NAC managed subnets

Hello

I implement NAS OOB, L3, RIP. We use several sites with different subnets on MPLS. For the configuration of managed subnets, must I enter all the subnets between all the remote locations and the NAM?

If you could explain a little more about managed subnets too, I'd appreciate it.

Thank you

Alex

Alex,

Use static routes for the subnets of L3. Managed subnets are used for L2 adjacent subnets.

More details here: http://tinyurl.com/yzd7v6c

HTH,

Faisal

Tags: Cisco Security

Similar Questions

  • CAS managed subnet and VLAN mapping

    Hi all,

    I would like to ask for help with my NAC device. Currently I'm setting up the NAC unit. I just have difficulty with which IP address to use for the managed subnet. I have installed the trusted VLANs as they are in our network, but which of the VLANs is the untrusted one? Should I make new IPs for it and put them in the untrusted VLAN? I don't know if it is correct, but I can't get an IP address every time I change the switchport to the port profile I made. Please help me, I need to know for my project. Thank you.

    Richard,

    This looks about right - assuming that 10.1.10 and 10.1.20 are the IP subnets associated with VLAN 10 and 20.

    Do you have VLAN 100 and 200 shared to the untrusted interface of your CAS?

    Faisal

  • NAC Manager HTTPS not responding after HA activation

    I currently have a NAC installation in a lab, and as soon as I restart the Manager after having configured HA, the server stops responding to HTTPS and I get "Service temporarily unavailable". After restarting the server I saw something on the console about checking the HA setting, but I don't see this message again and I don't know how to check these parameters in the CLI.

    Hello

    This may mean that HA is not correctly configured (problem with certificates, heartbeat, etc.).

    The best thing to do is to connect via SSH to both CAMs, go to /etc/ha.d/ and delete the files 'perfigo.conf' and 'ha.cf'.

    These are the files that contain the HA configuration; after deleting them, restart the machines and they will come up as stand-alone again.

    As stand-alone, you can start the HA config over again, ensuring that you follow the required steps:

    http://www.cisco.com/en/US/docs/security/nac/appliance/installation_guide/hardware/48/hi_ha.html

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Integration of Cisco ACS and Cisco NAC Manager - downloadable ACLs

    Hello

    I have set up Cisco NAC in my environment. It all works well. The users get authenticated via Cisco NAC Manager. The Cisco NAC Manager communicates with Cisco ACS for the user database part. It all works well. I would like to activate downloadable ACLs. I tried to use the CISCO-AV-PAIR method and creating a downloadable ACL entry in the shared components, but nothing works. Either I'm doing it wrong, or this configuration of mine does not support downloadable ACLs? Please advise.

    Kind regards

    RAM

    + 6 012-2918870

    Hello

    It is not possible.

    You cannot push the ACL in the NAC manager.

    If you do RADIUS authentication from the NAC Manager, what you can do is create roles on the NAC Manager, and on the roles you define traffic policies.

    Using the RADIUS attributes you can then map users to roles.

    Please, take a look at this:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • The NAC Manager/Server license question

    I use a pair of NAC Managers in failover with 5 sets of CAS servers. Each set of CAS servers is licensed for a different number of users (i.e. 1500 or 3500). I loaded all the licenses in the Manager. (All the PAKs have been validly submitted using the MAC address of the primary Manager.) Is it possible to assign... or... how will I know which set of servers will be assigned the appropriate license for a specific max number of users?

    Was it only one PAK or were they separate PAKs... because it goes like this: with one PAK you generate the license for the CAM (this is the license for the number of servers it can handle)... for that you must provide the CAM MAC address. Then for each FO server you can use the same PAK or a new one and mention the MAC address of the server there, and that makes the exact difference... If you had separate PAKs, each PAK is given based on the license you requested from...

  • The HA NAC Manager stops responding

    Hi guys, I have 2 CAMs working in failover. 3 times they have suddenly stopped responding. I couldn't manage the devices through the GUI or SSH. Both devices did not answer. The only way to regain control was to restart them. They have version 4.5.

    Does anyone have an idea about this behavior?

    Thank you

    Gerard

    Gerard,

    The fix is already released in 4.7; the solution is already there for you to download and upgrade. The latest version you can download is 4.7.2.

    Read the release notes for 4.7.2 carefully! You must be on the console to do the upgrade to 4.7.2 for your NAC devices.

    HTH,

    Faisal

  • NAC Manager startup problem

    Hello

    The NAC Manager is in a boot loop and showing a disk error; no idea how to fix this.

    Kind regards

    Nameair,

    If you have a backup of the db, try a new image. If that doesn't fly, RMA the box.

    Faisal

  • High memory problem NAC Manager

    Hi guys, I have failover CAMs installed. I have seen high RAM usage on the 2 devices. The usage is greater than 80%. Does anyone know what the cause of this memory usage is?

    Also, I have a NAC integrated with these CAM Profiler.

    Regards

    Gerard

    Gerard,

    Your system seems fine. Linux uses free memory to cache data, so the reported free memory may seem very low, but it is being used by the kernel for caching. As and when necessary, the kernel frees that memory for processes to use, so it's normal. If you want to watch which processes are using the most memory, try this command:

    ps auwwwx | awk '{print $4 "\t" $11}' | sort | uniq -c | awk '{print $2 " " $1 " " $3}' | sort -nr

    The output will show you the processes with the memory used. For example, on a test CAM here this was the result of the above command:

    14.3 1 /usr/java/jdk1.6.0_12/bin/java
    0.8 1 /usr/sbin/httpd.worker
    0.7 1 /usr/sbin/httpd.worker
    0.6 1 /usr/sbin/httpd.worker
    0.6 1 postgres:
    0.5 1 postgres:
    0.5 1 heartbeat:

    Java obviously takes the most memory.

    HTH,

    Faisal
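    The pipeline in the reply above, wrapped in shell functions as an added example (not code from the thread or from Cisco), together with the "used minus cache" figure that explains why a CAM can show 80% used and still be healthy. The ps rows and the /proc/meminfo excerpt are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: Faisal's ps pipeline as a function,
# plus the "really used" memory figure that discounts the kernel page cache.
# All input below is constructed sample data, not taken from a real CAM.

# Constructed `ps auwwwx` output: header plus a few processes.
PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1001 0.5 14.3 2100000 590000 ? Sl 10:00 1:23 /usr/java/jdk1.6.0_12/bin/java -server -Xmx512m
apache 2001 0.0 0.8 310000 33000 ? S 10:01 0:01 /usr/sbin/httpd.worker
apache 2002 0.0 0.7 310000 29000 ? S 10:01 0:01 /usr/sbin/httpd.worker
postgres 3001 0.0 0.6 210000 25000 ? S 10:00 0:02 postgres: writer process
postgres 3002 0.0 0.5 210000 21000 ? S 10:00 0:01 postgres: stats collector
root 4001 0.0 0.5 150000 20000 ? S 10:00 0:00 heartbeat: master control process'

# Constructed /proc/meminfo excerpt (values in kB).
MEMINFO_SAMPLE='MemTotal:        4000000 kB
MemFree:          200000 kB
Buffers:          300000 kB
Cached:          1900000 kB'

# Same aggregation as the thread's pipeline: key on %MEM and the command
# ($4 and $11 of ps output), count identical keys, print "mem count cmd"
# sorted by memory descending. The ps header line is skipped.
mem_by_cmd() {
    awk 'NR > 1 {print $4 "\t" $11}' \
        | sort | uniq -c \
        | awk '{print $2 " " $1 " " $3}' \
        | sort -nr
}

# What a naive monitor reports as "used": MemTotal - MemFree.
naive_used_pct() {
    awk '/^MemTotal:/ {t=$2} /^MemFree:/ {f=$2}
         END {printf "%d\n", (t - f) * 100 / t}'
}

# Memory actually held by processes: buffers and page cache are reclaimable,
# so subtract them too. This is the figure worth alerting on.
real_used_pct() {
    awk '/^MemTotal:/ {t=$2} /^MemFree:/ {f=$2} /^Buffers:/ {b=$2} /^Cached:/ {c=$2}
         END {printf "%d\n", (t - f - b - c) * 100 / t}'
}

# Stand-alone run: top memory consumers, then both percentages.
printf '%s\n' "$PS_SAMPLE" | mem_by_cmd
printf 'used (naive): %s%%\n' "$(printf '%s\n' "$MEMINFO_SAMPLE" | naive_used_pct)"
printf 'used (real):  %s%%\n' "$(printf '%s\n' "$MEMINFO_SAMPLE" | real_used_pct)"
```

    On a live box, replace the two sample variables with `ps auwwwx` and `cat /proc/meminfo`; the same sample data reports 95% used naively but 40% once cache is excluded.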

  • NAC Manager high availability peer CAM DEAD

    Hello

    I have two NAC Managers in high availability, and I used interface eth1 on both sides as the heartbeat link.

    I did the following steps for high availability.

    (1) synchronize the time between two cams.

    (2) generate a temporary SSL certificate on each CAM and do the export/import procedure on the other.

    (3) make a CAM as a primary and the other as secondary.

    But after all this configuration I can see in the status under Monitoring > Reports that the primary CAM is up on both servers and the redundant CAM is down.

    Also on the failover tab, I can see Local CAM - OK [Active] and Peer CAM - DEAD.

    I have attached some screenshots so that you can find the same.

    Your help will be very appreciated.

    Thank you

    Try these steps and check that all steps were followed:

    http://www.Cisco.com/c/en/us/support/docs/security/NAC-appliance-clean-access/99945-NAC-cam-HA.html

  • NAC Manager license

    Can someone please confirm something for me. I have two NAC Managers configured in a failover setup and both are configured correctly with a failover license. I need to add three new CAS server licenses to the CAM, but it looks like I can only add them to the primary. When I navigate to the secondary CAM, the option to browse to the new .lic files is all grayed out. In addition, I see that the CAM and failover licenses are installed on the secondary CAM. Do I need to switch over and manually install the CAS licenses on the secondary? Or do I just upload them on the primary and not worry about the secondary?

    Thank you.

    No need to worry about adding the licenses on the secondary. License files are synchronized to the secondary device and will be applied when the secondary becomes active.

    Sent from Cisco Technical Support iPhone App

  • NAC Manager HA failover problem

    Hi all

    I have a high availability NAC Manager and a high availability NAC Server. When I try to fail over the active primary NAC Manager to the secondary NAC Manager, the NAC Server is not able to connect to the secondary NAC Manager. I don't think IP connectivity is the problem. When I make the primary NAC Manager active again, the NAC Server can connect to the primary NAC Manager. It seems that the NAC Server cannot connect to the secondary NAC Manager.

    Does anyone have an idea?

    Thank you.

    Have you checked the certificates between them?

    Did you export the certificate between the primary and secondary NAC Managers?

  • NAC In-Band Real-IP gateway process

    Hi all

    I did a lot of research, and I cannot find good answers to some of my questions. All the big questions are answered for out-of-band configuration, but I find that this understanding is taken for granted for in-band lol... I guess I'm slow = P

    1. How does the in-band Real-IP gateway work?
    2. What is the point of the /30 subnets?
    3. Are there any access/auth VLAN pair configurations in-band?
    4. How does quarantine work?
    5. I read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean that there is no support for several trusted VLANs mapped to a single NAC server?
    6. Can you do role mapping configurations in-band?

    Assistance for all or part of these questions would be GREATLY appreciated!

    Thank you a lot =]

    ~ Xavier.

    Hi Xavier,

    I'll try to answer your questions

    1. How does the in-band Real-IP gateway work?

    The CAS works in routed mode, where you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Because the CAS does not support routing protocols, routing must be configured through static routes.

    2. What is the point of the /30 subnets?

    The idea is to have small subnets for your clients, so that with this config the IP clients in the authentication VLAN must go through the CAS even to talk to other clients on the same L2 subnet.

    Click here for an explanation:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/47/CAs/s_dhcp.html#wp1057889

    3. Are there access/auth VLAN pair configurations in-band?

    If you are asking whether there is VLAN mapping, then the answer is NO, as the purpose of VLAN mapping is to *bridge* traffic between the mapped trusted and untrusted VLANs, but in Real-IP the CAS routes traffic at L3.

    4. How does quarantine work?

    When a client is quarantined, it works the same way as OOB, as in this phase the client is still inline to the CAS.

    So the user is assigned the Temporary or Quarantine role by the CAS, and it applies the traffic policy you've set up for the Temporary or Quarantine role.

    5. I have read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean that there is no support for several trusted VLANs mapped to a single NAC server?

    The "single VLAN" restriction for a Real-IP CAS applies only to the *trusted* side. The CAS may be the default gateway for several VLANs / IP subnets on the *untrusted* side.

    Configure additional VLANs / IP addresses on the untrusted side by using the "managed subnet" configuration.

    This is mentioned here:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/CAs/s_deploy.html#wp1050938

    The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For more information on the setup of managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.

    6. Can you do role mapping configurations in-band?

    Yes, you can do it! However, you cannot assign a VLAN as you do in OOB, but you can assign different levels of access based on the IP traffic policies and bandwidth restrictions that you assign to the specific role.

    For example, check here for more details:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/cam/m_users.html#wp1040231

    In a word, regardless of the use of In-Band vs Out-of-Band:

    - clients are in-band to the CAS during the detection, authentication, posture assessment and remediation phases.

    The main difference occurs when the user is allowed to access the network; you do role assignment in both IB and OOB, but...:

    - in IB, client traffic keeps flowing inline through the CAS, so you can apply different access policies (ACLs) and bandwidth control depending on the role policies (but you cannot assign a VLAN);

    - in OOB, client traffic bypasses the CAS once it is authorized: in this case you can apply a different VLAN, but (given that the CAS is no longer in the path) you cannot apply ACLs and/or enforce the policy in this case.

    I hope that answers your questions.

    Kind regards

    Federico

    --
    If this answers your question please mark the question as "answered" and write it down, so other users can easily find it.

  • NAC L2 OOB VG Design for wired

    Hi all

    I need help with a NAC L2 OOB Virtual Gateway design for wired users. In the Cisco documentation only one configuration example is present, but it is for wireless users, which is not applicable to my case (wired users). Here are the details; please correct me if the design is wrong at any point:

    1: create a VLAN (241) for the management of the CAM on the core.

    2: create a VLAN (240) for the management of the CAS on the core.

    3: the IP addresses of both E0 (10.10.240.1) and E1 (10.10.240.1) for the CAS will be on the same subnet and the same IP address.

    4: create all trusted VLAN SVIs (vlan 10, 20) on the core.

    5: configure managed subnets for the untrusted VLANs (100, 200) on the CAS.

    6: create a VLAN mapping between trusted and untrusted (10 to 100, 20 to 200).

    7: core connected to the CAS: E0, trunk allowed vlan 10, 20, 240.

    8: core connected to the CAS: E1, trunk allowed vlan 100, 200.

    9: other typical configuration.

    I don't have a lab to test. I'm just worried whether I have missed something, as the implementation will be critical, and I want to avoid all risks.

    Please give me suggestions and best practices. Also please let me know if I need any additional config.

    Kind regards

    Abdul Majid Khan

    Abdul,

    Port profiles are used to determine if a port is managed or not managed, so you will need at least one port profile. Here you can define what the initial VLAN of the switchports will be, what the final VLAN will be, etc.

    More details here: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html#wp1083087

    HTH

    Faisal

  • NAC L2 and L3 Inband simultaneously does not work

    Dear all,

    I have a problem with the simultaneous deployment of L2 and L3 of the NAC.

    I have a CAS that is configured as a Real-IP gateway, in-band. Previously, I had the NAC working in an L3 deployment using PBR. I configured the PBR on the distribution switch in order to intercept the traffic of untrusted NAC users.

    Now our company is trying to add wireless, using a WLC, which has its interface VLAN configured on the CAS untrusted side (using the "managed subnet" section on the CAM). The wireless works perfectly; the users are able to authenticate to the NAC and able to connect to the network after NAC authentication.

    But now the L3 users cannot reach the untrusted interface to perform NAC authentication. The CAS cannot even ping the L3 user, which was previously fine.

    Is there a limitation on Cisco NAC for simultaneous L2 and L3 deployment? I read from Cisco that a single CAS can be configured for L3 and L2 simultaneously, so it should work.

    TQ
    Imad

    Imad,

    The way you described it working is pretty close to the way we would have set it up.

    Glad it works for you now!

    Ma'salam.

    Faisal

  • NAC - cannot HTTPS into the NAC (CAS) servers

    I was wondering if anyone has seen this issue. I am not able to HTTPS into my NAC servers, but I'm still able to manage them via my NAC Managers. What would cause this?

    David,

    The network you are trying to access your CASs from, is it part of the CASs' managed subnets?

    Faisal
