Question about NAC CAS HA

Hello

I currently have an IB and an OoB VG environment. Both work fine, but now I want to add HA to each. Looking at your documentation (CAS 4.1.3 user guide) I see that I need two Service IP addresses, one for the trusted interface and one for the untrusted. In my case, because they currently work in VG mode, I would have the same IP address on both trusted and untrusted. Does the same apply to the Service IP addresses? Can I use the same Service IP address on both sides?

So should I have a total of three IP addresses: 1 for both interfaces of the IB CAS, 1 for the two interfaces of the OoB CAS, and 1 for both Service IP addresses?

Thanks in advance for any info...

For a VGW solution, you must use the same IP for trusted and untrusted.

You will need three IP addresses: primary real IP, standby real IP, and the Service IP. It is per system, not per interface.

Tags: Cisco Security

Similar Questions

  • Question about NAC

    NAC policy is enforced on a Cisco switch. If a non-Cisco switch is connected to these Cisco switches, can NAC policy be enforced on the non-Cisco switch?

    You can do that if you perform an in-band NAC deployment. You cannot apply the policies on other switches in out-of-band mode.

    So if NAC is deployed in in-band mode, your answer is yes.

    If NAC is deployed in out-of-band mode, your answer is no.

  • NAC - cannot HTTPS into the NAC servers (CAS)

    I was wondering if anyone has seen this issue. I am not able to HTTPS into my NAC servers, but I'm still able to manage them via my NAC Managers. What would cause this?

    David,

    The network you are trying to access your CASs from, is it part of the CASs' managed subnets?

    Faisal

  • Basic NAC deployment question

    Hello

    Am I right to assume that a NAC deployment must consist of at least 2 devices, a Server and a Manager? Or is the Manager an application running on a Windows Server? Can the Manager run on the same machine as the Server?

    My second question concerns Cisco Trust Agent and Clean Access Agent. Is CTA actually managed by CAA? From what I see, CTA was part of the old NAC framework until they started using appliances.

    Many thanks in advance,

    DOM

    Manager and Server can run on either PCs or Cisco appliances, which are in fact HP ProLiant DL140 G3 or HP ProLiant DL360 G5 PCs ;) You will need two devices in any case.

    Second question - nobody knows what will happen with this technology in the future. Will it be completely replaced by MS NAP? Will the NAC framework be cancelled? Both Cisco solutions are not perfect. What customers actually need is to have all the features of the NAC Appliance operate directly on Cisco routers and switches. No Clean Access Server would be needed in that case, only the Manager! And the OOB mode, which is difficult to set up, support and troubleshoot, would disappear. The NAC framework does run directly on Cisco devices, but it's not as feature-rich as the NAC Appliance.

  • I have a problem with NULL values when using a CASE statement, please help with this question

    I have a problem with NULL values when using a CASE statement, please help with this question.

    Table: digital_val

        SNO  C1    C2
        1    San1  11
        2    San2  22

    Expected result:

        A    B
        11   22

    Actual result:

        A    B
        11   NULL
        22   NULL

    Query:

        SELECT CASE WHEN c1 = 'San1' THEN c2 END AS A,
               CASE WHEN c1 = 'San2' THEN c2 END AS B
        FROM digital_val

    I'm more curious why, when you select 2 rows, you expect a result of 1 row?

        WITH digital_val AS (
            SELECT 1 AS sno, 'San1' AS c1, 11 AS c2 FROM dual
            UNION ALL
            SELECT 2 AS sno, 'San2' AS c1, 22 AS c2 FROM dual
        )
        SELECT CASE WHEN c1 = 'San1' THEN c2 END AS a,
               CASE WHEN c1 = 'San2' THEN c2 END AS b
        FROM digital_val;

    With no other input, if you select 2 rows, you get 2 rows. One of the other solutions uses a MAX function, but is this really what you want? You do not specify.

  • Question about the NAC license

    Hi all

    Some time ago, my company bought a NAC server with a 250-user license. At present, my company has 300 users and intends to expand the capacity of the NAC server.

    Do I have to buy another NAC server or simply another license (for more than 300, e.g. 1000 users)?

    Thank you for your answer!

    See this link about the licenses:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_bulletin0900aecd805d0358.html

  • Real-IP gateway process for in-band NAC

    Hi all

    I did a lot of research, and I cannot find good answers to some of my questions. All the big questions are answered for out-of-band configurations, but I find that understanding of in-band is taken for granted lol... I guess I'm slow =P

    1. How does the in-band Real-IP gateway work?
    2. What is the point of the /30 subnets?
    3. Are there any access/auth VLAN pair configurations in in-band?
    4. How does quarantine work?
    5. I read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean there is no support for multiple trusted VLANs mapped to a single NAC server?
    6. Can you do role mapping configurations in in-band?

    Help with any or all of these questions would be GREATLY appreciated!

    Thank you a lot =]

    ~ Xavier.

    Hi Xavier,

    I'll try to answer your questions

    1. How does the in-band Real-IP Gateway work?

    The CAS works in routed mode, i.e. you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Because the CAS does not support routing protocols, routing must be configured through static routes.

    2. What is the point of the 30 subnets?

    The idea is to have small subnets for your clients, so that with this config IP clients in the authentication VLAN must go through the CAS even to talk to other clients on the same L2 segment.

    Click here for an explanation:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/47/CAs/s_dhcp.html#wp1057889

    3. Are there access/auth VLAN pair configurations in in-band?

    If you are asking whether there is VLAN mapping, then the answer is NO, as the purpose of VLAN mapping is to *bridge* traffic between the mapped trusted and untrusted VLANs, but in Real-IP the CAS routes traffic at L3.

    4. How does quarantine work?

    When a client is quarantined, it works the same way as in OOB, since in this phase the client is still inline with the CAS.

    So the concept is that the CAS assigns the user the Temporary or Quarantine role and applies the traffic policy you've set up for the Temporary or Quarantine role.

    5. I have read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean there is no support for multiple trusted VLANs mapped to a single NAC server?

    The "single VLAN" restriction for a Real-IP CAS applies only to the *trusted* side. The CAS may be the default gateway for multiple VLANs / IP subnets on the *untrusted* side.

    Configure additional VLANs / IP addresses on the untrusted side by using the "managed subnet" configuration.

    This is mentioned here:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/CAs/s_deploy.html#wp1050938

    The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For more information on the setup of managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.

    6. Can you do role mapping configurations in in-band?

    Yes, you can! However, you cannot assign a VLAN as you do in OOB, but you can assign different levels of access based on the IP traffic policies and bandwidth restrictions that you assign to the specific role.

    For example, check here for more details:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/cam/m_users.html#wp1040231

    In a word, regardless of In-Band vs Out-of-Band:

    - clients are In-Band (inline with the CAS) during the CAS detection, authentication, posture assessment and remediation phases.

    The main difference occurs when the user is allowed to access the network and the IB or OOB role assignment takes place:

    - in IB, client traffic keeps flowing inline through the CAS, so you can apply different access policies (ACLs) and bandwidth control depending on the role policies (but you cannot assign a VLAN);

    - in OOB, client traffic bypasses the CAS once it is authorized: in this case you can apply different VLANs but (given that the CAS is no longer in the path) you cannot apply ACLs and/or bandwidth policy.

    I hope that answers your questions.

    Kind regards

    Federico

    --
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
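The /30 point in the answer above (question 2) is easier to see in code. The following is an added illustration for this thread, not Cisco code and not from the original post: it carves a constructed managed subnet into /30 scopes and shows that a client's own IP stack has no on-link route to a peer in another /30, so even two hosts on the same L2 segment hand their packets to the gateway, which is the CAS. The layout of each /30 (first usable address is the CAS gateway, second is the single DHCP client address), the sample subnet and the client MACs are assumptions made for the example; the real CAS DHCP implementation may lay the /30 out differently.

```python
"""Carve a NAC managed subnet into /30 client scopes and show why two clients
on the same L2 VLAN still route through the CAS to reach each other.

Added example for the forum thread; not Cisco code. The /30 layout used here
(network, gateway, client, broadcast) is an assumption.
"""
import ipaddress
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address


def carve_scopes(managed_subnet: str) -> List[Tuple[IPv4, IPv4]]:
    """Split the managed subnet into /30s and return (gateway, client) pairs.

    Assumption: the first usable address of each /30 is the CAS gateway and the
    second is the one client address the DHCP server hands out.
    """
    net = ipaddress.ip_network(managed_subnet, strict=True)
    scopes = []
    for sub in net.subnets(new_prefix=30):
        hosts = list(sub.hosts())  # a /30 has exactly two usable addresses
        scopes.append((hosts[0], hosts[1]))
    return scopes


def lease(scopes: List[Tuple[IPv4, IPv4]], clients: List[str]) -> Dict[str, Tuple[IPv4, IPv4]]:
    """Hand one /30 to each client (identified by a constructed MAC), in order."""
    if len(clients) > len(scopes):
        raise ValueError("managed subnet too small for the client count")
    return {mac: scopes[i] for i, mac in enumerate(clients)}


def next_hop(src_client: IPv4, src_gateway: IPv4, dst: IPv4) -> IPv4:
    """Where the client's own IP stack sends a packet for dst.

    With a /30 mask the only on-link destination is the client's own /30;
    anything else goes to the gateway, i.e. through the CAS.
    """
    own_link = ipaddress.ip_network(f"{src_client}/30", strict=False)
    return dst if dst in own_link else src_gateway


def demo() -> Dict[str, object]:
    """Two constructed clients on one auth VLAN, each leased its own /30."""
    scopes = carve_scopes("10.10.10.0/24")  # constructed managed subnet
    leases = lease(scopes, ["00:11:22:33:44:01", "00:11:22:33:44:02"])
    gw_a, ip_a = leases["00:11:22:33:44:01"]
    gw_b, ip_b = leases["00:11:22:33:44:02"]
    hop = next_hop(ip_a, gw_a, ip_b)
    return {
        "scope_count": len(scopes),          # 64 client scopes in a /24
        "client_a": str(ip_a),
        "client_b": str(ip_b),
        "a_to_b_next_hop": str(hop),
        "a_to_b_via_cas": hop == gw_a,       # True: peer is off-link for A
        # Contrast: with a flat /24 lease B would be on-link and the CAS bypassed
        "flat_24_on_link": ip_b in ipaddress.ip_network("10.10.10.0/24"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The control modelled here is an L3 one: it holds for clients that honour the mask and gateway they were leased, which is exactly the decision `next_hop` reproduces. The cost is visible in `scope_count`: a /24 yields only 64 client addresses, which is why the Cisco DHCP guide linked above spends time on /30 scope sizing.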

  • Upgrade NAC from 4.5 to 4.8

    Hello everyone

    I'm about to upgrade a NAC from 4.5 to 4.8 on an implementation I have in a bank with 1500 users. The upgrade is due because the bank is migrating its PCs to Windows 7.

    The implementation is in a failover setup, (2) CAS and (2) CAM. The design is Out-of-Band, virtual gateway, with integration with a wireless LAN controller.

    I would like to know whether, when I upgrade the CAM and CASs to version 4.8, I can still use Clean Access Agent version 4.5 on the clients, in order to perform the migration in several steps.

    Is there a StubAgent for version 4.8? Or is it already included in Agent 4.8? I install the StubAgent on all computers of the bank, because users have no administrative rights.

    What is the best way to perform the agent upgrade so that it does not affect users?

    Thanks in advance

    Eduardo Navas

    Hi Eduardo,

    Agent 4.5 is compatible with 4.8 CAM/CAS, although with a few restrictions:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/support_guide/agntsprt.html#wp52084

    For example, see also the following notes:

    "If you use CAM/CAS version 4.8 with an Agent version earlier than 4.8.0.32, then either use the Link Distribution requirement or upgrade the Agent to the latest version to use File Distribution."

    "Cisco NAC Agent version 4.5.x is not supported for download from the version 4.6(1) CAM because the Agent installation file structure in version 4.5(x) is different from that supported for version 4.6(1) agents."

    The NAC 4.8 Agent does not need any component like the previous Stub, for example:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/48/cam/m_webagt.html#wp1473153

    Kind regards

    Fede

    --

    If this helps you or answers your question, please mark it as "answered" or rate it, so other users can easily find it.

  • NAC switch configuration

    Hello!!

    I bought a NAC Server and a NAC Manager, to centrally manage the VLAN that users connect to, based on authentication.

    I have several sites, but the NAC server will be at Headquarters.

    When a remote user authenticates, NAC must configure the user's switch port for the right VLAN.

    Is this an out-of-band solution?

    Do I need a specific license for out-of-band?

    Best regards,

    Miguel Amaral

    Hello

    It's the same pattern: you need 2 licenses, one for the CAM and the other for the CAS.

    The CAM one sets the number of CASs you can add.

    The CAS one defines how many users are supported.

    So either the CAS PAK has been lost, or it was never bought.

    In both cases, you will need to contact the entity that sold you the devices and ask for the CAS PAK.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as "answered" or rate it, so other users can easily find it.

  • NAC 4.8 Passive Re-assessment does not work

    Hello

    After an upgrade to 4.8.0, we would like to use the Passive Re-assessment function with L2 OOB.

    Everything is configured properly according to the Cisco NAC docs (enable OOB Logoff, User Roles -> enable Passive Re-assessment).

    However, only the OOB Logoff feature works well, for example when a user logs off Windows, the user is logged off from NAC.

    The first few times the PrA worked well, the CAM reports showed failed re-assessment records with red flags, but now it shows nothing related to PrA.

    (I know, the reports show only failed PrA records.)

    I tried reloading all the elements (CAM HA, CAS HA), but nothing has changed.

    Any suggestion?

    Thank you very much

    Attila

    Hi Attila,

    From the Agent debugs, I see that the Agent reports the failure for the following requirement:

    %NACAGENT-6-REQUIREMENT_PROC: %[sev=info][func=Rqmt::completeCheck]: check result of rqmt [MS: hianyzo Windows frissites Windows XP (BKV)]:FAILED

    That's the only requirement that fails, and it is also reported in the "NACAgentReport.xml" file that is part of the package you uploaded, and it has not been remediated.

    I think the problem is actually with the following parameter: "default PrA failure action - continue".

    Please set it to "Allow user to remediate" or "Logoff user immediately" and check whether the behavior is different.

    If this does not help, please open a TAC service request so we can investigate it.

    Thank you

    Federico

    --

    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • NAC logic and rules

    I have a question about WINXP rules in the NAC server and more specifically, if a check reports a failure but it's part of a negated (!) part of the rule, does this mean it passes? For example:


    &(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037) (red indicates failure)

    The NAC reports this as a failed check:

    pc_Windows_ehkeyctl, File Check [$SYSTEM_ROOT\ehome\ehkeyctl.dll exists]

    Is it a failure because it finds the file and there is a negation in the rule?

    What about this:


    &(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)

    The first part reports as pass, and the second reports failure... but logically, this part of the rule should only pass because of the first part? Is that correct?

    Thank you!

    Gavin - Budd

    It actually reports a failed check - and in many cases that is expected (and confusing!). For example, with the preconfigured Windows checks, if it is a 32-bit client you will see the 64-bit check fail.

    Same with your second example check:

    &(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)

    We expect it to either fail the first check or pass the second check - but one of these checks will show as failed. Clear as mud?
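To make the truth table behind the answer above concrete, here is an added example (not Cisco code and not from the thread): a small evaluator for rule expressions in the syntax the posts show, i.e. `!` negation, `&` AND, `|` OR, parentheses and bare check names. It keeps the raw per-check results separate from the rule verdict, which is exactly the distinction the poster tripped over: a check can be listed as FAILED in red while the rule that negates it passes. The grammar, the precedence of `&` over `|`, and the treatment of the bare leading `&` in the quoted rules as a dangling operator from a truncated expression are assumptions made for this example; the check outcomes fed in are constructed from the descriptions in the thread.

```python
"""Evaluate Cisco NAC Appliance-style rule expressions over per-check results.

Added example for the forum thread; not Cisco code. Grammar assumed here:
`!` negation, `&` AND (binds tighter), `|` OR, parentheses, and check names
made of letters, digits, `_`, `-` and `.`.
"""
import re
from typing import Dict, List, Tuple

TOKEN_RE = re.compile(r"\s*(?:([&|!()])|([A-Za-z0-9_.\-]+))")
OPERATORS = {"&", "|", "!", "(", ")"}


def tokenize(rule: str) -> List[str]:
    """Split a rule string into operator and check-name tokens."""
    rule = rule.strip()
    tokens, pos = [], 0
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected character at {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator: expr := term ('|' term)*, term := factor ('&' factor)*."""

    def __init__(self, tokens: List[str], results: Dict[str, bool]):
        self.toks, self.i, self.results = tokens, 0, results

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self) -> bool:
        value = self.term()
        while self.peek() == "|":
            self.take()
            value = self.term() or value  # evaluate both sides, no short-circuit
        return value

    def term(self) -> bool:
        value = self.factor()
        while self.peek() == "&":
            self.take()
            value = self.factor() and value
        return value

    def factor(self) -> bool:
        tok = self.take()
        if tok == "!":
            return not self.factor()  # a FAILED check inside '!' contributes True
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in OPERATORS:
            raise ValueError(f"unexpected token {tok!r}")
        return self.results[tok]  # KeyError if the agent never ran this check


def evaluate(rule: str, results: Dict[str, bool]) -> bool:
    """Rule verdict given raw check results (True = check passed)."""
    tokens = tokenize(rule)
    # Assumption: the posted rules start with a bare '&', presumably the tail of a
    # longer expression; drop that dangling leading operator rather than reject it.
    if tokens and tokens[0] in ("&", "|"):
        tokens = tokens[1:]
    parser = _Parser(tokens, results)
    value = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens: {parser.toks[parser.i:]}")
    return value


def checks_shown_failed(rule: str, results: Dict[str, bool]) -> List[str]:
    """Checks the rule references whose raw result is FAILED; the CAM report
    lists these in red regardless of the rule verdict."""
    return [t for t in tokenize(rule) if t not in OPERATORS and not results[t]]


# Constructed check outcomes mirroring the two cases discussed in the thread.
CASES: Dict[str, Tuple[str, Dict[str, bool]]] = {
    # ehkeyctl.dll check FAILED; the hotfix result is not stated, assume FAILED
    "case1": ("&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)",
              {"pc_Windows_ehkeyctl": False, "pc_XP_MCE_KB973768_MS09-037": False}),
    # file check passes (file present), patch check FAILED -> rule fails
    "case2": ("&(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)",
              {"pc_XP_2115168_MS10-052_FileChk": True, "pc_XP_2115168_MS10-052": False}),
    # same rule on a host without the file: file check FAILED -> rule passes
    "case2_no_file": ("&(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)",
                      {"pc_XP_2115168_MS10-052_FileChk": False, "pc_XP_2115168_MS10-052": False}),
}


def worked_examples() -> Dict[str, Tuple[bool, List[str]]]:
    """(rule verdict, checks shown as FAILED) for each constructed case."""
    return {name: (evaluate(rule, res), checks_shown_failed(rule, res))
            for name, (rule, res) in CASES.items()}


if __name__ == "__main__":
    for name, (verdict, red) in worked_examples().items():
        print(f"{name}: rule {'PASS' if verdict else 'FAIL'}; checks shown FAILED: {red}")
```

Reading the output the way the CAM does: in `case1` the rule passes although `pc_Windows_ehkeyctl` is listed as FAILED, which is the situation the poster asked about; in `case2` the file is present and the patch is missing, so the rule fails and the host is non-compliant, even though only one of its two checks shows red.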

  • NAC replacement procedure

    Hi Experts,

    Our NAC 3315 does not work because of a hardware failure, so we are going to replace it. Could you kindly confirm the steps to take the backup and the procedure to restore it?

    Thank you

    Kind regards

    Vijay.

    Since there seems to be no method to perform a backup from the CLI on the 3315 appliance, we go the workaround route. This may seem a little out there, but it is the only way I can see a backup being created without using the web GUI.

    First of all, do you have IP access to the NAC device?

    If not, stop reading and contact TAC.

    If you have made configuration backups in the past, they are stored in the /guest/backups directory and can be transferred via FTP, SFTP, etc...

    If not, then download an upgrade file that is newer than the version you are running (if you are running the latest version, download the upgrade file for that version), in this case v2.1. Transfer the file to your repository and run the upgrade on the NAC Guest Server.

    Note: Before the 2.1 upgrade, a snapshot backup of the existing 1.x or 2.0.x database is automatically created and stored in the /guest.bak directory. In case of an upgrade failure, Cisco recommends making a local backup of this directory.

    http://www.Cisco.com/en/us/docs/security/NAC/guestserver/Release_notes/21/gsrn21.html#wp111257

    Otherwise, I am at a loss on this issue.

    Please rate useful messages and mark this question as answered if it does, in fact, answer your question. Otherwise, feel free to post additional questions.

    Charles Moreton

  • A few questions about the differences between the Satellite P70, L70, S70

    Hello, I have a lot of questions about the P70, L70, S70 series that come with a 1920 x 1080 panel.

    (1) What are the differences between the L70 and S70 series? With the exception of the RAM and hard drive capacity, the notebooks seem pretty identical.

    (2) Do the P70, L70, S70 all support a 2nd hard drive, or is it just the P70 series that supports it?

    (3) Do all three (P70, L70, S70 series) come with the same TFT panels?

    (4) Of the above series, which supports mSATA?

    (5) Do all models of each series come with mSATA support? For example, could it be that the L70-A-13M supports mSATA but the L70-A-146 does not?

    (6) Do all of the above come with a SATA II or SATA III interface?

    (7) Which is the best of these series? I'm trying to understand what makes the big difference between the S70 and the P70, apart from the casing for example.

    Thank you in advance.

    > (1) What are the differences between the L70 and S70 series? With the exception of the RAM and hard drive capacity, the notebooks seem pretty identical.

    Which Satellite L70 and S70 models do you mean exactly? There are different L70-xxx-xxx and S70 models on the market that support different hardware specifications.

    > (2) Do the P70, L70, S70 all support a 2nd hard drive, or is it just the P70 series that supports it?
    As you can see in this [Sat P70 HDD replacement document|http://aps2.toshiba-tro.de/kb0/CRU3903II0000R01.htm], the P70 series supports the 2nd HDD bay, BUT even if there is a 2nd HDD bay, this does not mean that you can use a 2nd HDD. Only if the 2nd HDD bay is equipped with an HDD connector can you use a 2nd HDD.

    I also found the [Sat L70/S70 HDD replacement|http://aps2.toshiba-tro.de/kb0/CRU3703HG0000R01.htm] document on the Toshiba page, and there I see that the 2nd HDD bay is not available.

    > (3) Do all three (P70, L70, S70 series) come with the same TFT panels?
    See point 1). Different P70, L70, S70 models were equipped with different hardware parts.

    > (4) Of the above series, which supports mSATA?
    As far as I know, some P70 models are equipped with a 256 GB mSATA SSD.

    > (5) Do all models of each series come with mSATA support? For example, could it be that the L70-A-13M supports mSATA but the L70-A-146 does not?
    See point 4): not all models support the same hardware specifications.

    > (6) Do all of the above come with a SATA II or SATA III interface?
    I don't think that SATA III is supported. I guess it would be SATA II.

    > (7) Which is the best of these series? I'm trying to understand what makes the big difference between the S70 and the P70, apart from the casing for example.
    Not easy to answer, because there are too many models released in Europe.
    And not all models are available in each country. So I guess you will have to look for the models that have been released in your country.

  • A few questions about upgrading a Satellite A300-144

    Sorry for the typos, English is not my mother tongue.
    I want to ask some questions about upgrading the A300-144.

    *Some info first.*

    CPU: T2370 ([http://ark.intel.com/products/34445/Intel-Pentium-Processor-T2370-1M-Cache-1_73-GHz-533-MHz-FSB]).
    Chipset: GM965 ([http://ark.intel.com/products/29821/Intel-82GM965-Graphics-and-Memory-Controller]).

    *Questions.*

    1. My laptop's memory runs at 533 MHz; the memory controller supports 667 MHz, so could memory modules work at 667 MHz? Is it limited because the CPU's FSB is 533 MHz, so that a new processor with a 667/800 MHz FSB would fix it, or is it hardcoded in the BIOS?

    2. Intel says that the max memory size for my chipset is 4 GB (2 x 2 GB), but Toshiba says only 2 GB (2 x 1 GB). Who is right?

    3. I know my CPU socket is µFCPGA-478 aka Socket P, max FSB 800 MHz, max 35 W TDP, so is the T9500 ([http://ark.intel.com/products/33918/Intel-Core2-Duo-Processor-T9500-6M-Cache-2_60-GHz-800-MHz-FSB]) a compatible processor, or are there some limitations in the BIOS?

    > 1. My laptop's memory runs at 533 MHz; the memory controller supports 667 MHz, so could memory modules work at 667 MHz? Is it limited because the CPU's FSB is 533 MHz, so that a new processor with a 667/800 MHz FSB would fix it, or is it hardcoded in the BIOS?

    The speed of the memory is tied to the hardware. This means that the FSB is responsible for the limitation.
    If the FSB supported 667 MHz, then the memory would also run at this speed.

    > 2. Intel says that the max memory size for my chipset is 4 GB (2 x 2 GB), but Toshiba says only 2 GB (2 x 1 GB). Who is right?
    The memory depends on the chipset. So if the chipset supports 4 GB of RAM, you should be able to upgrade to 4 GB of RAM.

    > 3. I know my CPU socket is µFCPGA-478 aka Socket P, max FSB 800 MHz, max 35 W TDP, so is the T9500 (http://ark.intel.com/products/33918/Intel-Core2-Duo-Processor-T9500-6M-Cache-2_60-GHz-800-MHz-FSB) a compatible processor, or are there some limitations in the BIOS?

    It might be possible that the new processor would not be fully supported by the BIOS, but in most cases it should not be a problem if the chipset supports the new processor.
    But as far as I know, a CPU upgrade is not supported by Toshiba or any other notebook manufacturer, and it's at your own risk to run the laptop with the new processor.

  • Question about using dual batteries on a Portege M100

    I recently got an M100 with a pair of optional slim-bay batteries. I have a question regarding the charging/discharging sequence.
    It seems that when charging, the main battery is charged first, followed by the secondary (removable) battery. This seems logical and fair enough.

    However, when discharging, the main battery appears to discharge first, with the secondary battery not dropping below 99%.
    I would expect the machine to discharge the secondary battery first, so that if you have 2 secondary batteries you can swap them over without any worries. Also, when you then install the CD drive, you would still have maximum runtime left in the internal main battery.

    Are there any settings to change the way my machine seems to work?

    Hi Max

    I'm not a technician and cannot explain exactly how it works. All I know is that all of this is controlled by the power supply electronics and the user has no influence on it, and as far as I know there are no settings that let you specify the energy consumption.

    I agree with your opinion, but I think there is nothing to be done.
