NAC PLUS - Implementing Cisco NAC Appliance 4.8 Plus Profiler (formerly CANAC)

Cisco NAC PLUS (Replacing CANAC 2.1) | NAC Code v4.8 | Prepares you for Cisco Exam 642-591 CANAC.

Gain hands-on experience on NAC 4.8 and Profiler in this unique course offered only by Global Knowledge.

We started with Cisco's standard course material that was built on NAC version 4.0, and we completely re-wrote and re-organized it. We updated it to use NAC version 4.8 software, and we added coverage of Cisco Profiler.

We expanded our exclusive labs, adding more content and taking the standard course from just three days to a content-packed five days. You'll train for four days on the NAC Appliance, followed by a full day on the Cisco Profiler.

You won't find another NAC course with this level of enhanced content. Enhancements you'll find only in our course include:

  • Updated Student Guide material, with NAC version 4.8 screen shots and content
  • Feature-enhancement discussions, including out-of-band (OOB) logoff, Passive Re-Assessment, and external authentication for management sessions
  • Log data and configuration file locations on CLI
  • Real-world ASA SSL VPN scenarios
  • Detailed certificate discussions surrounding high availability (HA) and using a Microsoft certificate authority (CA)
  • NAC Appliance Agent (NAA) version 4.8
  • Client configuration file using XML without the older registry settings
  • NAC Profiler discussion providing an overview and covering setup and HA

A Global Knowledge Exclusive: Bonus Lab Credits

You'll receive five extra security e-Lab credits (good for 30 days) to review a topic after class, refine your skills, or get in extra practice, whatever lab activities complete your training.

Is this NAC course right for you?

Cisco Systems offers two solutions for Network Admission Control: NAC Appliance and NAC Framework. NAC PLUS is right for you if your NAC solution includes the following elements:

  • NAC Appliance Manager (NAM)
  • NAC Appliance Server (NAS)
  • Cisco Catalyst Switches using OOB access
  • Cisco ASA/PIX Firewalls (without configuring NAC commands)
  • Profiler Deployments

What You'll Learn

  • Given client network security requirements, how a NAC Appliance deployment scenario will meet or exceed those expectations
  • Configure the common elements of a NAC Appliance solution
  • Configure Active Directory Single Sign-On (AD SSO)
  • Configure VPN Single Sign-On using an ASA with the standard IPSec client and the AnyConnect 3.0 client (SSL)
  • Configure the NAC Appliance in-band and OOB implementation options
  • Implement the NAM and NAS HA to protect against downtime
  • Configure Network Scanning to audit clients and clientless hosts
  • Configure compliance checking using manual and automated settings in version 4.8 of the code
  • Learn the elements of code signing applications needed for remediation
  • Create custom web page portals based on the location of clients
  • Allow Active Directory (AD) LDAP Authorization to map AD groups to NAC Appliance Roles
  • Walk through and configure three different network topologies: in-band, VPN in-band, and OOB
  • See for yourself the privilege rights needed for installing the Cisco NAA and customizing client XML settings
  • Learn to monitor, maintain, and troubleshoot a NAC solution
  • NAC Profiler overview, design, and deployment

Who Needs to Attend

Anyone responsible for the design, implementation, or support of a Cisco NAC Appliance installation

Prerequisites

There are no prerequisites for this course.

Follow-On Courses

There are no follow-ons for this course.

Certification Programs and Certificate Tracks

This course is part of the following programs or tracks:

  • Cisco Network Admission Control Specialist

Course Outline

Cisco NAC Appliance Solution (NAS)

1. Cisco Self-Defending Networks

  • Changing Security Landscape
  • Cisco Host-Protection Strategy
  • Cisco SDN Initiative
  • Trust and Identity
  • Cisco NAC Products

2. Cisco NAC Appliance

  • Cisco NAC Appliance Solution
  • Features and Components
  • Compliance Scenarios
  • Deployment Options
  • Configuration Overview
  • User Interface

3. Cisco NAC Appliance Deployment Options

  • Out-of-Band (OOB) Deployment
  • In-Band Deployment
  • Deployment Options Comparison
  • NAS Operating Modes
  • Virtual vs. Real-IP Gateways
  • Layer 2 vs. Layer 3

NAC Appliance Implementation

4. Configure User Roles

  • What a User Role Is
  • Create User Roles
  • Define and Configure Traffic Policies for User Roles
  • Create Local User Accounts

5. Implement Cisco NAC Appliance In-Band Deployment

  • In-Band Process Flow
  • In-Band Deployment Configurations
  • Configure the Cisco NAS for In-Band Deployment
  • Add the Cisco NAS to the Managed Domain
  • Configure Cisco NAS Interfaces
  • Add Managed Subnets
  • Configure Cisco NAS VLAN Settings

