Does Cisco NAC Support Continuous Posture Assessment ?

Hi all,
Cisco does not seem to support continuous posture assessment when running out-of-band or in-band? What I mean is: after authentication, during the authorization phase, I've been assigned to a role and according to that role I receive a posture result; if that posture result is pass then I've been evaluated as a healthy endpoint and receive a certificate. Then the switchport that I am connected to gets assigned to the corporate VLAN. Afterwards, until my certificate expires, the system will always think that I am healthy.
I've gone through the 4.8 release notes; it still does not seem to be supported?
Any comments are appreciated.
Dumlu

I think this is mentioned in the release notes; did you check the following section?
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp1105597
Regards
Farrukh

Similar Messages

  • Does Cisco NAC support Wireless LAN?

    Hi There
    I know Cisco NAC supports Wireless LAN. I have deployed this myself with various brands of autonomous APs. These work fine only in in-band mode, not in out-of-band mode.
    However, Cisco did mention that for Cisco APs, with Cisco NAC and Cisco switches, out-of-band is supported. I tried this today, and either Cisco is wrong, which is highly unlikely, or I did not configure either the NAC portion or the Cisco AP correctly, which is most likely? I wonder where I went wrong? Please, somebody, advise me on this?
    Regards,
    Ram
    +6012-2918870

    Hi Ramraj,
    You can do out-of-band with Wireless deployments now, however you must have a Wireless Lan Controller managing your APs. You cannot do it with standalone APs.
    The guide below goes through most of the configuration:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    Thanks,
    Nate

  • Does Cisco NAC support for HP Switches

    Dear all,
    The existing network has HP switches; is there any way I can deploy the Cisco NAC solution here?
    Please revert.
    thanks ,

    Cisco NAC has lots of limitations, and surely this is one of them. But while I respect the fact that Cisco will not support NAC on HP switches, it can work. And it will perform just fine; once you understand "Cisco NAC" and are able to configure it for the first time, you will be able to support it without the need of TAC.
    The idea is that Cisco NAC sends commands to the switches on the network to apply specific access lists or VLAN changes; since Cisco can only speak Cisco, it does not know how to tell other switches to do that. The workaround is that you would have the NAC running in in-line mode on your network. Yes, this will introduce a bottleneck, but that is the only way to do it. The NAC then will look at the traffic based on the MAC or IP and apply a set of policies depending on the source or the destinations.
    Please do your research and look at other NAC solutions before you decide the best vendor to go with.

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • Does Cisco ASA support android ?

    Dear all,
    Does Cisco ASA 5505 support Android, for smartphones and other systems that use Android?
    Best Regards,
    Rechard

    Rechard,
    Just adding my two cents:
    ASA and Native L2TP-IPSec Android Client Configuration Example
    Android and L2TP/IPsec Clients
    AnyConnect Mobile License
    HTH.
    Message was edited by: Javier Portuguez

  • Does Cisco router support "tcp reset" message when the traffic is blocked by access list?

    Hi,
    I'm trying to know, if I blocked a destination with an access list on Cisco,
    can I make a "tcp-reset" to that connection instead of dropping it??
    I believe it is supported on the ASA appliance, but not sure if supported on Cisco routers.
    I'm trying to migrate from a Linux router to a Cisco router and apply the same config; one of the challenging tasks is, I have
    "reject-with=tcp-reset"
    I'm wondering if I can do it on a Cisco router.
    Waiting for your response.
    Regards

    One of the things that keeps me engaged with these forums is that they challenge me and give me opportunities to learn new things. My initial reaction to your question about IPS on IOS routers was to say that this is not supported. But I did some research and found that apparently IPS functionality is now supported on some (but not all) Cisco IOS routers. See this link for additional detail:
    http://www.cisco.com/c/en/us/products/collateral/security/ios-intrusion-prevention-system-ips/product_data_sheet0900aecd803137cf.html
    HTH
    Rick

  • Does Cisco 7600 Support QPPB with QoS?

    Hi,
    The BGP routes can successfully be marked with an IP precedence value by QPPB. But the QoS does not seem to be working when matching the IP precedence.
    Any help is much appreciated!
    class-map match-all Prec-3
     match access-group 20
     match precedence 5
    class-map match-all allow
     match access-group 20
    policy-map Meter
     class Prec-3
     class allow
    interface GigabitEthernet9/0/0
     ip address 20.20.20.1 255.255.255.0
     media-type rj45
     speed 1000
     no negotiation auto
     bgp-policy destination ip-prec-map
    interface GigabitEthernet9/0/1
     ip address 10.10.10.1 255.255.255.0
     media-type rj45
     speed 1000
     no negotiation auto
     service-policy output Meter
    router bgp 100
     table-map QPPB
     bgp log-neighbor-changes
     network 200.200.200.0
     neighbor 10.10.10.2 remote-as 200
    ip forward-protocol nd
    ip as-path access-list 100 permit 200$
    access-list 20 permit 200.200.200.1
    route-map QPPB permit 10
     match as-path 100
     set ip precedence critical
    Router# show ip bgp
    BGP table version is 3, local router ID is 20.20.20.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
         Network          Next Hop            Metric LocPrf Weight Path
     *>  100.100.100.0/24 10.10.10.2               0             0 200 i
     *>  200.200.200.0    0.0.0.0                  0         32768 i
    Router#show ip route 100.100.100.0
    Routing entry for 100.100.100.0/24
      Known via "bgp 100", distance 20, metric 0
      Tag 200, precedence critical (5), type external
      Last update from 10.10.10.2 1d06h ago
      Routing Descriptor Blocks:
      * 10.10.10.2, from 10.10.10.2, 1d06h ago
          Route metric is 0, traffic share count is 1
          AS Hops 1
          Route tag 200
          MPLS label: none
    Router#show policy-map interface
     GigabitEthernet9/0/1
      Service-policy output: Meter
      Counters last updated 00:00:01 ago
        Class-map: Prec-3 (match-all) 
          0 packets, 0 bytes
          5 minute offered rate 0000 bps
          Match: access-group 20
          Match:  precedence 5
        Class-map: allow (match-all) 
          0 packets, 0 bytes
          5 minute offered rate 0000 bps
          Match: access-group 20
        Class-map: class-default (match-any) 
          3908 packets, 261198 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: any
    Router#

    Command Accounting is a TACACS+ feature so not for ISE....yet.
    However, you can do the following to send commands to syslog without including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log; increase or decrease as you have memory. The notify syslog is what sends it via syslog.
    conf t
    archive
    log config
    logging enable
    logging size 200
    hidekeys
    notify syslog
    end
    wr mem
    Remember, syslog is cleartext :-) Log away from user traffic when possible, or use TLS-based syslog when possible.
    I hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.
    Please rate posts you consider useful.
    -James
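As an added example (not code from the post above or from Cisco), here is a small Python audit pass over the kind of syslog messages that the "archive / log config / notify syslog" configuration emits. The sample lines are constructed for this example; they are modelled on the %PARSER-5-CFGLOG_LOGGEDCMD message, and the prefix list of "weakening" commands is an assumption a defender would tune. It shows why hidekeys matters: the one constructed line that stands for a device without hidekeys is flagged because its credential reached the collector in cleartext.

```python
import re
from collections import Counter

# Constructed sample syslog lines (timestamps, users and commands are made up),
# modelled on the %PARSER-5-CFGLOG_LOGGEDCMD message produced by
# "archive / log config / notify syslog". The fourth line stands for what a
# device WITHOUT "hidekeys" would send over the wire.
SAMPLE_SYSLOG = """\
<189>Mar  1 10:02:11.003: %PARSER-5-CFGLOG_LOGGEDCMD: User:james  logged command:interface GigabitEthernet9/0/1
<189>Mar  1 10:02:15.120: %PARSER-5-CFGLOG_LOGGEDCMD: User:james  logged command:no service-policy output Meter
<189>Mar  1 10:05:40.551: %PARSER-5-CFGLOG_LOGGEDCMD: User:james  logged command:username audit privilege 15 secret *****
<189>Mar  1 10:05:58.774: %PARSER-5-CFGLOG_LOGGEDCMD: User:james  logged command:username backup privilege 15 password 0 hunter2
<189>Mar  1 10:06:02.009: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown  logged command:no logging host 10.0.0.5
<189>Mar  1 10:06:03.000: %SYS-5-CONFIG_I: Configured from console by james on vty0 (10.0.0.9)
"""

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Assumed watch list: configuration commands that weaken logging or
# authentication. A defender normally wants an alert on these whoever typed them.
WATCH_PREFIXES = ("no logging", "no aaa", "no archive", "no snmp-server",
                  "username", "enable secret", "enable password")

# "password 0 hunter2" / "secret foo" -> capture the value after the keyword
SECRET_RE = re.compile(r"\b(?:password|secret)\s+(?:\d\s+)?(\S+)")


def parse_cfglog(text):
    """Return [(user, command), ...] for every CFGLOG_LOGGEDCMD line in text."""
    entries = []
    for line in text.splitlines():
        m = CFGLOG_RE.search(line)
        if m:
            entries.append((m.group("user"), m.group("cmd").strip()))
    return entries


def flag_watched(entries):
    """Entries whose command starts with one of WATCH_PREFIXES."""
    return [(u, c) for u, c in entries if c.startswith(WATCH_PREFIXES)]


def leaks_secret(cmd):
    """True if the command carries a credential that hidekeys did not mask."""
    m = SECRET_RE.search(cmd)
    return bool(m) and not set(m.group(1)) <= {"*"}


def audit(text):
    """Summarise a capture: per-user command counts, watched commands,
    and commands that exposed a credential in cleartext."""
    entries = parse_cfglog(text)
    return {
        "per_user": Counter(u for u, _ in entries),
        "watched": flag_watched(entries),
        "leaked": [(u, c) for u, c in entries if leaks_secret(c)],
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SYSLOG)
    for user, n in result["per_user"].items():
        print(f"{user}: {n} config command(s)")
    for user, cmd in result["watched"]:
        print(f"WATCH  {user}: {cmd}")
    for user, cmd in result["leaked"]:
        print(f"LEAK   {user}: {cmd}")
```

The "leaked" bucket is the check to keep an eye on after enabling this feature: if it is ever non-empty, either hidekeys is missing on a device or a command syntax is slipping past it, and the syslog path (which is cleartext unless you use TLS) is carrying credentials.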

  • Does the Cisco3745 Support TBCT on E1's ?

    Hi, the Cisco 3745 product documentation states that TBCT supports the National ISDN-2 (NI-2) standard for T1 only. It is unclear whether E1 interfaces are supported.
    I would like to know what the case is, i.e. does Cisco now support TBCT on E1s on the Cisco 3745?

    I think it is an IOS-based limitation and not a hardware-based one; as TBCT is a standard, it should also be supported on the E1 card.
    Check the URL below for the IOS support.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide_chapter09186a008017cee3.html#1085519

  • NAC not doing posture assessment

    Hello All,
    I am having difficulty with NAC where it's not doing posture assessment. I ran through the configuration guide and followed it to the T but still no luck. I am running NAC 4.5(1) for In Band wireless. Any ideas as to what I should be looking at next?
    Thanks,
    G

    What devices etc. are you using to implement NAC? Are you using ACS Server, or NAC Appliance?
    What mode of NAC are you using? L2 dot1x, L2 IP or L3 IP?
    What authentication are you using? (Take a look at your settings under System Config -> Global Authentication, if using Cisco ACS.)
    A lot of the issues I have seen with NAC are down to certificates/CA chains on the NAC posture server and the end clients.
    Stu

  • Cisco ISE inline posture node Posture assessment query

    Hi all,
    I read the user guide for ISE 1.1 and in the Inline Posture section I picked up the following text, which concerned me if I understand it right...
    "In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
    they are likely to fall into one of the identity groups that already have authenticated and authorized users
    connected to the network.
    For instance, there may be an employee, executive, and guest that have been granted access through the
    outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
    groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
    and authorization uses the existing installed profiles on the Inline Posture node, unless the original
    profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
    with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
    Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, the next user will completely skip posture assessment and be granted full access to the network if they are a member of the same AD group?
    I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
    Thanks!
    Mario

    I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and an endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and a URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
    After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
    So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint goes through reauth via CoA.
    If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
    https://communities.cisco.com/docs/DOC-30977
    HTH,
    Ryan
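The flow Ryan describes, written out as an added Python model (not ISE code and not from either post): an inline node caches one installed profile per identity group, but that cached profile is always the pre-posture one, and only a per-session CoA after a posture result moves a session to full access or quarantine. Profile names, ACL strings and group names are constructed for the model.

```python
from dataclasses import dataclass, field

# Constructed authorization profiles; names and ACL text are made up for this model.
PRE_POSTURE = {"name": "Pre-Posture", "acl": "permit dns,dhcp,ise-portal; deny any", "redirect": True}
FULL_ACCESS = {"name": "Employee-Full", "acl": "permit any", "redirect": False}
QUARANTINE = {"name": "Quarantine", "acl": "permit remediation-servers; deny any", "redirect": False}

# Assumed policy: every group starts in PRE_POSTURE; a compliant posture result
# swaps in the group's full-access profile, anything else lands in QUARANTINE.
POST_POSTURE_BY_GROUP = {"employees": FULL_ACCESS, "contractors": FULL_ACCESS}


@dataclass
class Session:
    user: str
    group: str
    profile: dict = None
    posture: str = "unknown"      # unknown | compliant | noncompliant
    coa_count: int = 0            # how many CoA reauthorizations hit this session


@dataclass
class InlinePostureNode:
    """Caches installed profiles per identity group, as the guide text describes."""
    installed: dict = field(default_factory=dict)
    downloads: int = 0            # profile downloads from the policy node

    def authorize(self, session):
        # A cached profile is reused for the next endpoint in the same group,
        # but what is cached is the pre-posture profile, never full access.
        if session.group not in self.installed:
            self.installed[session.group] = PRE_POSTURE
            self.downloads += 1
        session.profile = self.installed[session.group]
        return session.profile

    def apply_posture(self, session, compliant):
        # Posture result triggers a CoA for THIS session only.
        session.posture = "compliant" if compliant else "noncompliant"
        session.coa_count += 1
        if compliant:
            session.profile = POST_POSTURE_BY_GROUP.get(session.group, QUARANTINE)
        else:
            session.profile = QUARANTINE
        return session.profile


def run_scenario():
    """Two users of the same AD group: the second one must not inherit the first one's posture."""
    ipep = InlinePostureNode()
    first = Session("mario", "employees")
    second = Session("alice", "employees")
    ipep.authorize(first)
    ipep.apply_posture(first, compliant=True)   # mario passes posture -> full access
    ipep.authorize(second)                      # cached profile, no new download
    return ipep, first, second


if __name__ == "__main__":
    ipep, first, second = run_scenario()
    print(first.user, first.profile["name"], "CoA:", first.coa_count)
    print(second.user, second.profile["name"], "CoA:", second.coa_count)
    print("profile downloads:", ipep.downloads)
```

The invariant worth asserting in any such design is that "authorized" and "postured" are separate states: a cache hit on the authorization profile can save a download, but it must never be able to hand out the post-posture profile.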

  • NAC Framework with TrendMicro Policy Server? External Posture Assessment?

    Hi
    I've got a NAC Framework 2.1 setup using NAC-L2-802.1x with 2950 switches and so far it's working great. I've recently begun testing NAC with TrendMicro OfficeScan, which includes the Trend Policy Server for Cisco NAC.
    I've imported the Trend.adf file, created a new Internal Posture Validation to check these TrendAV settings (DAT version, protection enabled, etc) and it is working great with the clients. (Healthy if up to date, quarantined if out of date).
    What I'm trying to do is get this integrated with the Trend Policy Server for Cisco NAC. I've created an External Posture Validation entry for the Trend Policy Server;
    https://win2k3std:4343/antibody
    And have supplied it with the password (no username is needed to login to the web console of this server). I've also selected Trend:AV as the forwarding credential. I've gone into Network Access Profiles and made sure this was selected as an External Posture Validation Server and set it to quarantine under "Failure Posture Token". When I test this from the client (once I've enable External Posture Validation), it always ends up quarantined (even though the client is fully up to date). If I disable the External Posture Validation server from the NAP, the client test passes as Healthy (since all AV is up to date).
    I've got the Policy Server for Cisco NAC defined under NAC on my Trend OfficeScan server, and on the Policy Server for Cisco NAC, I've got the OfficeScan server defined. Yet, no matter what I've tried, the client always fails with this msg in the CSACS logs;
    Posture Validation Failure on External Policy
    Does anyone have any experience or help with this. Thanks very much.
    Jason Humes

    Please check the links for the Configuration and Troubleshoot of NAC
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

  • Posture Assessment passed in Error using Cisco ISE

    Hi all,
    I would like some help trying to understand why a client that has not been connected to the network for just over a month was allowed full network access despite the AV definitions being over 28 days old.
    We have 2 mandatory posture requirements,
    1. Symantec Av MUST be installed
    2. the AV definitions MUST be LESS THAN 28 days out of date
    Currently, the machine I have is showing the AV defs as being 25th March 2013.
    When I produce the detailed posture report, it even shows me that the two mandatory requirements described above were successfully met, meaning the endpoint is posture compliant. Clearly this is not the case though...!
    Is there anything else I can check on the ISE to help debug this?
    Mario

    Hi,
    You might have two problems:
    1. In ISE you have a global setting regarding the unsupported NAC Agent clients (Android, etc.) that specifies what their default compliance status is. If the default setting is "compliant" and you don't have a provisioning rule for that client, or you simply don't have client provisioning rules, any machine that doesn't fit in the provisioning rule (i.e. ISE thinks that it is not supported) will get a compliance status of compliant even though NAC Agent is installed and the rules are not satisfied.
    2. NAC Agent version problem?
    I've seen in logs that you're using NAC Agent 4.9.1.6 but the latest recommended version of NAC Agent to be used with (the latest) ISE is version 4.9.0.51.
    Version 4.9.1.6 is a NAC Appliance release and Cisco offers no guarantee that is 100% compatible with ISE.
    Check
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131
    Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE): Cisco supports different versions of the NAC Agent for integration with NAC Appliance and ISE. Current releases are developed to work in either environment; however, interoperability between deployments is not guaranteed. Therefore, there is no explicit interoperability support for a given NAC Agent version intended for one environment that will necessarily work in the other. If you require support for both NAC Appliance and ISE using a single NAC Agent, be sure to test NAC Agent in your specific environment to verify compatibility. Unless there is a specific defect or feature required for your NAC Appliance deployment, Cisco recommends deploying the most current agent certified for your ISE deployment. If an issue arises, Cisco recommends restricting the NAC Agent's use to its intended environment and contacting Cisco TAC for assistance. Cisco will be addressing this issue through the standard Cisco TAC support escalation process, but NAC Agent interoperability is not guaranteed. Cisco is working on an approach to address NAC Agent interoperability testing and support in an upcoming release.
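To make the first failure mode in the answer concrete, here is an added Python evaluator for the two mandatory requirements in Mario's question (this is illustrative code, not ISE's posture engine, and the report field names are assumptions). The `unsupported_default` argument plays the role of the ISE global setting for clients that no provisioning rule covers: with the default left at "compliant", an endpoint whose definitions are 35 days old is reported compliant exactly as in the thread, while a fail-closed default reports it noncompliant.

```python
from datetime import date

MAX_DEF_AGE_DAYS = 28   # requirement 2 from the question: definitions must be less than 28 days old


def evaluate_posture(report, today, unsupported_default="noncompliant"):
    """Evaluate the thread's two mandatory requirements against one posture report.

    report keys (constructed for this example):
      agent_supported : did a client-provisioning rule match this client?
      av_installed    : is Symantec AV present? (requirement 1)
      av_defs_date    : datetime.date of the installed definition set (requirement 2)

    Returns (status, reasons). 'unsupported_default' mirrors the global ISE
    setting for clients no provisioning rule covers; it must be "noncompliant"
    for the check to fail closed.
    """
    if not report.get("agent_supported", False):
        # Nothing was actually checked: the verdict is whatever the default says.
        return unsupported_default, ["no provisioning rule matched; default status applied"]

    reasons = []
    if not report.get("av_installed", False):
        reasons.append("Symantec AV not installed")

    defs = report.get("av_defs_date")
    if defs is None:
        reasons.append("AV definition date unknown")
    else:
        age = (today - defs).days
        if age >= MAX_DEF_AGE_DAYS:
            reasons.append(f"AV definitions {age} days old (limit {MAX_DEF_AGE_DAYS})")

    return ("compliant" if not reasons else "noncompliant"), reasons


# Constructed report matching the situation in the question: definitions dated
# 25 March 2013, checked just over a month later.
MARIO_REPORT = {"agent_supported": True, "av_installed": True, "av_defs_date": date(2013, 3, 25)}
CHECK_DATE = date(2013, 4, 29)


if __name__ == "__main__":
    print("supported agent, fail-closed :", evaluate_posture(MARIO_REPORT, CHECK_DATE))
    unsupported = dict(MARIO_REPORT, agent_supported=False)
    print("unsupported, default=compliant:", evaluate_posture(unsupported, CHECK_DATE, "compliant"))
    print("unsupported, fail-closed      :", evaluate_posture(unsupported, CHECK_DATE))
```

The reasons list is what to compare against the detailed posture report: a "compliant" verdict whose only reason is the applied default means the requirements were never evaluated, which is the symptom described above.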

  • NAC posture assessment error?

    Hi experts
    I have a NAC with 4.8.3 IOS installed. Everything works perfectly if I am not putting in any posture assessment like a WSUS or AV check. I can authenticate successfully and the VLAN shifts OK. But if I put in any posture assessment rule then the NAC Windows agent says the NAC server is not available on the network, and the user goes to the temporary role.
    any suggestions?
    Sent from Cisco Technical Support iPhone App

    Please check the links for the Configuration and Troubleshoot of NAC
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

  • Does Cisco MOC RCC Plug-in support Windows 7 64-bit?

    Hi,
    I tried to install the Cisco_MOC_RCC_Plug-in.msi on a Windows 7 64-bit machine. (CUPS is 7.0.8, the plug-in is coming from the CUPS server.)
    I use the command line, I receive the installation window, and do a complete install. But afterwards I don't see the Cisco Phone Selection tab in the MOC.
    The same steps work properly on Windows XP 32-bit.
    I verified the Cisco document but they never mention the OS supported by the RCC plug-in.
    Does Cisco MOC RCC Plug-in support Windows 7 64-bit?
    Thanks

    Hi,
    Actually, it is mentioned on the CUPS server itself on the page of the plug-in download (CUPS Server administration > Applications > Plugins > ..).
    Here is a copy/paste from CUPS 8.0.4.x -
    "The Cisco Unified Presence Microsoft Office Communicator (MOC) 2007 Remote Call Control plugin allows MOC users to select which phone line they wish MOC to control. When installed, the plugin will expose a CUP web page within the MOC application where users can change their current MOC phone line of control. This version is supported on Microsoft Windows XP/Vista"
    Although it doesn't mention Windows 7 (32/64) (meaning the dev team hasn't tested it to certify), please feel free to give it a try.
    Thanks

  • Does Cisco ISE 1.2 support Catalyst SRW224G4P and Small business ESW520 Switches?

    Hello all,
    Does Cisco ISE 1.2 support Catalyst SRW224G4P and Small business ESW520 Switches?
    Best regards.

    Hi there, the link below outlines the ISE supported Cisco hardware:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
    Thank you for rating helpful posts!
