Microsoft NAP with Cisco ACS 5.2 as Radius Proxy

  • Question

  • Hello!

    We tested NAP in our testing environment. We used a Cisco 3560 switch and a Microsoft NAP Policy server. This scenario works fine!

    Now we would like to add a Cisco ACS as RADIUS proxy to forward the client statements to the Microsoft NAP server. We would like to use the scenario listed here...

    http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns812/guide_c07-491729.html

    We added a Cisco ACS 5.2 device but we had some problems. Is there anyone who got this RADIUS proxy configuration to work on an ACS 5.2 machine? Can you give us some documents or demo pictures?

    Thanks a lot and regards

    mat

    Wednesday, February 23, 2011 10:16 AM

Answers

  • Hi mat,

    Thanks for posting here.

    Yes, could you discuss these problems in detail?

    You may also refer to the links in the article below and start your deployment:

    Appendix A: Deploying NAP-NAC

    http://technet.microsoft.com/en-us/library/dd296894(WS.10).aspx

    Meanwhile, as it is a question about the inter-operation between Windows NPS and Cisco, please also contact Cisco support for further investigation.

    Thank you for your understanding.

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Thursday, February 24, 2011 3:35 AM
  • Hi,

    I wanted to add that unless you contact Cisco support as Tiger Li says, NAP/NAC will not be enabled on the ACS. A patch is required that is only available from Cisco.

    Also, you mentioned that you are trying to use the ACS as a proxy, but this isn't the configuration that is used with NAP/NAC and shown in the link you provided. For NAP/NAC, the ACS does identity authentication (it is not a proxy). NPS does health authentication when you configure the ACS to use NPS as a "posture" server.

    To summarize:

    • With NAP, NPS performs authentication and authorization.
    • With NAC, ACS performs authentication and authorization.
    • With NAP/NAC, ACS performs authentication and NPS performs authorization.

    -Greg

    Thursday, February 24, 2011 6:41 AM

All replies

  • Hi

    Have you configured NPS on the Windows server? And can you explain what sort of problems you encountered? :)


    tech-nique
    Wednesday, February 23, 2011 8:04 PM
  • Hi mat,

    If there is any update on this issue, please feel free to let us know.

    We are looking forward to your reply.

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com

    Saturday, February 26, 2011 6:49 AM
  • Hi to all,

    Sorry for my very late answer. I was out of business for a while.

    This should be a progress report...

    Meanwhile I was able to sort my problems using Cisco ACS 5.2 as a NAP 802.1x Proxy out.

    The Cisco ACS acts as a Radius Proxy for several windows domains where every domain has a separate NPS Server.

                                             NPS            DC
                                      +--> Domain A ---> Domain A
                                      |
    Vista      Cisco      ACS 5.2     |      NPS            DC
    Client --> Switch --> Proxy ------+--> Domain B ---> Domain B
                                      |
                                      |      NPS            DC
                                      +--> Domain C ---> Domain C

    The NPS Servers are doing the identity authentication and the health authentication.

    The ACS Proxy sends the 802.1x requests based on domain filtering (name ends with "*.domain a" --> send to NPS Domain A) to the right NPS Server.

    We have multiple compliant vlans. Therefore we use the vlan group attribute as Tunnel-Private-Group-ID on the NPS server. The vlan groups are configured on the switches.

    This work fine so far.

    For non-NAP-capable devices (printers, ...) we use MAB (MAC authentication bypass), which kicks in after the 802.1X times out.

    The MAB part works fine too with a central MAC address database. But our customers not only have different domains (A, B and C). They would like to manage their own MAC address databases. Here is where the problem with proxying starts.

    The ACS Proxy is unable to know which MAC address to forward to which customer. This is where we are struggling right now.

    Also the WOL (wake on lan) over the 802.1x configured ports seems to be problematic...

    Thanks for your help and regards

    mat

    Thursday, April 14, 2011 11:55 AM
  • 1.

    For the Wake-on-LAN piece.....take a look at Intel vPro/AMT.

    http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/DOCS/Implementation%20and%20Reference%20Guide/default.htm

    That's what we've used for a couple of other customers as a preference to WOL.

    These customers are using SCCM and with the vPro, they can easily power on the machines at night, patch them and power them down again.

    They can also do bare-metal operating system deployments now that the vPro is in-place on their machines.

    It was quite a lot of fun and games setting this up, and a couple of hacks to SCCM and WinPE images to get it working.

     

    2.

    For the MAC address piece.....I think you have a couple of options.

     

    2a.

    One is to create separate MAC address entries/hosts in ACS and associate them with the appropriate customer's VLAN.

    You'd then need to write some sort of front-end web portal for each customer, that allows them to add/remove/modify MAC addresses associated to them.

    This portal would then need to make the appropriate API calls to the Cisco ACS to update that customer's objects as appropriate.

    (Hmmmm....I wonder if there are some role-based access controls natively in ACS v5.2 that could help with that....?!?!)

    (PS - most printers I've come across support 802.1X via MD5, TLS or MSCHAPv2 -  in native EAP or PEAP/EAP variants.)

     

    2b.

    In ACS v4.2, if you failed authentication, you used to be able to get it to look at the next database (from an LDAP perspective).

    What you could do, is have the MAB lookup querying an LDAP database (e.g. the Customers active directory) and they create MAC address objects in there.

    Then what would happen is it would run a MAB lookup against Customer A's database - if it fails, then move on to Customer B, fail again, on to Customer C.

    It does this until it either gets a "pass authentication" or it hits all the LDAP servers, gets a "fail" all the way through and therefore "fails auth" to the switch.

    Not sure if you can do the same in ACS v5.2. Also not sure if you could do this with a list of RADIUS servers instead of LDAP.

    Anyway, thought I'd give you the idea and see if it helps/comes to anything.

     

    Cheers

    Phil

     

    Wednesday, June 8, 2011 4:53 PM
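The following is an added worked example, not code from this thread, from Cisco ACS or from NPS. It models the two proxy decisions discussed above: mat's realm-based routing of 802.1X requests to the NPS of the right domain, and Phil's option 2b, querying each customer's MAC database in turn for a MAB request, which the proxy cannot route by identity because the User-Name is just the MAC. It also builds the Access-Accept that hands the switch a VLAN group via Tunnel-Private-Group-ID, as mat describes. The realm suffixes, NPS hostnames, VLAN group names and MAC addresses are invented; the assumption that a Cisco switch marks MAB requests with Service-Type = Call-Check (10) should be confirmed against a RADIUS debug of your own switch; the Response Authenticator (an MD5 over the reply and the shared secret) is not computed.

```python
"""Added example (not from the thread, Cisco or Microsoft): a model of the RADIUS
proxy decision mat describes.  802.1X requests are forwarded to the NPS of the
domain named in the identity; a MAB request carries only a MAC address, so the
proxy tries each customer's MAC database in turn instead (Phil's option 2b).
Realms, NPS names, VLAN group names and MACs are invented for illustration."""
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                       # RFC 2865 codes
USER_NAME, SERVICE_TYPE = 1, 6                             # RFC 2865 attributes
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
SERVICE_TYPE_CALL_CHECK = 10      # assumption: Service-Type a Cisco switch sets on MAB
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

REALM_ROUTES = {                  # hypothetical: realm suffix -> that domain's NPS
    "domain-a.example": "nps.domain-a.example",
    "domain-b.example": "nps.domain-b.example",
    "domain-c.example": "nps.domain-c.example",
}
TENANT_MAC_DBS = [                # hypothetical per-customer MAC -> VLAN group lists
    ("Domain A", {"001122aabb01": "printers-a"}),
    ("Domain B", {"001122aabb02": "printers-b"}),
    ("Domain C", {}),
]


def build_packet(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet; attrs is a list of (type, value-bytes)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    """Return (code, ident, authenticator, {type: [values]}); refuse bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        t, n = packet[pos], packet[pos + 1]
        attrs.setdefault(t, []).append(packet[pos + 2:pos + n])
        pos += n
    return code, ident, packet[4:20], attrs


def realm_of(user_name):
    """Realm of a UPN (user@realm) or machine identity (host/fqdn); '' if none."""
    if user_name.startswith("host/"):
        return user_name[5:].partition(".")[2].lower()
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    return ""


def route_8021x(user_name):
    """NPS to proxy an 802.1X request to, by realm suffix; None if nothing matches."""
    realm = realm_of(user_name)
    for suffix, nps in REALM_ROUTES.items():
        if realm == suffix or realm.endswith("." + suffix):
            return nps
    return None


def normalise_mac(value):
    """'00-11-22-AA-BB-01', '0011.22aa.bb01' and '001122aabb01' -> '001122aabb01'."""
    return "".join(c for c in value.lower() if c in "0123456789abcdef")


def mab_fallthrough(mac, tenant_dbs=TENANT_MAC_DBS):
    """Try each customer's MAC database in order; first hit wins, else None."""
    mac = normalise_mac(mac)
    for tenant, db in tenant_dbs:
        if mac in db:
            return tenant, db[mac]
    return None


def build_accept(ident, authenticator, vlan_group):
    """Access-Accept assigning a switch VLAN group via tagged Tunnel-* attributes.
    The Response Authenticator is not computed; the given bytes are a placeholder."""
    tag = b"\x00"                                  # tag 0: attributes not grouped
    return build_packet(ACCESS_ACCEPT, ident, authenticator, [
        (TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, tag + vlan_group.encode()),
    ])


def decide(packet):
    """Proxy decision: ('forward', nps), ('accept', tenant, vlan_group) or ('reject',)."""
    code, _ident, _auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or USER_NAME not in attrs:
        return ("reject",)
    user_name = attrs[USER_NAME][0].decode("utf-8", "replace")
    if attrs.get(SERVICE_TYPE, [b""])[0] != SERVICE_TYPE_CALL_CHECK.to_bytes(4, "big"):
        nps = route_8021x(user_name)               # 802.1X: the realm names the domain
        return ("forward", nps) if nps else ("reject",)
    hit = mab_fallthrough(user_name)               # MAB: User-Name is only the MAC
    return ("accept",) + hit if hit else ("reject",)


# Constructed sample requests (authenticator zeroed; a real one is random)
REQ_8021X = build_packet(ACCESS_REQUEST, 1, bytes(16),
                         [(USER_NAME, b"host/pc01.domain-a.example")])
REQ_MAB = build_packet(ACCESS_REQUEST, 2, bytes(16),
                       [(USER_NAME, b"001122aabb02"),
                        (SERVICE_TYPE, SERVICE_TYPE_CALL_CHECK.to_bytes(4, "big"))])
```

Two points worth keeping in mind when turning this into a real configuration: the routing key for 802.1X is the outer EAP identity, which the client controls, so the per-domain NPS must still perform the real authentication behind the proxy; and the first-hit-wins search over the customers' MAC databases means a MAC that appears in two customers' lists lands in whichever database is queried first, and since MAB trusts a spoofable MAC address, the VLAN groups it hands out should be tightly scoped.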