BRKSEC-3040
TRANSCRIPT
© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public BRKSEC-3040 14355_04_2008_c2
Troubleshooting Cisco NAC
BRKSEC-3040
Agenda
NAC Appliance Overview
NAC Appliance Process Flow
NAC General Troubleshooting
NAC OOB Troubleshooting
Single Sign On Troubleshooting
Cisco NAC Appliance Overview
What Is Network Admission Control?
Identity (login prompt: "Please enter username:"): Who is the user? Is s/he authorized? What role does s/he get?
Plus
Device security: Is MS patched? Does A/V or A/S exist? Is it running? Are services on? Do required files exist?
Plus
Network security: Is policy established? Are non-compliant devices quarantined? Is remediation required? Is remediation available?
Using the network to enforce policies ensures that incoming devices are compliant.
Cisco NAC Appliance Components
Cisco Clean Access Manager (CAM): centralizes management for administrators, support personnel, and operators
Cisco Clean Access Server (CAS): serves as the enforcement point for network access control
Cisco Clean Access Agent (CAA): optional lightweight client for device-based registry scans in unmanaged environments
Rule-set Updates: scheduled automatic updates for anti-virus, critical hot-fixes and other applications
Overview
Distributed architecture deployment
CAS is in Bridged (Virtual Gateway) or Routed (Real-IP Gateway) mode
Users are Layer 2 (L2) or Layer 3 (L3) adjacent to CAS.
CAS is In-Band (IB), i.e. inline all the time, or Out-of-Band (OOB); an OOB CAS is inline only during NAC posture assessment and remediation.
NAC Server Foundation: Virtual Gateway and Real IP Gateway
NAC Servers at the most basic level can pass traffic in one of two ways:
Bridged Mode = Virtual Gateway
Routed Mode = Real IP Gateway / NAT Gateway
Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
Gateway mode selection affects the logical traffic path
Does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band
NAC Server Foundation: Virtual Gateway
Direct Bridging: Frame Comes In, Frame Goes Out
VLAN IDs are either passed through untouched or mapped from A to B
DHCP and Client Routes point directly to network devices on the Trusted side
NAC Server is an IP passive bump in the wire, like a transparent firewall
NAC Server Foundation: Real IP/NAT Gateway
NAC Server is routing: packet comes in, packet goes out
VLAN IDs terminate at the Server, no pass-through or mapping
DHCP and Client Routes usually point to the Server for /30
NAC Server is an active IP router, can also NAT outbound packets*
* Be aware of NAT performance limitations
NAC Server Foundation: Edge and Central Deployment
NAC Servers have two physical deployment models:
Edge Deployment
Central Deployment
Any NAC Server can be configured for either method
Deployment mode selection affects the physical traffic path
Does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band
NAC Server Foundation: Edge Deployment
Easiest deployment option to understand
NAC Server is logically inline and physically inline
Supports all Catalyst switches
VLAN IDs are passed straight through when in VGW (diagram: VLAN 10 on both sides of the NAC Server)
Installations with multiple Access Layer closets can become complex
NAC Server Foundation: Central Deployment
Most common deployment option
NAC Server is logically inline, NOT physically inline
Supports Catalyst 6500/4500/3750/3560 (the 3550 is not supported)
VLAN IDs are mapped when in VGW (diagram: VLAN 110 on the untrusted side mapped to VLAN 10 on the trusted side)
Easiest installation
Most scalable in large environments
NAC Server Foundation: Central Deployment
Example Enterprise Central Deployment, Virtual Gateway mode: 3 Access Layer closets, 6 VLANs
500 users per VLAN, 3000 users total
3 VLANs per NAC Server, 500 users each
NAC Server Foundation: Layer 2 Mode and Layer 3 Mode
NAC Servers have two client access deployment models:
Layer 2 Mode
Layer 3 Mode
Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
Deployment mode selection is based on whether the client is Layer 2 adjacent to the NAC Server
NAC Server Foundation: Layer 2 Mode
Client is Layer 2 adjacent to the Server
MAC address is used as a unique identifier
Supports both VGW and Real IP GW
Supports both In Band and Out of Band
Most common deployment model for LANs
NAC Server Foundation: Layer 3 Mode
Client is NOT Layer 2 Adjacent to the NAC Server
IP Address is used as a unique identifier
Supports both VGW and Real IP GW
Supports InBand Mode
Needed for WAN and VPN deployments
NAC Server Foundation: In Band and Out of Band
NAC Servers have two traffic flow deployment models:
In Band
Out of Band
Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
Selection is based on whether the customer wants to remove the NAC Server from the data path
NAC Server is ALWAYS inline during Posture Assessment
NAC Appliance Process Flow and General Troubleshooting
Finding Where the Problem Is…
Don't know where to start? Work through these steps:
Know the type of deployment: Virtual Gateway/Real-IP, In-Band/Out-of-Band, Layer 2/Layer 3
Understand the process flow, e.g. when does the user get an IP? When does the agent pop up?
Identify expected behavior, e.g. should the client get an IP in the Access or Auth VLAN?
Determine the deviation: list your problems, e.g. user not redirected to the CAS login page
Isolate the problem: use logs/debugs/tools to narrow down the issue
NAC Appliance Overview: Process Flow
Components in the diagram: end user, NAC Appliance Server, NAC Appliance Manager, Authentication Server, and the Intranet/Network (THE GOAL)
1. End user attempts to access a Web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.
2. User is redirected to a login page. NAC Appliance validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Quarantine Role: device is noncompliant or login is incorrect. User is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean": machine gets on the "certified devices list" and is granted access to the network.
Process Flow: Protocol Exchange (User Machine, Server, Manager)
Exchanges drawn on the slide, in the order shown:
DHCP Request
Open Web browser (if no agent)
URL Redirect to Weblogin
Connect via TCP (443)
Download Clean Access Agent: agent download (80)
UDP Discover (8905, 8906)
Download Policy to Agent: agent checks and rules, XML (443)
Agent Performs Posture Assessment
User Login (443)
Report (443)
Server to Manager: Pre-connect (1099), Connect request (1099), Connect response (8995, 8996)
Server Performs Access Enforcement
Certified and Logged On
Checklist
Can you add CAS to the CAM?
Does user have an IP address?
Is user being redirected to login page?
Does the Clean Access Agent pop up?
Is Authentication/Login successful?
Does user pass/fail posture checks?
Can user access network resources?
Cannot Add CAS to CAM
Q: "Can CAM and CAS ping each other?" Check the interfaces on the CAM, the CAS (eth0) and the switch(es).
Is the shared secret between Manager and Server correct? Verify the matching hash (cat /root/.secret) on CAM and CAS
Check "Monitoring >> Event Logs" for errors
Licensing issue: typically means a server license file has not been loaded
Connectivity issue: is there a firewall between CAM and CAS? Ensure TCP ports 443, 80, 1099 (to the CAS) and 443, 80, 8995, 8996 (to the CAM) are allowed at minimum
End User Not Getting an IP Address
Q: "Is the CAS the DHCP server (Real-IP Gateway)?" Check /var/log/dhcplog for the DHCP handshake
Is IP allocation based on the incoming (Auth) VLAN? The CAS reads the 802.1q tag for the Auth VLAN to dispense an IP address
Check the switch port for the CAS Untrusted interface (eth1) and ensure that the Auth VLAN is being tagged (not carried as the native VLAN)
End User Not Getting an IP Address
Q: "Is the DHCP server beyond the CAS (Virtual Gateway)?" Is the DHCP VLAN (Access VLAN) trunked to the switch port for the CAS Trusted interface (eth0)?
Is VLAN mapping enabled and configured right?
End User Not Getting an IP Address (ARP Table)
The CAS maintains its own ARP/routing tables; the standard Linux ARP tables do NOT apply here
An ARP entry confirms whether the traffic is hitting the Untrusted interface of the CAS or not
ARP table: /proc/click/intern_arpq/table (Untrusted)
Users Not Redirected to Web Login Page
Q: "Does browsing to the IP address of the CAM work?" Check the client DNS settings. Can the client resolve DNS?
Isolate the problem: connect a PC to a port on the core switch where the CAS is connected, to check redirection
Is there an SVI for the Auth VLAN? The Auth VLAN must be a Layer 2 only VLAN on all switches
Prune the Auth VLAN from all other links except the CAS Untrusted interface
Users Not Redirected to Web Login Page: L2 Client Mode
Q: "Only browsing to the IP/name of the CAS works?" Ensure Managed Subnets are configured correctly
For L2 subnets: "Managed subnets are configured with an unused IP from the Trusted subnet, but the VLAN ID from the Auth VLAN"
Users Not Redirected to Web Login Page: L3 Client Mode
Q: "Only browsing to the IP/name of the CAS works? (L3 mode)" Ensure Static Routes are configured correctly
The static route will be for the user subnet, pointing to the next hop on the Untrusted interface
Note: the unauthenticated role must block the user's traffic for the redirect to happen
Agent Does Not Pop Up
Q: "Is the agent able to communicate with the CAS?"
The agent sends "discovery packets" (small UDP packets) every 5 seconds to detect a CAS
The agent first sends an L2 discovery packet to the default gateway on UDP 8905, hoping for an L2 CAS to respond
The CAS responds when it sees any discovery packet passing "THROUGH" it; the response from the CAS makes the agent pop up
Failing an L2 response from a CAS, the agent sends an L3 discovery packet to the "Discovery Host" on UDP 8906
Agent Does Not Pop Up
The "Discovery Host" is a configurable IP/hostname that the agent reads from the following registry key on the client PC:
HKCU\Software\Cisco\Clean Access Agent\ServerUrl
The registry key and value are configured during agent install, based on the setting on the CAM
It is an IP/name that is routable "through" the CAS; the response from the CAS makes the agent pop up
Agent Does Not Pop Up
For L2 deployments, check Web redirection first
Web redirection works, but the Agent doesn't pop up? Check whether the agent is sending UDP 8905 packets to the default gateway
Personal firewall blocking the discovery packets?
For L3 deployments, check the Discovery Host value on the client machine:
Is the Discovery Host value present in the registry key?
If the Discovery Host is a name, can it be resolved in DNS?
Is it routable through the CAS from the client machine?
For OOB deployments, confirm that the port is on the Auth VLAN: the CAS will only be reachable on the Auth VLAN
Login/Authentication Fails
Q: "Does the Auth Test from the CAM succeed?"
Authentication/posture is carried over SSL: the agent/browser posts credentials to the CAS, and the CAS posts to the CAM, again over SSL
Except for Single Sign-On, all backend authentications are performed by the CAM
Login/Authentication Unsuccessful
Q: "For name-based certificates, can DNS resolve the name?"
HA certificates are based on the virtual IP/hostname
Sync time on CAM/CAS to NTP (the tolerated clock difference is 5 minutes)
Regenerate certificates and reboot
Check /perfigo/logs/perfigo-redirect-log0.log.0 on the CAS
Login/Authentication Unsuccessful
Example: /perfigo/logs/perfigo-redirect-log0.log.0 on the CAS (screenshot callouts on the three error messages shown)
Callout 1: indicates a connectivity issue between CAM and CAS
Callout 2: indicates the times on CAM/CAS are not in sync
Callout 3: the CAS is posting to the wrong IP. Was the CAM certificate generated with the wrong IP?
Login/Authentication Unsuccessful
The error in the screenshot indicates that the CAS does not trust the CAM's certificate
Typically seen when the CAM has a CA-signed certificate
Import the CAM's CA root certificate into the CAS as "Trust a non-standard CA" and restart the CAS
User Not Being Postured Correctly
Check the Online Users list for the user's role
Is role mapping configured right?
Cannot Access Network After Login (IB)
Q- "Have you allowed access to the network under Traffic Control in the final role?"
Real-IP Gateway? The CAS does not advertise routes; add static routes on the next-hop router for the Managed subnets
NAC Appliance Troubleshooting: Out-of-Band (OOB)
Out-of-Band Process Flow
Topology in the diagram: the user port is in VLAN 10 (Access) or VLAN 110 (Auth); the access switch uplink is a dot1q trunk carrying VLANs 10 and 110; the CAS Untrusted interface sees VLAN 110 and its Trusted interface carries VLANs 10 and 30, with VLAN mapping v110 -> v10. SVIs on the core switch: v10 10.10.0.1, v900 10.90.0.1, v30 10.30.0.1; the management hosts in the diagram are 10.90.0.2 on VLAN 900 and 10.30.0.2 on VLAN 30. The DHCP server holds the VLAN 10 scope 10.10.0.5 - 10.10.0.254.
1. PC is attached to the network
2. Switch sends the MAC address via SNMP to the CAM
3. CAM verifies whether the PC is 'Certified'. If the PC is not certified, the CAM instructs the switch to assign the port to the Authentication VLAN (v110). The PC gets a DHCP address in the VLAN 10 subnet (IP 10.10.0.10, DG 10.10.0.1) because DHCP/DNS traffic passes through the CAS using VLAN mapping
4. All traffic from the PC flows to the CAS; the CAS enforces network access restrictions
5. PC goes through Authentication, Posture Assessment and Remediation
6. CAS informs the CAM that the PC is 'Certified'
7. CAM instructs the switch to assign the port to the 'Access' VLAN (v10), based on port mapping or user role assignment
8. PC is allowed access to the network
Port Not Being Moved to Auth VLAN?
Check the SNMP settings on the client switch. Ensure that MAC notifications are enabled and that the CAM is configured to receive the MAC-notification traps
Confirm that you can ping the CAM from the switch and vice versa
Add the "snmp-server trap-source <interface>" command to ensure that traps are sourced from the correct IP
Port Not Being Moved to Auth VLAN? Ensure the SNMP settings on the CAM and the switch match
Port Not Being Moved to Auth VLAN?
Check whether the user is already present in the Certified Devices list and the Online Users list
The CAM will change the user port's VLAN to the Access VLAN if the user is already on the Certified Devices list AND the Online Users list
Port Not Being Moved to Auth VLAN?
If the user is already present in the Certified Devices list but NOT in the Online Users list:
Check the Port Profile options and confirm which VLAN is selected for this scenario
The CAM will change the user port to the Access VLAN if the port profile option is set to the Access VLAN
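The three "Port Not Being Moved to Auth VLAN?" slides describe two things worth checking by hand: what the switch actually sent in its MAC-notification trap, and what the CAM should have decided from it. The following is an added example, not Cisco code. It assumes the cmnHistMacChangedMsg varbind of CISCO-MAC-NOTIFICATION-MIB is a run of 11-byte entries (operation 1 byte, VLAN 2 bytes, MAC 6 bytes, dot1dBasePort 2 bytes); the sample payload, the Certified Devices and Online Users sets, and the VLAN numbers are constructed here.

```python
"""Decode a Catalyst MAC-notification trap payload and apply the CAM's
Out-of-Band port decision described on the slides above.

Added example, not Cisco code. Assumption: cmnHistMacChangedMsg is a run of
11-byte entries (operation 1 byte, VLAN 2 bytes, MAC 6 bytes, dot1dBasePort
2 bytes). The sample payload and the certified/online sets are constructed.
"""
import struct
from dataclasses import dataclass

MAC_LEARNT, MAC_REMOVED = 1, 2          # operation values in each entry


@dataclass(frozen=True)
class MacEvent:
    operation: int
    vlan: int
    mac: str        # lower-case, colon separated
    port: int       # dot1dBasePort index on the switch


def decode_mac_changed_msg(payload):
    """Split the trap varbind into MacEvent records; reject odd-sized payloads."""
    if not payload or len(payload) % 11:
        raise ValueError("cmnHistMacChangedMsg must be a multiple of 11 bytes")
    events = []
    for off in range(0, len(payload), 11):
        op, vlan, mac, port = struct.unpack("!BH6sH", payload[off:off + 11])
        if op not in (MAC_LEARNT, MAC_REMOVED):
            raise ValueError(f"unknown operation {op} at offset {off}")
        events.append(MacEvent(op, vlan, ":".join(f"{b:02x}" for b in mac), port))
    return events


def decide_port_vlan(event, auth_vlan, access_vlan, certified, online,
                     certified_not_online="auth"):
    """VLAN the CAM puts the port in for one learnt MAC, per the slides:
    certified AND online -> Access VLAN; certified but not online -> whatever
    the Port Profile option says ("auth" or "access"); otherwise -> Auth VLAN.
    Returns None for MAC-removed events, which do not move the port."""
    if event.operation != MAC_LEARNT:
        return None
    mac = event.mac.lower()
    if mac in certified and mac in online:
        return access_vlan
    if mac in certified:
        return access_vlan if certified_not_online == "access" else auth_vlan
    return auth_vlan


def plan_port_moves(payload, auth_vlan, access_vlan, certified, online,
                    certified_not_online="auth"):
    """Return {port: vlan} for every learnt MAC carried in one trap."""
    moves = {}
    for ev in decode_mac_changed_msg(payload):
        vlan = decide_port_vlan(ev, auth_vlan, access_vlan, certified, online,
                                certified_not_online)
        if vlan is not None:
            moves[ev.port] = vlan
    return moves


# --- constructed sample: two MACs learnt on VLAN 10, one MAC removed ---
SAMPLE_PAYLOAD = (
    struct.pack("!BH6sH", MAC_LEARNT, 10, bytes.fromhex("001122334455"), 3)
    + struct.pack("!BH6sH", MAC_LEARNT, 10, bytes.fromhex("00aabbccddee"), 4)
    + struct.pack("!BH6sH", MAC_REMOVED, 10, bytes.fromhex("00deadbeef00"), 5)
)
CERTIFIED = {"00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"}   # Certified Devices list
ONLINE = {"00:11:22:33:44:55"}                            # Online Users list
AUTH_VLAN, ACCESS_VLAN = 110, 10

if __name__ == "__main__":
    for ev in decode_mac_changed_msg(SAMPLE_PAYLOAD):
        print(ev, "->", decide_port_vlan(ev, AUTH_VLAN, ACCESS_VLAN, CERTIFIED, ONLINE))
```

Feed it the octet-string value from a "debug snmp packets" capture on a lab switch (or from a CAM support log) and compare the result with the VLAN the port actually landed in: a mismatch on a MAC that is certified but not online points straight at the Port Profile option on the second slide.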
Switch Debugs and CAM Logs Are Handy
"debug snmp headers" and "debug snmp packets" can be used on test/lab switches
Do not use these on production switches
Switch Debugs and CAM Logs Are Handy
Go to Administration >> CCA Manager >> Support Logs
Set the logging level to "All" as shown
Download the support logs and look at /perfigo/logs/perfigo-log0.log.0
NAC Appliance Wireless/VPN Single Sign On
Role of RADIUS Accounting
The CAS acts as a RADIUS Accounting server for the ASA/WLC
Authentication is independent of Accounting; e.g. the ASA could authenticate VPN users against LDAP, but still account using RADIUS
The CAS trusts the authentication performed by the other network device (WLC, ASA etc.) and uses the Accounting packet from it for SSO
Wireless Single Sign On (SSO) Process
WLC performs dot1x/LDAP based authentication
WLC sends RADIUS Accounting to the CAS
VPN SSO Process
User logs in using the IPsec or SSL VPN client
VPN server sends a RADIUS Accounting packet to the CAS
CAS performs SSO for that user based on the Accounting packet
CAS can optionally be configured to forward that Accounting packet to another RADIUS server
Is the CAS Receiving Accounting Packets?
Go to CCA Servers >> Manage (CAS IP) >> Authentication >> VPN Auth >> Active Clients and click "Show All"
A START packet adds an entry, a STOP packet removes it
The user is not added to the Online Users list until the CAS sees traffic from the actual user IP
Entry not seen here? The format of the RADIUS packet is important
Packet Format
The RADIUS Accounting packet must contain the following minimum fields to be added to the Active List on the CAS:
User-Name
Acct-Status-Type, which must be START; Interim/Update packets will not be added to the Active List
Framed-IP-Address OR Calling-Station-Id, checked in that order: Framed-IP-Address is considered first; if it is not present, Calling-Station-Id is considered
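The Packet Format rules above, turned into code so a VPN or WLC accounting packet can be checked offline before blaming the CAS: this is an added example, not Cisco code. It parses a RADIUS Accounting-Request (RFC 2866), verifies the Request Authenticator against the shared secret, and returns the Active List entry the rules would produce. The shared secret, identifiers and sample attribute values are constructed; the attribute set mirrors the packet shown in the CAS support log a few slides on. The authenticator check is the caveat worth keeping: an accounting START is all it takes to sign a user on, so a CAS that accepted packets from any source with any secret would let anyone who can reach UDP 1813 log in as anyone.

```python
"""Parse a RADIUS Accounting-Request and apply the CAS Active List rules.

Added example, not Cisco code. The shared secret, identifiers and sample
attribute values are constructed; the attribute set mirrors the packet
shown in the CAS support log later in this section.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                       # RADIUS packet code (RFC 2866)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS = 6, 7, 8
CALLED_STATION_ID, CALLING_STATION_ID, ACCT_STATUS_TYPE = 30, 31, 40
NAS_PORT_TYPE = 61
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3


def build_accounting_request(secret, identifier, attrs):
    """Encode attrs [(type, bytes), ...] with the Request Authenticator of
    RFC 2866 section 3: MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, packet[4:20], attrs


def authenticator_valid(packet, secret):
    """Reject packets not built with our shared secret: anyone who can reach the
    accounting port could otherwise inject a START and sign a user on via SSO."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def active_list_entry(packet, secret):
    """Apply the slide's rules. Returns (user, ip) if the packet would create an
    Active Clients entry on the CAS, otherwise None."""
    if len(packet) < 20 or not authenticator_valid(packet, secret):
        return None
    code, _, _, attrs = parse_radius(packet)
    if code != ACCOUNTING_REQUEST:
        return None
    first = {}
    for atype, value in attrs:
        first.setdefault(atype, value)          # first occurrence of each attribute wins
    status = first.get(ACCT_STATUS_TYPE)
    if status is None or len(status) != 4 or struct.unpack("!I", status)[0] != ACCT_START:
        return None                             # only START adds an entry (STOP removes one)
    user = first.get(USER_NAME)
    if not user:
        return None
    if len(first.get(FRAMED_IP_ADDRESS, b"")) == 4:
        ip = str(ipaddress.IPv4Address(first[FRAMED_IP_ADDRESS]))
    elif CALLING_STATION_ID in first:
        ip = first[CALLING_STATION_ID].decode("ascii", "replace")
    else:
        return None
    return user.decode("utf-8", "replace"), ip


# --- constructed sample packets (not captured traffic) ---
SECRET = b"nac-acct-secret"
_BASE = [
    (USER_NAME, b"jdoe"),
    (NAS_PORT, struct.pack("!I", 131072)),
    (SERVICE_TYPE, struct.pack("!I", 2)),                # Framed
    (FRAMED_PROTOCOL, struct.pack("!I", 1)),             # PPP
    (CALLED_STATION_ID, b"12.6.247.4"),
    (CALLING_STATION_ID, b"157.130.22.122"),
    (NAS_PORT_TYPE, struct.pack("!I", 5)),               # Virtual
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.20.20.3").packed),
]
_FRAMED = (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.50.50.1").packed)
_start, _interim = struct.pack("!I", ACCT_START), struct.pack("!I", ACCT_INTERIM_UPDATE)
SAMPLE_START = build_accounting_request(SECRET, 7, _BASE + [_FRAMED, (ACCT_STATUS_TYPE, _start)])
SAMPLE_INTERIM = build_accounting_request(SECRET, 8, _BASE + [_FRAMED, (ACCT_STATUS_TYPE, _interim)])
SAMPLE_NO_FRAMED_IP = build_accounting_request(SECRET, 9, _BASE + [(ACCT_STATUS_TYPE, _start)])

if __name__ == "__main__":
    for name, pkt in [("start", SAMPLE_START), ("interim", SAMPLE_INTERIM),
                      ("no-framed-ip", SAMPLE_NO_FRAMED_IP)]:
        print(name, active_list_entry(pkt, SECRET))
```

To use it on a real packet, copy the UDP payload of the accounting request from a capture taken on the CAS untrusted side and call active_list_entry(payload, shared_secret): None with a correct secret means the packet fails one of the slide's rules; None only with the configured secret means the ASA or WLC is using a different one.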
View RADIUS Accounting Logs on the CAS
Log in to the CAS directly by pointing your browser to https://<CAS-IP-address>/admin
Navigate to Monitoring >> Support Logs
Set the level of logging for "Radius Accounting Proxy Server Logging" to "ALL"
To see RADIUS packet details, you will also need to set "CAM/CAS communication logging" to "ALL"
View Support Logs
To view support logs in real time, tail the following file: /perfigo/logs/perfigo-redirect-log0.log.0
Alternatively, you can download the support logs from Monitoring >> Support Logs
Example accounting request as logged on the CAS:
Apr 25, 2007 4:58:54 PM com.perfigo.wlan.radius.RadiusAccServer processPacket
FINEST: Received radius packet? from /10.20.20.3:1026
Apr 25, 2007 4:58:54 PM com.perfigo.wlan.jmx.admin.VPNUserManager$VPNAccHandle accounting
<------------------------------------------- DETAIL LOGGING ENABLED --------------------------------------------------
FINEST: Received accounting request from /10.20.20.3:
User-Name (1), Length: 8, Data: [jdoe], 0x68616D696E68
NAS-Port (5), Length: 6, Data: [# 131072], 0x00020000
Service-Type (6), Length: 6, Data: [# 2 (Framed)], 0x00000002
Framed-Protocol (7), Length: 6, Data: [# 1 (PPP)], 0x00000001
Framed-IP-Address (8), Length: 6, Data: [# 2887306241] / [IP 10.50.50.1], 0xAC18CC01
Called-Station-Id (30), Length: 12, Data: [12.6.247.4], 0x31322E362E3234372E34
Calling-Station-Id (31), Length: 16, Data: [157.130.22.122], 0x3135372E3133302E32322E313232
Acct-Status-Type (40), Length: 6, Data: [# 1 (Start)], 0x00000001
Acct-Input-Packets (47), Length: 6, Data: [# 33], 0x00000021
Acct-Output-Packets (48), Length: 6, Data: [# 270], 0x0000010E
NAS-Port-Type (61), Length: 6, Data: [# 5 (Virtual)], 0x00000005
NAS-IP-Address (4), Length: 6, Data: [# 184436253] / [IP 10.20.20.3], 0x0AFE461D
NAC Appliance Windows Single Sign On
Windows Single Sign On Process
Phase 1: CAS to DC communication. In this phase the CAS authenticates itself to the domain; once authenticated, the CAS starts the SSO service to serve clients
Phase 2: Client (Agent) to CAS communication. This phase happens AFTER the service on the CAS is started; the CAS asks the client (Agent) for a Kerberos service ticket for the SSO service in order to perform SSO
Phase 1: CAS to DC Communication
KTPASS is executed for the service account on the DC
The CAS authenticates itself to the DC first to enable the service
The DC responds with an AS-REP upon successful authentication
Phase 2: Client (Agent) to CAS Communication
The CAS instructs the Agent to get a Service Ticket (ST) for the SSO service
The Agent gets the ST from the DC and gives it to the CAS
The CAS performs SSO
Ensure Basics Are Covered!!
Windows SSO applies only to an Active Directory environment
The Clean Access Agent is mandatory for Windows SSO
Requires Clean Access Agent 4.0.0.0 or above
CAM/CAS need to be running 4.0.0 or above as well
The Domain Controller must be running Win2K + SP4, Win2K3 + SP1 or Win2K3 R2
Confirm that domain login is complete and working without NAC before testing Windows SSO
Identify the Phase
Isolating the problem is half the battle!!!
The first step is to identify whether your problem falls under Phase 1 (CAS to DC communication) or Phase 2 (Client to CAS communication)
Question to ask: is the service on the CAS started?
No: focus on CAS-DC authentication problems
Yes: focus on the client side; client communication with the DC and with the CAS are what matter here
Let's take a look at troubleshooting some of the common Phase 1 and Phase 2 issues!!
Cannot Start Service on CAS (Phase 1)
When you try to enable the AD SSO service on the CAS and it fails:
Log in to the CAS at https://<CAS-IP-address>/admin
From Monitoring >> Support Logs, set the logging level for "AD Communication Logging" to "INFO"
tail -f /perfigo/logs/perfigo-redirect-log0.log.0 on the CAS
Cannot Start Service on CAS (Phase 1)
Under CCA Servers >> Manage (CAS IP) >> Misc >> Time, ensure the time on the CAS is synchronized with the DC
Point the CAS to a time server running NTP; alternatively, you can point the CAS to the DC itself (lab setups) as the time server
May 2, 2007 5:59:13 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/[email protected]]
SEVERE: startServer - SSO Service authentication failed. Clock skew too great (37)
Typically means that the CAS/DC times are not synchronized
Cannot Start Service on CAS (Phase 1)
Verify that the account (ccasso) for the CAS exists on the DC
Ensure that the correct account name has been defined on the CAS
May 2, 2007 5:57:31 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/[email protected]]
May 2, 2007 5:57:31 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Client not found in Kerberos database (6)
Typically means that the username is wrong or does not exist in AD
Cannot Start Service on CAS (Phase 1)
May 2, 2007 5:59:13 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/[email protected]]
May 2, 2007 5:59:13 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Pre-authentication information was invalid (24)
This is a generic error and it usually means one of these:
The KTPASS command on the DC was not run with the correct parameters
The Active Directory Server (FQDN) info on the CAS is incorrect
The account password for the CAS is incorrect
Cannot Start Service on CAS (Phase 1)
ktpass -princ ccasso/[email protected] -mapuser ccasso -pass Cisco123 -out c:\test.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
Note that the account password appears in clear text on the command line and the keytab written by -out contains the account key; treat that file as a secret. +DesOnly restricts the account to DES keys, which this NAC release requires; newer Windows versions disable DES by default.
Screenshot callouts: the User Account Properties of the ccasso account on the DC, and Control Panel -> System showing the domain name; the domain name used as the realm in -princ must be converted to capitals
Cannot Start Service on CAS (Phase 1)
(Screenshot: Control Panel -> System. Note on slide: CONVERT TO CAPITALS)
** KTPass.exe version known to work correctly is 5.2.3790.0
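Most Phase 1 failures with code 24 come down to the ktpass command line, and the slide's own copy shows how easily a space or a dash gets lost when the command is pasted. As an added example (not from the presentation or from Cisco), this Python check parses a ktpass command line and reports deviations from the shape of the known-good command above: realm not in capitals, missing -mapuser, -ptype other than KRB5_NT_PRINCIPAL, +DesOnly not set, missing -pass or -out, and stray tokens such as "-mapuserccasso". The host and realm in KNOWN_GOOD_CMD are placeholders; the password is the value shown on the slide; the requirement that -mapuser equal the service part of -princ is an assumption taken from the slide's example, where both are ccasso.

```python
import re
from typing import Dict, List

# Subset of ktpass options the check understands: '-name value' options and
# '+flag'/'-flag' toggles (the slide's command uses +DesOnly).
VALUE_OPTIONS = {"princ", "mapuser", "pass", "out", "ptype", "crypto", "kvno", "target", "mapop", "in"}
TOGGLE_OPTIONS = {"desonly", "setupn", "setpass", "rndpass"}

# Kerberos principal as ktpass expects it: service/host@REALM
PRINC_RE = re.compile(r"^(?P<service>[^/@\s]+)/(?P<host>[^/@\s]+)@(?P<realm>[^/@\s]+)$")


def parse_ktpass(cmdline: str) -> Dict[str, str]:
    """Split a ktpass command line into an option -> value map.

    Toggles map to '+' or '-'; tokens that belong to no option are collected
    under '_unparsed' so the check can point at them. The en dash that word
    processors substitute for '-' (visible on the original slide) is folded
    back to a hyphen first. Assumes no quoted arguments containing spaces.
    """
    tokens = cmdline.replace("\u2013", "-").split()
    if tokens and tokens[0].lower() in ("ktpass", "ktpass.exe"):
        tokens = tokens[1:]
    opts: Dict[str, str] = {}
    unparsed: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        key = tok[1:].lower()
        if tok[0] in "+-" and key in TOGGLE_OPTIONS:
            opts[key] = tok[0]
            i += 1
        elif tok[0] in "-/" and key in VALUE_OPTIONS:
            # the value is the next token unless that token is itself an option
            if i + 1 < len(tokens) and tokens[i + 1][0] not in "+-/":
                opts[key] = tokens[i + 1]
                i += 2
            else:
                opts[key] = ""
                i += 1
        else:
            unparsed.append(tok)
            i += 1
    if unparsed:
        opts["_unparsed"] = " ".join(unparsed)
    return opts


def check_ktpass(cmdline: str) -> List[str]:
    """Return the problems found in a ktpass command line; an empty list means
    it matches the shape of the known-good command on the slide."""
    opts = parse_ktpass(cmdline)
    issues: List[str] = []
    service = None
    princ = opts.get("princ")
    if not princ:
        issues.append("missing -princ service/host@REALM")
    else:
        m = PRINC_RE.match(princ)
        if not m:
            issues.append(f"-princ {princ!r} is not of the form service/host@REALM")
        else:
            service = m.group("service")
            realm = m.group("realm")
            if realm != realm.upper():
                issues.append(f"realm {realm!r} must be in capitals")
    mapuser = opts.get("mapuser")
    if not mapuser:
        issues.append("missing -mapuser <AD account for the CAS>")
    elif service and mapuser.lower() != service.lower():
        # Assumption from the slide's example, where the AD account and the
        # service part of the principal are both 'ccasso'.
        issues.append(f"-mapuser {mapuser!r} does not match the service part {service!r} of -princ")
    if opts.get("ptype") != "KRB5_NT_PRINCIPAL":
        issues.append("-ptype should be KRB5_NT_PRINCIPAL")
    if opts.get("desonly") != "+":
        issues.append("+DesOnly is not set (the known-good command sets it)")
    if not opts.get("pass"):
        issues.append("missing -pass; it must equal the account password configured on the CAS")
    if not opts.get("out"):
        issues.append("missing -out <keytab file>")
    if "_unparsed" in opts:
        issues.append(f"unrecognised tokens (missing space?): {opts['_unparsed']}")
    return issues


# The slide's command with placeholder host and realm (constructed values).
KNOWN_GOOD_CMD = (
    "ktpass -princ ccasso/cas.example.local@EXAMPLE.LOCAL -mapuser ccasso "
    r"-pass Cisco123 -out c:\test.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly"
)

if __name__ == "__main__":
    for cmd in (KNOWN_GOOD_CMD, KNOWN_GOOD_CMD.replace("@EXAMPLE.LOCAL", "@example.local")):
        print(cmd)
        print("  " + ("; ".join(check_ktpass(cmd)) or "OK"))
```

The check is deliberately static: it validates the command before it is run on the DC, it does not touch Active Directory, and it cannot tell whether the -pass value actually matches what was typed into the CAS; that remains a manual comparison.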
Service Starts, but SSO Fails (Phase 2)
Focus on client communication with DC and CAS
Confirm that ports are open to the appropriate DCs in the Unauthenticated Role
For testing, open complete access to DCs. Once you get SSO working you can tie it down to specific ports
Service Starts, but SSO Fails (Phase 2)
Disable the Lookup Server and test. Lookup servers are for role mapping and are independent of SSO
Ensure that the client is logged into the domain and not the local PC
net time /set can confirm the client PC's communication with the DC
Service Starts, but SSO Fails (Phase 2)
Use Kerbtray to check if client PC has Service Ticket for CAS
Kerbtray is a free tool available through Microsoft Support tools
Get agent logs, Get CAS logs and work with TAC
How to collect agent logs:
http://www.cisco.com/en/US/products/ps6128/prod_release_note09186a00807bb9f3.html#wp113880
NAC Appliance Common Issues
Common Issues
Connecting CAS to my core switch brings the network down
In a Virtual Gateway Central deployment, configure VLAN mapping before connecting the untrusted interface (eth1) to the switch (no longer an issue with the VLAN pruning option, which is enabled on the CAS by default)
CAM cannot get updates
Ensure the CAM can resolve DNS. Make sure the CAM can reach http://www.perfigo.com on port 80. From the CAM CLI:
curl http://www.perfigo.com/clean_machine_1/version-se.txt
Agent login keeps looping
Ensure managed subnets are configured correctly. Confirm the port gets moved to the Access VLAN after authentication
UI Errors
Check Certificate on the CAS and CAM
If using FQDN, make sure DNS can resolve it
Regenerate certs and reload CAM/CAS
Typically a network issue.
Seen because the Agent does not see the CAS response
Check network connectivity
UI Errors
Check SNMP settings on the switch
Make sure the switch is sending MAC notifications to the CAM IP
Ensure that the community string for MAC notification is correct on both the CAM and the switch
Means the CAM has not received a MAC notification for this MAC address
UI Errors
This is a browser issue
"Check for server certificate revocation" checkbox in IE
Details on this error are available in the Release Notes
User page is not configured
Go to Administration >> User Pages and add a new login page
Finding Where the Problem Is…
I know the type of deployment: Virtual Gateway/Real-IP, In-Band/Out-of-Band, Layer 2/Layer 3
I understand the process flow, e.g. When does the user get an IP? When does the agent pop up? Where is the DHCP server located?
I'll ensure the basics are covered, e.g.
1) Ensure manual login is working before configuring VPN/Wireless SSO or AD SSO
2) In OOB, the VLAN is changing correctly after manual login
I know where to start!
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.