Cisco NAC and GSM

Hi,
Hi can someone tell me what will be the behavior of Cisco NAC in the following scenario?
In a corporate LAN a user (all ready authenticated on domain) decides (because he can) to install a USB dongle that will give him access to Internet by mobile phone carrier (GPRS, 3G). What will be the behavior for NAC, it will block the connection for USB dongle? Will block the connection to corporate network?
Thanks a lot

NAC will check the user only when he tries to access the network. Once he is trusted, he is not checked anymore. Therefore, if the user is already authenticated, the user can do anything he wants on his PC and NAC will have no idea of what is happening. To stop such things to happen you need CSA.

Similar Messages

Cisco NAC and Microsoft NAP

Dear all,
I need to know what are the differences between Cisco NAC and Microsoft NAP ?
Can NAP be used instead of NAC or not ? why ? why not ?

I really do not know if you will find the answer that you are looking for. From what I remember NAP was an option that was available with the ACS via a special patch. This is only supported for vista clients if memory serves me correct.
Here is the link that will help you with the basics.
http://www.cisco.com/en/US/netsol/ns466/index.html
We do not get much case volume or exposure to the NAP solution and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with acs 4.2 possibly hitting eol/eos.
Thanks,
Tarik

How Cisco NAC and Cisco NAC Agent works

HI,
Can anyone help in explaining in detail for Cisco NAC will work in L2 OOB mode?
Also, what is the path from the time the end user connects to the network till he gets access to the network?
Please reply soon.Its urgent.

I really do not know if you will find the answer that you are looking for. From what I remember NAP was an option that was available with the ACS via a special patch. This is only supported for vista clients if memory serves me correct.
Here is the link that will help you with the basics.
http://www.cisco.com/en/US/netsol/ns466/index.html
We do not get much case volume or exposure to the NAP solution and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with acs 4.2 possibly hitting eol/eos.
Thanks,
Tarik

Cisco NAC and Checkpoint VPN

Hi,
Wondering if anyone has ever come across a scenario where they've integrated Cisco NAC with a Checkpoint VPN solution (using Power1 5075)?
Any ideas or collateral would be appreciated.
Thanks
mark

Mark,
If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
HTH,
Faisal

Cisco NAC and Virtual Desktop Infrastructure

Hi all
Does it posiable to implement NAC on VDI infrastructure?
If it can can you post some link?
THanks
Regards

MosielleKwan wrote:
Has anyone know ESSO support VDI client yet ?The current version does not support virtual desktop infrastructure (VDI).
This must go as an Enhancement Request .

Does Cisco NAC support Wireless LAN?

Hi There
I know Cisco NAC supports Wireless LAN. I have deployed this myself with various brands of Autonomous APs. These works fine only in in-band mode, not in out-of-band mode.
However, Cisco did mentioned for Cisco AP, with Cisco NAC and Cisco switches, out-of-band is supported. I tried this today, and it's either Cisco is wrong, which is highly unlikely, or I did not configure either the NAC portion or the Cisco AP correctly, which is most likely? I wonder where did I go wrong? Please somebody, advice me on this?
Regards,
Ram
+6012-2918870

Hi Ramraj,
You can do out-of-band with Wireless deployments now, however you must have a Wireless Lan Controller managing your APs. You cannot do it with standalone APs.
The guide below goes through most of the configuration:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
Thanks,
Nate

Does Cisco NAC support for HP Switches

Dear all,
the existing network has HP switches , is there any way i can deploy Cisco NAC solution here ?
Pls revert .
thanks ,

Cisco NAC has lots of limitations, and surly this is one of them. But while I respect the fact that cisco will not support NAC on HP switches. It can work. And it will perform just fine, once you understand “Cisco NAC” and able to configure it for the first time, you will be able to support it without the need of TAC.
The idea is that Cisco NAC sends commands to the switches on the network to apply specific access list or Vlan changes, since Cisco can only speak Cisco, it does not know how to tell other switches to do that. . The work around is that you would have the NAC running in in-line mode on your network, yes this will introduce a bottleneck, but that is the only way to do it. The NAC then will look at the traffic based on the MAC or IP and apply set of policies depending on the source or the destinations.
Please do your research and look at other NAC solutions before you decide the best vendor to go with.

Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

Hi,
     I try to setup SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit, but I can't start Active Directory SSO Service that show error follow below. I saw this error " KDC has no support for encryption type (14)" . Could anyone help me to troubleshoot this problem?
FQDN: active.test.com
Domain Name : test.com
User : ccasso
2011-02-05 12:00:30.225 +0700 WARN com.perfigo.wlan.jmx.adsso.GSSServer
- Server was not running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server starting server ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server is now running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - SPN : [ccasso/[email protected]]
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - done building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - KDC(s) :[10.0.240.100]
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: writing to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - creating login context ...
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginCon
text@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Notifying GSSServer status Stopped
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- server is exiting .

Hi,
This error means that your DC does not support the encryption method the ACS wants to use.
Usually this happens when you run 2008 Server with 2003 functionality...
You will need to run ktpass.exe according to the DC you are running:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
For Windows 2008 Server at 2003 Server functional level:
ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass
PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683

We have this problem with on of our clients:
"Cisco NAC Agent is having a difficulty with the server. Agent user operation system
is not supported".
Anyone encounter this problem ?
thanks.

Hi Tarik,
We have:
Cisco Clean Access Server Version 4.9.0
Cisco Clean Access Lite Manager Version 4.9.0
I can see Your point now, that I should start from upgrading to 4.9.1.
Let me do that, and see if it helps.
thanks very much, I will keep You posted.

Cisco NAC Agent and Windows 8 still not working

Hello. I recently upgraded the Cisco NAC Agent to the latest version (4.9.1.13) on a Windows 8 VM. The release notes state that Windows 8 support has been added, and that a patch must be downloaded. However, the information about the patch is vague. I'm not sure if it's a client or server-side patch, or perhaps if I already have it as a result of upgrading to the latest version.
I ask this because I plan to upgrade some computers to Windows 8, and have noticed that Cisco NAC Agent can't handshake with the NAC server on Windows 8 (both native and VM), and despite upgrading to the latest version, the handshake is still unsuccessful.
Thanks,
-Collin

Hi Collin,
The 4.9.1 Patch for Windows 8 Support can be downloaded from the following link :
http://www.cisco.com/cisco/software/release.html?mdfid=282910502&flowid=34713&softwareid=282573326&release=4.9.1&relind=AVAILABLE&rellifecycle=&reltype=latest
The patch should be applied to both 4.9.1 CAM and CAS.
Please go through the README file for patch provided in the download link provided above. It has detailed information.
Regards,
Karthik Chandran

Different between cisco NAC agent and cisco Clean Access Agent

Hi all,
if anyone has idea about different between cisco NAC agent and cisco Clean Access Agent, please share your ideas.
thank you

In 4.6, the agent was overhauled and is now called the NAC agent. Previous versions were referred to as the Clean Access Agent. So pretty much, the 4.5 agent and 4.1.3.2 agents are Clean Access agents, and the 4.6.x and 4.7.x agents are called NAC agents.
Some of the changes made were moving a lot of the agent configuration to an XML file, redesigning the GUI, adding a service portion (so that the stub agent is no longer required), and better agent logging.

Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL

Hi There
I have Cisco NAC setup in my environment. These are all working fine. The users will get themselves authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. These are all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. It's either I'm doing it wrongly or this setup of mine doesn't support downloadable ACL? Please kindly advice.
Regards,
Ram
+6-012-2918870

Hi,
That is not possible.
You cannot push ACLs into the NAC manager.
If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
Using Radius attributes you can then map users to Roles.
Please take a look into this:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Cisco WLC5760 Fail and Cisco NAC Guest v2.0

Hello,
I have a problem to use an Cisco WLC5760 v3.3.1SE and an Cisco NAC Guest v2.0.
Can anyone help me to synchronise Cisco WLC5760 v3.3.1SE and Cisco NAC Guest v2.0. ?
Thanks you for help.

Hi Adoncamille,
I have the same problem with my 5760 and NAC Guest Server. Did you fixed the problem?,
Best Regards,
Marco Muñoz

Cisco Nac 3310 Upgrade From 4.1.6 to 4.7.2

Hi,
I've to upgrade the NAC Enviroment from 4.1.6 version to 4.7.2 version.
This is the scenario.
2 CAM
2 CAS
on 3310 Platform in HA-Pairs.
On Cisco WebSite i found that upgrading to 4.7.2 is possible by this way: 4.1.6 --> 4.1.8 --> 4.5.1 --> 4.7.2. I think that the direct upgrade 4.1.6 --> 4.5.1 is possible. Can you confirm me that?
Well, I've some questions about this upgrade.
1) If the upgrade fails, is there any rollback task to do? Reinstall the CAM/CAS and restore the backup or what?
2) Can you tell me the downtime for the upgrade 4.1.8 --> 4.5.1?
3) The downtime for the upgrade 4.5.1 --> 4.7.2 ?
Thanks in advance for the support!!!

Thanks you very much, really appreciate your help!
I will follow the procedures that Cisco indicates and i hope that everything will work fine!
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/418/418rn.html#wp75888
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/45/45rn.html#wp75888
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/472rn.html#wp75888
I noticed that the tar.gz for the 4.7.2 frome 4.5.x upgrade is an ISO file. Is this the correct file?
The attach image shows the content of the file: cca_upgrade-4.7.2-from-4.5.x-4.6.x.tar.gz
Is right?

NAC and AD, Machine GPOs, Roaming Profiles = Chaos

I've just observed a hapless Cisco consultant try to make NAC 4.1 work on computers with machine GPOs, roaming profiles, logon scripts within user GPOs, and for that matter legacy logon scripts with "run logon scripts synchronously" enabled. All of these technologies seem to fail on a NAC-enforced connection.
We assign software on machine GPOs and we use roaming user profiles, and it seems we either need to have a domain controller and profile share on the isolation VLAN, which defeats the purpose of NAC, or perform some kind of machine authentication, which can occur before GPO processing and net logons can happen.
While I'm not the Cisco consultant, it wasn't hard to recognize this problem.
Everything I've read about NAC and CAA suggests this is a per-user compliance solution and not a per-machine solution. Surely others have observed this, and I think this is what machine authentication (802.1x) NAC, as opposed to user authentication NAC, is all about. At the risk of sounding like a total n00b, where can I start researching a NAC solution that supports what I want and lets us use the Cisco NAC gear we've already invested in?

I have had similar issues and have solved many with a custom script that runs at log on. It is a compiled script and works great, AutoIT3.
The policy part takes care of itself if you leave machines logged in long enough or do a gpupdate /force. This will force the group policy to synchronize but you will need to log off and on again.
The roaming profile is much tougher. I am still trying to get this working. If anyone has any info on EXACTLY what takes place on a roaming profile synchronization, I would be grateful. If I can I will replicate that process in my script and solve this issue also.
I have fixed the log in script stuff with a delayscript that I use (ironically) clean access to install. You have to launch it with the users credentials, though and not from Clean Access which uses the SYSTEM users credentials in its stub agent!
This is a known issue to Cisco but any prodding of them to get it working would help. Their solution is braindead, just give unremediated machines full access! If they fail remediation, kick them off then. Gee, that gives the unremediated machine a mere two to three minutes to attack your AD DCs on each log in attempt. Not good.
Anyway, that's where I am at. Most of this can be dealt with, some is still problematical.
Dan S.

Cisco NAC and GSM

Similar Messages

Maybe you are looking for