User manual SOPHOS NAC ADVANCED CONFIGURING CISCO ASA TO INTEGRATE WITH SOPHOS NAC ADVANCED V3.2

[. . . ] 7 Step Six: Test/Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Appendix A: Sample Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 3 Configuring Cisco ASA to integrate with Sophos NAC Advanced Configuring Cisco ASA to integrate with Sophos NAC Advanced This document outlines the steps necessary to implement VPN/RADIUS integration using the Cisco Adaptive Security Appliance (ASA) and Sophos NAC Advanced. The steps outlined for this integration utilize the ASA command line, which can be accessed using HyperTerminal with a console cable. [. . . ] You must test your solution before deploying it in a production environment. The commands are in RED and the comments for the commands are in GREEN. Some of the commands are displayed on a second line because of space constraints. Log on to the ASA, create a AAA Server group called "RADIUS". Specify the IAS/RADIUS Server with the interface it is located on (inside or outside) as a member of the "RADIUS" group, and provide the location and shared secret. The interface is the IP address of the Sophos Compliance Application Server. aaa-server RADIUS protocol radius aaa-server RADIUS host 10. 0. 224. 150 (IP address of the Compliance Application Server) key cisco123 (shared secret that will be used for the transaction) Step Two: Define a Tunnel Group and its Authentication Type The default Tunnel Group of DefaultRAGroup is used in this example. The Tunnel Group is the group that the user will be using in the VPN client to log on to the ASA. If there are other groups that have been created, such as Sales, Marketing, etc. , configure these groups in the same manner: 1. Since you are using the DefaultRAGroup as the VPN Group that you want to enforce, configure that group to use the RADIUS pool that you created in Step One: tunnel-group DefaultRAGroup general-attributes (modify the DefaultRAGroup Tunnel Group) authentication-server-group RADIUS (enable Authentication using RADIUS) authorization-server-group RADIUS (enable Authorization) accounting-server-group RADIUS (enable Accounting) The Basic Authentication enforcement method is fully configured now that the RADIUS Server/Tunnel Groups have been created in Step One and Step Two. If you planned on using this enforcement method, your setup for the ASA is complete, and you can continue with Step Five: Configure IAS to accept the ASA connections on page 7. 5 Configuring Cisco ASA to integrate with Sophos NAC Advanced Note: If you want to allow non-compliant users to log on to the VPN and then restrict their access to network resources, continue with Step Three: Create your Access Lists on page 6. The Basic Authentication enforcement method will only allow or deny a user's access based on whether they are compliant or non-compliant with the associated policy. Step Three: Create your Access Lists If you plan on using any enforcement method other than Basic Authentication (option 1), you must create access lists to define the network locations your users can access when they are in a compliant or non-compliant state. If you plan to use enforcement methods 2 or 3 (Filter ID, Group Policy), then you must define the access lists (ACLs) on the ASA. You do not need to define ACLs here with enforcement method 4 (Downloadable Access Lists). This example creates an ACL for port 80 (Internet) traffic only: access-list acl_http_only permit tcp any any eq www (create the ACL) Step Four: Configure VPN Restrictions You must decide which of the four enforcement methods you wish to use with NAC: Basic Authentication, Filter-ID, Group Policy, and Downloadable Access Lists. The option you plan to use corresponds with and determines which of the following procedures you should follow: Basic Authentication Enforcement 1. Go to Step Five: Configure IAS to accept the ASA connections on page 7 since the default RADIUS Enforcer access templates within the Compliance Manager are already configured for this method. Log on to the Compliance Manager and click Enforce > RADIUS Enforcer Access Templates. Click the Default ­ RADIUS Reject All template. Click the Network Access list box, and change its value from "Reject" to "Accept". Click New to create a new attribute, and specify the following properties: · Type: Standard · Name: Filter-ID · Number: 11 · Format: Text · Value: acl_http_only Note: This value is the name of the ACL that you created in Step Three. Configure the ASA with the following: ip local pool quarantine 192. 168. 1. 201-192. 168. 1. 253 (address pool for quarantine users) group-policy QuarantineGroupPolicy internal (create an internal Quarantine Group Policy) group-policy QuarantineGroupPolicy attributes (define the Group Policy attributes) vpn-filter value acl_http_only (define the Group Policy's ACL) default-domain value quarantine. com (define the default domain) address-pools value quarantine (use the quarantine pool created above) 2. [. . . ] interface Vlan2 nameif outside security-level 0 ip address dhcp setroute !interface Ethernet0/0 switchport access vlan 2 !ftp mode passive dns server-group DefaultDNS domain-name default. domain. invalid access-list outside_access_in extended permit ip 10. 0. 192. 0 255. 255. 255. 0 any access-list 10 remark Permit All Traffic access-list 10 extended permit ip any any 10 Configuring Cisco ASA to integrate with Sophos NAC Advanced access-list ProductionNetwork_splitTunnelAcl standard permit any access-list inside_nat0_outbound extended permit ip any 10. 0. 224. 250 255. 255. 255. 254 access-list inside_nat0_outbound extended permit ip any 10. 0. 224. 252 255. 255. 255. 254 access-list acl_http_only extended permit tcp any any eq www access-list acl_http_only extended deny ip any any pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool pool1 192. 168. 1. 50-192. 168. 1. 100 ip local pool pool2 192. 168. 1. 101-192. 168. 1. 200 ip local pool quarantine 192. 168. 1. 201-192. 168. 1. 253 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524. bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0. 0. 0. 0 0. 0. 0. 0 access-group outside_access_in in interface outside per-user-override timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute aaa-server RADIUS protocol radius aaa-server RADIUS (outside) host 10. 0. 224. 150 key password radius-common-pw password acl-netmask-convert auto-detect http server enable http 10. 0. 224. 0 255. 255. 255. 0 outside http 10. 0. 192. 0 255. 255. 255. 0 outside http 192. 168. 1. 0 255. 255. 255. 0 inside http authentication-certificate outside http redirect outside 80 no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set my-set esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map dynmap 10 set transform-set my-set crypto dynamic-map dynmap 10 set reverse-route crypto dynamic-map dynmap 30 set pfs group1 11 Configuring Cisco ASA to integrate with Sophos NAC Advanced crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA crypto dynamic-map dynmap 50 set pfs group1 crypto dynamic-map dynmap 50 set transform-set ESP-3DES-SHA crypto map mymap 10 ipsec-isakmp dynamic dynmap crypto map mymap interface outside crypto ca trustpoint local enrollment self subject-name CN=Default Certificate crl configure crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption des hash md5 group 2 lifetime 1000 crypto isakmp policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 management-access outside dhcpd auto_config outside !dhcpd address 192. 168. 1. 2-192. 168. 1. 33 inside dhcpd enable inside ! [. . . ]