Does Cisco NAC Appliance deployment require CS-ACS?

Similar Messages

• NAC Appliance Deployment issue

  Hi,
  We are going to deploy Cisco NAC Appliance 3310 Clean Access server in our network. Regarding the deployment I have several questions.
  My questions are:
  Do we required any additional server like WSUS for patch/windows update management?
  Does NAC appliance talk with MS AD for authentication?
  Do we required anti-virus server for endpoint security?
  Do we required additional remediation server to remediate the infected endpoint?
  I will be glad if get the above answer.
  Regards,
  Mamun

  Mamun,
  No, the CCA system asks the client to remediate itself, and the Windows update client on the client computer then attempts to remediate based on it's options. The two options are going to Microsoft's WU servers, or if you have an internally defined WSUS server, going to that.
  The other thing you can do also is to "offer" the clients to download files that you store on the CCA system based on different requirements, but doing it this way would be very hard to manage since you're looking at creating requirements for each patch which can become unwieldy very soon.
  View these Video-on-demands on how CCA does posture assessment and remediation. Look at VOD 5:
  http://tinyurl.com/d74t9u
  HTH,
  Faisal

• Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

  Hi,
  I am re-imaging the Cisco NAC Appliance 3315 and installing the Cisco ISE 1.1.4...
  After finishing the Installation, when i type "SETUP"... It gives me the below Error;
  # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
  # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
  Please advise....
  I tried to change the Time/Date as per UTC/GMT accordingly... But, i didn't find the RAID in CLI... see the link below
  (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
  any idea...
  Regards,
  Mubasher Sultan

  Where did you get the recovery media? Did you download from cisco.com?
  Please download the image from CCO and ensure the ISE image is valid by checking the MD5 checksum of the downloaded image is matching to CCO image.You will then need to burn this ISO image onto bootable DVD.
  Supporting link:
  http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
  Jatin Katyal
  - Do rate helpful posts -

• Cisco NAC Appliance

  Hi
  I wanted to know if someone can give me some help on a Cisco NAC appliance.
  Honestly i've heard of them but i've never installed or worked on one before and i
  have a client who wants to have one installed.So i wanted to know can some here
  point me in the right direction as far as installation and configuration. Thanks for
  the help in advance and have a great evening.

  Hi
  Everything you need to get started:
  http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• What is a Cisco NAC appliance used for?

  We have a 5508 WLC in use already and have this 3310 lying around unused.  I am trying figure out if adding a 3310 would be of any benefit.
  From the documentation, the features of a 3310 NAC are,
  Recognize users, their devices, and their roles in the network
  Evaluate whether machines are compliant with security policies
  Enforce security policies by blocking, isolating, and repairing noncompliant machines
  Provide easy and secure guest access
  Simplify non-authenticating device access
  Audit and report whom is on the network
  What does enforce security polices by blocking, isolating, repairing really mean?
  "Provide easy and secure guest access"  I already have a public wireless ssid set on the wlc.
  I can recognize users in reports like Solarwinds.  I can see the username, IP, MAC, AP location.
  I can get an report from my logging traps collector, Solarwinds.

  Well usually when I have deployed them back in the days, you had a NAC Appliance and another NAC Manager. But what you have read, that is exactly what it does.
  What does enforce security polices by blocking, isolating, repairing really mean?
  It will block and isolate the device if it doesn't meet the requirements that you have set, but the user has to manually repair the items.
  "Provide easy and secure guest access" I already have a public wireless ssid set on the wlc.
  I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
  I can get an report from my logging t
  You will not see any username or ap locations. I wouldn't use it as it might be more of a headache to implement unless you know what you are doing.
  Sent from Cisco Technical Support iPhone App

• Does Cisco NAC Support Continuous Posture Assessment ?

  Hi all,
  Cisco does not seem to support continuous posture assessment when running out of band or in band ? What I mean is after authentication during authorization phase I ve been assigned to a role and according to that role I receive a posture result, if that posture result is pass then Ive been evaluated as a healthy end point and receive a Certificate. Then the switchport that I am connected to gets assigned to the corporate VLAN. Afterwards till my certificate expires system will always think that I am healthy.
  Ive gone through 4.8 release notes, it still does not seem to be supported ?
  Any comments are appreciated.
  Dumlu

  I think this is mentioned in the release notes; did you check the following section?
  http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp1105597
  Regards
  Farrukh

• Does Cisco NAC support for HP Switches

  Dear all,
                       the existing network has HP switches , is there any way i can deploy Cisco NAC solution here ?
  Pls revert .
  thanks ,

  Cisco NAC has lots of limitations, and surly this is one of them. But while I respect the fact that cisco will not support NAC on HP switches. It can work. And it will perform just fine, once you understand “Cisco NAC” and able to configure it for the first time, you will be able to support it without the need of TAC.
  The idea is that Cisco NAC sends commands to the switches on the network to apply specific access list or Vlan changes, since Cisco can only speak Cisco, it does not know how to tell other switches to do that. . The work around is that you would have the NAC running in in-line mode on your network, yes this will introduce a bottleneck, but that is the only way to do it. The NAC then will look at the traffic based on the MAC or IP and apply set of policies depending on the source or the destinations.
  Please do your research and look at other NAC solutions before you decide the best vendor to go with.

