CANAC (Implementing NAC Appliance (formerly Cisco Clean Access)) Training Class

The Cisco NAC Appliance Solution

1. Cisco Self-Defending Networks

• The Changing Landscape of Security


• The Cisco Host-Protection Strategy


• The Cisco SDN Initiative


• Trust & Identity


• Cisco NAC Products

2. Cisco NAC Appliance

• Cisco NAC Appliance Solution


• Cisco NAC Appliance Features


• Cisco NAC Appliance Components


• Compliance Scenarios


• Deployment Options


• Configuration Overview


• User Interface

3. Cisco NAC Appliance Deployment Options

• Cisco NAC Appliance Out-of-Band (OOB) Deployment


• Cisco NAC Appliance In-Band Deployment


• Compare Cisco NAC Appliance Deployment Options


• Cisco NAS Operating Modes


• Virtual Gateway vs. Real-IP Gateway


• Layer 2 vs. Layer 3

4. Configure User Roles

• What is a User Role?


• Create User Roles


• Define Traffic Policies for User Roles


• Configure Traffic Policies for User Roles


• Create Local User Accounts

5. Configure External Authentication

• Configure External Authentication Providers


• Authenticate Cisco NAC Appliance Users with Kerberos


• Authenticate Cisco NAC Appliance Users with RADIUS


• Authenticate Cisco NAC Appliance Users with LDAP


• Authenticate Cisco NAC Appliance Users with NT Domain


• Map Users to User Roles


• Test User Authentication


• Configure RADIUS Accounting for Users


• Adding Custom RADIUS Attributes

6. Configure DHCP

• Cisco NAS DHCP Modes


• Enable the DHCP Module


• Configure IP Ranges (IP Address Pools)


• Work with Subnets


• Reserve IP Addresses


• Configure User-Specified DHCP Options

NAC Appliance Implementation

7. Implement Cisco NAC Appliance In-Band Deployment

• In-Band Process Flow


• In-Band Deployment Configurations


• Configure the Cisco NAS for In-Band Deployment


• Add the Cisco NAS to the Managed Domain


• Configure the Cisco NAS Interfaces


• Add Managed Subnets


• Configure Cisco NAS VLAN Settings

8. Implement Windows Active Directory Single Sign-On (AD SSO)

• Kerberos Ticket Exchange


• Confirming a NAS Ticket


• Communications between the NAS and Active Directory


• AD SSO Configuration Checklist


• TCP & UPD Ports Required for AD SSO


• Configure the NAS for AD SSO


• Install Support Tools for Windows 2000 or 2003 Server


• Configure the Domain Controller with ktpass.exe

9. Implement Virtual Private Network Single Sign-On (VPN SSO)

• Configuration Checklist


• Configure a Traffic Filter


• Add VPN Authentication Server to NAM


• Map VPN Users to Roles on NAM


• Enable VPN SSO on the NAS


• Adding a VPN Device to the NAS


• Configure RADIUS Accounting


• Configure the VPN Gateway as a Floating Device


• Test VPN SSO

10. Implement Cisco NAC Appliance Out-of-Band Deployment

• OOB Process Flow


• OOB Deployment Considerations


• Layer 2 Central & Edge Deployment


• Layer 3 Virtual Gateway & Real-IP Gateway


• Layer 2 & 3 Clientless Host Options


• Differences between Cisco NAC Appliance OOB Setup and In-Band Setup


• Implement Cisco NAS OOB Operating Modes

11. Manage Switches

• Implement Switch Management


• Configure the Network for OOB Deployment


• Configure Group, Switch, and Port Profiles


• Configure Port Profiles Adding Switches to the Managed Domain


• Configuring SNMP Advanced Settings


• Configure Switch Ports to Use Port Profiles


• Manage Switch Configuration Settings

NAC Appliance Implementation Options

12. Implement Cisco NAC Appliance on a Network

• Implement Cisco NAC Appliance


• General Setup Tab


• User Pages


• Configure Cisco NAA Support


• Manage Certified Devices


• Device Exemption


• Viewing User Reports

13. Implement Network Scanning

• Configure the Quarantine Role


• Implement Nessus Plug-Ins


• Test a Scanning Configuration


• Customize the User Agreement Page


• View Scan Reports

14. Configure the NAM to Implement Cisco NAC Appliance Agent on User Devices

• Configure the Cisco NAM to Implement the Cisco NAC Appliance Agent (NAA)


• Retrieve Updates


• Require the Use of the Cisco NAA


• Configure the Cisco NAA Temporary Role


• Introduce Checks, Rules, and Requirements


• Create a Check, Rules, and Requirements


• Map Requirements to Rules and Roles

15. Configure NAM High Availability (HA)

• Introduce HA for Cisco NAMs


• Establish a Serial Connection Between Managers


• Digital Certificate Requirements


• Configure the Primary Cisco NAM


• Configure the Standby Cisco NAM

16. Configure Cisco NAC Appliance Server (NAS) HA

• Introduce HA for NASs


• Implementation Considerations


• Digital Certificate Requirements


• Configure the Primary and Standby NAS


• Complete the Standby NAS HA Configuration


• Test the NAS HA Configuration


• Configure DHCP Failover

NAC Appliance Monitoring and Administration

17. Monitor a Cisco NAC Appliance Deployment

• Cisco NAC Appliance Monitoring


• Monitor Online Users


• Monitor NAS Health Event Logs


• Configure Basic SNMP Support


• Configure Syslog Support

18. Administer Cisco NAM

• Define the Cisco NAM Administration Module


• Set Network and Failover Parameters


• Manage Administration Groups


• Manage Administration Users


• Manage User Passwords


• Administer the System Time


• Manage SSL Certificates


• Manage the Cisco NAC Appliance Software


• Protect Your NAM Configuration

Anyone responsible for the design, implementation, or support of a Cisco NAC
Appliance installation and Cisco Channel Partners preparing for ASFE
certification.

• Fundamental knowledge of implementing network security or CCSP or Cisco
  Security Qualified Specialist Certification


• SNRS or working knowledge of digital certificates


• BSCI or working knowledge of HSRP