Brochure: Securing Complexity with NAC Appliance (Cisco Clean Access): A Technical View

Table of contents:
- Agenda
- The Challenge of Securing Complexity
- Productivity Causes Complexity
- Complexity Demands Defense-in-Depth
- What Is Network Admission Control?
- Four Key Capabilities of NAC
- Before We Continue, You May Be Asking …
- Agenda
- NAC Appliance
- NAC Appliance Enforces Compliance
- NAC Appliance (formerly known as Clean Access) Components
- Sampling of Pre-Configured Checks
- Product User Flow Overview
- User Experience with Agent
- User Experience via Web Browser
- NAC Appliance Protocol Flow
- NAC Appliance Sizing
- Agenda
- Tour of Features: Management Console
- CAM Manages All Clean Access Servers
- Pre-Configured Checks
- Posture Validation Overview
- Checks and Rules: An Example
- How Checks Look in the Manager
- How Rules Look in the Manager
- Requirements and Roles
- How Requirements Look in the Manager
- How Roles Look in the Manager
- How Roles Look in the Manager
- Filters and Bandwidth
- How Filters Look in the Manager
- How Bandwidth Controls Look
- Clean Access Manager: Back-end Authentication Integration
- Admin Control with Real-Time Information
- Fine-Tuning Administrator Access
- Clean Access Manager Benefits Summary
- Agenda
- NAC Appliance Technical Benefits

Size: 3 MB; Pages: 41; Language: English
Brochure: Securing Complexity with Cisco NAC Appliance (Clean Access)

Table of contents:
- Agenda
- The Challenge of Securing Complexity
- Productivity Causes Complexity
- Complexity Demands Defense-in-Depth
- Agenda
- What Is Network Admission Control?
- Four Key Capabilities of NAC
- Before We Continue, You May Be Asking …
- Agenda
- The Cisco NAC Appliance Advantage
- NAC Appliance Enforces Compliance
- NAC Appliance (formerly known as Clean Access) Components
- Sampling of Pre-Configured Checks
- Product User Flow Overview
- User Experience with Agent
- User Experience via Web Browser
- NAC Appliance Sizing
- NAC Appliance Options
- Agenda
- NAC Appliance Top Values to Business
- Customer Return on Investment

Size: 2 MB; Pages: 24; Language: English
/pt/manuals/1619268/

Cisco Clean Access (NAC Appliance) Server Installation and Administration Guide

Table of contents:
- About This Guide
- Document Objectives
- Audience
- Document Conventions
- Product Documentation
- Obtaining Documentation
- Cisco.com
- Product Documentation DVD
- Ordering Documentation
- Documentation Feedback
- Cisco Product Security Overview
- Reporting Security Problems in Cisco Products
- Obtaining Technical Assistance
- Cisco Technical Support & Documentation Website
- Submitting a Service Request
- Definitions of Service Request Severity
- Obtaining Additional Publications and Information
- Introduction
- What Is Cisco Clean Access (NAC Appliance)?
- Cisco Clean Access (NAC Appliance) Components
- Clean Access Server Features
- Installation Requirements
- Cisco Clean Access 3140 (CCA-3140-H1)
- Cisco Clean Access Licensing
- CAS Management Pages Summary
- Global vs. Local Administration Settings
- Priority of Settings
- Planning Your Deployment
- Overview
- Clean Access Server Operating Modes
- Real-IP Gateway
- Virtual Gateway
- NAT Gateway
- CAS Operating Mode Summary
- Central Versus Edge Deployment
- Routed Central Deployment (L2)
- Multi-Hop L3 Deployment
- Bridged Central Deployment
- Edge Deployment
- Installing the Clean Access Server NAC Appliance
- Overview
- Set Up the Clean Access Server NAC Appliance
- Virtual Gateway Mode Connection Requirements
- Access the CAS Over a Serial Connection
- Set Up the Terminal Emulation Console Connection
- Install the Clean Access Server Software from CD-ROM
- Custom Installation
- CD Installation Steps
- Perform the Initial Configuration
- Configuration Utility Script
- Important Notes for SSL Certificates
- Using the Command Line Interface
