Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL

Hi There
I have Cisco NAC set up in my environment. These are all working fine. The users get themselves authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. These are all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. Either I'm doing it wrongly, or this setup of mine doesn't support downloadable ACL? Please kindly advise.
Regards,
Ram
+6-012-2918870

Hi,
That is not possible.
You cannot push ACLs into the NAC manager.
If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
Using Radius attributes you can then map users to Roles.
Please take a look into this:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • Cisco NAC Manager for 40 Servers

    The NAC Super Manager is capable of up to 40 NAC Servers. What happens when I add the 41st NAC Server?
    Is there a way to cluster NAC Managers?
    Thanks!
    Tom

    The number of servers managed by the CAM (in-band or out-of-band) depends on the CAM software (Manager Lite, Standard Manager and Super Manager). The licenses don't differentiate between in-band and OOB licenses. For adding more servers you need to purchase more licenses.

  • Cisco NAC and Checkpoint VPN

    Hi,
    Wondering if anyone has ever come across a scenario where they've integrated Cisco NAC with a Checkpoint VPN solution (using Power1 5075)?
    Any ideas or collateral would be appreciated.
    Thanks
    mark

    Mark,
    If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal

  • What is a Cisco NAC appliance used for?

    We have a 5508 WLC in use already and have this 3310 lying around unused.  I am trying figure out if adding a 3310 would be of any benefit.
    From the documentation, the features of a 3310 NAC are,
    Recognize users, their devices, and their roles in the network
    Evaluate whether machines are compliant with security policies
    Enforce security policies by blocking, isolating, and repairing noncompliant machines
    Provide easy and secure guest access
    Simplify non-authenticating device access
    Audit and report who is on the network
    What does "enforce security policies by blocking, isolating, repairing" really mean?
    "Provide easy and secure guest access"  I already have a public wireless ssid set on the wlc.
    I can recognize users in reports like Solarwinds.  I can see the username, IP, MAC, AP location.
    I can get a report from my logging traps collector, Solarwinds.

    Well usually when I have deployed them back in the days, you had a NAC Appliance and another NAC Manager. But what you have read, that is exactly what it does.
    What does "enforce security policies by blocking, isolating, repairing" really mean?
    It will block and isolate the device if it doesn't meet the requirements that you have set, but the user has to manually repair the items.
    "Provide easy and secure guest access" I already have a public wireless ssid set on the wlc.
    I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
    I can get an report from my logging t
    You will not see any username or ap locations. I wouldn't use it as it might be more of a headache to implement unless you know what you are doing.
    Sent from Cisco Technical Support iPhone App

  • Can i configure a network with ACS and ISE?

    I have both ACS and ISE; how do I integrate these appliances to work together?
    Thanks

    ISE does not interoperate with Cisco Secure ACS deployments. The Cisco Identity Services Engine can work in tandem with Cisco NAC Manager to provide the same profiling service as the NAC Profiler, which has reached end-of-sale status.
    Existing Cisco Secure ACS customers using network access can easily migrate to the Cisco Identity Services Engine platform using migration part numbers and tools. However, existing Cisco Secure ACS customers using TACACS functions will not be able to migrate to the current version of ISE for network device identity management, which is often acceptable for customers who prefer to keep user and network identity on separate systems.

  • Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

    Hi,
    I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
    3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
    Please, give me some advice.
    Thanks in advance,
    Mladen

    Thanks for the reply, but I am still a bit confused (would you please try to answer the questions?):
    1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
    2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
    3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
    I refer to
    "Implementing Network Admission Control Phase One Configuration and Deployment";
    "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
    Thanks in advance,
    Mladen

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • Can Cisco Device Manager Support ACS Authentication?

    Background:
    My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.
    Problem:
    My supervisor would like the cisco device manager to be available to the people that don't have the in depth cli experience. However in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?

    Hi,
    Actually, there is a difference in where the authentication method list is picked from for HTTP authentication:
    With an HTTP v1 server, the same method list that is used by the VTY lines is picked.
    With an HTTP v1.1 server, but before the integration of the fix for bug CSCeb82510, the method list defined for the console is checked.
    After the fix of the above-mentioned bug, we have a different set of commands that we can use.
    I would suggest you to give this a try,
    aaa authentication login CONSOLEandHTTP tacacs+ local
    aaa authorization exec CONSOLEandHTTP if-authenticated
    ip http authentication aaa
    line con 0
    login authentication CONSOLEandHTTP
    authorization exec CONSOLEandHTTP
    For detail please refer,
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
    Regards,
    Prem
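    As an added example (not Prem's or Cisco's own code), the following script audits an IOS running-config for the HTTP/console AAA pattern suggested above: it parses the named login lists and the `line con 0` block and reports when HTTP authentication is not handed to AAA, when the console list never reaches a TACACS+/RADIUS server or lacks a trailing `local` fallback, and when plain HTTP is enabled without HTTPS. The sample config is constructed for the example.

```python
import re

# Constructed sample (not from the post): the AAA lines suggested above plus the
# minimum surrounding IOS config needed to make the audit meaningful.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login CONSOLEandHTTP tacacs+ local
aaa authorization exec CONSOLEandHTTP if-authenticated
no ip http server
ip http secure-server
ip http authentication aaa
line con 0
 login authentication CONSOLEandHTTP
 authorization exec CONSOLEandHTTP
line vty 0 4
 login authentication CONSOLEandHTTP
"""

def parse_login_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+)\s+(.+)$", raw.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def parse_line_blocks(config):
    """Map each 'line ...' block (e.g. 'con 0') to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def console_login_list(config):
    """Login list applied to 'line con 0'; IOS uses 'default' when none is set."""
    for cmd in parse_line_blocks(config).get("con 0", []):
        m = re.match(r"login authentication (\S+)$", cmd)
        if m:
            return m.group(1)
    return "default"

def audit_http_aaa(config):
    """Return findings; an empty list means the config follows the post's
    pattern: HTTP -> aaa, console list tries TACACS+/RADIUS, then local."""
    findings = []
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    if "ip http authentication aaa" not in top:
        findings.append("HTTP auth not set to aaa: device manager logins never reach ACS")
    if "ip http server" in top and "ip http secure-server" not in top:
        findings.append("plain HTTP enabled without HTTPS: credentials sent in clear")
    name = console_login_list(config)
    methods = parse_login_lists(config).get(name)
    if methods is None:
        findings.append(f"console uses login list '{name}', which is not defined")
        return findings
    # 'group tacacs+' splits into ['group', 'tacacs+'], so the token check still
    # works; a custom 'group NAME' server group would need its own lookup.
    if not any(m in ("tacacs+", "radius") for m in methods):
        findings.append(f"list '{name}' never consults a AAA server")
    if "none" in methods:
        findings.append(f"list '{name}' can fall through to 'none' (no auth)")
    if methods[-1] != "local":
        findings.append(f"list '{name}' has no trailing 'local' fallback: lockout if ACS is unreachable")
    return findings
```

    Feed it the output of `show running-config`; an empty result means the box matches the pattern in the post.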

  • Ask the Experts: Single Sign-On with Cisco WebEx Meetings Server, Internet Reverse Proxy, and Enterprise License Manager Solutions

    With Arun Kumar
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single Sign-On (SSO) with Cisco WebEx Meetings Server (Cisco WMS), Internet Reverse Proxy (IRP), and Enterprise License Manager (ELM) solutions.
    SSO standards such as Security Assertion Markup Language (SAML) 2.0 provide secure mechanisms for passing credentials and related information between different websites that have their own authorization and authentication systems. SSO enables simplified user authentication and management.
    IRP provides public access, enabling users to host or attend meetings from the Internet and mobile devices. Although IRP is optional, Cisco encourages its use because it provides a better user experience for your mobile workforce.
    Example question topics include:
    SSO profiles and SAML 2.0 Identity providers (IdPs) supported in Cisco WMS
    Basic configuration of IdPs
    Interaction between IdPs and Cisco WMS
    Difference between the cloud client implementation and Cisco WMS
    Meeting access behavior in a split-horizon network topology with SSO
    How to enable public access to Cisco WMS
    Cisco WMS ELM operations
    Cisco WMS ELM compared to other unified communications ELM or standalone ELM and compatibility/inoperability between them
    Arun Kumar is a team lead in the San Jose Conferencing Technical Assistance Center. He has over eight years of experience in conferencing technology and specializes in Cisco Unified Meeting Place Express and Cisco WebEx Meeting Server. He joined Cisco in 2010 as an escalation engineer for the Cisco Telepresence group. Before joining Cisco he worked for the UK's third-largest internet service provider Supanet on VoIP technology and the *Nix domain. Kumar holds a master of science degree in computer science from Sikkim Manipal University in India, and he holds CCIE (Voice) and VMware Certified Professional certifications.
    Remember to use the rating system to let Arun know if you have received an adequate response.
    Arun might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice, and Video community Other Subjects subcommunity shortly after the event. This event lasts through Monday May 17, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Mobile Service,
    CWMS and Jabber integrations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_E4CC9599_00_environment-configuration-guide_chapter_01.html#JABW_TK_SF2ED5E1_00
    In above link start from section: Set Up Cisco WebEx Meetings Server on Cisco Unified Presence
    then move to section: Add Cisco WebEx Meetings Server to a Profile
    Once done, move to section: Specify Conferencing Credentials on the Client side. You will see the above server already listed there; just go ahead and enter your username and password (please make sure this user already exists on your CWMS) and accept any certificate/s if presented. Jabber integration is done and you can start testing the same.
    Attached CWMS - AFDS integration doc.
    Please let me know if there is any further question.
    Thanks, Arun

  • Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

    Hi,
    I am trying to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit, but I can't start the Active Directory SSO Service, which shows the error below. I saw this error: "KDC has no support for encryption type (14)". Could anyone help me to troubleshoot this problem?
    FQDN: active.test.com
    Domain Name : test.com
    User : ccasso
    2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer - Server was not running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server starting server ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server is now running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - SPN : [ccasso/[email protected]]
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - done building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - KDC(s) :[10.0.240.100]
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - creating login context ...
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - created login context ...javax.security.auth.login.LoginContext@5ad7b2
    2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer - Unable to start server ... KDC has no support for encryption type (14)
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Notifying GSSServer status Stopped
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - server is exiting .

    Hi,
    This error means that your DC does not support the encryption method the ACS wants to use.
    Usually this happens when you run 2008 Server with 2003 functionality...
    You will need to run ktpass.exe according to the DC you are running:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
    For Windows 2008 Server at 2003 Server functional level:
    ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683

    We have this problem with one of our clients:
    "Cisco NAC Agent is having a difficulty with the server. Agent user operation system
    is not supported".
    Anyone encounter this problem ?
    thanks.

    Hi Tarik,
    We have:
    Cisco Clean Access Server   Version 4.9.0
    Cisco Clean Access Lite Manager   Version 4.9.0
    I can see your point now, that I should start by upgrading to 4.9.1.
    Let me do that, and see if it helps.
    Thanks very much, I will keep you posted.

  • Cisco Call Manager 8.5 and Lync 2013

    Dear all,
    Our customer wants to integrate their Lync 2013 to the Cisco Call Manager 8.5.
    From some not so recent information I thought that if you want to use the Enterprise Voice of Lync you'll have to make a SIP trunk between Cisco Call Manager & Lync 2013.
    I think that this still counts; I've also heard that there have been a moderate amount of changes between CUCM 8.5 and CUCM 8.6 on matters of SIP.
    I'm unable to find them though, also what does CUCI - Lync do?
    Kr,
    Yannick Vranckx

    Hi Yannick,
    There can be three types of integrations between Lync and Cisco Systems
    1) Direct SIP Trunk between Lync Server and Call Manager - In this, we can set up shared lines between Cisco extensions and Lync extensions, and a SIP trunk between the servers. Any Cisco phone / Lync client can call each other and vice versa. Initial setup needs planning, but later it does not need much configuration on the client side. The following document explains the configurations needed.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucilync/9/CUCI_BK_C0B36AC1_00_cisco-uc-integration-for-microsoft.pdf
    2) CUCILYNC, which is like Cisco Jabber client but connects with Lync and Call Manager: Lync Client <----> CUCILYNC <-----> CUCM
    In this option, a plug-in is installed on each client side. Although the initial configuration is easier, each user needs to install the client and operate it. The document below explains the configuration and setup.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucilync/9/CUCI_BK_C0545A41_00_cisco-uc-integration-for-microsoft.html
    3) RCC (Remote Call Plugin) which just provides basic call control feature but for that you need Cisco Unified Presence Server: Lync Client <----> CUPS <-----> CUCM
    HTH
    Manish

  • Cisco call manager integration with mediant

    How can we add and integrate Mediant with Cisco Call Manager?
    Do you have a doc for this kind of setup?

    Hi Sachin,
    We do run a hybrid Callmanager to Nortel Meridian setup (works well).
    Here are some great docs;
    Cisco Unified CallManager
    Case Study: Nortel 61C PBX to Cisco IP Telephony Migration
    From this good doc;
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_white_paper09186a00801115e0.shtml
    Nortel Meridian PBX and Cisco CallManager Integration
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example09186a008011888c.shtml
    Cisco Unified CallManager System Guide, Release 4.2(1)
    Cisco DPA Integration
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008055cd53.html
    Hope this helps! Let me know if you need additional info.
    Rob

  • Catalyst 3750x and 4510R and Cisco Security Manager

    Hi,
    I just downloaded and installed the trial (evaluation) version of Cisco Security Manager 4.3. In the supported devices list I saw Cisco Catalyst 3750 and 4510R, but when I try to add them I get for the 3750:
    Invalid device: Device is a switch and cannot be mapped to a Generic Router model.
    Please verify the selected device type, OS version and device configuration
    For 4510R:
    Invalid device: Version 03.03.00.SG (N/A) is not supported for the device type of Cisco Catalyst 4510R Switch Please verify the selected device type, OS version and device configuration
    We need to make a purchase decision but for it we need to import all of our devices and perform some tests.
    Thanks in advance for your replies!
    BR, Vasily.

    I figured this out on my own -- change Compatibility mode of the installer to be Windows 8 (which is same OS version as Windows 2012) and it installs just fine.

  • Cisco NAC Agent and Windows 8 still not working

    Hello. I recently upgraded the Cisco NAC Agent to the latest version (4.9.1.13) on a Windows 8 VM. The release notes state that Windows 8 support has been added, and that a patch must be downloaded. However, the information about the patch is vague. I'm not sure if it's a client or server-side patch, or perhaps if I already have it as a result of upgrading to the latest version.
    I ask this because I plan to upgrade some computers to Windows 8, and have noticed that Cisco NAC Agent can't handshake with the NAC server on Windows 8 (both native and VM), and despite upgrading to the latest version, the handshake is still unsuccessful.
    Thanks,
    -Collin

    Hi Collin,
    The 4.9.1 Patch for Windows 8 Support can be downloaded from the following link:
    http://www.cisco.com/cisco/software/release.html?mdfid=282910502&flowid=34713&softwareid=282573326&release=4.9.1&relind=AVAILABLE&rellifecycle=&reltype=latest
    The patch should be applied to both 4.9.1 CAM and CAS.
    Please go through the README file for the patch provided in the download link above. It has detailed information.
    Regards,
    Karthik Chandran
