Traffic control in the NAC

Similar Questions

• Actual gateway IP process to strip the NAC

  Hi all

  I did a lot of research, and I can not find good answers to some of my questions. All the big questions are answered for out-of-band configuration, but I find that it is assumed that this understanding in the Strip is taken for granted lol... I guess I'm slow = P

  1. How does the gateway IP In-band real?
  2. What is the point of the 30 subnets?
  3. Are there any access/auth pairs VLAN configurations in the band?
  4. How does quarantine work?
  5. I read that the NAC server cannot send traffic on untrusted port to a VIRTUAL LAN and that you are not allowed to trunk port. This means that there is no support for several VLAN reliable, mapped to a single server at the NAC?
  6. Can you do role with configurations mapping in the band?

  Assistance for all or part of these questions would be GREATLY appreciated!

  Thank you a lot =]

  ~ Xavier.

  Hi Xavier,.

  I'll try to answer your questions

  1. How does the Strip Real-IP Gateway?

  The CASE works in routed mode, if you have different IP addresses (on different subnets) on interfaces approved and unapproved. Because the CASE does not support routing protocols, routing must be configured through static routes

  2. What is the point of the 30 subnets?

  The idea is to have small subnets for your customers so that with this config IP customers in authentication VLAN should through the CASE even to talk to other clients on the same subnet L2.

  Click here for an explanation:

  http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/47/CAs/s_dhcp.html#wp1057889

  3 is there access/auth pairs VLAN configurations in the band?

  If you ask if there is mapping VLAN, then the answer is NO, as the purpose of the VLAN mapping must * bridge * traffic between approved and unapproved mapped VLAN, but in real-IP the L3 routing traffic CASES.

  4. How does quarantine work?

  When a client is quarantined, it works the same way as OOB, as in this phase, the client is always online to the CAs.

  So the concept is assigned to the CASE by the temporary user or the role of midlife and he applies a traffic policy you've set up temporary or the role of midlife.

  5. I have read that the NAC server cannot send traffic on untrusted port to a VIRTUAL LAN and that you are not allowed to trunk port. This means that there is no support for several VLAN reliable, mapped to a single server at the NAC?

  The restriction of VLAN "single" for Real - IP CASE applies only to the * trust * side. The CASE may be the default gateway for several subnets VLAN / IP on the * rogue * side.

  Configuring addresses VLAN / additional IP on the unreliable side by using the configuration "managed subnet.

  This is mentioned here:

  http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/CAs/s_deploy.html#wp1050938

  The clean access server can manage one or more subnets, with its untrusted interface, acting as a gateway for managed subnets. For more information on the setup of managed subnets, see Configuring managed subnets or static routes page 5-26.

  6. can you do role with configurations mapping in the band?

  Yes, you can do it! However, you cannot assign a VLAN as you do in OOB, but you can assign the different level of access based on IP traffic strategies and bandwidth restrictions that you assign the specific role.

  For example, check here for more details:

  http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/45/cam/m_users.html#wp1040231

  In a Word, regardless of the use of the band vs OutOfBand:

  -customers are InBand before CAs in CASE detection, authentication, the phases of assessment and remediation of posture.

  The main difference occurs when the user is allowed to access the network and that you run the IB role assignment and OOB but... :

  -in customer traffic keeps on inline flowing to the IB CAs, so you can apply different access policies (ACL) and control of bandwidth depending on the role policies (but you cannot assign a VLAN);

  -in OOB, customer traffic bypasses the CASE once it is authorized: in this case, you can apply different VLAN but (given that the CASE is no longer along the way) you cannot apply ACL and/or ensuring the policy in this case.

  I hope that answers your questions.

  Kind regards

  Federico

  --
  If this answers your question please mark the question as "answered" and write it down, so other users can easily find it.

• The traffic load between the power of Cisco ASA and FireSight Management Center fire

  Hi all

  I have a stupid question to ask.

  Can I know what is the traffic load and the e/s flow between firepower Cisco ASA and FireSight Management Center?

