Cisco NAC and Checkpoint VPN
Hi,
Wondering if anyone has ever come across a scenario where they've integrated Cisco NAC with a Checkpoint VPN solution (using Power1 5075)?
Any ideas or collateral would be appreciated.
Thanks
mark
Mark,
If the Checkpoint device can do standard RADIUS accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
HTH,
Faisal
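Because the SSO mapping from user to address in Faisal's answer rests entirely on the head-end's accounting packets, the CAS side should act only on accounting it can authenticate. The following is an added example, not Cisco or Check Point code: it builds an RFC 2866 Accounting-Request the way a head-end would (with constructed user, address, session and secret values) and parses it, checking the Request Authenticator against the shared secret before extracting the user/IP/Start/Stop facts.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865 (attributes) and RFC 2866 (accounting)
ACCT_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 40, 44
STATUS_NAMES = {1: "Start", 2: "Stop"}

def _attr(attr_type, value):
    # One attribute TLV; the length octet counts type, length and value
    return bytes([attr_type, 2 + len(value)]) + value

def build_acct_request(secret, ident, user, framed_ip, status, session_id):
    """Build an Accounting-Request as a VPN head-end would (constructed sample input)."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(FRAMED_IP_ADDRESS, bytes(int(o) for o in framed_ip.split(".")))
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code+Identifier+Length+16 zero octets+Attributes+Secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def parse_acct_request(pkt, secret):
    """Return the session facts SSO would act on, or None unless the packet is a
    well-formed Accounting-Request whose authenticator verifies under the secret."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length < 20 or length > len(pkt):
        return None
    attrs = pkt[20:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(pkt[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None  # wrong secret or altered packet: derive no user/IP mapping from it
    session, pos = {}, 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            return None  # malformed TLV
        attr_type, value = attrs[pos], attrs[pos + 2:pos + alen]
        if attr_type == USER_NAME:
            session["user"] = value.decode("utf-8", "replace")
        elif attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            session["ip"] = ".".join(str(o) for o in value)
        elif attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            session["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "Other")
        elif attr_type == ACCT_SESSION_ID:
            session["session_id"] = value.decode("utf-8", "replace")
        pos += alen
    return session
```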
Similar Messages
-
Dear all,
I need to know what the differences are between Cisco NAC and Microsoft NAP.
Can NAP be used instead of NAC or not? Why, or why not?
I really do not know if you will find the answer that you are looking for. From what I remember, NAP was an option that was available with the ACS via a special patch. This is only supported for Vista clients, if memory serves me correctly.
Here is the link that will help you with the basics.
http://www.cisco.com/en/US/netsol/ns466/index.html
We do not get much case volume or exposure to the NAP solution, and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with ACS 4.2 possibly hitting EOL/EOS.
Thanks,
Tarik -
Hi to all,
Does anyone know if it is possible to configure SSO using NAC and Checkpoint firewall VPN client software on a user machine?
Thanks in advance for your help. -
Cisco wireless and Sonicwall VPN
My network consists of an 871 router, 48 port Switch, 2006 WLAN Controller, 1231 APs, and SonicWall VPN.
VPN connections are fine if the client is using the wired network. VPN connections do not work if the client is wireless. I've had a couple of suggestions: VPN passthrough on the WLAN Controller, which didn't work, but I'm not sure I had the right gateway. They also suggested changing the MTU size on the wireless card in the laptop. I'm still trying to figure out how to do that.
Any other ideas? This seems like it should be a fairly easy fix.
Thanks.
Are your wireless clients getting an IP? That is, are you using the SonicWall as your DHCP server for the wireless clients?
If so, it will probably not work. There is something the SonicWalls don't support. I went round and round with SonicWall and couldn't get DHCP working for wireless clients coming through Cisco WLC controllers. -
Hi,
Can someone tell me what the behavior of Cisco NAC will be in the following scenario?
In a corporate LAN a user (already authenticated on the domain) decides (because he can) to install a USB dongle that gives him Internet access through a mobile phone carrier (GPRS, 3G). What will NAC's behavior be: will it block the connection for the USB dongle? Will it block the connection to the corporate network?
Thanks a lot
NAC will check the user only when he tries to access the network. Once he is trusted, he is not checked anymore. Therefore, if the user is already authenticated, the user can do anything he wants on his PC and NAC will have no idea of what is happening. To stop such things from happening you need CSA.
-
How Cisco NAC and Cisco NAC Agent works
Hi,
Can anyone help by explaining in detail how Cisco NAC works in L2 OOB mode?
Also, what is the path from the time the end user connects to the network until he gets access to the network?
Please reply soon. It's urgent. -
No Ping-Answer in Site-To-Site-Connection between Cisco 876 and CheckPoint-Firewall
Hello!
We are trying to establish a site-to-site IPsec connection between a Cisco 876 (local site) and a CheckPoint firewall (remote site). The Cisco 876 is not directly connected to the Internet, but sits behind a DSL router with port forwarding for ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with the commands "debug crypto isakmp" and "debug crypto ipsec".
From the CheckPoint firewall's point of view the connection seems to establish, but there is no ping answer.
The server on the local site that should be reached from the network behind the CheckPoint firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see the appended running config for the naming of IP addresses).
Establishing a Cisco VPN-Client connection to the same Cisco 876 router works fine.
Any help would be very much appreciated!
Jakob J. Blaette
Hi Jakob,
Adding my two cents here.
You always need to confirm that the following ports and protocol are opened:
1- UDP port 500 --> ISAKMP
2- UDP port 4500 --> NAT-T
3- Protocol 50 ---> ESP
A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not port forwarding; a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which, in your case, I think is the router.
HTH.
Portu.
Please rate any helpful posts and mark this post as answered. -
Cisco NAC and Virtual Desktop Infrastructure
Hi all
Is it possible to implement NAC on a VDI infrastructure?
If it is, can you post a link?
Thanks
Regards
MosielleKwan wrote:
Does anyone know if ESSO supports the VDI client yet?
The current version does not support virtual desktop infrastructure (VDI).
This must go in as an Enhancement Request. -
Does Cisco NAC support Wireless LAN?
Hi There
I know Cisco NAC supports wireless LAN. I have deployed this myself with various brands of autonomous APs. These work fine only in in-band mode, not in out-of-band mode.
However, Cisco did mention that for Cisco APs, with Cisco NAC and Cisco switches, out-of-band is supported. I tried this today, and either Cisco is wrong, which is highly unlikely, or I did not configure either the NAC portion or the Cisco AP correctly, which is most likely. I wonder where I went wrong? Could somebody please advise me on this?
Regards,
Ram
+6012-2918870
Hi Ramraj,
You can do out-of-band with wireless deployments now; however, you must have a Wireless LAN Controller managing your APs. You cannot do it with standalone APs.
The guide below goes through most of the configuration:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
Thanks,
Nate -
Does Cisco NAC support HP switches?
Dear all,
The existing network has HP switches; is there any way I can deploy the Cisco NAC solution here?
Please revert.
Thanks,
Cisco NAC has lots of limitations, and surely this is one of them. But while I respect the fact that Cisco will not support NAC on HP switches, it can work. And it will perform just fine; once you understand Cisco NAC and are able to configure it for the first time, you will be able to support it without the need for TAC.
The idea is that Cisco NAC sends commands to the switches on the network to apply specific access lists or VLAN changes; since Cisco can only speak Cisco, it does not know how to tell other switches to do that. The workaround is to have the NAC running in in-line mode on your network. Yes, this will introduce a bottleneck, but that is the only way to do it. The NAC will then look at the traffic based on the MAC or IP and apply a set of policies depending on the source or the destination.
Please do your research and look at other NAC solutions before you decide the best vendor to go with. -
Site to site VPN between cisco asa 5550 and checkpoint r75
Hi all,
Below is the Cisco ASA config for our customer's end:
crypto ipsec transform-set chello-transform esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
What should I configure on the Checkpoint for the first phase and second phase?
Regards,
Suhail
In the Checkpoint VPN community, the default setting for phase 1 is 86400 seconds, so you're good there. The phase II default is 28,800, so you need to edit the parameter and change it to 3600. The rest is the same as Cisco, with the exception of the lifetime in kilobytes, which CP does not have.
Easy right? -
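To make that comparison mechanical, here is an added example (not Cisco or Check Point code) that parses the ASA lines from the post above and lists which Check Point community lifetimes must be edited; the Check Point defaults (phase 1 86400 s, phase 2 28800 s) are taken from the answer, not from Check Point documentation, and the kilobyte lifetime is reported as having no Check Point equivalent.

```python
import re

# Check Point VPN community defaults as stated in the answer above (assumed, taken
# from the post rather than Check Point documentation): phase 1 86400 s, phase 2 28800 s.
CHECKPOINT_DEFAULT_SECONDS = {"phase1": 86400, "phase2": 28800}
PHASE1_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

# The ASA lines from the post above, embedded here as sample input
ASA_CONFIG = """\
crypto ipsec transform-set chello-transform esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

def parse_asa_crypto(config):
    """Extract phase 1 (ISAKMP policy) and phase 2 (IPsec) parameters from ASA config."""
    phase1, phase2 = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto ipsec transform-set (\S+) esp-(\S+) esp-(\S+)-hmac", line)
        if m:
            phase2.update(name=m.group(1), encryption=m.group(2), hash=m.group(3))
            continue
        m = re.fullmatch(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)", line)
        if m:
            phase2[m.group(1)] = int(m.group(2))
            continue
        m = re.fullmatch(r"(\w+) (\S+)", line)  # indented sub-commands of the ISAKMP policy
        if m and m.group(1) in PHASE1_KEYS:
            phase1[m.group(1)] = int(m.group(2)) if m.group(2).isdigit() else m.group(2)
    return {"phase1": phase1, "phase2": phase2}

def checkpoint_edits(asa):
    """List (phase, setting, checkpoint_default, required) for every lifetime the
    Check Point side must be edited on; a None default marks a setting CP lacks."""
    edits = []
    for phase, key in (("phase1", "lifetime"), ("phase2", "seconds")):
        wanted = asa[phase].get(key)
        if wanted is not None and wanted != CHECKPOINT_DEFAULT_SECONDS[phase]:
            edits.append((phase, "lifetime_seconds", CHECKPOINT_DEFAULT_SECONDS[phase], wanted))
    if "kilobytes" in asa["phase2"]:  # the answer notes CP has no kilobyte lifetime
        edits.append(("phase2", "lifetime_kilobytes", None, asa["phase2"]["kilobytes"]))
    return edits
```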
I am trying to set up NAC using ACS 4.1 and a VPN concentrator 3015 using 4.7.2K. I have had it working before using 3.3 and 4.0, but had to wipe out my server because of some issues. This is all in test, but I would like to complete this soon.
Is there some document out there that will allow me to see examples of this setup? I have googled it and checked on Cisco, but the examples are normally IOS specific. Any help would be appreciated.
Thanks
Dwane
Refer to the link to the NAC Phase One whitepaper, which is the best guide to configuring NAC at the moment.
The document was released prior to NAC introduction on the VPN concentrator, but all the ACS and CTA configuration is valid.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf
Also refer to these links for more information about the VPN concentrator with NAC:
http://www.cisco.com/warp/public/471/vpn3k-nac-config-471.html
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee22f.html#wp1652431 -
Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO
Hi,
I am trying to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64-bit, but I can't start the Active Directory SSO Service, which shows the error below. I see this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
FQDN: active.test.com
Domain Name : test.com
User : ccasso
2011-02-05 12:00:30.225 +0700 WARN com.perfigo.wlan.jmx.adsso.GSSServer
- Server was not running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server starting server ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server is now running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - SPN : [ccasso/[email protected]]
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - done building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - KDC(s) :[10.0.240.100]
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: writing to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - creating login context ...
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginContext@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Notifying GSSServer status Stopped
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- server is exiting .
Hi,
This error means that your DC does not support the encryption method the ACS wants to use.
Usually this happens when you run 2008 Server with 2003 functionality...
You will need to run ktpass.exe according to the DC you are running:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
For Windows 2008 Server at 2003 Server functional level:
ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683
We have this problem with one of our clients:
"Cisco NAC Agent is having a difficulty with the server. Agent user operation system
is not supported".
Anyone encounter this problem ?
Thanks.
Hi Tarik,
We have:
Cisco Clean Access Server Version 4.9.0
Cisco Clean Access Lite Manager Version 4.9.0
I can see your point now, that I should start by upgrading to 4.9.1.
Let me do that, and see if it helps.
Thanks very much, I will keep you posted. -
Cisco NAC Agent and Windows 8 still not working
Hello. I recently upgraded the Cisco NAC Agent to the latest version (4.9.1.13) on a Windows 8 VM. The release notes state that Windows 8 support has been added, and that a patch must be downloaded. However, the information about the patch is vague. I'm not sure if it's a client or server-side patch, or perhaps if I already have it as a result of upgrading to the latest version.
I ask this because I plan to upgrade some computers to Windows 8, and have noticed that Cisco NAC Agent can't handshake with the NAC server on Windows 8 (both native and VM), and despite upgrading to the latest version, the handshake is still unsuccessful.
Thanks,
-Collin
Hi Collin,
The 4.9.1 patch for Windows 8 support can be downloaded from the following link:
http://www.cisco.com/cisco/software/release.html?mdfid=282910502&flowid=34713&softwareid=282573326&release=4.9.1&relind=AVAILABLE&rellifecycle=&reltype=latest
The patch should be applied to both 4.9.1 CAM and CAS.
Please go through the README file for the patch provided in the download link above. It has detailed information.
Regards,
Karthik Chandran