- CAM/CAS Connectivity Across a Firewall
- Configuring the CAS Behind a NAT Firewall
- Troubleshooting the Installation
- Network Interface Card (NIC) Driver Not Supported
- Resetting the Clean Access Server Configuration
- Clean Access Server Managed Domain
- Overview
- Add the CAS to the CAM
- Add New Server
- IP Addressing Considerations
- Additional Notes for Virtual Gateway with VLAN Mapping (L2 Deployments)
- List of Clean Access Servers
- Troubleshooting
- Navigating the CAS Management Pages
- Network IP Settings for the CAS
- IP Form
- Change Clean Access Server Type
- Switching Between NAT and Real-IP Gateway Modes
- Switching Between Virtual Gateway and NAT/Real-IP Gateway Modes
- Enable Network Access (L3 or L2 Strict)
- Enable L3 Support
- VPN/L3 Access for Clean Access Agent
- Enable L2 Strict Mode (Clean Access Agent Only)
- Configuring Managed Subnets or Static Routes
- Overview
- Configure Managed Subnets for L2 Deployments
- Adding Managed Subnets
- Configure Static Routes for L3 Deployments
- Configuring Static Routes for Layer 2 Deployments
- Add Static Route
- Understanding VLAN Settings
- Enable Subnet-Based VLAN Retag in Virtual Gateway Mode
- VLAN Mapping in Virtual Gateway Modes
- VLAN Mapping for In-Band
- VLAN Mapping for Out-of-Band
- Switch Configuration for Out-of-Band Virtual Gateway Mode
- Configure VLAN Mapping for Out-of-Band
- To Verify VLAN Mapping for Out-of-Band
- Local Device and Subnet Filtering
- Configure Device Access Filter Policies
- Configure Subnet Access Filter Policies
- NAT Session Throttle
- Configure 1:1 Network Address Translation (NAT)
- Configure 1:1 NATing
- Configure 1:1 NATing with Port Forwarding
- Configure ARP Entries
- Add ARP Entry
- Configure Proxy Ports
- Configuring DHCP
- Overview
- Enable the DHCP Module
- Configure DHCP Mode for the Clean Access Server
- Viewing the DHCP Server Startup Message
- Configuring IP Ranges (IP Address Pools)
- Auto-Generated versus Manually Created Subnets
- Subnetting Rules
- Create IP Pools Manually
- Auto-Generating IP Pools and Subnets
- Add Managed Subnet
- Create Auto-Generated Subnet
- Working with Subnets
- View Users by MAC Address/VLAN
- View or Delete Subnets from the Subnet List
- Edit a Subnet
- Reserving IP Addresses
- Add a Reserved IP Address
- User-Specified DHCP Options
- DHCP Global Scope Example
- IPSec/L2TP/PPTP/PPP on the CAS
- Overview
- Enable VPN Policies
- Configure IPSec Encryption
- Configure L2TP Encryption
- Configure PPTP Encryption
- Configure PPP
- Example Windows L2TP/IPSec Setup
- Integrating with Cisco VPN Concentrators
- Overview
- Single Sign-On (SSO)
- Configure Clean Access for VPN Concentrator Integration
- Configure User Roles and Clean Access Requirements
- Enable L3 Support on the CAS
- Add VPN Concentrator to Clean Access Server
- Make CAS the RADIUS Accounting Server for VPN Concentrator
- Add Accounting Servers to the CAS
- Map VPN Concentrator(s) to Accounting Server(s)
- Add VPN Concentrator as a Floating Device
- Configure Single Sign-On (SSO) on the CAS/CAM
- Configure SSO on the CAS
- Configure SSO on the CAM
- Create (Optional) Auth Server Mapping Rules
- Clean Access Agent with VPN Concentrator and SSO
- Clean Access Agent L3 VPN Concentrator User Experience
- View Active VPN Clients
- Local Traffic Control Policies
- Overview
- Local vs. Global Traffic Policies
- View Local Traffic Control Policies
- Add Local IP-Based Traffic Control Policies
- Add / Edit Local IP-Based Traffic Policy
- Add Local Host-Based Traffic Control Policies
- Add Local Allowed Host
- Add Local Trusted DNS Server
- View IP Addresses Used by DNS Host
- Controlling Bandwidth Usage
- Local Authentication Settings
- Overview
- Local Heartbeat Timer
- Local Login Page
- Add Local Login Page
- Local File Upload
- Enable Transparent Windows Login
- OS Detection
