NAC Version 4.6.1 - Now Available

NAC Appliance Version 4.6.1 was release yesterday.

Some of the new features:

Posture Assessment Support for 64-Bit Windows Operating Systems

The new NAC Agent can be installed and launched on 64-bit versions of Windows XP and Windows Vista, and can perform posture assessment and remediation on client machines. Earlier releases of Cisco NAC Appliance provided only authentication support for 64-bit client operating systems.

Agent Configuration XML File Upload Enhancement

This XML configuration file method of setting up Agents on client machines replaces the previous Clean Access Agent configuration schema requiring Windows registry setting manipulation for custom parameters. No more registry changes, hooray!

If you previously employed Windows registry settings to adjust Clean Access Agent behavior on client machines, you must specify the same settings in the XML Agent configuration file to preserve Agent behavior using the Cisco NAC Agent.
This upgrade has a ton of new agent features, as you can see in the above images, so make sure to check out the release notes and read for yourself.

4.6.1 Release Notes

And to configure these features, please reference the configuration guides:

NAC Manager Config Guide
NAC Server Config Guide

Cisco NAC Guest Server 2.0

NAC Guest Server has changed significantly with the latest 2.0 release. From External Portal Support to AD SSO, this revision has added some key enterprise features.

The features that have hit home the most for myself and my customers have been:

Active Directory Single Sign On

Cisco NAC Guest Server 2.0 can be joined to an Active Directory Domain and then automatically authenticate Internet Explorer browsers using Integrated Windows Authentication. This removes the need for sponsors to enter their username and password.

For details on configuration of ADSSO, see the Configuration of Active Directory Single Sign-On for NAC Guest Server Configuration Example

Credit Card Billing Support

Cisco NAC Guest Server 2.0 provides the ability for guests to purchase accounts via credit card support.

This means that you can now use NGS to provide ROI for guest internet access.

Management Reports

Management reports are enhanced to provide the following guest network usage information:

•Total Guest Accounts Created
•Total Authenticated Guests
•Total Cumulative Connect Time
•Sponsor Usage Reporting
•Access Summaries by Device

To See a list of all the new features in NAC Guest Server 2.0, please read the the release notes:

http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/20/gsrn20.html#wp65354

And to configure these features, please reference the configuration guide:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/nacguestserver.html

NAC NEWS UPDATES

The following is a list of new things out there in the Cisco NAC World. The NAC Market is continuing to grow in 2009 and with the growth the products will continue to evolve, get better and have more options.

Security Options Abound: New NAC Release

My friends over at TechWiseTV are a huge multi-media machine, producing video, audio and podcasts. Well this PodCast is on NAC 4.5, Alok Agrawal of the NAC Business Unit and Myself dive into some of the cool features of 4.5. All of the podcasts can be subscribed to through iTunes.

To access the NAC podcast go to:

http://www.cisco.com/en/US/solutions/ns340/ns339/ns638/ns719/html_TW/tw_episode_198.html

And to get more information on all the great stuff coming from Techwise TV visit:
http://www.mytechwisetv.com/
or
http://cisco.com/go/interact

NAC Layer 3 Out of Band Design Guide That Uses VRF-Lite for Traffic Isolation

Cisco wrote a new configuration guide on using VRF-Lite for traffic isolation. This is a great configuration option for NAC, but with that said never re-design your network just for NAC. VRFs can become very complex and introducing new technology into the network should be carefully planned. Using VRFs in a enterprise network does make sense, but the reasons for moving to the new network design should be a combination of the added features/benefits for Security(NAC, Guest Access, Wireless, etc.) and Network managebility, throughput, and scalability.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a3a8a7.shtml

New NAC Profiler Release

Last month a new maintenance release of Cisco NAC Profiler came out. 2.1.8-38 brings a good list of BugFixes and minor enhancements.

One Minor Enhancement that made it was Endpoint and Directory Timeout Unified Into Endpoint Timeout, which gives us more control on how to age out endpoints out of the database.

Find all the Fixes and information in the Release Notes.

The Release Notes can be found:
http://www.cisco.com/en/US/docs/security/nac/profiler/release_notes/218/218rn.html#wp101317

The new software can be download at:
http://www.cisco.com/cgi-bin/tablebuild.pl/nacprofiler-2.1.8 (Requires Valid Smartnet Contract)

Cisco NAC Appliance 4.5 Released

The time has come.... 4.5 is here

It can be downloaded here! (Require Valid Smartnet Contract)

As with all NAC releases, be sure to read the RELEASE NOTES before upgrading!

