Configure (SES) Security Expressions Server to run in a NAC environment
My customers often ask me how to configure SES so that it can run in a NAC environment. I use Cisco, so this article will be Cisco-biased, but you can follow my instructions the same way with your hardware and it should be fine. So basically, SES acts as the external posture validation server in the Cisco NAC environment.
Also, all paths I use are for default installations, so make sure to check that if you installed differently.
Below is a basic configuration example for the components involved with Cisco NAC. These components are the Cisco Network access Device, Cisco ACS Server and the SES. Again, as I said, this example uses a Cisco router. Cisco switches may also be deployed as the network access device.
- Basic Network Access Device Configuration: (Router)
aaa authentication eou default group radius
ip admission name NSITE_EAPOUDP_po eapoudp inactivity-time 60
eou allow clientless
ip address 10.166.10.24 255.255.255.0
ip access-group 102 in
ip admission NSITE_EAPOUDP_po
ip http(s) server
ip http(s) secure-server
access-list 102 permit ip any 10.188.10.0 0.0.0.255
access-list 102 deny ip any any
radius-server attribute 8 include-in-access-req
radius-server host 10.199.10.240 auth-port 1812 acct-port 1813
radius-server timeout 1
radius-server key nsitertp
radius-server vsa send authentication
In the above example:
FastEthernet0/0 is the interface through which a device tries to get into the network and triggers NAC.
10.199.10.240 is the ACS IP address
"nsitertp" is the shared key that is configured on both the ACS and the Router.
Access-List 102 is the Interface ACL that is the baseline policy until NAC posture validation is done. It is good if this ACL allows access to the remediation server and the Audit Server.
NSITE_EAPOUDP_po is the policy name which is applied on the interface
Issues with this then you should check your Cisco documentation, not SES.
- Basic Configuration for Cisco ACS
Cisco’s ACS should come with the Altiris Vendor information built in. The Altiris Vendor ID is 12999.
If you do not have a PKI infrastructure, you will have to change the Security Expressions server. By default the Security Expressions Server requires SSL communication with the ACS server.
How to Disable HTTPS on Security Expressions Server: Edit your Web.Config file on the Audit & Compliance Server and add the following lines:
<add key="SSLRequiredForNac" value="False" />
<add key="NoEnforceSecureConn" value="True" />
ACS is very flexible and complex. See the “CS ACS 4.0 Configuration Guide” for help and refer to the following information where appropriate.
Navigate to Interface Configuration > Advanced Options.
· Enable the checkbox next to group level Downloadable ACL.
Navigate to Network configuration.
· Add the router address to AAA clients, set the key to clientless, and set authentication to (Radius Cisco IOS/PIX 6.0).
· Verify that the AAA server is set to the ACS server IP.
Navigate to Shared Profile Components > Network Access Filtering
· Create a new access filter and assign the Cisco Router to the filter.
· Save the Network Access Filter.
Navigate to Shared Profile Components > Radius Authorization Components.
· Add a new authorization component of type cisco av-pair attribute.
· Set the attribute equal to
For Cisco Routers:
url-redirect=http(s)://<fully qualified host name>/seserver/NAC/NacStatus.aspx?
For CAT OS Switches:
url-redirect=http(s)://<fully qualified hostname>/seserver/NAC/NacStatus.aspx?
Navigate to Shared Profile Components > Downloadable IP ACLs.
· Create a downloadable ACL for both quarantine, unknown and healthy, name them anything you want but I recommend naming them healthy, unknown and quarantine.
Navigate to Posture Validation > External Posture Validation Audit Setup
· The Audit Server should have the following properties:
Name: <Server hostname>
Description: <your choice>
Audit Server Vendor: Altiris
Primary Server Config:
URL: http(s)://<Server hostname>/seserver/NAC/Audit.aspx
Username: <anything, not used>
Password: <anything, not used>
Timeout (sec): 5
Trusted Root CA: <appropriate CA for IIS certificate installed on the Server>
<Configure as appropriate for your environment>
Navigate to Network Access Profiles.
· Add a network Access Profile.
Set to Active
Allow any Protocol type
Leave everything else as the default
· Now click on posture validation next to your new access profile.
Under Determine Posture Validation for NRH:, select audit and choose you audit server.
· Now click on authorization next to your new access profile.
Set the authorization section as follows.
1. Add ACS to the list of valid Connection Monitors:
The Server treats ACS as a Connection Monitor that’s reporting device connections to the network. Put the IP address or hostname of ACS in the valid list of Connection Monitors on the Audit-On-Connect/Connection Monitors page.
Note: The Password Setting has nothing to do with the NAC environment. This setting is only used by the Altiris Audit on Connect connection Monitors.
2. The Server divides devices into two main categories: managed and unmanaged. A managed system is simply one that the Server is able to access because it has the necessary credentials to audit the device. An unmanaged system is everything else.
