Cisco NAC device filtering question
Cisco NAC provides support for devices such as printers, IP phones, UPS failure, etc. by adding them to a list of filters.
This allows these devices to bypass basically the NAC system and is only available on the network.
My question is this. If exempt us these devices of the NAC evaluation, where is the security? What prevents a person to set the MAC address of the printer using a laptop?
I can't imagine on this subject has not been raised before, but I can't seem to find an answer.
Thanks in advance for your answer!
Tom
Well Yes, it was a big critical with the NAC device out of the box. There is no way to prevent the usurpation of MAC. Cisco has another device called parser SNAC, that solves this problem, but it costs extra.
Tags: Cisco Security
Similar Questions
-
Hello
I have some doubts if any1 can clearly it will be great. I have the deployment of gateway NAS OOB real ip in my network.
Assuming that all ports are Nac_controlled. So as soon as the client caches they are in the local network virtual auth.
now I have a cisco nac Profiler in my network which I will configure IP phones and printers.
by example, if the port of the ip phone is connected to it will be also under auth vlan.
so as soon as as ip phone gets plugged, Profiler cisco will see the profile and change the vlan auth to its vlan respective by mapping the profile and the profile of the NAC that we have mapped in the Profiler and given of the vlan in the user profile of the NAC for the ip phone.
Please correct me if I'm wrong, for the understanding of the operation. I need profile of ip phones. I am not able to connect.
It would be very useful if you can help me.
Thanks in advance.
Nitesh salvation,
the NAC has no control over the voice VLAN, then this would be defined locally on each switch ports.
For example, you assign it not the point endpoint IP Phone profiled in any role, because the input is 'ignored' and the phone works on the configured locally voice VLAN without going through the NAC.
The IP phone case is different from that of printers and ATM... as in this case, these devices are looking at VIRTUAL local network access (which is commissioned by the NAC), and you do not expect to see all other devices (MAC addresses) on the same port of a printer, ATM or other endpoints without an agent. That being said, you can assign profiles different points of endpoints to different roles in this case.
I hope that answers your questions.
Kind regards
Federico
-
Hello
I have some question about Cisco NAC and don't know if it is able to support:
1. can you packets qos to NAC honor/confidence when it is configured for inband/off band?
2. for the creation of the lobby admin on local accounts management comments (using the own access device); cisco nac appliance does support
the lobby admin via acs/external db authentication? If this isn't the case, adding a comment server would reach it?
3 - is not cisco NAC appliance support wireless controller and the mixture of cisco/non-cisco switches? If so, if the switch supports snmp mib mac-notification/link/link down; would this be enough?
4 is Cisco NAC comes with a predefined set of rules AV to verify that all AV support is running for the posture check (example if NAC supports 100 produced different viruses; can he check all 100 different product that can be installed on a PC for control of posture). An example of this would be hotel / that there are people of different products installed antivirus trying to access the network and the antivirus must run and installed and updated to access network). I know that the pre-confgiured default rule can check for installation/setting however not sure on the status of service / application running.
Thank you.
Hello
For VGW configurations, you must have in separate subnets. For RIP, they can be in the same subnet without problem.
HTH,
Faisal
--
If you find this article useful, please note so that others can easily find the answer
-
Cisco NAC appliance - after a success does not change users to connect to the vlan propper
Hello
I am new to cisco NAC BURNERS and I have to troubleshoot an implementation. It is a real OOB IP gateway configuration. Users can connect to the Pentecost the CCA, but after the connection of this success, they remain on the role not authenticated, as well as on this vlan. I checked the SNMP protocol and seems to work very well. Also, I checked the logs on nac_manager.log and there is nothing surprising, in fact I see nothing about this user or IP address that connects.
Also the user does not appear on the list of users online on cam.
Can someone help me figure out how can I fix? version 4.8, I'll post any information requested
Thank you
We recently had the problem with Windows AD SSO and Windows 7 clients.
Would authenticate the XP clients very well, however, Windows 7 clients would not authenticate and will remain just on the authenticated vlan.
Our question was looking for CASE SSO account, we installed on AD. It only support the encryption, WHICH has no Windows 7 64. We turned off "Use OF THE encryption" on the account authentication UNIQUE AD and re-tested.
What are the parameters of the port-profile to which is applied the switchport?
What is the map settings vlan ports trunk not approved or confidence?
-
Hello
I wanted to know if anyone can give me help on a Cisco NAC appliance.
Honestly, I've heard of them, but I've never installed or worked on a before and I
have a client who wants to have one installed. So I wanted to know some here can
point me in the right direction regarding the installation and configuration. Thank you
the help in advance and have a very nice evening.
Hello
Everything you need to get started:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.
HTH,
Tiago--
If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.
-
Hello
I noticed that there are some features in my v4.7.2 Cisco NAC Manager of production? Can someone explain to me briefly what I can do with these features;
1. What can a Network Scanner in the title of the device management > own access, in do CAM? This feature will focus on my network more away?
