Authentication NAC appliance with ACS

I have deployed a NAC appliance in L3 Virtual Gateway mode. There is an ACS for authentication. How can I add the ACS to "Auth Servers"? The CAM settings do not need mapping rules. Every user just authenticates with their own account, then the CAM can pass this info to the ACS. What should I do? Thank you.
Is there any configuration example? E-mail to [email protected]

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a00809b8e3b.shtml

Similar Messages

  • Integrate NAC Appliance with Active Directory

    We are trying to implement NAC appliance integration with Active Directory single sign-on for our customer.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user is authenticated using their domain account login; if successful, the user is mapped to the VLAN assigned to them.
    The SSO agent installed on Active Directory is running well, and on the CAS the SSO service is also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch and gets the dummy VLAN and will authenticate using the domain account on AD. If succeeded, then the port will be bounced; the user runs a Cisco agent in the background
    3. Now user A is on their own VLAN ID 15
    I've created the authentication server on the CAM for Active Directory, but I find it very difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP server,
    where the expression is
    memberOf contains CN=Finance, and apply it to the role Employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.

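The mapping-rule evaluation the reply describes (an LDAP attribute test such as `memberOf contains CN=Finance` that selects a role, which in turn carries the access VLAN), as an added example written for this page. It is not Cisco CAM code; the rule syntax, the `MappingRule` class, the `ROLE_VLANS` table and the sample lookup result are all assumptions constructed for the illustration.

```python
# Added illustrative example (not Cisco CAM code): evaluate NAC-style mapping
# rules against the attributes an AD/LDAP lookup returns for a user, then
# resolve the matched role to its access VLAN.
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRule:
    attribute: str   # LDAP attribute to test, e.g. "memberOf"
    operator: str    # "contains" (substring) or "equals" (whole value)
    value: str       # text to look for
    role: str        # role assigned when the rule matches


# Hypothetical role -> VLAN table standing in for the CAM "user role" config.
ROLE_VLANS = {"Finance": 20, "Employee": 15, "Unauthenticated": 999}

# Rules are evaluated in order, first match wins, so the more specific
# group (Finance) must come before the catch-all (Domain Users).
RULES = [
    MappingRule("memberOf", "contains", "CN=Finance", "Finance"),
    MappingRule("memberOf", "contains", "CN=Domain Users", "Employee"),
]


def _match(operator, attr_values, needle):
    # LDAP DN comparisons are case-insensitive; mirror that here.
    needle = needle.lower()
    if operator == "contains":
        return any(needle in v.lower() for v in attr_values)
    if operator == "equals":
        return any(needle == v.lower() for v in attr_values)
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate_rules(rules, ldap_attrs, default_role="Unauthenticated"):
    """Return the role of the first matching rule, or the default role."""
    for rule in rules:
        values = ldap_attrs.get(rule.attribute, [])
        if isinstance(values, str):      # single-valued attributes come back as str
            values = [values]
        if _match(rule.operator, values, rule.value):
            return rule.role
    return default_role


def resolve_vlan(role):
    """Access VLAN configured for the role."""
    return ROLE_VLANS[role]


# Constructed lookup result for one user; the DNs are made up for the example.
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "memberOf": [
        "CN=Finance,OU=Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
    ],
}

if __name__ == "__main__":
    role = evaluate_rules(RULES, SAMPLE_USER)
    print(f"{SAMPLE_USER['sAMAccountName']} -> role {role}, VLAN {resolve_vlan(role)}")
```

Because `contains` is a substring test, a group such as `CN=Finance-Temps` also satisfies `contains CN=Finance`; where that distinction matters, test the full DN with `equals` instead. That is exactly the kind of syntax detail the reply suggests checking against the membership list returned by a test authentication.
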
  • NAC Appliance and BigFix Automatic remediation

    Hi,
    I want to integrate the NAC appliance with BigFix for automatic remediation of Windows clients. Please provide me the document for the same if anyone has done it in their organization.
    Regards,
    Amit

  • Netflow Generation Appliance (NGA-3240) and authentication with ACS

    I would like to configure this appliance to use ACS authentication.  Right now I use local authentication, but would prefer ACS instead. 
    Both the WebUI and the console are using this local method and I would much prefer it to use ACS instead.
    I get the following prompts:
    [email protected]# ip http tacacs+ enable <ACS IP ADDRESS> en-secret-key <KEY>
    Failed to enable Tacacs+

    Update...
         [email protected]# ip http tacacs+ enable
         Secret key:
         Repeat secret key:
         Successfully enabled Tacacs+
    The problem I'm faced with now is that after entering the above, the WebUI is still not accessible.

  • Is ACS required in NAC appliance.

    Hi,
    One of our clients has decided to implement NAC. They need to know what the various options are, especially the NAC appliance (3310 etc.). I read that the appliance is a device like a server which has hard disks, CD-ROMs etc. But the documents don't say much about the configuration of the server, whether ACS is required to be installed on the server etc.? Can we do port-based 802.1x with the help of this device (like dynamically assigning a host to a particular VLAN if OS/anti-virus is not updated)?
    Thx in advance.
    Sonu

    NAC appliance will work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC appliance.... You can use ACS/RADIUS/LDAP/etc. to authenticate the users.
    The appliance will work with patch management (after authentication) to ensure that the right applications and patch levels are met. We work with Altiris/BigFix/PatchLink/SMS and more.
    The great thing about NAC Appliance is that it works for all four major use cases:
    1. VPN users
    2. WiFi users
    3. LAN/wired users
    4. Guest/visitors
    We can
    1. authenticate
    2. Posture assess (scan)
    3. Quarantine
    4. Remediate
    You don't want users to have to learn three different ways to connect to the network.
    802.1x is working for WiFi today and for LAN connections we use one user per port so they get the whole pipe. In the future we will support subdivision of an access switch port for multiple devices and users.
    I hope this helps.

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • Nac appliance deployment with 802.1x

    Hi,
    Is it possible to deploy a NAC appliance solution and use 802.1x as the protocol to discover user connections on a switch?
    We don't want to use SNMP; I have a Microsoft RADIUS server in my deployment for user authentication.
    Thanks!
    Jocelyn

    My friend, I have a customer with this configuration and it works fine.
    Symantec needs antivirus version 10 (8 or 9 no!!!!), with the Symantec posture plugin installed on the clients.
    Works fine with W2K and XP.
    CTA 2.x works fine. 1.x only works with L3 IP, not 802.1x.
    CSA I don't have experience with.
    Take care, it is hard to configure; if you need something more, ask me.
    Leo.

  • APC (UPS) RADIUS authentication with ACS 5.X

    I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
    According to the APC dictionary file
    VENDOR APC 318
    # Attributes
    ATTRIBUTE APC-Service-Type 1 integer APC
    ATTRIBUTE APC-Outlets 2 string APC
    VALUE APC-Service-Type Admin 1
    VALUE APC-Service-Type Device 2
    VALUE APC-Service-Type ReadOnly 3
    # For devices with outlet users only
    VALUE APC-Service-Type Outlet 4
    I have added the attributes in blue (attached); how do I add the VALUEs (shown in red) in ACS 5.2? What else should I do to get this working?
    The hit count on the ACS shows that it is getting authentication requests from the APC appliance.
    Thanks in advance.

    Hi,
    I am working on the same issue and I managed to log in (using LDAP A/D backend authentication). When using the standard RADIUS attribute Service-Type (1 for read-only and 6 for admin) I managed to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only for others. Did you manage to get this working, and how?
    ./G
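The two attribute forms discussed in this thread, the standard Service-Type values the reply says work (1 and 6) and the APC vendor-specific attributes from the dictionary above (vendor 318, APC-Service-Type and APC-Outlets), as an added example that encodes and decodes them on the wire per RFC 2865 and then derives an access level from an Access-Accept. This is not APC or Cisco ACS code; the `apc_access` decision rule (VSA wins, Service-Type is the fallback) and the sample packets are assumptions constructed for the illustration.

```python
# Added illustrative example (not APC or Cisco ACS code): encode and decode
# RADIUS attributes (RFC 2865 framing) for the standard Service-Type and the
# APC vendor-specific attributes, then derive the access level from an accept.
import struct

RADIUS_SERVICE_TYPE = 6        # standard attribute Service-Type
RADIUS_VENDOR_SPECIFIC = 26    # standard attribute Vendor-Specific
VENDOR_APC = 318               # VENDOR APC 318 (dictionary above)
APC_SERVICE_TYPE = 1           # ATTRIBUTE APC-Service-Type 1 integer
APC_OUTLETS = 2                # ATTRIBUTE APC-Outlets 2 string
APC_SERVICE_NAMES = {1: "Admin", 2: "Device", 3: "ReadOnly", 4: "Outlet"}
# Standard Service-Type values the reply reports as working: 1 = Login, 6 = Administrative.
STD_SERVICE_FALLBACK = {1: "ReadOnly", 6: "Admin"}


def encode_attr(attr_type, value):
    """Type(1) Length(1) Value. Integers are 4-byte big-endian, strings UTF-8."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific: Type 26, Length, Vendor-Id(4), then Vendor-Type/Vendor-Length/Value."""
    inner = encode_attr(vendor_type, value)
    return encode_attr(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def decode_attrs(data):
    """Parse a run of attributes into ("std", type, value) and
    ("vsa", vendor, vtype, value) tuples. Malformed lengths raise instead of
    being read past the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 3 or i + a_len > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + a_len]
        if a_type == RADIUS_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4   # one VSA may carry several vendor sub-attributes
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated VSA sub-attribute")
                v_type, v_len = value[j], value[j + 1]
                if v_len < 3 or j + v_len > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                out.append(("vsa", vendor, v_type, value[j + 2:j + v_len]))
                j += v_len
        else:
            out.append(("std", a_type, value))
        i += a_len
    return out


def apc_access(attrs):
    """(access level, outlet list) from the attributes of an Access-Accept.
    Decision rule of this example: the APC VSA wins, Service-Type is a fallback."""
    level, fallback, outlets = None, None, []
    for a in attrs:
        if a[0] == "std" and a[1] == RADIUS_SERVICE_TYPE:
            fallback = STD_SERVICE_FALLBACK.get(struct.unpack("!I", a[2])[0])
        elif a[0] == "vsa" and a[1] == VENDOR_APC:
            if a[2] == APC_SERVICE_TYPE:
                level = APC_SERVICE_NAMES.get(struct.unpack("!I", a[3])[0])
            elif a[2] == APC_OUTLETS:
                outlets = a[3].decode().split(",")
    return level or fallback, outlets


if __name__ == "__main__":
    # Constructed Access-Accept payloads (attributes only, no RADIUS header).
    outlet_user = encode_vsa(VENDOR_APC, APC_SERVICE_TYPE, 4) + encode_vsa(VENDOR_APC, APC_OUTLETS, "1,3")
    admin_user = encode_attr(RADIUS_SERVICE_TYPE, 6)
    print(outlet_user.hex(), apc_access(decode_attrs(outlet_user)))
    print(admin_user.hex(), apc_access(decode_attrs(admin_user)))
```

The hex of the encoded attributes is what a packet capture of the Access-Accept should show; comparing that against what the ACS actually sends is a quick way to tell whether the VSA was emitted at all, before looking at how the APC device interprets it.
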

  • EAP-TLS authentication with ACS 5.2

    Hi all,
    I have question on EAP-TLS with ACS 5.2.
    If I would like to implement EAP-TLS with a Microsoft CA, how will the machine and user authentication take place?
    I understand that certs are required on both the client and server end, but is this certificate tied to the machine or tied to the individual user?
    If tied to the user, and I have a shared PC that a few users log in to, does that mean every user account will have its own certificate?
    And will every individual user have to manually get the cert from the CA? Is there any other method, as my environment has more than 3000 PCs?
    And also, if it is tied to the user, all users can get their cert from the CA with their AD login name and password; if they bring in their own device and try to get the cert from the CA, they will be able to successfully install the cert onto their device, right?
    Hope you guys can help on this. Thanks.

    Yes, you can configure:
    machine authentication only
    user authentication only
    Machine and user authentication.
    Machine or user authentication
    So machine authentication only is quite a common scenario. Correct, as long as the machine is part of a domain, you will be authenticated via machine authentication.
    PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
    host/computer.domain
    If the machine is a valid machine in the domain, then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point the machine starts getting an IP address, and once that is done, the user may have access to most of the network.
    Regards,
    Jatin

  • L2 or l3 switch with NAC appliance

    Hi,
    I am planning to deploy a NAC appliance in OOBVG mode. For the access layer, L2 switches are selected (2960). If I changed the L2 access switches to L3 (3560 or 3750), would this add more manageability to the access layer by NAC?
    Regards,
    Mladen

    Thanks.
    The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
    "In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
    So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is satisfactory for clients.
    If the NAC is in OOBVG mode, are there any NAC features which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
    Regards,
    Mladen

  • AAA authentication is fail on cisco 4505 switch with acs

    I am new to AAA. I want to log in to the switch with authentication coming from Cisco ACS 5.1; I have configured both the switch and ACS 5.1. When I telnet to the
    switch it displays % Authentication fails. Can anybody help me regarding this issue!!!
    On the Cisco switch end, the config:
    aaa new-model
    aaa authentication  login default group tacacs+
    aaa authentication  login TACASE group tacacs+
    aaa authentication  exec default group tacacs+
    tacacs-server host 10.10.10.1
    tacacs-server key Password!@#
    line vty 0 4
    login  authentication TACASE
    On the ACS 5.1 side I added the switch with the VLAN IP address which connects to ACS 5.1,
    BUT when I log in using the PuTTY terminal it shows % Authentication fails.
    Please help me regarding this issue!!!

    Hi,
    What is the error message reported on ACS?
    Are you sure that you are using the same key on the ACS and the Cat4k?
    Can you configure "ip tacacs source-interface" with the VLAN interface you are using as the source?
    You can also collect these debugs:
    - deb aaa authentication
    - deb tacacs
    Cheers
    Marco

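The reply's first question (same key on both sides?) is worth seeing at the protocol level. In TACACS+ (RFC 8907, section 4.5) the packet body is XORed with an MD5-derived pad keyed by the shared secret, so a switch and server with different keys see each other's bodies as noise; a server that validates the decoded structure cannot extract a username from such a body. The following is an added example written for this page, not Cisco IOS or ACS code: it builds an authentication START body, obfuscates it as the switch would, and shows a server-side decode with the right key and with a mismatched key. The session id, keys and field values are constructed for the illustration.

```python
# Added illustrative example (not Cisco IOS or ACS code): TACACS+ body
# obfuscation per RFC 8907 section 4.5, used to show what a shared-key
# mismatch between switch and server does to an authentication START body.
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # header version byte: major 0xC, minor 0
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(
            struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev
        ).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, key, session_id, version=TAC_PLUS_VERSION, seq_no=1):
    """XOR the body with the pseudo pad. XOR is its own inverse, so the same
    call with the same key de-obfuscates a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port="tty1", rem_addr="192.0.2.10", data=b""):
    """START body: action, priv_lvl, authen_type, service, four length bytes,
    then user, port, rem_addr and data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack(
        "!8B",
        TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER,
        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
        len(u), len(p), len(r), len(data),
    )
    return fixed + u + p + r + data


def parse_authen_start(body):
    """Decoded fields, or None when the structure is inconsistent, which is
    what a body de-obfuscated with the wrong key looks like."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        return None
    if action != TAC_PLUS_AUTHEN_LOGIN or authen_type != TAC_PLUS_AUTHEN_TYPE_ASCII:
        return None
    fields = body[8:]
    try:
        return {
            "user": fields[:ul].decode("ascii"),
            "port": fields[ul:ul + pl].decode("ascii"),
            "rem_addr": fields[ul + pl:ul + pl + rl].decode("ascii"),
            "priv_lvl": priv_lvl,
            "service": service,
        }
    except UnicodeDecodeError:
        return None


def server_decode(wire_body, server_key, session_id, seq_no=1):
    """Server side: de-obfuscate with its own configured key, then validate."""
    return parse_authen_start(obfuscate(wire_body, server_key, session_id, seq_no=seq_no))


# Constructed values for the demonstration (not from the thread).
SESSION_ID = 0x1A2B3C4D
SWITCH_KEY = b"constructed-shared-secret"
WRONG_KEY = b"constructed-shared-secret-typo"

if __name__ == "__main__":
    body = build_authen_start("netadmin")
    wire = obfuscate(body, SWITCH_KEY, SESSION_ID)
    print("same key :", server_decode(wire, SWITCH_KEY, SESSION_ID))
    print("wrong key:", server_decode(wire, WRONG_KEY, SESSION_ID))
```

The same pad also depends on the session id, version and sequence number from the header, so a decode that fails on every packet while the key is believed correct points at a key typo (trailing whitespace in the `tacacs-server key` line is a classic), whereas a decode that works for one direction only points at the per-packet header fields.
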
  • LMS Authentication with ACS 5.1

    Hi, I am using LMS authentication via ACS. I am able to log in to LMS successfully with the ACS username and password, but I cannot execute most tasks; it says you are not authorised. Do I need to do anything in LMS except enabling the login module to TACACS...
    Let me know if I missed something.
    Thanks
    Ninja

    Integration with ACS 5.1 is not yet supported.  You can do authentication only with ACS 5.0, and 5.1 should work, but you will not be able to use full AAA integration.  Disable AAA mode, and set the login module to be TACACS+.  Point that to your 5.1 server, and you should be able to login, and run tasks in LMS.  However, you will still need to create local accounts in LMS for all of your users to do the authorization piece.

  • Is it posible? two ACS 4.2 Appliance with the same remote agent

    Hello,
    I have an ACS 4.2 Appliance integrated with Active Directory, CA and Remote Agent. I want to add another ACS 4.2 Appliance with the same configuration, the same Active Directory and CA. My question is: can I configure the other ACS with the same Remote Agent as the first? In other words...
    i attach the diagram.
    Thank you

    Hi,
    Maximum number of appliances supported—While a single Cisco Secure ACS Remote Agent can provide services to many Cisco Secure ACS Appliances, support is limited to five concurrent connections by the appliances served. For example, if you have three appliances that are primary Cisco Secure ACSes and three appliances that are secondary Cisco Secure ACSes used for failover purposes only, the remote agent can provide services to all six appliances and stay below the maximum of five concurrent connections.
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_and_configuration_guide_chapter09186a0080193aa1.html
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • Will a NAC appliance work with Meraki WL

    Hi All,
    I have a customer that presently uses the Cisco Meraki wireless solution and would like to have a NAC appliance installed in their environment. Will Cisco NAC support Meraki for access control?

    Yes Sir.. Check this link for supported devices with Cisco ISE
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Wireless WLC with NAC appliance

    Hi,
    We just designed a wireless network integrated with a NAC appliance:
    1. My customer has campus A & campus B; these 2 campuses are connected with a 100Mbps FTTB link and are in different Layer 2 domains.
    2. Both campus A & B have thin APs, but only campus A has a WLC.
    3. All wireless users must be checked by the NAC CAS appliance, then access the wired intranet or internet.
    Is the attached network diagram correct or not? Can you share your experience with me?
    Best Regards,

    You could use Layer 3 LWAPP in Building A and REAP for the access points in Building B.