6. Configure NAM High Availability

  • HA for Cisco NAMs
  • Establish a Serial Connection Between Managers
  • Digital Certificate Requirements
  • Configure the Primary and Standby Cisco NAMs

7. Configure Cisco NAS HA

  • HA for NAS
  • Implementation Considerations
  • Digital Certificate Requirements
  • Configure the Primary and Standby NAS
  • Complete the Standby NAS HA Configuration
  • Test the NAS HA Configuration
  • Configure DHCP Failover

8. Configure External Authentication

  • Configure External Authentication Providers
  • Authenticate Cisco NAC Appliance Users
    • Kerberos
    • RADIUS
    • LDAP
    • NT Domain
  • Map Users to User Roles
  • Test User Authentication
  • Configure RADIUS Accounting for Users
  • Add Custom RADIUS Attributes

9. Implement Windows AD SSO

  • Kerberos Ticket Exchange
  • Confirming a NAS Ticket
  • Communications Between the NAS and Active Directory
  • AD SSO Configuration Checklist
  • TCP and UDP Ports Required for AD SSO
  • Configure the NAS for AD SSO
  • Install Support Tools for Windows 2000 or 2003 Server
  • Configure the Domain Controller with ktpass.exe

10. Implement Virtual Private Network Single Sign-On (VPN SSO)

  • Configuration Checklist
  • Configure a Traffic Filter
  • Add VPN Authentication Server to NAM
  • Map VPN Users to Roles on NAM
  • Enable VPN SSO on the NAS
  • Adding a VPN Device to the NAS
  • Configure RADIUS Accounting
  • Configure the VPN Gateway as a Floating Device
  • Test VPN SSO

11. Implement Cisco NAC Appliance OOB Deployment

  • OOB Process Flow
  • OOB Deployment Considerations
  • Layer 2 Central and Edge Deployment
  • Layer 3 Virtual Gateway and Real-IP Gateway
  • Layer 2 and 3 Clientless Host Options
  • Cisco NAC Appliance OOB vs. In-Band Setup
  • Implement Cisco NAS OOB Operating Modes

12. Manage Switches

  • Implement Switch Management
  • Configure the Network for OOB Deployment
  • Configure Group, Switch, and Port Profiles
  • Configure Port Profiles Adding Switches to the Managed Domain
  • Configuring SNMP Advanced Settings
  • Configure Switch Ports to Use Port Profiles
  • Manage Switch Configuration Settings

NAC Appliance Implementation Options

13. Implement Cisco NAC Appliance on a Network

  • General Setup Tab
  • User Pages
  • Configure Cisco NAA Support
  • Manage Certified Devices
  • Device Exemption
  • Viewing User Reports

14. Implement Network Scanning

  • Configure the Quarantine Role
  • Implement Nessus Plug-Ins
  • Test a Scanning Configuration
  • Customize the User Agreement Page
  • View Scan Reports

15. Configure the NAM to Implement Cisco NAA on User Devices

  • Retrieve Updates
  • Require the Use of the Cisco NAA
  • Configure the Cisco NAA Temporary Role
  • Introduce and Create Checks, Rules, and Requirements
  • Map Requirements to Rules and Roles

16. Configure DHCP

  • Cisco NAS DHCP Modes
  • Enable the DHCP Module
  • Configure IP Ranges (IP Address Pools)
  • Work with Subnets
  • Reserve IP Addresses
  • Configure User-Specified DHCP Options

NAC Appliance Monitoring and Administration

17. Monitor a Cisco NAC Appliance Deployment

  • Cisco NAC Appliance Monitoring
  • Monitor Online Users
  • Monitor NAS Health Event Logs
  • Configure Basic SNMP Support
  • Configure Syslog Support

18. Administer Cisco NAM

  • Define the Cisco NAM Administration Module
  • Set Network and Failover Parameters
  • Manage Administration Groups and Users
  • Manage User Passwords
  • Administer the System Time
  • Manage SSL Certificates
  • Manage the Cisco NAC Appliance Software
  • Protect Your NAM Configuration

NAC Profiler

19. NAC Profiler Fundamentals

  • Cisco Profiler Solution
  • Components
  • Use Cases
  • Management Interface
  • Features and Profiling Options

20. Deploying NAC Profiler

  • Deployment Options
  • Active Collections
  • Endpoint Discovery Fundamentals
  • NAC and LDAP Integration
  • Profiler Events
  • High Availability

Labs

Lab 0: Exclusive - Remote Lab Familiarization

  • Log In to the Remote Lab Environment
  • Launch and Log In to the Remote Lab Virtual PCs
  • Set Time Zone on Remote Lab Virtual PCs
  • Log In to and Manage Remote Lab Equipment

