Cisco NAC Profiler Architecture Overview

Similar documents
Using the Cisco NAC Profiler Endpoint Console

Configuring High Availability (HA)

Failover for High Availability in the Public Cloud

Identity Firewall. About the Identity Firewall

Configuring Client Posture Policies

ForeScout CounterACT. Configuration Guide. Version 1.2

NetScaler for Apps and Desktops CNS-222; 5 Days; Instructor-led

ForeScout CounterACT Resiliency Solutions

Cisco ISE Ports Reference

Forescout. Configuration Guide. Version 3.5

Symbols. Numerics I N D E X

Configuring the Cisco APIC-EM Settings

SD-WAN Deployment Guide (CVD)

Avaya ExpertNet Lite Assessment Tool

Configuring Port Channels

Host Identity Sources

Cisco Wide Area Application Services: Secure, Scalable, and Simple Central Management

Wireless NAC Appliance Integration

Enterprise Manager/Appliance Communication

NAC: LDAP Integration with ACS Configuration Example

Overview of IPM. What Is IPM? CHAPTER

Barracuda Link Balancer

TriScale Clustering Tech Note

Load Balancing Bloxx Web Filter. Deployment Guide v Copyright Loadbalancer.org

Configuring Port Channels

Cisco NAC Profiler UI User Administration

BIG-IP TMOS : Implementations. Version

Cisco BioMed NAC Solution for Healthcare: Flexible, Cost-Effective Provisioning for Identified Networked Biomedical Devices

Cisco ISR G2 Management Overview

Cisco ISE Ports Reference

F5 DDoS Hybrid Defender : Setup. Version

CNS-222EA - EARLY ACCESS: NETSCALER FOR APPS AND DESKTOPS

Using ANM With Virtual Data Centers

Branch Repeater :51:35 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

CounterACT 7.0. Quick Installation Guide for a Single Virtual CounterACT Appliance

Set Up Cisco ISE in a Distributed Environment

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

TECHNICAL NOTE CLEARPASS PROFILING QUICK START GUIDE

Network Deployments in Cisco ISE

ForeScout CounterACT. Configuration Guide. Version 4.3

Install and Configure the TS Agent

Course Objectives In this course, students can expect to learn how to:

Get Started with Cisco DNA Center

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418

Network Deployments in Cisco ISE

Getting Started with Prime Network

Citrix NetScaler Essentials and Unified Gateway

CHAPTER. Introduction

Error and Event Log Messages

Configure Client Posture Policies

Configure Site Network Settings

Managing Site-to-Site VPNs: The Basics

Configuring Application Visibility and Control for Cisco Flexible Netflow

Quick Start Guide: TrafficWatch

Data Collection and Background Tasks

Implementing Network Admission Control

Understanding of basic networking concepts (routing, switching, VLAN, firewall functionality)

Managing Site-to-Site VPNs

Forescout. Configuration Guide. Version 8.1

Cisco ISE Ports Reference

SCRIPT: An Architecture for IPFIX Data Distribution

Introduction to Network Discovery and Identity

Citrix NetScaler Traffic Management

ForeScout Agentless Visibility and Control

Managing Site-to-Site VPNs: The Basics

LiveNX 8.0 QUICK START GUIDE (QSG) LiveAction, Inc WEST BAYSHORE ROAD PALO ALTO, CA LIVEACTION, INC.

Configure Client Posture Policies

Load Balancing Censornet USS Gateway. Deployment Guide v Copyright Loadbalancer.org

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B

CNS-207-2I Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

Cisco Unified Messaging Gateway

Exam Questions

WiNG 5.x How-To Guide

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Add and Organize Devices

Port Mirroring in CounterACT. CounterACT Technical Note

Campus Network Design

Cisco Implementing Cisco IP Switched Networks (SWITCH v2.0)

Seven Criteria for a Sound Investment in WAN Optimization

ForeScout CounterACT. Configuration Guide. Version 1.8

Set Up Cisco ISE in a Distributed Environment

Deploy Microsoft SQL Server 2014 on a Cisco Application Centric Infrastructure Policy Framework

