© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Cisco-MS 1 NAC-NAP Interoperability Michal Remper Systems Engineer [email protected]

NAC-NAP Interoperability


Page 1: NAC-NAP Interoperability


NAC-NAP Interoperability

Michal Remper

Systems Engineer

[email protected]

Page 2: NAC-NAP Interoperability


Who we are? 4 years of NAC experience …

[Figure: NAC deployment architecture. A subject (managed or unmanaged host) connects over LAN, Remote or WAN to the Enforcement layer; Decision & Remediation is provided by ACS together with Posture Validation Server(s), a Directory Server, an Audit Server, a Patch Server and a Reporting Server.]

Page 3: NAC-NAP Interoperability


How do we see Microsoft?

Microsoft owns 97.46% of global desktop operating system market (over 90% in Enterprise)

Microsoft is a strategic component of business operations for nearly all of our customers

Any NAC solution must fully support a Microsoft environment

Page 4: NAC-NAP Interoperability


… NAC and NAP have different goals …

What is the difference between NAC & NAP?

Page 5: NAC-NAP Interoperability


NAC ensures that all users and devices coming into the network comply with an endpoint security policy.

NAP seeks to guarantee that users and devices connecting to a specific MS server meet an endpoint security policy.

Cisco and Microsoft have publicly stated that the two companies will work to integrate these two approaches.

What is the difference between NAC & NAP?

Page 6: NAC-NAP Interoperability


History

Announcement originally made in October 2004.

Since then…

Unveiled at The Security Standard show in Sept 06 including press announcement and live demo

Joint Beta program began in Dec 06 with two customers…no, one is not Cisco IT

Network Access Protection / Network Admission Control

Page 7: NAC-NAP Interoperability


What we declare together …

Page 8: NAC-NAP Interoperability


Status Today

Joint testing between Cisco and Microsoft including bug fixes is ongoing and includes weekly status calls for tracking

Documentation has been developed which includes presentations, deployment and troubleshooting guides

Beta 1 is wrapping up with Beta 2 slotted for June start.

Beta 1: In-band Posture

Beta 2: Wireless, SSO, Extended States, MAB

Page 9: NAC-NAP Interoperability


Why Did We Create a Joint Solution?

Customer Driven

– Cisco and Microsoft interoperability helps customers achieve their strategic initiatives

– Customers don't have to choose between a NAC-only or a NAP-only solution.

Page 10: NAC-NAP Interoperability


NAC Admission Flow

[Figure: NAC admission flow. Components: the host attempting network access, running the Cisco Trust Agent (CTA); the Network Access Devices (NADs); Cisco Secure ACS, the policy server decision point; a Directory Server (LDAP, OTP); a Policy Vendor Server (PVS) reached over HCAP; and an Audit Server (AS) reached over GAME (HTTPS). The host speaks EAP to the NAD, which relays to ACS over RADIUS. Key: optional vs. mandatory steps.]

1. Traffic triggers challenge
2. Credentials (host to NAD, over EAP)
3. Credentials (NAD to ACS, over RADIUS)
4a. Identity (ACS to Directory Server)
4b. Posture (ACS to PVS, over HCAP)
4c. Audit (ACS to Audit Server, over GAME: HTTPS)
5. Compliant?
6. Authorization
7. Enforcement
8. Notification
9. Status

Page 11: NAC-NAP Interoperability


What is Available in the Joint Solution?

[Figure: overlap of enforcement methods. Network Access Protection: DHCP, IPsec, VPN, 802.1x, Health Certificates. Network Admission Control: 802.1x, EoU. Available in the joint solution (the overlap): 802.1x and EoU.]

Page 12: NAC-NAP Interoperability


NAC-NAP Architecture

[Figure: Client (Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host QEC, 802.1x; EAP-FAST carried over 802.1x or UDP) to Switches/Routers; RADIUS from Switches/Routers to Cisco ACS; HCAP from Cisco ACS to MS NPS; Partner Policy Server behind NPS. Legend: Microsoft components, Cisco components, MS partner components.]

We have referred to this as the In-Band (HCAP) Scenario.

Access methods include 802.1x and EoU.

Authentication is performed on ACS. Posture checking is performed on NPS.

HCAP v2 is the secure transport method for credentials and policy information between ACS and NPS.

Page 13: NAC-NAP Interoperability


NAC-NAP Benefits

Interoperability and customer choice: Customers can choose components, infrastructure and technology while implementing a single, coordinated solution

Investment protection: Enables customer reuse and investment protection of their NAC and/or NAP deployments.

Single agent included in Windows Vista: The NAP Agent component, included as part of Vista, will be used for both NAP and NAC.

Agent deployment and update support: Microsoft will distribute Cisco EAP modules through Windows Update / Windows Server Update Services

Cross-platform support: To support client operating systems other than Windows, Microsoft will make available the APIs that support both NAP and Cisco NAC and Cisco will continue to support and develop its NAC client (the Cisco Trust Agent) for non-Windows environments.

Page 14: NAC-NAP Interoperability


Solution Details

ACS support for NAC-NAP is in the 4.2 release. This is currently set for Dec 07.

MS Longhorn is required for NAP and NAC-NAP. This will be released at the end of Dec 07.

A NAP-only agent is available for XP. Cisco has no plans to support the NAC-NAP solution for anything prior to Vista.

There is no CTA for Vista. The NAP agent handles both NAC and NAP information for Vista.

Page 15: NAC-NAP Interoperability


OS Support

[Table: OS support matrix with columns Vista and XP and rows NAC-NAP, NAP only, NAC Framework, NAC Appliance.]

Page 16: NAC-NAP Interoperability


NAC NAP Architecture Comparison

Page 17: NAC-NAP Interoperability


Vista Client Architecture

Statement of Health (SoH) aka posture credentials – Encapsulation of endpoint posture sent from an endpoint SHA to its SHV. The SoH is a response to a request for health state.

System Health Agents (SHA) aka posture plugin – SHAs are responsible for reporting on the health state of the client. Each configured SHA reports health state to the NAP Agent. An SHA will also accept statement of health response data and will optionally remediate the client.

NAP Agent aka CTA – The QA (Quarantine Agent) is responsible for collating the statement of health information from the SHAs into a single system statement of health. The QA also accepts the system statement of health response and parses it into individual statement of health responses to be passed to the SHAs.

EAP Host – A plug-in architecture for network authentication components. There will be a partner program in which Microsoft will certify components and distribute them through Windows Update.

[Figure: Client stack: Partner System Health Agents (SHAs) → NAP Agent (QA) → EAP Host QEC → EAP-FAST carried over EAPoUDP or 802.1x.]

Page 18: NAC-NAP Interoperability


Microsoft Server and Partner Components

NPS Server (Longhorn)

– Replaces IAS

– Place to define NAP enforcement and remediation policies (RADIUS access policies for NAP-only)

– Implements HCAP v2 for ACS communication

– Support for the SHV API and installation of SHVs

MS Partner Program

– Very similar to the way the Cisco NAC program is set up

– Partners develop interoperability through the SHA and SHV APIs

[Figure: NAP architecture. Client: Quarantine Agent (QA) with SHA1, SHA2 and QEC1, QEC2. Network Policy Server: Quarantine Server (QS) with SHV1, SHV2. Health policy comes from Policy Servers; updates come from Remediation Servers.]

Page 19: NAC-NAP Interoperability


What About Cisco Components?

Any Cisco device that works with NAC will work with NAC-NAP!!!

Currently ACS 4.2 will support NAC-NAP, and will support a heterogeneous environment of NAC & NAC-NAP.

Page 20: NAC-NAP Interoperability


Page 21: NAC-NAP Interoperability


Access Methods for NAC-NAP

EAP-FAST – The transport method for the SoH. The method will be deployable via group policy and downloadable via Windows Server Update Services.

EAPoUDP – Layer 3 method similar to the NAC-only deployment. In the NAC-NAP solution EoU relies on EAP-FAST. EoU will also be deployable via group policy and downloadable via WSUS.

802.1x – The Windows Vista 802.1x supplicant will be NAC-NAP enabled and will fully support both wired and wireless access.

[Figure: Client (Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host QEC; EAP-FAST carried over EAPoUDP or 802.1x) connects to Switches/Routers via 802.1x or EoU; Switches/Routers reach Cisco ACS via RADIUS.]

Page 22: NAC-NAP Interoperability


Client Statement of Health Process

Health Validation Events

Health State Change – An SHA may notify the NAP Agent if its health state changes. For example, the Windows firewall is turned off.

Network State Change – A QEC may notify the NAP Agent that there is a network state change. For example, a wireless client roams to a new network.

Probation Timer – The probation timer expires.

SoH Creation Process

1. A health validation event occurs.

2. The NAP Agent requests SoH data from all bound SHAs.

3. The SHAs respond with SoH data.

4. The NAP Agent collects all SHA data and adds system SoH data to create a system SoH (SSoH).

5. The NAP Agent forwards the SSoH to all configured QECs.

[Figure: Partner System Health Agents (SHAs) → NAP Agent (QA) → EAP Host QEC and HC QEC.]
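The NAP Agent's collating role from the Vista Client Architecture slide and the SoH creation process above, modelled as an added Python example; this is not Cisco or Microsoft code, and the SHA ids, the firewall/antivirus settings and the policy values are constructed for the illustration. The QEC is stood in for by a direct call to the validator so the round trip runs offline.

```python
from dataclasses import dataclass

@dataclass
class SoH:          # Statement of Health: one SHA's report on one health area
    sha_id: int
    state: dict

@dataclass
class SoHR:         # SoH Response from the matching SHV
    sha_id: int
    compliant: bool
    fixups: dict    # settings the SHA should apply to remediate

class SHA:          # System Health Agent: reports health state, optionally remediates
    def __init__(self, sha_id, state):
        self.sha_id, self.state = sha_id, dict(state)
    def get_soh(self):
        return SoH(self.sha_id, dict(self.state))
    def process_sohr(self, sohr):
        if not sohr.compliant:          # remediation is optional for an SHA
            self.state.update(sohr.fixups)

class SHV:          # System Health Validator: required settings per SHA id (constructed policy)
    def __init__(self, policy):
        self.policy = policy
    def validate(self, ssoh):
        ssohr = []
        for soh in ssoh["sohs"]:
            required = self.policy.get(soh.sha_id, {})
            fixups = {k: v for k, v in required.items() if soh.state.get(k) != v}
            ssohr.append(SoHR(soh.sha_id, not fixups, fixups))
        return ssohr

class NAPAgent:     # Quarantine Agent: collates SoHs into an SSoH, splits the SSoHR back out
    def __init__(self, shas, qec):
        self.shas = {s.sha_id: s for s in shas}
        self.qec = qec                  # enforcement client; here it calls the SHV directly
    def on_health_validation_event(self, reason):
        ssoh = {"reason": reason, "sohs": [s.get_soh() for s in self.shas.values()]}  # steps 2-4
        ssohr = self.qec(ssoh)                               # step 5: forward to the QEC
        for sohr in ssohr:                                   # parse SSoHR into per-SHA SoHRs
            self.shas[sohr.sha_id].process_sohr(sohr)
        return all(r.compliant for r in ssohr)

def demo():
    shv = SHV({1: {"firewall": "on"}, 2: {"av_signatures": "current"}})  # constructed policy
    agent = NAPAgent([SHA(1, {"firewall": "off"}), SHA(2, {"av_signatures": "current"})], shv.validate)
    first = agent.on_health_validation_event("health state change: firewall off")
    second = agent.on_health_validation_event("probation timer expired")
    return first, second    # (False, True): SHA 1 remediated after the first round
```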

Page 23: NAC-NAP Interoperability


Key Takeaways

Main points to keep in mind:

This solution will be available around the end of CY07, when ACS 4.2 and Longhorn Server ship.

NAC-NAP is only supported on Vista and Longhorn.

Customers can still do NAC only or NAP only.

Currently POCs are not available for customers outside of the beta

Page 24: NAC-NAP Interoperability


Q and A