ACS NAC and VPN

I am trying to set up NAC using ACS 4.1 and a VPN concentrator 3015 using 4.7.2K. I have had it working before using 3.3 and 4.0, but had to wipe out my server because of some issues. This is all in test, but I would like to complete this soon.
Is there some document out there that will allow me to see examples of this setup? I have googled it and checked on Cisco, but the examples are normally IOS specific. Any help would be appreciated.
Thanks
Dwane

Refer to the link to the NAC Phase One whitepaper which is the best guide to configuring NAC at the moment.
The document was released prior to NAC introduction on the VPN concentrator, but all the ACS and CTA configuration is valid.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf
Also refer to these links for more info about the VPN concentrator with NAC:
http://www.cisco.com/warp/public/471/vpn3k-nac-config-471.html
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee22f.html#wp1652431

Similar Messages

  • ACS NAC and VLANs.

    We are working on configuring a NAC Framework test network. We've got to the point where we can successfully evaluate and flag a client PC as healthy or quarantine and enable/disable its switchport as appropriate. The next step that we are having a problem with is assigning the port to a VLAN; whatever we do the port always seems to stay in the default VLAN1. We've created additional VLANs for healthy and quarantined PCs but can't get the ports assigned whatever we try. We're pretty sure we are getting the syntax of the various settings in ACS correct as wherever possible we are using templates to create settings profiles and where no templates are available we've checked our settings very carefully.
    The only error we can see is from a radius debug on the switch during the authentication process where it returns these messages:
    03:48:39: dot1x-ev:Received VLAN is No Vlan
    03:48:39: dot1x-ev:Received VLAN Id -1
    There are several repeats of these during the debug.
    Any ideas?

    Did you configure these 3 attributes? You must set them so that the VLAN ID/name can be assigned correctly. And on the switch you must include AAA network too.
    IETF 64 (Tunnel Type): set this to VLAN
    IETF 65 (Tunnel Medium Type): set this to 802
    IETF 81 (Tunnel Private Group ID): set this to the VLAN ID/name

  • 802.1x NAC and per-user ACLs

    Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html , it appears that there is nothing preventing this.
    Also, when will URL redirection to a remediation server be supported with 802.1x NAC?

    You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.
    802.1X with per-user ACLs was already shipping at the time though (has been for some time) and the mechanism is operationally the same .. just functionally different.
    With per-user ACLs, you'd configure a VSA like:
    ip:inacl#1=deny ip any host 10.1.8.3
    ip:inacl#2=permit ip any any
    The "downloadable IP ACL" config would look like:
    deny ip any host 10.1.8.3
    permit ip any any
    In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user ACLs", there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.
    So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).
    Hope this helps,

  • NAC and Checkpoint firewall

    Hi to all,
    Does anyone know if it is possible to configure SSO using NAC and a Checkpoint firewall VPN client software on a user machine?
    Thanks in advance for your help

    Mark,
    If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal

  • Cisco NAC and Microsoft NAP

    Dear all,
    I need to know what are the differences between Cisco NAC and Microsoft NAP ?
    Can NAP be used instead of NAC or not ? why ? why not ?

    I really do not know if you will find the answer that you are looking for. From what I remember NAP was an option that was available with the ACS via a special patch. This is only supported for Vista clients if memory serves me correctly.
    Here is the link that will help you with the basics.
    http://www.cisco.com/en/US/netsol/ns466/index.html
    We do not get much case volume or exposure to the NAP solution and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with acs 4.2 possibly hitting eol/eos.
    Thanks,
    Tarik

  • NAC WiFi + NAC Internal VPN

    Has anyone tested this scenario?
    The idea is the following: Users connect via wireless connection to the network and are certified by the NAC appliance; after certification they are switched out of band. This will grant them access to basic network resources. To get access to more secure resources the users will have to establish a VPN connection over the already established wireless connection. After a successful VPN connection they will need to go through a second NAC appliance connected in-band to the VPN endpoint for extra security checks.
    My question is, how will these users be treated by the NAC appliance since their user credentials are already logged by the NAC manager because of the successful WiFi login?
    I have looked into the Max users sessions option, but this only works per role. And since WiFi and VPN users will have different roles I suspect that that option will not work for my purpose.

