NAC Guest Server replication
I have re-imaged one of our NAC Guest Servers and now want to restart replication.
To set up replication between two Cisco NAC Guest Servers, the IP address of the remote server is configured on each server, and one of the following two options must be selected:
"This node contains the data."
"This node will copy the data from the other node."
Is 'this node' the remote server or the local server (the one where the configuration is being done)?
The initial replication is configured by setting one of the Cisco NAC Guest Servers to copy all of the data from the other Guest Server. The Guest Server that is configured to copy the data from the other appliance first removes all of its own data. This ensures that no conflict exists. Cisco recommends setting up replication during the initial installation of the Cisco NAC Guest Server, or when you add a new Guest Server to an existing deployment. Once one of the Guest Servers has received a copy of the data from the other appliance, they are synchronized and replication is enabled. All data that is updated on one Guest Server is then automatically replicated to the other Guest Server.
Tags: Cisco Security
Similar Questions
-
Hi guru,
Do we need a Cisco NAC Appliance or Wireless LAN Controller with the Cisco NAC Guest Server, or can the Cisco NAC Guest Server work independently?
Is it possible to deploy the Cisco NAC Guest Server without a NAC Appliance or Wireless LAN Controller?
Best regards
Ahmed Shahzad
Can you please check whether you can access this link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html.
It is a fully detailed 'Integrated Cisco Local Web Authentication Deployment and Configuration Guide'.
HTH,
Tiago
-
NAC Guest Server - how to reactivate suspended users
I am wondering whether it is possible to reactivate suspended users.
My client wants to set up guest users for outside consultants who are on site for a few weeks each year. He does not want to create new users every year, but instead reactivate the accounts suspended the previous year.
Is there a way to reactivate suspended users?
Is it handled differently depending on the time profile used?
- Start/End
- From First Login
- From Creation
- Time Used
Thank you
Felix
Hello
I'm afraid that is not possible.
As you guessed, this is managed by the time profile, and you have the four options you mentioned:
- Start/End
- From First Login
- From Creation
- Time Used
So once the account reaches the end of the time set by the time profile, it is no longer possible to use it.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.
-
NAC Guest Server with WLC
Dear all,
I just need to confirm whether it is possible to add the same WLC to the CAS (wireless users) as well as to the NAC Guest Server (wireless guest users), or whether I need a second WLC for the NAC Guest Server.
Kind regards
Hello Nameair
You don't need a separate WLC... NAC Guest Servers are perfectly normal RADIUS servers used for authentication. You can integrate your existing WLC, in addition to IB or OOB with your CAS, with the Guest Server. I am attaching a doc that gives information on configuring the WLC and Guest Servers.
I hope this helps... all the best... happy new year to you. Please rate responses if found useful...
REDA
-
NAC Guest Server and preconfigured account durations
There seems to be a bug in the way the NAC Guest Server handles the pre-configured lifetime of guest accounts.
I followed the manual and did the following:
- Set up 3 durations (24 h, 48 h and 1 week) under Templates / Accounts / Account Durations.
- Set the value 'Maximum account duration' under User Groups.
I understand I should now be able to select one of the three configured durations when I log on as a sponsor.
However, I only get the number I set for the user group.
The strange thing is that if I change the maximum duration for the user group, I get that as the only choice (for example 14 days).
Has anyone else experienced this?
Best regards
Steffen Lindemann
You can use one of the options to define the number of days or hours.
For days:
Authentication > User Groups > Add Group | Edit Group includes two new parameters: the number of days in the future the account can be created for, and the maximum duration of the account (in days).
For hours:
User Interface > Templates > Add Template | Edit Template > Accounts > Account Duration
http://www.Cisco.com/en/us/docs/security/NAC/guestserver/Release_notes/11/gsrn110.html
-
Linux update on the NAC 3315 Guest Server
Hi all
Is there an option to update the Linux OS pre-installed on the NAC appliance later?
Thank you
Kind regards
Vijay.
Hello
You do not have this option, as the Cisco NAC product line ships with a version of Linux that is tailored to the solution.
Thank you
Tarik Admani
* Please rate useful posts *
-
Reset of the NAC Server and Manager to factory defaults
I have a NAC Appliance CAM version 4.7(3). I want to reset it to factory defaults or clear all its configuration,
and the same for the server.
Wael,
Elly's right. For production systems, if you want to start over, the best idea is to re-image.
If you are in a lab setting, you can drop the database on the CAM by running the following commands:
service perfigo stop
dropdb -h localhost -U postgres controlsmartdb
createdb -h localhost -U postgres controlsmartdb
psql -h localhost -U postgres controlsmartdb < <sql-file>
service perfigo start
For the CAS, you can remove the /perfigo/access/bin/env file and restart.
HTH,
Faisal
--
If you find this post useful, please rate it so that others can easily find the answer.
-
Hello friends, I am adding a server to the CAM when the system displays an error telling me that I have reached the maximum number of sensors, when actually there isn't any server added to the CAM. What could be the cause of this unusual and strange behaviour? Any suggestions? Thanks in advance.
CAM Lite would be the licence for the CAM itself, and it can handle up to 3 CASs.
To actually add the CASs to the CAM, you need to install the CAM CAS licence.
Here is more information about CCA licences for your reference:
http://www.Cisco.com/en/us/docs/security/NAC/appliance/support_guide/license.html#wp42302
-
Hi Experts,
Our NAC 3315 does not work because of a hardware failure, so we are replacing it. Could you kindly confirm the steps to take a backup and the procedure to restore it?
Thank you
Kind regards
Vijay.
Since there seems to be no method to perform a backup from the CLI on the 3315 appliance, we go the route of the workaround. This may seem a little out there, but it is the only way I can see a backup being created without using the web GUI.
First of all, do you have IP access to the NAC appliance?
If not, stop reading and contact TAC.
If you have made configuration backups in the past, they are stored in the /guest/backups directory and can be transferred via FTP, SFTP, etc.
If not, then download an upgrade file that is newer than the version you are running (if you are running the latest version, download the upgrade file for that version). In this case, v2.1. Transfer the file to your repository and run the upgrade on the NAC Guest Server.
Note: Before the 2.1 upgrade, a snapshot backup of the existing 1.x or 2.0.x database is automatically created and stored in the guest.bak directory. In the case of an upgrade failure, Cisco recommends making a local backup of this directory.
http://www.Cisco.com/en/us/docs/security/NAC/guestserver/Release_notes/21/gsrn21.html#wp111257
Otherwise, I am at a loss on this one.
Please rate useful posts and mark this question as answered if it does, in fact, answer your question. Otherwise, feel free to post additional questions.
Charles Moreton
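The reply above leaves the copy-and-verify part implicit. The following is an added example, not code from the thread or from Cisco: it packs whatever is in the backup directory the reply names (/guest/backups, passed as a parameter) into a tar.gz with a SHA-256 manifest, and re-hashes the archive's members against that manifest so a corrupted transfer is caught before anyone attempts a restore on the replacement appliance. The destination directory, archive name and the sample backup tree built by demo() are all constructed for illustration.

```python
"""Copy existing NAC Guest Server backups off the appliance and verify them.

Added example, not from the thread: it assumes the /guest/backups directory
the reply above names (the path is a parameter), a writable destination, and
that you either run this on the appliance or have already fetched the
directory over SFTP/scp.  demo() builds a constructed backup tree in a
temporary directory so the flow can be exercised offline.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

DEFAULT_BACKUP_DIR = "/guest/backups"  # directory named in the reply above


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src_dir):
    """Map every file under src_dir (relative POSIX path) to its SHA-256."""
    src = Path(src_dir)
    return {p.relative_to(src).as_posix(): sha256_of(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def archive_backups(src_dir=DEFAULT_BACKUP_DIR, dest_dir=".", name="guest-backups"):
    """Tar src_dir to dest_dir/name.tar.gz and write name.sha256.json beside it.
    Refuses to produce an empty archive, which would silently hide a wrong path."""
    src, dest = Path(src_dir), Path(dest_dir)
    if not src.is_dir():
        raise FileNotFoundError("backup directory %s not found" % src)
    manifest = build_manifest(src)
    if not manifest:
        raise FileNotFoundError("no backup files under %s" % src)
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / (name + ".tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=name)
    manifest_path = dest / (name + ".sha256.json")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return str(archive), str(manifest_path)


def verify_archive(archive, manifest_path):
    """Hash each member inside the archive and compare with the manifest.
    Returns the sorted list of paths that are missing, extra or changed
    (an empty list means the copy is intact)."""
    expected = json.loads(Path(manifest_path).read_text())
    seen = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                rel = member.name.split("/", 1)[1]  # strip the top-level name
                seen[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return sorted(p for p in set(expected) | set(seen) if expected.get(p) != seen.get(p))


def demo():
    """Constructed backup tree; returns (mismatches_intact, mismatches_tampered)."""
    root = Path(tempfile.mkdtemp())
    src = root / "backups"
    (src / "2011").mkdir(parents=True)
    (src / "2011" / "gs-config.tgz").write_bytes(b"\x00" * 4096)  # constructed
    (src / "gs-config-old.tgz").write_bytes(b"old")               # constructed
    archive, manifest = archive_backups(src, root / "out")
    intact = verify_archive(archive, manifest)
    # Simulate a corrupted copy by overwriting one hash in the manifest.
    data = json.loads(Path(manifest).read_text())
    data["2011/gs-config.tgz"] = "0" * 64
    Path(manifest).write_text(json.dumps(data))
    return intact, verify_archive(archive, manifest)


if __name__ == "__main__":
    print(demo())
```

Run archive_backups() on the old appliance (or on the fetched copy), move both files to the replacement, and only proceed with a restore if verify_archive() returns an empty list.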
-
Maximum guest accounts on the NAC 3315
Hi Experts,
What is the maximum number of accounts that can be created or maintained by the NAC 3315 Guest Server?
Thank you
Kind regards
Vijay.
Sorry, you asked about the NAC Guest Server, not ISE.
Q. Is there a limit to the number of guests that I can provision/authenticate with the Cisco NAC Guest Server?
A. There are no limits to the number of sponsors who may use the system or guests that can be configured.
Please rate useful posts and mark this question as answered if it does, in fact, answer your question. Otherwise, feel free to post additional questions.
Charles Moreton
-
Real-IP gateway in-band NAC process
Hi all
I did a lot of research and cannot find good answers to some of my questions. All the big questions are answered for out-of-band configurations, but I find that in-band understanding is taken for granted lol... I guess I'm slow =P
- How does the in-band Real-IP gateway work?
- What is the point of the /30 subnets?
- Are there any access/auth VLAN pair configurations in-band?
- How does quarantine work?
- I read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean there is no support for several trusted VLANs mapped to a single NAC server?
- Can you do role mapping with in-band configurations?
Help with all or part of these questions would be GREATLY appreciated!
Thanks a lot =]
~ Xavier
Hi Xavier,
I'll try to answer your questions.
1. How does the in-band Real-IP Gateway work?
The CAS works in routed mode, i.e. you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Because the CAS does not support routing protocols, routing must be configured through static routes.
2. What is the point of the /30 subnets?
The idea is to have small subnets for your clients, so that with this configuration clients in the authentication VLAN have to go through the CAS even to talk to other clients on the same L2 segment.
See here for an explanation:
3. Are there access/auth VLAN pair configurations in-band?
If you are asking whether there is VLAN mapping, then the answer is NO, as the purpose of VLAN mapping is to *bridge* traffic between mapped trusted and untrusted VLANs, but in Real-IP mode the CAS routes traffic at L3.
4. How does quarantine work?
When a client is quarantined, it works the same way as OOB, since in this phase the client is still inline to the CAS.
So the concept is that the CAS assigns the Temporary or Quarantine role to the user and applies the traffic policy you have set up for the Temporary or Quarantine role.
5. I have read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean that there is no support for several trusted VLANs mapped to a single NAC server?
The 'single VLAN' restriction for the Real-IP CAS applies only to the *trusted* side. The CAS may be the default gateway for several VLANs / IP subnets on the *untrusted* side.
Configure additional VLANs / IP addresses on the untrusted side by using the 'managed subnet' configuration.
This is mentioned here:
The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For more information on the setup of managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.
6. Can you do role mapping with in-band configurations?
Yes, you can! However, you cannot assign a VLAN as you do in OOB, but you can assign different levels of access based on the IP traffic policies and bandwidth restrictions that you assign to the specific role.
For example, check here for more details:
In a word, regardless of In-Band vs Out-of-Band:
- clients are in-band to the CAS during the CAS detection, authentication, posture assessment and remediation phases.
The main difference occurs when the user is allowed onto the network and you run the role assignment in IB or OOB:
- in IB, client traffic keeps flowing inline through the CAS, so you can apply different access policies (ACLs) and bandwidth control depending on the role policies (but you cannot assign a VLAN);
- in OOB, client traffic bypasses the CAS once it is authorized: in this case you can apply different VLANs, but (given that the CAS is no longer in the path) you cannot apply ACLs and/or bandwidth policies.
I hope that answers your questions.
Kind regards
Federico
--
If this answers your question, please mark it as 'answered' and rate it, so that other users can easily find it.
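Federico's points 1 and 2 (static routes because the CAS speaks no routing protocol, and per-client /30 subnets so that even neighbour-to-neighbour traffic crosses the CAS) can be made concrete with the standard-library ipaddress module. The following is an added example and is not code from the thread or from Cisco. It carves a managed subnet into /30s, shows that two clients on one VLAN talk directly at L2 only when they share a subnet (so only the /30 layout puts the CAS role ACLs in the path), and prints the IOS-style static routes the upstream router needs for the managed subnets. All addresses (10.10.0.0/28, the CAS trusted address 192.0.2.10) are constructed.

```python
"""In-band Real-IP CAS: why per-client /30 subnets and static routes.

Added example, not from the thread or Cisco's documentation.  A client that
shares a subnet with another client ARPs for it and talks to it directly;
the CAS, and therefore the role's traffic policy, never sees that flow.
With a /30 per client (network, gateway, client, broadcast) the only
neighbour a client has is the CAS, so every flow is routed and policed.
"""
import ipaddress


def carve_client_subnets(block, prefixlen=30):
    """Split block into per-client subnets.  Returns (subnet, gateway, client)
    triples: gateway = first usable address (the CAS managed-subnet address on
    its untrusted side), client = last usable address."""
    net = ipaddress.ip_network(block, strict=True)
    if prefixlen < net.prefixlen or prefixlen > 30:
        raise ValueError("prefixlen must be between the block's length and 30")
    triples = []
    for sub in net.subnets(new_prefix=prefixlen):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        triples.append((sub, hosts[0], hosts[-1]))
    return triples


def same_subnet(addr_a, addr_b, prefixlen):
    """True if the two hosts would resolve each other with ARP and talk at L2."""
    net_a = ipaddress.ip_interface("%s/%d" % (addr_a, prefixlen)).network
    net_b = ipaddress.ip_interface("%s/%d" % (addr_b, prefixlen)).network
    return net_a == net_b


def client_path(addr_a, addr_b, prefixlen):
    """Where traffic between two authenticated in-band clients goes."""
    if same_subnet(addr_a, addr_b, prefixlen):
        return "direct at L2: CAS role ACLs never see it"
    return "routed via the CAS gateway: role ACLs and bandwidth policy apply"


def upstream_static_routes(managed_blocks, cas_trusted_ip):
    """IOS 'ip route' lines for the trusted-side router, so return traffic to
    the managed subnets is handed to the CAS trusted interface (the CAS runs
    no routing protocol, so nothing advertises these subnets for you)."""
    lines = []
    for block in managed_blocks:
        net = ipaddress.ip_network(block, strict=True)
        lines.append("ip route %s %s %s"
                     % (net.network_address, net.netmask, cas_trusted_ip))
    return lines


if __name__ == "__main__":
    for sub, gateway, client in carve_client_subnets("10.10.0.0/28"):
        print(sub, "gateway", gateway, "client", client)
    print(client_path("10.10.0.2", "10.10.0.6", 30))
    print(client_path("10.10.0.2", "10.10.0.6", 24))
    print("\n".join(upstream_static_routes(["10.10.0.0/24"], "192.0.2.10")))
```

The two client_path() calls are the whole argument: the same pair of clients is policed when the managed subnet is carved into /30s and unpoliced when they sit in a shared /24.
-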
NAC switch configuration
Hello!!
I bought a NAC Server and a NAC Manager to centrally manage the VLAN that users connect to, based on authentication.
I have several sites, but the NAC server will be at headquarters.
When a remote user authenticates, NAC must configure the user's switch port for the right VLAN.
Is this an out-of-band solution?
Do I need a specific licence for out-of-band?
Best regards,
Miguel Amaral
Hello
It's the same pattern: you need 2 licences, one for the CAM and the other for the CAS.
The CAM one sets the number of CASs you can add.
The CAS one defines how many users are supported.
So either the CAS PAK has been lost, or it was never bought.
In both cases, you will need to contact the entity that sold you the devices and ask for the CAS PAK.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.
-
I have a question about WinXP rules in the NAC server, and more specifically: if a check reports a failure but it is part of a ! (NOT) in the rule, does this mean it passes? For example:
&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037) (red indicates failure)
The NAC reports it as a failed check:
pc_Windows_ehkeyctl, File Check [$SYSTEM_ROOT\ehome\ehkeyctl.dll exists]
Is it a failure because it finds the file, and there is a NOT on the rule?
What about this:
&(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)
The first part reports as a pass, and the second reports a failure... but logically this part of the rule should pass because of the first part alone? Is that correct?
Thank you!
Gavin Budd
It actually reports a failed check - and in many cases it is expected (and confusing!). For example, with the preconfigured Windows checks, if it is a 32-bit client you will see the 64-bit check fail.
Same with your second example check:
&(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)
We expect that either the first check fails or the second check passes - but one of these checks will show as failed. Clear as mud?
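The confusion in this thread is that the agent reports each check's own result, while the rule's verdict depends on where that check sits in the expression. The following is an added example, not Cisco's rule engine: a small evaluator for the rule syntax visible in the two quoted expressions (check names joined with & and |, negated with !, grouped in parentheses; the precedence ! over & over | is an assumption). It returns the rule verdict together with each check's raw status and whether it sits under a NOT, which is exactly the information the agent's red/green display hides. Applied to Gavin's first rule with constructed results, the file check fails and the rule still passes; applied to the second with the file check passing and the hotfix check failing, the rule fails, which is the case where the failed check is a real finding. The leading & in both quoted expressions is treated as the tail of a longer rule and dropped.

```python
"""Evaluate a NAC posture rule expression against per-check results.

Added example (not Cisco's rule engine): the grammar is inferred from the
expressions quoted in the thread.  Check names are joined with '&' (and) and
'|' (or), negated with '!', grouped with parentheses; '!' binds tightest,
then '&', then '|' (assumed).  A check result of True means the check passed.
"""
import re

OPERATORS = {"&", "|", "!", "(", ")"}
TOKEN = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_\-]*|[&|!()])")


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad token at %d: %r" % (pos, expr[pos:]))
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: or -> and -> not -> atom."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError("trailing token %r" % self._peek())
        return node

    def _or(self):
        node = self._and()
        while self._peek() == "|":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() == "&":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() == "!":
            self._take()
            return ("not", self._not())
        if self._peek() == "(":
            self._take()
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        tok = self._take()
        if tok is None or tok in OPERATORS:
            raise ValueError("expected check name, got %r" % tok)
        return ("check", tok)


def parse_rule(expr):
    tokens = tokenize(expr)
    # The copies in the thread begin with a dangling '&', presumably the tail
    # of a longer rule; drop a leading binary operator so the fragment parses.
    if tokens and tokens[0] in ("&", "|"):
        tokens = tokens[1:]
    return _Parser(tokens).parse()


def _eval(node, results, negated, detail):
    kind = node[0]
    if kind == "check":
        name = node[1]
        if name not in results:
            raise KeyError("no result for check %r" % name)
        status = results[name]
        # Record the raw status and whether a '!' applies: a failed check
        # under '!' contributes a pass to the rule, not a failure.
        detail.append((name, "pass" if status else "fail", negated))
        return status
    if kind == "not":
        return not _eval(node[1], results, not negated, detail)
    left = _eval(node[1], results, negated, detail)
    right = _eval(node[2], results, negated, detail)
    return (left and right) if kind == "and" else (left or right)


def evaluate_rule(expr, results):
    """Return (rule_passed, detail); detail lists every check as
    (name, 'pass'|'fail', sits_under_not) in evaluation order."""
    detail = []
    passed = _eval(parse_rule(expr), results, False, detail)
    return passed, detail


if __name__ == "__main__":
    rule = "&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)"
    # Constructed results: no ehkeyctl.dll (not a Media Center build), so the
    # MS09-037 hotfix check is not required and the rule passes.
    print(evaluate_rule(rule, {"pc_Windows_ehkeyctl": False,
                               "pc_XP_MCE_KB973768_MS09-037": False}))
```

When triaging a red check in the agent report, look at the third element of the detail tuple: a 'fail' with sits_under_not set is the expected outcome the reply describes, while a 'fail' outside a NOT is what actually made the rule fail.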
-
Cisco NAC Server and asset number check? Would this work?
Hi all
A client raised a question when we introduced Cisco NAC today. They wondered: let's say a client with the Cisco NAC Agent installed is connected to the network switch. It has all the required applications and patch levels on the machine (posture validation check passes).
However, even if the client passes all the posture parameters, they want posture validation to fail if the client's host name (for most Windows laptops) does not exist in their asset database (this database is an asset number database in a similar format, or .csv).
Have you met a request like this before? Is there a function on the NAC server that checks a field against an external database such as an asset database?
Cheers.
Dumlu,
Currently it is not possible. You can create checks that verify values locally, but not against external data stores, so to match against your asset list, NAC would have to know all the workstation names beforehand and then check against that. It is unwieldy and very, very difficult to scale.
If it's something you and your client think would be a good addition (and it sounds like a good idea), please engage your account team and ask them to file a feature request for you.
Thank you
Faisal
-
Is it possible to reuse our NAC Server and Manager 3310 hardware with ISE?
Hello
You cannot reuse the NAC 3310; the 33x5 and ACS 1121 are the supported platforms for ISE. However, existing customers have upgrade benefits for moving to ISE. Please contact your Cisco partner, and if you don't have one you can reach out to me and I can help you.
Thank you
Tarik Admani
* Please rate useful posts *