  Currently working on a project, client require such information to adapt to their network. Tried to find in the document from Cisco, but no luck.

  Maybe you all have no idea to provide.

  It varies depending on the number of events reported from the module to the CSP. No event = only health controls and policy changes are exchanged. 10,000 events per second = much more traffic.

  Generally it is not a heavy load, however.

• Ports of the NAC

  Hello Experts,

  Have some questions that came across while doing work of the NAC at one of our subsidiaries. If there is some user ports which are not selected for the profile of the NAC, is it possible (except physical control on the cell phone of the user by allowing all ports & audit) which can be used to track the paths of users without mail for NAC.

  Second, if the user of the NAC port is manually on the vlan user (rather than quarantine or vlan temporary), which is the correct order for that.

  the user on NAC field must be typed manually to vlan user or port profile should try not controlled followed by rebound port & update.

  Apprecite all help, thank you.

  Hello

  See online:

  If there is some user ports which are not selected for the profile of the NAC, is it possible (except physical control on the cell phone of the user by allowing all ports & audit) which can be used to track the paths of users without mail for NAC.

  [Tiago] On the graphical interface of CAM, you can check which controlled uncontrolled ports are. It is the only place where ports can be determined to be managed/no managed.

  Second, if the user of the NAC port is manually on the vlan user (rather than quarantine or vlan temporary), which is the correct order for that.

  the user on NAC field must be typed manually to vlan user or port profile should try not controlled followed by rebound port & update.

  [Tiago] When you perform the configuration of the switch, the switchports can be put on the vlan user or default access vlan. It depends on the port profile settings that you have configured. By default, when a port is managed on the basis, if a client connects, an SNMP trap is sent to the CAM. The CAM check whether the machine is certified or not (check the mac address). If the machine is not certified cam becomes the vlan the authenticated vlan configured on the port profile.

  So, whenever you connect a PC to a switchport, CAM evaluates what is the vlan correct the PC to start and change it accordingly.

  HTH,

  Tiago

  --

  If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

• In the NAC MAC address filter list

  How are Faisal Hi, you? I have a question about this list of filters in the unit of the NAC. I want to do those recognized unit of the NAC mac addresses are to be get the network. However if a workstation's mac address is not in the filter list, would it not able to do the network. Is that the NAC has the ability to do? Please let me know. Thank you.

  Richard

  I'm not Faisal, but...

  You want to make additional (such as LDAP or such) or any authentication simply based on the MAC address?  If you want to only via the MAC, you can add them to the list of filters and then either set to 'allow' to allow all traffic, 'role' to put them in a specific role, or "check" to apply the evaluation of posture and then put them in the role.  If no other server authentication is configured, users who were not in the list of filters would not be able to authenticate, and they would be stuck in the authenticated VLAN.

  Thank you

  Lauren

• Logic and rules of the NAC

  I have a question about WINXP rules in the NAC server and more specifically, if a rule reports a failure, but it's part of a! the rule, this means - happening?  For example:

  / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-marge-top : 0 ; mso-para-marge-droit : 0 ; mso-para-marge-bas : 10.0pt ; mso-para-marge-left : 0 ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

  &(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037) (red indicates failure)

  The NAC is reported as a check failed:

  pc_Windows_ehkeyctl, File Check [$SYSTEM_ROOT\ehome\ehkeyctl.dll is]

  It is a failure because it finds the file and there is a negative on the rule?

  What about this:

  / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-marge-top : 0 ; mso-para-marge-droit : 0 ; mso-para-marge-bas : 10.0pt ; mso-para-marge-left : 0 ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

  &(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)

  The first part of the reports as passage, and the second reports failure... but logically, this part of the rule must pass because only after the first part?  Which apparently correct?

  Thank you!

  Gavin - Budd

  He actually reports a failure audit - and in many cases, it is expected (and confusing!).  For example, with Windows controls preconfigured, if it is a 32-bit client you will see fail the verification of 64-bit.

  Same with your second example check

  &(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)

  We expect that it is not the first cheque or spend the second control - but one of these controls will show as failed.  Clear as mud?

