Services
Convergent Communications, Inc. - A Cisco Systems Learning Partner
Business/Enterprise Solutions Certification Packages
Cisco AS Courses
E-Learning About CCI
Consulting Home Page
Courses Schedules & Pricing Registration Contact Us
Product Training
Deploy Assure
Implementing Cisco NAC Appliance


Course Description

Course Objectives

Intended Audience

Prerequisites

Course Outline & Labs

SCHEDULE

REGISTRATION

COURSES INDEX

Implementing Cisco NAC Appliance (CANAC) - 4-Day Hands on Cisco Authorized Course


Course Description

In this course, you'll learn how to design & implement a Cisco NAC Appliance solution to suit your network. You will learn basic configuration tasks such as NAM and NAS deployment modes, authentication (including Windows SSO), role-based access control, posture assessment, and remediation.

Cisco Systems offers two solutions for Network Admissions Control: NAC Appliance and NAC Framework. If the NAC solution you are planning includes the following elements, then this NAC Appliance course, CANAC v2.1, is right for you:

  • NAC Appliance Manager (NAM)
  • NAC Appliance Server (NAS)
  • Cisco Catalyst Switches using Out-of-Band (OOB) access
  • Cisco VPN Concentrators (without configuring NAC commands)
  • Cisco ASA/PIX Firewalls (without configuring NAC commands)

If the NAC solution you are planning includes the following elements, then the NAC Framework course, NAC (Implementing Cisco Network Admission Control) v3.0, is the better choice:

  • Cisco Secure ACS 4.0/4.1
  • Cisco Catalyst Switches as a NAC enforcement point
  • Cisco IOS Routers as a NAC enforcement point
  • Cisco VPN Concentrators as a NAC enforcement point
  • Cisco ASA/PIX Firewalls as a NAC enforcement pointTOP


Course Objectives

  • Given client network security requirements, explain how a NAC Appliance deployment scenario will meet or exceed those expectations
  • Configure the common elements of a NAC Appliance solution
  • Configure Active Directory Single Sign-On (AD SSO)
  • Configure VPN Single Sign-On using an ASA/PIX
  • Configure the NAC Appliance in-band and out-of-band implementation options
  • Implement the NAM and NAS High Availability to protect against downtime
  • Configure Network Scanning to audit clients and clientless hosts
  • Learn to monitor, maintain, and troubleshoot a NAC solution
    TOP


Intended Audience

Anyone responsible for the design, implementation, or support of a Cisco NAC Appliance installation and Cisco Channel Partners preparing for CCSP and NAC Specialist certification.

TOP


Prerequisites

Fundamental knowledge of implementing network security or CCSP or Cisco Security Qualified Specialist Certification SNRS or working knowledge of digital certificates

  • BSCI or working knowledge of HSRP
  • SNRS - Securing Networks with Cisco Routers and Switches
  • BSCI - Building Scalable Cisco Internetworks v3.0

TOP
Course Outline

The Cisco NAC Appliance Solution

  1. Cisco Self-Defending Networks
    • The Changing Landscape of Security
    • The Cisco Host-Protection Strategy
    • The Cisco SDN Initiative
    • Trust & Identity
    • Cisco NAC Products
  2. Cisco NAC Appliance
    • Cisco NAC Appliance Solution
    • Cisco NAC Appliance Features
    • Cisco NAC Appliance Components
    • Compliance Scenarios
    • Deployment Options
    • Configuration Overview
    • User Interface
  3. Cisco NAC Appliance Deployment Options
    • Cisco NAC Appliance Out-of-Band (OOB) Deployment
    • Cisco NAC Appliance In-Band Deployment
    • Compare Cisco NAC Appliance Deployment Options
    • Cisco NAS Operating Modes
    • Virtual Gateway vs. Real-IP Gateway
    • Layer 2 vs. Layer 3
  4. Configure User Roles
    • What is a User Role?
    • Create User Roles
    • Define Traffic Policies for User Roles
    • Configure Traffic Policies for User Roles
    • Create Local User Accounts
  5. Configure External Authentication
    • Configure External Authentication Providers
    • Authenticate Cisco NAC Appliance Users with Kerberos
    • Authenticate Cisco NAC Appliance Users with RADIUS
    • Authenticate Cisco NAC Appliance Users with LDAP
    • Authenticate Cisco NAC Appliance Users with NT Domain
    • Map Users to User Roles
    • Test User Authentication
    • Configure RADIUS Accounting for Users
    • Adding Custom RADIUS Attributes
  6. Configure DHCP
    • Cisco NAS DHCP Modes
    • Enable the DHCP Module
    • Configure IP Ranges (IP Address Pools)
    • Work with Subnets
    • Reserve IP Addresses
    • Configure User-Specified DHCP Options

