NAC up your alley! – NAC Appliance…
Tags: Network Admission Control (NAC)
In previous posts, we discussed the authentication component of the NAC Appliance and how the trigger process begins once a host is introduced to the network. In our last discussion I brought up the NAA (NAC Appliance Agent) so let’s dive further into this agent.
The NAA is our “middleware” that allows the NAC Appliance to communicate with your host and check for compliance (aka authorization) and authentication. I mean if you think about it, a NAC Appliance cannot just ask your corporate hosts what software is installed. There are firewalls and all the other software you’ve installed on the hosts, so the only way to query the host is by use of an agent. The agent itself should be installed ahead of time before the Appliances go live at all. So here is the kicker;
- The agent requires admin rights to be installed.
- The agent runs as a process under the logged in user and not as a system service (in the next rev this will be updated).
So while you are adding the NAA to the host you should also add a couple of other key components including the “stub installer” and the root CA certificate. The stub installer can be found either by doing an SCP copy from the NAM or browsing into the NAMs GUI to download the exe file. You will want the stub installer because if a user ever downloads the NAA or needs to update their NAA by means of the NAM providing the file, the stub will automatically be invoked to allow the NAA to be installed/patched therefore not requiring your users to have admin rights. (The downfall to installing the stub installer by the way is that the stub itself needs to be installed with admin rights so this will need to be scripted to be automatically installed by your IT staff.)
The CAs certificate will need also to be installed ahead of time or else the users will see a certificate popup window everytime they log in. Remember that the CA will sign the website certificate used on the NAS and NAM.
Also keep in mind the NAA runs as a Process on the local host. That means the user will need to be logged in order to check for any compliance on the host. A user cannot simply leave their PC on yet logout and expect compliance checking to work correctly. Cisco has mentioned that a service version of the NAA will be coming out shortly, but until then we are stuck with the process.
There are also a few sticking points to the agent. If the user logs in to their Windows host and decides to hold the shift key down to prevent any startup programs from starting, the NAA is subjected to the same bypass, preventing the NAA from loading. It’s the same case if a user simply kills the process in TaskManager. In either of those two cases, the users’ PC will be redirected to the web page of the NAC Appliance once they decide to open their browser and browse to the network or Internet.
Author: Jim Thomas