Cisco NAC Appliance SSO AD by OU (Organization Unit) is posible?

Similar Messages

• Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

  Hi,
  I am re-imaging the Cisco NAC Appliance 3315 and installing the Cisco ISE 1.1.4...
  After finishing the Installation, when i type "SETUP"... It gives me the below Error;
  # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
  # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
  Please advise....
  I tried to change the Time/Date as per UTC/GMT accordingly... But, i didn't find the RAID in CLI... see the link below
  (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
  any idea...
  Regards,
  Mubasher Sultan

  Where did you get the recovery media? Did you download from cisco.com?
  Please download the image from CCO and ensure the ISE image is valid by checking the MD5 checksum of the downloaded image is matching to CCO image.You will then need to burn this ISO image onto bootable DVD.
  Supporting link:
  http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
  Jatin Katyal
  - Do rate helpful posts -

• Cisco NAC Appliance

  Hi
  I wanted to know if someone can give me some help on a Cisco NAC appliance.
  Honestly i've heard of them but i've never installed or worked on one before and i
  have a client who wants to have one installed.So i wanted to know can some here
  point me in the right direction as far as installation and configuration. Thanks for
  the help in advance and have a great evening.

  Hi
  Everything you need to get started:
  http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Does Cisco NAC Appliance deployment require CS-ACS?

  I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
  If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
  I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
  Anybody have any ideas on that?
  Thanks!

  Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
  Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
  Though by all means deploy NAC, even if you are simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
  Hope this helps.

• Cisco NAC AD SSO

  Hi,
  I need help with configuring CASUser Account for NAC AD SSO in a multidomain enviorment.
  We have two child domain (based on region) say A & B. We have created the casuser account in domain A. If a user from Domain A login, everything works fine and they are authenticated.
  But the problem starts if some one from domian B tries to login - they are authenticated by AD (checked through kerbtray and net time \set (can't see ticket for casuser account)....the NAC agaent keeps on prompting for username & password.
  Domain: Windows 20003
  Domain functional level: Windows 2000 native
  Cisco NAC Agent: Version : 4.8.0.32

  Hi Sanjeev,
  I was implemented the Cisco NAC in a multi domain environment and works fine until the customer add third AD server on Windows 2008.
  Do you verify that the created user CASUSER is visible on domain B?
  The CASUSER in my opinon must be created on root domain and will be broadcasted to domains A&B.
  Do you used LDAP user mapping to roles?
  Do you tested that was created user in domain B and verify in site A? It's the simple test for what you want to do.
  Which version Cisco NAC have you got?
  Kamil

• What is a Cisco NAC appliance used for?

  We have a 5508 WLC in use already and have this 3310 lying around unused.  I am trying figure out if adding a 3310 would be of any benefit.
  From the documentation, the features of a 3310 NAC are,
  Recognize users, their devices, and their roles in the network
  Evaluate whether machines are compliant with security policies
  Enforce security policies by blocking, isolating, and repairing noncompliant machines
  Provide easy and secure guest access
  Simplify non-authenticating device access
  Audit and report whom is on the network
  What does enforce security polices by blocking, isolating, repairing really mean?
  "Provide easy and secure guest access"  I already have a public wireless ssid set on the wlc.
  I can recognize users in reports like Solarwinds.  I can see the username, IP, MAC, AP location.
  I can get an report from my logging traps collector, Solarwinds.

  Well usually when I have deployed them back in the days, you had a NAC Appliance and another NAC Manager. But what you have read, that is exactly what it does.
  What does enforce security polices by blocking, isolating, repairing really mean?
  It will block and isolate the device if it doesn't meet the requirements that you have set, but the user has to manually repair the items.
  "Provide easy and secure guest access" I already have a public wireless ssid set on the wlc.
  I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
  I can get an report from my logging t
  You will not see any username or ap locations. I wouldn't use it as it might be more of a headache to implement unless you know what you are doing.
  Sent from Cisco Technical Support iPhone App

• Cisco NAC server hang issue

  Hi All Cisco NAC Experts,  I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
  The issue was already happened for few time on the same server and the symptom when NAC server hung includes no response to ICMP ping, no response to SSH request, no response for access request to CAS management page via https, HA pair was detected down from its HA neighbor and triggered failover to secondary CAS.
  The CAS server was recovered after manually power cycle the hardware. 
  After went through the attachment CAS logs, I found all the services and logging service were stopped when the issue happening but unfortunately there is no any suspicious activity was logged down before or during the issue happening.
  I have also tried to search on Cisco Bug Toolkit but no similar case was found, I believe it was not caused by software bug due to the software version 4.8.1 is running in my company for years and only one CAS server having the issue.
  That will be great if any one can help me out for the same.
  Thanks,
  Eric

  Hi Bro
  This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
  If all else fail, then a hardware swap would seem like the next best thing.

• Question about cisco nac agent

  When I deploy Cisco NAC appliance, the main different between using cisco nac appliance with or without agent? I see Cisco NAC agent has two function: scan and remediation. If Cisco NAC appliance without agent, Cisco NAC server will scan device and remediation. That is right?
  Please answer me early. Thank you for your answer.

  Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
  We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
  1) You have to decide which vulnerabilities you want to scan for.
  2) The more plug-ins you enable, the longer (obviously) the scan takes.
  3) There are configuration steps for many of the plug-ins
  4) Your users will still need to go to a login page in order to be scanned.
  5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
  From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
  It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
  Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
  Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.

• L2 or l3 switch with NAC appliance

  Hi,
  I am planning for deploying NAC appliance in OOBVG mode. For the access layer, L2 switches are selected (2960). If I change the L2 access switches with L3 (3560 or 3750) would this add more manageability to the access layer by NAC?
  Regards,
  Mladen

  Thanks.
  The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
  "In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
  So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is client satisfactory.
  If the NAC is in OOBVG mode, are there any NAC features, which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
  Regards,
  Mladen

• NAC appliance basic setup

  I have a small project to authenticate around 100 users to access the network. We are planning to use the Cisco NAC appliance. Just to clarify (I have seen some post but I am not sure of the right answer) Do I need 2 separate appliances, one as server and the other as controller; or I just need one doing both tasks?
  Thanks,
  -Arturo

  Hi Arturo,
  You need two appliances to make it work. One manager and one server.
  There is an excellent book from the Cisco Press on the NAC Appliance by James Heary which will provide you with plenty of details and background on setting up the appliances.
  Hope this helps.
  Paul

• NAC Appliance and Novell

  Does anybody know whether or not the Cisco NAC Appliance (CCA) will work with Novell authentication in any fashion.

  We're starting a pilot now. We have to use MAC address authenication because there is no novell support.

• NAC Appliance IPv6 Compatibility

  I read in the book "Cisco NAC Appliance: Enforcing Host Security with Clean Access" (published 2008) that the Real IP Gateway mode is only IPv4 compatible but that IPv6 compatibility will be provided in a future software update.
  Having searched around, I can't find any reference to the NAC Appliance being IPv6 compatible. Does anyone know what modes (if any) are IPv6 compatible?

  Hi,
  Even though IPv6 has been on the road map, currently it is not supported and there is no ETA for IPv6 support by NAC devices.
  HTH,
  Tiago
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• NAC Appliance Deployment issue

  Hi,
  We are going to deploy Cisco NAC Appliance 3310 Clean Access server in our network. Regarding the deployment I have several questions.
  My questions are:
  Do we required any additional server like WSUS for patch/windows update management?
  Does NAC appliance talk with MS AD for authentication?
  Do we required anti-virus server for endpoint security?
  Do we required additional remediation server to remediate the infected endpoint?
  I will be glad if get the above answer.
  Regards,
  Mamun

  Mamun,
  No, the CCA system asks the client to remediate itself, and the Windows update client on the client computer then attempts to remediate based on it's options. The two options are going to Microsoft's WU servers, or if you have an internally defined WSUS server, going to that.
  The other thing you can do also is to "offer" the clients to download files that you store on the CCA system based on different requirements, but doing it this way would be very hard to manage since you're looking at creating requirements for each patch which can become unwieldy very soon.
  View these Video-on-demands on how CCA does posture assessment and remediation. Look at VOD 5:
  http://tinyurl.com/d74t9u
  HTH,
  Faisal

• Ssl certificate for cisco NAC

  Hello All,
  Gurus,out there please help me understand how do i update the SSL certificate on cisco NAC appliance (clean access mananger/clean access server).
  how to check when is the certificate being expired.
  thanks in advance.

  Please have a look at the following link:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_admin.html#wp1078189
  On the CAM interface, you can export the current certificate and see its validity:
  Administration > Clean Access Manager >> SSL > X509 Certificate >> Select Cert and hit 'Export'
  Please rate if you find the input helpful
  Regards
  Farrukh

• Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

  Hi,
       I try to setup SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit, but I can't start Active Directory SSO Service that show error follow below. I saw this error " KDC has no support for encryption type (14)" . Could anyone help me to troubleshoot this problem?
  FQDN: active.test.com
  Domain Name : test.com
  User : ccasso
  2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - Server was not running ...
  2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - Server starting server ...
  2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - Server is now running ...
  2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - SPN : [ccasso/[email protected]]
  2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - building kdc list for domain active.test.com
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - done building kdc list for domain active.test.com
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - KDC(s) :[10.0.240.100]
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - creating login context ...
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - created login context ...javax.security.auth.login.LoginCon                                                                           
  text@5ad7b2
  2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer                                                                                           
  - Unable to start server ... KDC has no support for encryption type (14)
  2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - Notifying GSSServer status Stopped
  2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - server is exiting .

  Hi,
  This error means that your DC does not support the encryption method the ACS wants to use.
  Usually this happens when you run 2008 Server with 2003 functionality...
  You will need to run ktpass.exe according to the DC you are running:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
  For Windows 2008 Server at 2003 Server functional level:
  ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass
  PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.