
CANAC - Implementing NAC Appliance (formerly Cisco Clean Access)

Price: Instructor Led $2995 | Virtual Classroom: call for details
Details: This is a 4-day course

Description

In this course, you'll learn how to design and implement a Cisco NAC Appliance solution to suit your network. You will learn basic configuration tasks such as NAM and NAS deployment modes, authentication (including Windows SSO), role-based access control, posture assessment, and remediation.

Is this NAC course right for you?

Cisco Systems offers two solutions for Network Admission Control: NAC Appliance and NAC Framework. If the NAC solution you are planning includes the following elements, then this NAC Appliance course, CANAC v2.1, is right for you:

  • NAC Appliance Manager (NAM)
  • NAC Appliance Server (NAS)
  • Cisco Catalyst Switches using Out-of-Band (OOB) access
  • Cisco VPN Concentrators (without configuring NAC commands)
  • Cisco ASA/PIX Firewalls (without configuring NAC commands)

Highlights

  • Given client network security requirements, explain how a NAC Appliance deployment scenario will meet or exceed those expectations
  • Configure the common elements of a NAC Appliance solution
  • Configure Active Directory Single Sign-On (AD SSO)
  • Configure VPN Single Sign-On using an ASA with the standard IPSec client and the AnyConnect client (SSL)
  • Configure the NAC Appliance in-band and out-of-band implementation options
  • Implement NAM and NAS High Availability to protect against downtime
  • Configure Network Scanning to audit clients and clientless hosts
  • Configure compliance checking using manual and automated settings in version 4.5 code
  • Learn the elements of code signing needed for remediation applications
  • Create custom web page portals based on the location of clients
  • Use Active Directory LDAP Authorization to map AD groups to NAC Appliance Roles
  • Walk through and configure three different network topologies: In-Band, VPN In-Band, and OOB
  • See for yourself the privilege rights needed to install the Cisco NAC Appliance Agent (NAA) and the Stub Installer, and how the two differ
  • Learn to monitor, maintain, and troubleshoot a NAC solution

Audience

Anyone responsible for the design, implementation, or support of a Cisco NAC Appliance installation, and Cisco Channel Partners preparing for CCSP and NAC Specialist certification.

Prerequisites

  • Fundamental knowledge of implementing network security, or CCSP or Cisco Security Qualified Specialist Certification
  • SNRS or working knowledge of digital certificates
  • BSCI or working knowledge of HSRP

Outline

The Cisco NAC Appliance Solution

1. Cisco Self-Defending Networks

  • The Changing Landscape of Security
  • The Cisco Host-Protection Strategy
  • The Cisco SDN Initiative
  • Trust & Identity
  • Cisco NAC Products

2. Cisco NAC Appliance

  • Cisco NAC Appliance Solution
  • Cisco NAC Appliance Features
  • Cisco NAC Appliance Components
  • Compliance Scenarios
  • Deployment Options
  • Configuration Overview
  • User Interface

3. Cisco NAC Appliance Deployment Options

  • Cisco NAC Appliance Out-of-Band (OOB) Deployment
  • Cisco NAC Appliance In-Band Deployment
  • Compare Cisco NAC Appliance Deployment Options
  • Cisco NAS Operating Modes
  • Virtual Gateway vs. Real-IP Gateway
  • Layer 2 vs. Layer 3

4. Configure User Roles

  • What is a User Role?
  • Create User Roles
  • Define Traffic Policies for User Roles
  • Configure Traffic Policies for User Roles
  • Create Local User Accounts

5. Configure External Authentication

  • Configure External Authentication Providers
  • Authenticate Cisco NAC Appliance Users with Kerberos
  • Authenticate Cisco NAC Appliance Users with RADIUS
  • Authenticate Cisco NAC Appliance Users with LDAP
  • Authenticate Cisco NAC Appliance Users with NT Domain
  • Map Users to User Roles
  • Test User Authentication
  • Configure RADIUS Accounting for Users
  • Add Custom RADIUS Attributes

6. Configure DHCP

  • Cisco NAS DHCP Modes
  • Enable the DHCP Module
  • Configure IP Ranges (IP Address Pools)
  • Work with Subnets
  • Reserve IP Addresses
  • Configure User-Specified DHCP Options

