Cisco NAC Server

Hello! Help me please!
I am performing an installation of Cisco NAC Server 3315 ver. 4.8(2), but afterwards I can't connect to the server by https: I get HTTP 403 Forbidden. I can connect to the NAC Server by ssh, though.
What could be the reason?

While rebooting, I am getting this:
Starting nc_drivers:  /dev/nfastpci0
[  OK  ]
Starting nc_hardserver:  waiting for nCipher server to become operational ...
waiting for nCipher server to become operational ...
waiting for nCipher server to become operational ...
waiting for nCipher server to become operational ...
waiting for nCipher server to become operational ...
nCipher server did not start; see /opt/nfast/log/hardserver.log
[FAILED]
Starting sshd:WARNING: initlog is deprecated and will be removed in a future release
key_load_private_pem: RSA_blinding_on failed
Could not load host key: /root/.perfigo/sec/tomcat.key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
[FAILED]
Starting xinetd: [  OK  ]
Starting console mouse services: [  OK  ]
Starting nessusd: Loading the Nessus plugins...
All plugins loaded                                  
[  OK  ]
Starting crond: [  OK  ]
Starting anacron: [  OK  ]
Starting atd: [  OK  ]
Starting jexec:  Starting jexec services[  OK  ]
Starting Ncipher services
-- Running startup script 45drivers
-- Running startup script 46exard
-- Running startup script 50hardserver
waiting for nCipher server to become operational ...
waiting for nCipher server to become operational ...
waiting for nCipher server to become operational ...
waiting for nCipher server to become operational ...
waiting for nCipher server to become operational ...
nCipher server did not start; see /opt/nfast/log/hardserver.log
Starting perfigo:  click: starting router thread pid 2092 (f7b7d340)
Failed execute command : CONNECTFORCE, Error : Connection refused
BaseAgent process reconnecting...
Failed execute command : ACTIVE, Error : Connection refused
BaseAgent executes [ACTIVE] ...
Link Detect Manager only operates when HA is enabled.
NFastApp_Connect failed: ServerNotRunning
And then in the hardserver log I am getting "nCipher card not in operational mode. Please change the settings on the card."
How do I resolve the issue?
Thanks
Shalvi Yadav

Similar Messages

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server. The symptoms when the NAC server hung included no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via https, and the HA pair being detected down by its HA neighbor, which triggered failover to the secondary CAS.
    The CAS server was recovered after manually power cycling the hardware.
    After going through the attached CAS logs, I found all the services and the logging service were stopped when the issue happened, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried to search the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, because software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
    It would be great if anyone can help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS, CAM and CA Server. If this still doesn't work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.

  • Cisco NAC Server eth0 fails communication when connected to trunking switchport

    NAC deployment is L2 OOB Virtual-Gateway-Mode
    When our CAS eth0 is connected to a trunk port, the port will change to a connected state but we are unable to ping the CAS from the CAM or from the switch connected to the CAS. Our CAM is on VLAN 32 and the CAS is on VLAN 60. Below is the config for the port connecting the CAS. The CAS management IP is assigned to VLAN 60. The switch is a 6509. Blade 2 only supports dot1q so we do not need to set the encapsulation type for this switchport.
    interface GigabitEthernet2/39
    description Trust eth0
    no ip address
    switchport
    switchport trunk native vlan 998
    switchport trunk allowed vlan 33,34,40,60
    switchport mode trunk
    end
    If we disable trunking and switch the port to access VLAN 60 we are able to communicate with the CAS. Has anyone run into this when deploying NAC?
    If so, how was the issue resolved?

    I have the same issue. But it gets even stranger; I had the CAM/CAS working in a test LAN environment, got the AD SSO to work by applying VLANs based on AD group membership of the user logging on. The client was pleased.
    We moved the two NAC devices to their location and reloaded both CAM & CAS clean from CD, did the same configuration, and now eth0 (Trusted) can't see the AD domain controller but can see the CAM. I ran nslookup on the CAS to test the network settings and the result is "no server found"; the DNS server is the AD domain controller.

  • Question about cisco nac agent

    When I deploy the Cisco NAC appliance, what is the main difference between using the Cisco NAC appliance with or without the agent? I see the Cisco NAC agent has two functions: scan and remediation. If the Cisco NAC appliance is used without the agent, will the Cisco NAC server scan the device and remediate? Is that right?
    Please answer me soon. Thank you for your answer.

    Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
    We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
    1) You have to decide which vulnerabilities you want to scan for.
    2) The more plug-ins you enable, the longer (obviously) the scan takes.
    3) There are configuration steps for many of the plug-ins.
    4) Your users will still need to go to a login page in order to be scanned.
    5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
    From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
    It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
    Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
    Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.

  • Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

    Hi,
    I am trying to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64-bit, but I can't start the Active Directory SSO Service; it shows the error below. I saw this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
    FQDN: active.test.com
    Domain Name : test.com
    User : ccasso
    2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer - Server was not running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server starting server ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server is now running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - SPN : [ccasso/[email protected]]
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - done building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - KDC(s) :[10.0.240.100]
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - creating login context ...
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - created login context ...javax.security.auth.login.LoginContext@5ad7b2
    2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer - Unable to start server ... KDC has no support for encryption type (14)
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Notifying GSSServer status Stopped
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - server is exiting .

    Hi,
    This error means that your DC does not support the encryption method the ACS wants to use.
    Usually this happens when you run 2008 Server with 2003 functionality...
    You will need to run ktpass.exe according to the DC you are running:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
    For Windows 2008 Server at 2003 Server functional level:
    ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass
    PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
    HTH,
    Tiago
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.
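Added example (my own code, not Cisco's and not from the thread): a small Python triage helper that reassembles the wrapped GSSServer entries quoted in the post above, pulls out the SPN and KDC list, and maps the Kerberos error code printed in parentheses to its RFC 4120 name. The header regex assumes the log4j-style layout shown in the post; the SPN realm TEST.COM in the embedded sample is constructed, since the post's realm is elided.

```python
"""Triage helper for the Perfigo GSSServer (AD SSO) log quoted in the post.
Added example, not Cisco's code: rebuilds wrapped entries, extracts the SPN
and KDC list, and names the Kerberos error code printed in parentheses."""
import re
from typing import Dict, List

# KRB-ERROR codes from RFC 4120 section 7.5.9. Code 14 is the one in the log:
# the KDC does not offer the encryption type the CAS asked for, which is why
# the reply points at regenerating the keytab with ktpass for the DC's level.
KRB_ERROR_NAMES: Dict[int, str] = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
}

# Entry header: timestamp, tz, level, logger, optional " - message" tail
# (the tail is only on the same line when the paste did not wrap it).
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+)(?:\s+-\s+(?P<msg>.*))?$"
)
SPN_RE = re.compile(r"SPN : \[(?P<spn>[^\]]+)\]")
KDC_RE = re.compile(r"KDC\(s\) :\[(?P<kdcs>[^\]]*)\]")
ERR_CODE_RE = re.compile(r"\((?P<code>\d+)\)\s*$")

def parse_gss_log(text: str) -> List[dict]:
    """A "- ..." line is the message of the preceding header; any other
    non-header line is a hard wrap (e.g. "LoginCon"/"text@5ad7b2") and is
    glued back on without a space."""
    entries: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": m["level"],
                            "logger": m["logger"], "msg": m["msg"] or ""})
        elif entries and line.startswith("- "):
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line[2:]).strip()
        elif entries:
            entries[-1]["msg"] += line
    return entries

def triage(entries: List[dict]) -> dict:
    # Summarise what GSSServer did and why it stopped.
    report: dict = {"spn": None, "kdcs": [], "errors": [], "stopped": False}
    for e in entries:
        spn = SPN_RE.search(e["msg"])
        if spn:
            report["spn"] = spn["spn"]
        kdcs = KDC_RE.search(e["msg"])
        if kdcs:
            report["kdcs"] = [k.strip() for k in kdcs["kdcs"].split(",") if k.strip()]
        if e["level"] == "ERROR":
            code = ERR_CODE_RE.search(e["msg"])
            num = int(code["code"]) if code else None
            name = KRB_ERROR_NAMES.get(num, "UNKNOWN_CODE") if num is not None else None
            report["errors"].append({"ts": e["ts"], "code": num, "name": name, "msg": e["msg"]})
        if "status Stopped" in e["msg"]:
            report["stopped"] = True
    return report

# Constructed sample in the post's format, mixing wrapped and unwrapped
# entries; the realm TEST.COM is made up (the post's realm is elided).
SAMPLE_LOG = """
2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - SPN : [ccasso/active.test.com@TEST.COM]
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - KDC(s) :[10.0.240.100]
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginCon
text@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- Notifying GSSServer status Stopped
"""

if __name__ == "__main__":
    for key, value in triage(parse_gss_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```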

  • Cisco NAC Guest Server and shellshock

    Hello,
    We are running NAC server v2.0.2 and would like to know if it's vulnerable to Shellshock, as the bug report CSCur05629 isn't clear on this.

    Well, you will need to use a 3rd-party certificate. Here is a link to generate and install a 3rd-party certificate on the WLC for use with Web-Auth:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Here is a link for the NGS:
    http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ
    The appliances are using a self-generated Cisco certificate, which of course is not in the trusted certificate store of most operating systems. So using a 3rd-party certificate from RapidSSL, Verisign, etc. will eliminate the certificate issue.

  • NCipher server not in operational mode : Cisco NAC

    One of the NAC servers got rebooted and then on restart I am getting the error "nCipher server not in operational mode. Please change the settings on back of the card." Also "Error-sshd-server not running".
    Please let me know how to put the nCipher in operational mode and change the mode of the NAC to FIPS mode.
    It is very urgent. Please let me know the solution.
    Regards,
    Tarunava

    The Cisco NAC is 3315 and software version is 4.1.2.
    Below are the error logs.
    [root@PLHO_CAS_01 ~]# cd /perfigo/common/bin/
    [root@PLHO_CAS_01 bin]# ./test_fips.sh info
    Installed FIPS card is nCipher
    Info-FIPS file exists
    NFastApp_Connect failed: ServerNotRunning
    Error-card is not in operational mode
    Error-httpd worker is in Non FIPS  mode
    Error-sshd  not up
    System not in FIPS mode
    [root@PLHO_CAS_01 bin]#
    [root@PLHO_CAS_01 ~]# /etc/init.d/sshd start
    Starting sshd:WARNING: initlog is deprecated and will be removed in a future release
    key_load_private_pem: RSA_blinding_on failed
    Could not load host key: /root/.perfigo/sec/tomcat.key
    Disabling protocol version 2. Could not load host key
    sshd: no hostkeys available -- exiting.
    [FAILED]
    [root@PLHO_CAS_01 ~]# /etc/init.d/httpd start
    Starting httpd: Syntax error on line 167 of /etc/httpd/conf/httpd.conf:
    DocumentRoot must be a directory
    [FAILED]

  • NAC server is not available on the network

    I am doing a rollout of ISE 1.1.1. I am using NAC agent 4.9.0.47 for posture checking Win7 x86 machines. Occasionally users are getting 'NAC server is not availble.... try disconecting and connecting to the network to start a new connection'. When I try to reproduce the issue it does not happen. It happens randomly here and there. What are the possible reasons for this issue? Since ISE is not getting the posture result, the machine remains in the posture check 'unknown' stage. I am halfway through the rollout and it is stopping me from rolling out further. If anybody knows, please advise.

    Hi,
    I had the same issue and upgrading to 1.1.2 made the issue quiet down a bit. I have a few reported issues but haven't seen any in the past 2 weeks. Also, which supplicant is the client running, and do they see these on the laptops or machines that have both wired and wireless connections?
    The reason I ask is that the native Windows supplicant tends to connect to both networks (wired and wireless); this can cause some problems with the NAC agent if the link for the wired or "the lower metric route" flaps.
    The bug Cisco provided me is "CSCuc70607".
    Hope this helps,
    Tarik Admani
    *Please rate helpful posts*

  • Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683

    We have this problem with one of our clients:
    "Cisco NAC Agent is having a difficulty with the server. Agent user operation system
    is not supported".
    Has anyone encountered this problem?
    Thanks.

    Hi Tarik,
    We have:
    Cisco Clean Access Server   Version 4.9.0
    Cisco Clean Access Lite Manager   Version 4.9.0
    I can see your point now, that I should start by upgrading to 4.9.1.
    Let me do that and see if it helps.
    Thanks very much, I will keep you posted.

  • Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

    Hi,
    I'm doing research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
    3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
    Please, give me some advice.
    Thanks in advance,
    Mladen

    Thanks for the reply, but I am still a bit confused (would you please try to answer the questions?):
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
    3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
    I refer to
    "Implementing Network Admission Control Phase One Configuration and Deployment";
    "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
    Thanks in advance,
    Mladen

  • Cisco NAC AD SSO

    Hi,
    I need help with configuring the CASUser account for NAC AD SSO in a multidomain environment.
    We have two child domains (based on region), say A & B. We have created the casuser account in domain A. If a user from domain A logs in, everything works fine and they are authenticated.
    But the problem starts if someone from domain B tries to log in: they are authenticated by AD (checked through kerbtray and net time \set; can't see a ticket for the casuser account) ... the NAC agent keeps prompting for username & password.
    Domain: Windows 2003
    Domain functional level: Windows 2000 native
    Cisco NAC Agent: Version : 4.8.0.32

    Hi Sanjeev,
    I implemented Cisco NAC in a multi-domain environment and it worked fine until the customer added a third AD server on Windows 2008.
    Have you verified that the created user CASUSER is visible in domain B?
    The CASUSER, in my opinion, must be created in the root domain and will be broadcast to domains A & B.
    Do you use LDAP user mapping to roles?
    Have you tested creating a user in domain B and verifying it in site A? It's the simple test for what you want to do.
    Which version Cisco NAC have you got?
    Kamil

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to whether any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • What happens when NAC Server License Exceeds ?

    Hi all,
    Got a simple question for which I could not find an explanation.
    I know that licensing is run by the endpoints which are in Online User (posture assessed) list.
    Let's say I purchased a NAC server with a 100 license. What happens if a client connects to the network as the 101st user? Is there a flexible licensing option as in other Cisco security products?
    Also, does anyone have any info about the roadmap of licensing for Cisco NAC products? Such as central management of licenses, license pools, etc.?
    Thanks in advance.
    Any comments appreciated.
    Dumlu

    Thanks a lot.
    You said "BPEL developer should make sure unique value is supplied for correlation..",but I am confused,
    Does "BPEL developer" mean the business process developer (process caller) or the BPEL engine developer (process runtime environment developer)?
    This afternoon I installed Oracle PM and did some tests. The BPEL server creates two process instances which have the same correlation data.

  • NAC Server without NAC manager

    Hi,
    Would like to know whether NAC server (NAC appliance 3355) is enough to provide NAC functionality without NAC manager in the network for one location say Datacenter.
    Regards,
    Ashok

    Hi Ashok,
    You can use a single CAS in the network in a single location in case you have a centralized CAM for multiple locations, but you would need at least one CAM to manage all the CAS servers, as all the settings and policies for the CAS are stored in the CAM.
    Moreover, the CAS product licenses are generated based on the eth0 MAC address of the CAM, so at least one CAS is essential.
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp39625
    HTH!
    Regards,
    Sumir

  • Cisco NAC technical information

    Hello everyone,
    So I've been looking through the Cisco website trying to get information about Cisco NAC (at the request of my boss, the IT team leader). Unfortunately, all the information about NAC on this website is geared towards supervisors and purchasing authorities; I haven't been able to find any sort of real technical data, just a bunch of sales mumbo-jumbo. I know a lot about what it can do, but nothing about how it does it.
    I would like to know how this system would interact with my network. I'm newly in charge of an almost pure Cisco network consisting of a couple dozen Catalyst 2950 switches and 3 Catalyst 3750 stacks in various positions throughout the network.
    Our network uses a star-topology, meaning all the switches tend to radiate from the central Layer 3 switches (the 3750s), meaning we don't, at the moment, have any sort of redundancy like in the Cisco-recommended Core-Distribution-Access topology. We want to get to that point sometime in the future.
    Anyways, I'd like to know how I can integrate Cisco NAC into my existing network. How would it connect and where? How does it regulate access? Do all computers require some kind of client to be installed? How does it regulate VLANs (of which we have about 50)?
    Like I said, we want to basically overhaul our network sometime in the future, but I'm not really counting on it happening soon, so I'd like to know how NAC would be implemented in our current network so that we may be able to enjoy some of those benefits right away.

    My explanations / answers are not authoritative but should provide some general idea about things you could accomplish with this product.
    1.) Since you are basically all Cisco you will probably use an out-of-band solution. This allows the NAC to "manage" your switch ports. As the sales literature suggests, it's about mapping users/IPs/MACs to roles and allowing access based on the role. An example would be a new device plugging into a perm switch. You require that all machines have AV, new defs, and the latest updates. The client would use the agent to validate it has met these requirements. If not, the agent may recommend (at your preference) how to meet the given requirement; I personally like the idea of providing links to pages where they can find information on fixing the issue. Once the 3 requirements are met you allow the system access to your network on a given VLAN in a specific role.
    2.) Again, because your switches are all Cisco you have many options. Primarily in-band vs out-of-band. I have very little doubt you would choose out-of-band with the description of your topology given above.
    3.) Connection would be 2 ports on your 3750 stack.
    4.) It regulates traffic by performing requirements checks and by mapping machines to a given role. That role is allowed to do certain activities on your network. I kind of think of role management like a firewall of sorts. Once you are authenticated to a given role you are allowed to do things like surf the internet or ftp to an internal server. Each role could be given different access ability.
    5.) Technically no machines "require" a client to be installed. You can use a combination of web login with scanning and/or Cisco agent installations. For Linux machines no agent is currently available to my knowledge. For Macs and PCs the agent (once installed) seems to make access simpler.
    6.) Vlan regulation depends on the type of install you choose. For example you may map vlans.
    Hope that helps.
    Greg W.