2. I noticed that to add rules of traffic under the management of the users control > CAM user roles, is easy, assuming that I have many roles, but to remove them, I have to do this one by one. Is this statement true or false?
Kind regards
RAM
+ 6-0122918870
Hi Ram,
The scanner add overhead to the network. Plugins more you add, the more support there.
Nessus scan is really not possible in academia. Scanning requires administrative access to the machines and the customer firewall allowing traffic from the clean access server. It's much more plausible in a managed desktop scenario.
You're right about the deletion rules, there is no way to support no way to make a deletion block at this time.
Hope that helps.
Cordially, Jeremy
-
Anyone encounter this error on the Cisco NAC Web Agent before (see table)? I am setting up Cisco NAC Aplliance in Out-Of-Band gateway mode virtual for the deployment of Unified Wireless using the WLC. Grateful if someone can help to inform of what could be the cause of the error. Thanks in advance.
This means that the CAM has not received a SNMP trap for this MAC address. Check that the WLC is configured to send traps to the CAM: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_woob.html#wp1290626
You can see if the cam with got a trap for a specific MAC looking under OOB management > devices > discovered customers.
-
Cisco NAC server and check active number? Would this work?
Hi all
A client has achieved a question when we introduced Cisco NAC today. They wondered, lets say, a client of Cisco NAC agent installed may be connected to the network switch. It has all valid requests and patch levels on his machine (posture validation check pass)
However, even if the customer takes the position of all the parameters, they want to know that if the host name of the client (for most Windows laptops) does not exist in their active database (this database is a database of estate number which is in a similar format or .csv) posture validation must fail.
Have you met such request like this before? Is there a function on the NAC server which checks a field against an external database as an active database?
See you soon.
Dumlu,
Currently, it is not possible. You can create controls who can check values locally, but not against external data warehouses, so for this card against your thinking, NAC would have to know all the names of workstation before hand and then check against that. It is unwieldy and very very difficult to scale.
If it's something you and your client think would be a good addition (and it sounds like a good idea) Please engage with your account team and ask them to request a feature for you.
Thank you
Faisal
-
Integration of Cisco ACS and Cisco NAC Manager - downloadable ACLs
Hello
I have Setup Cisco NAC in my environment. These are all works well. The users themselves will get authenticated via Cisco NAC Manager. The Cisco NAC Manager meets with Cisco ACS for the part of the user database. These are all works well. I would like to activate downloadable ACLs. I tried to use the CISCO-AV-PAIR method and creating a downloadable ACL entry in the shared components, but nothing works. It's either I'm doing wrong or this configuration of the mine does not support downloadable ACLs? Please advice kindly.
Kind regards
RAM
+ 6 012-2918870
Hello
It is not possible.
You cannot push the ACL in the NAC manager.
If you make the Radius of NAC authentication manager, you can do is create roles the NAC Manager, and on the roles you define traffic strategies.
Using the Radius attributes you can then map users to roles.
Please, take a look at this:
HTH,
Tiago
--
If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.
-
What is the difference between Cisco NAC and ACS?
I am currently part of a new construction project and my Cisco account manager and sales engineer recommend Cisco NAC for our new MDF. I'm confused because I don't clearly know the difference between a Cisco ACS and the NAC. What is the difference?
Thank you
Chris
Chris,
The two are completely different, maybe the sales rep could present you with more information and application. Each offers a variety of services tailored to the specific needs. I think that we need to read more in depth on the proceeds of the NAC. NAC seems an excellent solution for authentication authorization but other regulatory compliance.
When you see ask your representative to sales for more information/demo.
ACS is more widely use as a central point to access control to network devices routers, an example is for acs accounting management and the authority to order on all devices on the network using acs as RADIUS server. Considering that the NAC is over a central point of safety inspection on earlier systems of access to your network by via LAN or outside, an example of these respected regulatory defined could be inspections could be virus definition checks before getting lan access thus preventing access to the LAN if the system does not have regulatory compliance defined in NAC access is denied. Another example could be the unknown local host connections etc... So, it seems that NAC is a much broader product that provides endpoint security internal, not only the authentication authorization as acs... ACS has been there for a long time, NAC is rather new product.
NAC
http://www.Cisco.com/en/us/NetSol/ns466/networking_solutions_package.html
ACS
http://www.Cisco.com/en/us/products/sw/secursw/ps5338/index.html
Rgds
Jorge
-
Cisco NAC discovered host field use OOB L3 and L2 OOB
Hi all
We are in the phase of project initiation in a huge deployment of Cisco NAC.
Customer has of 8 regional offices who will be deployed in OOB L2 mode with its own servers of NAC.
Client also As 25 small offices who will be deployed in OOB L3 mode (using the access control list) with two central servers of the NAC.
NAC agent will be deployed at the Center through Microsoft Windows Domain Services on each computer in the domain. However, users could move from a small office to a regional office occasionally.