NAC Appliance Implementation

7. Implement Cisco NAC Appliance In-Band Deployment

  • In-Band Process Flow
  • In-Band Deployment Configurations
  • Configure the Cisco NAS for In-Band Deployment
  • Add the Cisco NAS to the Managed Domain
  • Configure the Cisco NAS Interfaces
  • Add Managed Subnets
  • Configure Cisco NAS VLAN Settings

8. Implement Windows Active Directory Single Sign-On (AD SSO)

  • Kerberos Ticket Exchange
  • Confirm a NAS Ticket
  • Communications between the NAS and Active Directory
  • AD SSO Configuration Checklist
  • TCP & UDP Ports Required for AD SSO
  • Configure the NAS for AD SSO
  • Install Support Tools for Windows 2000 or 2003 Server
  • Configure the Domain Controller with ktpass.exe

9. Implement Virtual Private Network Single Sign-On (VPN SSO)

  • Configuration Checklist
  • Configure a Traffic Filter
  • Add VPN Authentication Server to NAM
  • Map VPN Users to Roles on NAM
  • Enable VPN SSO on the NAS
  • Add a VPN Device to the NAS
  • Configure RADIUS Accounting
  • Configure the VPN Gateway as a Floating Device
  • Test VPN SSO

10. Implement Cisco NAC Appliance Out-of-Band Deployment

  • OOB Process Flow
  • OOB Deployment Considerations
  • Layer 2 Central & Edge Deployment
  • Layer 3 Virtual Gateway & Real-IP Gateway
  • Layer 2 & 3 Clientless Host Options
  • Differences between Cisco NAC Appliance OOB Setup and In-Band Setup
  • Implement Cisco NAS OOB Operating Modes

11. Manage Switches

  • Implement Switch Management
  • Configure the Network for OOB Deployment
  • Configure Group, Switch, and Port Profiles
  • Configure Port Profiles
  • Add Switches to the Managed Domain
  • Configure SNMP Advanced Settings
  • Configure Switch Ports to Use Port Profiles
  • Manage Switch Configuration Settings

NAC Appliance Implementation Options

12. Implement Cisco NAC Appliance on a Network

  • Implement Cisco NAC Appliance
  • General Setup Tab
  • User Pages
  • Configure Cisco NAA Support
  • Manage Certified Devices
  • Device Exemption
  • View User Reports

13. Implement Network Scanning

  • Configure the Quarantine Role
  • Implement Nessus Plug-Ins
  • Test a Scanning Configuration
  • Customize the User Agreement Page
  • View Scan Reports

14. Configure the NAM to Implement Cisco NAC Appliance Agent on User Devices

  • Configure the Cisco NAM to Implement the Cisco NAC Appliance Agent (NAA)
  • Retrieve Updates
  • Require the Use of the Cisco NAA
  • Configure the Cisco NAA Temporary Role
  • Introduce Checks, Rules, and Requirements
  • Create Checks, Rules, and Requirements
  • Map Requirements to Rules and Roles

15. Configure NAM High Availability (HA)

  • Introduce HA for Cisco NAMs
  • Establish a Serial Connection Between Managers
  • Digital Certificate Requirements
  • Configure the Primary Cisco NAM
  • Configure the Standby Cisco NAM

16. Configure Cisco NAC Appliance Server (NAS) HA

  • Introduce HA for NASs
  • Implementation Considerations
  • Digital Certificate Requirements
  • Configure the Primary and Standby NAS
  • Complete the Standby NAS HA Configuration
  • Test the NAS HA Configuration
  • Configure DHCP Failover

NAC Appliance Monitoring and Administration

17. Monitor a Cisco NAC Appliance Deployment

  • Cisco NAC Appliance Monitoring
  • Monitor Online Users
  • Monitor NAS Health Event Logs
  • Configure Basic SNMP Support
  • Configure Syslog Support

18. Administer Cisco NAM

  • Define the Cisco NAM Administration Module
  • Set Network and Failover Parameters
  • Manage Administration Groups
  • Manage Administration Users
  • Manage User Passwords
  • Administer the System Time
  • Manage SSL Certificates
  • Manage the Cisco NAC Appliance Software
  • Protect Your NAM Configuration

Labs

Lab 1: Remote Lab Familiarization

The purpose of this lab is to introduce you to the Global Knowledge Remote Lab Environment used for this class. You will have access to four Microsoft Windows XP PC desktops, four Windows 2003 Servers, one Windows 2000 Server, an ASA 5520 firewall, a Catalyst 3560 L3 switch, a 2811 IOS router, two NAC Appliance Managers (NAMs), and one NAC Appliance Server (NAS). This lab demonstrates how to access the various pieces of equipment, what features are available on them, and how they are connected in the topology.

