NAC Appliance OOB L3

Hello world

"My friend" (:-)) which I want to deploy NAC OOB L3.

Why this one? Because it has a central location and a few branches (a little more in fact) and these branches are 2 hops L3 at the center ball. Specifically, there is a L3 switch as a gateway for users of general management of the LAN, and after that, a router that connects to the Center (GRE/IPSec).

It is, and I failed to find or to realize by myself: it is mandatory to use a DHCP server to allocate ip-s to customers? (for all their States: permit unauthenticated, authenticated, etc.).

If not, how it should be done?

Second: if it is mandatory, must it only work with a centrally deployed DHCP server, or can I use the L3 switch at each branch as a DHCP server?

Thank you for your patience.

DHCP is required for L3 OOB Real-IP gateway, given that the system will have to obtain a new address when it is placed in the auth VLAN and then again, after the posture process, when it is switched back to its 'normal' VLAN.

As for the DHCP server, you can use a central server, have the local switch provide addresses, or a combination of both.

In our facility, the local switch is the DHCP server for the auth VLAN and a local server is used for the access VLAN.

Mike
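The "combination of both" layout Mike describes, written out as an added example for a branch L3 switch (this is not configuration from the thread or from Cisco documentation; VLAN ids, subnets, the central DHCP server 10.1.1.10 and the DNS server 10.1.1.20 are all assumed values). The switch serves the auth VLAN itself with a short lease, and only relays the access VLAN to the central server over the WAN; routing of auth-VLAN traffic toward the CAS is not shown.

```cisco
! Added example (not from the thread): branch L3 switch serving the auth VLAN
! locally and relaying the access VLAN to a central DHCP server.
! All VLAN ids, subnets and server addresses below are assumed values.

! --- Auth VLAN 250: addresses handed out by the switch itself with a short
! lease (2 minutes), so a client that is moved back to its access VLAN after
! posture is not left holding a long-lived lease from the auth subnet.
ip dhcp excluded-address 10.250.1.1 10.250.1.10
ip dhcp pool AUTH-VLAN-250
 network 10.250.1.0 255.255.255.0
 default-router 10.250.1.1
 dns-server 10.1.1.20
 lease 0 0 2
!
interface Vlan250
 description NAC auth VLAN (unauthenticated clients)
 ip address 10.250.1.1 255.255.255.0
!
! --- Access VLAN 10: addresses come from the central DHCP server, so the
! switch only relays DHCP for this subnet (no local pool).
interface Vlan10
 description Access VLAN (authenticated clients, normal role)
 ip address 10.10.1.1 255.255.255.0
 ip helper-address 10.1.1.10
!
! --- A NAC-managed user port: starts in the auth VLAN; the CAM moves it to
! VLAN 10 over SNMP after login/posture (port profile on the CAM, not shown).
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 250
 snmp trap mac-notification added
 spanning-tree portfast
```

The short lease on the auth pool is the design choice worth noticing: the client's address on the auth subnet only has to live long enough to reach the login page and pass posture, and a short lease limits how long a stale auth-subnet address can linger once the port has been switched back.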

Tags: Cisco Security

Similar Questions

  • NAC L2 OOB VG Design for wired

    Hi all

    I need help with the NAC L2 OOB Virtual Gateway design for wired users. In the Cisco documentation only one configuration example is present, and it is for wireless users, which is not applicable to my case (wired users). Here are the details; please correct me if the design is wrong at any point:

    1: Create a VLAN (241) for CAM management on the core.

    2: Create a VLAN (240) for CAS management on the core.

    3: The IP addresses of both E0 (10.10.240.1) and E1 (10.10.240.1) of the CAS will be on the same subnet and the same IP address.

    4: Create all trusted VLAN SVIs (VLAN 10, 20) on the core.

    5: Configure managed subnets for the untrusted VLANs (100, 200) on the CAS.

    6: Create a VLAN mapping b/w trusted and untrusted (10 to 100, 20 to 200).

    7: Core connected to CAS E0: trunk, allowed VLANs 10, 20, 240.

    8: Core connected to CAS E1: trunk, allowed VLANs 100, 200.

    9: Other typical configuration.

    I don't have a LAB to test in. I'm just worried that I missed something, as implementation will be critical and I'd like to avoid all risks.

    Please give me suggestions and best practices. Also please let me know if I need to add any config.

    Kind regards

    Abdul Majid Khan

    Abdul,

    Port profiles are used to determine if a port is managed or unmanaged, so you will need at least one port profile. Here you can define what the initial VLAN of the switchports will be, what the final VLAN will be, etc.

    More details here: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html#wp1083087

    HTH

    Faisal

  • Cisco NAC Appliance

    Hello

    I wanted to know if anyone can give me help on a Cisco NAC appliance.

    Honestly, I've heard of them, but I've never installed or worked on one before, and I have a client who wants one installed. So I wanted to know if someone here can point me in the right direction regarding installation and configuration. Thanks for the help in advance and have a very nice evening.

    Hello

    Everything you need to get started:

    http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Web NAC NAC Appliance Agent Vs agent

    Hello

    What is the difference between 'NAC Appliance Agent' and 'NAC Web Agent'?
    In my case I do not get the 'NAC Appliance Agent' pop-up screen, although I am able to connect correctly through 'NAC Web Agent'.
    I would like to know if connecting via 'NAC Appliance Agent' is mandatory.

    PFA the 'CiscoSupportReport.zip' for 'NAC Appliance Agent'.

    Thank you
    Sagar

    It is not mandatory to use the agent unless you specify it in the policy for the user role assigned to your username.

    The web agent can do most of what the installable agent does, at least with respect to authentication and posture.

    Check the role assigned to your user under Device Management > Clean Access and see what is required for this role.

    Hope this helps

  • NAC Appliance IPv6 compatibility

    I read in the book "Cisco NAC Appliance: Enforcing Host Security with Clean Access" (published 2008) that Real-IP Gateway mode is only IPv4 compatible, but that IPv6 compatibility will be provided in a future update.

    Having searched around, I find no reference to the NAC appliance being IPv6 capable. Does anyone know which modes (if any) are IPv6 compatible?

    Hello

    Although IPv6 has been on the roadmap, it is currently not supported and there is no ETA for IPv6 support on the NAC appliances.

    HTH,

    Tiago

    --

    If this answers your question, please mark the question as "answered" and rate it, so other users can easily find it.

  • NAC Appliance deployment problem

    Hello

    We are going to deploy a Cisco NAC Appliance 3310 Clean Access Server in our network. Regarding the deployment, I have several questions.

    My questions are:

    Do we require any additional server, such as WSUS, for remediation/Windows update management?

    Does the NAC device talk to MS AD for authentication?

    Do we require an antivirus server for endpoint security?

    Do we require an additional remediation server to clean an infected endpoint?

    I will be happy to receive answers to the above.

    Kind regards

    Martine

    Martinez,

    No, the CCA system asks the client to remediate itself using the Windows Update client on the client computer, and then the options depend on that function. The two options are going to the Microsoft WU servers, or, if you have a WSUS server defined internally, that one.

    The other thing you can do is to 'offer' clients downloads of files that you store on the CCA, based on different system requirements, but doing it this way would be very difficult to manage, since you would have to create rules for each patch, which would very quickly become tedious.

    View this video on demand on how the CCA does posture assessment and remediation. Watch VOD 5:

    http://tinyurl.com/d74t9u

    HTH,

    Faisal

  • NAC Appliance and LDAP Lookup

    Hello

    I have two CAMs in HA and two CASs in HA.

    I set up LDAP lookup to create a role assignment rule.

    In this configuration there is only one Windows server to look up the user's attributes.

    There is a problem when this Windows server is out of service. Is there a fallback configuration for when the server isn't there?

    Thanks to you all.

    The LDAP lookup server config says to use the LDAP authentication provider. The LDAP authentication provider says that you can have multiple entries in the single LDAP field:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/413/cam/m_auth.html#wp1158614

    You can add LDAP authentication server redundancy by entering several LDAP URLs in the Server URL field, separated by a space, for example:

    ldap://ldap1.abc.com ldap://ldap2.abc.com ldap://ldap3.abc.com

  • Basic configuration of NAC appliance

    I have a small project to authenticate about 100 users for network access. We plan to use the Cisco NAC appliance. Just to clarify (I saw some posts but I'm not sure of the correct answer): do I need 2 separate devices, one as a server and the other as a controller, or do I just need one that does both tasks?

    Thank you

    -Arturo

    Hi Arturo,

    You need two devices to operate: a Manager and a Server.

    There is a great Cisco Press book on the NAC appliance by Jamey Heary that will give you a lot of details and information on the configuration of the devices.

    I hope this helps.

    Paul

  • NAC Appliance reporting to MARS

    Can MARS be configured to receive reports from the NAC Appliance CAM/CAS, etc.? There is no option for NAC under devices in MARS.

    Thank you

    -KK

    I apologize for not going very far with my answer. Fortunately, there are NetPros who know NAC much better than I do.

    In summary:

    "During deployment NAC framework in your network, if the NAC router is already configured to send syslogs and NetFlow events to MARS, all you have to do is configure the router to send specific syslogs NAC."

    To answer your question, it is not the CAM/AR but the router that must be set up in MARCH. That's why you see no option under devices of MARCH for the CAM/CAs.

    I hope this helps.

  • NAC appliance 3315 OOB remote management with BMC (ILO) does not work

    Hello

    We have several 3355 servers configured with the ILO; we can manage them (power on/off) with the ILO web interface.

    But we have a few 3315s, which are IBM x3250 M2 servers.

    They also have a management port on the back, and we can set up the IP/username/password in the BIOS (Baseboard Management Controller - BMC settings).

    But if we try to connect it to a switch, there is no link (the switch is auto-MDIX capable).

    What do we need to make it work? The IBM BIOS and BMC firmware are the most recent.

    Thanks in advance

    Attila

    Atilla,

    We had the same problem (no link light) and discovered that these servers were not equipped with an RSA card (Remote Supervisor Adapter). It looks like the 3355s are delivered with these already installed, but not the 3315s.

    I hope this helps.

    Kind regards

    Denzil

  • NAC appliance purchase question

    Dear Experts,

    This summer we bought a Cisco NAC Server Appliance, NAC3315-K9-500-500-NAC3315-K9.

    And we are about to begin its deployment. But to our surprise, we learned that a separate physical server to manage the NAC, and a NAC Manager license, are required.

    Unfortunately, we bought the NAC unit with the (rather hasty) assumption that the Manager (CAM) and the Access Server (CAS) are integrated into a single box. But after checking a configuration guide, it said that either the CAM or the CAS can be installed on the device.

    So is it possible to integrate them both on the same machine? Or must we buy this CAM server, which costs a fortune?

    Or alternatively, can the CAM be installed as a virtual machine?

    Looking forward for your answer,

    Thank you very much!

    Hello

    You cannot run the CAM and the CAS on a single piece of hardware (when you install the software, you must choose Manager or Server in the installation scripts); you must run them on separate devices. However, you can go with ISE (licenses), which is the latest product and can take advantage of all the NAC features in one device. However, depending on your network (number of endpoints), it can easily require more hardware.

    ISE can run on the devices you have purchased; you will need to go to your Cisco account representative or your Cisco partner in order to get the discount and get on the same page on ISE (providing a demonstration or proof of concept).

    I have supported NAC and ISE, and your best approach should be not to go forward with the NAC product now that ISE is out; it is a much better design in the way it integrates into your network. It also uses not only the Manager and Server, but includes the profiling and guest management services, which are all different products within the NAC line.

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • Cisco NAC appliance - after a successful login, users are not moved to the proper VLAN

    Hello

    I am new to Cisco NAC appliances and I have to troubleshoot an implementation. It is a Real-IP gateway OOB configuration. Users can log in to the CCA, but after a successful login they remain in the unauthenticated role, as well as on that VLAN. I checked SNMP and it seems to work fine. Also, I checked the logs in nac_manager.log and there is nothing surprising; in fact I see nothing about this user or the IP address that connects.

    Also, the user does not appear in the Online Users list on the CAM.

    Can someone help me figure out how I can fix this? Version 4.8; I'll post any information requested.

    Thank you

    We recently had this problem with Windows AD SSO and Windows 7 clients.

    XP clients would authenticate fine; however, Windows 7 clients would not authenticate and would just remain on the auth VLAN.

    Our issue was the CAS SSO account we created in AD. It only supported DES encryption, which Windows 7 64-bit does not have. We turned off "Use DES encryption" on the AD SSO account and re-tested.

    What are the parameters of the port profile applied to the switchport?

    What are the VLAN mapping settings for the trunk ports (untrusted and trusted)?

  • Virtual Gateway Wireless In-Band NAC Appliance

    Hi, people.

    Does someone know how to configure a NAC wireless in-band Virtual Gateway appliance?

    TKS.

    Hello

    Well, it's a pretty simple question and I can say that many people know how to configure NAC for wireless VG.

    Can you be more specific about exactly what you need?

    ARO

    Tiago

  • NAC L3 OOB does not work over the WAN

    I'll set up a proof-of-concept lab validation for the NAC installation.

    I use Cisco Catalyst 3550 and 2950 switches (the real environment uses 3750, 2960 and 2950 switches) and have defined NAC in a central L3 OOB configuration. In this configuration, I have a CAS and a CAM at "MAIN_SITE" and then two branch sites, "BRANCH1" and "BRANCH2".

    At the main site, OOB works fine, and when a user logs in the port is moved from the auth VLAN (290) to the role-based access VLAN (200). However, at the branches the switches do not put the port in the role-based VLAN, or if a port is in VLAN 200 and a PC is connected to this port, the switch does not move the port to VLAN 290 (unauthenticated).

    Sniffing traffic with Wireshark, I see SNMP sets sent by the CAM to the switch to tell it to place the port in VLAN 200, but the switch does not.

    My write community strings are configured correctly and the CAM is able to push the initial NAC commands onto the switch (the 'snmp trap mac-notification added' commands for the ports).

    Can anyone say what the problem is?

    Sachin

    Sachin,

    Must be at least 12.1(14)EA1

    Visit this link for all the switches you need for OOB and supported codes: http://bit.ly/SwitchSupport

    HTH,

    Faisal

  • NAC L2 OOB VG issue with wired user

    Hi all

    I need your help. I tried to do L2 OOB Virtual Gateway NAC for a wired user with the following setup:

    Both CAS interfaces are trunks with only the respective VLANs allowed.

    CAS is added to the CAM.

    Switch is added to the CAS.

    VLAN mapping is configured as 50 (untrusted) mapped to 60 (trusted).

    Port profile is configured.

    The CAS switch port is configured with this port profile.

    QUESTIONS:

    When I connect my client to auth VLAN 50, should I give a static IP address to my NIC, or should it get the IP address from the DHCP server (for both the auth and access VLANs)?

    First of all, I gave a static IP in auth VLAN 50, but the port connected normally and doesn't show any NAC web page.

    Next, I set up DHCP for access VLAN 60 and put the client port in auth VLAN 50, but it still doesn't prompt me with the NAC posture page.

    When I check Discovered Clients, it shows my laptop's MAC.

    Am I still missing something?

    Kind regards

    The NAC captive portal is able to provide 3 options: use the Cisco NAC Web Agent, download the Clean Access Agent, and restricted access.

    "Download Clean Access Agent" allows the user to download the agent without using the web agent first. The user is only required to log in.

    The "Download Clean Access Agent" button is available for all roles that are required to use the Clean Access Agent. This is configurable under: Device Management > Clean Access > General Setup > Agent Login.

    For more information, see the Installation and Configuration Guide (chapter 10).
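The core-switch side of the L2 OOB Virtual Gateway design from the "NAC L2 OOB VG Design for wired" post above (steps 1 to 9), written out as an added example. This is not configuration from the thread or from Cisco documentation; the interface names, the core SVI addresses (.254 in each management subnet), the user subnets and the user-facing port are assumptions, while the VLAN numbers and the 10/20 to 100/200 mapping are the ones the post lists.

```cisco
! Added example (not from the thread): core switch side of an L2 OOB
! Virtual Gateway design. VLAN numbers follow the post above; interface
! names, SVI addresses and user subnets are assumed values.
vlan 10
 name TRUSTED-USERS-A
vlan 20
 name TRUSTED-USERS-B
vlan 100
 name UNTRUSTED-USERS-A
vlan 200
 name UNTRUSTED-USERS-B
vlan 240
 name CAS-MGMT
vlan 241
 name CAM-MGMT
!
! Step 4: trusted VLANs get SVIs on the core. They are routed here and carry
! users after the CAM has moved their port out of the untrusted VLAN.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Untrusted VLANs 100 and 200 deliberately have NO SVI on the core: in
! Virtual Gateway mode the CAS bridges 100<->10 and 200<->20 itself (the
! mapping of step 6, configured on the CAS). A gateway for 100/200 on the
! core would let unauthenticated clients bypass the CAS.
!
! Steps 1-3: management VLANs. The CAS shares 10.10.240.1 on eth0/eth1
! (VG mode); the core holds .254 in each management subnet.
interface Vlan240
 ip address 10.10.240.254 255.255.255.0
interface Vlan241
 ip address 10.10.241.254 255.255.255.0
!
! Step 7: trunk to CAS eth0 (trusted side) - trusted user VLANs plus CAS
! management. bpdufilter keeps STP from reacting to the bridge the CAS
! forms between the trusted and untrusted VLAN pairs.
interface GigabitEthernet1/0/1
 description CAS eth0 trusted
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,240
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpdufilter enable
!
! Step 8: trunk to CAS eth1 (untrusted side) - only the untrusted user
! VLANs. VLAN 240 stays off this trunk so CAS management remains on the
! trusted side.
interface GigabitEthernet1/0/2
 description CAS eth1 untrusted
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpdufilter enable
!
! A NAC-managed user port (on the access switches in practice): starts in
! the untrusted VLAN; the CAM moves it to VLAN 10 over SNMP after login.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 snmp trap mac-notification added
 spanning-tree portfast
```

The check worth making against this layout is the one the thread's replies keep coming back to: the untrusted VLANs must have no route on the core, and the two CAS trunks must carry disjoint VLAN sets, otherwise the VLAN pair is joined around the CAS instead of through it.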
