Cisco NAC deployment without Internet in infrastructure

My infrastructure doesn't have internet, and there is no chance of it in the future either due to security restrictions. Can I deploy NAC without internet in my infrastructure? We have a Symantec central AV server (updated manually after downloading definitions from a different infrastructure that has internet), and clients are updated from this server.
In NAC I cannot see the vendors list of AV. How do I do all this?
Thanks
SRashid


Similar Messages

  • CISCO NAC deployment with ASA for internal servers (DMZ)

    We deployed a Cisco ASA for our clients' access to DMZ servers a few months ago. Now we want to integrate the Cisco NAC solution without removing the ASA
    from the infrastructure. What will be the best deployment mode of Cisco NAC so that clients can also pass through the Cisco ASA access list for filtering before reaching the DMZ servers?
    What gateway will clients use? Please help.
    Should I use Virtual Gateway or Real Gateway for NAC? Clients should first come to NAC (CAS) and then go through the ASA to reach the DMZ servers.

    Hello,
    This should work. Please review the attached PDF for more clarity on this topic: https://supportforums.cisco.com/docs/DOC-9102
    HTH,
    Faisal

  • Question about cisco nac agent

    When I deploy Cisco NAC Appliance, what is the main difference between using Cisco NAC Appliance with or without the agent? I see the Cisco NAC agent has two functions: scan and remediation. If Cisco NAC Appliance is used without the agent, the Cisco NAC server will do the scan and remediation. Is that right?
    Please answer me soon. Thank you for your answer.

    Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
    We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
    1) You have to decide which vulnerabilities you want to scan for.
    2) The more plug-ins you enable, the longer (obviously) the scan takes.
    3) There are configuration steps for many of the plug-ins.
    4) Your users will still need to go to a login page in order to be scanned.
    5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
    From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
    It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
    Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
    Of course, the agent is only for MSoft (with some Mac options), so if you have Linux systems, the Nessus scanner would be your only option.

  • Error with GPOs on Cisco NAC

    I have Cisco NAC deployed in-band; all PCs had the CCA Agent deployed via a GPO before the migration. Now that all the systems are behind NAC in-band, none of the systems will process GPOs, machine or user policies. I have the unauthenticated role allowing all traffic to all the domain controllers, but with no luck. If I move the PC to a VLAN that is not trunked to the CAS, the GPOs process with no problem. Any ideas?

    I think the ports list in the CAS manual is not complete. Try this list of ports from the CAM manual chapter User Management: Traffic Control, Bandwidth, Schedule:
    Allow TCP *:* Server/255.255.255.255: 88
    Allow UDP *:* Server/255.255.255.255: 88
    Allow TCP *:* Server/255.255.255.255: 389
    Allow UDP *:* Server/255.255.255.255: 389
    Allow TCP *:* Server/255.255.255.255: 445
    Allow UDP *:* Server/255.255.255.255: 445
    Allow TCP *:* Server/255.255.255.255: 135
    Allow UDP *:* Server/255.255.255.255: 135
    Allow TCP *:* Server/255.255.255.255: 3268
    Allow UDP *:* Server/255.255.255.255: 3268
    Allow TCP *:* Server/255.255.255.255: 139
    Allow TCP *:* Server/255.255.255.255: 1025
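    The reply above leaves the admin with a list of allow rules and a symptom (GPOs not applying). The script below is an added example, not code from the original thread or from Cisco: it parses the quoted rule lines into (action, protocol, port) tuples and, from a host in the unauthenticated role, probes each TCP port on a domain controller with a short connect so you can see which of the listed ports the CAS policy actually lets through. UDP entries are reported but not probed, because a UDP "connect" proves nothing without an application-level reply. The domain-controller host name is a placeholder; the `connect` parameter exists so the check can be exercised offline with a stand-in connector.

```python
"""Verify that the DC ports a CAS role policy is meant to allow are reachable.

Added example (not from the original post). Parses the rule lines quoted in
the thread, then TCP-probes each allowed port on a domain controller from a
client sitting in the unauthenticated role. UDP rules are listed but not
probed. Domain-controller host name below is a placeholder.
"""
import re
import socket
from typing import Callable, Dict, List, Tuple

# Rule lines exactly as quoted in the reply above (Kerberos 88, LDAP 389,
# SMB 445, RPC endpoint mapper 135, Global Catalog 3268, NetBIOS 139, 1025).
RULE_TEXT = """
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025
"""

# "<action> <proto> <src> <dst>/<mask>: <port>" as written in the CAM manual.
RULE_RE = re.compile(
    r"^(?P<action>Allow|Block)\s+(?P<proto>TCP|UDP)\s+(?P<src>\S+)\s+"
    r"(?P<dst>\S+?)/(?P<mask>\d+\.\d+\.\d+\.\d+):\s*(?P<port>\d+)\s*$"
)


def parse_rules(text: str) -> List[Tuple[str, str, int]]:
    """Return (action, protocol, port) for every non-blank rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rules.append((m["action"], m["proto"], int(m["port"])))
    return rules


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(rules: List[Tuple[str, str, int]], host: str,
                   connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, str]:
    """Map 'TCP/88' -> 'open' | 'blocked', 'UDP/88' -> 'not probed'."""
    results: Dict[str, str] = {}
    for action, proto, port in rules:
        key = f"{proto}/{port}"
        if action != "Allow":
            results[key] = "denied by rule"
        elif proto == "UDP":
            results[key] = "not probed"          # no reply means nothing for UDP
        else:
            results[key] = "open" if connect(host, port) else "blocked"
    return results


def missing_ports(results: Dict[str, str]) -> List[str]:
    """Allowed TCP ports that did not answer, sorted by port number."""
    return sorted((k for k, v in results.items() if v == "blocked"),
                  key=lambda k: int(k.split("/")[1]))


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.internal"  # placeholder
    report = check_dc_ports(parse_rules(RULE_TEXT), dc)
    for key, state in report.items():
        print(f"{key:10} {state}")
    print("blocked:", ", ".join(missing_ports(report)) or "none")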
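```

    Run it from a PC in the unauthenticated role with the DC name as the argument, then again from a VLAN not trunked to the CAS; any port that flips from "blocked" to "open" is one the role policy is still missing. Note that Windows RPC also uses dynamic high ports beyond 1025, which is why a check limited to this list can pass while GPO processing still fails.
    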

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to whether any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

    Hi,
    I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
    3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
    Please, give me some advice.
    Thanks in advance,
    Mladen

    Thanks for the reply, but I am still a bit confused (would you please try to answer the questions?):
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
    3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
    I refer to
    "Implementing Network Admission Control Phase One Configuration and Deployment";
    "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
    Thanks in advance,
    Mladen

  • One Cisco prime deployment for three physically different Networks

    Can one Cisco Prime deployment be used to manage three physically different networks without creating a bridge between the networks? It is imperative that the networks remain separated, but they will be managed by the same team, so can you somehow use one Cisco Prime without the networks becoming connected?

    Hi,
    I believe you can manage any device if it is reachable (ICMP/SNMP) from Prime Infrastructure.
    Just make sure all 3 different networks are reachable from PI; it's not required that they be reachable among themselves.
    PI itself does not do any bridging/routing between your 3 different networks, therefore PI doesn't know if you can route between them or if they're separated.
    Since the 3 different networks are not reachable among themselves, use 3 different seed IPs while discovering.
    Also, from a management point of view, you can create virtual domains, group the devices network-wise, and then while logging in to PI you'll get the feel of managing 3 different networks with the same PI.
    But since PI knows all the devices of the 3 different networks, it'll consume CPU/RAM/disk space accordingly, therefore you need to pay attention to the resources of PI.
    Using Virtual Domains to Control Access to Sites and Devices
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-0/administrator/guide/PIAdminBook/maint_user_access.html#pgfId-1056197
    - Ashok
    Please rate the post or mark as correct answer as it will help others looking for similar information

  • NAC deployment

    Hello there!
    I have 2 NAC Appliance 3310s. I want to configure them both as Clean Access Servers (CAS). One will be failover for the other. In this deployment I will have no Clean Access Manager. Is this possible? If possible, how will I configure the CAS without CAM? Is it also possible to install the CAM software on different hardware other than NAC Appliances (like normal PCs or server machines)?
    Best regards,
    Stanslaus.

    Hi Stanslaus,
    You need one Clean Access Manager (CAM) and one Clean Access Server (CAS) at a minimum to make any In-band or Out-of-band solution work. What's more, the CAM and the CAS cannot be installed on the same server.
    Here are some excellent references to consult:
    http://cisconac.blogspot.com/
    http://www.networkworld.com/community/heary
    http://blog.tenablesecurity.com/
    http://blogs.cisco.com/security
    http://6200networks.com/
    http://www.demolabs.co.uk/cisconac_demo.html
    Cisco Security Center http://tools.cisco.com/security/center/home.x
    Books:
    Cisco NAC Appliance: Enforcing Host Security with Clean Access by Jamey Heary, Jerry Lin, Chad Sullivan, Alok Agrawal. (2007)
    Hope this helps.
    Best,
    Paul

  • Does Cisco NAC support for HP Switches

    Dear all,
    the existing network has HP switches. Is there any way I can deploy the Cisco NAC solution here?
    Please revert.
    thanks ,

    Cisco NAC has lots of limitations, and surely this is one of them. But while I respect the fact that Cisco will not support NAC on HP switches, it can work. And it will perform just fine; once you understand "Cisco NAC" and are able to configure it for the first time, you will be able to support it without the need of TAC.
    The idea is that Cisco NAC sends commands to the switches on the network to apply specific access lists or VLAN changes; since Cisco can only speak Cisco, it does not know how to tell other switches to do that. The workaround is that you would have the NAC running in in-line mode on your network. Yes, this will introduce a bottleneck, but that is the only way to do it. The NAC will then look at the traffic based on the MAC or IP and apply a set of policies depending on the source or the destination.
    Please do your research and look at other NAC solutions before you decide the best vendor to go with.

  • Cisco NAC profiler

    Hi,
    I have a few doubts; if anyone can clear them up it will be great. I have a NAS OOB real IP gateway deployment in my network.
    Assuming all the ports are NAC-controlled, as soon as the client plugs in they will be in the auth VLAN.
    Now I have a Cisco NAC Profiler in my network which I am going to configure for IP phones and printers.
    For example, the port the IP phone is connected to will be under the auth VLAN also.
    Hence as soon as the IP phone gets connected, the Cisco Profiler will see the profile and change the auth VLAN to its respective VLAN by mapping the profile with the NAC profile which we have mapped in the Profiler and given the VLAN in the NAC user profile for the IP phone.
    Please correct me if I am wrong in my understanding of the working. I need to profile IP phones. I am not able to bridge the connection.
    It would be a great help if you can help me out.
    Thanks in advance.

    Dear Nitesh,
    The IP phones should be configured to work on the Voice VLAN; the NAC Manager on its OOB config can only manage the access VLAN for the switch port.
    Given this, the correct config for the filters for the IP Phones is "ignore", as described here:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_addSrv.html#wp1092789
    The NAC Profiler can help to add these filters without manual intervention, so you should configure the Profiler with the appropriate NAC event that configures the filter for the IP Phone MAC address to "ignore".
    This won't cause the port to change status NAC wise, as the NAC Manager will simply "ignore" the MAC notification for the IP Phone(s).
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • Deployment of Internet services

    Hi All,
    We are in the throes of planning to move our production data centre, which currently resides with the business, to a professional facility roughly 3 km from the current business premises. We currently have 2 x 2Mbps services deployed in the data centre. Our plan is to deploy new Internet services in the new data centre and route traffic from our business premises through these.
    My question is, do you, in your designs, also deploy Internet services with the business or just move them to the data centre? I am thinking the latter option, as if you host a connection with the business it could be difficult to host Internet-facing services without deploying these with the business (DMZ, email, etc.).
    Just looking for some feedback on how others have designed their networks.
    I guess another issue is content filtering (browsing).
    Thoughts?
    Thanks,
    Darren

    Hi Darren,
    Your question is a little bit confusing; what is the goal you are trying to achieve?
    ty

  • Installing Arch on PC without Internet Connection/Slow Connection

    Arch Linux requires a fairly good internet connection to set up. How can one install it on machines which don't have any internet connectivity? Is there any way to make a DVD of Arch on a computer connected to the internet, with Arch set up (DE, media players, codecs etc.), which can then be used on machines without internet connections? This would be useful for me to install at my friend's place. Does anyone even have a remote solution for this?

    https://wiki.archlinux.org/index.php/Of … f_Packages
    https://wiki.archlinux.org/index.php/Lo … ory_HOW-TO
    and, of course:
    https://wiki.archlinux.org/index.php/Beginners%27_Guide
    You could also install on a computer with a connection, then use something like Clonezilla to deploy it.

  • NAC Server without NAC manager

    Hi,
    I would like to know whether a NAC server (NAC appliance 3355) is enough to provide NAC functionality without a NAC manager in the network for one location, say a datacenter.
    Regards,
    Ashok

    Hi Ashok,
    You can use a single CAS in the network in a single location in case you have a centralized CAM for multiple locations, but you would need at least one CAM to manage all the CAS servers, as all the settings and policies for the CAS are stored in the CAM.
    Moreover, the CAS product licenses are generated based on the eth0 MAC address of the CAM, so at least one CAS is essential.
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp39625
    HTH!
    Regards,
    Sumir

  • Cisco NAC technical information

    Hello everyone,
    So I've been looking through the Cisco website trying to get information about Cisco NAC (at the request of my boss, the IT team leader). Unfortunately, all the information about NAC on this website is geared towards supervisors and purchasing authorities; I haven't been able to find any sort of real technical data, just a bunch of sales mumbo-jumbo. I know a lot about what it can do, but nothing about how it does it.
    I would like to know how this system would interact with my network. I'm newly in charge of an almost pure Cisco network consisting of a couple dozen Catalyst 2950 switches and 3 Catalyst 3750 stacks in various positions throughout the network.
    Our network uses a star-topology, meaning all the switches tend to radiate from the central Layer 3 switches (the 3750s), meaning we don't, at the moment, have any sort of redundancy like in the Cisco-recommended Core-Distribution-Access topology. We want to get to that point sometime in the future.
    Anyways, I'd like to know how I can integrate Cisco NAC into my existing network. How would it connect and where? How does it regulate access? Do all computers require some kind of client to be installed? How does it regulate VLANs (of which we have about 50)?
    Like I said, we want to basically overhaul our network sometime in the future, but I'm not really counting on it happening soon, so I'd like to know how NAC would be implemented in our current network so that we may be able to enjoy some of those benefits right away.

    My explanations / answers are not authoritative but should provide some general idea about things you could accomplish with this product.
    1.) Since you are basically all Cisco you will probably use an out-of-band solution. This allows the NAC to "manage" your switch ports. As the sales literature suggests it's about mapping users/ips/macs to roles and allowing access based on the role. Example would be new device plugs in to a perm switch. You require that all machines have AV, New Defs, and Latest Updates. The client would use the agent to validate it has met these requirements. If not the agent may recommend (at your pref) how to meet the given requirement - I personally like the idea of providing links to pages where they can find information on fixing the issue. Once the 3 requirements are met you allow the system access to your network on a given vlan in a specific role.
    2.) Again, because your switches are all Cisco you have many options. Primarily in-band vs out-of-band. I have very little doubt you would choose out-of-band with the description of your topology given above.
    3.) Connection would be 2 ports on your 3750 stack.
    4.) It regulates traffic by performing requirements checks and by mapping machines to a given role. That role is allowed to do certain activities on your network. I kind of think of role management like a firewall of sorts. Once you are authenticated to a given role you are allowed to do things like surf the internet or ftp to an internal server. Each role could be given different access ability.
    5.) Technically no machines "require" a client to be installed. You can use a combination of web login with scanning and / or Cisco agent installations. For Linux machines no agent is currently available to my knowledge. For Macs and PCs the agent (once installed) seems to make access simpler.
    6.) Vlan regulation depends on the type of install you choose. For example you may map vlans.
    Hope that helps.
    Greg W.

  • RV042 Windows incompatibility HTTP Connections between Subnets without Internet access

    Hello, 
    We are a company in the banking sector.
    We have two RV042 routers.
    One of these routers (R1) is configured for restricted users without internet access. This router doesn't have internet connections; the WAN ports are blocked.
    Router 1: restricted users
    Router 1 IP LAN: 10.22.4.1/24
    Router 1 IP Subnet 1: 10.22.1.2/24 (for communication with web servers on LAN 10.22.1.0/24)
    PC1: 10.22.4.3/24
    DNS: 10.22.4.51/24 (this DNS server has an internet connection through subnet 2)
    The other router (R2) has an internet connection through the WAN port so the DNS servers can respond to client requests, and a web server is in this subnet.
    Router 2: Web server's LAN and internet connection for the DNS server
    Router 2 IP LAN: 10.22.1.1/24
    Router 2 IP Subnet 2: 10.22.4.2/24 (for communication with restricted users on LAN 10.22.4.0/24)
    Web Server: 10.22.1.60/24
    We need to access the web server from the restricted users' network.
    From a Linux operating system, access to the web server is OK.
    But from Windows operating systems, we can't access the web server. Time out.
    So we think that there is some incompatibility between the RV042 router and Windows operating systems.
    On the Microsoft website, there is an article regarding an incompatibility issue with the RV042 which could help:
    http://support.microsoft.com/kb/934430
    We copied a file attachment.
    Thanks, sorry for bad English

    Hi,
    Have you also tested configuring a static route?
    I am asking because the RV042 does not support VLANs and consequently cannot do inter-VLAN routing. Configuring a subnet with the Multiple Subnet option only gives that subnet access to the internet. Unless a static route is configured for where this traffic is to be routed in the LAN, the router itself will normally drop the packet.
    If it works for you, this leads me to the thought that there are other routes that packets from LAN 10.22.1.0 to LAN 10.22.4.2 (and vice versa) are taking, but not necessarily the routers.
    Here I can just give a direction of where to look, but if you think you checked all possibilities, it would be better to contact the support line. They will help as long as the device is under warranty.
    Hereby the contacts:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Kremena
