ACS5 and MS NAP

All,
Can I just check my thinking?
In the old ACS 4 world you could use HCAP to offload posture checking to Microsoft NAP as in:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns812/guide_c07-491729.html
I don't see anything for this in ACS 5, in fact the migration notes suggest "Posture Checking" is "N/A":
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/migration/guide/Appendix_B_Config_Mapping.html
But that's all I can find to suggest it's gone (other than not seeing it in the ACS configuration).
Can anyone confirm? Is this to push us towards ISE? Are there other options?
Cheers for the help!

Paul,
Your thinking is correct. This was a feature that was only supported in ACS 4, and from my memory (my days in TAC) customers had to work with their local SE to get the key which activates this feature.
www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1161060
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Cisco NAC and Microsoft NAP

    Dear all,
    I need to know what the differences are between Cisco NAC and Microsoft NAP.
    Can NAP be used instead of NAC or not? Why? Why not?

    I really do not know if you will find the answer that you are looking for. From what I remember, NAP was an option that was available with the ACS via a special patch. This is only supported for Vista clients, if memory serves me correct.
    Here is the link that will help you with the basics.
    http://www.cisco.com/en/US/netsol/ns466/index.html
    We do not get much case volume or exposure to the NAP solution, and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with ACS 4.2 possibly hitting EOL/EOS.
    Thanks,
    Tarik

  • NAP DHCP not getting IP and "netsh nap client show group" shows no results

    Hey guys, 
    I have just set up DHCP based on NPS and I get no IP address on my machine, which should be compliant (just the firewall is being checked). I have on both enforcement client up. Logs on NPS show that the connection request did not match any configured network policy,
    but I have configured 3 of them - compliant, non compliant and non-NAP-compliant. It should serve all cases. Authentication Type is Unauthenticated, maybe this is the cause?
    Thanks for any feedback
    Cheers
    Aggie

    in Network policies I have as follows:
    DHCPv2 Compliant 
    DHCPv2 Noncompliant 
    DHCPv2 Non NAP-Capable
    and my NAS?
    I am testing it not based on NAS access, but on IP address it is given and logs from Event viewer.
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:                      NULL SID
        Account Name:
        Account Domain:
        Fully Qualified Account Name:     -
    Client Machine:
        Security ID:                      SANDBOXG\TESTCLIENTG1$
        Account Name:                     TestClientG1.sandboxG.com
        Fully Qualified Account Name:     SANDBOXG\TESTCLIENTG1$
        OS-Version:                       6.1.7601 1.0 x64 Workstation
        Called Station Identifier:        192.168.50.0
        Calling Station Identifier:       00155DFD0520
    NAS:
        NAS IPv4 Address:                 192.168.50.1
        NAS IPv6 Address:                 -
        NAS Identifier:                   TESTGDANSKDC2
        NAS Port-Type:                    Ethernet
        NAS Port:
    RADIUS Client:
        Client Friendly Name:             -
        Client IP Address:
    Authentication Details:
        Connection Request Policy Name:   DHCPv2
        Network Policy Name:              -
        Authentication Provider:          Windows
        Authentication Server:            testGdanskdc2.sandboxG.com
        Authentication Type:              Unauthenticated
        EAP Type:
        Account Session Identifier:       31373339373131393039
        Logging Results:                  Accounting information was written to the local log file.
        Reason Code:                      48
        Reason:                           The connection request did not match any configured network policy."
    And a health policy is just to check whether Firewall is enabled (and it is).

  • Mavericks and APP NAP

    I have tried everything I know to stop App Nap. It kills everything I do on the Mac... I have checked the prevent App Nap box, I have tried the terminal, I also reloaded Mavericks and still it does what it wants to... I contacted Apple and they don't give a ratsazz; their response is, contact the creator of the other services and make them fix it...... Any solutions before I sell off my Mac computers??

    If you're interested in posting some additional details of the application(s) and of what's happening with the processes around app nap or whatever is happening, then somebody here might recognize what's going on.
    If the Finder ⌘I "Get Info" path to disable App Nap doesn't prevent App Nap for the particular application, then there's an OS X bug.  Apple Support has probably already led you through this sequence, so it would seem that there's either an OS X bug lurking or there's something else going on with the particular application(s) in use, or there's possibly an application bug or application incompatibility with 10.9 Mavericks.
    You're quite right, too.   Should the particular application(s) and/or OS X no longer provide your computing requirements,  then a platform migration is certainly expected and appropriate.

  • Cisco WLC and Microsoft NAP

    Hi, I want to integrate my Cisco WLC directly into Microsoft NAP. Is this possible?
    Thanks

    follow the table in the link http://www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1134942 for the integration of WLC and Microsoft NAP

  • Leopard and processor/NAP/CHUD settings/m-audio 410

    I've got a G5 DP with the infamous white noise problem coming through my speakers that was only fixed after downloading the CHUD tools and disabling the NAP settings - does anyone know if I'll have the same issues if I install Leopard? Want to upgrade but don't want to waste my money if the noise comes back and I can't get it to work. Also, I'm using an m-audio firewire 410 that doesn't have drivers yet; has anyone used the Tiger drivers with success on Leopard? Hoping that Leopard will fix intermittent problems; system locking up, etc., that have plagued me for years...
    Thanks!

    This sounds perfect. I'm on a pretty chirpy G5! However, this is going to sound really silly, but where can I find the pref pane you mentioned? I've looked for the path you gave and I don't have a /developer directory. I've looked on my Leopard install disk and I can't see it there either. I then looked in the optional installs on the Leopard disk for something that might make sense... but sorry, nothing looked right. I've also used Spotlight to search for lots of things like 'developer' and 'Processor.prePane' but no luck.
    Any help would be great - sorry to be such a noob!
    Cheers,
    James

  • Power Nap doesn't work right in my MBA mid 2011. Anyone knows why?

    I just bought a MBA mid 2011 and Power Nap doesn't work right on it, especially in the Mail app, where it downloads only a few mails and the rest of them are downloaded as usual when I reactivate my laptop. Does anyone know why?... I also tried to download the SMC update, but when I try to install it I get the message that my system is not compatible with the update.
    Please somebody help me!!
    Thanks in advance!

    http://support.apple.com/kb/HT5394

  • Server 2012 NPS NAP DHCP for VPN

    I have setup a server with DHCP and NPS and configured NAP DHCP.
    DHCP has 1 scope and the default scope options 003 router, 005 DNS server and 015 Domain Name (domain.com). 
    Further, in DHCP I created a DHCP policy so it assigns a different 005 DNS server and 015 Domain Name (restricted.domain.com) to non-compliant clients. NPS/NAP DHCP is working (all is set up: health, SHV, GPO etc. The Health Validator is only checking if the firewall
    is running), so when I connect a client with firewall I get a normal IP from the scope with the scope options and domain suffix domain.com. When I disable the firewall I get an IP from the DHCP scope, no gateway, subnet 255.255.255.255 and domain suffix restricted.domain.com,
    so all works well and as NAP DHCP should work.
    Now I have a separate RRAS server configured as VPN server and configured my DHCP/NPS server as a RADIUS Authentication Provider. Also a DHCP relay agent is configured in RRAS.
    On my DHCP/NPS server I configured my RRAS server as a RADIUS Client (NAP-capable).
    My questions:
    Q1. Can I use NAP DHCP for VPN clients, as VPN clients get an IP address from my DHCP server? I know there is a NAP VPN option but I want to use NAP DHCP because NAP DHCP and NAP VPN don't work together and I want NAP DHCP for internal clients.
    My problem:
    P1. With the setup above I cannot set up a VPN connection from an external client; I get an error "Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify
    your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error"
    I can resolve my problem P1 by running "configure VPN for Dial-Up" with the option "Radius server for Dial-Up or VPN connections." This creates 1 Connection Request Policy and 1 Network Policy; in the policy I set authorized to Windows
    group domain admins.
    But then I have an issue with NAP DHCP...
    When I have a non-domain joined external client, where I have enabled the NAP client in services.msc and DHCP Enforcement in local policy, I can set up a VPN connection, but from the DHCP server I get an IP address from the subnet/scope and domain suffix domain.com,
    so this is working OK. But when I disconnect the VPN client, disable and stop the firewall and connect the VPN again, it's not getting restricted: running ipconfig /all shows it's not restricted and also Netsh nap client show state > shows it's not restricted
    BUT it SHOULD be restricted as the firewall is off.
    What could be wrong?

    Hi,
    After discussing this with so many people, I think this will not work.
    First we need to know how DHCP enforcement works.
    1. The DHCP client sends a DHCP request message to the DHCP server.
    If the DHCP client has an SoH, the DHCP request message includes it. The SoH contains information about the health of the client. The DHCP server passes the SoH to
    the NPS server. The NPS server communicates with the policy server to determine whether the SoH is valid.
    2. If the SoH is valid, the DHCP server assigns the DHCP client a complete IP address configuration. The DHCP client has unlimited access to the network, as defined
    by policy.
    3. If the SoH is not valid, the DHCP server limits the access of the DHCP client to the restricted network and assigns it a limited access subnet mask and static
    routes, as defined by policy.
    But VPN clients get IPs in a different way. It uses the IP Control Protocol (IPCP) as part of the Point-to-Point Protocol (PPP) connection setup. Everything is done
    in VPN tunnel.
    Hope this helps.

  • "Power Nap" & "Find My Mac" not working together

    Is anyone else having issues with "Find my Mac" and Power Nap? It's supposed to find the MacBook Air when it is sleeping but I'm not having any luck. My MacBook Air has the latest firmware, and Find my Mac is enabled under iCloud.
    I can find my MacBook Air when it's awake. Just not with the Power Nap feature when it's asleep. Power Nap is checked on under Battery and Plugged in, and it's charged 100% and plugged in.
    Any suggestions? Or anyone else having this problem?

    Just one question:
    Are you able to find your Mac every time you want? Or just every hour?
    I think that the ability to find your Mac just happens once an hour, am I wrong?
    Thanks

  • Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

    Hi,
    I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
    3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
    Please, give me some advice.
    Thanks in advance,
    Mladen

    Thanks for the reply, but I am still a bit confused (would you please try to answer the questions?):
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
    3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
    I refer to
    "Implementing Network Admission Control Phase One Configuration and Deployment";
    "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
    Thanks in advance,
    Mladen

  • Server 2012 NPS NAP DHCP

    I've setup a server with DHCP and NPS and configured NAP
    DHCP with 1 scope and the default scope options 003 router, 005 DNS server and 015 Domain Name (domain.com)
    NPS/NAP DHCP is working (all is set up: health, SHV, GPO etc.), so when I connect a client with firewall I get a normal IP, and when I disable the firewall I get an IP but no gateway and subnet 255.255.255.255, so all works well.
    Now in DHCP I created a DHCP policy so I can assign a different DNS server and Domain Name (restricted.domain.com) to non-compliant clients.
    The policy I created is as per --> http://social.technet.microsoft.com/Forums/getfile/257005 (because the User Class option on the advanced tab in scope options is not available in 2012).
    But when I connect a non-compliant client I still get the DNS Domain Name domain.com instead of restricted.domain.com.
    ipconfig /all shows it's restricted but I don't get the DHCP policy I set up for it.

    Indeed the 255.255.255.255 subnet mask is expected for non-compliant clients.
    But my issue is that non-compliant clients get an IP address from the entire subnet and I want to assign only a specific
    range in my entire subnet/scope to be assigned to non-compliant clients.
    It's funny, you can specify an IP Address Range in the DHCP policy but then it doesn't work.
    On the other hand you have a valid point there, Greg, about DNS/DHCP flooding.
    Still hope to hear why this setup will not work and if it is supported or can work though :-)

  • Cant use Napster to go and zen micro windows explor

    If I want to use my Napster To Go I have to use firmware --02, but if I want to use Zen Micro Win Explorer it won't recog. my device, so I have to upgrade to firmware -2-05, erasing all my dl songs from Napster.... What I want to do is use my Zen Micro to upload CDs I own and use Nap To Go, not one or the other..... BTW I woke up today and my Micro is dead no matter what I try.... so let me figure that out now..... Should I take this back? My battery life is only like 6 hrs!!!.... Anyway I want to like this, so if anyone can help me out?

    i see a lot of threads about charging the battery.
    i sell high end digital cameras, have for 6 years now. i'm not talking the stuff you find at fry's but the really high end stuff.
    this stuff also uses proprietary lithium ion batteries (actually the only thing proprietary is the connectors, all cells come from the same manufacturers)
    the key to lithium ion batteries is:
    1) let it charge overnight the first time you charge it
    2) it takes about 3 full charges and full drains to get the proper life out of it
    3) they don't have memory, ever. i have several abused lithium ion camera batteries that can attest to this
    4) replace after 8 months without fail
    my point is, don't stress over it. my micro only got about 7 hours of continuous playback with eq on and it just sitting there, and not much more with eq off. the player's life on a single charge and constant crashing when switching off are the only reasons why i returned it on sunday for an ipod mini.

  • ACS 4.1 to differentiate and restrict users

    Hello all,
    I've been wrestling with this issue off and on for some time, but have had limited success. There is something I don't quite understand just yet. I hope someone here can help.
    I want to set up AAA on ACS 4.1 for authenticating login sessions to my switches, ASA and access points. That part is easy, and it even works, but here's what I'm having trouble with:
    Our ACS server points to our Windows 2003 AD database. If I set up my switches with AAA, anyone in the AD database can login to the switch. I only need about 5 people to have admin access to my switches, not the 4000 others.
    Also, I need to administer my access points. I am also a wireless user. Betty Sue in accounting is a wireless user, but has no need to administer the access point to which she associates. Same thing goes with our ASA and remote access VPN connections. How do I identify how a user connects to the device and set restrictions based on this?
    To put it another way:
    User A is Admin, wireless user, VPN user. Needs full access to all these devices. This part is easy.
    User B is accountant (or whatever), wireless user, VPN user. Should not have any access to administer the switch, AP, or ASA they are connecting to.
    I hope that makes sense. I've been through the NAP documents. I think the solution is there, but I'm not bright enough or brave enough to figure it out, at least not on a live network:)
    Thanks for any help.
    Scott

    All,
    I'm just now getting back to this. ACS is upgraded and the NAP is configured and almost working as I need it to be, with a big exception. Maybe someone can help?
    When I use telnet to login to a device, I am asked for "Username". With a sniffer, I can see that the AV Pair used to identify VTY connections is being sent with the proper value, and the user I want to be denied is denied. Subsequent requests to login are all asking for "Username", and all send the correct AV Pair, and all are rejected. Nice.
    Here's the issue. When I use SSH to log in to the same device, with the same credentials, I am asked to "Login as". The first time, the AV Pair I need is sent and the user is denied. When I am asked again, I'm not asked for user name or to "login as" again, I'm only asked for the password. If I enter the correct password, the user, any user, is allowed. Not good. With the sniffer, I see that the AV Pair is only sent with the first attempt; subsequent attempts don't send the AV Pair in question, so ACS can't act on this information, and so the user who should be denied is not.
    Any ideas for how to get around this? Can SSH be setup to present the username to the login session every time? Is there a way to force the sending of this AV Pair every time? Can I set up something to say that any user has only one attempt to login?
    The AV Pair in question is [061]NAS-Port-Type=5
    Thanks for any help
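
The gap described in the post above, where a rule keyed on NAS-Port-Type stops matching once the attribute is no longer sent, shown as an added example (not part of the original thread and not ACS's own logic). It assumes the AAA protocol is RADIUS and parses constructed Access-Request packets using the RFC 2865 attribute layout; the user names, the `ADMINS` set and both `decide_*` functions are hypothetical.

```python
import struct

# RADIUS constants from RFC 2865.
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_PORT_TYPE = 61
PORT_VIRTUAL = 5           # the "[061]NAS-Port-Type=5" pair from the post
PORT_WIRELESS_80211 = 19

ADMINS = {"usera"}         # hypothetical device-admin group


def build_access_request(identifier, attrs):
    """Constructed sample packet: zeroed authenticator, no User-Password."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + bytes(16) + body


def parse_attributes(packet):
    """Return {attribute type: [raw values]}; raise ValueError on bad TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def port_type(attrs):
    """Decode NAS-Port-Type as a 32-bit integer, or None when it is absent."""
    values = attrs.get(NAS_PORT_TYPE)
    if not values:
        return None
    if len(values[0]) != 4:
        raise ValueError("NAS-Port-Type must be 4 bytes")
    return struct.unpack("!I", values[0])[0]


def user_name(attrs):
    values = attrs.get(USER_NAME)
    return values[0].decode("utf-8", "replace") if values else None


def decide_keyed_on_presence(packet):
    """Rule that only fires when the attribute is present (the reported gap)."""
    attrs = parse_attributes(packet)
    if port_type(attrs) == PORT_VIRTUAL and user_name(attrs) not in ADMINS:
        return "reject"
    return "accept"


def decide_fail_closed(packet):
    """Treat a missing NAS-Port-Type as the most restricted session type."""
    attrs = parse_attributes(packet)
    kind = port_type(attrs)
    if kind is None or kind == PORT_VIRTUAL:
        return "accept" if user_name(attrs) in ADMINS else "reject"
    return "accept"


def sample_request(ident, user, kind=None):
    attrs = [(USER_NAME, user.encode())]
    if kind is not None:
        attrs.append((NAS_PORT_TYPE, struct.pack("!I", kind)))
    return build_access_request(ident, attrs)


# Constructed inputs: first SSH attempt, the retry without the AV pair, Wi-Fi.
FIRST_ATTEMPT = sample_request(1, "userb", PORT_VIRTUAL)
RETRY = sample_request(2, "userb")
WIRELESS = sample_request(3, "userb", PORT_WIRELESS_80211)

if __name__ == "__main__":
    for name, pkt in [("first", FIRST_ATTEMPT), ("retry", RETRY), ("wifi", WIRELESS)]:
        print(name, decide_keyed_on_presence(pkt), decide_fail_closed(pkt))
```
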

  • MiniTOC does not appear in translated source file

    RoboHelp 8.0.2
    WebHelp Output
    I added a miniTOC placeholder to three of my topics. This is the first time I am using the placeholder.
    The English WebHelp project was sent for translation to French Canadian. I received the source project and noticed that the placeholder does not appear in the source file. Therefore, when I compile the output the miniTOC does not appear.
    The translation company is using the latest version of RoboHelp, but I am not sure what tool they use to translate.
    I have no clue how to resolve this issue. Sample code and screens are listed below.
    Donna
    English Source
    <h1><a name="Top"></a>Working with Web Ordering</h1>
    <p>This topic explains how to generate and maintain NAPA and Factory orders.
    (Special orders and Non NAPA orders will be available in a future release).
    You perform these tasks on the <span style="font-weight: bold;">Order
    Maintenance</span> page. This topic assumes you have launched <span style="font-weight: bold;">Order
    Maintenance</span> from the TAMS II Landing Page or selected <span style="font-weight: bold;">Inventory
    &gt; Web Ordering</span> from TAMS II BackOffice.</p>
    <p>See: <span style="font-weight: bold;">TAMS II Web Interface Overview
    </span><span>topic</span> for instructions on common functionality such
    as sorting data.</p>
    <?rh-placeholder type="minitoc" ph-style="font-family:Arial;font-size:10pt;font-weight: bold;font-style: normal;text-decoration: none;"
    list-type="ul" list-style="circle" caption="Topic Contents" caption-style="font-family:Arial;font-size:11pt;font-weight: bold;font-style: normal;text-decoration: underline;"
    margin=";;0px;1px" min-heading-level="h2" max-heading-level="h2" flags="7" ?>
    <p>&#160;</p>
    <h2>Adding a New Order</h2>
    <p>Follow these instructions to create a new purchase order:</p>
    French Source
    <h1><a name="Top"></a>Utiliser le module de commande en ligne</h1>
    <p>Cette rubrique explique comment créer et gérer des commandes NAPA et
    d'envoi direct. (Les commandes spéciales seront disponibles dans une version
    future.) Ces tâches sont effectuées à partir de l'écran <span style="font-weight: bold;">Gestion
    des commandes</span>. Cette rubrique suppose que l'utilisateur est connecté
    et que la <span style="font-weight: bold;">Gestion des commandes</span>
    a été lancée à partir de la page de renvoi de TAMS&#160;II. </p>
    <p>Voir&#160;: La rubrique <span style="font-weight: bold;">Survol de l'interface
    Web de TAMS&#160;II</span> pour des instructions sur les fonctions courantes
    comme le tri des données.</p>
    <h2>Ajouter une nouvelle commande</h2>
    <p>Suivre les instructions ci-dessous pour créer un nouveau bon de commande&#160;:</p>

    The Shuffle can only be linked to one computer at a time. If you want to use the Shuffle on a different computer you must allow iTunes to restore the Shuffle and then you can use it. Sorry, there's really no good way around this besides going third party.

  • Features not available on Mountain Lion

    Hi,
    Does anyone know which features I'll not have access to on Mountain Lion from my MacBook Pro mid 2010? Reading the documentation, it seems that AirPlay mirroring and Power Nap will be disabled, why?
    Thanks

    Hi there,
    No one will know for sure until Mountain Lion is out but Power Nap does require specific hardware that is capable of running tasks while the computer is in sleep mode, at this point only the late model MacBook Air's and Macbook Pro Retina display have that feature.  I can find nothing anywhere that states that Airplay Mirroring won't work on any machine.
    Regards
    Chris
