Network Access Control

If you have a Network Access Control (NAC) appliance, such as a Cisco ISE, in your network, you can enable filters in Endpoint Management that set devices as compliant or not compliant for NAC, based on rules or properties. If a managed device in Endpoint Management does not meet the specified criteria, Endpoint Management marks the device as Not Compliant. The NAC appliance then blocks non-compliant devices on your network.

For iOS devices, you can deploy the VPN policy and enable a NAC filter to block a VPN connection for devices that have non-compliant apps installed. For details, see iOS NAC configuration, in this article.

In the Endpoint Management console, you select one or more criteria in the list to set a device as not compliant.

Endpoint Management supports the following NAC compliance filters:

Anonymous Devices: Checks if a device is in anonymous mode. This check is available if Endpoint Management can’t reauthenticate the user when a device attempts to reconnect.

Failed Samsung KNOX attestation: Checks if a device failed a query of the Samsung KNOX attestation server.

Forbidden Apps: Checks if a device has forbidden apps, as defined in an App Access policy. For more information about the App access policy, see App access device policies.

Inactive Devices: Checks if a device is inactive as defined by the Device Inactivity Days Threshold setting in Server Properties. For details, see Server properties.

Missing Required Apps: Checks if a device is missing required apps, as defined in an App Access policy.

Non-suggested Apps: Checks if a device has non-suggested apps, as defined in an App Access policy.

Noncompliant Password: Checks whether the device passcode is compliant. On iOS and Android devices, Endpoint Management can determine whether the passcode currently on the device is compliant with the passcode policy sent to the device. For instance, on iOS, when Endpoint Management sends a passcode policy to the device, the user has 60 minutes to set a passcode. Until the user sets it, the passcode might be non-compliant.

Out of Compliance Devices: Checks whether a device is out of compliance, based on the Out of Compliance device property. Automated actions or a third party using Endpoint Management APIs typically change that property.

Revoked Status: Checks whether the device certificate was revoked. A revoked device cannot re-enroll until it is authorized again.

Rooted Android and Jailbroken iOS Devices: Checks whether an Android device is rooted or an iOS device is jailbroken.

Unmanaged Devices: Checks whether a device is still in a managed state, under Endpoint Management control. For example, a device running in MAM mode or an unenrolled device is not managed.

Note:

The Implicit Compliant/Not Compliant filter sets the default value only on devices that Endpoint Management manages. For example, the NAC appliance marks as Not Compliant any device that has a forbidden (blacklisted) app installed or that is not enrolled. Your network blocks those devices.

iOS NAC configuration

Through policy settings in NetScaler, Endpoint Management supports Network Access Control (NAC) as an endpoint security feature for iOS devices. You can enable a NAC filter to block a VPN connection for devices that have non-compliant apps installed. When the VPN connection is blocked, the user cannot access any apps or websites through VPN.

For example, in the App Access Policy, you identify a particular app as Forbidden, or blacklisted. A user installs that app. When the user opens Citrix SSO and tries to connect to the VPN, the connection is blocked. The following error appears: Error while processing request. Contact your administrator.

The configuration requires that you update NetScaler policies to support NAC. In the Endpoint Management console, you enable NAC filters and deploy the VPN device policy. For this feature to work on devices, users install the Citrix SSO VPN client from the Apple App Store.

The NAC filters supported are:

  • Anonymous Devices
  • Forbidden Apps
  • Inactive Devices
  • Missing Required Apps
  • Non-Suggested Apps
  • Noncompliant Password
  • Out of Compliance Devices
  • Revoked Status
  • Rooted Android and Jailbroken iOS Devices
  • Unmanaged Devices

Prerequisites

  • NetScaler 12
  • Citrix SSO 1.0.1 installed on devices

To update the NetScaler policies to support NAC

The authentication and VPN session policies you configure must be advanced policies. Run the following commands from a NetScaler console session against your VPN virtual server. The IP addresses in the commands and examples are fictitious.

These steps update a NetScaler that's integrated with an Endpoint Management environment. You can also use these steps for a NetScaler Gateway that's set up for VPN, is not part of the Endpoint Management environment, but can reach Endpoint Management.

  1. Remove and unbind all classic policies if you are using classic policies on your VPN virtual server. To check, type:

    show vpn vserver <VPN_VServer>

    Remove any result that contains the word Classic. For example: VPN Session Policy Name: PL_OS_10.10.1.1 Type: Classic Priority: 0

    To remove the policy, type:

    unbind vpn vserver <VPN_VServer> -policy <policy_name>

  2. Create the corresponding advanced session policy by typing the following.

    add vpn sessionPolicy <policy_name> <rule> <session action>

    For example: add vpn sessionPolicy vpn_nac true AC_OS_10.10.1.1_A_

  3. Bind the policy to your VPN virtual server by typing the following.

    bind vpn vserver <VPN_VServer> -policy vpn_nac -priority 100

    Here <VPN_VServer> is the VPN virtual server you checked in step 1.

  4. Create an authentication virtual server by typing the following.

    add authentication vserver <authentication vserver name> <service type> <ip address>

    For example:

    add authentication vserver authvs SSL 0.0.0.0

    In the example, 0.0.0.0 means that the authentication virtual server is not public facing.

  5. Bind an SSL certificate with the virtual server by typing the following.

    bind ssl vserver <authentication vserver name> -certkeyName <Webserver certificate>

    For example:

    bind ssl vserver authvs -certkeyName Star_mpg_citrix.pfx_CERT_KEY

  6. Associate an authentication profile to the authentication virtual server from the VPN virtual server. First, create the authentication profile by typing the following.

    add authentication authnProfile <profile name> -authnVsName <authentication vserver name>

    For example:

    add authentication authnProfile xm_nac_prof -authnVsName authvs

  7. Associate the authentication profile with the VPN virtual server by typing the following.

    set vpn vserver <vpn vserver name> -authnProfile <authn profile name>

    For example, with the profile xm_nac_prof created in the preceding step (substitute your VPN virtual server name for <VPN_VServer>):

    set vpn vserver <VPN_VServer> -authnProfile xm_nac_prof

  8. Check the connection from NetScaler to Endpoint Management by querying the device check API, which is the same request the web authentication action sends in step 10. Type the following. The -k option skips certificate verification; use it only for this connectivity test.

    curl -v -k https://<Endpoint Management server>:4443/Citrix/Device/v1/Check --header "X-Citrix-VPN-Device-ID: deviceid_<device_id>"

    For example, this query verifies connectivity by obtaining the compliance status for the first device (deviceid_1) enrolled in the environment:

    curl -v -k https://10.10.1.1:4443/Citrix/Device/v1/Check --header "X-Citrix-VPN-Device-ID: deviceid_1"

    You should see response headers similar to the following (the device state shown depends on the device you queried):

    < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < X-Citrix-Device-State: Non Compliant
    < Set-Cookie: ACNODEID=181311111;Path=/; HttpOnly; Secure
    
  9. When the preceding step is successful, create the web authentication action to Endpoint Management. First, create a policy expression to extract the device ID from the iOS VPN plug-in. Type the following.

    add policy expression xm_deviceid_expression "HTTP.REQ.BODY(10000).TYPECAST_NVLIST_T(\'=\',\'&\').VALUE(\"deviceidvalue\")"

  10. Create the web authentication action that sends the request to Endpoint Management by typing the following. In this example, the Endpoint Management IP is 10.207.87.82.

    add authentication webAuthAction xm_nac -serverIP 10.207.87.82 -serverPort 4443 -fullReqExpr q{"GET /Citrix/Device/v1/Check HTTP/1.1\r\n" + "Host: 10.207.87.82:4443\r\n" + "X-Citrix-VPN-Device-ID: " + xm_deviceid_expression + "\r\n\r\n"} -scheme https -successRule "HTTP.RES.STATUS.EQ(\"200\") && HTTP.RES.HEADER(\"X-Citrix-Device-State\").EQ(\"Compliant\")"

    The successful output for the Endpoint Management NAC is HTTP status 200 OK. The ‘X-Citrix-Device-State’ header must have the value of Compliant.

  11. Create an authentication policy with which to associate the action by typing the following.

    add authentication Policy <policy name> -rule <rule> -action <web auth action>

    For example:

    add authentication Policy xm_nac_webauth_pol -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NAC\")" -action xm_nac

  12. Create an advanced authentication policy that uses your existing LDAP action. The classic LDAP policy is not converted in place; the new advanced policy references the same LDAP action. Type the following.

    add authentication Policy <policy_name> -rule <rule> -action <LDAP action name>

    For example:

    add authentication Policy ldap_xm_test_pol -rule true -action 10.10.1.1_LDAP

  13. Add a policy label with which to associate the LDAP policy by typing the following.

    add authentication policylabel <policy_label_name>

    For example:

    add authentication policylabel ldap_pol_label

  14. Associate the LDAP policy to the policy label by typing the following.

    bind authentication policylabel ldap_pol_label -policyName ldap_xm_test_pol -priority 100 -gotoPriorityExpression NEXT

  15. Bind the web authentication policy to the authentication virtual server, with the LDAP policy label as the next factor. A compliant device passes the NAC check and then proceeds to LDAP authentication; a non-compliant device is rejected before LDAP authentication runs. Type the following, then connect a compliant device to confirm that LDAP authentication succeeds.

    bind authentication vserver <authentication vserver> -policy <webauth policy> -priority 100 -nextFactor <ldap policy label> -gotoPriorityExpression END

  16. Add the login schema policy that supplies the UI for the authentication virtual server and captures the device ID posted by the iOS VPN plug-in. The login schema action named in the command (lschema_single_factor_deviceid) must already exist. Type the following.

    add authentication loginSchemaPolicy <schema policy> -rule <rule> -action lschema_single_factor_deviceid

  17. Bind the login schema policy to the authentication virtual server. For example, for a login schema policy named lschema_xm_nac_pol:

    bind authentication vserver authvs -policy lschema_xm_nac_pol -priority 100 -gotoPriorityExpression END

  18. Create an LDAP advanced authentication policy that enables the Secure Hub connection. The rule matches requests whose User-Agent does not contain NAC, so Secure Hub authenticates against LDAP directly instead of going through the NAC check. Type the following.

    add authentication Policy ldap_xm_test_pol -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NAC\").NOT" -action 10.200.80.60_LDAP

    bind authentication vserver authvs -policy ldap_xm_test_pol -priority 110 -gotoPriorityExpression NEXT

    Note that this example reuses the policy name ldap_xm_test_pol from step 12 and names a different LDAP action. Policy names on NetScaler must be unique, so if you created the step 12 policy under that name, give this policy a distinct name in both commands, and point -action at your own LDAP action.

  19. Configure the VPN device policy. For more information on configuring the VPN device policy, see VPN Device Policy.
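The following added example (written for this page, not Citrix code) models the exchange that steps 8 through 10 configure, together with the filter evaluation described in the NAC compliance filters list earlier in this article. It stands up a local mock of the /Citrix/Device/v1/Check endpoint over plain HTTP on 127.0.0.1 instead of HTTPS on port 4443 so that it runs offline, extracts deviceidvalue from a constructed login post the way the step 9 policy expression does, and applies the step 10 success rule (HTTP 200 and X-Citrix-Device-State equal to Compliant). The device inventory, app lists, inactivity threshold, and record field names are constructed assumptions; the real Endpoint Management server derives the state from its own device records.

```python
"""Model of the Endpoint Management NAC check behind the NetScaler webAuthAction.

Added example, not Citrix code. Everything below the imports is constructed:
a mock of GET /Citrix/Device/v1/Check (plain HTTP on 127.0.0.1 instead of
HTTPS on 4443 so it runs offline), a device inventory, and the filter logic.
"""
import threading
from datetime import date
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs
from urllib.request import Request, urlopen

# Constructed stand-in for Endpoint Management's device records. The field
# names are assumptions for this example, not Citrix API fields.
DEVICES = {
    "deviceid_1": {"managed": True, "jailbroken": False, "last_seen": date(2019, 6, 1),
                   "apps": {"Citrix SSO", "Secure Hub"}},
    "deviceid_2": {"managed": True, "jailbroken": True, "last_seen": date(2019, 6, 1),
                   "apps": {"Citrix SSO"}},
    "deviceid_3": {"managed": True, "jailbroken": False, "last_seen": date(2019, 6, 1),
                   "apps": {"Citrix SSO", "BlockedGame"}},
    "deviceid_4": {"managed": True, "jailbroken": False, "last_seen": date(2019, 1, 1),
                   "apps": {"Citrix SSO"}},
}
FORBIDDEN_APPS = {"BlockedGame"}   # App Access policy, constructed
REQUIRED_APPS = {"Citrix SSO"}     # App Access policy, constructed
INACTIVITY_DAYS_THRESHOLD = 30     # Device Inactivity Days Threshold, constructed value
TODAY = date(2019, 6, 10)          # fixed clock so the example is deterministic
# "Set as not compliant" filters enabled in the console (a subset of the page's list).
ENABLED_FILTERS = {"Forbidden Apps", "Inactive Devices", "Missing Required Apps",
                   "Rooted Android and Jailbroken iOS Devices", "Unmanaged Devices"}


def failed_filters(device):
    """Names of the enabled filters that a device record trips, sorted."""
    hits = {
        "Forbidden Apps": bool(device["apps"] & FORBIDDEN_APPS),
        "Inactive Devices": (TODAY - device["last_seen"]).days > INACTIVITY_DAYS_THRESHOLD,
        "Missing Required Apps": not REQUIRED_APPS <= device["apps"],
        "Rooted Android and Jailbroken iOS Devices": device["jailbroken"],
        "Unmanaged Devices": not device["managed"],
    }
    return sorted(name for name, hit in hits.items() if hit and name in ENABLED_FILTERS)


def device_state(device_id):
    """Value for the X-Citrix-Device-State header. An unknown ID (an unenrolled
    device) is reported Non Compliant, matching the page's note on unmanaged devices."""
    device = DEVICES.get(device_id)
    if device is None or failed_filters(device):
        return "Non Compliant"
    return "Compliant"


class CheckHandler(BaseHTTPRequestHandler):
    """Mock of the Endpoint Management device check endpoint."""

    def do_GET(self):
        if self.path != "/Citrix/Device/v1/Check":
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("X-Citrix-Device-State",
                         device_state(self.headers.get("X-Citrix-VPN-Device-ID", "")))
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def extract_device_id(login_body):
    """Python equivalent of the step 9 policy expression
    HTTP.REQ.BODY(10000).TYPECAST_NVLIST_T('=','&').VALUE("deviceidvalue")."""
    return parse_qs(login_body[:10000]).get("deviceidvalue", [""])[0]


def nac_check(base_url, device_id):
    """Send what the webAuthAction sends and apply the step 10 successRule:
    HTTP 200 and X-Citrix-Device-State equal to Compliant. Returns (allowed, state)."""
    req = Request(base_url + "/Citrix/Device/v1/Check",
                  headers={"X-Citrix-VPN-Device-ID": device_id})
    with urlopen(req) as resp:
        state = resp.headers.get("X-Citrix-Device-State", "")
        return resp.status == 200 and state == "Compliant", state


def start_mock_server():
    """Start the mock on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), CheckHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def demo():
    """Run the check for constructed login posts; returns {device_id: (allowed, state)}."""
    server, base_url = start_mock_server()
    try:
        posts = [f"login=user{n}&deviceidvalue=deviceid_{n}&passwd=secret" for n in (1, 2, 3, 4, 9)]
        ids = [extract_device_id(p) for p in posts]
        return {dev: nac_check(base_url, dev) for dev in ids}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for dev, (allowed, state) in demo().items():
        print(f"{dev}: {state} -> VPN {'allowed' if allowed else 'blocked'}")
```

Running the script prints one line per constructed device: deviceid_1 is Compliant and would be allowed through the VPN factor; deviceid_2 (jailbroken), deviceid_3 (forbidden app), deviceid_4 (inactive beyond the threshold) and deviceid_9 (not enrolled) are Non Compliant and would be blocked, which is the behaviour the Citrix SSO user sees as the "Error while processing request" message described above.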

Configure Network Access Control

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Under Server, click Network Access Control. The Network Access Control page appears.

    Image of Network Access Control Settings

  3. Select the check boxes for the Set as not compliant filters you want to enable.

  4. Click Save.
