NAC with CA

Is it necessary to use the CA with NAC?

If we do not use it, what is the impact on users?

We can deploy without this, no problem

Talha,

Yes, it is possible to deploy NAC without a CA. You can use self-signed certificates or a certificate from a third-party provider (Verisign, GoDaddy, etc.).

HTH,

Faisal

Tags: Cisco Security

Similar Questions

  • Comment of the NAC with WLC Server

    Dear all,

    I just need to confirm that it is possible that we add same WLC to AC (wireless users), as well as NAC comments Server (wireless guest users) or do I have to WLC plus one for the comment of the NAC server.

    Kind regards

    Hello Nameair

    You don't need separate WLC... NAC comments servers are perfectly normal RADIUS servers, used for authentication. You can integrate your existing WLC, in addition to IB or OOB to your certification authority, with the comment server. I enclose a doc who gives information on the configuration of wlc and host servers.

    I hope this helps... all the best... happy new year to you. the rate of responses if deemed useful...

    REDA

  • NAC with "supported AV/AS Product List 0.

    Hello

    On the configuration of the NAC for posture assessment, I discovered the system currently doesn't support AV/AS. Is this normal? I have attached the screenshots showing what I'm talking about. Furthermore, I configured the system for automatic update, but nothing has changed.

    Appreciate your expertise.

    Thank you

    Mike

    Mike,

    For some reason your auto-update does not work. The screen that shows all zeros for the different parameters should show numbers.

    Make sure that your CAM can access the internet and traffic to www.perfigo.com is not blocked and do a manual update on your CAM.

    The current version of checks and updates when I did a moment ago was 96132.

    HTH

    Faisal

    --

    If you find this article useful, please note so that others can easily find the answer

  • NAC with RADIUS

    Hello

    Does the Cisco NAC for LAN solution support a RADIUS server different from Cisco ACS?

    Thank you

    Jonathan,

    I assume you mean RADIUS for authentication providers? If so, any standard Radius server should do.

    HTH,

    Faisal

  • NAC with 6509

    Hi all

    I have mac-notif set up on a 6509 chassis, but it does not send mac-notif to the NAC. In the agent, I got:

    "OOB error; Plug not found MAC"

    Here is the config of 6509:

    snmp-server community privatecw121 RW

    snmp-server community publiccw121 RO

    snmp-server trap-source Vlan5

    snmp-server enable traps snmp linkdown

    snmp-server enable traps mac-notification move threshold

    snmp-server host 192.168.12.250 publiccw121

    any suggestion would be appreciated. This is the type of emergency.

    Thank you

    Alex

    Alex,

    The routing on the heap table is stored in the file /proc/click/real_routing_table/table

    cat that file and you will see what looks like the table.

    HTH,

    Faisal

  • NAC with security rtr

    Hello

    We want to implement a NAC solution for people who call the House HO, then goes to internet through our internet router.

    This router contains the security feature and NAC is activated (you can see it from the web interface)

    However, a partner of cisco suggests to use the clean access server and not the router security.

    is there an advantage of the use of the own access servers or limitation of security rtr.

    Note: we only need check windows updates and antivirus updates when computers access the internet

    Well, both the NAC framework (SNAC on your router) and NAC Appliance (Clean Access Server) will work. You can dial via PSTN/ISDN or VPN using Cisco VPN Client. In addition, you can buy NME-NAC-K9 module for your router and it will work as clean access server.

    To use the framework of the NAC, you'll also need Cisco Secure Access Control Server (ACS CS) 4.0 + (4.1). It's a commercial RADIUS server and is not cheap.

    In addition, to check the antivirus updates your antivirus product must be accompanied by the NAC framework or device. For a list of supported products, take a look at:

    http://www.Cisco.com/go/NAC

    NAC http://www.Cisco.com/Web/partners/pr46/NAC/partners.html (frame)

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/Release_notes/416/416rn.html (NAC Appliance)

    Framework of the NAC that you will need to integrate provider .dll files in the Cisco Trust Agent (for all of your providers of antivirus!), and then distribute CTA all the PC user using a mechanism out of band (not easy). CTA is a must for the NAC framework.

