Configuration of the switch of the NAC

Hello!!

I bought a NAC Server and a NAC Manager, to centrally manage the VLAN that users connect to based on authentication.

I have several sites, but the NAC server will be at Headquarters.

When a remote user authenticates, NAC must configure the user's switch port for the right VLAN.

What is an out-of-band solution?

Do I need a specific license for out-of-band?

Best of luck,

Miguel Amaral

Hello

It's the same pattern: you need 2 licenses, one for the CAM and the other for the CAS.

One CAM sets the number of CASes you can add.

That CAS defines how many users are supported.

So either the CAS PAK has been lost, or it was never bought.

In both cases, you will need to contact the entity that sold the devices and ask for the CAS PAK.

HTH,

Tiago

--

If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.

Tags: Cisco Security

Similar Questions

  • Verification of the Configuration of the NAC/CCA: OOB + virtual gateway (L2)

    Hello

    I'm currently setting up an out-of-band (OOB) NAC deployment with virtual gateway. Can someone please check my configs below:

    Central office switch:
    ------------------------------------
    VLAN database:
    ----------------
    !
    vlan 10
     name VLAN_DEPT1
    !
    vlan 11
     name VLAN_DEPT2
    !
    vlan 20
     name VLAN_DEPT3
    !
    vlan 26
     name VLAN_DEPT4
    !
    vlan 27
     name VLAN_DEPT5
    !
    vlan 28
     name VLAN_DEPT6
    !
    vlan 29
     name VLAN_DEPT7
    !
    vlan 30
     name VLAN_DEPT8
    !
    vlan 32
     name VLAN_DEPT9
    !
    vlan 50
     name VLAN_NetMGT
    !
    vlan 51
     name VLAN_CAS_MGT
    !
    vlan 52
     name VLAN_CAM_MGT
    !
    vlan 210
     name VLAN_DEPT1_Auth
    !
    vlan 211
     name VLAN_DEPT2_Auth
    !
    vlan 220
     name VLAN_DEPT3_Auth
    !
    vlan 226
     name VLAN_DEPT4_Auth
    !
    vlan 227
     name VLAN_DEPT5_Auth
    !
    vlan 228
     name VLAN_DEPT6_Auth
    !
    vlan 229
     name VLAN_DEPT7_Auth
    !
    vlan 230
     name VLAN_DEPT8_Auth
    !
    vlan 232
     name VLAN_DEPT9_Auth
    !
    !
    Interface configs
    --------------------
    interface GigabitEthernet3/41
     description Link to eth0 Cisco CAM - PRI
     switchport access vlan 52
     switchport mode access
     spanning-tree portfast
     spanning-tree guard root
     no cdp enable
     no ip address
    !
    interface GigabitEthernet3/42
     description Link to eth0 Cisco CAM - FO
     switchport access vlan 52
     switchport mode access
     spanning-tree portfast
     spanning-tree guard root
     no cdp enable
     no ip address
    !
    interface GigabitEthernet3/43
     description Trunk to eth1 Cisco CAS - PRI / untrusted network
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 777
     switchport mode trunk
     switchport trunk allowed vlan 210,211,220,226-230,232
    !
    interface GigabitEthernet3/44
     description Trunk to eth1 Cisco CAS - FO / untrusted network
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 777
     switchport mode trunk
     switchport trunk allowed vlan 210,211,220,226-230,232
    !
    interface GigabitEthernet3/46
     description Link to eth0 Cisco CAS - PRI / trusted network
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 700
     switchport mode trunk
     switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    !
    interface GigabitEthernet3/48
     description Link to eth0 Cisco CAS - FO / trusted network
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 700
     switchport mode trunk
     switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    !
    !
    interface GigabitEthernet1/1
     description Trunk link to DEPT1 access SW
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 700
     switchport mode trunk
    !
    ! - Example of an interface VLAN.
    interface Vlan10
     description DEPT1 VLAN
     ip address x.x.10.1 255.255.255.0
     ip helper-address x.x.50.5
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no ip route-cache
     no ip mroute-cache
    ! - No interface VLAN for auth VLAN 210.
    *
    *
    *
    Access switch configuration
    -----------------------------------
    interface GigabitEthernet0/1
     description Trunk link to central office switch
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 700
     switchport mode trunk
     no ip address
    !
    !
    interface GigabitEthernet0/6
     switchport access vlan 30
     switchport mode access
     spanning-tree portfast
     spanning-tree guard root
     no cdp enable
     no ip address
    !
    =========================================

    Is the above configuration correct?

    Thank you

    The config looks OK, but we recommend using a dummy native VLAN on the trusted and untrusted trunk ports.

    When you connect the client computer on port 0/6, make sure that it moves from VLAN 30 --> 230.

    Thank you

    Syed
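As an added example (not code from the original post or from Cisco), the script below checks the OOB design rules this thread relies on against a constructed, abridged copy of the posted config: the untrusted trunk toward the CAS carries only auth VLANs, the trusted trunk carries no auth VLAN, no SVI exists on an auth VLAN, and each trunk's native VLAN is a dummy that belongs to neither set (Syed's point). Interface names and VLAN numbers come from the post; the N <-> N+200 pairing, the `_Auth` naming rule and the two mistakes planted in the sample are assumptions for the demonstration.

```python
import re

AUTH_OFFSET = 200  # the post pairs access VLAN N with auth VLAN N + 200 (10 <-> 210)
# Constructed, abridged copy of the posted config with two planted mistakes:
# access VLAN 30 leaked onto the untrusted trunk, and an SVI on auth VLAN 230.
SAMPLE_CONFIG = """\
vlan 10
 name VLAN_DEPT1
vlan 30
 name VLAN_DEPT8
vlan 210
 name VLAN_DEPT1_Auth
vlan 230
 name VLAN_DEPT8_Auth
!
interface GigabitEthernet3/43
 description Trunk to eth1 Cisco CAS - PRI / untrusted network
 switchport trunk native vlan 777
 switchport trunk allowed vlan 210,230,30
interface GigabitEthernet3/46
 description Link to eth0 Cisco CAS - PRI / trusted network
 switchport trunk native vlan 700
 switchport trunk allowed vlan 10,30
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan230
 ip address 10.0.230.1 255.255.255.0
"""

def parse_config(text):
    """Return (vlan id -> name, interface name -> [sub-commands]) from IOS-style text."""
    vlans, ifaces, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"vlan (\d+)$", raw.rstrip()):         # top-level VLAN stanza
            cur = ("vlan", int(m.group(1)))
            vlans[cur[1]] = ""
        elif m := re.match(r"interface (\S+)$", raw.rstrip()):  # top-level interface stanza
            cur = ("iface", m.group(1))
            ifaces[cur[1]] = []
        elif cur and cur[0] == "vlan" and line.startswith("name "):
            vlans[cur[1]] = line[5:]
        elif cur and cur[0] == "iface":
            ifaces[cur[1]].append(line)
    return vlans, ifaces

def expand_vlan_list(spec):
    """Expand IOS allowed-vlan syntax such as '210,211,226-230,232' into a set."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def trunk_info(cmds):
    """Native VLAN and allowed-VLAN set of a trunk (None when not configured)."""
    native = allowed = None
    for c in cmds:
        if m := re.match(r"switchport trunk native vlan (\d+)$", c):
            native = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (\S+)$", c):
            allowed = expand_vlan_list(m.group(1))
    return native, allowed

def check_oob_config(text, untrusted_trunks, trusted_trunks):
    """Return a list of findings; an empty list means the OOB design rules hold."""
    vlans, ifaces = parse_config(text)
    auth = {v for v, n in vlans.items() if n.lower().endswith("_auth")}
    access = {v - AUTH_OFFSET for v in auth}
    findings = []
    for name in ifaces:  # an SVI on an auth VLAN gives unauthenticated hosts an L3 path
        if (m := re.match(r"Vlan(\d+)$", name)) and int(m.group(1)) in auth:
            findings.append(f"{name}: SVI on auth VLAN routes around the CAS")
    for name in untrusted_trunks + trusted_trunks:
        native, allowed = trunk_info(ifaces.get(name, []))
        if native in auth | access:
            findings.append(f"{name}: native VLAN {native} should be a dummy VLAN")
        if allowed is None:
            findings.append(f"{name}: trunk allows all VLANs; prune it")
        elif leak := (allowed - auth if name in untrusted_trunks else allowed & auth):
            findings.append(f"{name}: VLANs {sorted(leak)} do not belong on this trunk")
    return findings
```

Run it as `check_oob_config(SAMPLE_CONFIG, ["GigabitEthernet3/43"], ["GigabitEthernet3/46"])`; the two planted mistakes come back as findings, and the corrected config returns an empty list.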

  • Updating the switch configuration from Switch Executive 2.1 to 3.5

    Hello world

    I tried the update from Switch Executive 2.1 to 3.5 and found that my configurations have stopped working. To me, it looks like 3.5 dislikes my IVI configuration for the switching modules.

    The function check in MAX tells me that the PXI cards are not available. The first page of the switch configuration shows no configuration / terminal blocks.

    Because the configuration consists of nine matrices with lots of cards, I would really appreciate a way to properly import the old configurations (xml files are available).

    Any ideas?

    See you soon

    Oli

    Hi Oli,

    Yes, there was a major change in Switch Executive 3.5 - it now uses NI-DAQmx calls for the switching hardware. There is a KB documenting the upgrade process for a simulated configuration from an earlier version, but of course you can try the steps that make sense, too:

    Importing NI Switch Executive 3.0 and earlier virtual devices into NI Switch Executive 3.5 and later versions

    http://digital.NI.com/public.nsf/allkb/1D1099A85B156FA68625778500787444

    However, I have noticed that the KB uses a .txt configuration file instead of the .xml you have. I see two options here: first, if you still have a system with Switch Executive 2.1, you could probably export the settings in text form; or you can try to modify the .xml file manually to resemble the layout of the text file (probably a lot of work, as you would have to learn the structure of the text file by trial and error using newly created Switch Executive 3.5 configurations...)

    Best regards

    Sebastian

  • Best practices for the configuration of virtual switches with ESXi

    So we have a flat network, no VLANs. I have a total of 6 network adapters per ESX host... Since there is no Service Console, or it is shared with the Prod vSwitch, here is how I have configured the network adapters.

    Keep in mind, we use ESXi 3.5

    vSwitch0 - Vmotion - 2 NETWORK cards

    vSwitch1 - Vmkernel Port & Machine virtual port group - 4 NETWORK cards

    I have attached the screenshot.

    Please let me know if you do anything differently?

    Dave, bang on! The VMotion IP of ESXi will be used for the same purpose. Too much ESX on the brain, sorry.

    Each VM will get no more than 1 GbE over the four network adapters. Once a virtual machine is given a NIC, it will remain on that network card using the default configuration, and that is good because the virtual machines are distributed between the four of them.

    http://blog.laspina.ca/

    vExpert 2009

  • Ports of the NAC

    Hello Experts,

    I have some questions that came up while doing NAC work at one of our subsidiaries. If there are some user ports which are not selected for the NAC profile, is it possible (other than physical control of the user's device by enabling all ports & audit) to track the user ports that are not handled by NAC?

    Second, if the NAC user port is manually put on the user VLAN (rather than the quarantine or temporary VLAN), what is the correct order for that: must the NAC user port be manually set to the user VLAN, or should the port profile be set to uncontrolled, followed by a port bounce & update?

    Appreciate all help, thank you.

    Hello

    See online:

    If there are some user ports which are not selected for the NAC profile, is it possible (other than physical control of the user's device by enabling all ports & audit) to track the user ports that are not handled by NAC?

    [Tiago] On the CAM GUI, you can check which ports are controlled/uncontrolled. It is the only place where ports can be set to managed/unmanaged.

    Second, if the NAC user port is manually put on the user VLAN (rather than the quarantine or temporary VLAN), what is the correct order for that: must the NAC user port be manually set to the user VLAN, or should the port profile be set to uncontrolled, followed by a port bounce & update?

    [Tiago] When you configure the switch, the switchports can be put on the user VLAN or the default access VLAN. It depends on the port profile settings that you have configured. By default, when a port is managed, if a client connects, an SNMP trap is sent to the CAM. The CAM checks whether the machine is certified or not (it checks the MAC address). If the machine is not certified, the CAM changes the VLAN to the authentication VLAN configured on the port profile.

    So, whenever you connect a PC to a switchport, the CAM evaluates which VLAN is correct for the PC to start in and changes it accordingly.

    HTH,

    Tiago


  • NAC Profiler & ip helper-address support

    Hello

    I have a layer 3 OOB NAC Profiler deployment and I am trying to profile some IP phones at a remote location by using the ip helper-address statement on the interface of the remote router. The problem is that the remote router acts as the DHCP server for the voice VLAN and does not forward DHCP discovers to the NAC Collectors, so I can't profile the IP phones. Do you know a way (a configuration command on the router) to forward the DHCP even though the router acts as the DHCP server for this VLAN?

    Thank you

    Victor

    Hi Victor,

    To do this... You must add an SVI for the voice VLAN on the switch behind the router, and then add the ip helper-address on the new voice VLAN interface.

    -Hassan

  • Connection disabled for the NAC Agent

    Hello

    After installing the NAC Agent on Windows XP, the login window does not appear.

    Please see the attached Cisco support report.

    Please suggest to overcome this problem.

    Thank you

    Abuzar

    Well, the default gateway is an L3 device you have on your network, and if there is a firewall you will need to open the communication to these ports.

    What is the configuration of VLANS on the switch where the client is connected?

    Do you have an organizational chart?

    See you soon,

    Tiago

  • Exempt devices in NAC 4.1

    Hello friends,

    I'm configuring the layer 2 virtual gateway mode, and I'm a bit confused regarding what the exempt devices would be in layer 2 virtual gateway mode.

    Whenever any device is in the authentication VLAN, it will pass through the NAC Server, but if I move the port to the normal access VLAN in the switch with 'switchport access vlan', the device is out of the NAC flow.

    To my knowledge, whatever VLAN mapping is done in the NAC between authentication and access VLANs, only those VLANs are affected; the rest are all out of the NAC flow and will go as normal traffic.

    Also, all my switches have a management VLAN, so if I don't create the mapping for the management VLAN, it does not pass through the NAC. Am I wrong?

    Please suggest what other devices should be exempted from the networks, for example printers, and what else?

    Estela,

    You are right in most of your assumptions. The essential thing with NAC is to follow the flow of traffic and make sure that in the unauthenticated state the traffic always flows through the CAS. It follows that if a port is not in a VLAN on the untrusted side, it would never be affected by NAC. For your authentication VLANs, we need to ensure that the only path they are allowed is through the CAS. With this simple design rule in mind, look at your VLANs again and you will get most of the answers you seek.

    HTH,

    Faisal

  • The NAC - OOB L2 authentication login page - does not appear!

    Hi all

    We have 2 NAC Managers and 2 NAC Servers. We have a failover solution. Our deployment is OOB layer 2 virtual gateway. We have successfully added the NAS in the NAM and we did the requirements in the NAM, such as the VLAN mapping setup (from untrusted VLAN 913 to trusted VLAN 910), adding the managed subnet, the port profile, adding the switches (Cisco 3560) to the NAM, the user roles configuration, the local users and also the user login page.
    Then, we tested it by connecting the PC to a controlled port on the switch.
    The controlled port configuration was VLAN 910 and after connecting the PC, it is changed to VLAN 913, then we successfully obtained an IP address from the DHCP that is configured on the switch, but the authentication login page did not appear! And also, when we disconnect the PC from this port, the configuration is not changed back from VLAN 913 to VLAN 910, so we manually change it each time to do our tests.

    How do we make the login page appear, and also get the NAM to automatically change the port configuration after the PC has been disconnected?

    Thanks in advance.

    AD SSO is supported with Windows 2003, but with 2008 only a single server is supported, which should also be 32-bit. 64-bit servers are not yet supported.

    HTH,

    Faisal

  • NAC Agent auto-upgrade with ISE possible?

    Hi all

    I have this:

    802.1X Windows client with NAC Agent version (say 1) <----> 802.1X-enabled switch (RADIUS AAA OK) <------> ISE and AD on the same LAN

    ISE is configured for client provisioning with the NAC Agent version 2 package downloaded from Cisco's web site (as described in the documentation)

    I have a basic authentication and authorization policy that works well, but I expect the NAC Agent to be upgraded.

    No profiling is configured at the moment.

    Can someone help?

    Best regards

    Hello

    In the ISE client provisioning settings, enable the option where the NAC Agent upgrade is required. However, it is up to you to run periodic updates and map the most recent agent in the client provisioning configuration.

    Thank you

    Tarik Admani
    * Please rate useful posts *

  • Configuration of the BIOS XW8600 for SSD and HDD

    Until recently, my xw8600 has been configured with the SATA emulation set to Separate IDE Controller under Storage Options. 250 GB hard drives are connected to the SATA 0 and SATA 1 ports and DVD-RW drives are connected to the SATA 2 and SATA 3 ports.

    I wanted to install a Corsair Neutron GTX 240 SSD, but discovered when I changed the SATA emulation to RAID + AHCI (to activate all 5 ports of the SATA controller and optimize the performance of the SSD) that the system could not find the boot drive. I checked the boot order settings and found the hard drive slot listed under the memory module of the attached HP Officejet 7500a USB printer, and it could not be changed.

    I decided to go back to the separate SATA IDE emulation, remove the optical drive from the SATA 2 port and attach the SSD to it. This setup boots successfully; but after installing Windows 7 x64 on the SSD (Windows XP x64 still on the hard drive), I found Windows 7 to be very, very slow.

    Can anyone offer any suggestions or comments on how I can improve this situation?

    Thanks for any help, you can suggest.

    Is this an installation of Windows 7 Pro 64-bit from a purchased retail install DVD, or something from HP?  If I remember well, Vista 64 was the latest HP OS sold with these.  In that case you won't have to deal with a set of HP restore disks.  I would never do an "upgrade" of a prior OS installation to W7.  I only do clean installs of W7 on a freshly long-format reformatted hard drive or an SSD.  I buy my "system builder" OEM license W7 Pro 64-bit DVD/COA from newegg.com (you can find many sources, at approximately 140.00 each).

    Plan to do a clean install on this SSD from scratch, and when you format before that install, do the long formatting version while booted from the W7 DVD.  That will take some time.  Or, if you have a functioning prior OS install on a hard drive, you can boot the xw8600 from it, connect the SSD to the second or third SATA port and reformat it (long version) from disk management, like this.

    The boot drive, SSD or spinner, must always be connected to the primary SATA port, which in these workstations is usually blue plastic, while the rest are a dark black.

    Make sure that your BIOS is the latest... There was a new version for this and the xw6600 a few months ago.  It is an important one.

    Put the SSD in your favorite mount, hang it off the primary SATA port, have the W7 DVD ready in the DVD drive (which should be attached to the second SATA port, or the IDE cable if it's a DVD ATA drive). Power on the xw8600, go straight into the BIOS and go to where you can change the SATA emulation.  Change that to "RAID + AHCI".  Save on the way out of the BIOS, and the workstation will now reboot, usually requiring formal approval of the change with F1.

    Boot from the DVD, select clean install and things will be fine.  I usually set my boot order to start from the hard drive/SSD first and the optical drive second.  Then, when I load an OS I just use the F9 key during the early start to switch to the DVD drive for this single event.

    This is the key information: if you have not correctly set the SATA emulation to "RAID + AHCI" for the W7 installation process, then the appropriate drivers will not be loaded from the DVD onto the startup disk, and you won't get anywhere near your expected speed.  I helped a friend who had done exactly what you did, and when we corrected things it literally doubled the SSD performance scores.  I recommend the reformat/clean reinstall from zero here, because you really want to get the basics perfect, and the way it was handled initially can leave you with a few important questions.

    After you have things working with the SSD and the DVD drive you can add in your other hardware sequentially.  I would do a reboot between each addition, just to be very careful.  Some old HP DVD drives have a problem with W7 64 loading when the SATA emulation in the BIOS is set correctly, and there is a solution for this, but you don't need that info for now.

    All the advice I have written in this forum about the xw6400 installs applies to the xw6600 and xw8600, including the information on processor upgrades.

    Let us know how things go, so that others can benefit...

  • How to check the system configuration of the SX20 if the touch screen and the remote control do not work

    Hello friends, I would like to know how we can access/check the system configuration of the SX20 if we do not have the touch panel and remote control, or they are not in working condition.

    I think we can check this from the switch interface, but unfortunately I don't have access to the local switch right now.

    Hello

    One option is to have access to the local switch and run "show cdp neighbors detail".

    or

    Connect the unit to a PC/laptop LAN port and run tftpd32 with a DHCP pool assigned. Then you can log in to get the config.

    regds,

    Aman

  • Real-IP gateway in-band NAC process

    Hi all

    I did a lot of research, and I can not find good answers to some of my questions. All the big questions are answered for the out-of-band configuration, but I find that an understanding of in-band is taken for granted lol... I guess I'm slow = P

    1. How does the in-band Real-IP gateway work?
    2. What is the point of the /30 subnets?
    3. Are there any access/auth VLAN pair configurations in-band?
    4. How does quarantine work?
    5. I read that the NAC Server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean that there is no support for several trusted VLANs mapped to a single NAC Server?
    6. Can you do role mapping configurations in-band?

    Assistance for all or part of these questions would be GREATLY appreciated!

    Thank you a lot =]

    ~ Xavier.

    Hi Xavier,

    I'll try to answer your questions

    1. How does the in-band Real-IP gateway work?

    The CAS works in routed mode: you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Because the CAS does not support routing protocols, routing must be configured through static routes.

    2. What is the point of the /30 subnets?

    The idea is to have small subnets for your clients, so that with this IP config, clients in the authentication VLAN must go through the CAS even to talk to other clients on the same L2 segment.

    Click here for an explanation:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/47/CAs/s_dhcp.html#wp1057889

    3. Are there access/auth VLAN pair configurations in-band?

    If you are asking whether there is VLAN mapping, then the answer is NO, as the purpose of VLAN mapping is to *bridge* traffic between the mapped trusted and untrusted VLANs, but in Real-IP the CAS routes traffic at L3.

    4. How does quarantine work?

    When a client is quarantined, it works the same way as in OOB, as in this phase the client is still inline to the CAS.

    So the client is assigned by the CAS to the Temporary or Quarantine role, and the CAS applies the traffic policy you have set up for the Temporary or Quarantine role.

    5. I have read that the NAC Server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean that there is no support for several trusted VLANs mapped to a single NAC Server?

    The "single VLAN" restriction for a Real-IP CAS applies only to the *trusted* side. The CAS may be the default gateway for several VLANs/IP subnets on the *untrusted* side.

    You configure additional VLANs/IP addresses on the untrusted side by using the "managed subnet" configuration.

    This is mentioned here:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/CAs/s_deploy.html#wp1050938

    The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For more information on setting up managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.

    6. Can you do role mapping configurations in-band?

    Yes, you can do it! However, you cannot assign a VLAN as you do in OOB, but you can assign different levels of access based on the IP traffic policies and bandwidth restrictions that you assign to the specific role.

    For example, check here for more details:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/cam/m_users.html#wp1040231

    In a word, regardless of in-band vs out-of-band:

    - clients are in-band through the CAS during the detection, authentication, posture assessment and remediation phases.

    The main difference occurs when the user is allowed to access the network: you do role assignment in both IB and OOB, but...:

    - in IB, client traffic keeps flowing inline through the CAS, so you can apply different access policies (ACLs) and bandwidth control depending on the role policies (but you cannot assign a VLAN);

    - in OOB, client traffic bypasses the CAS once it is authorized: in this case you can apply different VLANs but (given that the CAS is no longer in the path) you cannot apply ACLs and/or enforce policy at that point.

    I hope that answers your questions.

    Kind regards

    Federico

    --
    If this answers your question please mark the question as "answered" and write it down, so other users can easily find it.
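The /30-per-client scheme Federico describes in answer 2, as an added example (not code from the thread or from Cisco): a managed subnet is carved into /30 leases so that the only other usable address in each client's subnet is the CAS, which is assumed here to take the first host address. The functions show why two clients in the same L2 auth VLAN are off-link to each other and must send through the CAS, and what the scheme costs in addresses.

```python
import ipaddress

# Constructed managed subnet for the demonstration; any IPv4 prefix works.
MANAGED_SUBNET = "10.10.0.0/24"

def allocate_slash30(managed_subnet):
    """Carve a managed subnet into /30 leases: (cas_gateway, client_ip, netmask)."""
    net = ipaddress.ip_network(managed_subnet)
    leases = []
    for sub in net.subnets(new_prefix=30):
        gw, client = list(sub.hosts())  # exactly two usable addresses in a /30
        leases.append((gw, client, sub.netmask))   # CAS assumed to hold the first one
    return leases

def next_hop(client_ip, netmask, gateway, dst):
    """Where the client sends a packet for dst: 'direct' if on-link, else its gateway."""
    iface = ipaddress.ip_interface(f"{client_ip}/{netmask}")
    return "direct" if dst in iface.network else gateway

def all_peers_via_cas(managed_subnet):
    """True when no two clients in the managed subnet are on-link to each other,
    i.e. every client-to-client packet is forced through the CAS (the gateway)."""
    leases = allocate_slash30(managed_subnet)
    return all(next_hop(a, m, gw, b) == gw
               for gw, a, m in leases for _, b, _ in leases if a != b)

def clients_served(managed_subnet):
    """Address cost of the scheme: one client per /30 instead of one per host address."""
    return len(allocate_slash30(managed_subnet))
```

With a /24 the scheme serves 64 clients rather than 254, which is the trade-off behind Federico's "small subnets" remark.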

  • Enabling NAC HA puts several hosts and the ASA at 100% CPU

    I installed a NAC Manager and a NAC Server in OOB without any problems, but when I configured HA (high availability) with another server, my ASA and several hosts in my network started working at 100% CPU.

    I tried configuring each NAC interface on a single DMZ and the problem stopped.

    - Has someone had this problem (NAC version 4.7)?

    TKX

    Miguel Amaral

    Hello Miguel.

    When I set up a NAC in-band HA solution I had a similar problem, which I solved by changing the HA heartbeat configuration to use only ETH0 instead of ETH0 and ETH1.

    Best regards

    Luciano Carvalho

  • Integration of the NAC Profiler - cannot add list of filters on cam

    Hi all

    I have a problem with the Profiler - NAC integration for endpoint profiling.

    Here's the situation:

    I have already created the integration based on the steps in the guide: Setup Cisco NAC Appliance Integration. I think that the configuration is correct, because I can do database synchronization between the Profiler and the CAM. Here's the Profiler server log:

    NAC_SYNC: Task_Queue_Runner commissioning
    NAC_SYNC: Profiler / END of synchronization of the NAC [add 0, upd 0, desc 0, rm 0]
    NAC_SYNC: Profiler / START the synchronization of the NAC
    INFO: [2010-12-15 11:01:09 (fcapGetHWAddr:49)] is for eth0 MAC

    I have already created an endpoint profile named 'Admin' which is based on the IP address. I also created the NAC events based on the endpoint profile 'Admin'.

    The NAC event will map the 'Admin' profile to a NAC role. This event aims to bypass NAC authentication for 'Admin' so that 'Admin' can connect to the network automatically with a NAC role.

    However, when 'Admin' connects to the network, it is still challenged by NAC. I don't see 'Admin' in the CAM filter list.

    This means that the endpoint profiling is still broken.

    Is there anyone who have experience with this?

    Thanks for the support and comments

    Imad

    Hello

    You cannot add devices manually on the Profiler.

    The Profiler has to detect them automatically (that is the concept of profiling).

    The Profiler detects endpoints using the collector modules.

    Each module has its own means of detecting endpoints.

    You will find the description of each collector module here:

    http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/p_intro231.html#wp1062345.

    HTH,

    Tiago
