
What is less obvious is how the "User Pages" affect single sign-on (SSO) scenarios. With NAC Appliance, there are two widely used SSO methods. The first is VPN SSO, used mostly for remote VPN access: the VPN device sends the NAC Server a RADIUS accounting packet after the user authenticates successfully, and the NAC Server then accepts that user's sessions as already authenticated. The second is AD SSO, used mostly in campus deployments: the NAC Server recognizes a user's Active Directory login from the user's Kerberos tickets.
In both SSO methods, the login page is never displayed because authentication is handled by SSO. With this in mind, configuring the User Pages is not an intuitive step in the configuration process. In actuality, the User Pages are very important when configuring SSO, because they still define which operating systems are allowed through the NAC Server. This means that even if a user completes SSO successfully, they will not be allowed access through the NAC Server if their operating system is not defined in "User Pages". Put another way, the User Pages remain the recommended method of blocking unwanted operating systems even when using SSO.
3 comments:
And how does it detect the user's OS? By User-Agent?
The OS is detected by the response from the HTTP GET request. Below is the relevant text from the Cisco NAC Manager 4.1.6 Config Guide:
Cisco NAC Appliance detects a number of client operating system types, including Windows, Mac OS, Linux, Solaris, Unix, Palm, Windows CE, and others. Cisco NAC Appliance determines the OS the client is running from the OS identification in the HTTP GET request, the most reliable and scalable method. When a user makes a web request from a detected operating system, such as Windows XP, the CAS can respond with the page specifically adapted for the target OS.
The OS can be further verified by information from JavaScript, or by OS fingerprinting from the TCP/IP handshake. This can be seen in the CAM GUI at "Device Management > Clean Access Servers > x.x.x.x". The relevant text from the GUI is as follows:
By default, the system uses the User-Agent string from the HTTP header to determine the client OS. Additional detection options include using the platform information from JavaScript, or OS fingerprinting from the TCP/IP handshake.
This is also described in the NAC Manager 4.1.6 Config Guide in the "Clean Access Implementation Overview" section. Search for "OS Detection Fingerprint".
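To make the two points above concrete, the OS gate that the post says still applies after SSO, and the User-Agent based detection that the comment reply quotes from the Config Guide, here is an added example that is not code from the original post, from Cisco, or from the NAC Appliance itself. It models the decision in plain Python: the OS family is read from the User-Agent header of the client's first HTTP GET, the result is compared against a User Pages style allow-list, and a session is admitted only if it is both SSO-authenticated and running an allowed OS. The `_UA_RULES` patterns, the `Session` class, and the `secondary_os` field standing in for the JavaScript or TCP/IP fingerprint result are all constructed for this example and are not Cisco's own detection tables. Two design choices are deliberate and are assumptions, not documented NAC behaviour: an undetected OS fails closed, and a disagreement between the User-Agent and a secondary fingerprint is treated as a deny, since the User-Agent string is supplied by the client and the secondary checks exist precisely to verify it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed mapping of User-Agent tokens to the OS families the Config Guide
# lists (Windows, Mac OS, Linux, Solaris, Palm, Windows CE). Order matters:
# "Windows CE" must be tested before the generic "Windows" rule. These are
# illustrative patterns, not Cisco's detection tables.
_UA_RULES = [
    (re.compile(r"Windows CE", re.I), "Windows CE"),
    (re.compile(r"Windows", re.I), "Windows"),
    (re.compile(r"Mac OS X|Macintosh", re.I), "Mac OS"),
    (re.compile(r"SunOS", re.I), "Solaris"),
    (re.compile(r"Linux", re.I), "Linux"),
    (re.compile(r"PalmOS|Palm", re.I), "Palm"),
]


def detect_os_from_user_agent(user_agent: Optional[str]) -> Optional[str]:
    """Return the OS family named in the User-Agent header, or None if absent/unknown."""
    if not user_agent:
        return None
    for pattern, os_family in _UA_RULES:
        if pattern.search(user_agent):
            return os_family
    return None


@dataclass
class Session:
    """Hypothetical view of what the NAC Server knows about a client session."""
    username: str
    sso_authenticated: bool            # set by VPN SSO (RADIUS accounting) or AD SSO (Kerberos)
    user_agent: str                    # from the client's first HTTP GET
    secondary_os: Optional[str] = None  # JavaScript / TCP-IP fingerprint result, if enabled


def evaluate_access(session: Session, allowed_os) -> tuple:
    """Apply the User Pages OS gate to an SSO session.

    SSO only replaces the login page; the detected OS must still be in the
    allow-list. Returns (allowed, reason)."""
    if not session.sso_authenticated:
        return (False, "not authenticated")
    detected = detect_os_from_user_agent(session.user_agent)
    if detected is None:
        # Fail closed: an OS we cannot name is not one defined in User Pages.
        return (False, "OS not detected from User-Agent")
    if session.secondary_os and session.secondary_os != detected:
        # User-Agent is client-supplied; a disagreeing fingerprint is a deny.
        return (False, f"OS mismatch: User-Agent says {detected}, "
                       f"fingerprint says {session.secondary_os}")
    if detected not in allowed_os:
        return (False, f"{detected} not defined in User Pages")
    return (True, f"{detected} allowed")


if __name__ == "__main__":
    # Constructed User Pages allow-list and sample sessions.
    allowed = {"Windows", "Mac OS"}
    samples = [
        Session("alice", True, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5)"),
        Session("bob", True, "Mozilla/5.0 (X11; U; Linux i686) Firefox/3.0"),
        Session("carol", False, "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
        Session("dave", True, "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
                secondary_os="Linux"),
        Session("erin", True, ""),
    ]
    for s in samples:
        ok, reason = evaluate_access(s, allowed)
        print(f"{s.username:6} {'ALLOW' if ok else 'DENY '} {reason}")
```

In the sample run, only alice is admitted: bob's Linux is not in the allow-list, carol never completed SSO, dave's User-Agent disagrees with the fingerprint, and erin sent no User-Agent at all. This is the same outcome the post describes for a real deployment: completing SSO is necessary but not sufficient, and an empty or unrecognised User-Agent should land on the deny side of the gate rather than be silently waved through.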