- Local Clean Access Settings
- Overview
- Add Exempt Devices
- Clear Exempt Devices
- Clear Certified Devices
- Specify Floating Devices
- Administer the Clean Access Server
- Status Tab
- Clean Access Server Direct Access Web Console
- Manage CAS SSL Certificates
- Web Console Pages for SSL Certificate Management
- Typical Steps for CAS New Installs
- Generate Temporary Certificate
- Export CSR/Private Key/Certificate
- Filenames for Exported Files
- Verify Currently Installed Private Key and Certificates
- Import Signed Certificate
- View Certificate Files Uploaded for Import
- Troubleshooting Certificate Issues
- CAS Cannot Establish Secure Connection to CAM
- Private Key in Clean Access Server Does Not Match the CA-Signed Certificate
- Regenerating Certificates for DNS Name Instead of IP
- Certificate-Related Files
- Specify DNS Servers on the Network
- Synchronize System Time
- Support Logs and Loglevel Settings
- Implement High Availability (HA) Mode
- Overview
- Plan Your Environment
- Sample HA Configuration
- Upgrading an Existing Failover Pair
- Before Starting
- Selecting and Configuring the Heartbeat UDP Interface
- Serial Port High-Availability Connection
- Configure High Availability
- Configure the Primary Clean Access Server
- a. Access the Primary CAS Directly
- b. Configure the Host Information for the Primary
- c. Configure HA-Primary Mode and Update
- d. Configure the SSL Certificate
- e. Reboot the Primary Server
- Configure the Standby Clean Access Server
- a. Access the Standby CAS Directly
- b. Configure the Host Information for the Standby
- c. Configure HA-Standby Mode and Update
- d. Configure the SSL Certificate
- e. Reboot the Standby Server
- Connect the Clean Access Servers and Complete the Configuration
- Test the Configuration
- Configure DHCP Failover
- To Configure DHCP Failover
- Modifying High Availability Settings
- To change IP Settings for a High-Availability Clean Access Server:
- Upgrading to a New Software Release
- Determining the Software Version
- New Installation of Release 3.6(x)
- Migrating/Upgrading from 3.5(x) to 3.6(x)
- Preparing for Upgrade
- OOB Switch Trunk Ports and 3.6(x) Upgrade
- General Procedure for 3.6(2) Migration
- Migration Procedure from 3.5(7)/3.5(8)/3.5(9)/3.5(10) to 3.6(2)
- Download the Upgrade File
- Run the Upgrade File on the CAM and Perform System Backup
- Perform CD Installation
- Copy System Backup File Back to CAM
- Restore System Backup File
- Reboot All Machines
- Upgrade Instructions for 3.6(x) Minor Releases and Patches
- Create CAM DB Backup Snapshot
- Download the Upgrade File
- Upgrade via Web Console
- Upgrade CAS from CAS Management Pages
- Upgrade CAS from CAS Direct Access Web Console
- Upgrade CAM from CAM Web Console
- Upgrading via SSH
- Download the Upgrade File and Copy to CAM/CAS
- Perform SSH Upgrade on the CAM
- Perform SSH Upgrade on the CAS
- Upgrading High Availability Pairs
- Accessing Web Consoles for High Availability
- Determining Active and Standby Clean Access Manager
- Determining Active and Standby Clean Access Server
- Instructions for Upgrading High Availability CAM and CAS

Size: 5 MB; Pages: 228; Language: English
/pt/manuals/1619269/

Cisco Clean Access (NAC Appliance) Manager Installation and Administration Guide

Table of contents:
- About This Guide
- Audience
- Document Conventions
- Product Documentation
- Obtaining Documentation
- Cisco.com
- Product Documentation DVD
- Ordering Documentation
- Documentation Feedback
- Cisco Product Security Overview
- Reporting Security Problems in Cisco Products
- Obtaining Technical Assistance
- Cisco Technical Support & Documentation Website
- Submitting a Service Request
- Definitions of Service Request Severity
- Obtaining Additional Publications and Information
- Introduction
- What Is Cisco Clean Access (NAC Appliance)?