    Hi,
    No difference, except that using a third party cert simplifies the process in that the majority of the clients already trust the root certs of the well known CAs. Other than that if you have a way of distributing your internal CA's root cert to your clients, it should work just fine with internal certs.
    HTH,
    Faisal

  • Questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN Access

    Hi there,
    I want to ask a series of questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN access and was hoping whether you could help me. Below are my questions to ask you.
    Outlook Web App - What do I need to configure in order to get my Exchange account to work with the OWA app on my iPhone? Is Office 360 required on the server that hosts Outlook Web App in our organisation? When I configure the settings and connect I get the following message "couldn't connect - We couldn't connect to the server. Check your information and make sure it's correct." I can connect with other devices using Outlook Web App.
    Remote Desktop - What do I need to configure in order to connect to my computer at work using Remote Desktop on my Windows Phone? When I configure the settings and connect I get the following message "Connection error - We couldn't connect to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled. Inquiring minds may find this error code helpful: 0x204" I can connect with other devices using Remote Desktop. There are currently no RD Server settings in the Remote Desktop app on the Windows Phone and the only way I'm able to connect to my PC at work is via Remote Desktop (not to be confused with the one by Microsoft); however the app is on a trial basis and times out every 5 minutes and can only be used once every hour unless I purchase the app for £2.99 off the App Store, but I would ideally like to use the Microsoft Remote Desktop app.
    Remote Web Access - What do I need to configure in order to get Remote Web Access on my Windows Phone using a URL? When I log in using a URL I get the following message "There is a problem with this Web page. Please contact the person who manages the server" I can connect with other devices using Remote Web Access. Also how do you enable the background option for Remote Web Access? I know how to do this in Remote Desktop but not in Remote Web Access. Remote Web Access works on PCs regardless of being onsite and offsite and on my iPhone; the same issue also occurs with my Nokia 5230s regardless of whether I'm using Opera Mobile or Mini or the latest Nokia Browser.
    VPN access - How do you configure VPN access on a Windows Phone using VPN? I cannot find the protocols PPTP, L2TP, SSTP and IPsec in order to configure VPN access on the Windows Phone apart from IKEv2.
    Many thanks,
    RocknRollTim

    Any help would be much appreciated.
    Kind regards,
    RocknRollTim

  • NAC and AD, Machine GPOs, Roaming Profiles = Chaos

    I've just observed a hapless Cisco consultant try to make NAC 4.1 work on computers with machine GPOs, roaming profiles, logon scripts within user GPOs, and for that matter legacy logon scripts with "run logon scripts synchronously" enabled. All of these technologies seem to fail on a NAC-enforced connection.
    We assign software on machine GPOs and we use roaming user profiles, and it seems we either need to have a domain controller and profile share on the isolation VLAN, which defeats the purpose of NAC, or perform some kind of machine authentication, which can occur before GPO processing and net logons can happen.
    While I'm not the Cisco consultant, it wasn't hard to recognize this problem.
    Everything I've read about NAC and CAA suggests this is a per-user compliance solution and not a per-machine solution. Surely others have observed this, and I think this is what machine authentication (802.1x) NAC, as opposed to user authentication NAC, is all about. At the risk of sounding like a total n00b, where can I start researching a NAC solution that supports what I want and lets us use the Cisco NAC gear we've already invested in?

    I have had similar issues and have solved many with a custom script that runs at log on. It is a compiled script and works great, AutoIT3.
    The policy part takes care of itself if you leave machines logged in long enough or do a gpupdate /force. This will force the group policy to synchronize but you will need to log off and on again.
    The roaming profile is much tougher. I am still trying to get this working. If anyone has any info on EXACTLY what takes place on a roaming profile synchronization, I would be grateful. If I can I will replicate that process in my script and solve this issue also.
    I have fixed the login script stuff with a delay script that I use (ironically) Clean Access to install. You have to launch it with the user's credentials, though, and not from Clean Access, which uses the SYSTEM user's credentials in its stub agent!
    This is a known issue to Cisco but any prodding of them to get it working would help. Their solution is braindead, just give unremediated machines full access! If they fail remediation, kick them off then. Gee, that gives the unremediated machine a mere two to three minutes to attack your AD DCs on each log in attempt. Not good.
    Anyway, that's where I am at. Most of this can be dealt with, some is still problematical.
    Dan S.

