Implementation of the NAC

I configured NAC, but on the login page, when I enter the user name and password, the password field becomes empty and nothing happens.

interface GigabitEthernet1/0/18
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 507,513,540
 switchport mode trunk

interface GigabitEthernet1/0/15
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 504
 switchport mode trunk

User in VLAN 513

Vikram,

Please, turn off the box marked "Enable edit based on the subnet VLANS," restart your certification authorities and try again.

Thank you

Faisal

Tags: Cisco Security

Similar Questions

  • Upgrade the NAC of 4.5 to 4.8

    Hello everyone

    I'm about to upgrade NAC from 4.5 to 4.8 on a deployment I did in a bank with 1500 users. The upgrade is due because the bank is migrating its PCs to Windows 7.

    The implementation is in a failover situation (2) and (2) CAM. the design is Out of Band, a virtual gateway and integration with a wireless LAN controller.

    I would like to know if when I upgrade the CAM and CAS´s for version 4.8 can I still use the Agent access own version 4.5 on clients? To perform the migration in several steps

    There is a StubAgent for version 4.8? or already included in the Agent 4.8? I install the StubAgent on all computers of the Bank, because they have no administrative rights.

    What is the best way to perform the upgrade of agents which does not affect users?

    Thanks in advance

    Eduardo Navas

    Hi Eduardo,

    Agent 4.5 is compatible with 4.8 CAM/CAS, although with a few restrictions:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/support_guide/agntsprt.html#wp52084

    For example, see also the following notes:

    "If you use version 4.8 of CAM/CAS with a version of the Agent earlier than 4.8.0.32, then either use the requirement of the Distribution link or upgrade the Agent to the latest version to use the Distribution of files".

    "Cisco NAC Agent version 4.5.x is not supported by download version 4.6 (1) CAM because the structure of Agent installation files is different in version 4.5 (x) compared to the support in version 4.6 (1) agents."

    The NAC 4.8 agent has not any component necessary as the previous stub, for example:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/48/cam/m_webagt.html#wp1473153

    Kind regards

    Fede

    --

    If this helps you or answers your question, please mark it as 'responded' or write it down, so other users can easily find it.

  • Question of the NAC

    The NAC policy is run on a cisco switch. If a cisco switch not is connected to these cisco switches, NAC policy can be implemented on the switch cisco no?

    You can do that if you perform the mode in-band NAC deployment. You cannot apply the strategies on other cisco switches in tape mode.

    so if NAC is deployed in in-band mode, your answer is Yes.

    If nac is deployed in band mode, your answer is no.

  • Failed to start the NAC CAM

    I want to deploy a CAM-based HA on two 3995 servers. After I put the HA configuration on both servers, the primary CAM could not boot any more. GRUB was not able to start Linux. It is stuck in the state "GRUB loading stage1.5."

    What can cause the problem? Is it a hardware problem or a software one?

    Is there any way of rescue the NAC installation CD?

    I tried to install and implement 4.7.1 and 4.7.2 images

    Thank you

    Csaba

    Csaba,

    Please re-burn the CD if you burned it initially after having downloaded you EAC. Make sure that you burn it at the slowest speed possible, preferably 4X.

    If you use the original CD of Cisco, then have another go at Re-imaging it. If still it doesn't solve, RMA the box as DOA.

    HTH,

    Faisal

  • Problem of the NAC in the virtual tape gateway VPN SSO

    Hello

    I've implemented a NAC solution for remote users. The unit of CASE mode configured in the gateway enVirtual Strip.

    I followed all the steps listed in http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

    Remote users can connect successfully using the Cisco VPN software and they can ping the SIN, but not the DNS (the ASA offers the IP @ but not the DNS, I do not know why).

    When I access the NAS, I can download the NAC Agent but VPN SSO is not executed and the Agent asks me to connect using LOCAL DB.

    Any help please,.

    Kind regards

    Larson,

    For VPN SSO to work, you must send the accounting packet to the CAS. The CAS can in turn send it on to the ACS if you need accounting to be done on GBA as well, but for authentication ONLY to work, the accounting must reach the CAS.

    HTH,

    Faisal

  • Satellite Pro U200 with Vista: ConfigFree can't see implementation of the SUMMIT

    I can't see the implementation of the SUMMIT to configfree.

    Please let me know

    Sorry Ronen, but I really don't understand what you mean exactly below the SUMMIT. ConfigFree is well known to me, but now I'm really confused.
    In my case, it works fine. I can watch and see all networks; LAN and WLan...

  • Implementation of the shift from table register

    Hi all

    I am a novice in LabVIEW and I'm trying to implement a convolutional interleaver.

    I have a problem with the implementation of the shift register using tables.

    Here I use interleaver in channel 4. First bit should go directly to the output. 2nd bit should go in a shift register which is initialized to 0. 0 should go to the exit and entry should replace the registry of offset value.

    Similarly, in the 3rd round, 2 element shift register is present initialized to 0. Here, too, 0 should go to the exit element (0) first should get input should come in the shift register. And in the 4th inning, 3 element shift register will be there.

    I tried to apply this using tables, but I'm not be able to crack. Using loops with disabled automatic indexing is the key to this?

    Your help to solve this will be highly appreciated.

    Thank you

    Try something like this:

  • e all in a single photosmart 6520: 6520 implemented of the ink cartridges

    Hello I recently had a new photosmart printer of hp 6520.  However the implementation of the ink cartridges were not in the box.  I was wondering if there was a way around it or if I would be able to get a new set of these cartridges in order to set up the printer so we can use it.   I registered and installed all the software.  the only thing I don't have is the cartridges of configuration to use it.   Thank you for your time

    Hello! Welcome to the @jbuckley21 forums

    I read your post on how your 6520 Photosmart did not include cartridges Setup. In this case, you will need to contact HP for the Setup cartridges sent to you, to install the printer.

    Please, give us a call:

    Call our technical support at the 800-474-6836. If you do not live in the United States / Canada region, please click the link below to get help from your region number. http://WWW8.HP.com/us/en/contact-HP/WW-phone-assist.html

  • I've implemented all the information for an email from the Charter and then when I click on get mail, it says there is a connection to the server error... Why?

    I've implemented all the information for an email from the Charter and then when I click on get mail, it says there is a connection to the server error... Why?

    Hello ChevyDriver10,

    Thanks for your post.  What email app do you use to receive your mail?

    In the meantime, take a look at the Charter of General electronic installation instructions.

    If you do not currently have an e-mail client, feel free to go on Windows Live Mail.

    See you soon

  • Implementation of the Web Service on Blackberry

    Hello

    I am new to web services so now I want to know how you can hit the web services via the blackberry app?

    Is there no web service sample I can use to test the object?

    In fact, I want to know the implementation of the web service on blackberry.

    Please provide me with useful links and resources.

    What is KSOAP2 in blackberry?

    I think there are 2 ways to use web services

    1 http

    2 SOAP

    I want to know the two tests.

    Please help me.

    Sorry for non trivial stuff like this there is nothing like "sample code" of my side - I work in a business environment, not as a developer open source.

  • Version of the NAC

    Dear,

    What version of the NAC can I install on VMware?

    Can anyone help please with the above query.

    Thank you

    NAC is not supported on VMware. Yet people have managed to install NAC 4.1 on VMware, but newer versions do not work.

    There is a new product called Cisco ISE, which will eventually replace the NAC. Cisco ISE can be installed on Vmware.

  • Ports of the NAC

    Hello Experts,

    Have some questions that came across while doing work of the NAC at one of our subsidiaries. If there is some user ports which are not selected for the profile of the NAC, is it possible (except physical control on the cell phone of the user by allowing all ports & audit) which can be used to track the paths of users without mail for NAC.

    Second, if the user of the NAC port is manually on the vlan user (rather than quarantine or vlan temporary), which is the correct order for that.

    the user on NAC field must be typed manually to vlan user or port profile should try not controlled followed by rebound port & update.

    Appreciate all help, thank you.

    Hello

    See online:

    If there is some user ports which are not selected for the profile of the NAC, is it possible (except physical control on the cell phone of the user by allowing all ports & audit) which can be used to track the paths of users without mail for NAC.

    [Tiago] On the graphical interface of the CAM, you can check which ports are controlled and which are uncontrolled. It is the only place where ports can be set as managed/not managed.

    Second, if the user of the NAC port is manually on the vlan user (rather than quarantine or vlan temporary), which is the correct order for that.

    the user on NAC field must be typed manually to vlan user or port profile should try not controlled followed by rebound port & update.

    [Tiago] When you perform the configuration of the switch, the switchports can be put on the user VLAN or the default access VLAN. It depends on the port profile settings that you have configured. By default, when a port is managed, if a client connects, an SNMP trap is sent to the CAM. The CAM checks whether the machine is certified or not (it checks the MAC address). If the machine is not certified, the CAM changes the VLAN to the authentication VLAN configured on the port profile.

    So, whenever you connect a PC to a switchport, the CAM evaluates which VLAN is correct for the PC to start in and changes it accordingly.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'responded' or write it down, so other users can easily find it.

  • Support of the NAC Profiler address & ip

    Hello

    I have a layer 3 OOB NAC Profiler deployment and I am trying to profile some IP phones from a remote location by using the ip helper-address statement on the interface of the remote router. The problem is that the remote router acts as a DHCP server for the voice VLAN and does not forward DHCP discovers to the NAC Collectors, so I can't profile the IP phones. Do you know a way (a configuration command on the router) to forward the DHCP even though the router acts as a DHCP server for this VLAN?

    Thank you

    Victor

    Hi Victor,

    To do this... You must add a SVI for the voice VLAN on the switch behind the router, and then add the IP helper on the new interface VLAN voice.

    -Hassan

  • Actual gateway IP process to strip the NAC

    Hi all

    I did a lot of research, and I can not find good answers to some of my questions. All the big questions are answered for out-of-band configuration, but I find that it is assumed that this understanding in the Strip is taken for granted lol... I guess I'm slow = P

    1. How does the In-Band Real-IP Gateway work?
    2. What is the point of the /30 subnets?
    3. Are there any access/auth VLAN pair configurations in-band?
    4. How does quarantine work?
    5. I read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean that there is no support for several trusted VLANs mapped to a single NAC server?
    6. Can you do role mapping with in-band configurations?

    Assistance for all or part of these questions would be GREATLY appreciated!

    Thank you a lot =]

    ~ Xavier.

    Hi Xavier,.

    I'll try to answer your questions

    1. How does the In-Band Real-IP Gateway work?

    The CAS works in routed mode, if you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Because the CAS does not support routing protocols, routing must be configured through static routes.

    2. What is the point of the /30 subnets?

    The idea is to have small subnets for your clients so that, with this config, IP clients in the authentication VLAN must go through the CAS even to talk to other clients on the same L2 subnet.

    Click here for an explanation:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/47/CAs/s_dhcp.html#wp1057889

    3. Are there any access/auth VLAN pair configurations in-band?

    If you are asking whether there is VLAN mapping, then the answer is NO, as the purpose of VLAN mapping is to *bridge* traffic between trusted and untrusted mapped VLANs, but in Real-IP the CAS routes traffic at L3.

    4. How does quarantine work?

    When a client is quarantined, it works the same way as OOB, as in this phase the client is always online to the CAS.

    So the concept is that the user is assigned by the CAS to the temporary or quarantine role, and it applies the traffic policy you've set up for the temporary or quarantine role.

    5. I have read that the NAC server cannot send traffic on untrusted port to a VIRTUAL LAN and that you are not allowed to trunk port. This means that there is no support for several VLAN reliable, mapped to a single server at the NAC?

    The "single" VLAN restriction for a Real-IP CAS applies only to the *trusted* side. The CAS may be the default gateway for several VLANs / IP subnets on the *untrusted* side.

    Configure additional VLAN / IP addresses on the untrusted side by using the "managed subnet" configuration.

    This is mentioned here:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/CAs/s_deploy.html#wp1050938

    The clean access server can manage one or more subnets, with its untrusted interface, acting as a gateway for managed subnets. For more information on the setup of managed subnets, see Configuring managed subnets or static routes page 5-26.

    6. Can you do role mapping with in-band configurations?

    Yes, you can do it! However, you cannot assign a VLAN as you do in OOB, but you can assign different levels of access based on the IP traffic policies and bandwidth restrictions that you assign to the specific role.

    For example, check here for more details:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/cam/m_users.html#wp1040231

    In a word, regardless of whether you use InBand or OutOfBand:

    - clients are InBand to the CAS during the detection, authentication, posture assessment and remediation phases.

    The main difference occurs when the user is allowed to access the network and you perform the role assignment in IB or in OOB:

    - in IB, client traffic keeps on flowing inline through the CAS, so you can apply different access policies (ACLs) and bandwidth control depending on the role policies (but you cannot assign a VLAN);

    - in OOB, client traffic bypasses the CAS once it is authorized: in this case, you can apply different VLANs but (given that the CAS is no longer in the path) you cannot apply ACLs and/or enforce the policy in this case.

    I hope that answers your questions.

    Kind regards

    Federico

    --
    If this answers your question please mark the question as "answered" and write it down, so other users can easily find it.
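An added illustration, not part of the thread or of Cisco's documentation, of the point made in answer 2 above: carving the authentication pool into /30 subnets leaves no two clients on-link with each other, so every client-to-client packet has to cross the gateway. The pool `10.10.13.0/24`, the choice of the first usable address as the CAS-side gateway, and the function names are assumptions made for the example.

```python
import ipaddress
from itertools import combinations

POOL = "10.10.13.0/24"  # constructed sample pool for the authentication VLAN

def build_leases(pool, prefix):
    """Carve `pool` into subnets of length `prefix`; one lease per client address."""
    leases = []
    for subnet in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        hosts = list(subnet.hosts())
        gateway = hosts[0]  # assumption: first usable address is the CAS untrusted side
        for client in hosts[1:]:
            leases.append({"client": client, "subnet": subnet, "gateway": gateway})
    return leases

def next_hop(lease, dst):
    """Where the client sends a packet for dst: dst itself if on-link, else the gateway."""
    dst = ipaddress.ip_address(dst)
    return dst if dst in lease["subnet"] else lease["gateway"]

def direct_pairs(leases):
    """Count client pairs that can reach each other without crossing the gateway."""
    return sum(1 for a, b in combinations(leases, 2)
               if next_hop(a, b["client"]) == b["client"])

if __name__ == "__main__":
    for prefix in (24, 30):  # flat subnet versus per-client /30 subnets
        leases = build_leases(POOL, prefix)
        print(f"/{prefix}: {len(leases)} clients, "
              f"{direct_pairs(leases)} pairs bypass the gateway")
```

The flat /24 gives more client addresses but lets every pair talk directly at layer 2; the /30 layout trades address space for having all traffic pass through the enforcement point.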

  • Fight against exclusion the NAC mac

    Experts, assuming that few users are now authenticate & viz cisco NAC network access, they be filtered from the NAC to exclude the posture of NAC will be they be disconnected from the network & reconnected since they were connected & now are going to be ignorant of the NAC.

    How it works in this case. users will be disconnected for that to be effective, or will they be disconnected by force before it takes effect.

    Thanks to you all.

    Hello

    There is a port bouncing feature Cisco NAC that accomplishes this task for you. But it depends on your deployment mode, it is not required for each of them. Please see this link:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/48/cam/m_oob.html

    Please indicate if you find the input helpful. Thank you

    Farrukh