- Cisco Clean Access (NAC Appliance) Components
- Clean Access Manager (CAM)
- Clean Access Server (CAS)
- Clean Access Agent
- Managing Users
- Installation Requirements
- Cisco Clean Access 3140 (CCA-3140-H1)
- Cisco Clean Access (NAC Appliance) Licensing
- FlexLM Licensing
- Evaluation Licenses
- Legacy Perfigo License Keys
- Overview of Web Admin Console Elements
- Clean Access Server (CAS) Management Pages
- Admin Console Summary
- Installing the Clean Access Manager NAC Appliance
- Overview
- Set Up the Clean Access Manager NAC Appliance
- Access the CAM Over a Serial Connection
- Install the Clean Access Manager Software from CD-ROM
- Custom Installation
- CD Installation Steps
- Perform the Initial Configuration
- Configuration Utility Script
- Important Notes for SSL Certificates
- Using the Command Line Interface (CLI)
- Troubleshooting Network Card Driver Support Issues
- CAM/CAS Connectivity Across Firewall
- Access the CAM Web Console
- Device Management: Adding Clean Access Servers, Adding Filters
- Working with Clean Access Servers
- Add Clean Access Servers to the Managed Domain
- Networking Considerations for CAS
- Troubleshooting when Adding the Clean Access Server
- Manage the Clean Access Server
- Check Clean Access Server Status
- Disconnect a Clean Access Server
- Reboot the Clean Access Server
- Remove the Clean Access Server from the Managed Domain
- Global and Local Administration Settings
- Global and Local Settings
- Global Device and Subnet Filtering
- Device Filters for In-Band Deployment
- Device Filters for Out-of-Band Deployment
- Device Filters and IPSec/L2TP/PPTP Connections to CAS
- Device Filters and Gaming Ports
- Global vs. Local (CAS-Specific) Filters
- Configure Device Filters
- Add Global Device Filter
- Display / Search Device Filter Policies
- Edit Device Filter Policies
- Delete Device Filter Policies
- Configure Subnet Filters
- Switch Management and Out-of-Band (OOB) Deployments
- Overview
- In-Band Versus Out-of-Band
- Out-of-Band Requirements
- SNMP Control
- Deployment Modes
- Basic Connection
- Out-of-Band Virtual Gateway Deployment
- Out-of-Band Real-IP/NAT Gateway Deployment
- Configuring Your Network for Out-of-Band
- Configure Your Switches
- Configuration Notes
- Example Switch Configuration Steps
- OOB Network Setup / Configuration Worksheet
- Configure OOB Switch Management in the CAM
- Add Out-of-Band Clean Access Servers and Configure Environment
- Configure Group Profiles
- Add Group Profile
- Edit Group Profile
- Configure Switch Profiles
- Add Switch Profile
- Configure Port Profiles
- Add Port Profile
- Configure SNMP Receiver
- SNMP Trap
- Advanced Settings
- Add Managed Switch
- Add New Switch
- Search New Switches
- Discovered Clients
- Manage Switch Ports
- Ports Tab
- Ports - MAC Notification
- Ports - Linkup/Linkdown
- Config Tab
- Basic
- Advanced
- Group
- Out-of-Band User List Summary
- OOB Troubleshooting
- OOB Switch Trunk Ports After Upgrade
- User Management: User Roles
- Overview
- Create User Roles
- User Role Types
- Unauthenticated Role
- Normal Login Role
- Role Assignment Priority
- Clean Access Roles
- Session Timeouts
- Default Login Page
- Traffic Policies for Roles
- Add New Role
- Role Properties
- Modify Role
- Edit a Role
- Delete Role
- Create Local User Accounts
- Create a Local User
- User Management: Auth Servers
- Overview
- Configure an Authentication Provider
- Kerberos
- RADIUS
- Windows NT
- LDAP
- Transparent Windows
- Implementing Transparent Authentication
- Add Transparent Windows Auth Server
- Cisco VPN Server
- Authenticating Against Active Directory
- AD/LDAP Configuration Example
- Map Users to Roles Using Attributes or VLAN IDs
- Configure Mapping Rule
- Editing Mapping Rules
- Test User Authentication
- RADIUS Accounting
- Enable RADIUS Accounting
- Restore Factory Default Settings
- Add Data to Login, Logout or Shared Events
- Add New Entry (Login Event, Logout Event, Shared Event)
- User Pages and Guest Access
- User Login Page
- Proxy Settings
- Add Default Login Page
- Customize Login Page Content
- Customize Login Page Styles
- Upload a Resource File
- Create Content for the Right Frame
- Configure Other Login Properties