  • What is the exact purpose of Transaction NACE and NAST Table?

    Hi All,
    What is the exact purpose of Transaction NACE and NAST Table?
    Pls help me…
    Akshitha.

    Hi
    When an output type in an application doc is configured with a medium, partner, language and other communication parameters, an entry is created in the NAST table,
    so to trigger the output an entry in NAST is compulsory.
    Output is a link between the driver program and the SAPscript.
    An output type summarizes messages of the same meaning. It contains parameters that are valid for all its assigned messages, for example appropriate partner functions.
    The transmission medium is the medium in which the layout will come out; this may be printout, fax or mail.
    Check this link.
    http://help.sap.com/saphelp_nw2004s/helpdata/en/c8/19884743b111d1896f0000e8322d00/content.htm
    ex-how to config output type.
    You will assign output types using Transaction NACE.
    Do the follow steps to assign output type
    1)Select Application Type V2 which will have description Shipping.
    2)Click on Output types button.
    3)Go to change mode by pressing Ctrl+F4.
    4)Select one output type which already exists
    5)Do Copy As(F6)
    6)Give your output type against Output Type field.
    7)Under General data Tab, Give Program and Form routine and Save the data.
    I think it is the work of a functional guy, but at senior level I think it is not a big deal for an ABAPer.
    Check the following documentation
    In the NACE t-code we have the application for each one. Based on the application the output type can be defined; based on the output type the script and print program can be defined.
    If the data is to be read from EDI then we should go for condition records.
    So whenever we execute the script, first the composer checks the output type and then executes the program. In the program, whenever the open form FM is populated, the script opens first. After that the program runs again till another FM is populated, and if so the script is populated again... like this it is a cyclic process. The composer does all these things and at last submits that output to the spool.
    Go to the Transaction NACE.
    Choose the related sub-module, like billing or shipping.
    Double click on Output Types.
    Choose the output type for which you want your script to trigger.
    Then select the output type and double click on Processing Routine.
    Then go to create new entries --> select the Medium (1 - print output), then enter your script and print program details --> save and come out.
    Now go to the transaction (for which you have created the output type)... Issue output --> select the output type --> Print....
    Device Types for SAP Output Devices (Detail Information)
    Definition
    The device type indicates the type of printer to be addressed. When you define an output device, choose the name of the device type that was defined in the SAP System for your printer model, such as Post2 for a PostScript printer. In the case of frontend printing under Microsoft Windows, you can also use the generic (device-independent) device type SWIN.
    The system uses the information in the device type to convert a document from the internal SAP character representation (spool request in OTF or in text format) to a device-specific, print-ready data stream (output request). Since a device type specifies attributes that apply to all devices of a certain model, it can be shared among device definitions. For example, all devices in the SAP spool system that are compatible with Hewlett-Packard LaserJet IIID printers would use the HPLJIIID device type.
    You should not confuse the device type with the printer driver. The device type is the total of all attributes of an output device that the SAP System must know to control the output device correctly, such as control commands for font selection, page size, character set selection, and so on. These attributes also include the printer driver that SAPscript/Smart Forms (the SAP form processor) should use for this printer. The SAPscript printer driver that is to be used for devices of this type for output formatting is therefore only an attribute that the device type specifies.
    How do I choose the correct device type?
    • In most cases, the SAP System already provides the appropriate device type for the printer type for the printer model that you want to use.
    These standard device types are completely defined and need no modification or extension before you use them in device definitions.
    • You can also download missing device types from the sapserv server. For a current list of the supported device types, see SAP Note 8928 in the SAP Service Marketplace.
    • Most printers can be controlled using a generic format, such as PostScript. They can be switched to a mode that is compatible with one of the standard printers for which an SAP device type is available. In this case, a supported model is emulated.
    • Almost all printers are delivered with Microsoft Windows printer drivers. The system can control these printers with the generic (device-independent) device type SWIN. The Microsoft Windows spool system then performs the processing of the print data.
    • If the specified device types are not available, and generic device types cannot be used, you must create your own device type or edit a copy of an existing device type. We recommend that only those with specialist knowledge of the SAP Spool System and printer driver code do this. For more information, see Defining a New Device Type .
    Attributes of a Device Type
    A device type is distinguished by the attributes listed below. If you change an existing device type or create a new device type, you must change at least some of these attributes.
    • Character set: A character set specifies the codes with which characters must be represented in the print-ready output stream (output request). This code replaces the generic SAP character set that is used internally by the SAP spool system (spool request).
    • Printer driver: You can specify different printer drivers for printing SAPscript documents and ABAP lists.
    • Print controls: Print controls represent printer operations, such as boldface or changing the font size. These print controls are replaced by printer-specific commands during the creation of the output request from a spool request.
    • Formats: Formats specify the format supported by the SAP system. The system differentiates between SAPScript formats (DINA4 and LETTER) and ABAP list formats (X_65_132 = 65 rows/132 columns).
    • Page format: A page format is the interface between a format and SAPscript. It specifies the paper dimensions with which SAPScript can calculate the row and column lengths.
    • Actions: Actions are output device-specific commands that are required for the implementation of a format. The action printer initialization, for example, can contain a printer command with which the number of rows on a page is defined. There is a set of actions for every format supported by a device type.
    Reward points for useful Answers

