Verification of the NAC/CCA configuration: OOB + virtual gateway (L2)
Hello
I'm currently setting up a NAC out-of-band (OOB) deployment with virtual gateway. Can someone please check my configs below:
Central office switch:
------------------------------------
VLAN database:
----------------
!
VLAN 10
name VLAN_DEPT1
!
VLAN 11
name VLAN_DEPT2
!
VLAN 20
name VLAN_DEPT3
!
VLAN 26
name VLAN_DEPT4
!
VLAN 27
name VLAN_DEPT5
!
VLAN 28
name VLAN_DEPT6
!
VLAN 29
name VLAN_DEPT7
!
VLAN 30
name VLAN_DEPT8
!
VLAN 32
name VLAN_DEPT9
!
VLAN 50
name VLAN_NetMGT
!
VLAN 51
name VLAN_CAS_MGT
!
VLAN 52
name VLAN_CAM_MGT
!
VLAN 210
name VLAN_DEPT1_Auth
!
VLAN 211
name VLAN_DEPT2_Auth
!
VLAN 220
name VLAN_DEPT3_Auth
!
VLAN 226
name VLAN_DEPT4_Auth
!
VLAN 227
name VLAN_DEPT5_Auth
!
VLAN 228
name VLAN_DEPT6_Auth
!
VLAN 229
name VLAN_DEPT7_Auth
!
VLAN 230
name VLAN_DEPT8_Auth
!
VLAN 232
name VLAN_DEPT9_Auth
!
!
Interface Configs
--------------------
interface GigabitEthernet3/41
description "Link to eth0 Cisco CAM - PRI"
switchport access vlan 52
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
!
interface GigabitEthernet3/42
description "Link to eth0 Cisco CAM - FO"
switchport access vlan 52
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
!
interface GigabitEthernet3/43
description "Trunk to eth1 Cisco CAS - PRI / untrusted network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
switchport trunk allowed vlan 210,211,220,226-230,232
!
interface GigabitEthernet3/44
description "Trunk to eth1 Cisco CAS - FO / untrusted network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
switchport trunk allowed vlan 210,211,220,226-230,232
!
interface GigabitEthernet3/46
description "Trunk to eth0 Cisco CAS - PRI / trusted network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
switchport trunk allowed vlan 10,11,20,26-30,32,50-51
!
interface GigabitEthernet3/48
description "Trunk to eth0 Cisco CAS - FO / trusted network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
switchport trunk allowed vlan 10,11,20,26-30,32,50-51
!
!
interface GigabitEthernet1/1
description "Trunk link to DEPT1 access SW"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
!
! - Example of interface VLAN.
interface Vlan10
description "DEPT1 VLAN"
ip address x.x.10.1 255.255.255.0
ip helper-address x.x.50.5
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
! - No interface VLAN for auth VLAN 210.
*
*
*
Access switch configuration
-----------------------------------
interface GigabitEthernet0/1
description "Trunk link to central office switch"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
no ip address
!
!
interface GigabitEthernet0/6
switchport access vlan 30
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
!
=========================================
Is the above configuration correct?
Thank you
The config looks OK, but we recommend using a dummy native VLAN on both the trusted and the untrusted trunk ports.
When you bring up the client computer on port 0/6, make sure that it is moved from VLAN 30 --> 230.
Thank you
Syed
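As an added example (not code from the thread or from Cisco), here is a small checker that parses an IOS config excerpt modelled on the one above and reports violations of the L2 OOB virtual-gateway rules discussed here: no SVI on an auth VLAN, CAS-facing trunks must not mix access and auth VLANs, trunk native VLANs should be unused dummy VLANs, and the allowed-vlan list must be well formed. It assumes CAS trunks are identified by "CAS" in their description and auth VLANs by the "_Auth" name suffix; the sample config and its planted faults are constructed.

```python
"""Lint a Cisco IOS config against the NAC L2 OOB virtual-gateway rules in the
thread. Assumed: CAS trunks say "CAS" in description; auth VLANs end in _Auth."""
import re
# Constructed excerpt: the SVI on VLAN 210, the missing comma on Gi3/43 and the
# trusted trunk carrying VLAN 210 with native VLAN 10 are planted faults.
SAMPLE_CONFIG = """\
vlan 10
 name VLAN_DEPT1
vlan 210
 name VLAN_DEPT1_Auth
interface GigabitEthernet3/43
 description Trunk to eth1 CAS - untrusted network
 switchport mode trunk
 switchport trunk allowed vlan 210,211 232
interface GigabitEthernet3/46
 description Trunk to eth0 CAS - trusted network
 switchport trunk native vlan 10
 switchport mode trunk
 switchport trunk allowed vlan 10,210
interface Vlan210
 ip address 10.0.210.1 255.255.255.0
"""

def expand_vlan_list(spec):
    """Expand '10,11,26-30' into a set of VLAN ids; reject malformed input."""
    if spec is None:
        raise ValueError("CAS trunk has no allowed-vlan list")
    vlans = set()
    for tok in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", tok.strip())
        if not m:
            raise ValueError(f"malformed allowed-vlan token {tok!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        vlans.update(range(lo, hi + 1))
    return vlans

def parse_config(text):
    """Split the config into {section header: [body lines]}."""
    sections, cur = {}, None
    for s in map(str.strip, text.splitlines()):
        if re.fullmatch(r"(vlan \d+|interface \S+)", s):
            cur = sections.setdefault(s, [])
        elif cur is not None:
            cur.append(s)
    return sections

def field(lines, pattern, default=None):  # first capture of pattern in lines
    for s in lines:
        if m := re.fullmatch(pattern, s):
            return m.group(1)
    return default

def lint(text):
    """Return design-rule violations for TEXT (empty list means clean)."""
    sections = parse_config(text)
    vlans = {int(h[5:]): field(b, r"name (.+)", "") for h, b in sections.items() if h.startswith("vlan ")}
    by_name = {n: vid for vid, n in vlans.items()}
    auth = {vid: by_name[n[:-5]] for vid, n in vlans.items() if n.endswith("_Auth") and n[:-5] in by_name}
    findings = []
    for name, b in ((h[10:], b) for h, b in sections.items() if h.startswith("interface ")):
        if name.lower().startswith("vlan"):  # SVI: auth VLANs must stay pure L2
            if int(name[4:]) in auth and field(b, r"ip address (.+)"):
                findings.append(f"{name}: SVI on auth VLAN gives unauthenticated hosts L3 reachability")
            continue
        if "switchport mode trunk" not in b:
            continue
        native = int(field(b, r"switchport trunk native vlan (\d+)", "1"))
        if native in vlans:
            findings.append(f"{name}: native VLAN {native} is a production VLAN; use an unused dummy VLAN")
        if "CAS" not in field(b, r"description (.+)", ""):
            continue  # only CAS-facing trunks must keep trusted/untrusted apart
        try:
            allowed = expand_vlan_list(field(b, r"switchport trunk allowed vlan (.+)"))
        except ValueError as e:
            findings.append(f"{name}: {e}")
            continue
        if allowed & set(auth) and allowed & set(auth.values()):
            findings.append(f"{name}: CAS trunk carries both access and auth VLANs")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see the four planted faults reported; on the posted config it would flag the missing comma in "226-230 232".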
Tags: Cisco Security
Similar Questions
-
NAC L2 OOB VG design for wired users
Hi all
I need help with the NAC L2 OOB virtual gateway design for wired users. The Cisco documentation has only one configuration example, and it is for wireless users, which does not apply to my case (wired users). Here are the details; please correct me if the design is wrong at any point:
1: create a VLAN (241) for CAM management on the core.
2: create a VLAN (240) for CAS management on the core.
3: the IP addresses of both E0 (10.10.240.1) and E1 (10.10.240.1) of the CAS will be on the same subnet and the same IP address.
4: create all trusted VLAN SVIs (VLAN 10, 20) on the core.
5: configure managed subnets for the untrusted VLANs (100, 200) on the CAS.
6: create the VLAN mapping between trusted and untrusted (10 to 100, 20 to 200).
7: core connected to the CAS E0: trunk allowed vlan 10, 20, 240
8: core connected to the CAS E1: trunk allowed vlan 100, 200
9: other typical configuration
I don't have a lab to test. I'm just worried that I missed something, as the implementation will be critical and I want to avoid all risks.
Please give me suggestions and best practices. Also please let me know if I need to add any config.
Kind regards
Abdul Majid Khan
Abdul,
Port profiles are used to determine whether a port is managed or unmanaged, so you will need at least one port profile. There you define what the initial VLAN of the switchports will be, what the final VLAN will be, etc.
More details here: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html#wp1083087
HTH
Faisal
-
NAC problem - Agent disconnects
Hello
We have a problem with NAC in virtual out-of-band mode.
AD SSO, remediation, everything is working, but strange things happen: after a while, when downloading large files, the Agent presents the network user login form again and the login process is restarted.
I disabled the heartbeat timers and session timers, but we still have the problem.
Also, while sniffing traffic on the switch port, I noticed that after having correctly connected to the network, the Cisco Agent always sends traffic to UDP port 8905. Is this normal behavior?
I noticed problems with this version of the agent causing connections to drop intermittently. I would upgrade to agent v4.1.3.1.
-
NAC switch configuration
Hello!!
I bought a NAC Server and a NAC Manager to centrally manage the VLAN that users connect to, based on authentication.
I have several sites, but the NAC server will be at Headquarters.
When a remote user authenticates, NAC must configure the user's switch port for the right VLAN.
Is this an out-of-band solution?
Do I need a specific license for out-of-band?
Best regards,
Miguel Amaral
Hello
It's the same pattern: you need 2 licenses, one for the CAM and one for the CAS.
The CAM one sets the number of CASes you can add.
The CAS one defines how many users are supported.
So either the CAS PAK has been lost, or it was never bought.
In both cases, you will need to contact the entity that sold the devices and ask for the CAS PAK.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
File system check and disk check
I always thought I knew.
But now I have more doubts and uncertainties. When should one perform the file system check?
When should one perform the disk check?
Hello
SFC /scannow - run when you suspect that there may be file system corruption, as it will check the digital signatures. Of course, SFC will attempt to overwrite any file that is not signed correctly. For many errors it should be considered a first step in the effort to repair.
How to repair the operating system and how to restore the operating system configuration to an earlier point in time in Windows Vista
http://support.Microsoft.com/kb/936212
How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or Windows 7
http://support.Microsoft.com/kb/929833
System File Checker
http://msdn.Microsoft.com/en-us/library/aa382541(vs.85).aspx
System File Checker
http://en.Wikipedia.org/wiki/System_File_Checker
==================================================
CheckDisk (chkdsk) should be run every time you think that hard drive corruption is possible, which could be one file on the disk, as it verifies the logical integrity of the disk. My preference is to also run it whenever SFC is executed, especially if any errors were found.
This explains how Vista and Windows 7 checkdisk (chkdsk) works
An explanation of CHKDSK and the new /C and /I switches
http://support.Microsoft.com/kb/187941
Chkdsk
http://en.Wikipedia.org/wiki/chkdsk
I hope this helps.
Rob Brown - MS MVP - Windows Desktop Experience: Bike - Mark Twain said it right.
-
Hello Experts,
I have some questions that came up while doing NAC work at one of our subsidiaries. If there are some user ports which are not selected for the NAC port profile, is it possible (other than physically checking the user's machine, or allowing all ports & auditing) to track user ports that are not managed by NAC?
Second, if the NAC user port is manually on the user VLAN (rather than the quarantine or temporary VLAN), what is the correct procedure for that:
should the NAC user port be typed manually to the user VLAN, or should the port profile be set to uncontrolled, followed by bouncing the port & updating?
Appreciate all help, thank you.
Hello
See inline:
If there are some user ports which are not selected for the NAC port profile, is it possible (other than physically checking the user's machine, or allowing all ports & auditing) to track user ports that are not managed by NAC?
[Tiago] On the CAM GUI, you can check which ports are controlled/uncontrolled. It is the only place where ports can be set to managed/unmanaged.
Second, if the NAC user port is manually on the user VLAN (rather than the quarantine or temporary VLAN), what is the correct procedure for that:
should the NAC user port be typed manually to the user VLAN, or should the port profile be set to uncontrolled, followed by bouncing the port & updating?
[Tiago] When you configure the switch, the switchports can be put on the user VLAN or on the default access VLAN. It depends on the port profile settings you have configured. By default, when a port is managed, if a client connects, an SNMP trap is sent to the CAM. The CAM checks whether the machine is certified or not (it checks the MAC address). If the machine is not certified, the CAM changes the VLAN to the authentication VLAN configured on the port profile.
So, whenever you connect a PC to a switchport, the CAM evaluates what the correct VLAN is for the PC to start in and changes it accordingly.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
NAC Profiler support & ip helper-address
Hello
I have a layer 3 OOB NAC Profiler deployment and I am trying to profile some IP phones at a remote location by using the ip helper-address statement on the interface of the remote router. The problem is that the remote router acts as the DHCP server for the voice VLAN and does not forward DHCP discovers to the NAC Collectors, so I can't profile the IP phones. Do you know a way (a configuration command on the router) to forward the DHCP even though the router acts as the DHCP server for this VLAN?
Thank you
Victor
Hi Victor,
To do this... you must add an SVI for the voice VLAN on the switch behind the router, and then add the ip helper on the new voice VLAN interface.
-Hassan
-
NAC In-Band Real-IP gateway process
Hi all
I did a lot of research, and I cannot find good answers to some of my questions. All the big questions are answered for the out-of-band configuration, but I find that an understanding of In-Band is taken for granted lol... I guess I'm slow = P
- How does the In-Band Real-IP gateway work?
- What is the point of the /30 subnets?
- Are there any access/auth VLAN pair configurations in-band?
- How does quarantine work?
- I read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean that there is no support for several trusted VLANs mapped to a single NAC server?
- Can you do role mapping with in-band configurations?
Assistance for all or part of these questions would be GREATLY appreciated!
Thank you a lot =]
~ Xavier.
Hi Xavier,
I'll try to answer your questions.
1. How does the In-Band Real-IP Gateway work?
The CAS works in routed mode, i.e. you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Because the CAS does not support routing protocols, routing must be configured through static routes.
2. What is the point of the /30 subnets?
The idea is to have small subnets for your clients, so that with this IP config, clients in the authentication VLAN must go through the CAS even to talk to other clients on the same L2 subnet.
Click here for an explanation:
3. Are there access/auth VLAN pair configurations in-band?
If you are asking whether there is VLAN mapping, then the answer is NO, as the purpose of VLAN mapping is to *bridge* traffic between the mapped trusted and untrusted VLANs, but in Real-IP the CAS routes traffic at L3.
4. How does quarantine work?
When a client is quarantined, it works the same way as in OOB, since in this phase the client is always inline with the CAS.
So the concept is that the CAS assigns the temporary or quarantine role to the user and applies the traffic policy you have set up for the temporary or quarantine role.
5. I have read that the NAC server cannot send traffic on the untrusted port to a VLAN and that you are not allowed to trunk the port. Does this mean that there is no support for several trusted VLANs mapped to a single NAC server?
The "single VLAN" restriction for the Real-IP CAS applies only to the *trusted* side. The CAS may be the default gateway for several VLANs / IP subnets on the *untrusted* side.
Configure additional VLANs / IP addresses on the untrusted side by using the "managed subnet" configuration.
This is mentioned here:
The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For more information on the setup of managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.
6. Can you do role mapping with in-band configurations?
Yes, you can! However, you cannot assign a VLAN as you do in OOB, but you can assign different levels of access based on the IP traffic policies and bandwidth restrictions that you assign to the specific role.
For example, check here for more details:
In a word, regardless of In-Band vs Out-of-Band:
- clients are in-band with the CAS during the CAS detection, authentication, posture assessment and remediation phases.
The main difference occurs when the user is allowed to access the network and you run the role assignment, IB vs OOB:
- in IB, client traffic keeps flowing inline through the CAS, so you can apply different access policies (ACLs) and bandwidth control depending on the role policies (but you cannot assign a VLAN);
- in OOB, client traffic bypasses the CAS once it is authorized: in this case, you can apply a different VLAN but (given that the CAS is no longer in the path) you cannot apply ACLs and/or bandwidth policy.
I hope that answers your questions.
Kind regards
Federico
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
-
Enabling NAC HA puts several hosts and the ASA at 100% CPU
I installed a NAC Manager and a NAC Server in OOB without any problems, but when I configured HA (high availability) with another server, my ASA and several hosts in my network started running at 100% CPU.
I tried configuring each interface of the NAC on a separate DMZ and the problem stopped there.
Has anyone had this problem (NAC version 4.7)?
TKX
Miguel Amaral
Hello Miguel.
When I set up a NAC In-Band HA solution I had a similar problem, which I solved by changing the HA heartbeat configuration to use ETH0 only instead of ETH0 and ETH1.
Best regards
Luciano Carvalho
-
NAC CAM could not add the access switch
Hi all
My problem is that I can't add the access switch to the CAM using Mozilla Firefox or IE. See the attached file: cannot add the device. Any idea how to solve my problem?
Hello
Please note that to add a device (switch) to the CAM, you must go to OOB Management -> Devices -> New.
First, you must configure the SNMP settings on the switch and on the CAM so that the CAM and the switch can communicate.
I advise you to carefully read the OOB configuration and switch management guide:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
NAC Profiler integration - cannot add to filter list on CAM
Hi all
I have a problem with the NAC Profiler integration for endpoint profiling.
Here's the situation:
I have already created the integration based on the steps in the guide: Configuring Cisco NAC Appliance Integration. I think the configuration is correct, because I can do database synchronization between the Profiler and the CAM. Here's the Profiler server log:
NAC_SYNC: Task_Queue_Runner commissioning
NAC_SYNC: Profiler / END of synchronization of the NAC [add 0, upd 0, desc 0, rm 0]
NAC_SYNC: Profiler / START the synchronization of the NAC
INFO: [2010-12-15 11:01:09 (fcapGetHWAddr:49)] is for eth0 MAC
I have already created an endpoint profile named "Admin" which is based on the IP address. I also created the NAC events based on the endpoint profile 'Admin'.
The NAC event will map the 'Admin' profile to a NAC role. This event aims to have 'Admin' bypass NAC authentication so that 'Admin' can connect to the network automatically in a NAC role.
However, when 'Admin' connects to the network, it is still challenged by NAC. I don't see 'Admin' in the CAM filter list.
This means that the endpoint profiling is still broken.
Is there anyone who has experience with this?
Thanks for the support and comments
Imad
Hello
You cannot add devices manually on the Profiler.
The Profiler has to detect them automatically (that is the concept of profiling).
The Profiler detects endpoints using the collector modules.
Each module has its own endpoint detection method.
You will find the description of each collector module here:
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
MAC address filter list in the NAC
Hi Faisal, how are you? I have a question about the filter list in the NAC appliance. I want to make it so that only MAC addresses recognized by the NAC appliance are allowed onto the network. However, if a workstation's MAC address is not in the filter list, it would not be able to access the network. Does the NAC have the ability to do that? Please let me know. Thank you.
Richard
I'm not Faisal, but...
Do you want to do additional authentication (such as LDAP) or simply authentication based on the MAC address? If you want only via the MAC, you can add them to the filter list and then either set it to 'allow' to allow all traffic, 'role' to put them in a specific role, or 'check' to apply the posture assessment and then put them in the role. If no other authentication server is configured, users who are not in the filter list would not be able to authenticate, and they would be stuck in the authentication VLAN.
Thank you
Lauren
-
NAC Profiler 2.1 to 3.1 upgrade
Hi guys,
I'm setting up a NAC Profiler that came with 2.1 installed. I upgraded to 3.1, rebooted and installed the license without any problems, but I always get this message: "ERROR: [2010-12-08 09:25:01 (main: 668)] no valid key found [no such file or directory]"
The license file exists, and on the NAC Profiler web interface the license status is OK.
A single line in the license file gives me this information: 'cisco 2.1 INCREMENT CCA-MANAGER uncounted permanent'.
Does anyone know if the license is tied to the Profiler version?
Is the upgrade from 2.1 to 3.1 allowed, or is it necessary to purchase a new 3.1 license?
Best regards
Hello
So I guess you spotted the problem here...
Do you have a collector license?
You need 2 licenses: one for the Profiler server, and one for the collector.
Basically, the MAC address you provide is the same (eth0 of the Profiler server), but you need a Profiler Server PAK to generate the Profiler Server license (the one you already have) and a PAK for the collector license (which is missing).
Do you have the collector PAK?
If yes, then just go to the license page and submit this PAK and the MAC address.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
NAC 4.8 passive re-assessment does not work
Hello
After an upgrade to 4.8.0, we would like to use the passive re-assessment function with L2 OOB.
Everything is configured properly according to the Cisco NAC docs (enable OOB Logoff, User Roles -> enable Passive Re-assessment).
However, only the OOB logoff feature works well, i.e. on a Windows user logoff, the user is logged out of NAC.
The first few times the PRA worked well; the CAM report showed failed re-assessment records with red flags, but now it shows nothing associated with PRA.
(I know the report shows only failed PRA records.)
I tried reloading all the elements of the CAM HA and CAS HA, but nothing changed.
Any suggestion?
Thank you very much
Attila
Hi Attila,
From the Agent debugs, I see that the Agent reports the failure for the following condition:
% NACAGENT-6-REQUIREMENT_PROC: % [sev = info] [func = Rqmt::completeCheck]: check the result of rqmt [MS: hianyzo Windows frissites Windows XP (BKV)]:FAILED
That's the only requirement that fails, and it is also reported in the "NACAgentReport.xml" file that is part of the package you uploaded, and it has not been quantified.
I think the problem is actually with the following parameter: "Default PRA on failure action - continue".
Please set it to "Allow user to remediate" or "Log off user immediately" and check if the behavior is different.
If this does not help, please open a TAC service request so it can be investigated.
Thank you
Federico
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
-
I have a question about WinXP rules in the NAC server and, more specifically, if a check reports a failure but it is part of a ! in the rule, does this mean it passes? For example:
&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037) (red indicates failure)
The NAC reports this as a failed check:
pc_Windows_ehkeyctl, File Check [$SYSTEM_ROOT\ehome\ehkeyctl.dll exists]
Is it a failure because it finds the file and there is a negation on the rule?
What about this:
&(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)
The first part reports as passed, and the second reports failure... but logically, this part of the rule must pass because of the ! on the first part? Is that correct?
Thank you!
Gavin - Budd
It actually reports a check failure - and in many cases it is expected (and confusing!). For example, with the preconfigured Windows checks, if it is a 32-bit client you will see the 64-bit check fail.
Same with your second example check:
&(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)
We expect either that the first check is not met or that the second check passes - but one of these checks will show as failed. Clear as mud?
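To make the distinction between "a check failed" and "the rule failed" concrete, here is an added example (not code from the thread or from Cisco) that evaluates rule expressions of the form quoted above over constructed check results and lists which checks show as failed even when the rule passes. It assumes ! binds tightest, then &, then |, and treats the leading & of the posted expressions as a stray prefix.

```python
"""Evaluate NAC-style rule expressions (&, |, !, parentheses) over per-check
results, separating "the rule passed" from "a check showed as failed".
Assumptions (not from the thread): ! binds tightest, then &, then |; a stray
leading & or | is ignored. Check names and results below are constructed."""
import re

def tokenize(rule):
    """Split a rule string into operator and check-name tokens."""
    if re.search(r"[^&|!()\sA-Za-z0-9_$.\-]", rule):
        raise ValueError("unexpected character in rule")
    return re.findall(r"[&|!()]|[A-Za-z0-9_$.\-]+", rule)

class RuleEvaluator:
    """Recursive-descent evaluator that records every check it consulted."""
    def __init__(self, results):
        self.results = results  # check name -> True (passed) / False (failed)
        self.consulted = {}

    def evaluate(self, rule):
        self.tokens = tokenize(rule)
        if self.tokens and self.tokens[0] in "&|":  # stray leading operator
            self.tokens.pop(0)
        self.pos = 0
        value = self._or()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return value

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _or(self):  # both operands are always evaluated so every check is recorded
        value = self._and()
        while self._peek() == "|":
            self.pos += 1
            value = self._and() or value
        return value

    def _and(self):
        value = self._not()
        while self._peek() == "&":
            self.pos += 1
            value = self._not() and value
        return value

    def _not(self):
        tok = self._peek()
        if tok == "!":
            self.pos += 1
            return not self._not()
        if tok == "(":
            self.pos += 1
            value = self._or()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return value
        if tok is None or tok in "&|)":
            raise ValueError(f"expected a check name, got {tok!r}")
        self.pos += 1
        if tok not in self.results:
            raise KeyError(f"no result for check {tok}")
        self.consulted[tok] = self.results[tok]
        return self.results[tok]

    def failed_checks(self):
        return sorted(name for name, ok in self.consulted.items() if not ok)

def explain(rule, results):
    """Return (rule_passed, checks_that_showed_as_failed) for one host."""
    ev = RuleEvaluator(results)
    return ev.evaluate(rule), ev.failed_checks()

if __name__ == "__main__":
    # Constructed results for the two rules quoted in the thread.
    rule1 = "&(!pc_Windows_ehkeyctl|pc_XP_MCE_KB973768_MS09-037)"
    print(explain(rule1, {"pc_Windows_ehkeyctl": False, "pc_XP_MCE_KB973768_MS09-037": False}))
    rule2 = "&(!pc_XP_2115168_MS10-052_FileChk|pc_XP_2115168_MS10-052)"
    print(explain(rule2, {"pc_XP_2115168_MS10-052_FileChk": True, "pc_XP_2115168_MS10-052": False}))
```

With the file absent, the first rule passes although both checks are listed as failed; with the file present and the hotfix check failing, the second rule fails, which is the remediation case.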