The Server maps the Altiris system posture to a Cisco posture token based on the settings made on the Audit-On-Connect/Network page. ACS will choose an enforcement policy based on the token returned. Even if the Server sends a posture token of Quarantine, ACS ultimately decides whether the device is actually quarantined or allowed on the network unrestricted. Therefore, both ACS and the Server must be configured jointly.
With Server version 3.3, NAC settings are visible only after adding the following line to Web.Config:
<add key="ShowNAC" value="True" />
The following table lists the settings available on the Audit-On-Connect/Network page after changing Web.Config:
Unmanaged Systems: Initial Token
The Server will send the Quarantine posture token to ACS. If you are enabling quarantine enforcement, the unmanaged device will be quarantined until it complies with your defined system policies. Once in quarantine, the user must pass a self-service audit to gain unrestricted network access.
Quarantine if Device Type is Windows:
If the Server can determine the Device Type and it is a Windows device, then SE will return Quarantine. If this system is not Windows SE will return Healthy. This choice is generally not recommended. The idea is to quarantine only those devices that are capable of performing a self-service audit.
Allow all unmanaged devices unrestricted network access.
The Server will send the Unknown posture token to ACS.
Unmanaged Systems: Token after self-audit
Selecting this option keeps the unmanaged system in Quarantine if the user fails the self-service audit. This is the default behavior. Unrestricted access may only be gained after passing a self-service audit.
The unmanaged system is deemed healthy even after failing a self-service audit.
Unmanaged Systems: Cache validity duration
Quarantine: If the managed system fails an audit and is not compliant with policy, return the Quarantine token to ACS.
Healthy: Return Healthy to ACS even if the managed system fails the audit. Use this option to allow corporate computers (managed systems) unrestricted.
<Duration>: Once an unmanaged device is deemed Healthy and has unrestricted access, this option controls how long that unrestricted access is valid before the unmanaged device must pass another self-service audit. When the validity period expires, the device will be placed back into quarantine.
Both Managed and Unmanaged: Network access device (NAD) polling
Healthy <duration 1 hour to 24 hours>/smallest cache time: Once a device is deemed Healthy, the NAD will periodically poll ACS for updated NAC policies. If a system is managed, the system will be re-audited. If a system is unmanaged it will be placed back into quarantine if the Cache validity duration setting has expired otherwise it remains Healthy.
Quarantined/Unknown: Once a device is deemed to be in quarantine, ACS will poll the SE Server repeatedly until the computer becomes healthy. This can be set between 30 seconds and 10 minutes.
Re-Audit if Quarantined: By default, when a managed system is re-audited, the policy cache is used to avoid re-auditing if not necessary. If re-audit if quarantined is enabled, the policy cache settings will be ignored completely
Both Managed and Unmanaged: Redirection Web page behavior
Display a message that the user must contact an administrator for access and leave in quarantine:
When a system is quarantined and URL redirection has been configured in ACS the landing page on the Server will display a simple message informing the user that they are in quarantine.
This message is kept in the NAC/NotHealthy.aspx Web page. To change the message, customize this page.
Display the results of the failed audit and a message stating that an administrator has been notified, then grant access to the network and remove from quarantine:
When a managed system is quarantined and URL redirection has been configured in ACS, the landing page on the Server will display the results of the audit performed then automatically grant access to the network (by sending a Healthy token to ACS) with no further action by the user.
Modify the page NAC/PermitAccess.aspx to customize to your own needs.
When an unmanaged system is quarantined, the landing page will walk the user through a self-audit.
Modify the page NAC/UnmanagedSelfAudit.aspx to customize to your own needs.
Provide help with remediation. Display the following URL containing instructions for self-remediation. Allow the user to perform self-service audits to verify:
When a system is quarantined and URL redirection has been configured in ACS, the landing page on the Server will display a URL of your choice and instruct the user to follow the remediation instructions found there. Then, the Server will walk the user through a self-service audit. If the audit is passed, then network access is granted, otherwise the user remains at the landing page.
Modify the page NAC/SelfRemediate.aspx to customize to your own needs.
If you are having problems, enable debug logging of ACS and Server communications by adding the following line to SE Server Web.Config:
<add key="NacDebugLog" value="c:\Nac.log" />
Make sure the ASPNET user has FULL permissions on the Nac.log file and the Web.Config file. You will have to create an empty file initially to be able to set the necessary permissions on it.
To debug auditing and activity by the Server service:
1. Stop the service “Altiris SecurityExpressions Audit & Compliance Server” from the Services control panel application.
2. Open a command prompt and set the current directory to the SecurityExpressions installation directory. E.g. “cd ‘C:\Program Files\Altiris\Security Management\SecurityExpressions”
3. Run the service executable in debug mode. “seserverbackend.exe –debug”.