- Redirect the Login Success Page
- Specify Logout Page Information
- Set Up Guest Access
- User Management: Traffic Control, Bandwidth, Schedule
- Overview
- Global vs. Local Scope
- View Global Traffic Control Policies
- Add Global IP-Based Traffic Policies
- Add IP-Based Policy
- Edit IP-Based Policy
- Add Global Host-Based Traffic Policies
- Add Trusted DNS Server for a Role
- Enable Default Allowed Hosts
- Add Allowed Host
- View IP Addresses Used by DNS Hosts
- Control Bandwidth Usage
- Configure User Session and Heartbeat Timeouts
- Session Timer
- Heartbeat Timer
- In-Band (L2) Sessions
- OOB (L2) and Multihop (L3) Sessions
- Session Timer / Heartbeat Timer Interaction
- Configure Session Timer (per User Role)
- Configure Heartbeat Timer (User Inactivity Timeout)
- Configure Policies for Agent Temporary and Quarantine Roles
- Configure Clean Access Agent Temporary Role
- Configure Session Timeout for the Temporary Role
- Configure Traffic Control Policies for the Temporary Role
- Configure Network Scanning Quarantine Role
- Create Additional Quarantine Role
- Configure Session Timeout for Quarantine Role
- Configure Traffic Control Policies for the Quarantine Role
- Example Traffic Policies
- Allowing Authentication Server Traffic for Windows Domain Authentication
- Allowing Gaming Ports
- Microsoft Xbox
- Other Game Ports
- Adding Traffic Policies for Default Roles
- Troubleshooting Host-Based Policies
- Clean Access Implementation Overview
- Clean Access Overview
- Clean Access Agent Download
- Clean Access Agent for VPN Users
- Clean Access Agent Process
- Network Scanning Process
- Clean Access Agent
- Cisco Clean Access Updates
- Network Scanner
- Certified List
- Role-Based Configuration
- Clean Access Setup Steps
- General Setup Summary
- User Page Summary
- Manage Certified Devices
- Add Exempt Device
- Clear Certified or Exempt Devices Manually
- View Clean Access Reports for Certified Devices
- View Switch Information for Out-of-Band Certified Devices
- Certified Device Timer
- Add Floating Devices
- Network Scanning
- Overview
- Network Scanning Implementation Steps
- Configure the Quarantine Role
- Load Nessus Plugins into the Clean Access Manager Repository
- Manually Loading Plugins
- Deleting Plugins
- Configure General Setup
- Apply Plugins
- Configure Plugin Options
- Configure Vulnerability Handling
- Test Scanning
- Show Log
- View Scan Reports
- Customize the User Agreement Page
- Clean Access Agent
- Summary
- Configuration Steps for Clean Access Agent
- Add Default Login Page
- Enable Network Access (L3 or L2 Strict)
- Enable L3 Deployment Support
- VPN/L3 Access for Clean Access Agent
- Enable L3 Support
- Disabling L3 Capability
- Enable L2 Strict Mode (Clean Access Agent Only)
- Distribute the Clean Access Agent
- Distribution Page
- Configure Clean Access Agent Auto-Upgrade
- Enable Agent Auto-Upgrade on the CAM
- Disable Agent Auto-Upgrade Notification for Users
- Disable Mandatory Auto-Upgrade on the CAM
- User Experience for Auto-Upgrade
- Uninstalling the Agent
- Agent Setup and Agent Patch (Upgrade) Files
- Loading Agent Installation Files to the CAM
- Auto-Upgrade Compatibility
- Upgrading from 3.5.0 and Below Agents
- Agent Upgrade Through File Distribution Requirement
- Manually Uploading the Agent to the CAM
- Retrieve Updates
- Require Use of the Clean Access Agent
- Configure Network Policy Page (Acceptable Usage Policy) for Agent Users
- Configure the Clean Access Agent Temporary Role
- Create Clean Access Agent Requirements
- Configure AV/AS Definition Update Requirements
- AV Rules and AS Rules
- Verify AV/AS Support Info
- Create AV Rule
- Create AV Definition Update Requirement
- Create AS Rule
- Create AS Definition Update Requirement
- Configure Custom Checks, Rules and Requirements
- Custom Requirements
- Cisco Rules
- Cisco Checks
- Copying Checks and Rules
- Create Custom Check
- Registry Check Types
- File Check Types
- Service Check Type
- Application Check Type
- Create Custom Rule
- Create a Custom Rule
- Validate Rules
- Create Custom Requirement
- Create File Distribution / Link Distribution / Local Check Requirement
- Map Requirement to Rules
- Apply Requirements to Role
