Configuring NACs

Configure a Palo Alto Networks Layer 3 Firewall DAG NAC or a Cisco Identity Services Engine (ISE) pxGrid NAC. After a NAC is configured, you can begin to quarantine endpoints.

To create or edit NAC configurations, you must have the Network Quarantine Administrator role. See User role requirements.

Palo Alto Networks Layer 3 Firewall DAG NAC

If you use Palo Alto Networks Dynamic Address Groups (DAG), Network Quarantine can send a request to the Palo Alto firewall to block network access for an IP address.

Before you begin

Before you configure the Palo Alto DAG NAC in Network Quarantine, you must have:

  • The host name, user name, and password for the firewall.
  • The tags, configured on the firewall, that you want to apply to quarantined endpoints.
  • The necessary certificates configured. You must have the server certificate for the firewall so that you can add it to the Network Quarantine configuration. See PAN documentation: Certificate Management.

Configure Palo Alto Networks Firewall API access

Create an Administrator user with API access in the PAN firewall. Specify this user when you configure NAC settings in Network Quarantine.

  1. Log in to the PAN Firewall as an Administrator.
  2. Create an Admin role with no WebUI permissions. For XML API permissions, select only Operational Requests and UserID-Agent.
  3. Add a new Administrator user and password. Set the profile of the new user to the admin role that you created.
  4. Click Commit to save the changes.
  5. Get an API key for the user. See PAN documentation: Get Your API Key.
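The reason the API role above needs only the UserID-Agent permission is that DAG membership is driven by IP-to-tag registrations sent through the PAN-OS User-ID XML API (type=user-id): a quarantine request tags the endpoint's IP address, and the firewall policy bound to the Dynamic Address Group takes effect. The following script is an added example, written for this page and not Network Quarantine's own code, that builds the documented register/unregister payload, parses the firewall's XML response, and sends the request over TLS while trusting only the firewall certificate you downloaded. The host name, API key and the tag name quarantine are placeholders and the sample responses are constructed.

```python
"""Added example: tag an IP address on a PAN-OS firewall via the User-ID
XML API, the mechanism behind Dynamic Address Group (DAG) membership.
Not Network Quarantine's code; host, key and tag names are placeholders."""
import ipaddress
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def build_uid_message(action, ip, tags):
    """Return the <uid-message> payload that adds ("register") or removes
    ("unregister") tags on an IP address.

    The element layout is the one PAN-OS documents for type=user-id calls;
    the ip is validated so no escaping is needed in the attribute, and tag
    names are XML-escaped so a tag never breaks the document.
    """
    if action not in ("register", "unregister"):
        raise ValueError("action must be 'register' or 'unregister'")
    if not tags:
        raise ValueError("at least one tag is required")
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on garbage
    members = "".join(f"<member>{escape(t)}</member>" for t in tags)
    return (
        "<uid-message><version>1.0</version><type>update</type><payload>"
        f'<{action}><entry ip="{ip}"><tag>{members}</tag></entry></{action}>'
        "</payload></uid-message>"
    )


def parse_response(xml_text):
    """Return (status, message) from a PAN-OS API response.

    Success responses carry status="success" and no message; error
    responses carry status="error" and a <msg> element (sometimes wrapped
    in <result> or split into <line> children), which is flattened here.
    """
    root = ET.fromstring(xml_text)
    status = root.get("status", "unknown")
    msg = next(root.iter("msg"), None)
    text = "".join(msg.itertext()).strip() if msg is not None else ""
    return status, text


def send_uid_message(host, api_key, uid_xml, cafile, check_hostname=True,
                     timeout=10):
    """POST the payload to https://<host>/api/ over TLS.

    create_default_context(cafile=...) trusts ONLY the certificate in
    cafile (the firewall's own server certificate), not the system store.
    Set check_hostname=False only when the certificate's name does not
    match the host you connect to, as with some self-signed certificates.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = check_hostname
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=data,
                                 method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_response(resp.read().decode())


# Constructed sample responses in the shape PAN-OS returns.
SAMPLE_OK = ('<response status="success"><result><uid-response>'
             '<version>2.0</version><payload><register></register>'
             '</payload></uid-response></result></response>')
SAMPLE_ERR = ('<response status="error" code="403"><result>'
              '<msg>Invalid credentials.</msg></result></response>')

if __name__ == "__main__":
    payload = build_uid_message("register", "10.0.0.5", ["quarantine"])
    print(payload)
    print(parse_response(SAMPLE_OK))   # ('success', '')
    print(parse_response(SAMPLE_ERR))  # ('error', 'Invalid credentials.')
    # Live call (placeholders): send_uid_message("fw.example.invalid",
    #     "<API-KEY>", payload, cafile="firewall.pem")
```

Releasing an endpoint is the same call with action "unregister"; if the firewall answers with an error status, the message text usually states whether the failure is the API key, the role's permissions, or the tag.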

Configure certificates

  1. Download the firewall certificate.
  2. From the Network Quarantine menu, click Configuration > Certificates > Create Certificate.
  3. Create a name for the certificate. For Certificate Type, select Server Certificate / Certificate Chain. Upload the certificate. Click Save.

Configure Palo Alto DAG tagger

  1. From the Network Quarantine menu, click Configuration > NACs. Click Create NAC.
  2. For the NAC Type, select Palo Alto DAG Tagger. Enter a display name for the NAC and choose whether to enable and restart the NAC when the Network Quarantine service restarts.
  3. Edit the Palo Alto DAG NAC settings. Use the PAN API user name and password that you configured, and the certificate that you uploaded to Network Quarantine. Specify the list of tags that you want to send to the NAC. Click Save.
  4. Start the NAC. Select the NAC from the list and click Start.

To edit NAC settings, you must stop the NAC first.

Cisco Identity Services Engine (ISE) pxGrid NAC

To configure a Cisco ISE pxGrid NAC, you can use either self-signed or server-signed certificates. After you configure the NAC, you can quarantine specific MAC addresses with the Adaptive Network Control (ANC) policies that are configured in ISE.

You can log in to ISE with the user interface, or with SSH.

Create server and client self-signed certificates

ISE can work with self-signed certificates for both server authentication and client authentication.

  1. Get the self-signed server certificate from ISE. In the ISE UI, go to Administration > Certificates > System Certificates and, if you do not already have the certificate, export the public certificate from the UI.
  2. Generate a self-signed certificate for the client.
    1. See Cisco Communities: Deploying Certificates with pxGrid.
    2. In the ISE UI, go to Administration > Certificates > System Certificates and upload the certificate into the Trusted Certificates section.
  3. If you changed pxGrid certificates, restart the ISE server. See Cisco ISE Client Commands: Start/stop commands.
  4. Make sure that you have the server certificate, client certificate, and client key to create the certificate configuration in Network Quarantine.

Generate a signed certificate

Generate a pxGrid certificate to provide as the certificate authority (CA) when you configure the NAC in Network Quarantine.

  1. In the pxGrid UI, go to Administration > pxGrid Services > Certificates. Generate a single certificate (without a certificate signing request). For the Common Name (CN), use any identifying value, such as an IP address. Choose the PEM download format. Enter a password for the certificate.
  2. Click Create to download a ZIP file that contains the server certificate. Extract this ZIP file to get the server certificate that you need to configure in Network Quarantine.

Configure certificates in Network Quarantine

Create the server and client certificates in Network Quarantine.

  1. From the Network Quarantine menu, click Configuration > Certificates.
  2. Create the client certificate. Click Create Certificate. Create a name for the certificate. For Certificate Type, select Client Certificate. Upload the client certificate and key. Click Save.
  3. Create the server certificate. Click Create Certificate. Create a name for the certificate. For Certificate Type, select Server Certificate / Certificate Chain. Upload the pxGrid certificate that you created in the pxGrid web admin UI. Click Save.

Configure pxGrid NAC

  1. From the Network Quarantine menu, click Configuration > NACs. Click Create NAC.
  2. For the NAC Type, select Cisco ISE pxGrid NAC. Enter a display name for the NAC and choose whether to enable and restart the NAC when the Network Quarantine service restarts.
  3. Edit the Cisco ISE pxGrid NAC settings. Select the client certificate that you configured. For the Certificate Authority, choose the server certificate that you configured. If you are using a self-signed certificate, deselect Check Server Identity.
  4. Start the NAC. Select the NAC from the list and click Start.

To edit NAC settings, you must stop the NAC first.

What to do next

After a NAC is configured in Network Quarantine, you can begin to quarantine endpoints. See Quarantining endpoints.

Last updated: 8/14/2018 12:43 PM