The upgrade of the NAC 4.6 (1) 4.7 (2):

Dear all,

I want to improve NAC Appliance of 4.6 (1) to 4.7 (2). I just want to check if I need a license for this upgrade.

Also need to 4.6 upgrade procedure (1) to 4.7 (2).

Concerning

Amar

Amar,

Same license should be good. Here is the procedure: http://tinyurl.com/3yjn8qk

HTH,

Faisal

Tags: Cisco Security

Similar Questions

  • Upgrade the NAC of 4.5 to 4.8

    Hello everyone

    I'm about to upgrade to a CNA of 4.5 to 4.8 on an application I do in a bank with 1500 users. The upgrade is due because the Bank makes its migration from PC to Windows 7

    The implementation is in a failover situation (2) and (2) CAM. the design is Out of Band, a virtual gateway and integration with a wireless LAN controller.

    I would like to know if when I upgrade the CAM and CAS´s for version 4.8 can I still use the Agent access own version 4.5 on clients? To perform the migration in several steps

    There is a StubAgent for version 4.8? or already included in the Agent 4.8? I install the StubAgent on all computers of the Bank, because they have no administrative rights.

    What is the best way to perform the upgrade of agents which does not affect users?

    Thanks in advance

    Eduardo Navas

    Hi Eduardo,

    Agent 4.5 is compatible with 4.8 CAM/CASE, although with a few restrictions:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/support_guide/agntsprt.html#wp52084

    For example, see also the following notes:

    "If you use version 4.8 of CAM/CASES with a version of the Agent plus early 4.8.0.32, then either use the requirement of the Distribution link or upgrade the Agent to the latest version to use the Distribution of files".

    "Cisco NAC Agent version 4.5.x is not supported by download version 4.6 (1) CAM because the structure of Agent installation files is different in version 4.5 (x) compared to the support in version 4.6 (1) agents."

    The NAC 4.8 agent has not any component necessary as the previous stub, for example:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/48/cam/m_webagt.html#wp1473153

    Kind regards

    Fede

    --

    If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

  • Profiler in the NAC 2.1 to 3.1 upgrade

    Hi guys,.

    I'm setting up a Profiler from the NAC that accompanies 2.1 installed. I upgraded to 3.1, prayed and installed the license without any problems, but I always get this message: "ERROR: [2010-12-08 09:25:01 (main: 668)] valid no key not found [no such file or directory]" "

    The license file exists, and on the interface Web Profiler from the NAC, the State of the license is OK.

    A single line in the license file gives me this information: 'cisco 2.1 INCREMENT CCA-MANAGER countless Permanent '.

    Does anyone know if the license is linked with the version of Profiler?

    The upgrade from 2.1 to 3.1 is allowed or it is necessary to purchase a new license 3.1?

    Best regards

    Hello

    So I guess you spotted the problem here...

    You have a collector's license?

    You need 2 licenses: 1 to the server profile, and one for the collector.

    Basically, the mac address you provide is the same (eth0 ot Server Profiler), but you need a PAK Server Profiler to generate the license Server Profiler (the one you already have) and a PAK for license collector (which is missing).

    You have the collector PAK?

    If Yes, then just go to the license page and submit this PAK and the mac address.

    HTH,
    Tiago

    --

    If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

  • Help the NAC OOB Windows SSO

    We have just upgraded to Windows 2003 AD to Win2k8 R2 and Single Sign it has stopped working. Authentication works very well, but the NAC agent does not use the Windows credentails. Users must enter their user name and password manually.

    The AD server is a new server but has the same IP addresses as the old man. I'm running the CAM/CASE 4.7.2.

    Gregg

    Gregg,

    2 k 8 does not by default, so I suspect that is where it's a failure. Please look at the following sections and rerun ktpass (on a new user preference) as shown in the link:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/47/CAs/s_adsso.html#wp1257882

    HTH,

    Faisal

    --

    If you find this article useful, please note so that others can easily find the answer

  • Reuse the material of the NAC

    Is is possible to reuse our equipment of the NAC Server and Manager 3310 with ISE?

    Hello

    You cannot reuse the NAC 3310, the 33 x 5 and 1121 ACS are the platforms supported for ISE. However existing customers have benefits for the upgrade to ISE. Please join your Cisco partner and if you don't practice you can reach for me and I can help you.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Problem of the NAC - Agent is a disconnect

    Hello

    We have a problem with the NAC in mode virtual outofband.