- Validate Requirements
- Configure an Optional Requirement
- Access Clean Access Agent Reports
- Limiting the Number of Reports
- Verify Clean Access Agent User Experience
- Troubleshooting the Agent
- Client Cannot Connect/Login
- No Agent Pop-Up/Login Disabled
- Client Cannot Connect (Traffic Policy Related)
- AV/AS Rule Troubleshooting
- Enable Debug Logging on the Clean Access Agent
- Known Issue for Windows Script 5.6
- Known Issue for MS Update Scanning Tool (KB873333)
- Background
- Workaround
- Monitoring
- Overview
- Online Users List
- Interpreting Active Users
- View Online Users
- In-Band Users
- Out-of-Band Users
- View Users by Clean Access Server, Authentication Provider, or Role
- Search by User Name, IP, or MAC Address
- Log Users Off the Network
- Display Settings
- Interpreting Event Logs
- View Logs
- Event Log Example
- Limiting the Number of Logged Events
- Configuring Syslog Logging
- Log Files
- SNMP
- Enable SNMP Polling/Alerts
- Add New Trapsink
- Administration
- Overview
- Network & Failover
- Set System Time
- Manage CAM SSL Certificates
- Web Console Pages for SSL Certificate Management
- Typical Steps for New Installs
- Generate Temporary Certificate
- Export CSR/Private Key/Certificate
- Filenames for Exported Files
- Verify Currently Installed Private Key and Certificates
- Import Signed Certificate
- View Certificate Files Uploaded for Import
- Troubleshooting Certificate Issues
- No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM
- Private Key in Clean Access Server Does Not Match the CA-Signed Certificate
- Regenerating Certificates for DNS Name Instead of IP
- Certificate-Related Files
- System Upgrade
- Licensing
- Support Logs
- Admin Users
- Admin Groups
- Add a Custom Admin Group
- Admin Users
- Login / Logout an Admin User
- Add an Admin User
- Edit an Admin User
- Active Admin User Sessions
- Manage System Passwords
- Change the CAM Web Console Admin Password
- Change the CAS Web Console Admin User Password
- Recovering Root Password for CAM/CAS
- Back Up the Configuration
- Automated Daily Database Backups
- Manual Backups from Web Console
- Create a Manual Backup
- Apply a Configuration from a Downloaded File
- Manual Database Backup from SSH
- Database Recovery Tool
- API Support
- Usage Requirements
- Authentication Requirement
- Guest Access Support
- Summary of Operations
- Examples
- Configuring High Availability
- Overview
- Before Starting
- Upgrading an Existing Failover Pair
- Connect the Clean Access Manager Machines
- Serial Connection
- Set Up the Primary Clean Access Manager
- Configure the Primary Manager for High Availability
- Set Up the Standby Clean Access Manager
- Complete the Configuration
- Device Management: Roaming
- Overview
- Requirements
- How Roaming Works
- Roaming Modes
- Before Starting
- Setting Up Simple Roaming
- Setting Up Advanced Roaming
- Monitoring Roaming Users
- Upgrading to a New Software Release
- Determining the Software Version
- New Installation of Release 3.6(x)
- Migrating/Upgrading from 3.5(x) to 3.6(x)
- Preparing for Upgrade
- OOB Switch Trunk Ports and 3.6(x) Upgrade
- General Procedure for 3.6(2) Migration
- Migration Procedure from 3.5(7)/3.5(8)/3.5(9)/3.5(10) to 3.6(2)
- Download the Upgrade File
- Run the Upgrade File on the CAM and Perform System Backup
- Perform CD Installation
- Copy System Backup File Back to CAM
- Restore System Backup File
- Reboot All Machines
- Upgrade Instructions for 3.6(x) Minor Releases and Patches
- Create CAM DB Backup Snapshot
- Download the Upgrade File
- Upgrade via Web Console
- Upgrade CAS from CAS Management Pages
- Upgrade CAS from CAS Direct Access Web Console
- Upgrade CAM from CAM Web Console
- Upgrading via SSH
- Download the Upgrade File and Copy to CAM/CAS
- Perform SSH Upgrade on the CAM
- Perform SSH Upgrade on the CAS
- Upgrading High Availability Pairs
- Accessing Web Consoles for High Availability
- Determining Active and Standby Clean Access Manager
- Determining Active and Standby Clean Access Server
- Instructions for Upgrading High Availability CAM and CAS
- Error and Event Log Messages
- Client Error Messages
- CAM Event Log Messages

Size: 10 MB; Pages: 410; Language: English