CAM/CAS Configuration Guides:

• Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5 New!
  
• Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5 New!

Bottom line is that 4.5 brings way too many features to list. That is why the release notes will help!

Looks for future posts on new features and benefits!

Configuration Example - Wireless Out Of Band - New NAC 4.5 Feature

The following is a configuration guide that was posted to explain how to configure NAC 4.5 with Wireless LAN Controller 5.1 for NAC Wireless OOB support.

NAC Out-Of-Band (OOB) Wireless Configuration Example

Wireless OOB is a feature we all have been waiting for. Some of the great benefits that I see are:

- No need for a second Clean Access Server(CAS) just for wireless. If you are a smaller organization wireless and wired can be performed on a single CAS.
- Bandwidth benefits for larger wireless infrastructures. With 10Gbps network backbones and large central wireless deployments(lots of clients), having a OOB wireless deployment is a no brainer.

This is one of a few great features coming out with NAC release 4.5.

Coming Soon - Cisco NAC Release 4.5

Cisco is preparing for NAC Release 4.5 which will include great features like Wireless OOB, Mac Posture Assessment Support and CAM import/export of policies.

The first piece of documentation has been published:

Cisco NAC Appliance Release 4.5 - Video Data Sheet

Keep a lookout for posting on all the new features and when the download becomes available.

NAC Updates

Windows Clean Access Agent Version 4.1.7 Released - Sept 30th

In this release their are a few minor resolved caveats:

- Symantec AntiVirus 10.x not fully compatible with CCA Agent
- Vista Agent does not detect MAC Address of Wireless NIC
- AVG Anti-Virus Free 8.x support for Virus Definition check

As with all upgrades, it is highly recommended to read the release notes before upgrading. Also, on a side note, remember that upgrades should be done for a purpose, either to fix a caveat or to gain new features.

Download 4.1.7 Windows Agent

Release Notes


3 NEW Configuration Examples posted to CCO

- NAC Appliance (CCA): Configure High Availability (HA) for the Clean Access Manager (CAM)
29/Sep/2008

- Deploy NAC Profiler in an Existing Out-of-Band NAC
02/Sep/2008

- Importing SSL Certificates to NAC Profiler
02/Sep/2008


To see all the previous Configuration Examples and TechNotes


How to Block Operating Systems with CCA

A friend of mine, Rob Chee, writes a blog on network security and had a great post on how to block operating systems using User Pages with CCA.

Make sure you check out his Post.

NEW NAC Version 4.1(6)

4.1.6 is available and you can download it here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download



4.1(6) Release Notes
As with all NAC Upgrades, the release notes are extremely important!

4.1(6) CAM Installation & Configuration Guide

4.1(6) CAS Installation & Configuration Guide

Ask the Expert - Cisco NAC Guest Server

Click Here to Begin

This is a great forum to ask your NAC Guest Server questions. Syed is apart of the stellar NAC business unit and focuses on Guest Server. Please read the detailed description below:

This is an opportunity to get an update on the new Cisco NAC Guest Server which works with either Cisco NAC Appliance or Cisco wireless LAN controllers to manage the entire lifecycle of guest access with Cisco expert Syed Ghayur. Syed is a technical marketing engineer in the product marketing team for the Cisco Network Access Control (NAC) Appliance. He also works on global scalability of the product, documentation, partner training, and system engineer trainings. In addition, he works closely with the Cisco Technical Assistance Center (TAC) to resolve complex issues and product related bugs. Early this year, he joined the Security Technology Group (STG) as technical marketing engineer for NAC Appliance.

Remember to use the rating system to let Syed know if you have received an adequate response.

Syed might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 25, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

Cisco NAC Guest Server 1.1.1

On June 9th, Cisco posted an update to NAC Guest Server.



Version 1.1.1 comes with a few new features:

Guest Role Support
Guest Role Support provides the ability for Sponsors to create guest accounts with different privileges. This includes provisioning into different roles on the Clean Access Manager, returning different RADIUS attributes to RADIUS clients or only allowing access from specified networks.

Additional NTP Server
The 1.1.1 release introduces the ability to configure two NTP servers instead of a single NTP server in 1.1.0.

FTP Backup Directory
The 1.1.1 release allows a directory to be specified as part of the scheduled FTP backup, prior versions placed the backup in the default directory of the FTP user account.

As with all NAC related upgrades make sure to read the RELEASE NOTES before upgrading!