Lab 1: Enhanced - Bootstrap Primary NAM and NAS

  • Log In to the NAM and NAS Serial Console
  • Execute the NAM and NAS Setup Script
  • Navigate to the NAM and NAS Web-Based Administration Consoles
  • Access the NAS from a Host on the Same Subnet

Lab 2: Exclusive - Configuring User Roles and Traffic Policies

  • Configure Default Authentication Pages for Users
  • Create User Roles on the Cisco NAM
  • Create an IP-based Traffic Control Policy for Each User Role
  • Configure New Users in the Local Database

Lab 3: Enhanced - Configure NAS In-Band Virtual Gateway

  • Add an In-Band Virtual Gateway Cisco NAS to the Cisco NAM Domain
  • Configure the In-Band Virtual Gateway Cisco NAS Settings
  • Configure VLAN Mapping for the In-Band Virtual Gateway
  • Install the NAA

Lab 4: Exclusive - Configuring High Availability

  • Configure the Secondary NAM for Network Access
  • Export the Primary NAM SSL Private Key and Certificate
  • Configure the Primary Cisco NAM Network and Failover Settings
  • Import the SSL Private Key and Certificate into the Secondary Cisco NAM
  • Configure Secondary Cisco NAM Network and Failover Settings
  • Test the HA Cisco NAM Cluster

Lab 5: Enhanced - Configuring Active Directory Single Sign-On (AD SSO)

  • Confirm Readiness to Configure Windows AD SSO
  • Add Windows AD SSO Authentication Server
  • Configure Traffic Policies for the Unauthenticated Role
  • Configure Windows AD SSO on the NAM
  • Windows Active Directory Server Configuration
  • Install the KTPASS Utility on the Data-Srv
  • Enable Agent-Based Windows SSO with Active Directory
  • Test Windows AD SSO Configuration

Lab 6: Exclusive - Enhanced SSO with LDAP Group Authorization

  • Configure an LDAP lookup server
  • Configure authorized groups in AD
  • Associate the lookup server with an authentication provider
  • Test the solution

Lab 7: Exclusive - Configuring VPN Remote Access: Using the Class Attribute

  • Add the ASA as a Floating Device in the NAM
  • Add a Cisco VPN Auth Server to NAM
  • Map VPN Users to Roles in the NAM
  • Enable VPN SSO
  • Add the ASA to the NAS for Accounting
  • Add a RADIUS Accounting Server to the NAS
  • Test the VPN

Lab 8: Exclusive - Configuring NAC VPN SSO

  • Configuring the ASA to Communicate with the RADIUS and Accounting Server
  • Adjust Traffic Filters for Additional VPN Addresses
  • Mapping VPN Groups using Framed IPs
  • Testing the VPN SSO
  • SSO for SSL (AnyConnect VPN)

Lab 9: Exclusive - Configuring OOB

  • Re-Configure the NAS for OOB Virtual Gateway
  • Verify Switch SNMP Notification
  • Configure Group and Switch Profiles to the NAS
  • Configure Port Profiles
  • Add a Switch to the Cisco NAM
  • Configure the Ports on the Switch
  • Verify Your Configuration by Authenticating Your Users

Lab 10: Enhanced - Compliance Checking

  • Configure General Setup
  • Allow DNS Packets to Your Network in the Temporary Role
  • Create Checks and Rules
  • Create a New Requirement for Users
  • Associate the Requirement to a Role
  • Test the Configuration

Lab 11: Exclusive - Feature Enhancements

  • OOB Logoff
  • Client XML Customization
  • Passive Re-assessment
  • Skinning the Client

Lab 12: Exclusive - NAC Administration and Maintenance

  • IP-Based Restrictions
  • External Authentication
  • Key Recovery
  • Upgrading the NAC Appliance

Lab 13: Exclusive - Configuring NAC Profiler

  • Profiler Installation
  • NAC Collector Configuration
  • SSL Certificates Using a Microsoft CA

Lab 14: Exclusive - Configuring NAC Profiler Server

  • Profiler Module Upgrade
  • Server Connection Options
  • Configuring Collector Modules
  • Configuring My Networks
  • Managing Network Devices
  • Integrating NAC Profiler with Active Directory

Lab 15: Exclusive - Profiling the Network

  • Configuring Endpoints and Endpoint Profile Groups
  • Integrating with the Cisco NAC Appliance
  • Create NAC Events

Cybersecurity

On-Site

Course Code: 5495

Exclusive Course

Contact us for pricing

5 Day Course


Copyright ©2013 Global Knowledge Training LLC. All rights reserved.