NAC Appliance Implementation

  1. Implement Cisco NAC Appliance In-Band Deployment
    • In-Band Process Flow
    • In-Band Deployment Configurations
    • Configure the Cisco NAS for In-Band Deployment
    • Add the Cisco NAS to the Managed Domain
    • Configure the Cisco NAS Interfaces
    • Add Managed Subnets
    • Configure Cisco NAS VLAN Settings
  2. Implement Windows Active Directory Single Sign-On (AD SSO)
    • Kerberos Ticket Exchange
    • Confirming a NAS Ticket
    • Communications between the NAS and Active Directory
    • AD SSO Configuration Checklist
    • TCP & UPD Ports Required for AD SSO
    • Configure the NAS for AD SSO
    • Install Support Tools for Windows 2000 or 2003 Server
    • Configure the Domain Controller with ktpass.exe
  3. Implement Virtual Private Network Single Sign-On (VPN SSO)
    • Configuration Checklist
    • Configure a Traffic Filter
    • Add VPN Authentication Server to NAM
    • Map VPN Users to Roles on NAM
    • Enable VPN SSO on the NAS
    • Adding a VPN Device to the NAS
    • Configure RADIUS Accounting
    • Configure the VPN Gateway as a Floating Device
    • Test VPN SSO
  4. Implement Cisco NAC Appliance Out-of-Band Deployment
    • OOB Process Flow
    • OOB Deployment Considerations
    • Layer 2 Central & Edge Deployment
    • Layer 3 Virtual Gateway & Real-IP Gateway
    • Layer 2 & 3 Clientless Host Options
    • Differences between Cisco NAC Appliance OOB Setup and In-Band Setup
    • Implement Cisco NAS OOB Operating Modes
  5. Manage Switches
    • Implement Switch Management
    • Configure the Network for OOB Deployment
    • Configure Group, Switch, and Port Profiles
    • Configure Port Profiles Adding Switches to the Managed Domain
    • Configuring SNMP Advanced Settings
    • Configure Switch Ports to Use Port Profiles
    • Manage Switch Configuration Settings

NAC Appliance Implementation Options

  1. Implement Cisco NAC Appliance on a Network
    • Implement Cisco NAC Appliance
    • General Setup Tab
    • User Pages
    • Configure Cisco NAA Support
    • Manage Certified Devices
    • Device Exemption
    • Viewing User Reports
  2. Implement Network Scanning
    • Configure the Quarantine Role
    • Implement Nessus Plug-Ins
    • Test a Scanning Configuration
    • Customize the User Agreement Page
    • View Scan Reports
  3. Configure the NAM to Implement Cisco NAC Appliance Agent on User Devices
    • Configure the Cisco NAM to Implement the Cisco NAC Appliance Agent (NAA)
    • Retrieve Updates
    • Require the Use of the Cisco NAA
    • Configure the Cisco NAA Temporary Role
    • Introduce Checks, Rules, and Requirements
    • Create a Check, Rules, and Requirements
    • Map Requirements to Rules and Roles
  4. Configure NAM High Availability (HA)
    • Introduce HA for Cisco NAMs
    • Establish a Serial Connection Between Managers
    • Digital Certificate Requirements
    • Configure the Primary Cisco NAM
    • Configure the Standby Cisco NAM
  5. Configure Cisco NAC Appliance Server (NAS) HA
    • Introduce HA for NASs
    • Implementation Considerations
    • Digital Certificate Requirements
    • Configure the Primary and Standby NAS
    • Complete the Standby NAS HA Configuration
    • Test the NAS HA Configuration
    • Configure DHCP Failover

