    I hope this helps. Let me know if you have more questions.

    Thanks,
    -Greg

    Wednesday, September 17, 2008 5:39 PM
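Greg's point that a non-Microsoft VPN server only has a chance of working if it can recognise the Microsoft vendor-specific attributes (VSAs) that NPS puts in its Access-Accept is easier to reason about with the wire format in front of you. The following Python is an added example written for this page, not code from the thread or from Microsoft or Cisco: it encodes and decodes RFC 2865 Vendor-Specific attributes (type 26) carrying Microsoft (vendor id 311) sub-attributes, and models the decision a NAP-aware VPN server makes, i.e. restricted access when an MS-Quarantine-IPFilter is present and full access otherwise. The vendor-type numbers 22 (MS-Filter, RFC 2548) and 36 (MS-Quarantine-IPFilter) are taken from the Microsoft RADIUS dictionary as I know it and should be confirmed against your own NPS or VPN dictionary; the filter payload itself is treated as opaque bytes (the real attribute carries a Windows filter structure, which this example does not decode), and the sample Access-Accept is constructed inline, not captured.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type "Vendor-Specific"
FRAMED_IP_ADDRESS = 8         # RFC 2865 attribute type "Framed-IP-Address"
VENDOR_MICROSOFT = 311        # RFC 2548 Microsoft vendor id
VENDOR_CISCO = 9              # used only to show a foreign VSA being skipped

# Assumed vendor-type numbers (check against your RADIUS dictionary):
MS_FILTER = 22                # MS-Filter, RFC 2548
MS_QUARANTINE_IPFILTER = 36   # MS-Quarantine-IPFilter, Microsoft dictionary


def encode_attr(attr_type, value):
    """Encode a plain RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, data):
    """Encode one Vendor-Specific attribute in the RFC 2865 recommended
    layout: Type(26) Length Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data."""
    if len(data) > 247:   # 255 - 2 (type,len) - 4 (vendor id) - 2 (vtype,vlen)
        raise ValueError("vendor data too long for a single attribute")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, len(body) + 2) + body


def parse_attributes(blob):
    """Split an attribute list into (type, value) pairs, rejecting
    malformed lengths instead of looping or reading past the buffer."""
    attrs, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 2:
            raise ValueError("truncated attribute header at offset %d" % offset)
        attr_type, length = struct.unpack_from("!BB", blob, offset)
        if length < 2 or offset + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, offset))
        attrs.append((attr_type, blob[offset + 2:offset + length]))
        offset += length
    return attrs


def parse_vsa(value):
    """Return (vendor_id, [(vendor_type, data), ...]) for one VSA value."""
    if len(value) < 4:
        raise ValueError("VSA shorter than a vendor id")
    vendor_id = struct.unpack_from("!I", value, 0)[0]
    subs, offset = [], 4
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = struct.unpack_from("!BB", value, offset)
        if vlen < 2 or offset + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length %d" % vlen)
        subs.append((vtype, value[offset + 2:offset + vlen]))
        offset += vlen
    return vendor_id, subs


def microsoft_vsas(attrs):
    """Collect Microsoft sub-attributes keyed by vendor type; VSAs from
    other vendors are ignored, as a VPN server parsing NPS output would do."""
    found = {}
    for attr_type, value in attrs:
        if attr_type != RADIUS_VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        if vendor_id != VENDOR_MICROSOFT:
            continue
        for vtype, data in subs:
            found.setdefault(vtype, []).append(data)
    return found


def access_decision(blob):
    """Model of the NAP enforcement decision on an Access-Accept attribute
    list: a quarantine filter means restricted access, otherwise full."""
    ms = microsoft_vsas(parse_attributes(blob))
    return "restricted" if MS_QUARANTINE_IPFILTER in ms else "full"


def is_well_formed(blob):
    """True when every attribute and Microsoft VSA in blob parses cleanly."""
    try:
        microsoft_vsas(parse_attributes(blob))
        return True
    except ValueError:
        return False


def build_sample_accept(restricted):
    """Constructed sample Access-Accept attribute list (not a real capture)."""
    attrs = encode_attr(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 25]))
    # A foreign VSA (Cisco-AVPair, vendor type 1) that the parser must skip.
    attrs += encode_vsa(VENDOR_CISCO, 1, b"constructed-avpair")
    if restricted:
        # Opaque placeholder payload; a real MS-Quarantine-IPFilter carries
        # a Windows filter structure that this example does not decode.
        attrs += encode_vsa(VENDOR_MICROSOFT, MS_QUARANTINE_IPFILTER, b"\x00" * 8)
    return attrs


if __name__ == "__main__":
    print("noncompliant client:", access_decision(build_sample_accept(True)))
    print("compliant client:   ", access_decision(build_sample_accept(False)))
```

The length checks in `parse_attributes` and `parse_vsa` are the part worth keeping when adapting this: a VPN server that trusts the Vendor-Length octet from the wire without bounding it against the enclosing attribute is the classic way a RADIUS parser ends up reading out of bounds.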
  • Hi,

    A question came up recently that referred to this old thread, so I thought I would add some additional information.

    The key requirement in order to support NAP is that the VPN client must be able to re-authenticate while maintaining the VPN connection each time its health state changes. To do this, the VPN server must reserve the IP address used by the client and not issue a new one when the client re-authenticates.

    If the VPN server does not reserve the VPN client’s IP address, the NAP VPN client could be restricted if it connected while noncompliant, or be given full access if it connects while compliant. What cannot be done is to dynamically change the access state from restricted to unrestricted or vice-versa without disconnecting the VPN and reconnecting.

    -Greg

    Wednesday, April 27, 2011 5:50 AM
  • Hi Greg,

    I am trying to understand the set up you proposed for VPN clients. 

    "Because the IPsec enforcement method uses certificates that can be given (or not given) to computers connecting to the network through any means, you can use IPsec even if (for example) clients connected through a VPN device that doesn't support NAP VPN enforcement. To set this up, you would configure the NAP client computers for IPsec enforcement similar to what is done in the IPsec step by step guide"

    Is it the same as below:

    Client computer <------> Cisco VPN concentrator <------> HRA on DMZ or Intranet <------> NPS
    (XP SP3 or Vista or
     Windows 7 with IPsec
     enforcement client)

    If the above case is true and if we push VSAs to the Cisco VPN appliance, can we achieve the following:

    • Auto-remediation of Windows patches from the SCCM server.

    Thanks for your help in advance.


    Regards,

    Indeevar.

    Wednesday, April 27, 2011 8:43 AM
  • Hi Indeevar,


    What you have above is correct.


    If you understand how NAP with IPsec enforcement works, then it is pretty simple. A VPN client is like any other wired or wireless client that is connecting to the network after being turned off.


    1. The VPN client will have NAP agent running and the IPsec enforcement client enabled before it connects to the corporate network through a VPN.

    2. If the client is compliant, it will attempt to acquire a health certificate from the list of HRAs configured in its settings.

    3. If the HRA is reachable before connecting to the corporate VPN then the client can acquire a health certificate, otherwise it will mark the HRA as unavailable and not try again right away. I think the period is 10 minutes, but I don't recall the algorithm exactly.

    4. If you wish to place HRAs so that clients on the Internet are able to acquire health certificates, see "NAP on the Internet".


    If you are also using SCCM, this gets a little more complicated because the SHA will not be able to validate compliance or auto-remediate the client unless it can connect to a software update point. In this case, a VPN client might be noncompliant until it connects to the VPN, and then it will validate health and acquire a health certificate. If the client needs to download a patch it might be restricted for a while until this update happens.


    -Greg 

    Wednesday, April 27, 2011 12:11 PM