The NAC Guest Server Installation & Configuration Guide 1.1.1 can be used for reference of the new features.

Finally to download the new version go to the NAC Guest Server Download Page. (Requires Valid CCO Login)

NAC Updates

I want to apologize for the lack of posts over the past couple of months. I have been out performing NAC Deployments non-stop.

I thought I would kick things off by offering some updates on the latest software release. Look for more custom check and best practice posts soon. Also, if anyone has any requests on something they would like to see posted about let me know!

Cisco Clean Access Agent 4.1.3.2
Some updates to the original 4.1.3.0 Agent has been made, refer to the release notes for all enhancements, bug fixes, etc.

Cisco NAC Profiler 2.1.8-37
On April 7th, Cisco released an upgrade to NAC Profiler.
Release Notes | Documentation

Cisco NAC Guest Server 1.1.0
Cisco released an upgrade to the Guest Server. Check out the documentation for all enhancements/fixes
Release Notes | Documentation

New NAC NEWS - ChalkTalks and PodCasts

If everyone out there has not heard yet, there is a spring 2008 chalktalk series going on currently. The chalk talks are very technical and can give everyone great insight into the topics discussed.

March 13th - Cisco NAC Deployment Methodologies
March 20th - Troubleshooting Cisco NAC Appliance
March 27th - NAC Profiler Best Practices

All can be seen at 10am PDT at http://premium.meetingplace.net with meeting ID 434343

Also, Robb Boyd and the TechWise TV team posted a podcast on Troubleshooting Cisco NAC Appliance. It features "rockstar" Prem Ananthakrishnan, one of the great TMEs from the NAC BU.

NAC Troubleshooting Podcast

NAC Appliance episode on TechwiseTV

There is a new TechWiseTV episode about to be taped, focusing on Cisco NAC Appliance and the producers are looking for feedback as to what the episode should focus on. The main presenter will be Alok Agrawal, one of the Technical Marketing Engineers from the Cisco NAC Business Unit. If you have never seen TechWiseTV, it is a highly technical show focusing on getting answers to the tough questions. I can promise that if enough of you want a topic discussed that Alok will definately be put on the spot to give you an answer. So please visit their website and start posting about what you are interested in hearing explained:

http://www.mytechwisetv.com/page/30+Network+Admission+Control


The following is a draft of the topics discussed:

Proposed Segmentation:
Segment 1: NAC Foundational Concepts -

• What is it, why do we need it, why now?
• Where does 802.1x fit, what problems can be solved here, etc.
• Posture Assesment - more than just AV and Spyware
• Client vs. Clientless, Inband vs. Out of Band, Remediation, Non-Cisco applications
• Server, Manager, Agent Communication, Rule Set updates.

Segment 2: Server Deployment Modes

• Virtual and Real IP Gateway
• Layer 2 and Layer 3
• In-band and Out of Band
• Client & Temporal Agent

Segment 3: Topology and Design Considerations

• VPN
• Wireless
• Remote Sites
• Campus

Segment 4: Device Profiling

• NAC Profiler
• Collector
• Design Choices/Trade-offs

Cisco NAC Guest Server Documentation

Bulletin
http://www.cisco.com/en/US/products/ps6128/prod_bulletin0900aecd806f3235.html

Data Sheet
http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd806e98c9.html

Q&A
http://www.cisco.com/en/US/products/ps6128/products_qanda_item0900aecd806f525a.shtml

Release Notes 1.0.0
http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/10/gsrn100.html

Configuration Guide 1.0.0
http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/10/nacguestserver.html

Chalk Talk Series 3 - Update

To give everyone the update, the following is the schedule for the upcoming NAC chalk talks:

September 27th: Cisco NAC Profiler Introduction
Prem Ananthakrishnan will introduce the Cisco NAC Profiler, which discovers, tracks,
and monitors all non-PC endpoints attached to a network. By adding Profiler to a NAC
deployment, customers can apply policies and access prvileges to non-PC endpoints.

October 4: Secure Guest with Cisco NAC
Enhance guest access with Cisco’s NAC Guest Server. Syed Ghayur will introduce the
advanced provisioning and reporting features of this latest addition to the Cisco NAC
product line.