  • Log in to the Remote Lab Environment
  • Launch and Log in to the Remote Lab Virtual PCs
  • Set Time Zone on Remote Lab Virtual PCs
  • Log in to and Manage Remote Lab Equipment

Lab 2: Bootstrap Primary NAM & NAS

The purpose of this lab is to introduce you to the Linux command line interface of the NAC Appliance Manager (NAM) and NAC Appliance Server (NAS). In this exercise, you will initialize the Primary NAM and NAS and test basic network connectivity. You will also learn some basic NAM scripts that automate system administration tasks. During this lab, you will get a chance to explore the changes to the directory structure in NAC Appliance version 4.5.

  • Run Setup Scripts on NAM and NAS
  • Log in to the Web Administration Environment
  • View a Common Routing Issue for Hosts on the Same Subnet as the NAS
  • See the Newer Password Enhancements in 4.5 Software Code

Lab 3: Configuring User Roles and Traffic Policies

In this lab, you will configure the roles on the Cisco NAM. Each role has a specific access policy that permits or denies traffic through the NAS, so associating users with roles grants them their access privileges. All users begin in the unauthenticated role, which has the least access to your network. You will have to modify this basic profile's policy to allow the most basic communication to take place through the NAS from the untrusted network to the trusted network, including DNS, LDAP, authentication, and NTP.

  • Configure Default User Web Pages Based Upon Where a User is Coming From
  • Create User Roles on the NAM
  • Create Traffic Policies that Map to Each User Role
  • Configure New Users in the Local Database

Lab 4: Configure NAS In-Band Virtual Gateway

Now you are ready to put your NAS between your untrusted network and your trusted network. Any host that attempts to send a packet through the NAS will cause the NAS to present your previously created Login Page to the user for authorization. Upon successful authentication, the user will download and install the NAA. In this lab, you will be looking only for successful authentication and not for posture validation. That is, you will not perform any other sort of software or compliance check before the user can enter your network.

  • Connect an In-Band NAS to the NAM
  • Configure NAS as Virtual Gateway
  • Configure VLAN Mapping
  • Install the NAA for the First Time and Determine the Rights Needed
  • Install the Stub Installer
  • Use the Web Agent to Scan an Outside User's PC Who Does Not Have Local Admin Rights

Lab 5: Create a High Availability NAM Cluster

The purpose of this lab is to configure NAM High Availability. You will configure a secondary Cisco NAM device to function on the same network as the current primary NAM. A virtual IP will be used to allow communication to the NAM cluster and to obtain high availability for the NAS communication to the NAM pair. You will investigate the time required for failover to complete by shutting down a NAM.

  • Configure the Secondary NAM
  • Confirm Connectivity between Primary & Secondary NAM
  • Export the Private Key and SSL Certificate of the Primary NAM
  • Import the Private Key and SSL Certificate into the Secondary NAM
  • Configure Network and Failover Settings on Primary & Secondary NAM
  • Verify NAM Database Synchronization
  • Test Failover

Lab 6: Configuring Active Directory Single Sign-On (AD SSO)

In this lab, you'll get an introduction to integrating the NAM with Microsoft Active Directory for Single Sign-On (SSO). The process includes configuring Kerberos mappings on the AD Domain Controller, and you will create a policy access list on the NAM to allow authentication traffic through the NAS. This lab is a useful reference for your own network environment, since it covers the majority of a standard NAC Appliance implementation.