    NAC Appliance automates this. It is a stand-alone product (not .dll files). Clean access agent can check the anti-virus supported by himself. It can be installed on the PC via a mechanism out of band or downloaded from the login Web page. In addition, Java / ActiveX agent is supported and can check your PC for compliance as well.

    Verification of Service Pack number is not difficult in these two products. However, to check the patches for Windows, you need to create complex rules as part of the NAC. When a new patch is released by Microsoft, you will need to change your rules manually (not easy). NAC Appliance automates this. It can download rules on the Cisco site. But you will need to purchase technical support for it.

    In general, setting up and maintaining the NAC framework is not an easy task. However, you can buy additional products, integrating them into the frame and they will automate a lot of things for you. It is cheap and easy. NAC Appliance is autonomous. You don't have to be anything else.

    HTH

  • NAC integrated with the comment server

    Hi all

    I met a problem that happened when I joined NAC with the comment server.

    Hope I can find the solution here!

    When I create an account to the comment server, the account will be created in the NAC as a local user.

    If I chose "time profile - start-end", the account will be created in the NAC.

    But if I chose "Time profile - first Login", the account will not be created in the NAC.

    If the guest cannot connect with this account using "time profile - first Login".

    All configurations of the document including "Radius Client and Accounting" has been correctly configured.

    But I can't yet find the solution.

    Please answer me if you know the answer. Thank you very much!!!

    Jet Li

    If Taiwan

    Hi Jet Li,

    This should be because only based on time with beginning and end is supported when you turn on the END with the NAC Appliance solution:
    http://www.Cisco.com/en/us/docs/security/NAC/guestserver/configuration_guide/20/g_guestpol.html#wp1063409

    "Cisco NAC comments Server Version 2.0 supports only start/end and creating profiles when used with Cisco NAC appliances"

    Kind regards

    Fede

    --
    If this helps you or answers your question, please mark it as 'responded' or rate it, so other users can easily find it.

  • NAC appliance purchase question

    Dear Experts,

    This summer we bought a Server Appliance from Cisco NAC3315-K9-500-500-NAC3315-K9.

    And we are about to begin its deployment. But to our surprise, we learned that it is a separate physical server to manage the NAC and NAC Manager license is required.

    Unfortunately, we bought the unit of the NAC with support (rather hasty) that management (CAM) and the access server (CAS) are integrated into a single box. But, after checking a configuration guide, it said that one or other of the CAM or CAS can be installed on the device.

    So is it possible to integrate them both on the same machine? Or must we buy this CAM server that costs a fortune?

    Or alternatively, can the CAM be installed as a virtual machine?

    Looking forward for your answer,

    Thank you very much!

    Hello

    You cannot run the CAM and the CAS on a single piece of hardware (when you install the software, you must choose the Manager or the server prior to installation scripts), you must run them on separate devices. However, you can get a job in ISE (licenses), which is the last product that can take advantage of all the features of the NAC in one device. However, based on your network (amount of endpoints), it can easily take more hardware.

    ISE can run on devices that you have purchased, you will need to go to your cisco account representative or your partner of cisco in order to have their with the discount and you get to put on the same page on ISE (providing the demonstration or proof of concept).

    I supported the NAC and ISE and your best approach should not go forward with the NAC product now that ISE is out, it is a design much better in the way it integrates into your network, it uses also not only the manager and server, but it includes the profiling and reviews management services which are all of different products within the line of the NAC.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • ACS + NAC-L2-IP & 802.1x

    Hello! I am implementing NAC now. I know from the NAC Framework configuration guide that I can use NAC-L2-IP for posture validation, but this model (technology) does not provide the identity of the user. So the question is: can we use NAC-L2-IP for posture validation and 802.1x for user authentication (using MS-CHAPv2) at the same time on Catalyst 3560G with ACS 4.1?

    Thank you in advance!

