Mars and NAC 4.8

Hello, I am deploying CS-MARS and I have a problem: I can't add Cisco Network Access Control in MARS to the controlled devices.
There are just 4.1 versions.
Does it support 4.8?
Thanks in advance
A.Black

Hello Alexander
Since MARS is going away in a while, you won't find that many device updates; even the latest release does not support NAC 4.8.x (officially).
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.1/compatibility/local_controller/dtlc6x.html
However, you can always add a NAC 4.8.x box as whatever is supported in the GUI, and MARS would work in backwards-compatible mode, ignoring the log messages introduced in the newer releases.
Regards
Farrukh

Similar Messages

  • CSA agent and NAC agent together

    Hi, do you have experience of the CSA agent and the NAC agent together on the same PC?
    Does one include the other?
    Which one do I have to test first?
    Thank you in advance
    Greetings
    RS

    Cisco Trust Agent collects security posture information from the NAC-compliant applications running on the network client and reports them to the Cisco Secure Access Control Server (ACS). These are some NAC-compliant applications:
    - Antivirus applications
    - Personal firewalls
    - Host-based intrusion protection applications, such as Cisco Security Agent (CSA)
    Cisco NAC is a strategic element of the Self-Defending Network. Working together with other Self-Defending Network components such as Cisco Security Agent and the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS), Cisco NAC helps organizations achieve more accurate threat identification and prevention while increasing patch management efficiency.

  • Mars and accessibility

    I'm working in the field of accessibility for the past years,
    I recently tried the new MARS plugin on Adobe 8 Professional and I
    became very curious about future prospects in Adobe for Mars
    format.
    Will accessibility in PDF be redirected to MARS? Will Adobe
    Reader include the option to read .mars files by default?
    I think that nobody talks about mars and it could be a
    really interesting issue in this field.
    I asked Duff Johnsonn on the subject and he redirected me to
    Adobe, as he thinks Mars and accessibility would be a promising
    issue.
    Thanks in advance for your attention,
    Mireia Ribera
    Universitat de Barcelona. Departament Biblioteconomia i
    Documentació
    http://bd.ub.es/pub/ribera


  • ISE 1.3 and NAC

    I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
    They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
    Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
    Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support?
    Thanks for any advice/comments/experiences
    Jim

    Hi Jim-
    Version 1.3 offers a built-in PKI and a vastly improved guest services experience. The internal PKI is nice if the customer doesn't have a PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow". So you cannot use the ISE PKI to issue certs to domain computers.
    With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
    I hope this helps!
    Thank you for rating helpful posts!

  • SQ01-query - how to join MARA and DRAD

    Hi all,
    my problem is that I have to create a sq01 query in which I combine data from the MARA
    with data from DRAD. But I can't join the OBJKY (DRAD) with the MATNR (MARA).
    Hoping for help,
    Barbara

    Hi Barbara,
    As mentioned in the previous post, you cannot join the OBJKY field with MATNR field of MARA.
    But if you want to just read the contents in OBJKY from DRAD, then have a look at the below code:
    Note: In the initial step of creating your infoset, just select direct read from table & select on MARA here.
    SELECT SINGLE DOKNR INTO T_DOKNR
    FROM DRAD
    WHERE OBJKY EQ MARA-MATNR
         AND DOKOB EQ 'MARA'
         AND DOKAR EQ (Specify the type of document for this).
    Now you can combine the fields MATNR, T_DOKNR & the Z field into the field which you want using the CONCATENATE statement.
    [removed by moderator]
    Regards,
    Vivek
    Edited by: Jan Stallkamp on Sep 3, 2008 3:51 PM

  • ISE and NAC wireless guest networks

    I have a wireless network that is NAC controlled and use lobby ambassador for guest wireless. What is the best way to migrate to ISE for guest. Are there problems running NAC and ISE on the same controller?
    Sent from Cisco Technical Support iPad App

    Hello,
    Regarding your query about ISE and NAC, the following are my findings, which might help you.
    For your first question:
    ISE is a free software upgrade for customers who have a NAC appliance or NAC profiler. This is for both the base and advanced licenses.
    ISE is a 50% software discount for customers who have a NAC guest server. The 50% discount is a migration part for the base license only. The advanced features license will not be impacted by this discount.
    For your second question:
    There should be no issues running NAC and ISE on the same controller until and unless you are using two SSIDs.

  • Difference between ISE and NAC?

    Dear All,
    Can you please help me understand the difference between ISE and NAC?
    Thank You,
    Abhisar.

    Well, ISE is the next generation of NAC and has extended the features. Some of the feature comparisons are mentioned in the given diagram.

  • Guest-Anchor-WLC and NAC integration guide

    I was trying to find some design reference for the Guest-WLC and NAC integration guide. Anyone can share some experience/cisco docs/links?

    User traffic is locally bridged on a 1030 in REAP mode so packet forwarded to the default gtw would follow the NAT rules on the firewall but the real challenge is the LWAPP control channel. In that past using 1:1 NAT I was successful with a CP firewall but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.

  • Macintosh clients, 802.1x and NAC.

    I'm prototyping a NAC setup which has to cater for Macintosh clients as well as Windows. I can get the Macs to authenticate via 802.1x (surprisingly easy using the built in software!) but what I can't do is setup a Posture Validation Rule to identify that the client is a Mac and not a Windows machine. I've tried using the Cisco:PA:OS-Version condition set specifying "contains" MAC. I've also tried "contains" 10 but it doesn't work. I think it probably doesn't work as the condition set depends on the CTA being installed on the Mac which it isn't (and it's not an option either).
    EDIT: Anyone tried installing the CTA on a MAC? It's horrific. Extract the files and run the install, OK so far. It then puts the config ini file in a directory no user (not even Admins) has permissions to so you can't modify it and BOY do you need to modify it!
    Any ideas?

    I'm on the home straight with this one. Essentially, to get the CTA to work using the built-in 802.1x supplicant on Windows or MacOS you need to run a mix of NAC L2 IP and NAC L2 802.1x. This requires a little extra config on the switch but nothing tragic (it's all in the NAC Framework Configuration Guide).
    The reason for this is that the CTA requires a network channel to be open so it can run EAP over UDP (EOU) to do posture validation, and the 802.1x part of the process gets the machine onto the network so the CTA can do its stuff.
    With this setup in place and the CTA properly configured (as mentioned previously, the permissions setup on the Mac created by the CTA install makes this far more difficult than it should be) the process works pretty well: popup messages work, browser launch and URL redirection work. Looks good.
    The fly in the ointment is wireless. The freebie CTA doesn't support it, no way. For a PC the answer is to buy the Cisco Secure Services Client, which does support wireless, and (I think) run that alongside the CTA (haven't fully worked this one out yet). If you have a wireless Mac, you're stuffed. Simple as that, which from my point of view is a real pain as the customer I'm developing this for wants posture validation for PCs and Macs, wired and wireless.
    Hope this helps someone somewhere avoid a little pain! : )

  • MARS and MPLS networks

    Hi folks,
    I have an 80+ node network connected via a service provider managed MPLS VPN cloud. Each one of my 'spokes' connects to the provider edge (PE) router via a /30 subnet. All of my customer edge (CE) routers are in MARS, but of course the PE routers are not. When MARS graphs my network it shows 80 'stub' networks with no connectivity between them.
    I've spoken with the TME and I think the feature is planned for a future release, but I had an idea I wanted to bounce off of the folks here:
    What if I created a virtual generic router in MARS, and populated it with 80 interfaces. Each interface would have the corresponding PE router's /30 IP address. I think this would let MARS tie all of the stub networks together.
    Has anyone tried this? Will it only fix the graphing problem, or is there added benefit for MARS when everything is tied together as a cohesive network.
    Any input would be greatly appreciated.

    I think the idea of creating a virtual router and then assigning its interfaces the corresponding IP addresses will work for MARS to tie the networks together. It could fix the graphing problem, but I don't think it will deliver anything more.

  • MARS and Check Point Firewall Logging

    Hi,
    I have added my Check Point CMA object to MARS, but am not seeing any log information. My CLM is a separate server (child enforcement module), which is discovered OK when the initial CMA discovery takes place in MARS. I have configured the Log Info settings for the CLM entry in MARS with the SIC details for the Check Point MARS and CLM objects.
    I've created a simple query to gather outbound ftp data (for which there is lots) and I am seeing nothing when running this query in MARS.  The associated CLM log shows plenty of entries.  I am keen to be able to get some historical logging data via MARS, so any help to resolve this issue would be appreciated.
    Many thanks
    Liam

    Liam;
    CS-MARS<>Check Point integration can be very tricky and is very dependent on the versions of software involved. You may be able to gain some additional insight into the process by raising the CS-MARS logging level for Check Point and monitoring the output. This is accomplished from the CS-MARS CLI:
    [pnadmin]$ pnlog setlevel cpdebug
    You can then view the messages via the CLI as well:
    [pnadmin]$ pnlog show cpdebug
    If this does not shed any light on the communication between CS-MARS and the Check Point devices, it would be best to open a service request with TAC so further troubleshooting can be performed.
    Scott

  • MARS and CiscoWorks

    Is there any way to integrate MARS and CiscoWorks? I would like to have the CiscoWorks Common Syslog Collector to forward all syslog messages to MARS. Is this possible? Thanks for any help in advance.

    I don't believe that Ciscoworks does syslog forwarding, but the latest version of MARS supports being 'fed' syslog messages via a true syslog forwarder (e.g. Kiwi Syslog). I think Kiwi is free or otherwise inexpensive (compared to MARS!). Have the devices forward to the Kiwi server, and then forward to LMS and MARS respectively.
    There's not much integration between Ciscoworks LMS and MARS since it was developed as an independent product and then acquired by Cisco a little over a year ago. Based on conversations I've had with the MARS TME and my Cisco reps I think they've heard the message that we want better integration, but they're probably going to focus on security features first, and integration second (and rightly so.) Still, it certainly would be nice to tie into the DCR instead of the kludgy way you add devices to MARS now.
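
An added example (not from the thread, and not code from Cisco or Kiwi) of the fan-out the reply above describes: a relay receives device syslog over UDP and forwards a copy to two collectors. A relay re-sends from its own address, so it appends the original sender; the `relayed-from=` tag, the function names and the loopback endpoints are assumptions made for this example.

```python
import re
import socket

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def tag_with_origin(datagram: bytes, sender_ip: str) -> bytes:
    """Append the original sender to a syslog datagram before relaying."""
    msg = datagram.rstrip(b"\r\n\x00")
    m = PRI_RE.match(msg)
    if not (m and int(m.group(1)) <= 191):
        msg = b"<13>" + msg  # RFC 3164 default PRI (user.notice)
    # Hypothetical trailer: keeps attribution once the UDP source is the relay.
    return msg + b" relayed-from=" + sender_ip.encode("ascii")

def relay_once(listen_sock, collectors):
    """Receive one datagram and forward a tagged copy to every collector."""
    data, (sender_ip, _port) = listen_sock.recvfrom(8192)
    tagged = tag_with_origin(data, sender_ip)
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for addr in collectors:
            out.sendto(tagged, addr)
    finally:
        out.close()
    return tagged

def demo():
    """Loopback run: one device, one relay, two collectors (all constructed)."""
    def udp():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))  # ephemeral port, stays offline
        s.settimeout(2)
        return s
    relay, lms, mars, device = udp(), udp(), udp(), udp()
    try:
        sample = b"<189>Jan  1 00:00:00 constructed-sample: link up\n"
        device.sendto(sample, relay.getsockname())
        relay_once(relay, [lms.getsockname(), mars.getsockname()])
        return lms.recvfrom(8192)[0], mars.recvfrom(8192)[0]
    finally:
        for s in (relay, lms, mars, device):
            s.close()

if __name__ == "__main__":
    for copy in demo():
        print(copy.decode())
```

Whether a given collector parses such a trailer is product-specific; the point is that source attribution has to travel inside the message once a relay sits in the path.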

  • MARS and AIP-SSM

    I am working on a MARS appliance and have devices reporting to it. I also have an ASA with the AIP-SSM installed. I have added the ASA and AIP to MARS and from MARS I can SSH to the AIP module. But if I run a report I do not see anything coming from the AIP module. I can SSH to the SIP from MARS and run the "show events" and I see events. Any ideas on why I will not be seeing those events in MARS? The AIP is running 6.0.3 S315, MARS is running 4.3.2(2627) S315. Thank you, James

    In order to get events in MARS for any Cisco IDS/IPS sensor you will need to create a "Viewer" account on the sensor for MARS to login and grab them. You will also need to configure MARS to be able to SSH to the sensor as well. To test the SSH you can SSH to MARS and then SSH out to the sensor.
    ssh "username"@"ip_address_sensor"

  • Sqvi join of Mara and Marc with erroneous output

    Hello all
    I have made a join between MARA and MARC in a SQVI query.
    As input I select material according to material type, material group and plants.
    As output I want the material, the group and the maintenance view of material for each plant.
    Not all the plants have the same maintenance view, but the query returns the material for each plant with the wrong maintenance view!
    What can it be?

    I am trying to achieve the following:
    material 12345 is in plants A, B, C
    plant A has maintenance status KBVE
    plant B has maintenance status BVE
    plant C has maintenance status KVB
    When I run the view, with the tables MARA and MARC joined by the material number, I requested the material filtering by material group, material type and maintenance view E.
    I want the system to return material 12345 for plant A and B with the respective statuses and exclude C because it does not have the status E.
    Instead it returns material 12345 with plants A, B, C and all with maintenance status KBVE.
    Is it clearer now?
    Also, what is the difference between maintenance status in MARA and in MARC?

  • NAC Framework and NAC Appliance in a WAN scenario

    What would the scenario be for NAC Appliance and NAC Framework in a WAN topology? For example, I have my core and remote offices and I want to implement NAC for all remote sites and the central site.
    What would the solution be?
    Best Regards

    Hello Daladen,
    What is the solution for a WAN topology with NAC Appliance?
    One NAS per site? And the NAM in the central site?
    Thanks
    Álvaro