• Does Cisco NAC support Wireless LAN?

  Hi There
  I know Cisco NAC supports Wireless LAN. I have deployed this myself with various brands of Autonomous APs. These works fine only in in-band mode, not in out-of-band mode.
  However, Cisco did mentioned for Cisco AP, with Cisco NAC and Cisco switches, out-of-band is supported. I tried this today, and it's either Cisco is wrong, which is highly unlikely, or I did not configure either the NAC portion or the Cisco AP correctly, which is most likely? I wonder where did I go wrong? Please somebody, advice me on this?
  Regards,
  Ram
  +6012-2918870

  Hi Ramraj,
  You can do out-of-band with Wireless deployments now, however you must have a Wireless Lan Controller managing your APs. You cannot do it with standalone APs.
  The guide below goes through most of the configuration:
  http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
  Thanks,
  Nate

• Does Cisco IPS appliance 4200 and 4300 series have whitelist?

  Hi all,
  I am wondering if I can do whitelist on the Cisco IPS appliance itself. I understand for IPS module in ASA it is possible...hope anyone can enlighten me.
  Cyrus

  Cyrus,
  It kinda does, it is called Event action filters, where you can excempt host/subnets for triggering certain signatures.
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html
  Whatever you put on them, wont trigger the signatures you dont want it to trigger.
  Hope it helps.
  Mike

• Nac appliance deployment with 802.1x

  Hi,
  Is it possible to deploy a nac appliance solution and use 802.1x as protocol to discover users connection on a switch?
  We don't want to use snmp, I have a microsoft radius server in my deployment for user authentication.
  Thanks!
  Jocelyn

  My friend, i have a customer with whis configuration and worki fine.
  symantec need antivirus version 10 (8 or 9 no !!!!), the symantec posture plug installed in the clients.
  work fine wiht w2k and xp
  cta 2.x work fine. 1.x only work with L3 ip, no 802.1x.
  csa i don?t have experience.
  take care, it is hard to configure, if you need something more ask me to.
  Leo.

• Cisco NAC Appliance SSO AD by OU (Organization Unit) is posible?

  Hello, I have a question. it is posible implement NAC Appliance SSO AD VG/Real IP - L2/L3 for OU (Organization Unit), for example; if i have OU sales and OU market in the windows domain X. it is posible restrict the police and assign diferent network (10.1.1.0/24 for OU sales and 10.1.2.0/24 for OU market).
  Regards
  Alvaro

  Yes that is possible, first you will create a user role for the two seperate OU, then you assign a user role vlan to each role. then you will have to create a ldap lookup server. You will then create a attribute condition which will map users that are a memberOf xxx to user role yyy.
  this is for out of band scearios because the clients at first will get the same authenticaiton ip address but after the port is switched over then the ip address they get after will be based off the vlans they land on.
  let me know if you need anything else.
  Tarik

• Does Cisco LMS and CNC require what kind of access on device

                     I would like to know what kind of device access needs to collect information? I have another team trying to collect the information. I have given LMS server snmp access to Cisco Devices. It seems that snmp for LMS is not enough as per their comment. We have CNC server is different than LMS. Please advise. Thanks!!!
  If you have sample output report for LMS and CNC will be also very much appreciated.

  You can check the credentials required by LMS for managing devices for different features here :
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/install/guide/prereq.html#wp1170227
  Not sure about CNC. Let the other experts comments on it.
  -Thanks

• Authentication NAC appliance with ACS

  I had deployed a L3 Virtual Gateway mode for NAC appliance. There is ACS for authentication. How can I add ACS to "Auth Servers". CAM settings do not need mapping rules. Every user just anthenticate oneself's account, then CAM can pass these info to ACS. What should I do, Thank you?
  Is there any configuration example, e-mail to [email protected]

  http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a00809b8e3b.shtml

• Question about cisco nac agent

  When I deploy Cisco NAC appliance, the main different between using cisco nac appliance with or without agent? I see Cisco NAC agent has two function: scan and remediation. If Cisco NAC appliance without agent, Cisco NAC server will scan device and remediation. That is right?
  Please answer me early. Thank you for your answer.

  Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
  We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
  1) You have to decide which vulnerabilities you want to scan for.
  2) The more plug-ins you enable, the longer (obviously) the scan takes.
  3) There are configuration steps for many of the plug-ins
  4) Your users will still need to go to a login page in order to be scanned.
  5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
  From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
  It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
  Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
  Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.

• L2 or l3 switch with NAC appliance

  Hi,
  I am planning for deploying NAC appliance in OOBVG mode. For the access layer, L2 switches are selected (2960). If I change the L2 access switches with L3 (3560 or 3750) would this add more manageability to the access layer by NAC?
  Regards,
  Mladen

  Thanks.
  The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
  "In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
  So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is client satisfactory.
  If the NAC is in OOBVG mode, are there any NAC features, which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
  Regards,
  Mladen