  • Do I need to use open directory on Yosemite Server, I'm only looking to use file sharing and VPN

    I'm setting up a new mac mini server with Yosemite and I was wondering if there are any advantages or disadvantages to not using the open directory service? The only services I'm planning on using are File Sharing and VPN.

    You don't need Open Directory unless you want to manage user accounts centrally on the server.

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1) How is ASA CX different from other UTM solutions?
    2) How is dynamic application inspection of CX better than other inspection engines?
    3) What features or functionalities on the CX are available by default?
    4) What are the different ways we can run or install CX on the ASA platform?
    5) What VPN features are supported with multi-context ASA in the 9.x release?
    6) What are the IPv6 enhancements in the ASA version 9.x?
    Request you to please provide your responses to them individually.
    Thanks.

  • ASA and vpn load balancing

    Hi,
    I am configuring 2 ASA5540 for internet traffic inside to outside,
    outside to inside (web, smtp) but also VPN load balancing for client to site, site to site and WebVPN.
    In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
    For VPN: I can use VPN load balancing.
    But there is no information if I want to use Active/Passive and VPN load balancing together.
    Any thoughts on which way to go? What is the best thing to do?
    Regards

    Hi,
    I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Hope it helps

  • NAC and WSUS

    Hi to all,
    I'm new at NAC; does anyone know the steps on how to configure the remediation on a client machine using NAC and WSUS? Is there a rule that matches it?, etc, etc...
    Thanks in advance for your help!

    Click clean access under device mgmt.
    Click the clean access agent tab.
    Click requirements.
    Add one for MS update check if you don't already have one made by clicking new requirement. Choose windows update service for the requirement type drop down box. If you already have a rule for the windows update service check you can click edit instead (next to the move up down arrow buttons).
    About half way down you can choose MS servers or WSUS servers.

  • Using 802.1x and vpn on t-mobile hotspot

    Hi all,
    How do I configure 802.1x and VPN to enhance security on a T-Mobile hotspot?
    Thanks for your help.

    Multi-Host is not the right option for you. In Multi-Host only one device has to successfully authenticate to authenticate all devices on that port.
    You need to set host-mode to "multi-auth".

  • Kindly Is the Linksys E4200 Dual Band Router compatible with DHCP and VPN ?

    Kindly, is the Linksys E4200 Dual Band Router compatible with DHCP and VPN?
    Thanks,

    The Linksys/Cisco E4200 is compatible with DHCP. Second, these Wireless-N routers are only capable of enabling the VPN traffic to pass through the device. You will need a VPN router and software to create the actual network to connect with your VPN client.
