Cisco NAC technical information

Hello everyone,
So I've been looking through the Cisco website trying to get information about Cisco NAC (at the request of my boss, the IT team leader). Unfortunately, all the information about NAC on this website is geared towards supervisors and purchasing authorities; I haven't been able to find any sort of real technical data, just a bunch of sales mumbo-jumbo. I know a lot about what it can do, but nothing about how it does it.
I would like to know how this system would interact with my network. I'm newly in charge of an almost pure Cisco network consisting of a couple dozen Catalyst 2950 switches and 3 Catalyst 3750 stacks in various positions throughout the network.
Our network uses a star topology, meaning all the switches radiate from the central Layer 3 switches (the 3750s), so we don't, at the moment, have any sort of redundancy like in the Cisco-recommended Core-Distribution-Access topology. We want to get to that point sometime in the future.
Anyways, I'd like to know how I can integrate Cisco NAC into my existing network. How would it connect and where? How does it regulate access? Do all computers require some kind of client to be installed? How does it regulate VLANs (of which we have about 50)?
Like I said, we want to basically overhaul our network sometime in the future, but I'm not really counting on it happening soon, so I'd like to know how NAC would be implemented in our current network so that we may be able to enjoy some of those benefits right away.

My explanations / answers are not authoritative but should provide some general idea about things you could accomplish with this product.
1.) Since you are basically all Cisco you will probably use an out-of-band solution. This allows the NAC to "manage" your switch ports. As the sales literature suggests, it's about mapping users/IPs/MACs to roles and allowing access based on the role. An example would be a new device plugging in to a perm switch. You require that all machines have AV, new defs, and latest updates. The client would use the agent to validate it has met these requirements. If not, the agent may recommend (at your preference) how to meet the given requirement; I personally like the idea of providing links to pages where they can find information on fixing the issue. Once the 3 requirements are met you allow the system access to your network on a given VLAN in a specific role.
2.) Again, because your switches are all Cisco you have many options. Primarily in-band vs out-of-band. I have very little doubt you would choose out-of-band with the description of your topology given above.
3.) Connection would be 2 ports on your 3750 stack.
4.) It regulates traffic by performing requirements checks and by mapping machines to a given role. That role is allowed to do certain activities on your network. I kind of think of role management like a firewall of sorts. Once you are authenticated to a given role you are allowed to do things like surf the internet or FTP to an internal server. Each role could be given different access ability.
5.) Technically no machines "require" a client to be installed. You can use a combination of web login with scanning and/or Cisco agent installations. For Linux machines no agent is currently available to my knowledge. For Macs and PCs the agent (once installed) seems to make access simpler.
6.) VLAN regulation depends on the type of install you choose. For example, you may map VLANs.
Hope that helps.
Greg W.
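The flow Greg describes (requirements check, role assignment, VLAN mapping, remediation links, and the out-of-band manager rewriting the edge port's VLAN) can be modelled in a few dozen lines. The block below is an added illustration, not Cisco's code; the requirement names, role names, VLAN numbers, help URLs, the fixed reference date and the sample postures are all constructed for the example.

```python
# Added example (not Cisco code): a toy model of the out-of-band posture flow
# described in the answer above. Requirement names, role names, VLAN numbers,
# help URLs, the reference date and the sample postures are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

TODAY = date(2009, 3, 1)          # fixed reference date so results are reproducible
LATEST_PATCH_LEVEL = 42           # constructed "latest updates" baseline
MAX_DEF_AGE = timedelta(days=7)   # constructed freshness window for AV definitions


@dataclass
class Posture:
    """What the agent reports about an endpoint (constructed fields)."""
    mac: str
    user: str
    av_installed: bool
    av_defs_date: Optional[date]  # date of the AV definition file, None if unknown
    patch_level: int


@dataclass
class Requirement:
    name: str
    check: Callable[[Posture], bool]
    help_url: str                 # where the agent points the user for remediation


@dataclass
class Decision:
    role: str
    vlan: int
    failed: List[Tuple[str, str]]  # (requirement name, help URL) for each unmet check


# The three requirements from the answer: AV present, new defs, latest updates.
REQUIREMENTS = [
    Requirement("antivirus-installed", lambda p: p.av_installed,
                "https://help.example.invalid/install-av"),
    Requirement("antivirus-defs-current",
                lambda p: p.av_defs_date is not None and TODAY - p.av_defs_date <= MAX_DEF_AGE,
                "https://help.example.invalid/update-av"),
    Requirement("os-updates-current", lambda p: p.patch_level >= LATEST_PATCH_LEVEL,
                "https://help.example.invalid/windows-update"),
]

# Role -> VLAN mapping (constructed). "quarantine" is the remediation VLAN.
ROLE_VLANS = {"employee": 10, "quarantine": 900}


def evaluate(posture: Posture) -> Decision:
    """Run every requirement; any failure maps the device to the quarantine role."""
    failed = [(r.name, r.help_url) for r in REQUIREMENTS if not r.check(posture)]
    role = "employee" if not failed else "quarantine"
    return Decision(role=role, vlan=ROLE_VLANS[role], failed=failed)


def assign_port(port_table: dict, switch: str, port: str, decision: Decision) -> dict:
    """Out-of-band model: the manager rewrites the access VLAN of the edge port.
    The real product talks to the switch for this; here the switch is a dict."""
    port_table[(switch, port)] = decision.vlan
    return port_table


# Constructed sample endpoints.
SAMPLE_GOOD = Posture("00:11:22:33:44:55", "alice", True, TODAY - timedelta(days=1), 42)
SAMPLE_STALE = Posture("00:11:22:33:44:66", "bob", True, TODAY - timedelta(days=30), 40)
SAMPLE_NO_AV = Posture("00:11:22:33:44:77", "carol", False, None, 42)

if __name__ == "__main__":
    ports = {}
    for posture, port in ((SAMPLE_GOOD, "Fa0/1"), (SAMPLE_STALE, "Fa0/2"), (SAMPLE_NO_AV, "Fa0/3")):
        decision = evaluate(posture)
        assign_port(ports, "sw-access-01", port, decision)
        print(port, decision.role, decision.vlan, [name for name, _ in decision.failed])
```

Running it prints one line per port: the compliant device lands in the employee VLAN, the other two in the quarantine VLAN with the list of unmet requirements (and their help URLs) that the agent would show the user.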

Similar Messages

  • Cisco NAC Web Agent + Windows 8

    Hello,
    I'm implementing Cisco ISE 1.2 and I am having trouble with NAC Web Agent and Windows 8 compatibility.
    Every time I try to install the NAC Web Agent on Windows 8, I get the message "Agent User Operating System is Not Supported".
    Following is some information about my environment:
    ISE 1.2 Patch 3
    OS: Windows 8 Enterprise
    IE: 10 (In Desktop Mode w and w/o Compatibility View)
    NAC Web Agent: 4.9.0.1007
    Could you help me ?
    Best Regards,
    Daniel Stefani

    Hi Charles,
    I can download all these files, but I can't import them into ISE Resources.
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.9.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.9.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.9.tar.gz
    Mac Agent Installation Package for MacOSX
    CCAAgentMacOSX-4.9.3.803.tar.gz
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.5.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.5.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.5.tar.gz
    The link that you sent me doesn't have options for the Cisco NAC Web Agent.
    But the following one does:
    http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    Best Regards,
    Daniel Stefani

  • Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

    Hi,
    I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
    3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
    Please, give me some advice.
    Thanks in advance,
    Mladen

    Thanks for the reply, but I am still a bit confused (would you please try to answer the questions?):
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
    3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
    I refer to
    "Implementing Network Admission Control Phase One Configuration and Deployment";
    "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
    Thanks in advance,
    Mladen

  • Question about cisco nac agent

    When I deploy the Cisco NAC appliance, what is the main difference between using the Cisco NAC appliance with or without the agent? I see the Cisco NAC agent has two functions: scan and remediation. If the Cisco NAC appliance is used without the agent, will the Cisco NAC server scan the device and do the remediation? Is that right?
    Please answer me soon. Thank you for your answer.

    Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
    We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
    1) You have to decide which vulnerabilities you want to scan for.
    2) The more plug-ins you enable, the longer (obviously) the scan takes.
    3) There are configuration steps for many of the plug-ins.
    4) Your users will still need to go to a login page in order to be scanned.
    5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
    From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
    It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
    Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
    Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.

  • Antivirus scan with nessus plugins on cisco nac

    Hello,
    We plan to use Nessus plugins with Cisco NAC.
    For some users, the computer should have any antivirus installed and updated before it can access the network.
    For other users, the computer should have McAfee antivirus installed and updated.
    We tried to use plugin ID 16193 for the 1st check and 12107 for the 2nd check.
    We'd like to know if we need to configure credentials under the scan option for each computer to check.
    If so, what do we do if it's a guest's computer and we don't have credentials?
    For the test, a credential was configured (under the scan option) for the computers.
    We chose "vulnerable if hole, warning, info".
    We tried to authenticate from a computer that has no antivirus installed, and from another computer that has McAfee installed but outdated.
    We always get "no vulnerability detected", but when we launch the test, it reports McAfee installed but outdated for the 2nd PC, and no information for the 1st PC.
    We tried to check if the FTP service is running on the computer and it works fine.
    We get a notification on the user's computer for FTP and the client is not allowed to access the network, but none for antivirus (either McAfee or any antivirus).
    - What do we do if we need users to be notified when there's no antivirus installed on their computer or when it is outdated?
    Any advice is extremely appreciated.

    You must download and install the appropriate Nessus for your PC.
    After you download the latest plugins from the Nessus site, in the directory (for a Windows install) c:/Program Files/Tenable/Nessus/Plugins you will have a "plugin.tar.gz" file. You must rename or copy this to "plugins.tar.gz".
    Next, in the NAC Manager console, under CLEAN ACCESS -> NETWORK SCANNER -> Plugin Updates, browse to the same folder and pick the "plugins.tar.gz" file. It MUST be named exactly as shown - with the S - to work. Perform the UPLOAD. When finished, navigate over to the Scan Setup tab and select All in the Show ___ Plugins dropdown. You should have around 20,000 of them.
    HTH.
    Jim

  • Cisco NAC agent services not running on Windows XP

    Hi,
    I've a problem with the Cisco NAC agent services on Windows XP Professional SP3.
    After the first installation using the local administrator user, the Cisco NAC agent services on the Windows machine run well, but after logging out and logging in using another user which is registered in domain users, the Cisco NAC agent services stop (going to Manual mode, not Automatic, and the status is Stopped).
    This situation does not happen on all Windows machines; several machines run well.
    Cisco NAC agent version 4.9.0.42
    Has anyone seen this type of problem?
    Below I attached Windows machine information from ones running well and not running. Thanks
    Regards,
    Rian

    Hi, thanks for your answers. dbconsole is started in services.msc and so is the Agent, but it goes on to say that the agent is not running.
    The sysman log shows this:
    "03/20/2012 13:38:54,553 [MetricCollector: HOMETAB_THREAD600: 60] ERROR rt.DbMetricCollectorTarget _getAllData.328 - oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
    oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
    at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest_ (EMDClient.java: 1330)
    at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest (EMDClient.java: 1223)
    at oracle.sysman.emSDK.emd.comm.EMDClient.getMetrics (EMDClient.java: 640)
    at oracle.sysman.emo.perf.metric.rt.DbHomeTab._getAllData (DbHomeTab.java: 324)
    at oracle.sysman.emo.perf.metric.rt.DbHomeTab.getData (DbHomeTab.java: 139)
    at oracle.sysman.emo.perf.metric.eng.MetricCached.collectCachedData (MetricCached.java: 402)
    at
    at oracle.sysman.emo.perf.metric.eng.MetricCollectorThread.run (MetricCollectorThread.java: 320)
    at java.lang.Thread.run (Thread.java: 595)
    20/03/2012 22:00:03,335 [JobWorker 772: Thread-13] ERROR em.jobs executeCommand.161 - UpdateARUTables: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup parameters required to September."
    The event viewer shows this:
    "Agent process exited abnormally DURING initialization." but this message appears a few hours after having started the service.
    I am using the Administrator account

  • Cisco NAC Agent and Windows 8 still not working

    Hello. I recently upgraded the Cisco NAC Agent to the latest version (4.9.1.13) on a Windows 8 VM. The release notes state that Windows 8 support has been added, and that a patch must be downloaded. However, the information about the patch is vague. I'm not sure if it's a client or server-side patch, or perhaps if I already have it as a result of upgrading to the latest version.
    I ask this because I plan to upgrade some computers to Windows 8, and have noticed that Cisco NAC Agent can't handshake with the NAC server on Windows 8 (both native and VM), and despite upgrading to the latest version, the handshake is still unsuccessful.
    Thanks,
    -Collin

    Hi Collin,
    The 4.9.1 patch for Windows 8 support can be downloaded from the following link:
    http://www.cisco.com/cisco/software/release.html?mdfid=282910502&flowid=34713&softwareid=282573326&release=4.9.1&relind=AVAILABLE&rellifecycle=&reltype=latest
    The patch should be applied to both 4.9.1 CAM and CAS.
    Please go through the README file for the patch provided in the download link above. It has detailed information.
    Regards,
    Karthik Chandran

  • Technical Information of Sap Business One

    Hi,
    I need some technical information about a possible installation of the SAP Business One package:
    - Can SAP B1 run on a Microsoft cluster composed of VMware virtual machines?
    - Can SAP B1 run on a machine with 64-bit technology?
    - Can the SAP B1 client run on Citrix with gateway access?
    If nobody can help me, tell me where I can post this question...
    Thank you
    Regards
    Marco

    Hi Marco,
    This is not the right forum for that question (SAP Support, or the Implementation Forum in the Channel Partner Solution Network, may suit better...), but anyway:
    >- Can Sap B1 run on a Microsoft cluster composer of virtual machine VMWARE?
    VMware hasn't been released; it may work (and I heard about people using it), but if a problem can actually be traced back to being a VMware issue, you are "alone"...
    >- Can Sap B1 run on a machine with 64 bit technology?
    Yes, please check the "Supported Platforms" information for B1 in the Channel Partner Portal on SAP Service Marketplace!
    >- Can client Sap B1 run on Citrix with gateway access?
    Not sure about "gateway access", but Citrix 4.0 (and 3.0) are officially supported.
    You can find details at the same place as mentioned above (I don't have the link at hand, sorry).
    HTH,
    Frank

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server, and the symptoms when the NAC server hung include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via https, and the HA pair being detected down by its HA neighbor, which triggered failover to the secondary CAS.
    The CAS server recovered after manually power cycling the hardware.
    After going through the attached CAS logs, I found all the services and the logging service were stopped when the issue happened, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried to search the Cisco Bug Toolkit, but no similar case was found. I believe it was not caused by a software bug, since software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
    It would be great if anyone can help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS, CAM and CA Server. If this still doesn't work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.

  • Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

    Hi
    My Cisco NAC Agent (version 4.9.1.682) doesn't work since I upgraded my Mac OS X 4 months ago. This happens every time with Cisco and Mac when there is a new update, and it always seems to take forever to fix.
    The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
    Any update on when a new version is going to be released? It's getting really frustrating.

    I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • Missing technical information on X200/X200s/X300 for final buying decision

    Hello Thinkpad community,
    I am planning to buy a thinkpad x200s, x200, x300 or x301 to replace my z61m.
    Since I am missing some detailed technical information, it is hard for me to make this decision. Please help me to fill the gaps.
    X200/X200s
    My favourite is the x200s, since the main requirement is ultra mobility. To make it usable also outside of buildings, I am interested in how bright the display is:
    1.) Candela / nit of X200s?
    2.) Candela / nit of X200?
    However, I want to use the notebook when I am at home as desktop system with a dual Monitor setup, too.
    3.) Does the x200 / x200s with extension bay support dual monitor setup (one via vga, one via digital output)?
    4.) If dual monitor setup is supported, what is the maximal supported resolution for two monitors?
    5.) Is dual monitor setup supported with linux?
    X300/X301
    Just in case the display / resolution of the X200s is too small for me (I will have to check it in real life in a Lenovo partner store if it is available in Germany), I will switch to the X300 / X301.
    5.) Candela / nit of X300?
    6.) Candela / nit of X301?
    Dual Monitor support of X300 series?
    7.) AFAIK, X300 supports dual monitor only in combination with this USB docking station with NO Linux support (Windows drivers needed). Is that true?
    8.) AFAIK, the X301 has dual display out on the notebook itself (VGA and DisplayPort). Can these ports be used in parallel for a dual monitor setup?
    9.) If dual monitor setup is supported with X301 is it working in combination with linux?
    64-Bit Operation System support
    If I hadn't stumbled across this thread (http://forums.lenovo.com/lnv/board/message?board.id=X_Series_Thinkpads&thread.id=1485&view=by_date_a... I wouldn't dare to ask; I thought it would be impossible because of the 32-bit processors. Does the X200 / x200s support 64-bit operating systems? Especially Windows Server 2003 Standard Edition or SUSE / RedHat x86_64 64-bit? Not that I would need it for office usage, however some servers (local development & testing on ultra mobile ThinkPads rocks) require this.
    Thanks for your feedback! I am really eager to come to a decision, place the order and have a terrific ultra-mobile, but still desktop friendly notebook.
    BTW: Is there any technical document listing some or all of the information which I am missing? If yes, I cannot find it on the lenovo web site...
    Thanks & Regards!
    Kris

    Welcome to the forum!
    Here are a few links which may help your research. The last link will give you specs on the various display panels among many other specs as well.
    http://www.pc.ibm.com/us/thinkpad/tech_library.html
    http://shop.lenovo.com/ISS_Static/merchandising/US/PDFs/x200_datasheet.pdf
    http://shop.lenovo.com/ISS_Static/merchandising/US/PDFs/x300_USEN_00.pdf
    http://shop.lenovo.com/ISS_Static/merchandising/US/PDFs/X301_Datasheet.pdf
    ftp://ftp.software.ibm.com/pc/pcinstitute/psref/tabook.pdf
    64-bit OSes are supported on all X300/X301 and X200/X200s models. Server 2003 and 2008 are not officially supported but will run on the above equipment. There's a chance that not all drivers can be found however, especially for 2003. 2008 is much easier to implement since it registers with most drivers and apps as simply being Vista with SP1 (since Vista shares 2008's kernel).
    ThinkStation C20
    ThinkPad X1C · X220 · X60T · s30 · 600

  • Fill technical information to the column of an ALV

    Hi,
    I've developed a report that uses an OOP ALV.
    In the output of the report, I choose a column and press F1, and the Performance Assistant window shows up.
    Then I click the 'technical information' button and a window shows up. How do I add the information to this window (screen data, GUI data...)?
    Thank you very much if you would help.
    Best Regards
    Thang

    Hi Venkat,
    Thanks for recommending the solution,
    However, I do not use a field catalog in this case; I develop the ALV in the new way with OOP.
    I used cl_salv_table, cl_salv_functions, cl_salv_display_settings, cl_salv_columns_table, cl_salv_column_table.
    Do you know a solution like using the field catalog?
    Regards,
    Thang
    Edited by: thang tran on Mar 1, 2010 7:30 AM

  • removed_by_mod How can I get technical information of screen fields by FM?

    Hi, experts.
    I want to get technical information of screen fields by using any FM.
    Actually, I know the screen field name and I need which DATA ELEMENT IS ASSIGNED
    to the screen field.
    Thanks for your answers in advance.
    Edited by: Julius Bussche on Jul 15, 2008 10:52 PM
    I edited your subject title. Please read [the rules|https://www.sdn.sap.com/irj/sdn/wiki?path=/display/home/rulesofEngagement]

    Hi Kim,
    I hope you may use the standard function module RS_IMPORT_DYNPRO .
    This function module takes as input the program name and screen number and gives the complete information about that screen.
    The tables parameter FTAB holds the information regarding all controls in the screen.
    FTAB parameters :
    FNAM : control name
    FILL : control type; in case of a push button it would be P
    STXT : Label or text of the control
    RES1 : Function code
    You can check all the other parameters, and debug that function module to know more.
    Regards,
    Naveen Veshala

  • Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

    Hi,
    I am re-imaging the Cisco NAC Appliance 3315 and installing the Cisco ISE 1.1.4...
    After finishing the installation, when I type "SETUP"... It gives me the below error:
    # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
    # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
    Please advise....
    I tried to change the Time/Date as per UTC/GMT accordingly... But I didn't find the RAID in the CLI... see the link below
    (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
    any idea...
    Regards,
    Mubasher Sultan

    Where did you get the recovery media? Did you download from cisco.com?
    Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
    Supporting link:
    http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "

    Hi All,
    We have posture assessment working with the Cisco NAC agent, checking only Symantec Antivirus definition updates and installation. Windows Defender is on all the user PCs, but turned off and not in use. However, the Cisco NAC agent is showing both Windows Defender and Symantec in the "List of Antivirus & Anti-Spyware Products Detected by the Agent" field. We don't want Windows Defender to show in this list.
    Has anyone encountered this before? Please suggest. I want to get rid of Windows Defender from this list in the NAC agent.

    The closest enhancement I could find on this is
    CSCts34764 NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
    Currently Windows Defender AntiSpyware comes installed on all Windows 7 machines. Many users disable this and install their own AntiSpyware product. Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
    This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date.  Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**
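The enhancement request above describes three ways of combining per-product definition checks: the ANY rule as it behaves today (fails when any detected product, even a disabled one, is out of date), the requested ANY rule (passes when at least one detected product is current), and the workaround of one rule per product combined with "Any Selected Rule Succeeds". The block below is an added model of those three semantics, not Cisco's agent code; the product names, definition dates and the seven-day freshness window are constructed, and how the real agent evaluates its rules is not shown on this page.

```python
# Added example (not Cisco code): a model of the three rule semantics the
# enhancement request CSCts34764 describes. Product names, dates and the
# freshness threshold are constructed for the illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List

TODAY = date(2012, 6, 1)          # fixed reference date for reproducibility
MAX_DEF_AGE = timedelta(days=7)   # constructed "up to date" window


@dataclass
class AsProduct:
    """One anti-spyware / antivirus product the agent detected."""
    name: str
    enabled: bool      # the user may have switched the product off
    defs_date: date    # definition file date reported by the product


def is_current(p: AsProduct) -> bool:
    """Definition freshness check shared by all three rule styles."""
    return TODAY - p.defs_date <= MAX_DEF_AGE


def any_rule_as_described(products: Iterable[AsProduct]) -> bool:
    """Behaviour the request complains about: every detected product must be
    current, so an installed-but-disabled Windows Defender with stale
    definitions fails the check even when MSE is up to date."""
    products = list(products)
    return bool(products) and all(is_current(p) for p in products)


def any_rule_requested(products: Iterable[AsProduct]) -> bool:
    """Requested enhancement: pass if at least one detected product is current."""
    return any(is_current(p) for p in products)


def any_selected_rule_succeeds(products: Iterable[AsProduct], selected: List[str]) -> bool:
    """Current workaround: one rule per product, combined with
    "Any Selected Rule Succeeds"; products not in the selection are ignored."""
    by_name = {p.name: p for p in products}
    return any(name in by_name and is_current(by_name[name]) for name in selected)


# Constructed scenario from the request: MSE current, Windows Defender disabled and stale.
SCENARIO = [
    AsProduct("Windows Defender", enabled=False, defs_date=TODAY - timedelta(days=120)),
    AsProduct("Microsoft Security Essentials", enabled=True, defs_date=TODAY - timedelta(days=1)),
]

if __name__ == "__main__":
    print("ANY (as described):", any_rule_as_described(SCENARIO))
    print("ANY (requested):   ", any_rule_requested(SCENARIO))
    print("Any Selected Rule Succeeds [MSE]:", any_selected_rule_succeeds(
        SCENARIO, ["Microsoft Security Essentials"]))
```

The third function makes the cumbersomeness the request mentions visible: the selection list has to name every product the organisation accepts, and it must be maintained as products are added, whereas the requested rule needs no per-product configuration.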