    Yes, this can work. If you are migrating at some point to have NAC with 802.1X, well, you will get are studying twice on the ports configured for two well.

  • NAC OOB AD SSO

    Hello

    I am configuring OOB SSO of the NAC with AD. The software on my CAS and CAM is 4.7(2) and my AD is Windows Server 2008.

    I have some information that I must not run ktpass on the AD server with this version of the NAC software (4.7.2). Is this true? Because I found this kind of information in any textbook.

    So I run the ktpass, and if I do, what version should I use?

    Thank you

    Zoran,

    Check out this link. Even though it says it's for 4.8, it works with 4.7.2 also:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/48/CAs/s_adsso.html#wp1300720

    HTH,

    Faisal

  • Question about the license of the NAC

    Hi all

    In the past, my company bought a NAC server with a 250-user license. At present, my company has 300 users and intends to expand the capacity of the NAC server.

    Do I have to buy another NAC server, or simply buy another license (for more than 300, e.g. 1000 users)?

    Thank you for your answer!

    See this link about the licenses.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_bulletin0900aecd805d0358.html

  • NAC Manager high availability peer CAM DEAD

    Hello

    I have two NAC Managers with high availability and I used the eth1 interface on both sides as a heartbeat link.

    I did following steps for high availability.

    (1) synchronize the time between two cams.

    (2) generate a temporary SSL certificate in CAMs and import-export procedure made in the other.

    (3) make a CAM as a primary and the other as secondary.

    But after all this made configuration I can see the State in surveillance > reports-primary CAM is in place in both servers and redundant CAM is down.

    Also on the failover tab, I can see - Local CAM - OK [Active] and counterpart CAM:-DEAD.

    I have attached some screenshots so that you can find the same.

    Your help will be very appreciated.

    Thank you

    Try these steps and check that all steps were followed:

    http://www.Cisco.com/c/en/us/support/docs/security/NAC-appliance-clean-access/99945-NAC-cam-HA.html

  • Redirect Web Login Page

    Hello

    When I login to windows for 1st the NAC agent installation, I was redirecting to the login WEB page but my windows credentials of the user name and password are not accepted. ???

    Thank you

    It's true.

    After installation of the NAC Agent, with ADSSO configured, the user should just be able to log in to Windows and the NAC Agent will do SSO by using the Windows credentials used at Windows login.

    Best regards

  • Place in untrusted clients after disconnection AS SSO

    I have a deployment L3 OOB of the NAC with AD SSO. Users are mapped to different roles according to their belonging to OU, then to different VLANS. What happens is that if a user with a certain role connects to a customer and is NEGLIGIBLE in its VLAN, say VLAN10, and then disconnects from the PC, the PC remains in VLAN10.

    Another user to a different role now arrives and opens a session on that same PC remains in the same VLAN, but really need to switch to a different VIRTUAL LAN because it has a different role.

    If the system is restarted then everything works well as the linkdown SNMP trap is sent to the NAM.

    How can I cause clients using AD SSO change the role of the port in not authenticated when they connect from the system? I know this can work with band but I don't know if this can be done with OOB.

    Sachin,

    OOB logoff support is in 4.8, which releases in late summer. For now, what you want cannot be done.

    HTH,

    Faisal

  • CCA Agent refreshing kills mapped IP apps?

    Deployment of the NAC L2OOB with AD SSO - users have the drive mapping connection scripts and kick sending apps but CCA Agent refreshes the IP address that by Cisco TAC are unconfigurable (despite the authentic giving optional web!). During this update, any mapped application disappears from the office and must be updated. I do NO need DHCP to update, but since you apparently, how can I avoid these applications mapped to disappear? Surely, this is done in many places with NAC and SSO AD? Thank you!

    Check if the dhcp configuration is done correctly on the cisco NAC.

    see the "dhcp Configuration" section in the following url for more information about the dhcp configuration:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/412/CAs/s_dhcp.html

    See the following url for more information on troubleshooting cisco NAC with Active Directory Single Sign-On (SSO AD):

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/412/CAs/s_adsso.html#wp1156402
