Cisco NAC Appliance

Hi
I wanted to know if someone can give me some help on a Cisco NAC appliance.
Honestly I've heard of them but I've never installed or worked on one before, and I
have a client who wants to have one installed. So I wanted to know: can someone here
point me in the right direction as far as installation and configuration? Thanks for
the help in advance and have a great evening.

Hi
Everything you need to get started:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

    Hi,
    I am re-imaging the Cisco NAC Appliance 3315 and installing the Cisco ISE 1.1.4...
    After finishing the installation, when I type "SETUP", it gives me the error below:
    # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
    # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
    Please advise....
    I tried to change the Time/Date as per UTC/GMT accordingly... But I didn't find the RAID in the CLI... see the link below
    (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
    Any idea...
    Regards,
    Mubasher Sultan

    Where did you get the recovery media? Did you download from cisco.com?
    Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
    Supporting link:
    http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
    Jatin Katyal
    - Do rate helpful posts -
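
The checksum comparison described in the reply above, as an added example (not part of the original thread and not Cisco tooling). The file name, payload and "published" value are constructed stand-ins; in practice the published value is the MD5 shown on the download page.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path


def file_md5(path, chunk_size=1024 * 1024):
    """Hex MD5 of a file, read in chunks so a multi-GB ISO is never held in memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_checksum(published):
    """Accept the value as pasted from a web page: mixed case, spaces, colons."""
    value = re.sub(r"[\s:]", "", published).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", value):
        raise ValueError("not a 32-hex-digit MD5 value: %r" % published)
    return value


def verify_image(path, published):
    """True only if the file's MD5 equals the published value."""
    return hmac.compare_digest(file_md5(path), normalize_checksum(published))


def demo():
    """Constructed stand-in for an ISO: verify it, flip one bit, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "constructed-image.iso"  # placeholder name
        image.write_bytes(b"constructed ISO payload\n" * 4096)
        published = file_md5(image).upper()  # stands in for the vendor's value
        good = verify_image(image, "  " + published + "\n")
        data = bytearray(image.read_bytes())
        data[100] ^= 0x01  # simulate a single-bit download or burn error
        image.write_bytes(bytes(data))
        bad = verify_image(image, published)
        return good, bad


if __name__ == "__main__":
    print(demo())
```

A matching MD5 rules out a corrupted download; it does not rule out a bad burn or failing optical drive, so the burned DVD should be verified against the image as well.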

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • What is a Cisco NAC appliance used for?

    We have a 5508 WLC in use already and have this 3310 lying around unused. I am trying to figure out if adding a 3310 would be of any benefit.
    From the documentation, the features of a 3310 NAC are:
    Recognize users, their devices, and their roles in the network
    Evaluate whether machines are compliant with security policies
    Enforce security policies by blocking, isolating, and repairing noncompliant machines
    Provide easy and secure guest access
    Simplify non-authenticating device access
    Audit and report whom is on the network
    What does enforce security policies by blocking, isolating, repairing really mean?
    "Provide easy and secure guest access" I already have a public wireless SSID set on the WLC.
    I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
    I can get a report from my logging traps collector, Solarwinds.

    Well, usually when I deployed them back in the day, you had a NAC Appliance and another NAC Manager. But what you have read, that is exactly what it does.
    What does enforce security policies by blocking, isolating, repairing really mean?
    It will block and isolate the device if it doesn't meet the requirements that you have set, but the user has to manually repair the items.
    "Provide easy and secure guest access" I already have a public wireless ssid set on the wlc.
    I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
    I can get an report from my logging t
    You will not see any username or ap locations. I wouldn't use it as it might be more of a headache to implement unless you know what you are doing.

  • Cisco NAC Appliance SSO AD by OU (Organization Unit) is possible?

    Hello, I have a question. Is it possible to implement NAC Appliance SSO AD VG/Real IP - L2/L3 by OU (Organization Unit)? For example, if I have OU sales and OU market in the Windows domain X, is it possible to restrict the policy and assign different networks (10.1.1.0/24 for OU sales and 10.1.2.0/24 for OU market)?
    Regards
    Alvaro

    Yes, that is possible. First you will create a user role for each of the two separate OUs, then you assign a user role VLAN to each role. Then you will have to create an LDAP lookup server. You will then create an attribute condition which will map users that are a memberOf xxx to user role yyy.
    This is for out-of-band scenarios, because the clients at first will get the same authentication IP address, but after the port is switched over, the IP address they get will be based on the VLANs they land on.
    Let me know if you need anything else.
    Tarik

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server. The symptoms when the NAC server hung include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via HTTPS, and the HA pair being detected as down by its HA neighbor, which triggered failover to the secondary CAS.
    The CAS server recovered after a manual power cycle of the hardware.
    After going through the attached CAS logs, I found that all the services and the logging service were stopped when the issue happened, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried to search the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, because software version 4.8.1 has been running in my company for years and only one CAS server has the issue.
    It would be great if anyone could help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.

  • Question about cisco nac agent

    When I deploy a Cisco NAC appliance, what is the main difference between using the Cisco NAC appliance with or without the agent? I see the Cisco NAC agent has two functions: scan and remediation. If the Cisco NAC appliance is used without the agent, the Cisco NAC server will scan the device and do remediation. Is that right?
    Please answer me soon. Thank you for your answer.

    Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
    We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
    1) You have to decide which vulnerabilities you want to scan for.
    2) The more plug-ins you enable, the longer (obviously) the scan takes.
    3) There are configuration steps for many of the plug-ins.
    4) Your users will still need to go to a login page in order to be scanned.
    5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
    From our viewpoint, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
    It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
    Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
    Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.

  • L2 or l3 switch with NAC appliance

    Hi,
    I am planning to deploy the NAC appliance in OOBVG mode. For the access layer, L2 switches are selected (2960). If I replace the L2 access switches with L3 (3560 or 3750), would this add more manageability to the access layer by NAC?
    Regards,
    Mladen

    Thanks.
    The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
    "In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
    So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is client satisfactory.
    If the NAC is in OOBVG mode, are there any NAC features, which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
    Regards,
    Mladen

  • NAC appliance basic setup

    I have a small project to authenticate around 100 users to access the network. We are planning to use the Cisco NAC appliance. Just to clarify (I have seen some posts but I am not sure of the right answer): do I need 2 separate appliances, one as server and the other as controller, or do I just need one doing both tasks?
    Thanks,
    -Arturo

    Hi Arturo,
    You need two appliances to make it work. One manager and one server.
    There is an excellent book from the Cisco Press on the NAC Appliance by James Heary which will provide you with plenty of details and background on setting up the appliances.
    Hope this helps.
    Paul

  • NAC Appliance and Novell

    Does anybody know whether or not the Cisco NAC Appliance (CCA) will work with Novell authentication in any fashion?

    We're starting a pilot now. We have to use MAC address authentication because there is no Novell support.

  • NAC Appliance IPv6 Compatibility

    I read in the book "Cisco NAC Appliance: Enforcing Host Security with Clean Access" (published 2008) that the Real IP Gateway mode is only IPv4 compatible but that IPv6 compatibility will be provided in a future software update.
    Having searched around, I can't find any reference to the NAC Appliance being IPv6 compatible. Does anyone know what modes (if any) are IPv6 compatible?

    Hi,
    Even though IPv6 has been on the road map, currently it is not supported and there is no ETA for IPv6 support by NAC devices.
    HTH,
    Tiago
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • NAC Appliance Deployment issue

    Hi,
    We are going to deploy Cisco NAC Appliance 3310 Clean Access server in our network. Regarding the deployment I have several questions.
    My questions are:
    Do we require any additional server like WSUS for patch/Windows update management?
    Does the NAC appliance talk with MS AD for authentication?
    Do we require an anti-virus server for endpoint security?
    Do we require an additional remediation server to remediate the infected endpoint?
    I will be glad if I get the above answers.
    Regards,
    Mamun

    Mamun,
    No, the CCA system asks the client to remediate itself, and the Windows update client on the client computer then attempts to remediate based on its options. The two options are going to Microsoft's WU servers, or if you have an internally defined WSUS server, going to that.
    The other thing you can do also is to "offer" the clients to download files that you store on the CCA system based on different requirements, but doing it this way would be very hard to manage since you're looking at creating requirements for each patch which can become unwieldy very soon.
    View these Video-on-demands on how CCA does posture assessment and remediation. Look at VOD 5:
    http://tinyurl.com/d74t9u
    HTH,
    Faisal

  • SSL certificate for Cisco NAC

    Hello All,
    Gurus out there, please help me understand how I update the SSL certificate on the Cisco NAC appliance (Clean Access Manager/Clean Access Server).
    How do I check when the certificate expires?
    Thanks in advance.

    Please have a look at the following link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_admin.html#wp1078189
    On the CAM interface, you can export the current certificate and see its validity:
    Administration > Clean Access Manager >> SSL > X509 Certificate >> Select Cert and hit 'Export'
    Please rate if you find the input helpful
    Regards
    Farrukh

  • NAC Appliance - Cisco Clean Access v4.7.0

    Hi,
    I have a NAC appliance (lite manager and server) version 4.7.0. Do these devices support Windows 7? The last time I checked, it only supported Win XP, 2k, Me, NT, 95, 98 and Vista. But I did not see the Windows 7 OS. I want to upgrade the client workstations from Windows XP to Windows 7 but I'm not sure if it's going to be supported by the NAC Appliance I have. Could somebody help me on this? Thanks in advance.
    Richard

    Cisco is also introducing improved abilities to assess the security risk of unmanaged or agentless endpoints/devices, that do not support the CTA and are attempting to gain network access. This is accomplished through collaboration with a new auditing category of NAC partner program vendors. Vendors joining this new category include Altiris, Qualys, and Symantec (through the WholeSecurity acquisition). Collaboration with these vendor solutions helps the NAC framework dramatically improve its ability to assess the risk of agentless devices such as guest laptops, printers, PDAs, and Internet Protocol telephones. These devices can now be audited by this new category of partners. The audit results will then be communicated back to the network to enforce the proper network admission decision.
    http://newsroom.cisco.com/dlls/2005/prod_101805.html

  • NAC Appliance & Cisco Trust Agent

    Hi,
    I have a requirement to implement NAC using the NAC Appliance (Cisco Clean Access). Does anyone know if this will work correctly with CTA in the same way that the NAC framework would do?? I am interested as I wish to use the Cisco Secure Services Client as an 802.1x supplicant and this interfaces directly with the CTA.

    Cisco is also introducing improved abilities to assess the security risk of unmanaged or agentless endpoints/devices, that do not support the CTA and are attempting to gain network access. This is accomplished through collaboration with a new auditing category of NAC partner program vendors. Vendors joining this new category include Altiris, Qualys, and Symantec (through the WholeSecurity acquisition). Collaboration with these vendor solutions helps the NAC framework dramatically improve its ability to assess the risk of agentless devices such as guest laptops, printers, PDAs, and Internet Protocol telephones. These devices can now be audited by this new category of partners. The audit results will then be communicated back to the network to enforce the proper network admission decision.
    http://newsroom.cisco.com/dlls/2005/prod_101805.html
