Cisco NAC and Checkpoint VPN

Hi,
Wondering if anyone has ever come across a scenario where they've integrated Cisco NAC with a Checkpoint VPN solution (using Power1 5075)?
Any ideas or collateral would be appreciated.
Thanks
mark

Mark,
If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
HTH,
Faisal

Similar Messages

  • Cisco NAC and Microsoft NAP

    Dear all,
    I need to know what are the differences between Cisco NAC and Microsoft NAP ?
    Can NAP be used instead of NAC or not ? why ? why not ?

    I really do not know if you will find the answer that you are looking for. From what I remember NAP was an option that was available with the ACS via a special patch. This is only supported for vista clients if memory serves me correct.
    Here is the link that will help you with the basics.
    http://www.cisco.com/en/US/netsol/ns466/index.html
    We do not get much case volume or exposure to the NAP solution and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with acs 4.2 possibly hitting eol/eos.
    Thanks,
    Tarik

  • NAC and Checkpoint firewall

    Hi to all,
    Does anyone know if it is possible to configure SSO using NAC and a checkpoint firewall VPN client software on an user machine??
    Thanks in advance for your help

    Mark,
    If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal

  • Cisco wireless and Sonicwall VPN

    My network consists of an 871 router, 48 port Switch, 2006 WLAN Controller, 1231 APs, and SonicWall VPN.
    VPN connections are fine if the client is using the wired network. VPN connections do not work if the client is wireless. I've had a couple of suggestions...VPN Passthrough on the WLAN Controller - that didn't work, but I'm not sure I had the right gateway. And they also suggested changing the MTU size on the wireless card in the laptop. Still trying to figure out how to do that.
    Any other ideas? This seems like it should be a fairly easy fix.
    Thanks.

    Are your wireless clients getting an IP? That is are you using the SonicWall as your DHCP server for the wireless clients?
    If so it will probably not work. There is something with the SonicWalls that they don't support. I went round and round with SonicWall and couldn't get DHCP working for wireless clients coming through Cisco WLC Controllers.

  • Cisco NAC and GSM

    Hi,
    Hi can someone tell me what will be the behavior of Cisco NAC in the following scenario?
    In a corporate LAN a user (all ready authenticated on domain) decides (because he can) to install a USB dongle that will give him access to Internet by mobile phone carrier (GPRS, 3G). What will be the behavior for NAC, it will block the connection for USB dongle? Will block the connection to corporate network?
    Thanks a lot

    NAC will check the user only when he tries to access the network. Once he is trusted, he is not checked anymore. Therefore, if the user is already authenticated, the user can do anything he wants on his PC and NAC will have no idea of what is happening. To stop such things to happen you need CSA.

  • How Cisco NAC and Cisco NAC Agent works

    HI,
    Can anyone help in explaining in detail for Cisco NAC will work in L2 OOB mode?
    Also, what is the path from the time the end user connects to the network till he gets access to the network?
    Please reply soon.Its urgent.

    I really do not know if you will find the answer that you are looking for. From what I remember NAP was an option that was available with the ACS via a special patch. This is only supported for vista clients if memory serves me correct.
    Here is the link that will help you with the basics.
    http://www.cisco.com/en/US/netsol/ns466/index.html
    We do not get much case volume or exposure to the NAP solution and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with acs 4.2 possibly hitting eol/eos.
    Thanks,
    Tarik

  • No Ping-Answer in Site-To-Site-Connection between Cisco 876 and CheckPoint-Firewall

    Hello!
    We try to establish a Site-To-Site-IPSec-connection between a Cisco 876 (local site) and a CheckPoint-firewall (remote site). The Cisco 876 is not directly connected to the internet, but is behind a DSL-Router with port-forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with commands "debug crypto isakmp" and "debug crypto ipsec".
    From the Checkpoint-firewall point of view the connection seems to establish, but there is no ping answer.
    The server on the local site that should be reached from the network behind the Checkpoint-firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see also appended running config for naming of ip-addresses).
    Establishing a Cisco VPN-Client connection to the same Cisco 876 router works fine.
    Any help would be very much appreciated!
    Jakob J. Blaette

    Hi Jakob,
    Adding my two cents here.
    You always need to confirm that the following ports and protocol are opened:
    1- UDP port 500 --> ISAKMP
    2- UDP port 4500 --> NAT-T
    3- Protocol 50 ---> ESP
    A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not a port-forwarding, a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which I think, in your case is the Router.
    HTH.
    Portu.
    Please rate any helpful posts and mark this post as answered.

