Cisco NAC with VPN Concentrators

Looking at the deployment guidelines for NAC integration with VPN Concentrators:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
Is it possible to define traffic which is exempt from NAC enforcement, for example traffic associated with LAN-to-LAN VPNs?

NAC enforcement does not work on traffic types. The following links may help you:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_addSrv.html
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_cca.html

Similar Messages

  • Cisco NAC and Checkpoint VPN

    Hi,
    Wondering if anyone has ever come across a scenario where they've integrated Cisco NAC with a Checkpoint VPN solution (using Power1 5075)?
    Any ideas or collateral would be appreciated.
    Thanks
    mark

    Mark,
    If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal

  • Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

    Hi
    My Cisco NAC Agent (version 4.9.1.682) hasn't worked since I upgraded my Mac OS X 4 months ago. This happens every time with Cisco and Mac when there is a new update, and it always seems to take forever to fix.
    The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
    Any update on when a new version is going to be released? It's getting really frustrating.

    I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • Antivirus scan with nessus plugins on cisco nac

    Hello,
    We plan to use nessus plugins with cisco nac.
    For some users, the computer should have any antivirus installed and updated before it can access network.
    For other users, the computer should have mcafee antivirus installed and updated.
    We tried to use plugin ID 16193 for the 1st check and 12107 for the 2nd check.
    We'd like to know if we need to configure credentials under the scan option on each computer to check;
    if so, how do we do it if it's a guest's computer and we don't have credentials?
    For testing, a credential was configured (under the scan option) for the computers.
    We chose "vulnerable if hole, warning, info".
    We tried to authenticate from a computer that has no antivirus installed, and from another computer that has McAfee installed but outdated.
    We always get "no vulnerability detected", but when we launch a test it reports McAfee installed but outdated for the 2nd PC, and no information for the 1st PC.
    We tried to check if the FTP service is running on the computer and it works fine.
    We get a notification on the user's computer for FTP and the client is not allowed to access the network, but none for antivirus (either McAfee or any antivirus).
    - How do we make sure the user is notified when there's no antivirus installed on his computer or when it is outdated?
    Any advice is extremely appreciated.

    You must download and install the appropriate Nessus for your PC.
    After you download the latest plugins from the Nessus site, in the directory (for a Windows install) c:/Program Files/Tenable/Nessus/Plugins you will have a "plugin.tar.gz" file. You must rename or copy this to "plugins.tar.gz".
    Next, in the NAC Manager console, under CLEAN ACCESS -> NETWORK SCANNER -> Plugin Updates, browse to the same folder and pick the "plugins.tar.gz" file. It MUST be named exactly as shown - with the S - to work. Perform the UPLOAD. When finished, navigate over to the Scan Setup tab and select All in the Show ___ Plugins dropdown. You should have around 20,000 of them.
    HTH.
    Jim

  • Cisco Anytime Connect VPN working from iMac but not from MacBook Air with same settings and wifi network

    Hi guys,
    I'm having trouble connecting my new MacBook Air to Cisco Anytime Connect VPN.
    The same configuration works with my iMac, in the same network and same Mac OS Mountain Lion on both computers.
    After successfully connecting to the VPN, it gets disconnected after a few seconds and, what is worse, Wi-Fi no longer works on my MacBook Air; I need to deactivate it and start it again.
    With iMac with the same settings it doesn't happen.
    Any ideas?
    Thanks!

    Did you power cycle the network? That's always the first thing you want to do if a device is "missing" or not connecting to your network correctly.
    If you have not already tried this a few times, power down the entire network...all devices, order is not important.
    Wait a few minutes and place the MBAir close to the TC
    Start the modem first and let it run a few moments by itself. Then start the TC if it is the device connected to the modem and let it run a few moments. Then start each device one at a time the same way.

  • Error with GPOs on Cisco NAC

    I have Cisco NAC deployed in-band; all PCs had the CCA Agent deployed via a GPO before the migration. Now that all the systems are behind NAC in-band, none of the systems will process GPOs, machine or user policies. I have the unauthenticated role allowing all traffic to all the domain controllers, but with no luck. If I move the PC to a VLAN that is not trunked to the CAS, the GPOs process with no problem. Any ideas...?

    I think the ports list in the CAS Manual is not complete. Try this list of ports from the CAM Manual chapter: User Management: Traffic Control, Bandwidth, Schedule
    Allow TCP *:* Server/255.255.255.255: 88
    Allow UDP *:* Server/255.255.255.255: 88
    Allow TCP *:* Server/255.255.255.255: 389
    Allow UDP *:* Server/255.255.255.255: 389
    Allow TCP *:* Server/255.255.255.255: 445
    Allow UDP *:* Server/255.255.255.255: 445
    Allow TCP *:* Server/255.255.255.255: 135
    Allow UDP *:* Server/255.255.255.255: 135
    Allow TCP *:* Server/255.255.255.255: 3268
    Allow UDP *:* Server/255.255.255.255: 3268
    Allow TCP *:* Server/255.255.255.255: 139
    Allow TCP *:* Server/255.255.255.255: 1025
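The list above allows each port individually, and everything not listed falls through to the role's block. As an added example (not Cisco's code and not from the answer's author), the following Python models that policy and evaluates constructed flows a client makes while locating a domain controller and processing Group Policy. The domain-controller address 10.0.0.10, the second host 10.0.0.20 and the default deny at the end of the role are assumptions to check against the actual CAM role configuration.

```python
"""Model of the CAS per-role traffic policy quoted in the answer above,
evaluated against constructed sample flows. Added example, not Cisco code;
the default-deny at the end of the role is an assumption to verify against
the CAM's actual role configuration."""
from dataclasses import dataclass
import ipaddress

# The twelve policy lines from the answer, verbatim.
POLICY_LINES = [
    "Allow TCP *:* Server/255.255.255.255: 88",
    "Allow UDP *:* Server/255.255.255.255: 88",
    "Allow TCP *:* Server/255.255.255.255: 389",
    "Allow UDP *:* Server/255.255.255.255: 389",
    "Allow TCP *:* Server/255.255.255.255: 445",
    "Allow UDP *:* Server/255.255.255.255: 445",
    "Allow TCP *:* Server/255.255.255.255: 135",
    "Allow UDP *:* Server/255.255.255.255: 135",
    "Allow TCP *:* Server/255.255.255.255: 3268",
    "Allow UDP *:* Server/255.255.255.255: 3268",
    "Allow TCP *:* Server/255.255.255.255: 139",
    "Allow TCP *:* Server/255.255.255.255: 1025",
]

DC_IP = "10.0.0.10"  # constructed domain-controller address standing in for "Server"


@dataclass(frozen=True)
class Rule:
    action: str                       # "Allow" or "Block"
    proto: str                        # "TCP" or "UDP"
    dst_net: ipaddress.IPv4Network    # destination host/mask
    dst_port: int


def parse_rule(line: str, server_ip: str = DC_IP) -> Rule:
    """Parse 'Allow TCP *:* Server/255.255.255.255: 88' into a Rule.
    The source '*:*' (any address, any port) is accepted but not modelled further."""
    action, proto, src, dst, port = line.split()
    if src != "*:*":
        raise ValueError(f"only '*:*' sources are modelled, got {src!r}")
    host, mask = dst.rstrip(":").split("/")
    host = server_ip if host == "Server" else host
    return Rule(action, proto.upper(),
                ipaddress.IPv4Network(f"{host}/{mask}", strict=False), int(port))


RULES = [parse_rule(line) for line in POLICY_LINES]


def evaluate(rules, proto: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; anything unmatched is blocked (assumed default deny)."""
    addr = ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if rule.proto == proto.upper() and addr in rule.dst_net and rule.dst_port == dst_port:
            return rule.action
    return "Block"


# Constructed flows a client emits while locating a DC and processing GPOs.
SAMPLE_FLOWS = [
    ("Kerberos AS-REQ",             "UDP", DC_IP,       88),
    ("LDAP bind",                   "TCP", DC_IP,       389),
    ("SYSVOL read over SMB",        "TCP", DC_IP,       445),
    ("RPC endpoint mapper",         "TCP", DC_IP,       135),
    ("DNS SRV lookup to find a DC", "UDP", DC_IP,       53),
    ("RPC dynamic endpoint",        "TCP", DC_IP,       49152),
    ("LDAP to a non-DC host",       "TCP", "10.0.0.20", 389),
]


def decisions(rules=RULES, flows=SAMPLE_FLOWS) -> dict:
    """Map each flow description to the policy decision."""
    return {desc: evaluate(rules, proto, ip, port) for desc, proto, ip, port in flows}


if __name__ == "__main__":
    for desc, verdict in decisions().items():
        print(f"{verdict:5} {desc}")
```

Two of the constructed flows, DNS on UDP 53 and an RPC dynamic endpoint above the listed port 1025, are outside the list and come back as Block. When GPO processing still fails after a list like this is applied, comparing a packet capture from the client against the role policy in this way shows which port is missing.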

  • CISCO NAC deployment with ASA for internal servers (DMZ)

    We deployed a Cisco ASA for our clients' access to DMZ servers a few months ago. Now we want to integrate the Cisco NAC solution without removing the ASA
    from the infrastructure. What will be the best deployment mode of Cisco NAC so that clients also pass through the Cisco ASA access list for filtering before reaching the DMZ servers?
    What gateway will clients use? Please help.
    Should I use Virtual Gateway or Real Gateway for NAC? Clients should first come to NAC (CAS) and then go through the ASA to reach the DMZ servers.

    Hello,
    This should work. Please review the attached PDF for more clarity on this topic: https://supportforums.cisco.com/docs/DOC-9102
    HTH,
    Faisal

  • VPN Concentrators Replaced?

    I see EOL messages on the VPN Concentrators homepage. Are these being replaced with ASA 5500 devices?
    Second question, then will the ASA 5500 VPN editions support Vista Clients with some type of Mandatory Client Firewall Enabled Detection Policy?
    Meaning, you require Vista to have a firewall enabled before it connects to your network via VPN. Otherwise, it's a big gaping hole in your network.

    Yes, VPN3000's are being replaced by the ASAs.
    Regarding client firewall, I think you are talking about the Push Policy or Central Protection Policy (CPP).
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1182773
    Regards,
    Arul
    ** Please rate all helpful posts **

  • Cisco 2800 - Multiple VPNs Using Virtual-Template

    Hello List,
    I have a question related to the way of setting up multiple VPNs using virtual-template configuration (Cisco calls this Dynamic VPN): how can I make my configuration a "spoke" type VPN rather than "hub" type without using "crypto map" on the physical interface?
    Here is how it works now (the VPN hub config):
    !!! the VPN hub config
    crypto keyring PSKs
    pre-shared-key address <peer_ip> key 6 ************
    crypto isakmp profile ISAKMP_Profile
    keyring PSKs
    self-identity address
    match identity address <peer_ip> 255.255.255.255
    virtual-template 1
    crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
    crypto ipsec profile IPSEC_Profile
    set transform-set Transform_Set
    set isakmp-profile ISAKMP_Profile
    interface Loopback1007
    description This is a public IP address from a range routed via my gateway IP address (see below)
    ip address <my_VPN-hub_ip> 255.255.255.255
    no ip redirects
    interface Multilink1
    description This is my gateway IP address facing the ISP
    ip address <my_public_IP> 255.255.255.252
    no ip redirects
    no ip unreachables
    ip nbar protocol-discovery
    ip nat outside
    ip virtual-reassembly
    rate-limit input access-group 102 8000 1500 2000 conform-action transmit exceed-action drop
    ip route-cache flow
    no cdp enable
    ppp multilink
    ppp multilink fragment delay 20
    ppp multilink interleave
    ppp multilink group 1
    ppp multilink multiclass
    service-policy output qos_pm-outbound
    interface Serial0/0/0
    description 1st Serial Interface to ISP
    bandwidth 2048
    no ip address
    encapsulation ppp
    ip route-cache flow
    no fair-queue
    ppp multilink
    ppp multilink group 1
    interface Serial0/0/1
    description 2nd Serial Interface to ISP
    bandwidth 2048
    no ip address
    encapsulation ppp
    ip route-cache flow
    no fair-queue
    ppp multilink
    ppp multilink group 1
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback1007
    ip access-group vpn_acl-tunnel-encr-in in
    ip access-group vpn_acl-tunnel-encr-out out
    ip mtu 1400
    ip route-cache flow
    tunnel source Loopback1007
    tunnel mode ipsec ipv4
    tunnel sequence-datagrams
    tunnel checksum
    tunnel path-mtu-discovery
    tunnel protection ipsec profile IPSEC_Profile
    service-policy output qos_pm-VPN
    ip access-list extended vpn_acl-tunnel-encr-in
    permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list extended vpn_acl-tunnel-encr-out
    permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255
    !!! the Spoke VPN is configured by my peers (Cisco routers, PIXes, Cisco VPN concentrators)
    !!! all follow the standard crypto map config on the physical interface.
    !!! i.e. http://www.vpnc.org/InteropProfiles/cisco-ios.txt
    It is obvious that with my router configured as a VPN hub, if the tunnel dies, I need to wait for the peer to reset the tunnel; all this time my clients in my network are not able to access the remote sites.
    The reason to use the virtual-template interfaces as opposed to the traditional "crypto map" way is that my peers do not want to share the same VPN end-point between themselves (different companies altogether) and they are very strict in regards to ACLs. As I don't have a VPN device for each one of them and their number increases (I have 5 separate tunnels right now with potential growth to 15 in the next 3 months), I need to find a way to get rid of the hub config on my end (I did not have much choice there when I migrated to this platform from a Linux box).
    Pros for the Virtual-Template:
    - separate QoS for each tunnel
    - ACLs configured directly on the tunnel interface (greater flexibility)
    - tunnel end-point IP address can be part of a range BGP advertised via multiple ISP links
    Cons:
    - hub config, the tunnel needs to be reset by the peer
    Any help is very much appreciated. Thank you,
    Adrian

    Hope the following link will help you
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

  • Cisco NAC Placemant

    Hi,
    I am new to NAC and I have an implementation coming up. We have sold them 2 NAC servers, 1 NAC Manager and an ACS server.
    The customer has VPN users, wireless users and 3 remote branches. I am planning to place the devices in OOB, Virtual IP and L2 mode. Is this a good practice? Will this make any complications?
    How can I place the ACS server (appliance) in the network? Do I need to use 802.1x? Is it good practice to use a NAC solution + 802.1x in a network?
    Kindly suggest how to place the ACS.
    Thanks in advance .

    Hi,
    you can use NAC + ACS for VPN and Wireless access.
    Basically you can leverage VPN auth using RADIUS and also wireless authentication using RADIUS/802.1x.
    Then you can enable VPN/Wireless SSO on the CAS, so as to leverage the RADIUS/802.1x authentication also for NAC, and have the clients go through posture assessment.
    Although you cannot do OOB for VPN, you can do this for Wireless with the Cisco WLC.
    If you use VPN and/or Wireless clients that are not L2 adjacent to the CAS, you will have to use L3 mode on the CAS.
    A CAS can only be IB *OR* OOB, Virtual-Gateway *OR* Real-IP Gateway at any given time.
    So if you want to combine Wireless OOB with VPN, you will need to use separate CAS for Wireless and VPN.
    Please look at the following documents for more details:
    * CAS config guide:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_vpncon.html
    * Wireless NAC OOB Config example:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    * VPN In-Band VGW config example:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server, and the symptoms when the NAC server hung include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via HTTPS; the HA pair was detected down by its HA neighbor and triggered failover to the secondary CAS.
    The CAS server recovered after manually power cycling the hardware.
    After going through the attached CAS logs, I found all the services and the logging service were stopped when the issue happened, but unfortunately no suspicious activity was logged before or during the issue.
    I have also searched the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, since software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
    It would be great if anyone could help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS, CAM and CA server. If this still doesn't work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.

  • Order of Shutdown VPN Concentrators

    We have two 3005 VPN Concentrators. We set them up as load balancing. We need to shut down the VPN Concentrators because the building needs to shut down the power. What is the order for shutting them down and bringing them back up? Would you bring down the secondary VPN Concentrator first, then bring down the primary VPN Concentrator? To bring them up, would you bring up the primary VPN Concentrator first, then the secondary VPN Concentrator?
    Thanks.

    You shut down the VPN Concentrator before you turn power off. If you just turn power off without shutting down, you may corrupt flash memory and affect subsequent operation of the system.
    This guide has information on the procedures to shut down the VPN Concentrator:
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/administration/guide/sysrbt.html

  • Cisco NAC Web Agent + Windows 8

    Hello,
    I'm implementing Cisco ISE 1.2 and I am having trouble with NAC Web Agent and Windows 8 compatibility.
    Every time I try to install NAC Web Agent on Windows 8, I get the message "Agent User Operating System is Not Supported".
    Following is some information about my environment:
    ISE 1.2 Patch 3
    OS: Windows 8 Enterprise
    IE: 10 (In Desktop Mode w and w/o Compatibility View)
    NAC Web Agent: 4.9.0.1007
    Could you help me ?
    Best Regards,
    Daniel Stefani

    Hi Charles,
    I can download all these files, but I can't import them into ISE Resources.
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.9.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.9.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.9.tar.gz
    Mac Agent Installation Package for MacOSX
    CCAAgentMacOSX-4.9.3.803.tar.gz
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.5.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.5.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.5.tar.gz
    The link that you sent me doesn't have options for Cisco NAC Web Agent.
    But the following one does:
    http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    Best Regards,
    Daniel Stefani

  • Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "

    Hi All,
    We have posture assessment working with the Cisco NAC Agent, checking only Symantec Antivirus definition updates and installation. Windows Defender is present on all the user PCs but turned off and not in use. But the Cisco NAC Agent is showing both Windows Defender and Symantec in the "List of Antivirus & Anti-Spyware Products Detected by the Agent" field. We don't want Windows Defender to show in this list.
    Has anyone encountered this before? Please suggest. I want to get rid of Windows Defender from this list in the NAC agent.

    Closest enhancement I could check on this is
    CSCts34764    NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
    Currently Windows Defender AntiSpyware comes installed on all Windows 7 machines. Many users disable this and install their own AntiSpyware product. Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
    This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date.  Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Load-balancing nat-t connections to VPN concentrators

    I'm currently using a CSS to provide redundancy across some NAT-T VPN RAS sessions to some VPN concentrators (in different geographical areas). This works fine, but because I have to create content rules for both UDP 500 and UDP 4500 traffic, I'm concerned that if I move to a genuine load-balanced arrangement instead of merely redundancy, the CSS units might decide to direct UDP 500 traffic from a remote user to one concentrator, and the subsequent UDP 4500 traffic to another. I tried port ranges and a single content rule - no success. Does anyone know how to associate 2 UDP content rules to enforce traffic symmetry, or will a default srcip balancing rule see the concentrator balance traffic based on srcip globally across all content rules?

    if you do balance srcip, the CSS will use a hash and this hash function should be the same for all the content rules, so giving you the same results.
    A single layer3 content rule with advanced-balance sticky-srcip should work as well.
    Regards,
    Gilles.
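To make the reply's point concrete, here is an added Python model (not CSS code and not from the answer's author) of what the two balancing methods do to a NAT-T session: hashing the full flow chooses a concentrator for the UDP 500 leg and the UDP 4500 leg independently, while hashing only the source address keeps both legs together no matter which content rule matched. The concentrator names, the 203.0.113.0/24 client range and the NAT-translated source port are constructed, and SHA-256 stands in for the CSS hash function.

```python
"""Why per-flow balancing can split an IKE/NAT-T session across concentrators
and why a source-address hash keeps it on one. Added example, not CSS code;
backend names, client addresses and the translated port are constructed."""
import hashlib
import ipaddress

CONCENTRATORS = ["vpn-east", "vpn-west", "vpn-central"]  # constructed names


def _bucket(key: str, n: int) -> int:
    """Stable hash of key into n buckets (SHA-256 stands in for the CSS hash)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big") % n


def pick_by_flow(src_ip: str, src_port: int, dst_port: int) -> str:
    """Per-flow choice: the ports are part of the key, so the UDP 500 and
    UDP 4500 legs of one session are hashed independently."""
    key = f"udp|{src_ip}:{src_port}->{dst_port}"
    return CONCENTRATORS[_bucket(key, len(CONCENTRATORS))]


def pick_by_srcip(src_ip: str, src_port: int, dst_port: int) -> str:
    """Source-address choice (the srcip / sticky-srcip behaviour in the reply):
    ports are ignored, so every content rule yields the same concentrator."""
    return CONCENTRATORS[_bucket(src_ip, len(CONCENTRATORS))]


def session_legs(src_ip: str, picker) -> tuple:
    """IKE starts on UDP 500 and, once NAT is detected, continues on UDP 4500
    (NAT-T). Behind a NAT the client's source port on the 4500 leg may be
    rewritten; 61234 is a constructed translated port."""
    leg_500 = picker(src_ip, 500, 500)
    leg_4500 = picker(src_ip, 61234, 4500)
    return leg_500, leg_4500


def split_sessions(picker, clients) -> list:
    """Return the clients whose two legs land on different concentrators."""
    return [ip for ip in clients if len(set(session_legs(ip, picker))) > 1]


# constructed remote-access client addresses: every host in a documentation /24
CLIENTS = [str(ip) for ip in ipaddress.IPv4Network("203.0.113.0/24").hosts()]


if __name__ == "__main__":
    n = len(CLIENTS)
    print(f"per-flow hashing splits {len(split_sessions(pick_by_flow, CLIENTS))} of {n} sessions")
    print(f"source-IP hashing splits {len(split_sessions(pick_by_srcip, CLIENTS))} of {n} sessions")
```

The flip side of source-address stickiness is that every client behind the same NAT shares one source address and therefore lands on one concentrator, so the spread across concentrators is only as even as the client address space.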
