L2 or L3 switch with NAC appliance

Hi,
I am planning to deploy a NAC appliance in OOBVG mode. For the access layer, L2 switches (2960) have been selected. If I replace the L2 access switches with L3 ones (3560 or 3750), would this give NAC more manageability of the access layer?
Regards,
Mladen

Thanks.
The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
"In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is satisfactory for clients.
If the NAC is in OOBVG mode, are there any NAC features which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
Regards,
Mladen

Similar Messages

  • Wireless WLC with NAC appliance

    Hi,
    We have just designed a wireless network integrated with a NAC appliance:
    1. My customer has campus A and campus B; these two campuses are connected with a 100Mbps FTTB link and are in different Layer 2 domains.
    2. Both campus A and B have thin APs, but only campus A has a WLC.
    3. All wireless users must be checked by the NAC CAS appliance before they access the wired intranet or the internet.
    Is the attached network diagram correct or not? Can you share your experience with me?
    Best Regards,

    You could use Layer 3 LWAPP in Building A and REAP for the access points in Building B.

  • NAC Appliance 3350 Server

    Hi ,
    Facing an issue with a NAC Appliance 3350 Server where we are trying to log in via a user configured on a newly migrated AD server (Windows 2008).
    This AD server was on 2003, where on the same NAC it was working fine. I am not much into NAC, so I need your help.
    ========
    Thanks for the reply

    Hello,
    NAC Appliance:
    • Offers Authentication, Authorization and Remediation
    • Covers Wireless, VPN and LAN.
    • Can only be used as an appliance. No virtualized offerings. For small locations with ISR routers, a 50 and 100 user module is available.
    • Licensed by user count matching and applied to the corresponding enforcement server. User bundles are 50, 100, 250, 500, 1500, 2500, 3500 and 5000.
    • Uses SNMP v1, v2 and v3, or can be in-band / bump in the wire.
    • Can leverage Cisco Profiler or whitelist non-NAC capable devices.
    • Cisco enforcement appliances can provide collecting abilities for Cisco Profiler with an additional license.
    • Can leverage Cisco Guest Server for advanced guest access.
    • Comes in HP or IBM appliance formats.
    • IBM appliances are the 3315, 3355 and 3395. They can support ISE.
    • HP appliances are the 3310, 3350 and 3390. They cannot support ISE.
    ACS 5.X:
    • Offers 802.1x NAC features and device management (TACACS/RADIUS).
    • Can be an appliance or VMware. Appliances that are IBM hardware can support ISE. VMware can be migrated to ISE for an additional cost.
    • Provides Authentication and Authorization. Does not offer remediation.
    • Requires switches that support 802.1x COA as specified on cisco.com/go/acs to function as the enforcement agent. ACS alone cannot offer access control.
    • 802.1x NAC features do not require additional licenses for up to 500 users/devices. To scale beyond 500 users/devices, an additional large deployment license is required.

  • Authentication mac-move permit with NAC

    Hi,
    I have 2 switches with NAC configured on them. I also have "authentication mac-move permit" configured on my 2 switches, which are connected together. My understanding is that authentication mac-move permit does not work with 802.1x enabled ports.
    So I would like to verify that my understanding is correct: if I have authentication mac-move permit configured and a laptop moves to another port without logging off, the switch will see that as a violation and block the user, right?

    anyone run into this before?

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, a NAC appliance integrated with Active Directory single sign-on.
    The NAC is configured in L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user is authenticated using their domain account login; if successful, the user is mapped to the VLAN assigned to them.
    The SSO agent installed on Active Directory is running well, and on the CAS the SSO service is also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch, gets the dummy VLAN and authenticates using the domain account on AD. If successful, the port is bounced; the user is running a Cisco agent in the background
    3. Now user A is on VLAN ID 15
    I've created the authentication server on the CAM for Active Directory, but I find it very difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP server,
    where the expression is
    memberOf contains CN=Finance, and apply it to the role Employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now you can't test this with ADSSO using the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.

  • Nac appliance deployment with 802.1x

    Hi,
    Is it possible to deploy a NAC appliance solution and use 802.1x as the protocol to discover user connections on a switch?
    We don't want to use SNMP; I have a Microsoft RADIUS server in my deployment for user authentication.
    Thanks!
    Jocelyn

    My friend, I have a customer with this configuration and it works fine.
    Symantec needs antivirus version 10 (8 or 9 no!!!!), with the Symantec posture plugin installed on the clients.
    Works fine with W2K and XP.
    CTA 2.x works fine. 1.x only works with L3 IP, no 802.1x.
    CSA I don't have experience with.
    Take care, it is hard to configure; if you need anything more, ask me.
    Leo.

  • Will a NAC appliance work with Meraki WL

    Hi All,
    I have a customer that presently uses the Cisco Meraki wireless solution and would like to have a NAC appliance installed in their environment. Will Cisco NAC support the Meraki for access control?

    Yes Sir.. Check this link for supported devices with Cisco ISE
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Access switch lost contact with nac profiler

    hi all,
    We have implemented HA for NAC Profiler using version 3.1.1_18. My problem is that we need to manually update all access switches to connect with the NAC Profiler server before endpoints are detected; if I don't click the update button for all access switches, the new endpoint is not seen. On the access switch we configure SNMP cisconac RO and cisconac1 RW. For SNMP, is a manual update needed, or is it automatic when a new endpoint connects to the network? Here I attach my SNMP configuration.


  • Authentication NAC appliance with ACS

    I have deployed a L3 Virtual Gateway mode NAC appliance. There is an ACS for authentication. How can I add the ACS to "Auth Servers"? The CAM settings do not need mapping rules. Every user just authenticates with their own account, then the CAM can pass this info to the ACS. What should I do? Thank you.
    Is there any configuration example? E-mail to [email protected]

    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a00809b8e3b.shtml

  • Is ACS required in NAC appliance?

    Hi,
    One of our clients has decided to implement NAC. They need to know what the various options are, especially the NAC appliance (3310 etc). I read that the appliance is a device like a server which has hard disks, CD-ROMs etc. But the documents don't say much about the configuration of the server, whether ACS is required to be installed on the server etc. Can we do port-based 802.1x with the help of this device (like dynamically assigning a host to a particular VLAN if the OS/anti-virus is not updated)?
    Thx in advance.
    Sonu

    The NAC appliance will work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC appliance.... You can use ACS/RADIUS/LDAP/etc. to authenticate the users.
    The appliance will work with patch management (after authentication) to ensure that the right applications and patch levels are met. We work with Altiris/BigFix/PatchLink/SMS and more.
    The great thing about the NAC Appliance is that it works for all four major use cases:
    1. VPN users
    2. WiFi users
    3. LAN/wired users
    4. Guests/visitors
    We can
    1. Authenticate
    2. Posture assess (scan)
    3. Quarantine
    4. Remediate
    You don't want users to have to learn three different ways to connect to the network.
    802.1x is working for WiFi today, and for LAN connections we use one user per port so they get the whole pipe. In the future we will support subdivision of an access switch port for multiple devices and users.
    I hope this helps.

  • NAC Appliance design question

    I have a customer with a central site and two branch offices. Routing is configured on the WAN to connect all three locations. All servers and internet access are at the central site.
    The customer wants to install a NAC appliance. Do I need a NAC appliance at each location? Or do I just install it at the central location and use that NAC appliance for access control to the two remote sites as well?
    Also how does NAC appliance apply access control to users coming into the network via Citrix or Cisco VPN Clients?
    Thanks

    NAC Appliance (CAM & CAS = Clean Access Manager/Server) can be used in a Layer 3 Out Of Band design. This will provide you with centralized control.
    It works by placing all unauthenticated switch ports into an unauthenticated VLAN. When a switch port goes up/up, the NAC CAS follows a set of rules you have established on the CAM to make decisions about the computer and user. It then places that switch port into a VLAN 'dynamically' as dictated by the rules. Your switches must support these features (IOS level) and only Cisco products work with the CAM/CAS (well, some others might, but it's a short list). When the port goes down/down the CAS senses this and returns the port to the unauthenticated VLAN.
    For instance, if a user is a vendor, only requiring Internet access, you will have a VLAN for this purpose on all your switches and routed/trunked to your Internet Point of Presence. The CAS will see the switch port he/she jacks into come up/up. It will query the user and the computer and based upon the rules in the CAM, dynamically assign the wire port to the VLAN from the go-no-where unauthenticated VLAN.
    If it were a company user, you could set it to check Anti-virus, levels of service packs, etc. before they were allowed on the network. It could also be set up to allow the person access to only the 'Finance' VLAN (for example) based upon their role in the company. It can do this remotely.
    If you were to remediate VPN users, you could not do this in a dynamic, Out of Band fashion. You would need a second CAS (but not CAM) to operate In Band. This would then allow users in one interface, traverse the CAS, and out another interface on the appropriate VLAN. This is because it's impossible to apply multiple rules to a single port shared by multiple users. You would need a means to make decisions on what VLAN the user accesses at the concentrator and move them off dynamically at the virtual interface. It's not supported.
    Remember, NAC is performed at the switch port level. Citrix users would be regarded as local users. You could perform certain rule checking to allow them only onto your Citrix VLAN.
    There is a Cisco Chalk Talk series on the NAC, use the URL below. It will teach you as much as you can absorb on the NAC appliances, how to use them and recommend their purchase to your clients.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

  • NAC Appliance Configuration Question

    Hi,
    I am building a new VPN implementation for a customer using a Cisco ASA 5550 and a NAC 3350 appliance. Due to the availability of switch ports, my customer is inquiring to see if the ASA can be cabled directly to the untrust interface on the CAS. I plan to implement the CAS in VGW mode.
    If this is possible, how would the VLAN Mapping work in VGW with this implementation? Do I need to configure a trunk on the ASA to pass the VLAN tags to the CAS to MAP the untrust to the trusted VLAN?
    Thanks for your assistance.

    Thanks Jesse,
    I do agree having this configuration will limit them on redundancy, and most likely we will go with a switched approach. If we have both the untrusted and the trusted interfaces connected to the same switch with an edge deployment, do I need VLAN mapping configured, or can the NAC bridge the two VLANs without the mapping? I suspect without mapping we would introduce loops.
    Based on the examples I've seen on cisco.com with VPN concentrators, VLAN mapping is used with 4 VLANs: 2 are native VLANs, and an untrusted and a trusted VLAN. This was the same approach I was going to use. Also note that the ASA will not be used for Internet access, only VPN. See the image below: the ASA would connect to the switch as an access port on VLAN 3. The customer's internal LAN would connect to VLAN 2.

  • NAC Appliance reporting to MARS

    Can MARS be configured to receive reports from the NAC Appliance CAM/CAS? There isn't an option for NAC under MARS devices.
    Thanks,
    -KK

    NAC Framework is not NAC Appliance and does not work the same way. Framework is based on 802.1x. CAM/CAS is based on either being inline or on SNMP control of switches, with no ACS involvement at present.
    NAC Appliance (CAM/CAS) is not currently supported under MARS as far as I know.
    You can syslog basic info out of the appliance, but it will tell you things like whether the update succeeded or failed for the CAS and various other information.
    Hopefully soon it will send posture assessment messages into MARS or other SIM/SEM type products.
    What info do you want to get out of it?

  • ISE with NAC agent pop up and Posture waiting

    Hi,
    I have ISE running version 1.1.1.268. We limit access to certain services before authentication with ACL-DEFAULT (given below), as per the TrustSec design guide.
    Now the issue is that when you have ACL-DEFAULT on the port, the NAC agent does not pop up and does not start the posture part, saying "waiting for posture validation". When ACL-DEFAULT is removed from the access port, the NAC agent pops up and does the posture validation.
    However, we do not want users to get access to the network before authorization, and that is the reason we use ACL-DEFAULT.
    Can someone please advise me how to achieve both of the above? Why does the NAC agent not pop up and do the posture when ACL-DEFAULT is there on the switch?
    Here is what I have configured in ACL-DEFAULT:
    ip access-list extended ACL-DEFAULT
     remark DHCP
     permit udp any eq bootpc any eq bootps
     remark DNS
     permit udp any any eq domain
     permit tcp any any eq domain
     permit udp any any eq 389
     permit tcp any any eq 135
     permit tcp any any eq 445
     permit udp any any eq 445
     permit tcp any any range 135 139
     permit tcp any any eq 389
     permit tcp any any eq 3268
     permit icmp any any
     remark PXE / TFTP
     permit udp any any eq tftp
     remark ISE-Pri
     permit tcp any host 172.xx.xx.xx eq 8443
     remark ISE-Sec
     permit tcp any host 172.xx.xx.xx eq 8443
     remark Drop all the rest
     deny   ip any any log
    I would appreciate it if someone could give a solid resolution and explanation for this.

    Hi Saurav,
    We have already allowed those ports with another ACL (ACL-POSTURE-REDIRECT). Our issue is not with the web NAC agent.
    The issue is with the NAC agent installed on corporate PCs connecting via a wired port. With ACL-DEFAULT it does not pop up and does not do the posturing; however, once we removed ACL-DEFAULT from the access port, everything works fine.
    Since we do not want any user to access unwanted services before authorization, we add this ACL on the access port, and as per the TrustSec design this has to be there if you want to have ISE in closed mode.
    thanks
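    Because ACL-DEFAULT ends in deny ip any any, an endpoint in the pre-authorization state can only reach what the ACL explicitly lists, so the place to start is checking each flow the agent needs against the ACL's first-match semantics. The following evaluator is an added example, not something posted in this thread; it replaces the redacted 172.xx.xx.xx ISE hosts with constructed placeholder addresses and uses constructed sample flows (TCP 8443 to ISE, DHCP, and plain HTTP to an arbitrary host).

```python
# Added example (not from the thread): first-match evaluation of the thread's pre-auth
# ACL-DEFAULT, to show what an endpoint can reach before authorization. The redacted
# 172.xx.xx.xx ISE hosts become constructed placeholders 172.16.0.10 and 172.16.0.11.
from ipaddress import IPv4Address
NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69}
ACL_DEFAULT = [  # remarks omitted; order preserved, first match wins
    "permit udp any eq bootpc any eq bootps", "permit udp any any eq domain",
    "permit tcp any any eq domain", "permit udp any any eq 389",
    "permit tcp any any eq 135", "permit tcp any any eq 445",
    "permit udp any any eq 445", "permit tcp any any range 135 139",
    "permit tcp any any eq 389", "permit tcp any any eq 3268",
    "permit icmp any any", "permit udp any any eq tftp",
    "permit tcp any host 172.16.0.10 eq 8443", "permit tcp any host 172.16.0.11 eq 8443",
    "deny ip any any log",
]

def _addr(t, i):  # any | host A.B.C.D | A.B.C.D WILDCARD -> (net, wildcard), next index
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2

def _ports(t, i):  # optional eq X | range X Y -> (low, high), next index
    if i < len(t) and t[i] == "eq":
        p = NAMES.get(t[i + 1]) or int(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return (0, 65535), i

def parse_ace(line):  # "action proto src [ports] dst [ports] [log]"
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _ports(t, i)
    dst, i = _addr(t, i)
    dport, _ = _ports(t, i)
    return t[0], t[1], src, sport, dst, dport

def _in(addr, ip):  # wildcard bits set to 1 are "don't care"
    return ((int(IPv4Address(ip)) ^ addr[0]) & ~addr[1] & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, sport, dst, dport):
    """Action of the first matching ACE; implicit 'deny' if nothing matches."""
    for action, p, s, sp, d, dp in map(parse_ace, acl):
        if p not in ("ip", proto) or not (_in(s, src) and _in(d, dst)):
            continue
        if p != "ip" and not (sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]):
            continue
        return action
    return "deny"

# Constructed flows from endpoint 10.1.1.5 before authorization.
FLOWS = {
    "dhcp":     ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "ise_8443": ("tcp", "10.1.1.5", 51000, "172.16.0.10", 8443),
    "http_any": ("tcp", "10.1.1.5", 51001, "198.51.100.7", 80),
}
def audit(acl=ACL_DEFAULT, flows=FLOWS):
    return {name: evaluate(acl, *f) for name, f in flows.items()}
```

    Running audit() shows dhcp and ise_8443 permitted and http_any denied; add the flows your agent actually generates (taken from a packet capture on the access port) to see which ACE, if any, is dropping them.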

  • NAC Appliance and BigFix Automatic remediation

    Hi,
    I want to integrate a NAC appliance with BigFix for automatic remediation of Windows clients. Please provide me the document for the same if anyone has done this in their organization.
    Regards,
    Amit