• Free devices in the NAC 4.1

  Hello friends,

  I m the virtual gateway layer2 mode configuration, I m bit confused regarding what would be the free features of layer2 virtual gateway mode.

  whenever any device in the vlan for authentication, it will pass through NAC server but if I moved the normal port access vlan in the switch of ' switchport mode access vlan "that the device is off flow from the NAC.

  My knowledge regardless of the mapping vlan is being done in the NAC between authentication and vlan access only those VLANs is affected rest are all out of the stream of ANC, they will go as normal traffic.

  Also all my switches vlan management so when I don't create the mapping for management vlan that they do not pass through the NAC. Am I wrong?

  Please suggest me what other devices should be exempted from the networks, for example: printers and what else?

  Estela,

  You are right, in most of your assumptions. The essential with the NAC is to follow the flow of traffic and make sure in the not authenticated state, the flow of traffic is always in the CASE. It follows that if a port is not in a local VIRTUAL alongside unreliable network, it would never be repercussions of the NAC. For your VLAN authenticated, we need to ensure that taxiway, they are allowed only through CBS. This simple design rule in mind, look at your VLAN again and you will get most of the answers you seek.

  HTH,

  Faisal

• The NAC - OOB L2 authentication login page - does not appear!

  Hi all

  We have 2 managers of the NAC and NAC 2 servers. We have a failover solution. Our deployment is OOB layer 2 virtual Central Passage. We have successfully added the SIN in NAM and we did the requirements in NAM as a mapping setup VLAN (starting at vlan no reliable 913 to the vlan trust 910), adding managed subnet, change profile, profile, adding switches (cisco 3560) to NAM, the roles configuration on the user, the local users and also port user login page.
  Then, we tested it by connecting the PC to port controlled on the switch.
  The controlled port configuration was VLAN 910 and after connecting the PC, it is converted to 913 VLAN then we have successfully obtained an IP address from dhcp that is configured on the switch but the authentication login page appeared! and also, when disconnect us from the PC of this port, the configuration is not passed to vlan 913 to vlan 910 then manually change each time to do our tests.

  Do so that the login page appears and also automatically NAM to change the configuration of the port after having disconnected from the PC?

  Thanks in advance.

  AD SSO is supported with the Windows 2003, but with 2008, only single server is supported and which should also be 32-bit. 64-bit servers are not yet supported.

  HTH,

  Faisal

• Problem of the NAC - Agent is a disconnect

  Hello

  We have a problem with the NAC in mode virtual outofband.

  AD SSO, sanitation, everything is working, but the strange things happening: after awhile, when downloading large files, Agent connects to the formula of network users, and the registration process is restarted.

  I disabled the pulsation clocks and timers, session, but we still have a problem.

  Also, while sniffing traffic on the switch port, I noticed that after have correctly connected you to the own Cisco Agent network always send traffic to UDP Port 8905. Is this a normal behavior?

  I noticed problems with this version of the agent causing connections to give up intermittently. I would upgrade to agent v4.1.3.1.

• VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

  Hello

  I'm a little confused as to which is the problem. This is the premise for the problem I have face.

  One of our big clients has a Cisco ASA5540 (8.2 (2)) failover (active / standby). Early last year, we have configured a VPN from Lan to Lan to a 3rd party site (a device of control point on their end). He worked until early this week when suddenly the connection problems.

  Only 1 of the 3 networks the / guests can access a remote network on the other side. 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me it seems to be correct)

  So essentially the encryption field is configured as follows:

  access-list line 1 permit extended ip 10.238.57.21 host 10.82.0.202 (hitcnt = 2)
  access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt = 198)
  access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt = 173)

  Free NAT has been configured as follows (names modified interfaces):

  NAT (interface1) 0-list of access to the INTERIOR-VPN-SHEEP

  the INTERIOR-VPN-SHEEP line 1 permit access list extended ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  permit for Access-list SHEEP-VPN-INSIDE line lengthened 2 ip host 10.238.57.21 10.82.0.202

  NAT (interface2) 0-list of access VPN-SHEEP

  VPN-SHEEP line 1 permit access list extended ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

  After the problem started only 10.207.0.0/16 network connections worked for the site remote 10.82.0.200/30. All other connections do not work.

