Does Cisco NAC Support Continuous Posture Assessment ?
Hi all,
Cisco does not seem to support continuous posture assessment when running out of band or in band? What I mean is: after authentication, during the authorization phase, I've been assigned to a role, and according to that role I receive a posture result. If that posture result is pass, then I've been evaluated as a healthy endpoint and receive a certificate. Then the switchport that I am connected to gets assigned to the corporate VLAN. Afterwards, until my certificate expires, the system will always think that I am healthy.
I've gone through the 4.8 release notes; it still does not seem to be supported?
Any comments are appreciated.
Dumlu
I think this is mentioned in the release notes; did you check the following section?
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp1105597
Regards
Farrukh
Similar Messages
Does Cisco NAC support Wireless LAN?
Hi There
I know Cisco NAC supports Wireless LAN. I have deployed this myself with various brands of autonomous APs. These work fine only in in-band mode, not in out-of-band mode.
However, Cisco did mention that with Cisco APs, Cisco NAC and Cisco switches, out-of-band is supported. I tried this today, and either Cisco is wrong, which is highly unlikely, or I did not configure either the NAC portion or the Cisco AP correctly, which is most likely. I wonder where I went wrong? Please, somebody advise me on this.
Regards,
Ram
+6012-2918870
Hi Ramraj,
You can do out-of-band with Wireless deployments now, however you must have a Wireless Lan Controller managing your APs. You cannot do it with standalone APs.
The guide below goes through most of the configuration:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
Thanks,
Nate
Does Cisco NAC support for HP Switches
Dear all,
The existing network has HP switches; is there any way I can deploy the Cisco NAC solution here?
Please revert.
Thanks,
Cisco NAC has lots of limitations, and surely this is one of them. But while I respect the fact that Cisco will not support NAC on HP switches, it can work. And it will perform just fine; once you understand Cisco NAC and are able to configure it for the first time, you will be able to support it without the need of TAC.
The idea is that Cisco NAC sends commands to the switches on the network to apply a specific access list or VLAN changes; since Cisco can only speak Cisco, it does not know how to tell other switches to do that. The workaround is to run the NAC in in-line mode on your network. Yes, this will introduce a bottleneck, but that is the only way to do it. The NAC will then look at the traffic based on the MAC or IP and apply a set of policies depending on the source or the destinations.
Please do your research and look at other NAC solutions before you decide on the best vendor to go with.
Does Cisco NAC Appliance deployment require CS-ACS?
I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
Anybody have any ideas on that?
Thanks!
Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
Of course, you would lose the central management functionality which comes with ACS, or a hook to Active Directory via KTPass (this command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
Hope this helps.
Does Cisco ASA support android ?
Dear all,
Does Cisco ASA 5505 support Android? For smartphones and other systems using Android.
Best Regards,
Rechard
Rechard,
Just adding my two cents:
ASA and Native L2TP-IPSec Android Client Configuration Example
Android and L2TP/IPsec Clients
AnyConnect Mobile License
HTH.
Does a Cisco router support a "tcp reset" message when the traffic is blocked by an access list?
hi ,
I'm trying to find out, if I block a destination with an access list on Cisco,
can I send a "tcp-reset" to that connection instead of dropping it?
I believe it is supported on the ASA appliance, but I'm not sure if it is supported on Cisco routers.
I'm trying to migrate from a Linux router to a Cisco router and apply the same config; one of the challenging tasks is that I have
"reject-with=tcp-reset"
I'm wondering if I can do it on a Cisco router.
Waiting for your response.
Regards
One of the things that keeps me engaged with these forums is that they challenge me and give me opportunities to learn new things. My initial reaction to your question about IPS on an IOS router was to say that this is not supported. But I did some research and found that apparently IPS functionality is now supported on some (but not all) Cisco IOS routers. See this link for additional detail:
http://www.cisco.com/c/en/us/products/collateral/security/ios-intrusion-prevention-system-ips/product_data_sheet0900aecd803137cf.html
HTH
Rick
Does Cisco 7600 Support QPPB with QoS?
Hi,
The BGP routes successfully get an IP precedence value marked by QPPB. But the QoS does not seem to be working when matching on the IP precedence.
Any help is much appreciated!
class-map match-all Prec-3
match access-group 20
match precedence 5
class-map match-all allow
match access-group 20
policy-map Meter
class Prec-3
class allow
interface GigabitEthernet9/0/0
ip address 20.20.20.1 255.255.255.0
media-type rj45
speed 1000
no negotiation auto
bgp-policy destination ip-prec-map
interface GigabitEthernet9/0/1
ip address 10.10.10.1 255.255.255.0
media-type rj45
speed 1000
no negotiation auto
service-policy output Meter
router bgp 100
table-map QPPB
bgp log-neighbor-changes
network 200.200.200.0
neighbor 10.10.10.2 remote-as 200
ip forward-protocol nd
ip as-path access-list 100 permit 200$
access-list 20 permit 200.200.200.1
route-map QPPB permit 10
match as-path 100
set ip precedence critical
Router# show ip bgp
BGP table version is 3, local router ID is 20.20.20.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 100.100.100.0/24 10.10.10.2 0 0 200 i
*> 200.200.200.0 0.0.0.0 0 32768 i
Router#show ip route 100.100.100.0
Routing entry for 100.100.100.0/24
Known via "bgp 100", distance 20, metric 0
Tag 200, precedence critical (5), type external
Last update from 10.10.10.2 1d06h ago
Routing Descriptor Blocks:
* 10.10.10.2, from 10.10.10.2, 1d06h ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 200
MPLS label: none
Router#show policy-map interface
GigabitEthernet9/0/1
Service-policy output: Meter
Counters last updated 00:00:01 ago
Class-map: Prec-3 (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps
Match: access-group 20
Match: precedence 5
Class-map: allow (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps
Match: access-group 20
Class-map: class-default (match-any)
3908 packets, 261198 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
Router#
Command Accounting is a TACACS+ feature, so not for ISE... yet.
However, you can do the following to send commands to syslog without including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log; increase or decrease as you have memory. The notify syslog is what sends it via syslog.
conf t
archive
log config
logging enable
logging size 200
hidekeys
notify syslog
end
wr mem
Remember, syslog is clear text :-) Log away from user traffic when possible, or use TLS-based syslog when possible.
I hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.
Please rate post you consider useful.
-James
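The archive config-logging setup above produces one syslog message per configuration command, which is only useful if something on the collector reads it. The following is an added example (not from the original post or from Cisco) of a small parser for those messages: it extracts the user and command, checks whether credential arguments arrived masked (what hidekeys is supposed to guarantee), and flags commands that weaken the audit or AAA configuration. The message format `%PARSER-5-CFGLOG_LOGGEDCMD: User:<name> logged command:<cmd>` is the real IOS one; the sample lines, the tamper-prefix list and the asterisk masking convention are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Message emitted by IOS when 'archive / log config / notify syslog' is configured.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Credential-carrying keywords; with 'hidekeys' IOS replaces the value with asterisks
# (assumed here as the masking convention). The optional digit handles 'password 7 ...'.
SECRET_RE = re.compile(
    r"\b(?:password|secret|key-string|community|key)\s+(?:\d\s+)?(?!chain\b)(\S+)", re.I
)

# Hypothetical list of command prefixes that weaken AAA, logging or the change log itself.
TAMPER_PREFIXES = ("no logging", "no archive", "no aaa", "no snmp-server",
                   "no hidekeys", "no notify syslog", "logging size")


@dataclass
class CfgEvent:
    user: str
    command: str
    has_secret: bool      # command carries a credential argument
    secret_masked: bool   # that argument is all asterisks, i.e. hidekeys did its job
    tamper: bool          # command touches the audit/AAA configuration


def parse_cfglog(line: str) -> Optional[CfgEvent]:
    """Return a CfgEvent for a CFGLOG_LOGGEDCMD syslog line, or None for any other message."""
    m = CFGLOG_RE.search(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    s = SECRET_RE.search(cmd)
    has_secret = s is not None
    masked = has_secret and set(s.group(1)) == {"*"}
    tamper = cmd.lower().startswith(TAMPER_PREFIXES)
    return CfgEvent(m.group("user"), cmd, has_secret, masked, tamper)


def analyze(lines: List[str]) -> List[CfgEvent]:
    """Parse a batch of syslog lines, keeping only configuration-change events."""
    return [e for e in (parse_cfglog(l) for l in lines) if e is not None]


def findings(events: List[CfgEvent]) -> List[str]:
    """Human-readable alerts a SOC would want from the change log."""
    out = []
    for e in events:
        if e.has_secret and not e.secret_masked:
            out.append(f"UNMASKED SECRET by {e.user}: {e.command}")
        if e.tamper:
            out.append(f"AUDIT/AAA CHANGE by {e.user}: {e.command}")
    return out


# Constructed sample syslog lines (timestamps, users and addresses are made up).
SAMPLE_LINES = [
    "Mar  1 10:15:02.101: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username ops secret *****",
    "Mar  1 10:15:07.443: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.0.0.5",
    "Mar  1 10:16:30.009: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:snmp-server community s3cr3t RW",
    "Mar  1 10:16:31.200: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
]

if __name__ == "__main__":
    for f in findings(analyze(SAMPLE_LINES)):
        print(f)
```

The third sample line shows why the masking check matters: an SNMP community string logged in the clear means either hidekeys was not set or the collector path itself needs protecting, which is the point of the remark about TLS-based syslog.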
Does the Cisco3745 Support TBCT on E1's ?
Hi, the Cisco 3745 product documentation states that TBCT supports the National ISDN-2 (NI-2) standard for T1 only. It is unclear whether E1 interfaces are supported.
I would like to know what the case is, i.e. does Cisco now support TBCT on E1s on the Cisco 3745?
I think it is an IOS-based limitation and not hardware-based; as TBCT is a standard, it should also be supported on the E1 card.
Check the URL below for the IOS support.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide_chapter09186a008017cee3.html#1085519
NAC not doing posture assessment
Hello All,
I am having difficulty with NAC where it's not doing posture assessment. I ran through the configuration guide and followed it to the T, but still no luck. I am running NAC 4.5(1) for in-band wireless. Any ideas as to what I should be looking at next?
Thanks,
G
What devices etc. are you using to implement NAC? Are you using an ACS server or a NAC appliance?
What mode of NAC are you using? L2 dot1x, L2 IP or L3 IP?
What authentication are you using? (Take a look at your settings under System Config -> Global Authentication, if using Cisco ACS.)
A lot of issues I have seen with NAC are down to certificates/CA chains on the NAC posture server and the end clients.
Stu
Cisco ISE inline posture node Posture assessment query
Hi all,
I read the user guide for ISE 1.1 and in the Inline Posture section I picked up the following text, which concerned me if I understand it right...
"In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
they are likely to fall into one of the identity groups that already have authenticated and authorized users
connected to the network.
For instance, there may be an employee, executive, and guest that have been granted access through the
outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
and authorization uses the existing installed profiles on the Inline Posture node, unless the original
profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
Does this mean that if a corporate user VPNs in, successfully passes posture and gets a dACL applied to the session allowing full access, the next user will completely skip posture assessment and be granted full access to the network if they are a member of the same AD group?
I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
Thanks!
Mario
I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and an endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and a URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint goes through reauth via CoA.
If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
https://communities.cisco.com/docs/DOC-30977
HTH,
Ryan
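The answer above describes a flow that is easy to get wrong in one's head: profiles are cached on the Inline Posture node, but the authorization decision is still made per session and per posture state, and CoA re-runs it. The following is an added simulation (not code from the thread, from Cisco or from ISE) that models that flow for the thread's VPN case: a policy server that returns a profile from identity group plus posture state, and an inline node that installs each profile once and re-authorizes a session on every posture report. The profile names, ACL lines, group name and the `downloads` counter are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Posture(Enum):
    UNKNOWN = "unknown"            # agent has not reported yet
    COMPLIANT = "compliant"
    NONCOMPLIANT = "noncompliant"


@dataclass(frozen=True)
class Profile:
    name: str
    acl: Tuple[str, ...]
    redirect: bool   # URL-redirect to the agent download / remediation portal


# Hypothetical authorization profiles for the "employees" identity group.
EMPLOYEE_PREPOSTURE = Profile(
    "Employee-PrePosture",
    ("permit udp any any eq 53", "permit tcp any host 10.0.0.10 eq 8443", "deny ip any any"),
    True)
EMPLOYEE_FULL = Profile("Employee-Full", ("permit ip any any",), False)
EMPLOYEE_QUARANTINE = Profile(
    "Employee-Quarantine",
    ("permit tcp any host 10.0.0.20 eq 80", "deny ip any any"),
    True)


class PolicyServer:
    """Stands in for the ISE policy node: decides from identity group + posture state."""

    def authorize(self, group: str, posture: Posture) -> Profile:
        if group != "employees":
            raise ValueError(f"no authorization rule for group {group!r}")
        if posture is Posture.COMPLIANT:
            return EMPLOYEE_FULL
        if posture is Posture.NONCOMPLIANT:
            return EMPLOYEE_QUARANTINE
        return EMPLOYEE_PREPOSTURE   # unknown posture always lands here


@dataclass
class Session:
    endpoint: str
    group: str
    posture: Posture = Posture.UNKNOWN
    profile: Optional[Profile] = None


class InlinePostureNode:
    """Stands in for the iPEP: installs profiles once, enforces them per session."""

    def __init__(self, pdp: PolicyServer):
        self.pdp = pdp
        self.installed: Dict[str, Profile] = {}   # the "cache" the guide talks about
        self.downloads = 0                        # how often a profile had to be fetched
        self.sessions: Dict[str, Session] = {}

    def _install(self, profile: Profile) -> Profile:
        if profile.name not in self.installed:
            self.installed[profile.name] = profile
            self.downloads += 1
        return self.installed[profile.name]

    def connect(self, endpoint: str, group: str) -> Session:
        """Initial authentication: posture is unknown, so the pre-posture profile applies."""
        s = Session(endpoint, group)
        s.profile = self._install(self.pdp.authorize(group, s.posture))
        self.sessions[endpoint] = s
        return s

    def posture_report(self, endpoint: str, result: Posture) -> Session:
        """Agent reports posture; ISE issues CoA and the session is re-authorized."""
        s = self.sessions[endpoint]
        s.posture = result
        s.profile = self._install(self.pdp.authorize(s.group, result))
        return s


def demo():
    """Two endpoints in the same AD group; the second connects after the first is compliant."""
    ipep = InlinePostureNode(PolicyServer())
    a = ipep.connect("laptop-A", "employees")
    ipep.posture_report("laptop-A", Posture.COMPLIANT)
    b = ipep.connect("laptop-B", "employees")   # Employee-Full is already installed here
    return ipep, a, b


if __name__ == "__main__":
    ipep, a, b = demo()
    print(a.endpoint, a.profile.name)
    print(b.endpoint, b.profile.name, "redirect" if b.profile.redirect else "")
```

Running `demo()` shows laptop-B starting on the pre-posture profile with a redirect even though the full-access profile is already sitting in the node's cache; the cache only saves the download, it never short-circuits the posture decision.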
NAC Framework with TrendMicro Policy Server? External Posture Assessment?
Hi
I've got a NAC Framework 2.1 setup using NAC-L2-802.1x with 2950 switches and so far it's working great. I've recently begun testing NAC with TrendMicro OfficeScan, which includes the Trend Policy Server for Cisco NAC.
I've imported the Trend.adf file, created a new Internal Posture Validation to check these TrendAV settings (DAT version, protection enabled, etc) and it is working great with the clients. (Healthy if up to date, quarantined if out of date).
What I'm trying to do is get this integrated with the Trend Policy Server for Cisco NAC. I've created an External Posture Validation entry for the Trend Policy Server;
https://win2k3std:4343/antibody
And have supplied it with the password (no username is needed to login to the web console of this server). I've also selected Trend:AV as the forwarding credential. I've gone into Network Access Profiles and made sure this was selected as an External Posture Validation Server and set it to quarantine under "Failure Posture Token". When I test this from the client (once I've enable External Posture Validation), it always ends up quarantined (even though the client is fully up to date). If I disable the External Posture Validation server from the NAP, the client test passes as Healthy (since all AV is up to date).
I've got the Policy Server for Cisco NAC defined under NAC on my Trend OfficeScan server, and on the Policy Server for Cisco NAC, I've got the OfficeScan server defined. Yet, no matter what I've tried, the client always fails with this msg in the CSACS logs;
Posture Validation Failure on External Policy
Does anyone have any experience or help with this. Thanks very much.
Jason Humes
Please check the links for the configuration and troubleshooting of NAC:
www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860
Posture Assessment passed in Error using Cisco ISE
Hi all,
I would like some help trying to understand why a client that has not been connected to the network for just over a month was allowed full network access despite the AV definitions being over 28 days old.
We have 2 mandatory posture requirements:
1. Symantec AV MUST be installed
2. the AV definitions MUST be LESS THAN 28 days out of date
Currently, the machine I have is showing the AV defs as being from 25th March 2013.
When I produce the detailed posture report, it even shows me that the two mandatory requirements described above were successfully met, meaning the endpoint is posture compliant. Clearly this is not the case though...!
Is there anything else I can check on the ISE to help debug this?
Mario
Hi,
You might have two problems:
1. In ISE you have a global setting regarding unsupported NAC Agent clients (Android, etc.) that specifies their default compliance status. If the default setting is "compliant" and you don't have a provisioning rule for that client, or you simply don't have client provisioning rules, any machine that doesn't fit a provisioning rule (i.e. ISE thinks it is not supported) will get a compliance status of compliant even though the NAC Agent is installed and the rules are not satisfied.
2. NAC Agent version problem?
I've seen in logs that you're using NAC Agent 4.9.1.6 but the latest recommended version of NAC Agent to be used with (the latest) ISE is version 4.9.0.51.
Version 4.9.1.6 is a NAC Appliance release and Cisco offers no guarantee that it is 100% compatible with ISE.
Check
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131
Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE) Cisco supports different versions of the NAC Agent for integration with NAC Appliance and ISE. Current releases are developed to work in either environment, however, interoperability between deployments is not guaranteed. Therefore, there is no explicit interoperability support for a given NAC Agent version intended for one environment that will necessarily work in the other. If you require support for both NAC Appliance and ISE using a single NAC Agent, be sure to test NAC Agent in your specific environment to verify compatibility. Unless there is a specific defect or feature required for your NAC Appliance deployment, Cisco recommends deploying the most current agent certified for your ISE deployment. If an issue arises, Cisco recommends restricting the NAC Agent's use to its intended environment and contacting Cisco TAC for assistance. Cisco will be addressing this issue through the standard Cisco TAC support escalation process, but NAC Agent interoperability is not guaranteed. Cisco is working on an approach to address NAC Agent interoperability testing and support in an upcoming release.
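The first point in the reply above is the one worth internalising: a posture check that never runs is not a pass, and a "compliant" default for unsupported clients turns it into one. The following is an added example (not code from the thread, from Cisco or from ISE) that models the two mandatory requirements from the question and the global default for endpoints with no matching client-provisioning rule, so that the failure mode can be reproduced on a desk. The set of provisioned operating systems, the endpoint records and the evaluation date are constructed assumptions; the 28-day limit and the 25 March 2013 definition date come from the thread.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_DEF_AGE_DAYS = 28   # requirement 2 from the thread: definitions less than 28 days old

# Hypothetical client-provisioning rules: only these operating systems get an agent
# provisioned and therefore actually have their requirements evaluated.
PROVISIONED_OS = {"Windows 7", "Windows XP", "Mac OS X"}


@dataclass
class Endpoint:
    os_name: str
    agent_version: Optional[str]   # None when no NAC Agent is installed
    av_installed: bool
    av_def_date: Optional[date]


def check_requirements(ep: Endpoint, today: date) -> Tuple[str, List[str]]:
    """Evaluate the two mandatory requirements; return (status, reasons for failure)."""
    reasons: List[str] = []
    if not ep.av_installed:
        reasons.append("Symantec AV not installed")
    if ep.av_def_date is None:
        reasons.append("AV definition date unknown")
    else:
        age = (today - ep.av_def_date).days
        if age >= MAX_DEF_AGE_DAYS:
            reasons.append(f"AV definitions {age} days old (limit {MAX_DEF_AGE_DAYS})")
    return ("compliant" if not reasons else "noncompliant"), reasons


def posture_status(ep: Endpoint, today: date,
                   unsupported_default: str = "compliant") -> Tuple[str, List[str]]:
    """Mimic the behaviour described in the reply: an endpoint with no matching
    client-provisioning rule never reaches the requirement checks and simply
    receives the global default for unsupported clients."""
    if ep.os_name not in PROVISIONED_OS:
        return unsupported_default, ["no client-provisioning rule matched; default applied"]
    return check_requirements(ep, today)


if __name__ == "__main__":
    today = date(2013, 4, 30)                          # constructed evaluation date
    stale = Endpoint("Windows 7", "4.9.0.51", True, date(2013, 3, 25))
    odd = Endpoint("Windows 8", "4.9.1.6", True, date(2013, 3, 25))   # no provisioning rule
    print("provisioned, stale defs :", posture_status(stale, today))
    print("unsupported, default on :", posture_status(odd, today))
    print("unsupported, default off:", posture_status(odd, today, "noncompliant"))
```

The second and third printed lines are the same endpoint with the same stale definitions; only the global default differs, which is why the reply suggests checking that setting before suspecting the requirement rules themselves.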
NAC posture assessment error?
Hi experts
I have a NAC with 4.8.3 IOS installed. Everything works perfectly if I am not putting in any posture assessment like a WSUS or AV check. I can authenticate successfully and the VLAN shifts OK. But if I put in any posture assessment rule, then the NAC Windows agent says the NAC server is not available on the network, and the user goes to the temporary role.
Any suggestions?
Sent from Cisco Technical Support iPhone App
Please check the links for the configuration and troubleshooting of NAC:
www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860
Does Cisco MOC RCC Plug-in support Windows 7 64bits?
Hi,
I tried to install the Cisco_MOC_RCC_Plug-in.msi on Windows 7, 64 bits. (CUPS is 7.0.8; the plug-in is coming from the CUPS server.)
I use the command line, I receive the installation window and do a complete install. But afterwards I don't see the Cisco Phone Selection tab in MOC.
The same steps work properly on Windows XP, 32 bits.
I verified the Cisco document but they never mention the OS supported by the RCC plug-in.
Does Cisco MOC RCC Plug-in support Windows 7 64bits?
Thanks
Hi,
Actually, it is mentioned on the CUPS server itself on the page of the plug-in download (CUPS Server administration > Applications > Plugins > ..).
Here is a copy/paste from CUPS 8.0.4.x:
"The Cisco Unified Presence Microsoft Office Communicator (MOC) 2007 Remote Call Control plugin allows MOC users to select which phone line they wish MOC to control. When installed, the plugin will expose a CUP web page within the MOC application where users can change their current MOC phone line of control. This version is supported on Microsoft Windows XP/Vista"
Although it doesn't mention Windows 7 (32/64) (meaning the dev team haven't tested it to certify it), please feel free to give it a try.
Thanks
Does Cisco ISE 1.2 support Catalyst SRW224G4P and Small business ESW520 Switches?
Hello all,
Does Cisco ISE 1.2 support Catalyst SRW224G4P and Small business ESW520 Switches?
Best regards.
Hi there, the link below outlines the ISE supported Cisco hardware:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
Thank you for rating helpful posts!