12.1. Cisco Network Admission Control (Cisco NAC)

Announced by Cisco in 2004, Network Admission Control (NAC) is one of the graybeards of network access control. Cisco NAC was a pioneer in NAC architectures. Although other companies had been circling the NAC flame for a couple of years, Cisco was one of the first to pull together a framework for NAC. It was also one of the points at the end of the spear for LAN security management.

At a high level, the goal of Cisco NAC — and, really, any other NAC framework — is to prevent unauthorized or compromised endpoint devices from gaining network access. Among other things that Cisco NAC does and can do, it assesses the security state of an endpoint device prior to allowing that device to access a network, much like other NAC architectures, frameworks, and solutions.

Cisco has stated in promotional materials that the Cisco NAC framework is suited for various use cases or scenarios, including protecting a network from infected endpoint devices, whether the infection was unintentional or intentional; securing access to networks for business partners; and enabling and managing network access for guests.

The Cisco NAC framework empowers different types of devices used in a typical network — including switches, routers, and even wireless access points — to collect user authentication and device security state data from endpoint devices. The system can use the information gathered by these network devices to decide the access fate for a particular user and device:

With Cisco NAC, an endpoint device can send user authentication and security state information to the network devices that gather that data before a user accesses the network (before the user and device are assigned an Internet Protocol [IP] address by the network). This action is similar to how the IEEE 802.1X standard for port-based network access control acts; Cisco NAC includes tenets of the 802.1X standard.

Cisco NAC then verifies the authentication and security state data communicated, and based on those results, it can control the network access for the user and device. Cisco NAC makes its access control decision when the system toggles LAN switch ports or the system directs user access to different virtual LANs (VLANs), based on the security and access control policies and procedures established by the organization implementing Cisco NAC. Cisco NAC, via the network devices with which it interacts, can deny users or devices network access, limit their access, or quarantine a device until the system can remediate it — until the system repairs whatever makes the device non-compliant with an organization's policies.

To really begin to grasp how Cisco NAC works, you need to understand the various components that comprise the Cisco NAC framework. Refer to Figure 12-1 while reading the following sections if you need a little visualization help.

12.1.1. Cisco Trust Agent (CTA)

The CTA is the agent that resides on an endpoint device and gathers the user authentication and endpoint device security state data for Cisco NAC. The CTA interacts with third-party security and anti-malware applications on the device to collect data about the device's security posture, which can include operating system patch levels, antivirus updates, and so on. The system collects this data by using Cisco NAC–compatible third-party plug-ins, sometimes referred to as posture plug-ins, that either Cisco or the third-party provider has created. Depending on who created the plug-ins, either Cisco integrates them with CTA or the third-party provider deploys them as part of its application.

The CTA communicates the authentication and device security state information to network devices — including routers, switches, and wireless access points — which Cisco calls Network Access Devices (NADs). The system collects the authentication and security data in a Cisco NAC–compatible package and communicates it to the appropriate network devices by using a Cisco NAC–aware Extensible Authentication Protocol (EAP). However, the NADs aren't the only stop for the gathered authentication and security state data. The system also shares that information with the Cisco Access Control Server (ACS).

12.1.2. Cisco Access Control Server (Cisco ACS)

Cisco originally conceived and promoted ACS as a Remote Authentication Dial-In User Service (RADIUS) server. Over time, Cisco ACS has also become the policy manager for Cisco NAC.

Cisco ACS, whether deployed as server software or as a Cisco appliance, interfaces with the various third-party policy servers (such as antivirus policy servers) and third-party management servers (such as audit servers and vulnerability management servers) to ascertain whether the system should grant the device network access or restrict it in some manner, based on the security posture data gathered and communicated by the CTA. Cisco ACS also retains its ability to perform as a RADIUS server, interfacing with authentication databases and data stores (such as Microsoft Active Directory or Lightweight Directory Access Protocol [LDAP]) to determine whether the user is allowed access to the network based on the authentication information gathered by the CTA:

  1. When the Cisco NAD receives the authentication and security state information from the CTA, it passes that information on to the Cisco ACS server or appliance.

  2. Cisco ACS then interfaces with and checks the device security state data against third-party policy servers, based on an organization's predefined security and access control policies.

  3. It interfaces with and checks the user's authentication information — gathered by CTA — against third-party directory servers.

  4. Based on the responses received by the Cisco ACS server or appliance, it defines an access control directive for the specific user and endpoint device, referred to as an access control list (ACL), and communicates that ACL to the NAD that communicated the user's and endpoint device's information in the first place.

12.1.3. Network Access Device (NAD)

A NAD is simply a Cisco switch, router, wireless access point, or even a VPN server that the system has outfitted to support Cisco NAC, as well as the 802.1X standard. A NAD acts as the initial communication point with the CTA, receiving the user authentication and device security state information and passing that data through to the Cisco ACS. NADs are also the enforcement points for the access control rights granted (or denied) by the Cisco ACS and policy servers, based on the data that the system passes through from the CTA.

12.1.4. Third-party servers

Third-party servers that interface and interact with Cisco NAC include third-party policy servers, such as antivirus management servers, patch management servers, and other anti-malware servers. These third-party policy servers communicate with Cisco ACS, determining whether the security state data received by Cisco ACS (from the NAD, via CTA) adheres to an organization's security or access control policies, predefined on and with the third-party server. The third-party servers communicate an endpoint device's compliance or non-compliance to the Cisco ACS, which implements appropriate actions based on that communication.

Cisco NAC can interface with third-party servers such as vulnerability management servers or audit servers. These servers, after Cisco ACS communicates with them, may scan an endpoint device to determine its vulnerability state or to audit its security state. Based on the outcome of their scans, these servers communicate with Cisco ACS whether the endpoint device is in compliance, enabling Cisco ACS to take appropriate action — grant, deny, or limit network access for that user and endpoint device, or quarantine the endpoint device until the system has remediated the device.

Finally, Cisco ACS interfaces with third-party directory servers, databases, or data stores that contain authentication data to determine whether a user is authorized to access the network based on the authentication data supplied by CTA (and communicated through the appropriate NAD). If, after interfacing with the directory server (or database or data store), Cisco ACS determines that the user is authenticated and authorized to access the network, the system allows that user to access the network — if, of course, his or her device passes security and access policy muster. If the user isn't authenticated, then he or she isn't authorized to access the network; Cisco NAC doesn't allow the user, or his or her device, onto the network.

Figure 12-1 shows all the various components of Cisco NAC that we talk about in this section and the preceding sections.

Figure 12.1. The Cisco Network Admission Control (NAC) framework.

12.1.5. How Cisco NAC works

When an endpoint device attempts to access a network protected by the Cisco NAC framework, the CTA on the endpoint device invokes the various third-party plug-ins (posture plug-ins) embedded within CTA or already preloaded on the endpoint device by third-party anti-malware or security applications. These plug-ins collect the endpoint device's security state information and provide that data to the CTA.

The CTA also gathers the user's authentication data, packaging the collected security state information and authentication data, and then communicating that package to the appropriate NAD (such as a Cisco switch, router, wireless access point, and so on) by using an EAP method (EAP over UDP).

After the NAD receives the packaged authentication and security state data, it passes that data through to the Cisco ACS by using a typical 802.1X communications method, EAP over RADIUS. Cisco ACS accepts the authentication and security state data, parsing out the user authentication data from the endpoint device security state information.

Cisco ACS compares the user authentication data against directory servers, such as Microsoft Active Directory or LDAP, to authenticate the user and determine whether he or she has authorization to access the network. Cisco ACS then separates out the endpoint device security state data and sends it to each appropriate third-party policy server for an authorization decision. The system compares the collected endpoint device security data to the policies that the organization predetermines on the policy servers for each of the third-party applications.

If the system authenticates the user and the endpoint device's security state adheres to the organization's policy, Cisco ACS communicates the appropriate access rights to the original NAD. That NAD, acting as the policy enforcement point, allows the user and device access to the network. However, if the system authenticates the user but his or her device doesn't pass the policy check, Cisco ACS sends a message to the original NAD (again, which serves as an enforcement point) to either deny network access to the user and device, limit the network access for the user and device, or quarantine the device until the system can remediate it and bring it into policy compliance. How the system handles network access for a non-compliant endpoint device depends on the policies of the organization. If the system can't authenticate the user, the system usually denies that user (and his or her device) network access.
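The following is an added illustrative model of the ACS decision flow described in this section and in the four numbered steps under 12.1.2; it is not Cisco code and does not speak EAP or RADIUS. The directory contents, posture attributes, policy thresholds, and the mapping of violations to permit/limit/quarantine/deny outcomes are all constructed assumptions standing in for the directory server, the third-party policy servers, and the organization's own policy.

```python
# Added illustrative model of the Cisco ACS decision flow from this section.
# Not Cisco code: directory, posture fields, thresholds and VLAN names are constructed.
from dataclasses import dataclass, field

@dataclass
class PosturePackage:
    """What the CTA bundles and the NAD relays to the ACS (constructed shape)."""
    user: str
    password: str
    posture: dict = field(default_factory=dict)

# Stand-ins for the directory server (step 3) and the policy server thresholds (step 2).
DIRECTORY = {"alice": "correct horse", "bob": "hunter2"}
POLICY = {"os_patch_level": 15, "av_signature_age_days": 7}

def authenticate(pkg):
    """RADIUS-style credential check against the directory store."""
    return DIRECTORY.get(pkg.user) == pkg.password

def posture_violations(posture):
    """Compare the device's security state with the policy thresholds."""
    found = []
    if posture.get("os_patch_level", 0) < POLICY["os_patch_level"]:
        found.append("os_patch_level")
    if posture.get("av_signature_age_days", 10**6) > POLICY["av_signature_age_days"]:
        found.append("av_signature_age_days")
    if not posture.get("av_running", False):
        found.append("av_running")
    return found

def access_directive(pkg):
    """Build the per-user/per-device directive (the ACL) returned to the NAD (step 4)."""
    if not authenticate(pkg):
        return {"action": "deny", "vlan": None, "reason": "authentication failed"}
    violations = posture_violations(pkg.posture)
    if not violations:
        return {"action": "permit", "vlan": "production", "reason": "compliant"}
    # Constructed organizational policy: a device with no antivirus running only
    # gets a restricted VLAN; one that is merely out of date is quarantined for
    # remediation so patches and signatures can be pushed to it.
    if "av_running" in violations:
        return {"action": "limit", "vlan": "restricted", "reason": ",".join(violations)}
    return {"action": "quarantine", "vlan": "remediation", "reason": ",".join(violations)}

if __name__ == "__main__":
    stale = PosturePackage("bob", "hunter2", {"os_patch_level": 12, "av_signature_age_days": 2, "av_running": True})
    print(access_directive(stale))
```

The returned dictionary plays the role of the ACL the ACS hands back to the NAD, which would enforce it by toggling the port or assigning the VLAN named in it.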