Load Balancing Web Proxies / Filters / Gateways. Deployment Guide v Copyright Loadbalancer.org

Prerequisites CNS-220 Citrix NetScaler Essentials and Traffic Management

User Management: Configuring User Roles and Local Users

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Virtual Security Gateway Overview

CCNP Security VPN

A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS

Performance Routing (PfR) Master Controller Redundancy Configuration

Cisco Exam Questions & Answers

Cisco Next Generation Firewall Services

Overview of IPM. What is IPM? CHAPTER

ForeScout CounterACT. Controller Plugin. Configuration Guide. Version 1.0

SmartReport user documentation; Team SmartReport, Acipia

Configure Cisco NAC Profiler Events

Cisco Nexus Data Broker

Oracle E-Business Suite 11i with Cisco ACE Series Application Control Engine Deployment Guide, Version 1.0

Connection Logging. Introduction to Connection Logging

Intel Active Management Technology Overview

Transcription:

CHAPTER 2 Topics in this chapter include: Overview, page 2-1 Cisco NAC Profiler System Deployment Model, page 2-3 Cisco NAC Profiler Usage: Port Provisioning and Endpoint Directory, page 2-4 Overview Cisco NAC Profiler is a modular, network appliance-based system that provides two top-level functions critical to the effective and efficient deployment and management of Network Admission Control (NAC) solutions. Those two functionalities are Endpoint Profiling and Behavior Monitoring. NAC Profiler performs these functions utilizing a unique approach and technologies that are both highly reliable and result in negligible impact to the endpoints and network. NAC Profiler performs the Endpoint Profiling and Behavior Monitoring functions by passively analyzing network traffic and several other methods described in the previous chapter to classify endpoints into an appropriate Profile according to pre-determined criteria or rules that guide the classification of all endpoints into the appropriate Profile. In addition, the system reports changes in endpoint connection status and stores the data for future retrieval. It also allows the user to take action with respect to changing selected port parameters of edge network infrastructure devices, parameters pertinent to the implementation and ongoing management of authentication and NAC solutions. All of these functions are controlled by the administrator using the web-based graphical user interface (GUI) accessible through a standard browser. The Endpoint Profiling software that powers Cisco NAC Profiler is provided as two functional systems that reside on different appliances: Cisco NAC Profiler Server appliance Collector component on the Clean Access Server (Cisco NAC Appliance) The Cisco NAC Profiler Server houses the database that contains all of the endpoint information, gathered from the associated Collectors, including device type, location, and behavioral attributes. In addition the Profiler Server presents the web-based interfaces and liaises with the Clean Access Manager to keep the CAM s filters list current and relevant. There are also Forwarder modules that serve as middleware and facilitate secure communications between the Profiler Server and the Collectors. Finally, the Profiler Server also provides a module that can receive and analyze data from other sources such as NetFlow records exported from NetFlow-enabled infrastructure devices (e.g., routers) or other NetFlow collectors. This information is combined with the information gathered from the Collectors and is used to further profile the network attached endpoints. 2-1

Overview Chapter 2 The Cisco NAC Profiler Collector resides on the same appliance with the Cisco NAC Appliance Clean Access Server (CAS) and consists of a number of software modules that discover information about the network attached endpoints including a network mapping module (NetMap), an SNMP trap receiver/analyzer (NetTrap), a passive network analysis module (NetWatch), and an active inquiry module (NetInquiry). The major functions of the Collector are to gather all of the salient data about the endpoints communicating to/through that Clean Access Server (CAS), and to minimize and aggregate the information that is sent over the network to the Profiler Server. Table 2-1 and Table 2-2 summarize the functions of the Profiler Server and the Collector. Table 2-1 Profiler Server Modules Profiler Server Module NetRelay Forwarder Server Purpose Receives endpoint profiling and behavior monitoring data from other systems, such as NetFlow Facilitates communication between all NAC Profiler modules, acts as middleware between Collector modules and the Server module in a Cisco NAC Profiler system Controller, modeling engine, GUI and database. Collects, classifies and logs incoming data. Serves web-based User Interface, and manages the Device Filters list in the Clean Access Manager for Cisco NAC Profiler systems. Table 2-2 Collector Modules Collector Module NetMap NetTrap NetWatch NetInquiry Forwarder Purpose Collector Module that queries network devices via SNMP for: System information Interface information Bridge information 802.1x information Routing/IP information Builds and maintains a model of the network topology Receives selected traps from network devices to assist NetMap in maintaining the model of the network topology Passive network analyzer collector modules. Collects information about endpoints using network traffic Active profiling Collector module Facilitates communication between all NAC Profiler modules, acts as middleware between Collector modules and the Server module in a Cisco NAC Profiler system 2-2

