Cisco NAC Appliance
Hello
I wanted to know if anyone can give me some help on a Cisco NAC appliance. Honestly, I've heard of them, but I've never installed or worked on one before, and I have a client who wants one installed. So I wanted to know if someone here can point me in the right direction regarding the installation and configuration. Thank you for the help in advance and have a very nice evening.
Hello
Everything you need to get started:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
Similar Questions
-
Cisco NAC appliance - after a successful login, users are not moved to the proper VLAN
Hello
I am new to Cisco NAC appliances and I have to troubleshoot an implementation. It is a Real-IP Gateway OOB configuration. Users can log in to the CCA, but after this successful login they remain in the unauthenticated role and on that VLAN. I checked SNMP and it seems to work fine. I also checked the logs in nac_manager.log and there is nothing unusual; in fact I see nothing about this user or the IP address that connects.
The user also does not appear in the online users list on the CAM.
Can someone help me figure out how I can fix this? Version 4.8; I'll post any information requested.
Thank you
We recently had the same problem with Windows AD SSO and Windows 7 clients.
XP clients would authenticate fine; however, Windows 7 clients would not authenticate and would just remain on the Authentication VLAN.
Our issue was the CAS SSO account we installed in AD. It only supported DES encryption, which Windows 7 64-bit does not have. We turned off "Use DES encryption" on the AD SSO account and re-tested.
What are the settings of the port profile that is applied to the switchport?
What are the port's VLAN mapping settings: trunk, untrusted (auth) and trusted?
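The Windows 7 failure described in the reply above comes down to which Kerberos encryption types the AD SSO account can be issued keys for. As an added example (not Cisco code, and not from this thread), the following decodes the two AD attributes involved, assuming their values were already read from AD with a tool such as ldapsearch; the bit values are the documented ones for `userAccountControl` and `msDS-SupportedEncryptionTypes`.

```python
"""Decode the Kerberos encryption types an AD account is allowed to use.

Added example, not Cisco code: it models the AD SSO service-account problem
from the thread above. The attribute values are assumed to have been read
from AD already (for instance with ldapsearch); nothing here talks to AD.
"""
from typing import List, Optional

# userAccountControl bit set by the "Use DES encryption types for this account" checkbox
USE_DES_KEY_ONLY = 0x200000

# msDS-SupportedEncryptionTypes bit values
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

# Windows 7 / Server 2008 R2 Kerberos clients ship with DES disabled, so only
# these types are usable for them out of the box.
WIN7_DEFAULT_ETYPES = {"RC4-HMAC", "AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"}


def supported_etypes(msds_enc_types: Optional[int], uac: int) -> List[str]:
    """Return the encryption types the KDC may issue keys for on this account."""
    if uac & USE_DES_KEY_ONLY:
        # the DES-only flag wins regardless of msDS-SupportedEncryptionTypes
        return [ENC_TYPES[0x01], ENC_TYPES[0x02]]
    if not msds_enc_types:
        # attribute absent or 0: domain controllers of that era default to RC4-HMAC
        return [ENC_TYPES[0x04]]
    return [name for bit, name in ENC_TYPES.items() if msds_enc_types & bit]


def win7_sso_compatible(msds_enc_types: Optional[int], uac: int) -> bool:
    """True if a default Windows 7 client shares at least one type with the account."""
    return bool(WIN7_DEFAULT_ETYPES & set(supported_etypes(msds_enc_types, uac)))


if __name__ == "__main__":
    # constructed sample: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, with and without the DES flag
    for uac in (0x10200, 0x10200 | USE_DES_KEY_ONLY):
        print(hex(uac), supported_etypes(None, uac), win7_sso_compatible(None, uac))
```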
-
Base installation of Cisco NAC
Hello
I bought a Cisco NAC Server and a Cisco NAC Manager. I have them in the lab for testing at the moment, but I would like to extend this to approximately 200 users, possibly on the campus LAN. I just want to check that a user is valid in Active Directory. Perhaps the best way I can do that is by doing a discovery on the NAC Server for valid MAC addresses.
What is the best way to do this? That is to say:
user connects to a port on the campus LAN
Active Directory checks that they are a valid user on the domain
they get their usual DHCP address once they are authenticated
if they are not a valid user on the domain they will not be authenticated
I'm not worried about antivirus checks, PC build... for now.
For the moment, I have installed the NAC Server and the NAC Manager and both can be accessed through a layer 3 switch.
Thank you
Kevin
Kevin,
Essentially, you are asking for advice on how to do this. As I have just rolled out a 1000-user NAC L2 VGW OOB (which looks like what you want to do) and a 3000-user NAC L3 RIP OOB, as well as OOB wireless, and am looking at IB VPN right now, my best advice would be to buy the following book.
"Cisco NAC Appliance: Host Security with Clean Access" by James Heary, for about $60 (available on Amazon).
It covers all deployment scenarios and was invaluable to me when I built the NAC. It lays out the necessary steps and is easier than flipping back and forth between the CAM and CAS manuals.
Hope that helps
-
NAC Appliance IPv6 compatibility
I read in the book "Cisco NAC Appliance: Host Security with Clean Access" (published 2008) that Real-IP Gateway mode is only IPv4 compatible but that IPv6 support will be provided in a future update.
Having searched around, I find no reference to the NAC appliance supporting IPv6. Does anyone know which modes (if any) are IPv6 compatible?
Hello
Although IPv6 has been on the roadmap, it is currently not supported and there is no ETA for IPv6 support on the NAC devices.
HTH,
Tiago
--
If this answers your question, please mark the question as "answered" and rate it, so other users can easily find it.
-
Hello
I have some questions about Cisco NAC and don't know whether it is able to support the following:
1. Can NAC honor/trust QoS markings on packets when it is configured for in-band/out-of-band?
2. For creating guest accounts through a lobby admin with local account management (using the appliance's own guest access feature), does Cisco NAC Appliance support the lobby admin via ACS/external DB authentication? If not, would adding a guest server achieve this?
3. Does Cisco NAC Appliance support wireless controllers and a mix of Cisco/non-Cisco switches? If so, if the switch supports the SNMP MIB for mac-notification/link up/link down, would that be enough?
4. Does Cisco NAC come with a predefined set of AV rules to verify that any supported AV is running for the posture check (for example, if NAC supports 100 different antivirus products, can it check all 100 different products that may be installed on a PC for the posture check)? An example would be a hotel, where people with different antivirus products installed try to access the network, and the antivirus must be installed, running and updated to access the network. I know that the pre-configured default rule can check for installation/definitions, but I am not sure about the status of the service/application running.
Thank you.
Hello
For VGW configurations, they must be in separate subnets. For RIP, they can be in the same subnet without problem.
HTH,
Faisal
--
If you find this post useful, please rate it so that others can easily find the answer.
-
NAC Appliance deployment problem
Hello
We are going to deploy a Cisco NAC Appliance 3310 Clean Access Server in our network. Regarding the deployment, I have several questions.
My questions are:
Do we require any additional server, such as WSUS, for remediation/Windows Update management?
Does the NAC device talk to MS AD for authentication?
Do we require an antivirus server for endpoint security?
Do we require an additional remediation server to clean up an infected endpoint?
I will be happy to receive answers to the above.
Kind regards
Martine
Martinez,
No. The CCA system asks the client to remediate itself using the Windows Update client on the client computer, and then addresses the remediation options. The two options are to go to Microsoft's WU servers or, if you have a WSUS server defined internally, to use that.
The other thing you can do is 'offer' clients files to download that you store on the CCA, based on different system requirements, but doing it this way would be very difficult to manage since you would have to create rules for each patch, which would very quickly become tedious.
View this video-on-demand on how the CCA performs posture assessment and remediation. Watch VOD 5:
HTH,
Faisal
-
Basic configuration of NAC appliance
I have a small project to authenticate about 100 users for network access. We plan to use the Cisco NAC appliance. Just to clarify (I saw some posts but I'm not sure of the correct answer): do I need 2 separate devices, one as a server and the other as a controller, or do I just need one doing both tasks?
Thank you
-Arturo
Hi Arturo,
You need two devices to operate: a Manager and a Server.
There is a great Cisco Press book on the NAC appliance by James Heary that will give you a lot of details and information on the configuration of the devices.
I hope this helps.
Paul
-
Does Cisco NAC support ongoing posture assessment?
Hi all
Cisco doesn't seem to support continuous posture assessment when running out-of-band or in-band? What I mean is: after authentication, during the certification phase I am assigned a role, and based on that role I receive a posture result. If that result is pass, then I have been evaluated as a healthy endpoint and receive a certificate. Then the switchport I am connected to is assigned to the corporate VLAN. From then on, until my certificate expires, the system will always think that I am healthy.
I've gone through the 4.8 release notes; it still seems not to be supported?
Your comments are appreciated.
Dumlu
I think this is mentioned in the release notes; did you check the following section?
http://www.Cisco.com/en/us/docs/security/NAC/appliance/Release_notes/48/48rn.html#wp1105597
Regards
Farrukh
-
Cisco NAC Agent audit-type condition
Hi experts,
I can configure an audit-type condition (mandatory or optional) so that the client always gets network access, the user is not informed, and the information is sent to the CAM.
Is it possible to generate an email or a similar automated process to inform administrators about these audits?
(version 4.7.2 running)
Thank you
Andrea
Hello Andrea,
In 4.7.2 there was not much you could do in the CAM itself; really you could only export from the GUI into a spreadsheet and analyse it on that basis.
The CAM does have an API, though, which allows you to export reports through scripted interfaces and gives you all the information, which you could then manipulate. You can access the CAM API documentation at:
https:///admin/api/cisco_api_doc.jsp
(The "getreports" function is probably what you want to look at.)
In version 4.8 and later there is a new "Reporting" section of the GUI where you can see more details about passed and failed requirements:
Thank you
Nate
-
Cisco NAC SSL certificate replacement
Hello
My apologies if this is posted in the wrong community.
We have a NAC Manager and 2 CASs whose SSL certificates from an external CA expire on November 1. These certificates are based on the internal IP addresses of the appliances.
Due to a change in the CA/B Forum, external CAs will no longer issue certs based on internally resolved IPs or hostnames, so I need to replace these certificates with ones based on their fully qualified domain names.
However, I have the option to generate a CSR based on the existing cert or to generate a new temporary certificate. The latter would allow me to generate a certificate based on the FQDN, but I'm not sure what impact generating a new certificate has?
Has anyone done this before? If so, is it safe to do, or will it cause problems within the devices / with end users who connect?
Is that the only way to generate a new certificate?
Thanks in advance for any help or suggestions you can provide
Richard,
No need to remove the old cert; generating a new temp cert will not cause any problem.
This should answer your question.
http://www.Cisco.com/c/en/us/TD/docs/security/NAC/appliance/configuratio...
~ JG
Rate useful posts
-
Cisco NAC Web Agent error.
Has anyone encountered this error on the Cisco NAC Web Agent before (see image)? I am setting up Cisco NAC Appliance in Out-of-Band Virtual Gateway mode for a Unified Wireless deployment using the WLC. I would be grateful if someone could help identify what could be causing the error. Thanks in advance.
This means that the CAM has not received an SNMP trap for this MAC address. Check that the WLC is configured to send traps to the CAM: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_woob.html#wp1290626
You can see whether the CAM got a trap for a specific MAC by looking under OOB Management > Devices > Discovered Clients.
-
Hello
I have two CAMs in HA and two CASs in HA.
I set up an LDAP lookup to create a role assignment rule.
In this configuration there is only one Windows server to look up the user's properties.
There is a problem when this Windows server is out of service. Is there any fallback configuration for when the server isn't there?
Thanks to you all.
The LDAP lookup server config says it uses the LDAP authentication provider. The LDAP authentication provider documentation says that you can have multiple entries in the single field:
LDAP
You can add LDAP authentication server redundancy by entering several LDAP URLs in the Server URL field, separated by a space, for example:
ldap://ldap1.abc.com ldap://ldap2.abc.com ldap://ldap3.abc.com
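The redundancy mechanism described above is just an ordered list of LDAP URLs in one field, walked until one server answers. As an added example (not Cisco code, and not taken from this thread), the following parses such a field and picks the first reachable server; the probe callback and the "ldap1 is down" scenario are constructed for illustration.

```python
"""Parse the CAM LDAP provider's space-separated Server URL field and fail over.

Added example, not Cisco code. It models how a client walks the list the CAM
lets you enter (several LDAP URLs separated by spaces) in order, moving to the
next server when one is out of service, which is the case the question raises.
"""
from typing import Callable, Iterable, List, NamedTuple, Optional
from urllib.parse import unquote, urlsplit


class LdapServer(NamedTuple):
    scheme: str    # "ldap" or "ldaps"
    host: str
    port: int
    base_dn: str   # optional base DN carried in the URL path (RFC 4516), "" if none


DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_server_field(field: str) -> List[LdapServer]:
    """Split the field on whitespace and return the servers in the order listed."""
    servers = []
    for url in field.split():
        parts = urlsplit(url)           # urlsplit lower-cases the scheme, so "LDAP://" is fine
        if parts.scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported scheme in {url!r}")
        if not parts.hostname:
            raise ValueError(f"missing host in {url!r}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        base_dn = unquote(parts.path.lstrip("/"))
        servers.append(LdapServer(parts.scheme, parts.hostname, port, base_dn))
    return servers


def first_reachable(servers: Iterable[LdapServer],
                    probe: Callable[[LdapServer], bool]) -> Optional[LdapServer]:
    """Return the first server whose probe succeeds; an OSError means 'try the next one'."""
    for srv in servers:
        try:
            if probe(srv):
                return srv
        except OSError:
            continue                    # refused / timed out: fall through to the next URL
    return None
```

A real probe would open a TCP connection (or bind) to `srv.host:srv.port`; the test below substitutes a constructed probe that treats the primary as down.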
-
Integration of Cisco ACS and Cisco NAC Manager - downloadable ACLs
Hello
I have set up Cisco NAC in my environment. It all works well. Users get authenticated via Cisco NAC Manager, and the Cisco NAC Manager talks to Cisco ACS for the user database part. This all works well. I would like to enable downloadable ACLs. I tried using the cisco-av-pair method and creating a downloadable ACL entry in Shared Profile Components, but nothing works. Either I'm doing something wrong, or this configuration of mine does not support downloadable ACLs? Please advise.
Kind regards
RAM
Hello
It is not possible.
You cannot push ACLs to the NAC Manager.
If you do RADIUS authentication from the NAC Manager, what you can do is create roles on the NAC Manager, and on the roles you define traffic policies.
Using RADIUS attributes you can then map users to roles.
Please take a look at this:
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
There is a problem with the clients: sometimes the Cisco NAC Agent login screen is not displayed at logon for some of the newly added machines. Are there special requirements for the Cisco Agent on the client machines?
Regards
Waqas
Waqas,
No specific requirement, except that they be on the list of supported OSs. For example, server OSs are not supported, so if you were trying to install/run it on Server 2003 or 2008, it will not work.
HTH,
Faisal
-
Hello
I have some doubts; if anyone can clarify, it would be great. I have a NAC OOB Real-IP Gateway deployment in my network.
Assume that all ports are NAC-controlled, so as soon as a client connects it is on the Auth VLAN.
Now I have a Cisco NAC Profiler in my network with which I will profile IP phones and printers.
For example, the port the IP phone is connected to will also be in the Auth VLAN.
So, as soon as the IP phone gets plugged in, Cisco Profiler will see the profile and change the Auth VLAN to its respective VLAN, by mapping the Profiler profile to the NAC profile we have mapped in the Profiler, with the VLAN given in the NAC user profile for the IP phone.
Please correct me if my understanding of the operation is wrong. I need to profile IP phones; I am not able to get them connected.
It would be very useful if you can help me.
Thanks in advance.
Hi Nitesh,
The NAC has no control over the voice VLAN, so this would be defined locally on each switch port.
For example, you do not assign the profiled IP Phone endpoint to any role, because the entry is 'ignored' and the phone works on the locally configured voice VLAN without going through the NAC.
The IP phone case is different from that of printers, ATMs... as in that case these devices sit in the access VLAN (which is controlled by the NAC), and you do not expect to see other devices (MAC addresses) on the same port as a printer, ATM or other agentless endpoint. That being said, you can assign different endpoint profiles to different roles in this case.
I hope that answers your questions.
Kind regards
Federico