Configuration of NAC OOB

Hello!

I am implementing a NAC OOB solution. The CAS and CAM are in the data center on a remote network, and I need to check the VLAN that my users access on my remote sites.

How can I make them authenticate on the remote CAS? (The CAS is on a remote network.)

TKX

Miguel

Hello

Well, it looks like you are just starting, so I advise you to consult the OOB concepts and guidelines:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.

You have the L2/L3 mode.

You have the mode OOB/NVI.

You have the real/virtual IP gateway mode.

You have 2 main VLANs for clients: the access (trusted) VLAN and the authentication (untrusted) VLAN.

The goal is to make the client enter the auth VLAN before logon, with its traffic going through the CAS, so that the CAS can permit/deny the client to pass traffic.

You also have nice chalk talks where you can see videos explaining the steps to configure several functions/deployments:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.

HTH,
Tiago

--

If this helps you or answers your question, please mark it as 'responded' or rate it, so that other users can easily find it.


Similar Questions

  • NAC OOB AD SSO

    Hello

    I am configuring NAC OOB SSO with AD. The software on my CAS and CAM is 4.7(2), and my AD is Windows Server 2008.

    I have some information that I must not run ktpass on the AD server with this version of the NAC software (4.7.2). Is this true? Because I found this kind of information in any textbook.

    So should I run ktpass, and if I do, what version should I use?

    Thank you

    Zoran,

    Check out this link. Even though it says it's for 4.8, it works with 4.7.2 also:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/48/CAs/s_adsso.html#wp1300720

    HTH,

    Faisal

  • The NAC - OOB L2 authentication login page - does not appear!

    Hi all

    We have 2 NAC Managers and 2 NAC Servers, in a failover solution. Our deployment is OOB layer 2 virtual Central Passage. We have successfully added the SIN in the NAM and completed the requirements in the NAM: setting up the VLAN mapping (from untrusted VLAN 913 to trusted VLAN 910), adding the managed subnet, change profile, profile, adding the switches (Cisco 3560) to the NAM, the user role configuration, the local users and also the port user login page.
    Then we tested it by connecting a PC to a controlled port on the switch.
    The controlled port configuration was VLAN 910 and, after connecting the PC, it was changed to VLAN 913. We then successfully obtained an IP address from the DHCP that is configured on the switch, but the authentication login page appeared! Also, when we disconnect the PC from this port, the configuration is not changed back from VLAN 913 to VLAN 910, so we change it manually each time to do our tests.

    What should we do so that the login page appears and the NAM automatically changes the port configuration after the PC is disconnected?

    Thanks in advance.

    AD SSO is supported with the Windows 2003, but with 2008, only single server is supported and which should also be 32-bit. 64-bit servers are not yet supported.

    HTH,

    Faisal

  • Problem of NAC OOB - move users between ports

    Hello

    I have a problem with an OOB deployment I am currently working on: when I move an authenticated OOB client from one switch to another, it gets stuck in the auth VLAN. It seems NAC does not correctly detect the new port.

    That's what I've done to reproduce the problem in detail:

    (1) A computer is connected to port 'a' on switch 'A' (A[a]). The port is automatically changed to the auth VLAN, and authentication and posture assessment are carried out.

    (2) The computer goes together, and the port is changed to the designated access VLAN. The OOB user appears in the list of online users, and the computer is added to the list of Discovered Clients (Wired). All the detailed information on the two pages is correct.

    (3) The computer goes offline. The OOB user is removed from the list of online users, but the computer remains in the list of discovered clients.

    (4) The computer is connected to port 'b' on switch 'B' (B[b]). The port is automatically changed to the auth VLAN, and authentication and posture assessment pass successfully once more. However, the information in the list of discovered clients is not updated, and in addition, the OOB user appears once more in the online users list, but with the location specified as port A[a]!

    The end result is that the computer is stuck in the auth VLAN and the NAC Agent authentication dialog keeps popping up.

    I tried the reverse scenario (port B[b] to port A[a]) after manually clearing all the user and client information, and the result was pretty much the same...

    Thank you

    Boris

    Boris,

    These commands allow the mac-move:

    mac-address-table notification mac-move

    snmp-server enable traps mac-notification change move

    HTH,

    Faisal

  • Basic configuration of NAC appliance

    I have a small project to authenticate about 100 users to access the network. We plan to use the Cisco NAC appliance. Just to clarify (I saw some posts but I'm not sure of the correct answer): do I need 2 separate devices, one as a server and the other as a controller, or do I just need one to do both tasks?

    Thank you

    -Arturo

    Hi Arturo,

    You need two devices to operate: a Manager and a Server.

    There is a great Cisco Press book on the NAC appliance by James Heary that will give you a lot of details and information on the configuration of the devices.

    I hope this helps.

    Paul

  • Adding an additional CAS to an existing deployment of NAC OOB 4.7.3

    Hi guys,

    If I add the self-signed certificate of my new CAS to the trusted certificate authorities list of my existing CAM, will it just be added, or will it replace the existing trusted certificate?

    Hi Adrien,

    "Certification authorities" holds the certificates of all the root CAs and also the self-signed certs that the CAM/CAS trusts. So whenever you add a root/self-signed certificate to this list, it is added to the list and does not replace any of the certs. This link gives more information:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/CAs/s_admin.html#wp1092761

    Kind regards

    SOM

    PS: Please mark the question as answered if it has been answered. Rate the useful posts. Thank you.

  • Help the NAC OOB Windows SSO

    We have just upgraded from Windows 2003 AD to Win2k8 R2 and Single Sign-On has stopped working. Authentication works very well, but the NAC agent does not use the Windows credentials. Users must enter their user name and password manually.

    The AD server is a new server but has the same IP addresses as the old one. I'm running CAM/CAS 4.7.2.

    Gregg

    Gregg,

    2k8 does not by default, so I suspect that is where it's failing. Please look at the following sections and rerun ktpass (preferably on a new user) as shown in the link:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/47/CAs/s_adsso.html#wp1257882

    HTH,

    Faisal

    --

    If you find this post useful, please rate it so that others can easily find the answer.

  • NAC Appliance OOB L3

    Hello world

    "My friend" (:-)) which I want to deploy NAC OOB L3.

    Why this one? Because it has a central location and a few branches (a little more in fact) and these branches are 2 L3 hops from the center. Specifically, there is an L3 switch as the gateway for the users of the LAN, and after that a router that connects to the center (GRE/IPSec).

    Here is what I failed to find or work out by myself: is it mandatory to use a DHCP server to allocate IPs to clients (for all their states: unauthenticated, authenticated, etc.)?

    If not, how should it be done?

    Second: if it is mandatory, does it only work with a centrally deployed DHCP server, or can I use the L3 switch in each branch as a DHCP server?

    Thank you for your patience.

    DHCP is required for real-IP gateway L3 OOB, given that the system will have to obtain a new address when it is permitted to VLAN and then again after the posture process when it is switched back to its 'normal' VLAN.

    As for the DHCP server, you can use a central server, have a local switch provide addresses, or use a combination of both.

    In our facility, the local switch is the DHCP server for the auth VLAN and a local server is used for the access VLAN.

    Mike

  • Being driven nuts by Cisco NAC! Help!

    Hi all

    Getting desperate here... I have been trying to get the Cisco NAC solution (Cisco NAC 3310) to work, but with limited success, and the results are currently desperately random. I have a lot of experience with Cisco products and so far this has been the most painful :-( Any help here would be gladly appreciated!

    OK, here's the setup: the CAM and CAS are configured in OOB VG mode (Layer 2). I installed everything by following the guide from Cisco (I hope): different VLANs for the CAS and the CAM, VLAN mapping, managed subnets, switch profiles configured, etc. Yet I get strange results: some PCs are unable to connect to the network, even though the managed switch port successfully informs the CAM that a new MAC is detected (the switch port changes from the initial VLAN to the auth VLAN). I have racked my brain trying to figure out what's wrong; the event logs do not indicate many problems. Just to check on some uncertainties:

    1. For the managed subnet IP, should I check the box "Enable subnet based Vlan change?"

    2. For the managed subnet, should I put the IP address of the managed subnet as the IP of the gateway? E.g. VLAN 110 (untrusted VLAN) is mapped to VLAN 10 (trusted VLAN), which is the 10.1.10.0/24 subnet. The gateway is 10.1.10.254. So should I configure the managed subnet IP/netmask as 10.1.10.254/255.255.255.0? Or choose another unused IP address from that subnet (for example 10.1.10.1)?

    3. I am also experiencing the situation where, after connecting successfully (passing the NAC verification etc.), I unplugged my laptop from the managed switch port and reconnected after a while. This time no authentication happens, but the network connectivity is broken (even though the Cisco Agent is running). It seems that the network port is placed in the auth VLAN, yet nothing prompts me to log in. Any ideas?

    W

    Woon,

    What policies do you have on your current user roles?

    You can try allowing all TCP/UDP and fragments to see if not connect at all times.

    Right-click on the agent as well and select Properties. Make sure that there is no discovery host, since it is an L2 implementation.

    Please also rate the previous post, so that others with similar problems will look at this thread.

    Thank you!

  • Cisco NAC - VLAN ID mapping rules

    Hello

    I have a NAC L3 OOB real-IP gateway environment.

    The NAC is version 4.8.1.

    Each floor of the company has an access VLAN, an auth VLAN and a user role.

    I set up an LDAP server, where the default role is unauthenticated and the mapping rules are based on the auth VLAN ID of each floor.

    Ex: The access VLAN of the 8th floor is 380, the auth VLAN is 908 and the user role is FuncionariosB8.

    When I run a Test Auth, the result is as expected and the user is mapped to the desired role.

    But in production, the user gets the unauthenticated role by default.

    The attached figures show my settings in the NAC.

    The logfile below is taken from nac_manager.log

    2011-02-25 17:42:23.091 + 0100 [TP-Processor23] INFO com.perfigo.wlan.web.admin.UserInfoManager - UIM - removeUsersByMacList: 0 1 MACs users

    2011-02-25 17:42:44.709 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - Cond #1:AuthServerMapCondition: mapid = 1 condId = 1 type = 2 lOp = VLAN ID op = equals rOp = 907

    2011-02-25 17:42:44.709 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - conditions - {1 = false}

    2011-02-25 17:42:44.709 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - Cond #1:AuthServerMapCondition: mapid = 0 condId = 1 type = 2 lOp = VLAN ID op = equals rOp = 908

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - conditions - {1 = false}

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - Cond #1:AuthServerMapCondition: mapid = 2 condId = 1 type = 2 lOp = VLAN ID op = equals rOp = 909

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - conditions - {1 = false}

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - Cond #1:AuthServerMapCondition: mapid = 3 condId = 1 type = 2 lOp = VLAN ID op = equals rOp = 929

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - conditions - {1 = false}

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - Cond #1:AuthServerMapCondition: mapid = 8 condId = 1 type = 2 lOp = VLAN ID op = equals rOp = 928

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - conditions - {1 = false}

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - Cond #1:AuthServerMapCondition: mapid = 11 condId = 1 type = 2 lOp = VLAN ID op = equals rOp = 910

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - conditions - {1 = false}

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - Cond #1:AuthServerMapCondition: mapid = 13 = 1 type = 2 lOp = VLAN ID op = condId is equivalent to rOp = 931

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - conditions - {1 = false}

    2011-02-25 17:42:44.710 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - Cond #1:AuthServerMapCondition: mapid = 15 condId = 1 type = 2 lOp = VLAN ID op = equals rOp = 911

    2011-02-25 17:42:44.711 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - conditions - {1 = false}

    2011-02-25 17:42:44.711 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - Cond #1:AuthServerMapCondition: mapid = 17 condId = 1 type = 2 lOp = VLAN ID op = equals rOp = 912

    2011-02-25 17:42:44.711 + 0100 [TP-Processor23] INFO c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - conditions - {1 = false}

    2011-02-25 17:42:49.103 + 0100 [Thread-72] ERROR com.perfigo.wlan.web.sms.SnmpUtil - do not have access VLAN for the port of the switch [10.5.0.121] [88]. Use default access VLAN 380.

    2011-02-25 17:42:49.354 + 0100 [Thread-73] ERROR com.perfigo.wlan.web.sms.SnmpUtil - do not have access VLAN for the port of the switch [10.5.0.121] [88]. Use default access VLAN 380.

    Can you help me with this problem? Or should I open a TAC case?

    Kind regards

    Daniel Stefani

    Are the connections between the switches L3?

    Do you have an L3 routing protocol active in your network?

    What is your deployment model for NAC, is a VG OOB L2 or L3 OOB RG?

    Kamil
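Added example, not part of the original thread and not Cisco tooling: a small Python parser for the `RoleMappingEvaluator` lines quoted in the question above, listing each VLAN ID condition the CAM evaluated and its result, plus the `SnmpUtil` access-VLAN fallbacks. The sample lines are constructed in the shape (and spacing) of the quoted excerpt, and every function name and the `expected_vlan` parameter are assumptions of this example.

```python
import re

# Constructed sample: three rule evaluations and one SnmpUtil line, built in
# the shape (including spacing) of the nac_manager.log excerpt in the post.
_PFX = ("2011-02-25 17:42:44.709 + 0100 [TP-Processor23] INFO "
        "c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator - ")

def make_rule_lines(mapid, vlan, result="false"):
    """Build one condition line and its result line (constructed sample data)."""
    return (f"{_PFX}Cond #1:AuthServerMapCondition: mapid = {mapid} condId = 1 "
            f"type = 2 lOp = VLAN ID op = equals rOp = {vlan}\n"
            f"{_PFX}conditions - {{1 = {result}}}\n")

SAMPLE_LOG = (
    make_rule_lines(1, 907) + make_rule_lines(0, 908) + make_rule_lines(2, 909)
    + "2011-02-25 17:42:49.103 + 0100 [Thread-72] ERROR "
      "com.perfigo.wlan.web.sms.SnmpUtil - do not have access VLAN for the "
      "port of the switch [10.5.0.121] [88]. Use default access VLAN 380.\n")

# Whitespace around '=' is optional so the patterns tolerate both spacings.
COND_RE = re.compile(
    r"Cond #(?P<cond>\d+):AuthServerMapCondition:\s*mapid\s*=\s*(?P<mapid>\d+)"
    r".*?lOp\s*=\s*(?P<lop>.+?)\s+op\s*=\s*(?P<op>\S+)\s+rOp\s*=\s*(?P<rop>\S+)")
RESULT_RE = re.compile(r"RoleMappingEvaluator - conditions - \{(?P<body>[^}]*)\}")
RESULT_ITEM_RE = re.compile(r"(\d+)\s*=\s*(true|false)")
# Message wording is taken as quoted in the post; only the bracketed fields
# and the trailing VLAN number are relied on.
FALLBACK_RE = re.compile(
    r"SnmpUtil - .*?\[(?P<switch>[\d.]+)\]\s*\[(?P<port>\d+)\]\.\s*"
    r"Use default access VLAN (?P<vlan>\d+)")

def parse_conditions(log_text):
    """Pair each mapping condition with the result line that follows it."""
    records, pending = [], []
    for line in log_text.splitlines():
        cond = COND_RE.search(line)
        if cond:
            pending.append(cond.groupdict())
            continue
        res = RESULT_RE.search(line)
        if res and pending:
            # Assumption: keys in {1 = false} are the "Cond #n" numbers.
            outcome = dict(RESULT_ITEM_RE.findall(res.group("body")))
            for c in pending:
                records.append({
                    "mapid": int(c["mapid"]),
                    "attribute": c["lop"].strip(),
                    "op": c["op"],
                    "value": c["rop"],
                    "result": outcome.get(c["cond"]) == "true",
                })
            pending = []
    return records

def diagnose(log_text, expected_vlan):
    """Summarise VLAN ID rule evaluation for one login attempt."""
    vlan_conds = [c for c in parse_conditions(log_text)
                  if c["attribute"] == "VLAN ID"]
    expected = str(expected_vlan)
    return {
        "tested_vlan_ids": sorted(int(c["value"]) for c in vlan_conds
                                  if c["value"].isdigit()),
        "any_condition_true": any(c["result"] for c in vlan_conds),
        # True means the rule for the expected VLAN was reached but the VLAN ID
        # the CAM compared against it was a different value.
        "expected_vlan_evaluated_false": any(
            c["value"] == expected and not c["result"] for c in vlan_conds),
        "access_vlan_fallbacks": [
            (m["switch"], int(m["port"]), int(m["vlan"]))
            for m in FALLBACK_RE.finditer(log_text)],
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, 908))
```

When `expected_vlan_evaluated_false` is true, as it is for VLAN 908 here, the mapping rule exists and was evaluated, so the next thing to check is which VLAN ID the CAM actually received for that login.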

  • NAC - STUCK IN THE AUTHENTICATION VLAN IF THE PC IS CONNECTED TO THE CISCO IP PHONE

    Hello

    I have configured my NAC in L3 OOB. If I connect my PC directly to the switch I have no problem: I can access the network as an out-of-band user and I can pass authentication. BUT IF I CONNECT a Cisco IP phone to the switch and my PC is connected to the Cisco IP phone, I'm stuck in the authentication VLAN and cannot access the network. The event logs of my CAM say that it detects several MAC addresses.

    Please guys help me with this problem...

    Thank you and best regards.

    Hello

    Have you added your phone MAC address to your CAM in the filter to IGNORE it?

    Faisal

  • NAC and change IP address

    Hi all

    We use NAC OOB, L3, real-IP gateway with AD SSO. When users log on to the computer, the PC is supposed to change its IP address after authentication with the Windows user account. But because of security policy, users cannot change the IP address, so changing the IP address fails. Is there a workaround for this issue? Should we change our security policy and allow users to have the right to change the IP address?

    In this case, what security setting in GPO should be changed to give them permission to run the "ipconfig /renew" command?

    any suggestions would be much appreciated.

    Thank you

    Alex

    You must install the stub first with admin rights. Then, once the user logs in with their own (non-administrator) rights and needs to do anything administrative (like change the IP address), the agent asks the stub to do it, and it works.

    Click on the link I sent. It has a lot more details :)

    HTH,

    Faisal

  • WLC 5508 internal DHCP server issues

    Hello

    I'm hoping to get your comments on the DHCP issues I am facing with two centrally switched wireless LANs. I have attempted to explain the installation and the problems below and would be grateful if anyone can suggest a solution for the problems I am facing:

    The configuration is the following:

    - I have a WLC 5508, which has been configured with 4 SSIDs, of which 2 use central authentication and switching.
    - I have a LWAP connected to the WLC in HREAP mode.
    - The WLC is configured as a DHCP server for clients that connect to the SSID "Guest." For the rest, I'm using an external DHCP server.
    - Only one scope, for the comments interface, is configured on the WLC.

    Problems:

    1. As far as I know, for the WLC to serve as an internal DHCP server, it is mandatory to have the proxy enabled, but the clients connecting to the 'Internet' SSID are unable to get an IP address from the external DHCP server if the DHCP proxy is enabled on the WLC. If I disable the proxy, everything works fine.

    2. DHCP does not release the IP addresses assigned to clients, even after they are connected.

    3. If a machine that has previously been connected to the "Guest" SSID connects to the 'Internet' SSID, it asks for the same IP address it was assigned by the WLC under "Guest", and it gets tagged with the VLAN configured on the management interface.

    The controller output *.

    (Cisco Controller) > show sysinfo

    Name of the manufacturer... Cisco Systems Inc..
    Product name... Cisco controller
    Version of the product... 7.0.116.0
    Bootloader Version... 1.0.1
    Retrieving Image Version field... 6.0.182.0
    Firmware version... Console USB 1.3, 1.6 Env FPGA, 1.27
    Build Type....................................... DATA + WPS, LDPE

    (Cisco Controller) > show interface summary

    Name interface Vlan Id IP port address Type Ap Mgr. Guest
    -------------------------------- ---- -------- --------------- ------- ------ --
    1 301 10.255.255.30 dynamic guest no no
    Management 1 100 172.17.1.30 static yes no

    service-port s/o s/o 192.168.0.1 static no no
    n/a n/a 10.0.0.1 no nonstatic virtual

    (Cisco Controller) > show wlan summary

    Number of wireless LANs... 4

    Profile WIFI WLAN ID name / name of the SSID status Interface
    -------  -------------------------------------  --------  --------------------
    1 active LAN management
    2 active Internet management
    3 active active management management
    4 comments comments enabled

    (Cisco Controller) > show dhcp detailed comments

    Scope: comments

    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day)
    Pool Start....................................... 10.255.255.31
    Pool End......................................... 10.255.255.254
    Network.......................................... 10.255.255.0
    Netmask.......................................... 255.255.255.0
    Default routers... 10.255.255.1 0.0.0.0 0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 8.8.8.8 8.8.4.4 0.0.0.0
    NetBIOS name servers... 0.0.0.0 0.0.0.0 0.0.0.0

    (Cisco Controller) > show detailed interface management

    ... Management interface
    MAC address... e8:b7:48:9b:84:20
    IP Address....................................... 172.17.1.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 172.17.1.1
    State IP NAT outside... People with disabilities
    External IP NAT... 0.0.0.0
    VLAN............................................. 100
    Quarantine-vlan... 0
    Active physical Port... 1
    The primary physical Port... 1
    Port of physical backup... Not configured
    Primary DHCP server... 172.30.50.1
    Secondary DHCP server... Not configured
    Option DHCP 82... People with disabilities
    ACL.............................................. Not configured
    AP Manager....................................... Yes
    Comments interface... NO.
    L2 multicast... Activated

    (Cisco Controller) > show detailed comments from interface

    Interface name... Comments
    MAC address... e8:b7:48:9b:84:24
    IP Address....................................... 10.255.255.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.255.255.1
    State IP NAT outside... People with disabilities
    External IP NAT... 0.0.0.0
    VLAN............................................. 301
    Quarantine-vlan... 0
    Active physical Port... 1
    The primary physical Port... 1
    Port of physical backup... Not configured
    Primary DHCP server... Not configured
    Secondary DHCP server... Not configured
    Option DHCP 82... People with disabilities
    ACL.............................................. Not configured
    AP Manager....................................... NO.
    Comments interface... NO.
    L2 multicast... Activated

    (Cisco Controller) > show dhcp leases

    IP MAC remaining rental period
    00:21:6a:9c:03:04 10.255.255.46 23 hours, 52 minutes, 42 seconds < lease remains even when the client is >

    Example of a client connected to the right VLAN with an IP address from the incorrect interface:

    (Cisco Controller) > show customer detail 00:21:6a:9c:03:04
    MAC address of the client... 00:21:6a:9c:03:04
    User name of the client... N/A
    AP MAC address... a0:cf:5b:00:49:c0
    AP Name.......................................... mel
    Status of the client... Associates
    Customer of the NAC OOB State... Access
    Wireless LAN Id... 2 < 'internet' >
    BSSID... a0:cf:5 b: 00:49: this
    Connected to... dry 319
    Channel.......................................... 36
    IP Address....................................... 10.255.255.46 < ip address assigned from the 'guest' interface or dhcp scope on the >
    Association ID... 1
    Authentication algorithm... Open System
    Reason code... 1
    Status code... 0
    Session timeout... 1800
    Client CCX version... 4
    Version of E2E customer... 1
    QoS Level........................................ Silver
    Beacon priority P 802,1... disabled
    Support WMM... Activated
    Power Save....................................... OFF
    State of mobility... Local
    County of movement mobility... 0
    Complete security policy... Yes
    State Policy Manager... RUN
    Policy Manager rule created... Yes
    ACL name... no
    Status to apply ACL... Not available
    Type of strategy... N/A
    Encryption Cipher... None
    Protection management framework... NO.
    EAP Type......................................... Unknown
    Data HARVEST-H switching... Central
    H - HARVEST authentication... Central
    Management of the interface...
    VLAN............................................. 100 < right >
    Quarantine VLAN... 0
    Access VIRTUAL LAN... 100

    Well, that's good news. At least you have it working.

    Thank you

    Scott Fella


  • Out-of-Band management on the servers in the DMZ

    Hi, I have four PC7048s in my DMZ: external-facing, internal-facing and 2 separate DMZs. Everything is good. All working.

    Since they are in the DMZ I want them only to route between them, and so I turned off HTTP, HTTPS, Telnet and SSH management so that they cannot be managed remotely from the DMZ subnets.

    I then plugged the OOB interfaces into my internal management switch and put them in VLANs accordingly. Very well, now I can ping my OOB interfaces on all four. But I can't manage them because I have disabled SSH, HTTPS, HTTP and Telnet.

    If I enable them (just SSH and HTTPS) I am now able to manage the DMZ switches on the DMZ subnet IPs.

    I thought that the point of OOB was that this does not happen and there is isolation? If I have to turn on HTTPS and SSH globally, then they are not really well isolated (I understand that OOB traffic cannot talk to in-band etc.; the issue is the fact that I turn on a global configuration for the remote OOB service).

    Am I missing something?

    Thank you

    Your results are correct. To lock down management further, I suggest looking at implementing ACLs. With an ACL you can permit/deny access to the various management services.

    Page 1471 of the user guide goes over these commands.

    FTP.Dell.com/.../PowerConnect-7048r_Reference%20Guide_en-US.pdf

    Thank you

  • VLAN question Unauthentication scaling

    Hi all

    I'm in the process of creating a NAC OOB solution. The solution is being scaled for 2700 end users. Is there a rule to determine the scale of an authenticated VLAN?

    Dirk

    Hello

    You should always have 1-1 VLAN mapping in virtual gateway deployments, so that the CAS can put client traffic, prior to authentication, on the corresponding access VLAN, to get an IP address for example.

    Only if you use Real-IP gateway is there no VLAN mapping, as the CAS acts as a router for the client VLAN.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'responded' or rate it, so that other users can easily find it.