Chapter 2 Cisco NAC Profiler System Deployment Model Cisco NAC Profiler System Deployment Model Cisco NAC Profiler is designed and implemented as a modular system which employs one or more remote Collectors to distribute the data gathering to each CAS in the network and provide distributed points of visibility while centralizing the Endpoint Profiling and Behavior Monitoring functions onto a centralized Profiler Server. The remote Collectors run one or more instances of the desired Collector modules plus the Forwarder system module. The Forwarder module on a CAS/Collector forwards data collected by the remote appliance to the designated Profiler Server. The Profiler Server aggregates the data received from all the Collectors in the system and provides centralized management of the distributed Cisco NAC Profiler system. Note Cisco NAC Profiler Collectors must be combined with a Cisco NAC Profiler Server in order to be managed, so that Endpoint Profiling and Behavior Monitoring data is aggregated analyzed, presented, and the appropriate endpoints sent to the Clean Access Manager's Device Filters list. Figure 2-1 shows the Cisco NAC Profiler system, where one or more Collectors are deployed in conjunction with a central Profiler Server. The Collectors send their Endpoint Profiling and Behavior Monitoring data to the central appliance via the onboard Forwarder module (blue lines), and are managed by the central appliance (yellow lines). Communications between the appliances is accomplished over the local or wide area network via an encrypted TCP session using the Management interfaces on the NAC Profiler appliances. The central appliance maintains the endpoint database and provides centralized management for the entire Cisco NAC Profiler system via the web based UI served by that appliance. The endpoint data that is denoted as needing to be provisioned to the Clean Access Manager is sent using the NAC API and data mining of the NAC Profiler database is performed via a web-based session with the Profiler Server. 2-3

Cisco NAC Profiler Usage: Port Provisioning and Endpoint Directory Chapter 2 Figure 2-1 Distributed Cisco NAC Profiler System IP CAM CAS with NAC Profiler Collector - 1 IP CAS with NAC Profiler Collector - n NAC Profiler Server IP Endpoint Profiling and Behaviour Monitoring Management NAC API and Data Retrieval 184555 Cisco NAC Profiler Usage: Port Provisioning and Endpoint Directory The Endpoint Profiling and Behavior Monitoring functions provided by the Cisco NAC Profiler are essential to the efficient and effective deployment and ongoing management of NAC in enterprise networks. The modes of operation for Cisco NAC Profiler can be categorized at the top level as Port Provisioning and Endpoint Directory. The Port Provisioning functions of the Cisco NAC Profiler are used as an augmentation to the network management platform, providing purpose-built configuration management tools designed to assist with deployment and ongoing management of NAC in enterprise networks. Port Provisioning provides the network administrator with a UI for interacting with the edge network infrastructure devices (e.g., switches), and allows the manipulation of port parameters on those network edge devices providing 2-4