I was wondering how we should use the Host field discovered in the XML of the Agent?
My opinion is the definition of the scope of the host of the discovery to the IP address of the central servers of the NAC. This setting will be used when the user is in a small office and when in an office regional, the NAC in mode OOB L2 server will already intercept the traffic of the user and the IP address in the host discovery field won't matter in this case?
Am I wrong?
Any help much appreciated.Dumlu
Hi Dumlu,
If your concern relates to users of L2, then this will work regardless of the address of the configured host discovery.
This is the case, the Agent will try the host address configured discovered on top of the default gateway address.
In L2, the NAC server is between the host and the default gateway, so the L2 discovery process will still work.
Consider that for users of L3, the discovery packet sent to the discovered host address just reach the server of the ANC, no matter if so the agent can reach this address; the point is to ensure that the NAC server receives this package in order to meet with the NAC server specific info.
I hope that answers your question.
Kind regards
Federico
--
If this answers your question please mark the question as "answered" and write it down, so other users can easily find it.
-
There is a problem that is coming with the customers, sometimes on some of the connection start screen customer Cisco NAC Agent is not displayed on the login screen for some of the newly added machines. Are there special requirements for cisco Agent on the client machines.
Concerning
Waqas
Waqas,
No specific requirement, except that they be on the list of the OS supported. For example server OSs don't are not so supported if you were trying to install/run on a Server 2003 or 2008, which will not work.
HTH,
Faisal
-
where can I find viso and the CISCO CAD device icon?
where can I find viso and the CISCO CAD device icon? Thank you guys!
Not sure about visio CAD but heres
http://www.Cisco.com/c/en/us/products/Visio-stencil-listing.html
-
It is recommended to have a vulnerability for Cisco ASA device scan.
Dear everybody.
I have a doubt about the analysis of vulnerabilities for Cisco ASA device. Currently we have a vulnerability to network devices include firewalls. But after race for cisco ASA vulnerability scanning, found nothing in the analysis report.
Is it is recommended to have a Cisco ASA vulnerability scanning and it will defeat the purpose of the firewall?
I do not understand you ask you can set the ASA to allow an external user, run an analysis on the internal network?
If so the answer is generally no. The ASA, by default, not allow incoming connections (or attempts of connections) that are not explicitly allowed in a list of inbound access (applied to the external interface). In most cases there should also be (NAT) network address translation rules configured.
If you had a remote access VPN, you can allow external scanner to connect through that, then they would have the necessary access to analyze internal systems (assuming that allowed VPN access to all internal networks)
-
Base installation of Cisco NAC
Hello
I bought a Cisco NAC server and a Cisco NAC Manager. I have it in the laboratory to test for the moment, but I would extend approximately 200 users possibly on campus lan. I just check that a user is valid on active directory. Perhaps the best way I can do that is by making a discovery on the server of the NAC to valid mac addresses.
What is the best way to do this? That is to say
user connects to a port on the campus lan
Active directory checks that they are a valid user on the domain
they get their usual dhcp address once they are authenticated
If they are not a user validates on the field that they will not be authenticated
I'm not worried about the verification of the antivirus, pc built... for now
For the moment, I installed the server of the NAC and the NAC Manager and both can access it through a layer 3 switch.
Thank you
Kevin
Kevin,
Essentially, you ask for advice on how to do this. As I just pulled out of 1000 users NAC L2 VG OOB (who looks like, it's what you want to do) and a 3000user of the NAC L3 RIP OOB as well as OOB wirless and looking IB VPN right now. My best advice would be to buy the next book.
Cisco NAC Appliance 'Host security with clean Access Application' by James Heary for about $60. (available on Amazon)
This covers all deployment scenarios and is invaluable for me when I created the NAC. What it does is put in the necessary steps and is easier than flitting back and forth between the CAM and CASE manual.
Hope that helps
Maybe you are looking for
-
Satellite C660 - 26G - unexpected error after removing the USB
Hello all, I need help here. I have a Satellite C660 - 26G, 2 days and a USB key has been removed from the laptop while he was working, and I think that caused a kind of corruption. The machine starts, passes the logo and the windows, come the white
-
Hallo I got a picture of some VI´s, I would seem like the name, can´t to find it anywhere Best wishes CBJ
-
I run windows xp sp3 and I installed w.m. player11 but microsoft fix it error center tells me "cannot install the drive of w.m..."
-
How to solve the problems of windows 10 shut down (power, lighting the keyboard is always on)?
Nice day How to solve the problems of windows 10 shut down (power, lighting the keyboard is always on)? with regard to my question above. I need to hold the button of power for 5 seconds to completely shut down my laptop. even restart or sleep does n
-
Cannot remove items under My Documents / my pictures on the right by clicking on them.
PRIORITY: HIGH Go to: start > Documents > My Documents / my pictures > right click on any of the two does nothing. And if there are other items below. Make a right click does nothing no more. [Unable to remove items under My Documents / my pictures o