  • Add AD SSO Authentication Server
  • Configure Traffic Policies for the Unauthenticated Role
  • Enable the NAS to Use AD SSO
  • Use ktpass.exe to Prepare the Domain Controller
  • Enable and Test Agent-Based AD SSO

Lab 7: Configuring VPN Remote Access

The purpose of this lab is to allow your VPN users to use the NAS for network compliance prior to accessing the corporate network. You will use software version 8.x on the ASA and discuss the enhancements to NAC in this version of software. You will examine the changed VPN topology and the authentication methods used for VPN SSO.

  • Configure the ASA as a Filter Device
  • Configure NAC Appliance to Use an ASA 5520 as a Floating Device
  • Add VPN Authentication Server to the NAM
  • Map VPN Users to Roles for SSO
  • Add a RADIUS Accounting Server to the NAS
  • Map the ASA 5520 to the Accounting Server
  • Configure VLAN Mappings to Allow Internet Access through the NAS
  • Modify IP Filters to Allow Returning Internet Traffic Back Through
  • Test VPN SSO

Lab 8: Configuring NAC VPN SSO

In this lab, you will configure the VPN tunnel groups on the ASA to forward authentication credentials to the RADIUS software running on Security-Srv. Part of the configuration requires you to create additional VPN IP pools and assign them to the Employees and Consultants VPN tunnel groups. You will adjust the NAM attribute mappings so that the VPN works with the user roles. At the end of this lab, you should have a working VPN SSO deployment.

  • Configure the ASA to Communicate with the RADIUS and Accounting Server
  • Adjust Traffic Filters for Additional VPN Address Pools
  • Use Framed-IP-Address Fields in the Accounting Packet to Map VPN Users to NAC Appliance Roles
  • Use Kiwi CatTools to Load ASA Version 8.x Code and the AnyConnect Client Config
  • Test VPN SSO

Lab 9: Configure Switch for Out-of-Band Operation

This lab requires the reconfiguration of the lab topology. VLAN 7 will be used exclusively for user authentication to the network and not for user traffic. Once user authentication is successful, the user's port transitions from VLAN 7 to the VLAN assigned to the Port/Role, and all subsequent traffic no longer traverses the NAS. The lab takes you through a complete reconfiguration of the NAM as well as adding switches and community strings.

  • Delete the In-Band NAS from the NAM
  • Reconfigure the NAS as OOB Virtual Gateway
  • Configure VLAN Mapping
  • Verify Switch SNMP Configuration
  • Configure Group and Switch Profiles
  • Configure the NAM as an SNMP Trap Receiver
  • Add Switches and Configure Ports on the NAM
  • Test Your Configuration

Lab 10: Configuring the NAC Appliance Agent (NAA) for Specific Threats

Up to this point you have verified that your authentication is working through your NAS device. You have transitioned from creating a Layer 2 In-Band Virtual Gateway to a VPN SSO solution and, finally, an Out-of-Band Virtual Gateway. You have been dealing solely with authentication. In this lab, you will turn compliance checking on and explore the checks you can perform with NAC. You will perform basic and advanced compliance checking to verify that your users have installed the required software. If they have not, you will point them to your remediation server to download the fixes.

  • Configure the General Setup for NAA
  • Allow DNS Packets to Your Network in the Temporary Role
  • Create Checks and Rules
  • Create a New Requirement for Users
  • Associate the Requirement to a Role
  • Remediation Types and Appropriate Rights for Each
  • AV Check and File Distribution
  • Local Application Launch
  • Code Signing Requirements
  • Compare Manual and Automatic Remediation
  • Verify the Configuration

Lab 11: Enhanced SSO with LDAP Group Authorization

To keep the lab environment in this class as close as possible to the typical scenarios you will encounter in the real world, in this lab you will enhance SSO for Active Directory by mapping Active Directory groups to roles in the NAC Appliance.

  • Configure an LDAP Lookup Server
  • Configure Authorized Groups in Active Directory
  • Associate the Lookup Server with an Authentication Provider
  • Test the Solution
Location            Date
Santa Clara, CA     11/16-11/19/2010
Atlanta, GA         09/28-10/01/2010
Schaumburg, IL      10/19-10/22/2010
Cary, NC            12/07-12/10/2010
Morristown, NJ      11/30-12/03/2010
New York, NY        12/14-12/17/2010
Irving, TX          11/09-11/12/2010
Arlington, VA       10/26-10/29/2010

Copyright © 2010 MicroTrain Technologies. All rights reserved.