[. . . ] 7 Step Six: Test/Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Appendix A: Sample Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3
Configuring Cisco ASA to integrate with Sophos NAC Advanced
Configuring Cisco ASA to integrate with Sophos NAC Advanced
This document outlines the steps necessary to implement VPN/RADIUS integration using the Cisco Adaptive Security Appliance (ASA) and Sophos NAC Advanced. The steps outlined for this integration utilize the ASA command line, which can be accessed using HyperTerminal with a console cable. [. . . ] This method provides a way to quickly update ACLs without having to log on to the ASA. Note: These enforcement methods are definable for each NAC policy and each compliance state in NAC, and through Tunnel-Groups on the ASA. For example, if you had the CEO assigned to the Executives group within NAC that had a corresponding policy, then you could set up the policy to never assign any of the above enforcement methods, or you could simply have all of the executives' VPN configurations set to use a different Tunnel-Group that does not have enforcement options applied to it.
Step One: Configure the ASA to use the Compliance Application Server (RADIUS)
The ASA must be configured to point to the Compliance Application Server for Authentication, Authorization, and Accounting (AAA RADIUS) so that users can be authenticated and their policy compliance state can be confirmed. At this stage, NAC will send back a response based upon the compliance state associated with the username. Note: The commands used in this document are based on a sample configuration. For more information, see Appendix A: Sample Configuration on page 10. You must test your solution before deploying it in a production environment. The commands are in RED and the comments for the commands are in GREEN. Some of the commands are displayed on a second line because of space constraints. Log on to the ASA, create a AAA Server group called "RADIUS". Specify the IAS/RADIUS Server with the interface it is located on (inside or outside) as a member of the "RADIUS" group, and provide the location and shared secret. The interface is the IP address of the Sophos Compliance Application Server.
aaa-server RADIUS protocol radius aaa-server RADIUS host 10. 0. 224. 150 (IP address of the Compliance Application Server) key cisco123 (shared secret that will be used for the transaction)
Step Two: Define a Tunnel Group and its Authentication Type
The default Tunnel Group of DefaultRAGroup is used in this example. The Tunnel Group is the group that the user will be using in the VPN client to log on to the ASA. If there are other groups that have been created, such as Sales, Marketing, etc. , configure these groups in the same manner: 1. Since you are using the DefaultRAGroup as the VPN Group that you want to enforce, configure that group to use the RADIUS pool that you created in Step One:
tunnel-group DefaultRAGroup general-attributes (modify the DefaultRAGroup Tunnel Group) authentication-server-group RADIUS (enable Authentication using RADIUS) authorization-server-group RADIUS (enable Authorization) accounting-server-group RADIUS (enable Accounting)
The Basic Authentication enforcement method is fully configured now that the RADIUS Server/Tunnel Groups have been created in Step One and Step Two. If you planned on using this enforcement method, your setup for the ASA is complete, and you can continue with Step Five: Configure IAS to accept the ASA connections on page 7. 5
Configuring Cisco ASA to integrate with Sophos NAC Advanced Note: If you want to allow non-compliant users to log on to the VPN and then restrict their access to network resources, continue with Step Three: Create your Access Lists on page 6. The Basic Authentication enforcement method will only allow or deny a user's access based on whether they are compliant or non-compliant with the associated policy.
Step Three: Create your Access Lists
If you plan on using any enforcement method other than Basic Authentication (option 1), you must create access lists to define the network locations your users can access when they are in a compliant or non-compliant state. If you plan to use enforcement methods 2 or 3 (Filter ID, Group Policy), then you must define the access lists (ACLs) on the ASA. You do not need to define ACLs here with enforcement method 4 (Downloadable Access Lists). This example creates an ACL for port 80 (Internet) traffic only:
access-list acl_http_only permit tcp any any eq www (create the ACL)
Step Four: Configure VPN Restrictions
You must decide which of the four enforcement methods you wish to use with NAC: Basic Authentication, Filter-ID, Group Policy, and Downloadable Access Lists. The option you plan to use corresponds with and determines which of the following procedures you should follow: Basic Authentication Enforcement 1. [. . . ] If you see that users are being denied access due to Connection Request Policy problems, then it is likely that PAP did not get set up as one of the allowed authentication protocols, or that the VPN users are accessing the wrong Connection Request Policy.
9
Configuring Cisco ASA to integrate with Sophos NAC Advanced
Appendix A: Sample Configuration
The following is the sample configuration used in the creation of this document: ASA Version 7. 2(4) !hostname ciscoasa domain-name default. domain. invalid enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI. 2KYOU encrypted names !interface Vlan1 nameif inside security-level 100 ip address 192. 168. 1. 1 255. 255. 255. 0 !interface Vlan2 nameif outside security-level 0 ip address dhcp setroute ! [. . . ]