  There has been no change made on our side and on the side remote also insists there has been no change. I also checked how long the ASAs have been upward and how long the same device has been active in the failover. Both have been at the same time (about a year)

  The main problem is that users of the 10.231.191.0/24 cant access remote network network. However, the remote user can initiate and implement the VPN on their side but usually get any return traffic. Ive also checked that the routes are configured correctly in the routers in core for the return of their connections traffic should go back to the firewall.

  Also used of "packet - trace" event raising the VPN tunnel (even if it passes the phases VPN). For my understanding "packet - trace" alone with the IP source and destination addresses must activate the VPN connection (even if it generates no traffic to the current tunnel).

  This is printing to the following command: "packet - trace entry interface1 tcp 10.231.191.100 1025 10.82.0.203 80.

  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit rule
  Additional information:
  MAC access list

  Phase: 2
  Type: FLOW-SEARCH
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  Not found no corresponding stream, creating a new stream

  Phase: 3
  Type:-ROUTE SEARCH
  Subtype: entry
  Result: ALLOW
  Config:
  Additional information:
  in 10.82.0.200 255.255.255.252 outside

  Phase: 4
  Type: ACCESS-LIST
  Subtype: Journal
  Result: ALLOW
  Config:
  Access-group interface interface1
  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  Additional information:

  Phase: 5
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 6
  Type: INSPECT
  Subtype: np - inspect
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  Policy-map global_policy
  class inspection_default
  inspect the http
  global service-policy global_policy
  Additional information:

  Phase: 7
  Type: FOVER
  Subtype: Eve-updated
  Result: ALLOW
  Config:
  Additional information:

  Phase: 8
  Type: NAT-FREE
  Subtype:
  Result: ALLOW
  Config:
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
  Exempt from NAT
  translate_hits = 32, untranslate_hits = 35251
  Additional information:

  -Phase 9 is a static nat of the problem to another network interface. Don't know why his watch to print.

  Phase: 9
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (interface1, interface3) 10.231.0.0 10.231.0.0 255.255.0.0 subnet mask
  NAT-control
  is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
  static translation at 10.231.0.0
  translate_hits = 153954, untranslate_hits = 88
  Additional information:

  -Phase 10 seems to be the default NAT for the local network configuration when traffic is to the Internet

  Phase: 10
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT (interface1) 5 10.231.191.0 255.255.255.0
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
  dynamic translation of hen 5 (y.y.y.y)
  translate_hits = 3048900, untranslate_hits = 77195
  Additional information:

  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional information:

  Phase: 12
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional information:

  Phase: 13
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 1047981896 id, package sent to the next module

  Result:
  input interface: interface1
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  So, basically, the connection should properly go to connect VPN L2L but yet is not. I tried to generate customer traffic of base (with the source IP address of the client network and I see the connection on the firewall, but yet there is absolutely no encapsulated packets when I check "crypto ipsec to show his" regarding this connection VPN L2L.) Its almost as if the firewall only transfers the packets on the external interface instead of encapsulating for VPN?

  And as I said, at the same time the remote end can activate the connection between these 2 networks very well, but just won't get any traffic back to their echo ICMP messages.

  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
  current_peer: y.y.y.y

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  If it was just a routing problem it would be a simple thing to fix, but it is not because I can see the connection I have to confirm it by the router base on the firewall, but they don't just get passed on to the VPN connection.

  Could this happen due to a bug in the Software ASA? Would this be something with Checkpoint VPN device? (I have absolutely no experience with devices of control point)

  If there is any essential information that I can give, please ask.

  -Jouni

  Jouni,

  8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

  If this does not resolve the problem - I suggest open TAC box to get to the bottom of this ;-)

  Marcin

• Virtual network traffic control

  I am currently evaluating different virtualization products and have a special interest in virtual machine network traffic control.  What I want to know is: is it possible, in VMware Server (or drive), to completely control the network traffic between virtual machines?  In other words, can I programmatically control the virtual network so that I can decide if and when, a bunch of VM #1 is passed to VM #2?

