Cisco NAC Profiler

Hello

I have some doubts; if anyone can clarify them, it would be great. I have a deployment of NAC OOB real IP gateway in my network.

Assuming that all ports are NAC-controlled, as soon as the client connects they are in the auth VLAN.

Now I have a Cisco NAC Profiler in my network, which I will configure for IP phones and printers.

For example, if an IP phone is connected to a port, it will also be in the auth VLAN.

So as soon as the IP phone gets plugged in, the Cisco Profiler will see the profile and change the auth VLAN to its respective VLAN, by mapping the profile to the NAC profile that we have mapped in the Profiler, and to the VLAN given in the NAC user profile for the IP phone.

Please correct me if I'm wrong in my understanding of the operation. I need to profile IP phones; I am not able to connect.

It would be very useful if you can help me.

Thanks in advance.

Hi Nitesh,

The NAC has no control over the voice VLAN; that would be defined locally on each switch port.

For example, you would not assign the profiled IP phone endpoint to any role, because the entry is 'ignored' and the phone works on the locally configured voice VLAN without going through the NAC.

The IP phone case is different from that of printers, ATMs, etc., since these devices sit in the access VLAN (which is controlled by the NAC), and you do not expect to see other devices (MAC addresses) on the same port as a printer, ATM or other agentless endpoint. That being said, you can assign different endpoint profiles to different roles in this case.

I hope that answers your questions.

Kind regards

Federico

Tags: Cisco Security

Similar Questions

  • Cisco NAC appliance - after a successful login, users do not change to the proper VLAN

    Hello

    I am new to Cisco NAC and I have to troubleshoot an implementation. It is a real IP gateway OOB configuration. Users can log in through the CCA, but after this successful login they remain in the unauthenticated role, as well as in that VLAN. I checked SNMP and it seems to work very well. Also, I checked the logs in nac_manager.log and there is nothing surprising; in fact I see nothing about this user or the IP address that connects.

    Also, the user does not appear in the online users list on the CAM.

    Can someone help me figure out how I can fix this? Version 4.8; I'll post any information requested.

    Thank you

    We recently had this problem with Windows AD SSO and Windows 7 clients.

    XP clients would authenticate very well; however, Windows 7 clients would not authenticate and would remain on the authentication VLAN.

    Our problem was the CAS SSO account we set up in AD. It only supported DES encryption, which Windows 7 64-bit does not have. We turned off "Use DES encryption" on the AD SSO account and re-tested.

    What are the port-profile parameters applied to the switchport?

    What are the VLAN mapping settings on the trunk ports, untrusted and trusted?

  • NAC Profiler integration - cannot add filter list on CAM

    Hi all

    I have a problem with the Profiler - NAC integration for endpoint profiling.

    Here's the situation:

    I have already created the integration based on the steps in the guide: Setup Cisco NAC Appliance Integration. I think that the configuration is correct, because I can do database synchronization between the Profiler and the CAM. Here's the Profiler server log:

    NAC_SYNC: Task_Queue_Runner commissioning
    NAC_SYNC: Profiler / END of synchronization of the NAC [add 0, upd 0, desc 0, rm 0]
    NAC_SYNC: Profiler / START the synchronization of the NAC
    INFO: [2010-12-15 11:01:09 (fcapGetHWAddr:49)] is for eth0 MAC

    I have already created an endpoint profile named "Admin" which is based on the IP address. I also created the NAC event based on the endpoint profile 'Admin'.

    The NAC event will map the 'Admin' profile to a NAC role. This event aims to let 'Admin' bypass NAC authentication so that "Admin" can connect to the network automatically in a NAC role.

    However, when 'Admin' connects to the network, it is still challenged by NAC. I don't see "Admin" in the CAM filter list.

    This means that endpoint profiling is still broken.

    Is there anyone who has experience with this?

    Thanks for the support and comments

    Imad

    Hello

    You cannot add devices manually on the Profiler.

    The Profiler has to detect them automatically (that is the concept of profiling).

    The Profiler detects endpoints using the collector modules.

    Each module has its own means of endpoint detection.

    You will find the description of each collector module here:

    http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/p_intro231.html#wp1062345.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.

  • Being driven nuts by Cisco NAC! Help!

    Hi all

    Getting desperate here... been trying to get the Cisco NAC solution (Cisco NAC 3310) to work, but with limited success, and the results are currently desperately random. I have a lot of experience with Cisco products and so far this has been the most painful :-( Any help would be gladly appreciated!

    OK, here's the setup: the CAM and CAS are configured in OOB VG (Layer 2) mode. I installed everything by following the guide from Cisco (I hope) - different VLANs for the CAS, the CAM and VLAN mapping, managed subnets, switch profiles configured, etc. Yet I get strange results: some PCs are unable to connect to the network, even if the managed switch port successfully informs the CAM that a new MAC is detected (the switch port changes from the initial VLAN to the auth VLAN). I have racked my brain trying to figure out what's wrong; the event logs do not indicate many problems. Just to check on some uncertainties:

    1. For the managed subnet IP, should I check the box "Enable subnet-based VLAN change"?

    2. For the managed subnet, should I put the managed subnet IP address as the IP of the gateway? E.g. VLAN 110 (untrusted VLAN) mapped to VLAN 10 (trusted VLAN), which is the 10.1.10.0/24 subnet. The gateway is 10.1.10.254. So should I configure the managed subnet IP/netmask as 10.1.10.254/255.255.255.0? Or choose another unused IP address from that subnet (for example 10.1.10.1)?

    3. I am also experiencing the situation where, after connecting successfully (passing the NAC verification etc.), I unplug my laptop from the managed switch port and reconnect after a while. This time no authentication happens, but network connectivity is broken (even though the Cisco Agent is running). It seems the network port is placed in the auth VLAN, yet nothing prompts me to log in. Any ideas?

    W

    Woon,

    What policies do you have installed on your current user roles?

    You can try allowing all TCP/UDP and fragments to see whether it connects then.

    Right-click on the agent access as well and select Properties. Make sure that there is no discovery host, since it is an L2 implementation.

    Please also rate the previous post, so if others have similar problems they will look at this thread.

    Thank you!

  • Cisco NAC Agent Login screen

    There is a problem occurring with the clients: sometimes the Cisco NAC Agent login screen is not displayed at login on some of the newly added client machines. Are there special requirements for the Cisco Agent on the client machines?

    Regards

    Waqas

    Waqas,

    No specific requirement, except that they be on the list of supported OSs. For example, server OSs are not supported, so if you were trying to install/run on a Server 2003 or 2008, it will not work.

    HTH,

    Faisal

  • NAC Profiler & ip helper-address support

    Hello

    I have a Layer 3 OOB NAC Profiler deployment and I am trying to profile some IP phones at a remote location by using the ip helper-address statement on the interface of the remote router. The problem is that the remote router acts as the DHCP server for the voice VLAN and does not forward the DHCP discover to the NAC collectors, so I can't profile the IP phones. Do you know a way (a configuration command on the router) to forward DHCP even though the router acts as the DHCP server for this VLAN?

    Thank you

    Victor

    Hi Victor,

    To do this, you must add an SVI for the voice VLAN on the switch behind the router, and then add the IP helper on the new voice VLAN interface.

    -Hassan
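    The fix Hassan describes, as an added IOS configuration example that is not part of the original thread. VLAN 120, the 10.20.120.0/24 addresses and the collector address 10.1.1.50 are assumed placeholders; it assumes a Layer 3 switch with IP routing enabled.

```cisco
! --- Remote router (existing state, shown for contrast) ---
! The router is the DHCP server for the voice VLAN. Per the thread, its
! own DHCP server answers the phones' DHCPDISCOVER and the broadcast is
! never relayed to the NAC Profiler collector.
ip dhcp pool VOICE-120
 network 10.20.120.0 255.255.255.0
 default-router 10.20.120.1
!
interface Vlan120
 ip address 10.20.120.1 255.255.255.0
!
! --- Switch behind the router (the change) ---
! A second SVI on the voice VLAN whose only job is to relay the phones'
! DHCP broadcasts to the collector. The router keeps serving DHCP; the
! relayed copy is what the Profiler uses to fingerprint the phones.
ip routing
ip route 0.0.0.0 0.0.0.0 10.20.120.1
!
vlan 120
 name VOICE
!
interface Vlan120
 ip address 10.20.120.2 255.255.255.0
 ! NAC Profiler collector (placeholder address)
 ip helper-address 10.1.1.50
!
! Verify the relay is active on the new SVI; the output should list
! 10.1.1.50 as a helper address.
! show ip interface Vlan120 | include Helper
```

    Because the SVI relays every DHCP broadcast on VLAN 120, the collector also sees the renewals of phones that were already up, so the phones are profiled without a reboot.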

  • Base installation of Cisco NAC

    Hello

    I bought a Cisco NAC Server and a Cisco NAC Manager. I have it in the lab to test for the moment, but I would eventually extend it to approximately 200 users on the campus LAN. I just want to check that a user is valid in Active Directory. Perhaps the best way I can do that is by doing a discovery on the NAC server for valid MAC addresses.

    What is the best way to do this? That is to say:

    user connects to a port on the campus lan

    Active directory checks that they are a valid user on the domain

    they get their usual dhcp address once they are authenticated

    If they are not a valid user on the domain they will not be authenticated

    I'm not worried about antivirus verification, PC builds... for now

    For the moment, I have installed the NAC Server and the NAC Manager and both can be accessed through a Layer 3 switch.

    Thank you

    Kevin

    Kevin,

    Essentially, you are asking for advice on how to do this. I have just rolled out a 1000-user NAC L2 VG OOB (which looks like what you want to do) and a 3000-user NAC L3 RIP OOB as well as OOB wireless, and am looking at IB VPN right now. My best advice would be to buy the following book.

    "Cisco NAC Appliance: Enforcing Host Security with Clean Access" by Jamey Heary, for about $60 (available on Amazon).

    This covers all deployment scenarios and was invaluable to me when I built the NAC. It lays out the necessary steps and is easier than flitting back and forth between the CAM and CAS manuals.

    Hope that helps

  • Cisco NAC Appliance

    Hello

    I wanted to know if anyone can give me help on a Cisco NAC appliance.

    Honestly, I've heard of them, but I've never installed or worked on one before, and I have a client who wants to have one installed. So I wanted to know if someone here can point me in the right direction regarding the installation and configuration. Thank you for the help in advance and have a very nice evening.

    Hello

    Everything you need to get started:

    http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.

  • Does Cisco NAC support wireless LAN?

    Hello

    I know that Cisco NAC supports wireless LAN. I tested it myself with various brands of autonomous APs. These work very well using the in-band, out-of-band mode.

    However, Cisco has mentioned that with Cisco APs, Cisco switches and Cisco NAC, out-of-band is supported. I tried this today and either Cisco is wrong, which is highly unlikely, or I have not configured the NAC portion or the Cisco access point correctly, which is most likely. I wonder where I am going wrong? Could someone please advise me on this?

    Kind regards

    RAM

    + 6012-2918870

    Hi Jean Claude,

    You can now do out-of-band with wireless deployments, but you must have a Wireless LAN Controller managing your APs. You can't do it with autonomous APs.

    The guide below will cover most of the configuration:

    http://www.Cisco.com/en/us/products/ps6128/products_configuration_example09186a0080a138cc.shtml

    Thank you

    Nate

  • Cisco NAC features?

    Hello

    I noticed that there are some features in my v4.7.2 production Cisco NAC Manager. Can someone explain to me briefly what I can do with these features:

    1. What does the Network Scanner under Device Management > Clean Access in the CAM do? Will this feature impact my network further?

    2. I noticed that adding traffic rules under User Management > User Roles in the CAM is easy, assuming I have many roles, but to remove them I have to do it one by one. Is this true or false?

    Kind regards

    RAM

    + 6-0122918870

    Hi Ram,

    The scanner adds overhead to the network. The more plugins you add, the more overhead there is.

    A Nessus scan is really not feasible in academia. Scanning requires administrative access to the machines and the client firewall allowing traffic from the Clean Access Server. It's much more plausible in a managed desktop scenario.

    You're right about deleting rules; there is no way to do a bulk delete at this time.

    Hope that helps.

    Regards, Jeremy

  • How to clear the endpoint directory in NAC Profiler

    Hi all

    I want to delete all endpoints and profiles discovered by the NAC Profiler.

    Can someone guide me on this point? Can I remove all the discovered endpoints and profiles from the Profiler at once?

    Thank you

    Abuzar.

    Hello

    You can either try to restart, or go to 'Configuration', 'Apply changes' and then 'New model'.

    I don't think that you can just delete everything; you just re-profile from the beginning.

    Nicolas

  • Cisco NAC support questions

    Hello

    I have some questions about Cisco NAC and don't know if it is able to support them:

    1. Can NAC honor/trust QoS markings on packets when it is configured for in-band/out-of-band?

    2. For the creation of the lobby admin for local guest account management (using the Clean Access device): does the Cisco NAC appliance support the lobby admin via ACS/external DB authentication? If not, would adding a guest server achieve it?

    3. Does the Cisco NAC appliance support wireless controllers and a mix of Cisco/non-Cisco switches? If so, if the switch supports the SNMP MIB for mac-notification/link up/link down, would this be enough?

    4. Does Cisco NAC come with a predefined set of AV rules to verify that any supported AV is running for the posture check (for example, if NAC supports 100 different antivirus products, can it check all 100 different products that could be installed on a PC for the posture check)? An example of this would be a hotel where people with different antivirus products installed are trying to access the network, and the antivirus must be installed, running and updated to access the network. I know that the pre-configured default rule can check for installation/definitions, however I'm not sure about the status of the service / application running.

    Thank you.

    Hello

    For VGW configurations, you must have them in separate subnets. For RIP, they can be in the same subnet without problem.

    HTH,

    Faisal

    --

    If you find this post useful, please rate it so that others can easily find the answer.

  • Cisco NAC Web Agent error.

    Has anyone encountered this error on the Cisco NAC Web Agent before (see attachment)? I am setting up the Cisco NAC Appliance in Out-of-Band virtual gateway mode for a Unified Wireless deployment using the WLC. I'd be grateful if someone could help explain what could be the cause of the error. Thanks in advance.

    This means that the CAM has not received an SNMP trap for this MAC address. Check that the WLC is configured to send traps to the CAM: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_woob.html#wp1290626

    You can see if the CAM has received a trap for a specific MAC by looking under OOB Management > Devices > Discovered Clients.

  • Difference between Cisco NAC Agent and Cisco Clean Access Agent

    Hi all

    If anyone has an idea of the difference between the Cisco NAC Agent and the Cisco Clean Access Agent, please let us know.

    Thank you

    In 4.6, the agent was revised and is now called the NAC Agent. Previous versions were called the Clean Access Agent. So roughly, the 4.5 and 4.1.3.2 agents are Clean Access Agents, and the 4.6.x and 4.7.x agents are called NAC Agents.

    Some of the changes are moving a lot of the agent configuration into an XML file, a redesign of the GUI, adding a service component (so that the agent stub is no longer necessary) and better agent logging.

  • Cisco NAC server and asset number check? Would this work?

    Hi all

    A client raised a question when we introduced Cisco NAC today. They wondered: let's say a client with the Cisco NAC Agent installed is connected to the network switch. It has all the required applications and patch levels on its machine (posture validation check passes).

    However, even if the client passes all the posture parameters, they want it so that if the client's host name (for most Windows laptops) does not exist in their asset database (this database is a database of asset numbers in a similar format or .csv), posture validation must fail.

    Have you met a request like this before? Is there a function on the NAC server which checks a field against an external database such as an asset database?

    Cheers.

    Dumlu,

    Currently, it is not possible. You can create checks that verify values locally, but not against external data stores, so for this to map against your thinking, NAC would have to know all the workstation names beforehand and then check against that. It is unwieldy and very, very difficult to scale.

    If it's something you and your client think would be a good addition (and it sounds like a good idea), please engage with your account team and ask them to request a feature for you.

    Thank you

    Faisal