    AD SSO, sanitation, everything is working, but the strange things happening: after awhile, when downloading large files, Agent connects to the formula of network users, and the registration process is restarted.

    I disabled the pulsation clocks and timers, session, but we still have a problem.

    Also, while sniffing traffic on the switch port, I noticed that after have correctly connected you to the own Cisco Agent network always send traffic to UDP Port 8905. Is this a normal behavior?

    I noticed problems with this version of the agent causing connections to give up intermittently. I would upgrade to agent v4.1.3.1.

  • The NAC replacement procedure

    Hi Experts,

    Our 3315 NAC does not work because of a hardware failure. So let's replace that. Therefore kindly confirm the steps to take the backup and the procedure to install it?

    Thank you

    Kind regards

    Vijay.

    Since there seems to be no method to perform a backup of the CLI on the appliance 3315, we go the route of the workaround. This may seem a little out there, but the only way I can see a backup being created without using the WebGUI interface.

    First of all, you have IP access to the device of the ANC?

    If this isn't the case, quit reading and contact TAC.

    If you have backups of configuration in the past, they are stored in the/guest/bakcups directory and can be transferred via FTP, SFTP, etc...

    If not, then download a upgrade file that is newer than the version you are running (if you are running the latest version, download the upgrade file for this version). In this case, v2.1.  Transfer the file to your repository and run the upgrade on the comment of the NAC server.

    Note Before the 2.1 update, a snapshot backup of the existing 1.x or 2.0.x database is automatically created and stored in the guest.bak directory. In the case of an upgrade failure, Cisco recommends to make a local backup of this directory.

    http://www.Cisco.com/en/us/docs/security/NAC/guestserver/Release_notes/21/gsrn21.html#wp111257

    Otherwise, I am at a loss on this issue.

    Please rate useful messages and mark this question as answered if, in fact, does that answer your question.  Otherwise, feel free to post additional questions.

    Charles Moreton

  • The NAC Agent autoUpgrade ISE possible?

    Hi all

    I have this:

    802.1 x-window with the NacAgent version (say 1) <---->802. 1 x switch active (RADIUS aaa OK) <------>ISE and AD on the same LAN

    ISE is configured for client provisioning with hardware (NacAgent version 2) downloaded from Cisco's Web site (as described in the documentation)

    I have a basic plan of authentication and authorization that allow me to well but I expect the NACAgent to be upgraded.

    No profiling is configured at the moment.

    Is that someone can help?

    Best regards?

    Hello

    In the ISE settings provisioning client, activate you the option where the NAC upgrade agent is required. However, it is to you to run updates perioidic and map the most recent agent in the configuration of the parameters of the client.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Version of the NAC

    Dear,

    Can what version of the NAC I install VMware?

    Can anyone help please with the above query.

    Thank you

    NAC is not supported on Vmware. Yet people have managed to install NAC4.1 on Vmware, but newer version do not work.

    There is a new product called Cisco ISE, which will eventually replace the NAC. Cisco ISE can be installed on Vmware.

  • Ports of the NAC

    Hello Experts,

    Have some questions that came across while doing work of the NAC at one of our subsidiaries. If there is some user ports which are not selected for the profile of the NAC, is it possible (except physical control on the cell phone of the user by allowing all ports & audit) which can be used to track the paths of users without mail for NAC.

    Second, if the user of the NAC port is manually on the vlan user (rather than quarantine or vlan temporary), which is the correct order for that.

    the user on NAC field must be typed manually to vlan user or port profile should try not controlled followed by rebound port & update.

    Apprecite all help, thank you.

    Hello

    See online:

    If there is some user ports which are not selected for the profile of the NAC, is it possible (except physical control on the cell phone of the user by allowing all ports & audit) which can be used to track the paths of users without mail for NAC.

    [Tiago] On the graphical interface of CAM, you can check which controlled uncontrolled ports are. It is the only place where ports can be determined to be managed/no managed.

    Second, if the user of the NAC port is manually on the vlan user (rather than quarantine or vlan temporary), which is the correct order for that.

    the user on NAC field must be typed manually to vlan user or port profile should try not controlled followed by rebound port & update.