NAC Appliance Monitoring and Administration

  1. Monitor a Cisco NAC Appliance Deployment
    • Cisco NAC Appliance Monitoring
    • Monitor Online Users
    • Monitor NAS Health Event Logs
    • Configure Basic SNMP Support
    • Configure Syslog Support
  2. Administer Cisco NAM
    • Define the Cisco NAM Administration Module
    • Set Network and Failover Parameters
    • Manage Administration Groups
    • Manage Administration Users
    • Manage User Passwords
    • Administer the System Time
    • Manage SSL Certificates
    • Manage the Cisco NAC Appliance Software
    • Protect Your NAM Configuration

If the NAC solution you are planning includes the following elements, then the NAC Framework course, NAC - Implementing Cisco Network Admission Control v3.0, is the better choice:

    • Cisco Secure ACS 4.0/4.1
    • Cisco Catalyst Switches
    • Cisco IOS Routers
    • Cisco VPN Concentrators
    • Cisco ASA/PIX Firewalls

Course Labs

  1. Lab 1: Remote Lab Environment
    • Log In to the Remote Lab Environment
    • Launch and Log In to the Remote Lab Virtual PCs
    • Set Time Zone on Remote Lab Virtual PCs
    • Log In to and Manage Remote Lab Equipment
  2. Lab 2: Prepare NAM for Web-Based Administration
    • Import Appropriate License Files
    • Log into the Web Administration Environment
    • Prepare to Import a NAS
  3. Lab 3: Configuring User Roles and Traffic Policies
    • Configure a Default User Page
    • Create User Roles on the NAM
    • Create Traffic Policies that Map to Each User Role
    • Configure New Users
  4. Lab 4: Adding In-Band Virtual Gateway NAS to the NAM
    • Connect an In-Band NAS to the NAM
    • Configure NAS as Virtual Gateway
    • Configure VLAN Mapping
  5. Lab 5: Create a High Availability NAM Cluster
    • Confirm Connectivity between Primary & Secondary NAM
    • Export the Private Key and SSL Certificate of the Primary NAM
    • Import the Private Key and SSL Certificate into the Secondary NAM
    • Configure Network and Failover Settings on Primary & Secondary NAM
    • Verify NAM Database Synchronization
    • Test Failover
  6. Lab 6: Configuring Active Directory Single Sign-On (AD SSO)
    • Add AD SSO Authentication Server
    • Configure Traffic Policies for the Unauthenticated Role
    • Enable the NAS to Use AD SSO
    • Use ktpass.exe to Prepare the Domain Controller
    • Enable and Test Agent-Based AD SSO
  7. Lab 7: Configuring VPN Single Sign-On (VPN SSO)
    • Configure the NAM to use an ASA 5520 as a Floating Device
    • Add VPN Authentication Server to the NAM
    • Map VPN Users to Roles for SSO
    • Add a RADIUS Accounting Server to the NAS
    • Map the ASA 5520 to the Accounting Server
    • Test VPN SSO
  8. Lab 8: Configuring RADIUS for SSO VPN
    • Adding an IAS Server
    • Debugging the ASA RADIUS Authentication
    • Mapping VPN Groups to a NAC Appliance Role
  9. Lab 9: Configure Switch for Out-Of-Band Operation
    • Delete the In-Band NAS from the NAM
    • Reconfigure the NAS as OOB Virtual Gateway
    • Configure VLAN Mapping
    • Verify Switch SNMP Configuration
    • Configure Group and Switch Profiles
    • Configure the NAM as an SNMP Trap Receiver
    • Add Switches and Configure Ports on the NAM
    • Test With Host
  10. Lab 10: Configuring the NAC Appliance Agent (NAA) for Specific Threats
    • Configure the NAS to Require the Use of NAA
    • Configure NAA Host Policies
    • Create a Host Requirement
    • Associate the Host Requirement to Users and Roles
    • Test and Verify
  11. Lab 11: Configuring LDAP Authorization to MAP AD Groups to NAC Appliance Roles
    • Configure an LDAP Lookup Server
    • Configure Authorized Groups in Active Directory
    • Associate the Lookup Server with an Authentication Provider
    • Test the Solution


    TOP



 

301-565-0138 : info@ccitraning.net

Courses | Schedule | Registration | Contact Us | Homepage | Related Links
Business/Enterprise Solutions | E-Learning | Consulting | Certification Packages | CISCO AES Courses | About Us

© Convergent Communications, Inc.