  • Cisco NAC and Virtual Desktop Infrastructure

    Hi all
    Does it posiable to implement NAC on VDI infrastructure?
    If it can can you post some link?
    THanks
    Regards

    MosielleKwan wrote:
    Has anyone know ESSO support VDI client yet ?The current version does not support virtual desktop infrastructure (VDI).
    This must go as an Enhancement Request .

  • Does Cisco NAC support Wireless LAN?

    Hi There
    I know Cisco NAC supports Wireless LAN. I have deployed this myself with various brands of Autonomous APs. These works fine only in in-band mode, not in out-of-band mode.
    However, Cisco did mentioned for Cisco AP, with Cisco NAC and Cisco switches, out-of-band is supported. I tried this today, and it's either Cisco is wrong, which is highly unlikely, or I did not configure either the NAC portion or the Cisco AP correctly, which is most likely? I wonder where did I go wrong? Please somebody, advice me on this?
    Regards,
    Ram
    +6012-2918870

    Hi Ramraj,
    You can do out-of-band with Wireless deployments now, however you must have a Wireless Lan Controller managing your APs. You cannot do it with standalone APs.
    The guide below goes through most of the configuration:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    Thanks,
    Nate

  • Does Cisco NAC support for HP Switches

    Dear all,
                         the existing network has HP switches , is there any way i can deploy Cisco NAC solution here ?
    Pls revert .
    thanks ,

    Cisco NAC has lots of limitations, and surly this is one of them. But while I respect the fact that cisco will not support NAC on HP switches. It can work. And it will perform just fine, once you understand “Cisco NAC” and able to configure it for the first time, you will be able to support it without the need of TAC.
    The idea is that Cisco NAC sends commands to the switches on the network to apply specific access list or Vlan changes, since Cisco can only speak Cisco, it does not know how to tell other switches to do that. . The work around is that you would have the NAC running in in-line mode on your network, yes this will introduce a bottleneck, but that is the only way to do it. The NAC then will look at the traffic based on the MAC or IP and apply set of policies depending on the source or the destinations.
    Please do your research and look at other NAC solutions before you decide the best vendor to go with.

  • Site to site VPN between cisco asa 5550 and checkpoint r75

    Hi all ,
    below is cisco asa config for our customer end:
    crypto ipsec transform-set chello-transform esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto isakmp policy 10
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 86400
    What should i configure on checkpoint for first phase and second phase ?
    Regards,
    Suhail

    In checkpoint VPN community, default setting for phase 1 is 86400 seconds so you're good there.  Phase II default is 28,800 so  you need to edit the parameter and change it to 3600.  the rest is the same as cisco with the exception of the lifetime in kilobytes which CP does not have
    Easy right?

  • ACS NAC and VPN

    I am trying to set up NAC using ACS 4.1 and a VPN concentrator 3015 using 4.7.2K. I have had it working before using 3.3 and 4.0, but had to wipe out my server because of some issues. This is all in test, but I would like to complete this soon.
    Is there some document out there that will allow me to see examples of this setup? I have googled it and checked on Cisco, but the examples are normally IOS specific. Any help would be appreciated.
    Thanks
    Dwane

    Refer to the link to the NAC Phase One whitepaper which is the best guide to configuring NAC at the moment.
    The document was released prior to NAC introduction on the VPN concentrator, but all the ACS and CTA configuration is valid.
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf
    also refer these links to know more info about VPN concentrator with NAC:
    http://www.cisco.com/warp/public/471/vpn3k-nac-config-471.html
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee22f.html#wp1652431

  • Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

    Hi,
         I try to setup SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit, but I can't start Active Directory SSO Service that show error follow below. I saw this error " KDC has no support for encryption type (14)" . Could anyone help me to troubleshoot this problem?
    FQDN: active.test.com
    Domain Name : test.com
    User : ccasso
    2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - Server was not running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - Server starting server ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - Server is now running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - GSSServer - SPN : [ccasso/[email protected]]
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - GSSServer - building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - GSSServer - done building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - GSSServer - KDC(s) :[10.0.240.100]
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - GSSServer - creating login context ...
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - GSSServer - created login context ...javax.security.auth.login.LoginCon                                                                           
    text@5ad7b2
    2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer                                                                                           
    - Unable to start server ... KDC has no support for encryption type (14)
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - Notifying GSSServer status Stopped
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
    - server is exiting .

    Hi,
    This error means that your DC does not support the encryption method the ACS wants to use.
    Usually this happens when you run 2008 Server with 2003 functionality...
    You will need to run ktpass.exe according to the DC you are running:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
    For Windows 2008 Server at 2003 Server functional level:
    ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass
    PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683

    We have this problem with on of our clients:
    "Cisco NAC Agent is having a difficulty with the server. Agent user operation system
    is not supported".
    Anyone encounter this problem ?
    thanks.

    Hi Tarik,
    We have:
    Cisco Clean Access Server   Version 4.9.0
    Cisco Clean Access Lite Manager   Version 4.9.0
    I can see Your point now,  that I should start from upgrading to 4.9.1.
    Let me do  that, and see if it helps.
    thanks  very much, I will keep You posted.

  • Cisco NAC Agent and Windows 8 still not working

    Hello. I recently upgraded the Cisco NAC Agent to the latest version (4.9.1.13) on a Windows 8 VM. The release notes state that Windows 8 support has been added, and that a patch must be downloaded. However, the information about the patch is vague. I'm not sure if it's a client or server-side patch, or perhaps if I already have it as a result of upgrading to the latest version.
    I ask this because I plan to upgrade some computers to Windows 8, and have noticed that Cisco NAC Agent can't handshake with the NAC server on Windows 8 (both native and VM), and despite upgrading to the latest version, the handshake is still unsuccessful.
    Thanks,
    -Collin

    Hi Collin,
    The 4.9.1 Patch for Windows 8 Support can be downloaded from the following link :
    http://www.cisco.com/cisco/software/release.html?mdfid=282910502&flowid=34713&softwareid=282573326&release=4.9.1&relind=AVAILABLE&rellifecycle=&reltype=latest
    The patch should be applied to both 4.9.1 CAM and CAS.
    Please go through the README file for patch provided in the download link provided above. It has detailed information.
    Regards,
    Karthik Chandran

Maybe you are looking for

  • How can i print an email without printing the attachment?

    I just got my new macbook pro retina display.  I am using Mac mail and want to know how I can print an email without printing the attachement.  Any suggestions and solutions would be appreciated.

  • Handling unit status at table level

    Dear Experts, I want to know the logic to find only those HUs which exist in the inventory i.e. which are present physically. I do not want those which have been delivered/deleted/scrapped etc. How can I get this at table level and what filters shoul

  • Looking for a music / radio app  that let me play all songs of one artist

    Say Madonna or Britney. Last.fm let me play music LIKE selected artist but not strictly OF that artist. Then I can buy songs i like via itunes. Itunes only play 30 seconds so u don't know if you'd like the whole song or not.

  • Taking display value for calculations using structures in Bex query

    Hi I am using Bex analyzer to do a simple report with two key figures ‘Sales’ and ‘Plans’ from cube and two more calculated key figures ‘Abs Deviation’ and ‘% error’. The report displays at category and product levels. Category is higher and one cate

  • Refreshing access points in the environment, models???

    I am slowly going through the environment replacing the 80 AIR-1252 access points.  I have decided to replace our 1142s at the same time so that the environment is up to date.  I was curious what the recommended replacement is for these access points