    [Tiago] When you perform the configuration of the switch, the switchports can be put on the vlan user or default access vlan. It depends on the port profile settings that you have configured. By default, when a port is managed on the basis, if a client connects, an SNMP trap is sent to the CAM. The CAM check whether the machine is certified or not (check the mac address). If the machine is not certified cam becomes the vlan the authenticated vlan configured on the port profile.

    So, whenever you connect a PC to a switchport, CAM evaluates what is the vlan correct the PC to start and change it accordingly.

    HTH,

    Tiago

    --

    If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

  • Support of the NAC Profiler address &amp; ip

    Hello

    I have a layer 3 OOB NAC Profiler deployment and I am trying Profiler some IP phones from a remote location by using the statement of helper-ip address on the interface on the remote router. The problem is that the remote router acts as a dhcp server for the vlan voice and fact not forword DHCP discover for Colectionneurs of the NAC, and I can't phone ip profile. Do you know a way (an order of configuration on the router) to forword the dhcp even though the router acts as a DHCP server for this vlan?

    Thank you

    Victor

    Hi Victor,

    To do this... You must add a SVI for the voice VLAN on the switch behind the router, and then add the IP helper on the new interface VLAN voice.

    -Hassan

  • Actual gateway IP process to strip the NAC

    Hi all

    I did a lot of research, and I can not find good answers to some of my questions. All the big questions are answered for out-of-band configuration, but I find that it is assumed that this understanding in the Strip is taken for granted lol... I guess I'm slow = P

    1. How does the gateway IP In-band real?
    2. What is the point of the 30 subnets?
    3. Are there any access/auth pairs VLAN configurations in the band?
    4. How does quarantine work?
    5. I read that the NAC server cannot send traffic on untrusted port to a VIRTUAL LAN and that you are not allowed to trunk port. This means that there is no support for several VLAN reliable, mapped to a single server at the NAC?
    6. Can you do role with configurations mapping in the band?

    Assistance for all or part of these questions would be GREATLY appreciated!

    Thank you a lot =]

    ~ Xavier.

    Hi Xavier,.

    I'll try to answer your questions

    1. How does the Strip Real-IP Gateway?

    The CASE works in routed mode, if you have different IP addresses (on different subnets) on interfaces approved and unapproved. Because the CASE does not support routing protocols, routing must be configured through static routes

    2. What is the point of the 30 subnets?

    The idea is to have small subnets for your customers so that with this config IP customers in authentication VLAN should through the CASE even to talk to other clients on the same subnet L2.

    Click here for an explanation:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/47/CAs/s_dhcp.html#wp1057889

    3 is there access/auth pairs VLAN configurations in the band?

    If you ask if there is mapping VLAN, then the answer is NO, as the purpose of the VLAN mapping must * bridge * traffic between approved and unapproved mapped VLAN, but in real-IP the L3 routing traffic CASES.

    4. How does quarantine work?

    When a client is quarantined, it works the same way as OOB, as in this phase, the client is always online to the CAs.

    So the concept is assigned to the CASE by the temporary user or the role of midlife and he applies a traffic policy you've set up temporary or the role of midlife.

    5. I have read that the NAC server cannot send traffic on untrusted port to a VIRTUAL LAN and that you are not allowed to trunk port. This means that there is no support for several VLAN reliable, mapped to a single server at the NAC?

    The restriction of VLAN "single" for Real - IP CASE applies only to the * trust * side. The CASE may be the default gateway for several subnets VLAN / IP on the * rogue * side.

    Configuring addresses VLAN / additional IP on the unreliable side by using the configuration "managed subnet.

    This is mentioned here:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/CAs/s_deploy.html#wp1050938

    The clean access server can manage one or more subnets, with its untrusted interface, acting as a gateway for managed subnets. For more information on the setup of managed subnets, see Configuring managed subnets or static routes page 5-26.

    6. can you do role with configurations mapping in the band?

    Yes, you can do it! However, you cannot assign a VLAN as you do in OOB, but you can assign the different level of access based on IP traffic strategies and bandwidth restrictions that you assign the specific role.

    For example, check here for more details:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/cam/m_users.html#wp1040231

    In a Word, regardless of the use of the band vs OutOfBand:

    -customers are InBand before CAs in CASE detection, authentication, the phases of assessment and remediation of posture.