  I had planned on using network invited only, but if NAT or Bridged Networking is necessary to make this work, I'm ready to do.

  Thanks in advance,

  Dan

  Is it possible, in VMware Server (or drive), to completely control the network traffic between virtual machines?

  N ° Server VM Ware or player has no such controls.  ESX has traffic shaping.  None of these can do however to balance INCOMING traffic load.

  You would need a virtual computer with the software between them to control data.  But if you do, upgrade to ESX Enterprise Plus with Cisco Nexus.

• character controlled with the mouse problem

  I would like to make a game in which the character is controlled with the mouse exactly like this game: http://flashdo.com/item/asteroid-wave-game/1053/full_screen_preview

  I guess that the author simply used the code snippet that changes the cursor to an object. However, this causes a game to break the question; If the user makes the cursor off the screen flash and then come back somewhere else, the spacecraft will Warp to that location. Full screen, because the user cannot make the cursor off the screen, this problem does not occur.

  The code snippet using drag-and - déposer, when cursor the user comes out of the screen, the object did follow the borders of the screen Flash. However, given that the user has to hold the left button of the mouse and the cursor does not disappear, it is not very useful.

  Is there a way to control the character exactly as the game above, but when the cursor leaves the screen, make the character well follow the borders of the screen Flash like the drag and drop code snippet don't?

  Also, is there a way to make the box where the character can move smaller than the scene?

  Thank you very much.

  If you check the startDrag function, you will see that it provides the inclusion of the two arguments.

  startDrag (lockCenter:Boolean = false, limit:Rectangle = null):void

  The first is to have the cursor centered on the object or not, and the second is where you can specify a rectangle which limits the area of traffic allowing drag.  What to do in smaller just step specify a rectangle for your needs.

• Quarter playback controls when the 3rd party app plays

  When a 3rd party application plays on my iPhone (Audible, Castro,...), my Apple Watch does not show the playback controls to it. Wait for the watch to show the same controls as the control center on my iPhone. But it shows a Play button and gray < <>> / buttons. Volume controls work well and when I press the play button, the 3rd party app is dimmed and the iOS app music begins to play.

  I'm doing something wrong?

  iPhone 6 s more - iOS 10.0.1

  Apple Watch series 2 - Watch OS 3.0

  Hello

  Audible or Castro iPhone applications currently include an app for Apple Watch:

  • Sound: https://itunes.apple.com/us/app/audible-audio-books-original/id379693831?mt=8
  • Castro: https://itunes.apple.com/us/app/castro-play-share-podcasts/id1080840241?mt=8

  I suggest that you see the respective developers support resources and/or consult the developers directly on the contribution of functionlity for their applications on Apple Watch:

  • Sound: http://audible.custhelp.com/
  • Castro: http://supertop.co/castro/press/#contact

• Apple: Can allow you parents more control over the access of children iTunes?

  Parental restrictions on mini iPad 16 GB of my granddaughter running iOS 9.3.5 (original version) do not seem to allow parents to control properly the child access iTunes. We have music, news and Podcasts (iTunes), reserved for the 'Clean' as opposed to 'Explicit', but he is always happy that we find unacceptable.

  Apple or someone you suggest a way to further control access of the child to the iTunes app?

  If not, then... Apple - there must be a way to create a framework between Clean and Explicit. You please solve this problem?

  There are other parents who have the same problem?

  Thanks for your thoughts / feedback.

  Apple isn't here.

  This is a support forum user community product technique.

  Aside from Apple employees who are specialist community technical and support the community moderators, we are all users here, just like you.

  If you want to leave a comment on the ability of your iPad to have parental controls more complete, leave your comments here.

  http://www.Apple.com/feedback/iPad.html

  Good luck!

• How to stop the remote control to the setting

  How to stop the remote control to the setting

  Disable the settings > general > accessibility > voiceover.