LINICKX.com

Cisco NAC (Clean Access) CLI Commands.

nick — Fri, 28 Aug 2009 13:58:00 +0100

I can never find these when I want them...

also, from the release notes show version...

cat /perfigo/build

.. there are some other useful scripts in /perfigo/common/bin such as

/perfigo/common/bin/fostate.sh

... is used for checking failover state, if you can think of any more please post them in the comments ;)

Multiple SYSLOG Receivers with a Cisco NAC Appliance Manager (CAM)

nick — Wed, 10 Dec 2008 07:30:00 +0000

According to Cisco's documentation on configuring syslog on a CAM, you can only forward the NAC logs to a single external log server. If you're willing to get down and dirty with the Linux operating system underneath, then this document will show you that this is simply not the case.

To get started, tweak the default logging settings within the NAC web interface, this screen-shot shows I'm sending the syslog to the local host as local6 messages, this change will send a copy of the "normal" NAC event logs to the localhost syslog server.

Next we need to enable the localhost syslog server; the CAM is build upon a Fedora image, so the SYSLOG daemon is already running it's just not listening on UDP 514 (thus not yet receiving the logs configured above). Change /etc/sysconfig/syslog , the line:
SYSLOGD_OPTIONS="-m 0"
to
SYSLOGD_OPTIONS="-m 0 -r"

Now that the local daemon is recieving the files we need to change /etc/syslog.conf, here we will make two changes, One: we will write a copy of the NAC events to disk - this will allow us to see what events the "NAC application" is sending. The second change we'll make is the forwarding configuration, we will put in two lines (for both our syslog hosts) so that we send forward the syslogs to two different servers - which was our original intention :)
Add the following lines to /etc/syslog.conf :

# Log Messages sent from Cisco NAC Application to dedicated File
Local6.*    /var/log/CiscoNAC.log

# Forward all syslog messages to host1
*.*     @loghost1
# Forward all syslog messages to host2
*.*     @loghost2

*NOTE: loghost1 & loghost2 need to be resolvable via DNS or in /etc/hosts !!

Finally restart the syslog daemon /etc/init.d/syslog restart

Housekeeping
It's good practice once we've made changes to clear up after ourselves, these are some option steps you can take.

Add /var/log/CiscoNAC.log to logrotate, so that it doesn't just grow and grow until you run out of disk space. This is done by editing /etc/logrotate.d/syslog before /var/log/messages insert /var/log/CiscoNAC.log

You may also want to compress your syslogs, edit /etc/logrotate.conf and uncomment the word compress (remove the "#") .

Important Note
When performing NAC upgrades, Cisco provide operating system package upgrades & changes, it's important to check that after an upgrade this config changes still exist, also I take no responsibility for Cisco's TAC not wanting to support you because of the changes made!

Cisco NAC SSO Port List

nick — Wed, 02 Jul 2008 08:59:00 +0100

Note to self, the ports I need to allow thru the Un-Authenticated ACL for Active Directory SSO to work...

TCP 88,135,389,636,445,1025,1026               
UDP 88,389,636

News - Fooling Cisco's NAC network access control

nick — Wed, 04 Apr 2007 12:09:00 +0100

Just Found this,

heise Security - News - Fooling Cisco's NAC network access control

Security experts at the Black Hat conference in Amsterdam have demonstrated how Cisco's NAC network access control can be fooled. In a live demonstration using a modified Trust Agent, Michael Thumann and Dror-John Röcher from ERNW were able to gain full access to an NAC protected network using a computer which did not comply with network policies.

Although it was obvious that hackers would target the the Trust Agent, it's interesting to read a sucess story.