Access Information:

Time - 10am PDT, 12pm CDT, 1pm EDT
Audio - Toll-free US/Canada: 1-800-370-2618
Meeting ID: 321456#
Web - Disable any pop-up blocker software
http://gc46gw1.meetingplace.net
Enter Meeting ID 321456

Priveon Launches Real World NAC Appliance Training

Most training courses prepare individuals for certifications, but Priveon's Real-World training is the exact opposite. Their new Cisco NAC Appliance class is focused around how to design, deploy, operate and optimize Cisco NAC. With 20 labs and a topology that mimics typical organizations' environments, the class is very impressive and valuable for everyone interested or involved with Cisco NAC Appliance! I have personally reviewed the class and I highly recommend it to anyone wanting to take their expertise to the next level.


www.priveon.com

Priveon NAC Appliance Training Page
http://www.priveon.com/training/cisco-naca-training/priveon-real-world-naca-training.html

NAC Chalk Talk Video on Demand (VOD) - A success for Force 3 and its clients

For those of you who missed the NAC Chalk Talk I did on Thursday, here is the link to the Video on Demand, so that you can catch some of the deployment best practices.

Cisco NAC Appliance: A Success for Force 3 and Its Clients

http://tools.cisco.com/cmn/jsp/index.jsp?id=65948

I also want to thank the NAC Appliance Business Unit at Cisco and specifically Prem who hosted me out in San Jose, he is the real Rock Star!

NEW NAC Chalk Talk Series - Starting Sept 13th

There is a new NAC chalk talk series starting next week and excitingly enough I will be the first person to present! My chalk talk will be focused around how to make your deployment more successful. This is your chance to ask me questions and get the answers live via IPTV! :)

If you are unfamiliar with the NAC chalktalks, they are a great source of information about how to design, deploy, configure, troubleshoot, operate and optimize Cisco NAC Appliance. Please review the existing series by visiting the below link:
View the existing NAC Chalk Talks


The details of my up coming chalk talk:

CISCO NAC APPLIANCE CHALK TALK SERIES 3

Kicking off SEPTEMBER 13th with a LIVE VIDEO BROADCAST featuring Jamie Sanbower from Force 3 --

Cisco NAC Appliance: A Success for Force 3 and Its Clients

Watch this interactive session to learn Force 3's secret to NAC success, key deployment strategies and how they use Cisco NAC to solve their client business requirements.

Date: Thursday, September 13th
Time: 10am PDT/12pm CDT/1pm EDT
Location: http://tools.cisco.com/cmn/jsp/index.jsp?id=65688 (requires CCO login)

No pre-registration required.

There will be additional chalk talks continuing the weeks following the 13th, so be sure to check back here for updates on the others!

Cisco NAC Profiler Documentation

Cisco NAC Profiler is here, and let me tell you this product makes deployments go a lot smoother. How nice is it not to have to find all of your Printers, IP Fax Machines, UPS management, Game Consoles, etc.

If you are interested in NAC Profiler services or consulting, please contact me jsanbower hotmail.com or visit www.force3.com

To save everyone some time, the following is a list of all the public documentation on Cisco NAC Profiler:

Cisco NAC Profiler Data Sheet
http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd806b7d4e.html

Cisco NAC Profiler Brochure
http://www.cisco.com/en/US/products/ps6128/prod_brochure0900aecd806b7e8c.html

Cisco NAC Profiler Q & A
http://www.cisco.com/en/US/products/ps6128/products_qanda_item0900aecd806b5d40.shtml

Cisco NAC Profiler Ordering Guide
http://www.cisco.com/en/US/products/ps6128/prod_bulletin0900aecd806b7d69.html

Configuration Guide 2.1.7
http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/217/nac_profiler_cg.html

NAC Network Modules

I just wanted to give everyone the update on the NEW NME-NAC-K9 module. They are supported as of version 4.1(2). The Cisco NAC Network Module (NME-NAC-K9) implements the Clean Access Server functionality on the next generation service module for the Cisco 2811/2821/2851 and 3825/3845 access routers. The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code. The Clean Access Server operating system is based on an optimized version of Linux. The NAC network module is an ideal NAC solution for small groups of users in remote locations where an integrated services router is used. The NAC network module can be equipped with either a 50-user or 100-user license to support branch offices.

The following are some documents to get you started with the new NAC Network Module:


Getting Started with Cisco NAC Network Modules in Cisco Access Routers

http://www.cisco.com/en/US/products/ps6128/prod_installation_guide09186a008086aa28.html
-- New guide describing initial configuration and deployment examples


Installing Cisco Network Modules in Cisco Access Routers

http://www.cisco.com/en/US/products/hw/modules/ps2797/products_installation_guide_chapter09186a008007c8ec.html
-- New Chapter in the Cisco Network Modules Hardware Installation Guide