
NAC up your Alley…host login process

Author: Jim Thomas, 6 May 2009

So now that we have the NAC agent installed, we can take a look at the process the host goes through in order to achieve NAC login.

The first thing to understand is the SWISS Protocol that Cisco has created. When an agent is installed on the host machine and loads as a user process, it begins sending out discovery packets frequently. The timing depends on the configuration, that is, if the NAS is configured as Layer 2 or Layer 3.

If the NAS is Layer 2, the host attempts to discover the NAS by sending packets to its default gateway every 5 seconds. In a Layer 2 environment the user's gateway should sit behind the NAS, or the NAS itself is the gateway if it is configured in Real-IP mode. The host sends this discovery traffic to destination port UDP/8095. If a NAS is present, it responds with its certificate to the client so that authentication and posture assessment can proceed over a secure channel (SSL).

In the case of a Layer 3 configuration on the NAS, the client attempts to contact its configured "Discovery Host", which is an IP address or hostname configured in the NAA (NAC Appliance Agent). The connection attempt to the discovery host is made on UDP port 8096. If a NAS sits between the agent and the discovery host, the NAS sends its certificate to the host so that the rest of the negotiation can take place over a secure medium.

The discovery host field itself can be modified to whatever IP Address you wish. Remember, this IP is only for the NAA to initiate contact and begin the communication process. So really, the IP can be literally anything in the network as long as the IP resides behind the NAS. Some organizations have even configured NAC with split-tunnel VPN configurations and used this discovery host to begin this trigger process with NAC back at their main office where the NAS is located.

Also keep in mind that the discovery host field is already pre-populated, since the agent was obtained from the NAM. In fact, we've even seen this mangled in configs. It turns out that the Discovery Host is added to the NAA when the NAC Appliance reboots, and we've seen errors in this compilation step of the NAA. Anyway, rest assured you can absolutely change the field by right-clicking the agent in the system tray on the host machine and clicking Properties, as seen in the following image.


Another place where you can set the discovery host for Layer 3 NAS support is during installation. You should have the NAA installed before any NAC deployment goes live, and this can easily be accomplished by using the following in your Windows scripts:

msiexec /package F:\NAC\CCAAgent.msi /qn SERVERURL=

Notice that you can also modify the registry where the discovery host is set by locating the registry key HKLM\Software\Cisco\Clean Access Agent and changing the ServerUrl data value to anything you wish.
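Because the discovery host is just a registry value that anyone with local rights can change, it is worth checking on the wire that agents are actually pointed at the intended Discovery Host. The following is an added example (not from the original post or from Cisco) that classifies constructed flow records into the Layer 2 (UDP/8095 to the gateway) and Layer 3 (UDP/8096 to the discovery host) SWISS discovery patterns described above, flags agents whose Layer 3 discovery goes to an unexpected host, and measures the Layer 2 retry interval; the IP addresses and the flow-record shape are assumptions.

```python
from collections import defaultdict

# Ports the NAA uses for SWISS discovery, as described in the article.
L2_DISCOVERY_PORT = 8095   # sent to the host's default gateway every 5 seconds
L3_DISCOVERY_PORT = 8096   # sent to the configured Discovery Host

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_ip, proto, dst_port).
SAMPLE_FLOWS = [
    (0.0, "10.10.20.15", "10.10.20.1", "udp", 8095),     # L2 discovery to gateway
    (5.0, "10.10.20.15", "10.10.20.1", "udp", 8095),
    (10.0, "10.10.20.15", "10.10.20.1", "udp", 8095),
    (1.0, "10.10.30.22", "192.168.50.5", "udp", 8096),   # L3 discovery, expected host
    (6.0, "10.10.30.22", "192.168.50.5", "udp", 8096),
    (2.0, "10.10.30.40", "203.0.113.9", "udp", 8096),    # L3 discovery, unexpected host
    (3.0, "10.10.20.15", "10.10.20.1", "tcp", 443),      # unrelated traffic, ignored
]


def classify_discovery(flows):
    """Group SWISS discovery attempts per source host into L2 and L3 lists."""
    result = defaultdict(lambda: {"l2": [], "l3": []})
    for ts, src, dst, proto, dport in flows:
        if proto != "udp":
            continue
        if dport == L2_DISCOVERY_PORT:
            result[src]["l2"].append((ts, dst))
        elif dport == L3_DISCOVERY_PORT:
            result[src]["l3"].append((ts, dst))
    return dict(result)


def find_unexpected_discovery_hosts(flows, expected_hosts):
    """Return {src: {dst, ...}} for L3 discovery aimed at hosts outside expected_hosts.

    A hit usually means the ServerUrl value on that host was mangled or changed."""
    findings = {}
    for src, kinds in classify_discovery(flows).items():
        unexpected = {dst for _, dst in kinds["l3"] if dst not in expected_hosts}
        if unexpected:
            findings[src] = unexpected
    return findings


def l2_discovery_interval(flows, src):
    """Average gap in seconds between successive L2 discovery packets from src.

    Returns None when fewer than two packets were seen; healthy agents show ~5.0."""
    stamps = sorted(ts for ts, _ in classify_discovery(flows).get(src, {"l2": []})["l2"])
    if len(stamps) < 2:
        return None
    return (stamps[-1] - stamps[0]) / (len(stamps) - 1)
```

Feed the functions real flow or firewall log records in the same tuple shape and alert on any host returned by find_unexpected_discovery_hosts.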


One Comment »

  • Mohan said:

    This is very good information, that I have not seen explained in this detail. Appreciate your effort.