    The main difference occurs when the user is allowed to access the network and that you run the IB role assignment and OOB but... :

    -in customer traffic keeps on inline flowing to the IB CAs, so you can apply different access policies (ACL) and control of bandwidth depending on the role policies (but you cannot assign a VLAN);

    -in OOB, customer traffic bypasses the CASE once it is authorized: in this case, you can apply different VLAN but (given that the CASE is no longer along the way) you cannot apply ACL and/or ensuring the policy in this case.

    I hope that answers your questions.

    Kind regards

    Federico

    --
    If this answers your question please mark the question as "answered" and write it down, so other users can easily find it.

  • Fight against exclusion the NAC mac

    Experts, assuming that few users are now authenticate & viz cisco NAC network access, they be filtered from the NAC to exclude the posture of NAC will be they be disconnected from the network & reconnected since they were connected & now are going to be ignorant of the NAC.

    How it works in this case. users will be disconnected for that to be effective, or will they be disconnected by force before it takes effect.

    Thanks to you all.

    Hello

    There is a port bouncing feature Cisco NAC that accomplishes this task for you. But it depends on your deployment mode, it is not required for each of them. Please see this link:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/48/cam/m_oob.html

    Please indicate if you will find the entrance helpul. Thank you

    Farrukh

  • Activation of the NAC HA puts several hosts and ASA with processor clocked at 100%

    I installed a NAC Manager and a NAC server in OOB without any problems, but when I configured the AP (high availability) with another server, my ASA and several guests in my network started work ant 100% of the cpu.

    I tried to configure each interface of the NAC on a single DMZ and the problem stops there.

    -That someone had this problem (NAC version 4.7)

    TKX

    Miguel Amaral

    Hello Miguel.

    When I started a NAC InBand HA solution I had a similar problem that I solved the heart rate HA configuration to use ETH0 just instead use ETH0 and ETH1.

    Best regards

    Luciano Carvalho

  • Integration of the NAC Profiler - cannot add list of filters on cam

    Hi all

    I have a problem with the Profiler - integration of the NAC for endpoint profiling.

    Here's the situation:

    I have already created the integration based on the steps in the Guide: Setup Cisco NAC Appliance integration. I think that the configuration is correct, because I can do database synchronization between the Profiler and CAM. Here's the log of server profile:

    NAC_SYNC: Task_Queue_Runner commissioning
    NAC_SYNC: Profiler / END of synchronization of the NAC [add 0, upd 0, desc 0, rm 0]
    NAC_SYNC: Profiler / START the synchronization of the NAC
    INFO: [2010-12-15 11:01:09 (fcapGetHWAddr:49)] is for eth0 MAC

    I have already created a profile of endpoint named "Admin" which is based on the IP address. I also created the NAC events based on endpoint profile 'Admin '.

    The event of the NAC will present 'Admin' profile to a role of the NAC. This event aims to circumvent 'Admin' of the legalisation of the ANC visa so that the "Admin" can connect to the network automatically to a role of the NAC.

    However, when 'Admin' to connect to the network, it still is challanged by NAC. I don't see "Admin" on the filter of the CAM or the list.

    This means that the endpoint profiling is still broken.

    Is there anyone who have experience with this?

    Thanks for the support and comments

    Imad

    Hello

    You cannot add devices manually on the profiler.

    The Profiler has to detect automatically (it is the concept of profiling).

    How this Profiler detects endpoints use the modules of collector.

    Each module has endpoints detection means.

    You will find the description of each collector module here:

    http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/p_intro231.html#wp1062345.

    HTH,

    Tiago

    --

    If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

  • In the NAC MAC address filter list

    How are Faisal Hi, you? I have a question about this list of filters in the unit of the NAC. I want to do those recognized unit of the NAC mac addresses are to be get the network. However if a workstation's mac address is not in the filter list, would it not able to do the network. Is that the NAC has the ability to do? Please let me know. Thank you.

    Richard

    I'm not Faisal, but...

    You want to make additional (such as LDAP or such) or any authentication simply based on the MAC address?  If you want to only via the MAC, you can add them to the list of filters and then either set to 'allow' to allow all traffic, 'role' to put them in a specific role, or "check" to apply the evaluation of posture and then put them in the role.  If no other server authentication is configured, users who were not in the list of filters would not be able to authenticate, and they would be stuck in the authenticated VLAN.

    Thank you

    Lauren

Maybe you are looking for