CANAC v2.1 - Implementing Cisco NAC Appliance CANAC v2.1

The Cisco NAC Appliance is an easily deployed software NAC solution that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access your network. The Implementing Cisco NAC Appliance (CANAC) v2.1 course provides learners with the skills and knowledge needed to implement the Cisco NAC Appliance solution.

After completing this course the student should be able to:

• Given client network security requirements, explain how a Cisco NAC Appliance deployment scenario will meet or exceed network security requirements
• Configure the common elements of a Cisco NAC Appliance solution
• Configure the Cisco NAC Appliance in-band and out-of-band implementation options
• Implement a highly available Cisco NAC Appliance solution to mitigate network threats and facilitate network access for those users that meet corporate security requirements
• Maintain a highly available Cisco NAC Appliance deployment in medium and enterprise network environments

• Employee
• Channel Partner / Reseller
• Customer

Module 1: Cisco NAC Endpoint Security Solutions

• Lesson 1: Introducing Cisco Self-Defending Networks
  • Describe the key factors that are causing changes to network security
  • Describe the role of each of the three components of the Cisco host-protection strategy
  • Describe the Cisco SDN strategy
  • Describe Cisco NAC products
• Lesson 2: Introducing Cisco NAC Appliance
  • Summarize how the Cisco NAC Appliance solution controls and secures networks
  • Describe the components of a Cisco NAC Appliance solution
  • Describe the supported platforms for a Cisco NAC Appliance solution
  • Explain how Cisco NAC Appliance enforces compliance for remote and local users
  • Summarize how to configure a Cisco NAC Appliance solution
  • Navigate through the Cisco NAC Appliance web-based GUI
• Lesson 3: Introducing In-Band and Out-of-Band Deployment Options
  • Describe the Cisco NAS deployment options
  • Describe the in-band and out-of-band deployment options
  • Describe the key features of a Cisco NAC Appliance out-of-band deployment
  • Describe the key features of a Cisco NAC Appliance in-band deployment
  • Describe the Cisco NAS operating modes for an in-band and out-of-band deployment

Module 2: Cisco NAC Appliance Common Elements Configuration

• Lesson 1: Configuring User Roles
  • Describe user roles in Cisco NAC Appliance
  • Describe how to manage user roles
  • Explain traffic control policies for user roles
  • Describe how to configure traffic control policies for a user role
  • Describe how to create a local user account
  • Describe how to configure user session timeouts for user roles
  • Describe how to configure guest access for visitors or temporary users in a Cisco NAC Appliance network
• Lesson 2: Configuring External Authentication
  • Describe how to configure the Cisco NAM to use external authentication providers
  • Describe how to map users to user roles when configuring external authentication
  • Describe how to test user authentication for configured external authentication providers
  • Describe how to configure RADIUS accounting for users in a Cisco NAC Appliance network
• Lesson 3: Configuring DHCP on the Cisco NAS
  • Describe Cisco NAS modes of operation for a DHCP-enabled network
  • Describe how to enable the Cisco NAS DHCP module
  • Describe how to configure the Cisco NAS to provide DHCP services
  • Describe how to manage generated subnets on the Cisco NAS
  • Describe how to configure the Cisco NAS to provide reserved IP addresses
  • Describe how to configure user-specified DHCP options on the Cisco NAS

Module 3: Cisco NAC Appliance Implementation

• Lesson 1: Implementing Cisco NAC Appliance In-Band Deployment
  • Describe the Cisco NAC Appliance in-band process flow
  • Describe central and edge in-band deployment configurations for Cisco NAC Appliance
  • Describe how to configure the Cisco NAS for in-band deployment
  • Describe how to add the Cisco NAS to the Cisco NAM managed domain for in-band deployment
  • Describe how to use the Cisco NAM to configure the trusted and untrusted interfaces of the Cisco NAS
  • Describe how to add managed subnets on the Cisco NAS
  • Describe how to configure Cisco NAS VLAN settings
• Lesson 2: Implementing the Microsoft Windows SSO Feature on the Cisco NAC Appliance
  • Describe how Cisco NAC Appliance uses Windows SSO to ensure increased security
  • Summarize the process used by Microsoft Windows to exchange Kerberos tickets with the Cisco NAS
  • Describe how a Cisco NAS communicates with a Microsoft Windows Active Directory server
  • Describe the steps that are used to configure Active Directory SSO for the Cisco NAM, Cisco NAS, and Microsoft Windows Active Directory Server
• Lesson 3: Implementing the Cisco VPN SSO Feature on the Cisco NAC Appliance
  • Describe the Cisco NAC Appliance VPN SSO support for Cisco VPN concentrators and Cisco Adaptive Security Appliances (ASAs)
  • Explain how the SSO improves the use of VPN services with the Cisco NAC Appliance solution
  • Describe how to configure the Cisco NAC Appliance for Cisco VPN SSO device integration
• Lesson 4: Implementing Cisco NAC Appliance Out-of-Band Deployment
  • Describe the Cisco NAC Appliance out-of-band process flow
  • Describe the considerations for implementing the Cisco NAC Appliance out-of-band for central- and edge-deployment scenarios
  • Describe how to add an out-of-band Cisco NAS to the Cisco NAM
  • Describe how to implement the Cisco NAC Appliance out-of-band deployment for the different Cisco NAS operating modes
• Lesson 5: Managing Switches
  • Describe how to implement switch management for Cisco NAC Appliance out-of-band deployment
  • Describe how to set up switches so that they can be used with Cisco NAC Appliance out-of-band deployment
  • Describe how to configure group profiles on the Cisco NAM for out-of-band deployment
  • Describe how to configure switch profiles on the Cisco NAM for out-of-band deployment
  • Describe how to configure port profiles on the Cisco NAM for out-of-band deployment
  • Describe how to configure the SNMP receiver on the Cisco NAM for out-of-band deployment
  • Describe how to add switches to the Cisco NAM managed domain for out-of-band deployment
  • Describe how to configure switch ports to use the Cisco NAM port profiles for out-of-band deployment
  • Describe how to manage the switch configuration settings for out-of-band deployment