Chapter 2 Profiler Server High Availability Option (HA) access to a selected endpoint or group of endpoints for the purpose of provisioning authentication and or NAC-specific parameters. Cisco NAC Profiler utilizes SNMP communications to make persistent configuration changes on selected ports of selected edge devices enabling network managers to have fine-grained control of the infrastructure providing endpoint connectivity. If port provisioning is not intended to be used, but SNMP is intended to provide discovery functionality on the Collectors, then read-only access is required. Read-write credentials are only required if port provisioning is to be used. In the Endpoint Directory, Cisco NAC Profiler provides endpoint information to the CAM, most frequently managing the list of those endpoints that are unable to interact with the NAC system directly. In this usage mode, the Cisco NAC Profiler is integrated with the CAM using the methods described in Chapter 11, Integration with Cisco NAC Appliance, providing valuable and up-to-date information about non-user devices so that they can be provided reliable and secure access in an automated and dynamic fashion, regardless of their physical location. In most Cisco NAC Appliance environments, the port provisioning function is only used at deployment time and when something acute needs immediate attention. The uses of this function at deployment time are to rapidly deploy VLAN port configuration settings to the network access devices so that they may communicate with Cisco NAC Appliance. These settings can be deployed by network switch by providing a list of ports on a device or by endpoint type whereby the GUI presents all of the endpoints of a give type in one table for configuration. This can be especially helpful when deploying NAC incrementally where it may be desirable to deploy certain device type (all windows users, all Apple users, etc) or certain groups of ports (all conference rooms or café ports). The usage of the Endpoint Directory, meanwhile, is at the heart of the Cisco NAC Profiler/Cisco NAC Appliance interaction. The Endpoint Directory is a list of all profiled and un-profiled endpoints that are known to the Cisco NAC Profiler. From this list, the selected endpoint types (profiles) can be provisioned to the CAM. As new devices are discovered they can be added to the list. Endpoints that have been retired, or are found to be behaving in ways not appropriate for their known device type can be removed from the filters list. Profiler Server High Availability Option (HA) Cisco NAC Profiler (release 2.1.8 and later) provides a high-availability option in the Profiler Server software. The HA option allows Cisco NAC Profiler Server appliances to be deployed as a pair of physical appliances that operate as a single entity, with a single, shared database manageable via single Virtual IP (VIP). This option is provided to protect against either appliance hardware or software failure, or the loss of network connectivity to a single appliance so that the Cisco NAC Profiler system remains available. The following key points provide a high-level summary of High Availability operation for Cisco NAC Profiler Server appliances: The Profiler Server appliance high-availability mode is an Active/Passive two-appliance configuration in which a Secondary appliance acts as a backup to an active Primary appliance. The pair is managed via a single IP address (VIP) which will be transferred to the Primary at any given point The Primary appliance performs all tasks for the system. The standby monitors the active appliance and keeps its database synchronized with the active appliance's database. Both Profiler Server appliances share a virtual Service IP for the eth0 (management) interface. In the event of a failover, the system continues to operate normally with no manual intervention. The primary and secondary appliances exchange UDP heartbeat packets every 2 seconds. If the heartbeat timer expires, stateful failover occurs. 2-5

Profiler Server High Availability Option (HA) Chapter 2 The eth1 interfaces on the both the active and standby appliances are used for heartbeat packets and database synchronization. While the active Profiler Server appliance carries most of the workload under normal conditions, the standby continually monitors the active and keeps its data store synchronized with the active appliance's data. The data store includes system configuration information as well as the endpoint database. If a failover event occurs, such as the active appliance being inadvertently shut down or stops responding to the peer's heartbeat signal for any other reason, the standby assumes the role of the active Profiler Server appliance. The HA option also includes an additional feature to guard against the failure of a network interface. A designated external ping host is specified for the HA appliances and is monitored independently by each member of the pair. If an appliance determines that the external ping host has failed (due to the failure of a network interface, or other condition preventing network communication with the ping host), the appliance will contact the other appliance in the pair to determine if it has better connectivity. In the case of the primary Profiler Server appliance sensing loss of network connectivity, if the secondary does have better connectivity, failover is initiated to the secondary. This additional protective measure enables the appliances to monitor the state of their network connectivity to guard against failures of their network interface hardware or other disruptions of network connectivity. When a loss of network connectivity occurs, failover will be initiated although the appliance hardware and software is still operating normally otherwise. Typically, the HA option is configured at the initial startup when the Cisco NAC Profiler system is initially deployed. When both appliances to be utilized in a HA pair are new (fresh Profiler Server software ISO installation), the proper procedure for the configuration of the HA pair is contained in Chapter 4, Installation and Initial Configuration of this document. A second appliance can also be added to an existing operating Profiler appliance. Instructions for this procedure are included in Chapter 15, Cisco NAC Profiler Server Command Line Reference. 2-6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback