Cisco NAC and Microsoft NAP

Dear all,
I need to know what the differences are between Cisco NAC and Microsoft NAP.
Can NAP be used instead of NAC or not? Why? Why not?

I really do not know if you will find the answer that you are looking for. From what I remember NAP was an option that was available with the ACS via a special patch. This is only supported for Vista clients if memory serves me correct.
Here is the link that will help you with the basics.
http://www.cisco.com/en/US/netsol/ns466/index.html
We do not get much case volume or exposure to the NAP solution and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with ACS 4.2 possibly hitting EOL/EOS.
Thanks,
Tarik

Similar Messages

  • Cisco WLC and Microsoft NAP

    Hi, I want to integrate my Cisco WLC directly into Microsoft NAP. Is this possible?
    Thanks

    Follow the table in the link http://www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1134942 for the integration of WLC and Microsoft NAP.

  • How Cisco NAC and Cisco NAC Agent works

    Hi,
    Can anyone help by explaining in detail how Cisco NAC will work in L2 OOB mode?
    Also, what is the path from the time the end user connects to the network till he gets access to the network?
    Please reply soon. It's urgent.


  • Cisco NAC and GSM

    Hi,
    Can someone tell me what the behavior of Cisco NAC will be in the following scenario?
    In a corporate LAN a user (already authenticated on the domain) decides (because he can) to install a USB dongle that will give him access to the Internet by mobile phone carrier (GPRS, 3G). What will be the behavior for NAC? Will it block the connection for the USB dongle? Will it block the connection to the corporate network?
    Thanks a lot

    NAC will check the user only when he tries to access the network. Once he is trusted, he is not checked anymore. Therefore, if the user is already authenticated, the user can do anything he wants on his PC and NAC will have no idea of what is happening. To stop such things from happening you need CSA.

  • Cisco NAC and Checkpoint VPN

    Hi,
    Wondering if anyone has ever come across a scenario where they've integrated Cisco NAC with a Checkpoint VPN solution (using Power1 5075)?
    Any ideas or collateral would be appreciated.
    Thanks
    mark

    Mark,
    If the Checkpoint device can do standard RADIUS accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal
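
The reply above says VPN SSO depends only on the head-end's RADIUS accounting packets. The following is an added example, not part of the original post and not Cisco's code: it validates an RFC 2866 Accounting-Request and extracts the user and client address it carries. The shared secret, the sample packet and the `usable_for_sso` rule (a Start record with User-Name and Framed-IP-Address) are assumptions made for illustration.

```python
import hashlib, hmac, ipaddress, struct

# Attribute and code numbers from RFC 2865 / RFC 2866.
USER_NAME, NAS_IP, FRAMED_IP, ACCT_STATUS = 1, 4, 8, 40
ACCOUNTING_REQUEST = 4
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_accounting_request(ident, attrs, secret):
    """Encode an Accounting-Request; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # RFC 2866: authenticator = MD5(header + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_accounting_request(packet, secret):
    """Validate the packet and return the session fields, or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    header, auth, body = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, auth):
        raise ValueError("bad authenticator: wrong shared secret or altered packet")
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(body[i], body[i + 2:i + body[i + 1]])  # keep first value
        i += body[i + 1]
    def ipv4(attr_type):
        raw = attrs.get(attr_type, b"")
        return str(ipaddress.IPv4Address(raw)) if len(raw) == 4 else None
    status = STATUS.get(int.from_bytes(attrs.get(ACCT_STATUS, b""), "big"))
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace") or None
    return {"status": status, "user": user,
            "client_ip": ipv4(FRAMED_IP), "nas_ip": ipv4(NAS_IP)}

def usable_for_sso(fields):
    """Assumption: mapping a VPN user to a session needs a Start with user and IP."""
    return fields["status"] == "Start" and bool(fields["user"] and fields["client_ip"])

# Constructed sample: what a VPN head-end might send when a user connects.
SECRET = b"constructed-secret"
SAMPLE = build_accounting_request(7, [
    (ACCT_STATUS, struct.pack("!I", 1)), (USER_NAME, b"alice"),
    (FRAMED_IP, ipaddress.IPv4Address("10.8.0.23").packed),
    (NAS_IP, ipaddress.IPv4Address("192.0.2.1").packed)], SECRET)
```

A packet that fails the authenticator check should be dropped rather than trusted for session mapping, since accounting traffic is otherwise easy to spoof over UDP.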

  • Cisco VPN and Microsoft Virtual PC (xp mode under Windows 7)

    I've installed XP under my user's Windows 7 64 bit Enterprise.  Unfortunately I set up networking for DHCP so that the host and guest (too much vmware :) )  get two different IP's.
    So with Cisco anyconnect, I can't get the guest (i.e. the Win xp vm) to connect correctly.  I want to change networking back to bridged and try that, but for the life of me I can't find where the settings are.  I'm thinking that bridged (where I don't have to try the Cisco client in the vm might work better)
    But I'm in the US
    My user's in Australia
    and right now I can't get remote tools to work on the host and talking this guy through it on the phone is not pleasant.
    Are there instructions somewhere, and where is the full downloadable documentation for this product. I can find online, can't find a full downloadable copy

    On Thu, 2 Sep 2010 14:34:57 +0000, Jim_St wrote:
    I've installed XP under my user's Windows 7 64 bit Enterprise. Unfortunately I set up networking for DHCP so that the host and guest (too much vmware :) ) get two different IP's.
    So with Cisco anyconnect, I can't get the guest (i.e. the Win xp vm) to connect correctly. I want to change networking back to bridged and try that, but for the life of me I can't find where the settings are. I'm thinking that bridged (where I don't have to try the Cisco client in the vm might work better)
    But I'm in the US
    My user's in Australia
    and right now I can't get remote tools to work on the host and talking this guy through it on the phone is not pleasant.
    Are there instructions somewhere, and where is the full downloadable documentation for this product. I can find online, can't find a full downloadable copy

    Bridged networking is what VMWare calls it and it works basically the
    same as the way you don't like here. The guest will interact with the
    NIC on the host and from the outside it will present a second channel
    with a different MAC address. This channel will acquire an IP address
    of its own from the DHCP server.
    But no matter what you do, the host and guest will NEVER EVER get the
    same IP address!
    Additionally, Cisco VPN by design will shut down ALL other network
    interfaces when it connects the tunnel so the computer running Cisco
    VPN will be effectively disconnected from the local network and
    INSTEAD connected to the remote network. You cannot share this VPN
    tunnel to another local computer and this includes the host.
    Bo Berglund

  • Cisco IPT and Microsoft System Centre Operations Manager

    Hi All
    Has anybody used Cisco IPT with System Centre Operations Manager?
    Does System Centre Operations Manager support Cisco CallManager OS and Hardware for monitoring?
    Thanks
    VKS

    Hi David,
    Thanks for your reply. I have gone through the links which you have mentioned. As per the Overview of Operations Manager 2007 R2 section in What's New & Improved in Operations Manager 2007 R2 document it is clearly mentioned the below points:
    Delivers monitoring across Windows, Linux and Unix servers–all through a single console.
    Extend end to end monitoring of distributed applications to any workload running on Windows, Unix and Linux platforms.
    The Cisco Servers are also Windows and Linux Based.
    Thanks & Regards,
    Vaijanath

  • Cisco 5505 and Microsoft DirectAccess

    Does anyone have a complete list of what parameters need to be enabled/set on an ASA 5505 so MS Direct Access is happy?
    I can't be the only one wanting to place a 5505 in front of the DA Server.

    If you are using the ASA to perform NAT, you'll only need to allow inbound TCP 443. If you are routing to the DirectAccess server or have the ASA configured in transparent firewall mode, then you'll need to allow inbound IP protocol 41, and inbound UDP 3544. If your ASA and your DirectAccess clients are on the IPv6 Internet, you will also need to allow inbound IP protocol 50, inbound UDP 500, and all ICMPv6 traffic.
    Richard Hicks - directaccess.richardhicks.com

  • Cisco NAC and Virtual Desktop Infrastructure

    Hi all
    Is it possible to implement NAC on VDI infrastructure?
    If it is, can you post some links?
    THanks
    Regards

    MosielleKwan wrote:
    Has anyone know ESSO support VDI client yet?

    The current version does not support virtual desktop infrastructure (VDI).
    This must go as an Enhancement Request.

  • Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

    Hi,
    I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
    3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
    Please, give me some advice.
    Thanks in advance,
    Mladen

    Thanks for the reply, but still I am a bit confused (would you please try to answer the questions?):
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
    3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
    I refer to
    "Implementing Network Admission Control Phase One Configuration and Deployment";
    "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
    Thanks in advance,
    Mladen

  • Integrating Microsoft NAP with Cisco ASA

    Hello everyone,
    I'm quite new to the Cisco world. I wonder if and how it is possible to marry Cisco ASA with Microsoft NAP (in Terms of VPN Enforcement). Does anybody know some helpful documents? Is an ACS Server/Appliance necessary?
    Thanks in advance and kind regards

    Hello Jatin,
    thanks for your reply.
    Microsoft states that authentication via PEAP is necessary for NAP to work:
    "One security feature of PEAP is the transmission of Statement of Health (SoH) messages."
    (see http://blogs.msdn.com/b/openspecification/archive/2009/06/05/peap-phase-2-encapsulation-examples-for-a-client-authenticating-with-ms-chapv2.aspx?Redirected=true)
    However, I found this topic which states that PEAP auth. is not possible with the ASA: https://supportforums.cisco.com/thread/2028742
    Is that true?

  • Switch Cisco and Microsoft NPS

    Hi,
    I configured 802.1x with a Cisco switch and Microsoft NPS RADIUS but the client cannot connect. I debugged RADIUS on the switch and received the debug attached.
    What's the problem?
    Thanks

    Hi,
    It looks like the switch IP address is 192.168.233.250.
    Please add this NAS-IP-Address 192.168.233.250 in the condition on the NPS server.
    Also, could you please provide me an error message from the event viewer?
    Attached is the document to configure NPS with cisco devices.
    HTH
    JK
    Plz rate helpful posts-

  • Does Cisco NAC support Wireless LAN?

    Hi There
    I know Cisco NAC supports Wireless LAN. I have deployed this myself with various brands of Autonomous APs. These work fine only in in-band mode, not in out-of-band mode.
    However, Cisco did mention that for Cisco APs, with Cisco NAC and Cisco switches, out-of-band is supported. I tried this today, and either Cisco is wrong, which is highly unlikely, or I did not configure either the NAC portion or the Cisco AP correctly, which is most likely. I wonder where I went wrong? Could somebody please advise me on this?
    Regards,
    Ram
    +6012-2918870

    Hi Ramraj,
    You can do out-of-band with Wireless deployments now, however you must have a Wireless Lan Controller managing your APs. You cannot do it with standalone APs.
    The guide below goes through most of the configuration:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    Thanks,
    Nate

  • Does Cisco NAC support for HP Switches

    Dear all,
    The existing network has HP switches. Is there any way I can deploy the Cisco NAC solution here?
    Pls revert.
    Thanks,

    Cisco NAC has lots of limitations, and surely this is one of them. But while I respect the fact that Cisco will not support NAC on HP switches, it can work. And it will perform just fine; once you understand "Cisco NAC" and are able to configure it for the first time, you will be able to support it without the need of TAC.
    The idea is that Cisco NAC sends commands to the switches on the network to apply specific access lists or VLAN changes. Since Cisco can only speak Cisco, it does not know how to tell other switches to do that. The workaround is that you would have the NAC running in in-line mode on your network. Yes, this will introduce a bottleneck, but that is the only way to do it. The NAC will then look at the traffic based on the MAC or IP and apply a set of policies depending on the source or the destination.
    Please do your research and look at other NAC solutions before you decide the best vendor to go with.

  • Cisco ISE NAC agent and Microsoft roaming profiles

    Hi there,
    I have installed Identity Services Engine version 1.1.3 in distributed mode. The NAC agent is installed on the end user PC joined to the domain. When a user with a roaming profile logs into the PC, the NAC agent fails to run posture assessment, but if a user with a non-roaming profile logs in, the NAC agent does posture and full network access is granted.
    Is there something I need to do to enable the NAC agent to perform posture for users with a roaming profile?
    Regards,
    Henry

    Hello,
    I found the following from the Cisco doc. Hope it helps!
    The following failure scenarios might cause the Cisco NAC Agent to appear following successful user authentication when the client machine roams between CASs in Layer 3 (both In-Band and Out-of-Band) and Layer 2/Layer 3 Out-of-Band environments. Erroneous Agent login dialogs could also appear if users roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC network:
    – ARP poisoning
    – Temporary loss of network connection between the client machine and the CAS
    – Access to untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
    Cisco offers the following recommendations to prevent this situation:
    – Ensure all trusted networks (post-authentication) can reach the CAS untrusted interface IP address through the CAS trusted interface only
    – Block discovery packets from all non-NAC networks to the CAS untrusted interface IP address (discovery packets that arrive on the trusted interface of the CAS are blocked by default)
    For more information please refer to the following link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html