Module 4: Cisco NAC Appliance Implementation Options

• Lesson 1: Implementing Cisco NAC Appliance on a Network
  • Describe how to implement Cisco NAC Appliance to protect a network
  • Describe how to use the Device Management menu options to configure the general setup options
  • Explain how user pages are configured in Cisco NAC Appliance
  • Describe how to use the Cisco NAM to manage certified devices in the network
• Lesson 2: Implementing Network Scanning
  • Describe the steps that are needed to configure the Cisco NAC Appliance network scanner to use Nessus plug-ins
  • Describe how to configure the quarantine role
  • Describe how to implement Nessus plug-ins into the Cisco NAM repository
  • Describe how to test a network scanning configuration
  • Describe how to customize the User Agreement page
  • Describe how to view scan reports
• Lesson 3: Configuring the Cisco NAM to Implement the Cisco NAA on User Devices
  • Describe the steps that are used to configure the Cisco NAM to implement the Cisco NAA on client machines
  • Describe how to retrieve updates from the Cisco NAC Appliance update server
  • Describe how to ensure that the Cisco NAA is installed on user devices
  • Describe how to configure the Cisco NAA temporary role on the Cisco NAM
  • Explain Cisco NAA system requirements
  • Describe how to create a check
  • Describe how to create an antivirus rule and a normal rule
  • Describe how to create an antivirus requirement and a custom requirement
  • Describe how to map requirements to rules and roles
• Lesson 4: Configuring Cisco NAM High Availability
  • Describe how to configure high availability between two Cisco NAMs
  • Describe how to establish a serial connection between two Cisco NAMs
  • Describe how to configure a primary Cisco NAM for high availability
  • Describe how to configure a secondary Cisco NAM for high availability
• Lesson 5: Configuring Cisco NAS High Availability
  • Describe how to configure high availability between two Cisco NASs
  • Describe how to configure the primary Cisco NAS for high availability
  • Describe how to configure the secondary Cisco NAS for high availability
  • Describe how to test the Cisco NAS high-availability configuration
  • Describe how to configure DHCP failover

Module 5: Cisco NAC Appliance Monitoring and Administration

• Lesson 1: Monitoring a Cisco NAC Appliance Deployment
  • Describe how to monitor Cisco NAC Appliance activities
  • Describe how to use the Online Users page to monitor online users
• Lesson 2: Administering the Cisco NAM
  • Describe the components of the Cisco NAM administration module
  • Describe how to manage administrator groups
  • Describe how to manage users with administrator privileges
  • Describe how to manage user passwords
  • Describe how to administer the Cisco NAM system time settings
  • Describe how to configure SSL certificate management using the administrator console of the Cisco NAM
  • Describe how to manage Cisco NAC Appliance software upgrades and licenses

• Lab 1-1: Preparing the Cisco NAM to Support Web-Based Administration Console Configuration
• Lab 2-1: Configuring User Roles
• Lab 3-1: Adding an In-Band Virtual Gateway Cisco NAS to the Cisco NAM
• Lab 3-2: Configuring the Microsoft Windows Active Directory SSO Feature on the Cisco NAC Appliance
• Lab 3-3: Configuring the Cisco VPN SSO Feature on the Cisco NAC Appliance
• Lab 4-1: Configuring Cisco NAA
• Lab 4-2: Configuring a High Availability In-Band VPN Cisco NAC Appliance Solution
• Lab 3-4: Adding an Out-of-Band Virtual Gateway Cisco NAS to an HA Cisco NAC Appliance Deployment
• Lab 3-5: Configuring SNMP, Switch, and Port Profiles for an Out-of-Band Cisco NAC Appliance Deployment

• Certification as a CCSP or the equivalent knowledge.
• Basic knowledge of the Microsoft Windows operating system.
• Familiarity with networking and security terminology and concepts.
• Fundamental knowledge of implementing network security or CCSP or Cisco Security CSQ.
• BCMSN or working knowledge of VLANs.
• SNRS or working knowledge of digital certificates.
• BCSI or working knowledge of HSRP.