NAC up your Alley…host login process
Tags: Network Admission Control (NAC)
So now that we have the NAC agent installed, we can take a look at the process the host goes through in order to achieve NAC login.
The first thing to understand is the SWISS Protocol that Cisco has created. When an agent is installed on the host machine and loads as a user process, it begins sending out discovery packets frequently. The timing depends on the configuration, that is, if the NAS is configured as Layer 2 or Layer 3.
If the NAS is Layer 2 then the host will attempt to discover the NAS by sending packets to its’ default gateway every 5 seconds. Now in a Layer2 type of environment, the users’ gateway should be behind the NAS or the gateway being the NAS itself if we are configured as Real-IP Mode. So the host attempts this discovery using a destination port of UDP/8095. If the NAS is present, it will respond with its’ certificate to the client so they can begin authentication/posture assessment over a secure channel (SSL).
In the case of Layer3 configurations on the NAS, the client attempts to contact its’ configured “Discovery Host” which is an IP Address or hostname configured in the NAA (NAC Appliance Agent). The connection attempt to reach this discovery host will be made on UDP port 8096. If a NAS exists between the agent and this discovery host, then the NAS will send its’ certificate to the host in an attempt to further negotiations over a secure medium.
The discovery host field itself can be modified to whatever IP Address you wish. Remember, this IP is only for the NAA to initiate contact and begin the communication process. So really, the IP can be literally anything in the network as long as the IP resides behind the NAS. Some organizations have even configured NAC with split-tunnel VPN configurations and used this discovery host to begin this trigger process with NAC back at their main office where the NAS is located.
Also keep in mind that this discovery host field is already pre-populated since the agent was obtained from the NAM. In fact, we’ve even seen this mangled in configs. It turns out that the Discovery Host is added to the NAA on NAC Appliance reboot and we’ve seen errors in this compilation process of the NAA. Anyway, rest assured you can absolutely change the field by simply right-clicking the agent in the system tray on the host machine and clicking properties as seen in the following image.
Another location where you can modify the discovery host for Layer3 NAS support is during installation. You should have the NAA installed before any NAC deployment goes live and the process can be easily accomplished by using the following in your windows scripts:
msiexec /package F:NACCCAAgent.msi /qn SERVERURL=http://10.1.1.1/
Notice that you can also modify the registry where the discovery host is set by locating the proper registry key located in: HKLMSoftwareCiscoClean Access Agent and modifying the ServerUrl data value to anything you wish.
Author: Jim Thomas