CANAC - Implementing NAC Appliance (formerly Cisco Clean Access)
In this course, you'll learn how to design and implement a Cisco NAC Appliance solution to suit your network. You will learn basic configuration tasks such as NAM and NAS deployment modes, authentication (including Windows SSO), role-based access control, posture assessment, and remediation.
Is this NAC course right for you?
Cisco Systems offers two solutions for Network Admission Control: NAC Appliance and NAC Framework. If the NAC solution you are planning includes the following elements, then this NAC Appliance course, CANAC v2.1, is right for you:
- NAC Appliance Manager (NAM)
- NAC Appliance Server (NAS)
- Cisco Catalyst Switches using Out-of-Band (OOB) access
- Cisco VPN Concentrators (without configuring NAC commands)
- Cisco ASA/PIX Firewalls (without configuring NAC commands)
Highlights
- Given client network security requirements, explain how a NAC Appliance deployment scenario will meet or exceed those expectations
- Configure the common elements of a NAC Appliance solution
- Configure Active Directory Single Sign-On (AD SSO)
- Configure VPN Single Sign-On using an ASA with the standard IPSec client and the AnyConnect client (SSL)
- Configure the NAC Appliance in-band and out-of-band implementation options
- Implement NAM and NAS High Availability to protect against downtime
- Configure Network Scanning to audit clients and clientless hosts
- Configure compliance checking using manual and automated settings in version 4.5 of the code
- Learn the elements of Code Signing applications needed for remediation
- Create custom web page portals based on the location of clients
- Allow Active Directory LDAP Authorization to map AD groups to NAC Appliance Roles
- Walk through and configure three different network topologies: In-Band, VPN In-Band, and OOB
- See for yourself the privileges needed to install the Cisco NAC Appliance Agent (NAA) and the Stub Installer, and how the two differ
- Learn to monitor, maintain, and troubleshoot a NAC solution
Course Outline
The Cisco NAC Appliance Solution
1. Cisco Self-Defending Networks
- The Changing Landscape of Security
- The Cisco Host-Protection Strategy
- The Cisco SDN Initiative
- Trust & Identity
- Cisco NAC Products
2. Cisco NAC Appliance
- Cisco NAC Appliance Solution
- Cisco NAC Appliance Features
- Cisco NAC Appliance Components
- Compliance Scenarios
- Deployment Options
- Configuration Overview
- User Interface
3. Cisco NAC Appliance Deployment Options
- Cisco NAC Appliance Out-of-Band (OOB) Deployment
- Cisco NAC Appliance In-Band Deployment
- Compare Cisco NAC Appliance Deployment Options
- Cisco NAS Operating Modes
- Virtual Gateway vs. Real-IP Gateway
- Layer 2 vs. Layer 3
4. Configure User Roles
- What is a User Role?
- Create User Roles
- Define Traffic Policies for User Roles
- Configure Traffic Policies for User Roles
- Create Local User Accounts
5. Configure External Authentication
- Configure External Authentication Providers
- Authenticate Cisco NAC Appliance Users with Kerberos
- Authenticate Cisco NAC Appliance Users with RADIUS
- Authenticate Cisco NAC Appliance Users with LDAP
- Authenticate Cisco NAC Appliance Users with NT Domain
- Map Users to User Roles
- Test User Authentication
- Configure RADIUS Accounting for Users
- Adding Custom RADIUS Attributes
6. Configure DHCP
- Cisco NAS DHCP Modes
- Enable the DHCP Module
- Configure IP Ranges (IP Address Pools)
- Work with Subnets
- Reserve IP Addresses
- Configure User-Specified DHCP Options
NAC Appliance Implementation
7. Implement Cisco NAC Appliance In-Band Deployment
- In-Band Process Flow
- In-Band Deployment Configurations
- Configure the Cisco NAS for In-Band Deployment
- Add the Cisco NAS to the Managed Domain
- Configure the Cisco NAS Interfaces
- Add Managed Subnets
- Configure Cisco NAS VLAN Settings
8. Implement Windows Active Directory Single Sign-On (AD SSO)
- Kerberos Ticket Exchange
- Confirming a NAS Ticket
- Communications between the NAS and Active Directory
- AD SSO Configuration Checklist
- TCP & UDP Ports Required for AD SSO
- Configure the NAS for AD SSO
- Install Support Tools for Windows 2000 or 2003 Server
- Configure the Domain Controller with ktpass.exe
9. Implement Virtual Private Network Single Sign-On (VPN SSO)
- Configuration Checklist
- Configure a Traffic Filter
- Add VPN Authentication Server to NAM
- Map VPN Users to Roles on NAM
- Enable VPN SSO on the NAS
- Adding a VPN Device to the NAS
- Configure RADIUS Accounting
- Configure the VPN Gateway as a Floating Device
- Test VPN SSO
10. Implement Cisco NAC Appliance Out-of-Band Deployment
- OOB Process Flow
- OOB Deployment Considerations
- Layer 2 Central & Edge Deployment
- Layer 3 Virtual Gateway & Real-IP Gateway
- Layer 2 & 3 Clientless Host Options
- Differences between Cisco NAC Appliance OOB Setup and In-Band Setup
- Implement Cisco NAS OOB Operating Modes
11. Manage Switches
- Implement Switch Management
- Configure the Network for OOB Deployment
- Configure Group, Switch, and Port Profiles
- Configure Port Profiles
- Adding Switches to the Managed Domain
- Configuring SNMP Advanced Settings
- Configure Switch Ports to Use Port Profiles
- Manage Switch Configuration Settings
NAC Appliance Implementation Options
12. Implement Cisco NAC Appliance on a Network
- Implement Cisco NAC Appliance
- General Setup Tab
- User Pages
- Configure Cisco NAA Support
- Manage Certified Devices
- Device Exemption
- Viewing User Reports
13. Implement Network Scanning
- Configure the Quarantine Role
- Implement Nessus Plug-Ins
- Test a Scanning Configuration
- Customize the User Agreement Page
- View Scan Reports
14. Configure the NAM to Implement Cisco NAC Appliance Agent on User Devices
- Configure the Cisco NAM to Implement the Cisco NAC Appliance Agent (NAA)
- Retrieve Updates
- Require the Use of the Cisco NAA
- Configure the Cisco NAA Temporary Role
- Introduce Checks, Rules, and Requirements
- Create a Check, Rules, and Requirements
- Map Requirements to Rules and Roles
15. Configure NAM High Availability (HA)
- Introduce HA for Cisco NAMs
- Establish a Serial Connection Between Managers
- Digital Certificate Requirements
- Configure the Primary Cisco NAM
- Configure the Standby Cisco NAM
16. Configure Cisco NAC Appliance Server (NAS) HA
- Introduce HA for NASs
- Implementation Considerations
- Digital Certificate Requirements
- Configure the Primary and Standby NAS
- Complete the Standby NAS HA Configuration
- Test the NAS HA Configuration
- Configure DHCP Failover
NAC Appliance Monitoring and Administration
17. Monitor a Cisco NAC Appliance Deployment
- Cisco NAC Appliance Monitoring
- Monitor Online Users
- Monitor NAS Health Event Logs
- Configure Basic SNMP Support
- Configure Syslog Support
18. Administer Cisco NAM
- Define the Cisco NAM Administration Module
- Set Network and Failover Parameters
- Manage Administration Groups
- Manage Administration Users
- Manage User Passwords
- Administer the System Time
- Manage SSL Certificates
- Manage the Cisco NAC Appliance Software
- Protect Your NAM Configuration
