NAC-NAP Interoperability


1 NAC-NAP Interoperability
Michal Remper Systems Engineer

2 Who we are? 4 years of NAC experience …
(NAC reference architecture diagram.) Subject: managed or unmanaged host. Enforcement: LAN, WAN or Remote. Decision & Remediation: ACS, Directory Server, Posture Validation Server(s), Audit Server, Patch Server, Reporting Server. The diagram contrasts Subject vs. Enforcement vs. Decision, and LAN vs. WAN vs. Remote.

3 How we see Microsoft?
Microsoft owns 97.46% of the global desktop operating system market (over 90% in the Enterprise). Microsoft is a strategic component of business operations for nearly all of our customers. Any NAC solution must fully support a Microsoft environment.

4 What is the difference between NAC & NAP ?
… NAC and NAP have different goals …

5 What is the difference between NAC & NAP ?
NAC ensures that all users and devices coming into the network comply with an endpoint security policy. NAP seeks to guarantee that users and devices connecting to a specific MS server meet an endpoint security policy. Cisco and Microsoft have publicly stated that the two companies will work to integrate these two approaches.

6 History: Network Admission Control and Network Access Protection
Announcement originally made in October 2004. Since then: unveiled at The Security Standard show in Sept, including a press announcement and live demo. Joint Beta program began in Dec 06 with two customers… no, one is not Cisco IT.

7 What we declare together ….

8 Status Today
Joint testing between Cisco and Microsoft, including bug fixes, is ongoing and includes weekly status calls for tracking. Documentation has been developed, including presentations, deployment and troubleshooting guides. Beta 1 is wrapping up, with Beta 2 slotted for a June start.
Beta 1: In-band posture. Beta 2: Wireless, SSO, Extended States, MAB.

9 Why Did We Create a Joint Solution?
Customer driven: Cisco and Microsoft interoperability helps customers achieve their strategic initiatives. Customers don't have to choose between a NAC-only or a NAP-only solution.

10 NAC Admission Flow (Key: Optional / Mandatory)
Participants: host attempting network access (running the Cisco Trust Agent, CTA), Network Access Devices (NADs), the Cisco Secure ACS policy server, and the decision points and audit: Directory Server (LDAP, OTP), Policy Vendor Server (PVS) and Audit Server (AS). Transports: EAP between host and NAD, RADIUS between NAD and ACS, HCAP between ACS and the PVS, GAME over HTTPS between ACS and the Audit Server.
1. Traffic triggers a challenge.
2–3. Credentials pass from the host to the NAD and on to ACS.
4a. Identity is checked against the Directory Server.
4b. Posture is checked against the Policy Vendor Server.
4c. Audit is performed by the Audit Server.
5. Compliant?
6. Authorization.
7. Enforcement.
8. Notification.
9. Status.
Speaker notes: walk through the NAC flow and point out CTA. The audit server may or may not be required. Anti-virus is an example, but it could be any type of posture information.

11 What is Available in the Joint Solution?
Network Admission Control: 802.1x, EoU. Network Access Protection: DHCP, IPsec, VPN, 802.1x, Health Certificates. Joint NAC-NAP solution: 802.1x, EoU.

12 NAC-NAP Architecture
Client: Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host, QEC; transports EAP-FAST, 802.1x, EAPoUDP. Cisco components: switches, routers, Cisco ACS. Microsoft components: MS NPS. MS Partner components: Partner Policy Server. EAP-FAST runs over 802.1x or UDP between the client and the network device, RADIUS between the network device and Cisco ACS, and HCAP between ACS and NPS.
We have referred to this as the In-Band (HCAP) scenario. Access methods include 802.1x and EoU. Authentication is performed on ACS. Posture checking is performed on NPS. HCAP v2 is the secure transport method for credentials and policy information between ACS and NPS.

13 NAC-NAP Benefits
Interoperability and customer choice: customers can choose components, infrastructure and technology while implementing a single, coordinated solution.
Investment protection: enables customer reuse and investment protection of their NAC and/or NAP deployments.
Single agent included in Windows Vista: the NAP Agent component, included as part of Windows Vista, will be used for both NAP and NAC.
Agent deployment and update support: Microsoft will distribute Cisco EAP modules through Windows Update / Windows Server Update Services.
Cross-platform support: to support client operating systems other than Windows, Microsoft will make available the APIs that support both NAP and Cisco NAC, and Cisco will continue to support and develop its NAC client (the Cisco Trust Agent) for non-Windows environments.

14 Solution Details
ACS support for NAC-NAP is in the 4.2 release, currently set for Dec 07. MS Longhorn is required for NAP and NAC-NAP; it will be released at the end of Dec 07. A NAP-only agent is available for XP. Cisco has no plans to support the NAC-NAP solution for anything prior to Vista. There is no CTA for Vista: the NAP agent handles both NAC and NAP information on Vista.

15 OS Support
(Support matrix of Vista and XP against NAC-NAP, NAP only, NAC Framework and NAC Appliance.)

16 NAC NAP Architecture Comparison
SHV = System Health Validator QA/QS = Quarantine Agent/Server QEC/QES = Quarantine Enforcement Client/Server

17 Vista Client Architecture
Statement of Health (SoH), aka posture credentials: encapsulation of endpoint posture sent from an endpoint SHA to its SHV. The SoH is a response to a request for health state.
System Health Agents (SHA), aka posture plugins: SHAs are responsible for reporting on the health state of the client. Each configured SHA reports health state to the NAP Agent. An SHA will also accept statement of health response data and will optionally remediate the client.
NAP Agent (QA), aka CTA: QA is responsible for collating the statement of health information from the SHAs into a single system statement of health. QA also accepts the system statement of health response and parses it into individual statements of health to be passed to the SHAs.
EAP Host: a plug-in architecture for network authentication components. There will be a partner program where Microsoft will certify components and distribute them through Windows Update.
Client components: Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host, QEC; EAP-FAST over 802.1x or EAPoUDP.

18 Microsoft Server and Partner Components
NPS Server (Longhorn): replaces IAS; the place to define NAP enforcement and remediation policies (RADIUS access policies for NAP-only); implements HCAP v2 for ACS communication; supports the SHV API and installation of SHVs.
MS Partner Program: very similar to the way the Cisco NAC program is set up; partners develop interoperability through the SHA and SHV APIs. SHV = System Health Validator; SHA = System Health Agent.
Diagram components: Client (SHA 1, SHA 2, Quarantine Agent (QA), QEC 1, QEC 2), Updates, Network Policy Server (SHV 1, SHV 2, Health policy, Quarantine Server (QS)), Policy Servers, Remediation Servers.

19 What About Cisco Components?
Any Cisco device that works with NAC will work with NAC-NAP! Currently ACS 4.2 will support NAC-NAP, and will support a heterogeneous environment of NAC and NAC-NAP. (Diagram: Cisco ACS.)

20

21 Access Methods for NAC-NAP
Client components: Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host, QEC. EAP-FAST runs over 802.1x or EoU to the switches and routers, which speak RADIUS to Cisco ACS.
EAP-FAST: the transport method for the SoH. The method will be deployable via group policy and downloadable via Windows Server Update Services.
EAPoUDP: Layer 3 method similar to the NAC-only deployment. In the NAC-NAP solution EoU relies on EAP-FAST. EoU will also be deployable via group policy and downloadable via WSUS.
802.1x: the Windows Vista 802.1x supplicant will be NAC-NAP enabled and will fully support both wired and wireless access.

22 Client Statement of Health Process
Health validation events:
Health state change: an SHA may notify the NAP Agent if its health state changes. For example, the Windows firewall is turned off.
Network state change: a QEC may notify the NAP Agent that there is a network state change. For example, a wireless client roams to a new network.
Probation timer: the probation time expires.
SoH creation process:
1. A health validation event occurs.
2. The NAP Agent requests SoH data from all bound SHAs.
3. The SHAs respond with SoH data.
4. The NAP Agent collects all SHA data and adds system SoH data to create a System SoH (SSoH).
5. The NAP Agent forwards the SSoH to all configured QECs.
Client components: Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host, QEC, HC QEC.

23 Traffic Flow
Diagram: the client (Partner SHAs, NAP Agent (QA), EAP Host, QEC) sends credential + SoH over EAP-FAST (802.1x or EAPoUDP) to the switches/routers; the NAD relays it over RADIUS to Cisco ACS; ACS exchanges the SoH and the SoHr / Qstate / ExtState with MS NPS (and the Partner Policy Server); the Network Access Profile goes to the NAD and the SoHr goes back to the client.
1. Client negotiates 802.1x or EAP over UDP with the Network Access Device.
2. The ACS server initiates an EAP-FAST authentication with the client.
3. Client generates a System SoH (SSoH) and sends this to ACS along with its authentication credentials.
4. ACS authenticates the client.
5. ACS forwards the system SoH, User Group and Location Group to the Posture AAA (NPS).
6. Posture AAA (NPS) validates the system SoH and evaluates it against policy.
7. Posture AAA generates a system SoHr and returns it plus a quarantine state and an extended state to ACS.
8. ACS takes the quarantine state and extended state plus the authentication data and authorizes the client.
9. ACS generates a Network Access Profile and returns this to the NAD.
10. ACS returns the system SoHr to the client via EAP-FAST.
11. Client processes the system SoHr and remediates as necessary.
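As an added example, not part of the original deck and not Cisco or Microsoft code, the following Python models the client SoH process of slide 22 and the NAC-NAP traffic flow of slide 23 end to end: a health validation event makes the NAP Agent collect SoHs from its SHAs into a System SoH, ACS authenticates the credentials, NPS evaluates each SoH against health policy and returns a System SoHr plus a quarantine state, ACS turns that into a network access profile for the NAD, and the SHAs remediate from the SoHr so that the next round (here, the probation timer) passes. It does not implement the real MS-SOH encoding, EAP-FAST, RADIUS or HCAP v2, and it omits the extended state; the component classes, the user "alice", the firewall and anti-virus attributes and the VLAN profile names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class SoH:
    """One SHA's Statement of Health: the attributes it reports."""
    sha_id: str
    attrs: Dict[str, object]


@dataclass
class SoHr:
    """The SHV's response to one SoH: compliant or not, and why."""
    sha_id: str
    compliant: bool
    failures: List[str]


class SystemHealthAgent:
    """Hypothetical SHA: reports one facet of client health and can remediate it."""

    def __init__(self, sha_id: str, state: Dict[str, object],
                 remediate: Callable[[Dict[str, object]], None]):
        self.sha_id, self.state, self._remediate = sha_id, state, remediate

    def statement_of_health(self) -> SoH:
        return SoH(self.sha_id, dict(self.state))

    def process_response(self, sohr: SoHr) -> None:
        if not sohr.compliant:          # failed SoHr: the SHA optionally remediates
            self._remediate(self.state)


class NapAgent:
    """NAP Agent (QA): collates SHA SoHs into a System SoH, fans the SSoHr back out."""

    def __init__(self, machine: str, shas: List[SystemHealthAgent]):
        self.machine = machine
        self.shas = {s.sha_id: s for s in shas}

    def create_ssoh(self, trigger: str) -> Dict[str, object]:
        # trigger = the health validation event (health/network change, probation timer)
        return {"machine": self.machine, "trigger": trigger,
                "sohs": [s.statement_of_health() for s in self.shas.values()]}

    def process_ssohr(self, ssohr: List[SoHr]) -> None:
        for r in ssohr:                 # split the SSoHr into per-SHA SoHrs
            self.shas[r.sha_id].process_response(r)


class NetworkPolicyServer:
    """NPS: one SHV per SHA compares the reported attributes with the health policy."""

    def __init__(self, policy: Dict[str, Dict[str, object]]):
        self.policy = policy            # {sha_id: {attribute: required value}}

    def validate(self, ssoh: Dict[str, object]) -> Tuple[List[SoHr], str]:
        ssohr = []
        for soh in ssoh["sohs"]:
            required = self.policy.get(soh.sha_id, {})
            failures = [f"{k}={soh.attrs.get(k)!r} (required {v!r})"
                        for k, v in required.items() if soh.attrs.get(k) != v]
            ssohr.append(SoHr(soh.sha_id, not failures, failures))
        qstate = "healthy" if all(r.compliant for r in ssohr) else "quarantine"
        return ssohr, qstate


class AccessControlServer:
    """ACS: authenticates, hands the SSoH to NPS, maps the quarantine state to a profile."""

    def __init__(self, users: Dict[str, str], nps: NetworkPolicyServer,
                 profiles: Dict[str, str]):
        self.users, self.nps, self.profiles = users, nps, profiles

    def admit(self, credentials: Tuple[str, str],
              ssoh: Dict[str, object]) -> Tuple[str, List[SoHr]]:
        user, password = credentials
        if self.users.get(user) != password:
            return "deny", []           # authentication failed: posture is never evaluated
        ssohr, qstate = self.nps.validate(ssoh)
        return self.profiles[qstate], ssohr


def run_admission(agent: NapAgent, acs: AccessControlServer,
                  credentials: Tuple[str, str], trigger: str) -> str:
    """One admission round: SSoH up, profile to the NAD, SSoHr back to the client."""
    ssoh = agent.create_ssoh(trigger)
    profile, ssohr = acs.admit(credentials, ssoh)
    agent.process_ssohr(ssohr)
    return profile


def demo() -> Tuple[str, str, str]:
    """Constructed client: firewall off and stale AV signatures, remediated after round one."""
    fw = SystemHealthAgent("firewall", {"enabled": False},
                           lambda s: s.update(enabled=True))
    av = SystemHealthAgent("antivirus", {"signature_version": 1200},
                           lambda s: s.update(signature_version=1234))
    agent = NapAgent("vista-lab-01", [fw, av])
    nps = NetworkPolicyServer({"firewall": {"enabled": True},
                               "antivirus": {"signature_version": 1234}})
    acs = AccessControlServer({"alice": "s3cret"}, nps,
                              {"healthy": "vlan-corp", "quarantine": "vlan-remediation"})
    first = run_admission(agent, acs, ("alice", "s3cret"), "health state change")
    second = run_admission(agent, acs, ("alice", "s3cret"), "probation timer expired")
    bad = run_admission(agent, acs, ("alice", "wrong"), "network state change")
    return first, second, bad   # ('vlan-remediation', 'vlan-corp', 'deny')


if __name__ == "__main__":
    print(demo())
```

The ordering in `admit` mirrors steps 4 to 8 of the flow: authentication on ACS comes first, and a failed credential never reaches NPS, so posture data is only evaluated for an authenticated identity. Quarantine is the default whenever any SHV reports a failure, which is the safe choice for the enforcement point.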

24 Key Takeaways
Main points to keep in mind:
This solution will be available around the end of CY07, when ACS 4.2 and Longhorn Server ship.
NAC-NAP is only supported on Vista and Longhorn.
Customers can still do NAC only or NAP only.
Currently POCs are not available for customers outside of the beta.
Speaker notes: Key Takeaways are critical for TOI as well as retention of material. When VT members go to redeliver the content of the session to their region/team, what are the critical main points that they must redeliver? The answer to that question should be the bullets of this slide.

25 Q and A
