NAC - NAC - NM vs CASE

Hello

I have the central site with 50 users, without branches. Can I simply deploy NAC - NM instead of CASE and if I use NAC - 2811 SRI NM there is no bandwidth limitation when it is compared with the CASE solution? In general, what is the rate for SCS (3310) and what for the NAC - NM?

Yes, SL will run in inline mode, but as with all AC it can support only a single (inline or OOB) mode at the same time.

We are designing our inline NM CASE solution now in our lab and I had similar concerns about flow. I opened a TAC case and was assured that the CASE of NM can do a full concert flow. Our tests have shown that our routing platform (a SRI 2821) cannot do it on 20mbps, however, even with all the features disabled.

Tags: Cisco Security

Similar Questions

  • Generation of url of the NAC 4.7 CASE web login page

    We had third party generated for the ca certs and the CAM and they installed OK, as well as the relevant root and intermediate certificates, and the CASE/CAM communicate very well.

    However when a user is redirected to the authentication page, the generated url using the CN of the certificate...

    https://al-nac.sitename.local.companyname.co.uk/auth/perfigo...etc.

    However, the machine is unable to resolve the url.

    We cannot add entries dns for this url, we administer only in the field of sitename.local.

    Is there a way for certification authorities to ask the user to access a URL via an IP address?

    If I asked a new certificate, but use the IP address instead of the name of the machine, the authentication page will be referenced by this?

    Concerning

    Tony

    Hi Tony,

    Is this only for internal users?  If so, you can be better with something as a cert generated internally (as of Microsoft certification authority) rather than an external one.  I don't think they'll do certs of based on IP addresses, either.

    Thank you

    Lauren

  • NAC Appliance CAM/CASE

    Question:-we currently have NAC devices 1xCAM-2xCAS, no problems works great. The software is v4.0.5.

    We bought another camera of the NAC to use as the CAM as the current CAM will be lost during a "company cut".

    The NAC again has version V4.1.2.1. This is inconsistent with the CASE.

    If we improve the CASE also to V4.1.2.1, then we suffer loss of current functionality with existing CAM. (this is not the plan). We want the current environment run in parallel.

    Can 'downgrade us' the new 4.0.5 CAM?

    Thanks in advance

    That is a difficult question and I'm not a simple answer.

    You can check the release notes for 4.0.5 and see if your new CAM h/w is supported, if so you can recreate the image. But unless you can find a clear statement that 4.0.5 is supported on the new CAM so I wouldn't run the risk.

    You can also find problems in trying to control a CASE of two cams.

    I think you can look at some downtime to upgrade of your CAs.

    Could you make a backup of the CAM 4.0.5 and restore 4.1.2.1 CAM? Probably not.

    Sorry, I'm no help!

  • NAC L2 and L3 Inband simultaneously does not work

    Dear all,

    I have a problem with the simultaneous deployment of L2 and L3 of the NAC.

    I have a CASE that is configured as a real IP gateway, broadband. Previously, I can have the NAC working on L3 deployment using PBR. I configured the ACB on distribution switch in order to intercept the traffic of untrusted user NAC.

    Now our society tries to add wireless, using WLC, who have the interface vlan configured in CASES not reliable (using the section "managed subnet" on cam). the wireless run perfectly, they able to authenticate to the NAC and able to connect to the network after the authentication of the NAC.

    But now users of L3 cannot reach the unreliable for performing authentication of the NAC. The CASE cannot ping even L3 user which was previously correct.

    Is there a limitation on Cisco NAC for the deployment of L2 and L3? I read Cisco that a single CASE can be configured to L3 and L2 UNLIMITED so I should work

    TQ
    Imad

    Imad,

    The way you described work is pretty close to the way in which we would have put in place.

    Glad it works for you now!

    My ' salam.

    Faisal

  • Adding an additional CASE to an existing deployment of NAC OOB 4.7.3

    Hi guys,

    If I am to add the certificate self-produced my new cases to the authorities of my CAM list existing certificate approved, it just will be added or it will replace the existing trusted certificate?

    Hi Adrien,

    "Certification authorities" are the certificate of all the CAs root and also self signed certs of the trusts of the CAM case. So whenever you add a root/selfsigned certificate to this list, it is added to the list and does not replace any of the CERT. This link gives more information:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/CAs/s_admin.html#wp1092761

    Kind regards

    SOM

    PS: Please mark the same question if it has been answered. Note the useful messages. Thank you

  • NAC CAM/CASE temporary certificate expired

    Hello guys,

    I have a pair of high-availability NAC(CAM/CAS), last 3 months, I generate temporary certificate and now it has expired.

    I have to generate a new temporary certificate again and delete the old one? Is there no certificate who can give me a life certificate?

    Hello

    Please see this document detailing how to generate certificates for longer periods:

    https://supportforums.Cisco.com/docs/doc-11889

    HTH,

    Faisal

    --

    If you find this article useful, please note so that others can easily find the answer

  • NAC v4.7.1 - cannot add CASE to CAM - SSL error

    I have a CAM and CAs who was photographed with the newly recreated v4.7.1 image.  On this, I am unable to add the CASE to the CAM.  So far, I've worked with TAC and they can't seem to understand the question either.

    A substance that has been done after the installation:

    -Installed CAM and LICENSES

    -Guarantees self-generated SSL certificate DN of the point to the IP address of the device (if the CAM that point to the IP of the CAM...)

    -Under the confidence of the Board, CAM and CASE lacked the Perfigo entry.  Imported Perfigo of different certification authorities CA entry he already had.

    [email protected], CN =www.perfigo.com, OU = product, O = "Perfigo, Inc.", L = San Francisco, ST = California, C = US

    -CAM and CASES point to a DNS server that has the entries advance DNS configuration and back to the cam and the CASE

    -Checked CAM can ping by IP and host name ca and the FULL domain name

    -Check that the time on the cams and CASES are synchronized and are OK

    -Verify that the secret password on CAM and CASE by looking at the file /root/.perfigo/secret (also /root/.perfigo/master) and ensuring the matching strings

    Newspapers of throwing what follows:

    Could not connect to 10.1.2.19

    SSLManager: certificate of the server failed to check the string CN = 10.1.2.19, OU = XXX, O = XXX, L = XXX, ST = XX, C = XX:No found secure certificate

    Any ideas?

    Hey,

    Cisco NAC Appliance version 4.7 (0) no longer contains the "www.perfigo.com" CA in the. Image ISO or upgrade. Directors, requiring the "www.perfigo.com" CA in the network must manually import the CA of a local after installation or updated computer to upgrade to version 4.7 (0).

    In order to establish the secure communication channel initial between a cam and the CASE, you must import the root certificate of each device in the store of trust of the other device so that the CAM can trust the certificate CASE and vice versa.

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/Release_notes/47/47rn.html#wp826817

    Kind regards

    Parminder Sian
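
An added illustration (not from these threads or from Cisco) of two points made in the answers above: the CAM and the CAS must each hold the other's self-signed certificate in their trusted list, and importing a certificate appends to that list rather than replacing an existing entry. It models a trust store as a PEM bundle checked with the openssl CLI; the names cam/cas, the 192.0.2.x CNs and the file layout are constructed assumptions, not the appliance's own mechanism.

```shell
#!/bin/sh
# Added illustration: a trust store is modelled as a PEM bundle file.
# The names cam/cas and the 192.0.2.x CNs are constructed sample values.

# make_self_signed NAME CN: write NAME.key and NAME.crt (self-signed, 1 day).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# trusts STORE CERT: succeed only if CERT chains to a certificate in STORE.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# import_ca STORE CERT: append CERT to STORE; existing entries are kept.
import_ca() {
    cat "$2" >> "$1"
}

# count_certs STORE: print the number of certificates held in the bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# report LABEL STORE CERT: print whether STORE accepts CERT.
report() {
    if trusts "$2" "$3"; then
        echo "$1: accepted"
    else
        echo "$1: rejected (no trusted certificate found)"
    fi
}

# demo: walk through the failing state and the fix in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_self_signed cam 192.0.2.10 || exit 1
        make_self_signed cas 192.0.2.20 || exit 1

        # Fresh install: each device trusts only its own certificate.
        cp cam.crt cam-trust.pem
        cp cas.crt cas-trust.pem
        report "CAM checks CAS cert before import" cam-trust.pem cas.crt
        report "CAS checks CAM cert before import" cas-trust.pem cam.crt

        # Fix: import each device's certificate into the other's store.
        import_ca cam-trust.pem cas.crt
        import_ca cas-trust.pem cam.crt
        report "CAM checks CAS cert after import" cam-trust.pem cas.crt
        report "CAS checks CAM cert after import" cas-trust.pem cam.crt

        # The import appended: the CAM's original entry is still trusted.
        report "CAM checks its own cert after import" cam-trust.pem cam.crt
        echo "entries in CAM trust store: $(count_certs cam-trust.pem)"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```
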

  • NAC SSO vpn: is the CASE real-IP mode supported?

    Hi all

    I tried to setup a CAS like inline real gateway IP to support only enroll via a Cisco ASA running IPsec cisco vpn client.

    CASE and CAM are 4.5.1 running

    I followed the guide online to the letter (except for running in the virtual gateway mode and do the mapping vlan)

    My vpn authentication works on the SAA and Ray is transmitted if the CASE to the ACS server very well.

    I did a tcpdump on the case and cam and saw the package of accounting Radius passed from the ASA to the CAs, and then by the CAS to the CAM, so managing accounts radius 'start' package is sent to the user authenticated on the vpn.

    The problem is that the laptop is trying to access the network does not display the "auto connect" screen of the agent of the CCA, in contrast, agent of the CCA screen the authentication of user request and password details.

    I also following the advice of this link unsuccessfully

    (Known issue for VPN SSO after upgrade to version 4.5)

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/Release_notes/45/45rn.html#wp711526

    So, I am now suspecting whether the CASES can take in charge SSO real-mode gateway IP.

    Dale

    I've implemented in real gw ip mode, but not in 4.5. It has worked well.

    What is the guide that you followed?

    http://www.Cisco.com/en/us/partner/docs/security/NAC/appliance/configuration_guide/45/CAs/s_vpncon.html

  • NAC 4.8 adding to the case because of the cam

    Hi all

    I threw a half because of the NAC installation and this is my first deployment of the NAC, I feel a little overwhelmed.

    I read the installation guide for the devices from the back to the front, but I have a problem after the addition of a case to the cam.

    I am able to add the case to the cam successfully, but almost immediately, the case and the cam can no longer ping between them in the cli.

    the States of event logs that the heap in connected to the cam, but newspapers then an error that the cam is unable to push the registration to the CAs. from this point, I get several questions of event log indicating that the case is out of sync

    I copied a part of the nac_manager.log which show the connection process:

    2012-03-09 22:33:06.037 + 1100 [TP-Processor24] INFO com.perfigo.wlan.web.admin.SecureSmartServer - SSS - connect: get the new connectorClient of 10.0.0.100

    2012-03-09 22:33:36.433 + 1100 [TP-Processor24] INFO com.perfigo.wlan.web.admin.SecureSmartManager - SSM - addSecureSmartServer: sleep for 2 seconds to click to restart

    2012-03-09 22:33:38.434 + 1100 [TP-Processor24] INFO com.perfigo.wlan.web.admin.SecureSmartManager - SSM - addSecureSmartServer: sleep for 2 seconds to click to restart

    2012-03-09 22:33:40.436 + 1100 [TP-Processor24] INFO com.perfigo.wlan.web.admin.SecureSmartManager - SSM - addSecureSmartServer: sleep for 2 seconds to click to restart

    2012-03-09 22:33:42.438 + 1100 [TP-Processor24] INFO com.perfigo.wlan.web.admin.SecureSmartManager - SSM - addSecureSmartServer: click on the STOPPED state

    2012-03-09 22:33:42.617 + 1100 WARN [TP-Processor24] com.perfigo.wlan.web.admin.SecureSmartPublisher - NAC Server 10.0.0.100 is out-of-sync.

    2012-03-09 22:33:42.702 + 1100 [TP-Processor24] ERROR com.perfigo.wlan.web.admin.FilePublisher - FilePublisher - writing: setPath failed...

    2012-03-09 22:33:42.793 + 1100 [TP-Processor24] ERROR com.perfigo.wlan.web.admin.FilePublisher - FilePublisher - writing: setPath failed...

    2012-03-09 22:33:42.833 + 1100 [TP-Processor24] ERROR com.perfigo.wlan.web.admin.SecureSmartPublisher - SSM publishAccess: impossible to publish the comments sign-up page

    2012-03-09 22:33:42.872 + 1100 [TP-Processor24] com.perfigo.wlan.jmx.admin.FileUtil - FileUtil - readFile INFO: /perfigo/control/conf/os-detection.fp

    2012-03-09 22:33:42.887 + 1100 [TP-Processor24] ERROR com.perfigo.wlan.web.admin.AccessConf - cannot activate ETH1 on 10.0.0.100

    2012-03-09 22:33:42.888 + 1100 [TP-Processor24] ERROR c.perfigo.wlan.web.admin.AdminIpAccessInfoManager - AIAIM - publishAccess: failure

    2012-03-09 22:33:42.888 + 1100 [TP-Processor24] INFO com.perfigo.wlan.web.admin.ServerConf - SC - stopOobSWissServer()

    2012-03-09 22:33:42.905 + 1100 [TP-Processor24] INFO com.perfigo.wlan.web.admin.SecureSmartManager - 10.0.0.100 added to Clean Access Manager

    2012-03-09 22:33:46.922 + 1100 [pool-1-thread-1] ERROR com.perfigo.wlan.web.admin.ConnectorClient - Exception of Communication: can't connect with the exception of server access own creation connection to: 10.0.0.100. nested exception is:

    java.net.SocketTimeoutException: connect timed out

    2012-03-09 22:33:46.922 + com.perfigo.wlan.web.admin.SecureSmartPublisher - SSP - connectAndPublish 1100 [pool-1-thread-1] ERROR: could not connect to 10.0.0.100

    2012-03-09 22:34:01.614 + 1100 [pool-1-wire-2] ERROR com.perfigo.wlan.web.admin.ConnectorClient - Exception of Communication: can't connect with the exception of server access own creation connection to: 10.0.0.100. nested exception is:

    java.net.SocketTimeoutException: connect timed out

    2012-03-09 22:34:01.615 + com.perfigo.wlan.web.admin.SecureSmartPublisher - SSP - connectAndPublish 1100 [pool-1-wire-2] ERROR: could not connect to 10.0.0.100

    2012 03-09 22:34:01.627 + 1100 [pool-1-wire-2] WARN com.perfigo.wlan.web.admin.SecureSmartPublisher - NAC Server 10.0.0.100 is out-of-sync.

    2012-03-09 22:34:05.628 + 1100 [TP-Processor19] com.perfigo.wlan.web.admin.ConnectorClient - Exception of Communication ERROR: could not connect with the exception of server access own creation connection to: 10.0.0.100. nested exception is:

    java.net.SocketTimeoutException: connect timed out

    2012-03-09 22:34:20.618 + 1100 [pool-1-wire-3] ERROR com.perfigo.wlan.web.admin.ConnectorClient - Exception of Communication: can't connect with the exception of server access own creation connection to: 10.0.0.100. nested exception is:

    java.net.SocketTimeoutException: connect timed out

    I've followed all of the installation guides recommendation of the disconnection of the interface untrust on the CASE and there is no HA configuration currently...

    What I don't understand is the inability of webcams and cases of ping each other, but they can ping other devices on the network. The SCA and the cam are in different VLANS.

    Any assistant to a guru of the NAC would be greatly appreciated.

    Thank you

    JS

    Thanks a lot Man, saved you my day

  • NAC - not in HTTPS in the NAC (CASE) servers

    I was wondering if anyone has seen this issue.  I am not able to HTTPS in my NAC servers, but I'm still able to manage via my managers of the NAC.  What would cause this?

    David,

    The network you are trying to access your CASs, is this part of the network of managed subnets CASs?

    Faisal

  • NAC does not insert the CASE.

    Hello

    I have a problem when going to insert a Nac server in our manager of the NAC, the message that appears is "failed to add the server: Maximum limit for access servers own supported has been reached", but I don't no matter what server do not have in this handler of the NAC.

    Someone has an idea?

    Kind regards

    Wagner Silveira

    Display resolution for registration: customer had bad licenses as they have been issued to the MAC address of the CASs. Licenses are always supposed to be issued to the MAC address of the CAM.

  • Question of the NAC CASE HA

    Hello

    I currently have an IB and OoB VG environment. BOTH work fine, but now I want to add HA at a time. Watch you documentation (CASE 4.1.3 user guide) I see that I need to two addresses IP of Service, one for the trust interface and one for the unreliable. In my case because they are works normally in mode VG, I would have the same ip address in both approved and not approved. Is the same applies for addresses IP of Service? can I use the same ip address of service on both sides?

    Should I total 1 three IP addresses for both of the IB of the int AC, 1 for the two int of the OoB AC and 1 for both addresses IP of Service?

    Thanks in advance for any info...

    For a VGW solution, you must use the same IP for approved and unapproved.

    You will need three IP addresses: primary real IP, real school, of the Service. It is a system not by interface.

  • OOB - WLC VG OOB error

    I configured OOB 4.5.1 VG with 2100 WLC.

    NAC:

    #####################

    CASE is on VLAN 40 with 192.168.123.2/24

    CAM is located on the VLAN 60 with 192.168.199.2/24

    Receiver SNMP - community: cam_v2

    Profile WLC:-V2C read: cam_v2.

    V2C read/write: cam_v2

    The success has added 192.168.123.3 with profile WLC

    NAC server is connected to Gi2/0/2 and Gi2/0/3

    Manager of the NAC is connected to Gi2/0/1

    Switch:

    #####################

    3750 is the core switch as follows:

    interface GigabitEthernet1/0/6
    description connect to WLC Port 1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface GigabitEthernet1/0/7
    description connect to WLC Port 2
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 40
    switchport trunk allowed vlan 40,70,170
    switchport mode trunk

    ::

    interface GigabitEthernet2/0/1
    description CAM
    switchport access vlan 60
    !
    interface GigabitEthernet2/0/2
    description trsut_VLAN
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 999
    switchport trunk allowed vlan 3-10,40,60,70
    switchport mode trunk
    !
    interface GigabitEthernet2/0/3
    description untrust_VLAN
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 998
    switchport trunk allowed vlan 13-20,170
    switchport mode trunk

    Switch 3750 is the main switch.

    We put article gi1/0/6 as an interface of trunk to WLC Port 1, item in gi1/0/7 as trunk but only 40,70 and 170 with native 40 connected to 2 ports WLC.

    Wireless:

    ######################

    WLC Mgr interface is VLAN40 with 192.168.123.3/24

    Interface of the AP is VLAN7 with 192.168.120.2/24

    General SNMP - cam_v2

    Trap read/write: cam_v2

    SSID with vlan_nac with Quarantee VLAN 170 interface and Interface VLAN 70

    I did 2 tests:

    1 associate WLC 'PORT 1' <--- Result: can get the login page, but fail to connect (OOB error: OOB Client can not find.)

    2 associate WLC "PORT 2" <--- Result: can't get the login page

    WLAN configure the interface vlan_nac and check the option 'NAC' active.

    How success configured WLC with NAC? Any Suggestion? or any case of success could be shared? Thank you very much

    I have attached the result for reference.

    Hello

    I can assure you it is a question of SNMP or the traffic of the trap is not arrive at the CAM. Please post your screenshots of your CAM SNMP and WLC configuration.

    Thank you

    Faisal

  • NAC appliance purchase question

    Dear Experts,

    This summer we bought a Server Appliance from Cisco NAC3315-K9-500-500-NAC3315-K9.

    And we are about to begin its deployment. But to our surprise, we learned that it is a separate physical server to manage the NAC and NAC Manager license is required.

    Unfortunately, we bought the unit of the NAC with support (rather hasty) that management (CAM) and the access server (CASES) are integrated into a single box. But, after checking a configuration guide, he said that one or other of the CAM or CASES can be installed on the device.

    So is it possible to integrate them both on the same machine? Or must buy this CAM server that cost a fortune?

    Or alternatively, the cam can be installed as a virtual machine?

    Looking forward for your answer,

    Thank you very much!

    Hello

    You cannot run the cam and the CASE on a single piece of material (when you install the software, you must choose the Manager or the server prior to installation scripts), you must run on separate devices. However, you can get a job in Ise (licenses), which is the last product that can take advantage of all the features of the NAC in one device. However based on your network (amount of endpoints) it can easily take more material.

    ISE can run on devices that you have purchased, you will need to go to your cisco account representative or your partner of cisco in order to have their with the discount and you get to put on the same page on ISE (providing the demonstration or proof of concept).

    I supported the NAC and ISE and your best approach should not go forward with the NAC product now that ISE is out, it is a design much better in the way it integrates into your network, it uses also not only the manager and server, but it includes the profiling and reviews management services which are all of different products within the line of the NAC.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Cisco NAC appliance - after a success does not change users to connect to the vlan propper

    Hello

    I am new to cisco NAC BURNERS and I have to troubleshoot an implementation. It is a real OOB IP gateway configuration. Users can connect to the Pentecost the CCA, but after the connection of this success, they remain on the role not authenticated, as well as on this vlan. I checked the SNMP protocol and seems to work very well. Also, I checked the logs on nac_manager.log and there is nothing surprising, in fact I see nothing about this user or IP address that connects.

    Also the user does not appear on the list of users online on cam.

    Can someone help me figure out how can I fix? version 4.8, I'll post any information requested

    Thank you

    We recently had the problem with Windows AD SSO and Windows 7 clients.

    Would authenticate the XP clients very well, however, Windows 7 clients would not authenticate and will remain just on the authenticated vlan.

    Our question was looking for CASE SSO account, we installed on AD. It only support the encryption, WHICH has no Windows 7 64. We turned off "Use OF THE encryption" on the account authentication UNIQUE AD and re-tested.

    What are the parameters of the port-profile to which is applied the switchport?

    What is the map settings vlan ports trunk not approved or confidence?
