NAC Guest Server replication

I have reimaged one of our 2 NAC Guest Servers and I now want to restart replication.

To set up replication using two Cisco NAC Guest Servers, the IP address of the remote server is configured on each server, and one of the following 2 options must be selected:

"This node contains the data."

"This node will copy the data of the other node."

Is 'this node' the remote server or the local server (where the configuration is done)?

Initial replication is configured by setting one of the Cisco NAC Guest Servers to copy all the data from the other Guest Server. The Guest Server that is configured to copy the data from the other appliance is first set to remove all of its own data. This ensures that no conflict exists. Cisco recommends setting up replication during the initial installation of the Cisco NAC Guest Server, or when you add a new Guest Server to an existing deployment. Once one of the Guest Servers has received a copy of the data from the other appliance, they are synchronized and replication is enabled. All data that is updated on one Guest Server is then automatically replicated to the other Guest Server.

Tags: Cisco Security

Similar Questions

  • NAC Guest Server

    Hi guru,

    Do we need a Cisco NAC appliance or wireless controller with the Cisco NAC Guest Server, or can the Cisco NAC Guest Server work independently?

    Is it possible to implement the Cisco NAC Guest Server without a NAC appliance or wireless LAN Controller?

    Best regards
    Ahmed Shahzad.

    Can you please check if you can access this link:

    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html.

    It's a fully detailed Cisco integrated local web authentication deployment and configuration guide.

    HTH,

    Tiago

  • NAC Guest Server - how to reactivate suspended users

    I wonder if it is possible to reactivate suspended users.

    My client wants to set up guest users for outside consultants who are on site for a few weeks each year. He doesn't want to create new users every year, but instead reactivate the accounts suspended from the previous year.

    Is there a way to reactivate suspended users?

    Is it handled differently depending on the time profile used?

    1. Start-End
    2. First Login
    3. From Creation
    4. Time Used

    Thank you
    Felix

    Hello

    I'm afraid that's not possible.

    As you thought, this is managed by the time profile function, and you have the 4 options you mentioned:

    1. Start-End
    2. First Login
    3. From Creation
    4. Time Used

    So once the account reaches the end of the time set by the time profile, it is no longer possible to use it.

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • NAC Guest Server with WLC

    Dear all,

    I just need to confirm whether it is possible to add the same WLC to the CAS (wireless users) as well as to the NAC Guest Server (wireless guest users), or do I need one WLC plus another one for the NAC Guest Server.

    Kind regards

    Hello Nameair

    You don't need a separate WLC... NAC Guest Servers are perfectly normal RADIUS servers, used for authentication. You can integrate your existing WLC, in addition to IB or OOB with your CAS, with the Guest Server. I attach a doc that gives information on the configuration of the WLC and Guest Servers.

    I hope this helps... all the best... happy new year to you. Please rate responses if deemed useful...

    REDA

  • NAC Guest Server and preconfigured account durations

    There seems to be a bug in the way the NAC Guest Server manages the preconfigured lifetime of guest accounts.

    I followed the manual and I did:

    - Set up 3 durations (24 h, 48 h and 1 week) under Templates / Accounts / Account Durations.

    - And set the value 'Maximum account duration' under User Groups

    I understand I should now be able to select one of the three configured durations when I log on as a sponsor.

    However, I only get the number I set on the user group.

    The strange thing is that if I change the maximum duration on the user group, I get that as the only choice (for example 14 days).

    Has anyone else experienced this?

    Best regards

    Steffen Lindemann

    You can use one of the options to set the number of days or hours.

    For days:

    Authentication > User Groups > Add Group | Edit Group includes two new parameters: the number of days in the future the account can be created, and the maximum duration of the account (in days).

    For hours:

    User Interface > Templates > Add Template / Edit Template > Accounts > Account Duration

    http://www.Cisco.com/en/us/docs/security/NAC/guestserver/Release_notes/11/gsrn110.html

  • Linux update on the NAC Guest Server 3315

    Hi all

    Is there an option to update the Linux OS pre-installed on the NAC later?

    Thank you

    Kind regards

    Vijay.

    Hello

    You do not have this option, as the Cisco NAC product line ships with a version of Linux that is tailored to the solution.

    Thank you

    Tarik Admani
    * Please rate useful posts *

  • Reset of the NAC server to factory default

    I have a NAC appliance CAM version 4.7(3). I want to get it back to factory defaults or clear all configuration,

    and the same with the server.

    Wael,

    Elly's right. For production systems, if you want to start over, the best idea is to re-image.

    If you are in a lab setting, you can reset the database on the CAM by running the following commands:

    - service perfigo stop
    - dropdb -h localhost -U postgres controlsmartdb
    - createdb -h localhost -U postgres controlsmartdb
    - psql -h localhost -U postgres controlsmartdb < >
    - service perfigo start

    For the CAS, you can remove the /perfigo/access/bin/env file and restart.

    HTH,

    Faisal

    --

    If you find this post useful, please rate it so that others can easily find the answer

  • Add NAC Server error

    Hello friends, I am adding a server to the CAM when the system displays an error telling me that I have reached the maximum number of sensors, when actually there isn't any server added to the CAM. What can be the cause of this unusual and strange behavior? Any suggestions? Thanks in advance.

    CAM Lite would be the license for the CAM itself, and it can handle up to 3 CASes.

    To actually add the CASes to the CAM, you need to install the CAM CAS license.

    Here is more information about CCA licenses for your reference:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/support_guide/license.html#wp42302

  • NAC replacement procedure

    Hi Experts,

    Our NAC 3315 does not work because of a hardware failure, so we are going to replace it. Could you kindly confirm the steps to take a backup and the procedure to restore it?

    Thank you

    Kind regards

    Vijay.

    Since there seems to be no method to perform a backup from the CLI on the 3315 appliance, we go the route of the workaround. This may seem a little out there, but it is the only way I can see a backup being created without using the WebGUI interface.

    First of all, do you have IP access to the NAC device?

    If this isn't the case, stop reading and contact TAC.

    If you have made configuration backups in the past, they are stored in the /guest/backups directory and can be transferred via FTP, SFTP, etc...

    If not, then download an upgrade file that is newer than the version you are running (if you are running the latest version, download the upgrade file for this version). In this case, v2.1. Transfer the file to your repository and run the upgrade on the NAC Guest Server.

    Note: Before the 2.1 upgrade, a snapshot backup of the existing 1.x or 2.0.x database is automatically created and stored in the guest.bak directory. In the case of an upgrade failure, Cisco recommends making a local backup of this directory.

    http://www.Cisco.com/en/us/docs/security/NAC/guestserver/Release_notes/21/gsrn21.html#wp111257

    Otherwise, I am at a loss on this issue.

    Please rate useful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • Maximum guest accounts on the NAC Guest Server 3315

    Hi Experts,

    What is the maximum number of accounts that can be created or maintained by the NAC Guest Server 3315?

    Thank you

    Kind regards

    Vijay.

    Sorry, you asked about the NAC Guest Server, not ISE.

    Q. Is there a limit to the number of guests that I can provision/authenticate with the Cisco NAC Guest Server?

    A. There are no limits to the number of sponsors who may use the system or guests that can be configured.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_qas0900aecd806f525a.html

    Please rate useful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • Real-IP Gateway process In-Band on the NAC

    Hi all

    I did a lot of research, and I cannot find good answers to some of my questions. All the big questions are answered for the out-of-band configuration, but I find that understanding of In-Band is taken for granted lol... I guess I'm slow =P

    1. How does the In-Band Real-IP Gateway work?
    2. What is the point of the /30 subnets?
    3. Are there access/auth VLAN pair configurations In-Band?
    4. How does quarantine work?
    5. I read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed a trunk port. Does this mean there is no support for several trusted VLANs mapped to a single NAC server?
    6. Can you do role mapping with In-Band configurations?

    Assistance for all or part of these questions would be GREATLY appreciated!

    Thank you a lot =]

    ~ Xavier.

    Hi Xavier,

    I'll try to answer your questions.

    1. How does the In-Band Real-IP Gateway work?

    The CAS works in routed mode, i.e. you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Because the CAS does not support routing protocols, routing must be configured through static routes.

    2. What is the point of the /30 subnets?

    The idea is to have small subnets for your clients so that, with this config, IP clients in the authentication VLAN must go through the CAS even to talk to other clients on the same L2 segment.

    Click here for an explanation:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/47/CAs/s_dhcp.html#wp1057889

    3. Are there access/auth VLAN pair configurations In-Band?

    If you are asking whether there is VLAN mapping, then the answer is NO, as the purpose of VLAN mapping is to *bridge* traffic between mapped trusted and untrusted VLANs, but in Real-IP the CAS routes traffic at L3.

    4. How does quarantine work?

    When a client is quarantined, it works the same way as OOB, as in this phase the client is still inline to the CAS.

    So the client is assigned by the CAS to the Temporary or Quarantine role, and the CAS applies the traffic policy you've set up for the Temporary or Quarantine role.

    5. I have read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed a trunk port. Does this mean there is no support for several trusted VLANs mapped to a single NAC server?

    The "single VLAN" restriction for a Real-IP CAS applies only to the *trusted* side. The CAS may be the default gateway for several VLANs / IP subnets on the *untrusted* side.

    Configure additional VLANs / IP addresses on the untrusted side by using the "managed subnet" configuration.

    This is mentioned here:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/CAs/s_deploy.html#wp1050938

    The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For more information on the setup of managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.

    6. Can you do role mapping with In-Band configurations?

    Yes, you can! However, you cannot assign a VLAN as you do in OOB, but you can assign different levels of access based on the IP traffic policies and bandwidth restrictions that you assign to the specific role.

    For example, check here for more details:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/cam/m_users.html#wp1040231

    In a word, regardless of In-Band vs Out-of-Band:

    - clients are In-Band in front of the CAS during the CAS detection, authentication, posture assessment and remediation phases.

    The main difference occurs when the user is allowed to access the network and you run the IB vs OOB role assignment:

    - in IB, client traffic keeps flowing inline to the CAS, so you can apply different access policies (ACLs) and bandwidth control depending on the role policies (but you cannot assign a VLAN);

    - in OOB, client traffic bypasses the CAS once it is authorized: in this case you can apply different VLANs, but (given that the CAS is no longer in the path) you cannot apply ACLs and/or bandwidth policy.

    I hope that answers your questions.

    Kind regards

    Federico

    --
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
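The /30 managed-subnet idea behind question 2 in the answer above, worked through in Python. This is an added example, not code from the thread or from Cisco: it carves a managed subnet into /30 leases the way a Real-IP CAS hands them out and then checks whether two clients in the same VLAN would ARP for each other directly or have to forward through their default gateway (the CAS). The address layout inside each /30 (first usable address = CAS gateway, second usable address = client) and the sample subnet 10.10.10.0/24 are assumptions for the demonstration.

```python
"""Added example (not from the original thread or from Cisco): why /30 DHCP
leases force every client packet through the In-Band Real-IP CAS.

Assumptions: inside each /30 the first usable address is the CAS gateway and
the second is the client; 10.10.10.0/24 is a constructed managed subnet.
"""
import ipaddress
from typing import List, Tuple

Lease = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address, ipaddress.IPv4Address]


def carve_30s(managed_subnet: str) -> List[Lease]:
    """Split a managed subnet into (network, gateway, client) /30 leases."""
    net = ipaddress.ip_network(managed_subnet, strict=True)
    if net.prefixlen > 30:
        raise ValueError("a managed subnet must be /30 or larger")
    leases: List[Lease] = []
    for sub in net.subnets(new_prefix=30):
        gateway, client = list(sub.hosts())  # a /30 has exactly two usable hosts
        leases.append((sub, gateway, client))
    return leases


def lease_count(managed_subnet: str) -> int:
    """How many clients the managed subnet can serve in /30 mode (a /24 gives 64, not 253)."""
    return len(carve_30s(managed_subnet))


def is_on_link(src_interface: str, dst_ip: str) -> bool:
    """True if the source host would ARP for dst directly (dst inside its own subnet mask),
    False if it must hand the packet to its default gateway, i.e. the CAS."""
    iface = ipaddress.ip_interface(src_interface)
    return ipaddress.ip_address(dst_ip) in iface.network


if __name__ == "__main__":
    # Constructed example: the CAS manages 10.10.10.0/24 on its untrusted side.
    for sub, gw, client in carve_30s("10.10.10.0/24")[:3]:
        print(f"{sub}  gateway={gw}  client={client}")
    print("clients served in /30 mode:", lease_count("10.10.10.0/24"))
    # Two clients in the same VLAN and the same /24, but in different /30 leases:
    print("10.10.10.2/30 -> 10.10.10.6 on-link?", is_on_link("10.10.10.2/30", "10.10.10.6"))
    # The same two hosts if the CAS handed out ordinary /24 leases instead:
    print("10.10.10.2/24 -> 10.10.10.6 on-link?", is_on_link("10.10.10.2/24", "10.10.10.6"))
```

With /30 leases the second client is off-link, so the first client sends the frame to its gateway and the CAS gets to apply the role's traffic policy; with /24 leases the two hosts would talk at L2 and the CAS would never see the traffic. The cost is visible in lease_count: a /24 serves 64 clients instead of 253.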

  • NAC switch configuration

    Hello!!

    I bought a NAC server and a NAC manager, to centrally manage the VLAN that users connect to based on authentication.

    I have several sites, but the NAC server will be at headquarters.

    When a remote user authenticates, NAC must configure the user's switch port for the right VLAN.

    Is this an out-of-band solution?

    Do I need a specific license for out-of-band?

    Best regards,

    Miguel Amaral

    Hello

    It's the same pattern: you need 2 licenses, one for the CAM and the other for the CAS.

    The CAM one sets the number of CASes you can add.

    The CAS one defines how many users are supported.

    So either the CAS PAK has been lost, or it was never bought.

    In both cases, you will need to contact the entity that sold the devices and ask for the CAS PAK.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • NAC rules and logic

    I have a question about WinXP rules on the NAC server and, more specifically, if a check reports a failure but it's part of a ! (negated) rule, does this mean it passes? For example:


    &(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037) (red indicates failure)

    The NAC reports this as a failed check:

    pc_Windows_ehkeyctl, File Check [$SYSTEM_ROOT\ehome\ehkeyctl.dll exists]

    Is it a failure because it finds the file and there is a negation on the rule?

    What about this:


    &(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)

    The first part reports as a pass, and the second reports a failure... but logically this part of the rule should pass because only the first part is needed? Is that correct?

    Thank you!

    Gavin - Budd

    It actually reports a check failure - and in many cases it is expected (and confusing!). For example, with the preconfigured Windows checks, if it is a 32-bit client you will see the 64-bit check fail.

    Same with your second example check

    &(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)

    We expect either NOT the first check, or a pass on the second check - but one of these checks will show as failed. Clear as mud?

  • Cisco NAC server and asset number check? Would this work?

    Hi all

    A client raised a question when we introduced Cisco NAC today. They wondered, let's say, a client with the Cisco NAC agent installed is connected to the network switch. It has all the required applications and patch levels on its machine (posture validation check passes).

    However, even if the client passes the posture check on all parameters, they want posture validation to fail if the host name of the client (for most Windows laptops) does not exist in their asset database (this database is an asset number database in a .csv-like format).

    Have you met a request like this before? Is there a function on the NAC server which checks a field against an external database such as an asset database?

    See you soon.

    Dumlu,

    Currently, it is not possible. You can create checks that verify values locally, but not against external data stores, so to map this against your thinking, NAC would have to know all the workstation names beforehand and then check against that. It is unwieldy and very, very difficult to scale.

    If it's something you and your client think would be a good addition (and it sounds like a good idea), please engage with your account team and ask them to submit a feature request for you.

    Thank you

    Faisal

  • Reuse NAC hardware

    Is it possible to reuse our NAC Server and Manager 3310 hardware with ISE?

    Hello

    You cannot reuse the NAC 3310; the 33x5 and ACS 1121 are the supported platforms for ISE. However, existing customers have benefits for the upgrade to ISE. Please contact your Cisco partner, and if you don't have one you can reach out to me and I can help you.

    Thank you

    Tarik Admani
    * Please rate useful posts *
