NAC 4.7.2 OOB ADSSO win7

Hi,
I updated the CAM and CAS servers to version 4.7.2; in OOB mode on Windows 7, authorization with ADSSO doesn't work.
ktpass was run on Windows 2008 R2.
NAC Agent version 4.7.2.

If you configured KTPASS to use DES-only encryption, you will need to re-run it, as Windows 7 does not support DES encryption. Here are the instructions for that: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cas/s_adsso.html#wp1257882
Also, if your domain is operating at a 2003 functionality level, you may run into problems (CSCtg46056).

Similar Messages

  • NAC 4.7.2 OOB SNMP issues

    Hello,
    I am setting up a NAC CAM and CAS 4.7.2 OOB setup in a test environment (NAC failover for CAM and CAS), and I am seeing some strange SNMP issues. I am testing with a 3750 switch (12.2(53)SE1) using SNMP v2 and v3 since v3, and accessing the switch port configuration in the NAC manager is extremely slow. I click OOB Management -> devices -> switch XXX and it takes several minutes for the port listing to display. Then sometimes it comes up quickly, but a 'show debug snmp' on the switch shows that it isn't polling the switch, so it apparently starts pulling the ports page from cache, but I can see no logic in how it does this.
    Q1) When and why does the ports page pull cached info?
    Q2) Why are SNMP queries operating so slowly with NAC 4.7.2 OOB?
    Here is my test switch/NAC SNMP config (with pseudo names and fake passwords):
    snmp-server community switch_read ro   (matches OOB Management -> Profiles -> Device -> SNMP Read v2 settings)
    snmp-server view v1default iso included
    snmp-server user switch_write switch_group v3 auth md5 <my-password>  (matches OOB Management -> Profiles -> Device -> SNMP Write v3 settings)
    snmp-server group switch_group v3 auth read v1default write v1default
    snmp-server user cam_notify cam_group v3 auth md5 <my-password>
    snmp-server host 10.200.11.100 traps version 3 auth cam_notify mac-notification snmp  (matches OOB Management ->  Profiles -> SNMP Receiver v3 settings)
    snmp-server group cam_group v3 auth read v1default write v1default notify v1default
    What is wrong with my setup?  Any help is appreciated.

    Did anyone ever find a solution to this issue? I'm having the same problem.... it takes minutes to open the ports on a switch in the CAM. It shouldn't take minutes to manage ports for each switch, it should take less than 10 seconds...

  • NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

    Hello,
    I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:
    Core Switch:
    VLAN DB:
    vlan 10
    name VLAN_DEPT1
    vlan 11
    name VLAN_DEPT2
    vlan 20
    name VLAN_DEPT3
    vlan 26
    name VLAN_DEPT4
    vlan 27
    name VLAN_DEPT5
    vlan 28
    name VLAN_DEPT6
    vlan 29
    name VLAN_DEPT7
    vlan 30
    name VLAN_DEPT8
    vlan 32
    name VLAN_DEPT9
    vlan 50
    name VLAN_NetMGT
    vlan 51
    name VLAN_CAS_MGT
    vlan 52
    name VLAN_CAM_MGT
    vlan 210
    name VLAN_DEPT1_Auth
    vlan 211
    name VLAN_DEPT2_Auth
    vlan 220
    name VLAN_DEPT3_Auth
    vlan 226
    name VLAN_DEPT4_Auth
    vlan 227
    name VLAN_DEPT5_Auth
    vlan 228
    name VLAN_DEPT6_Auth
    vlan 229
    name VLAN_DEPT7_Auth
    vlan 230
    name VLAN_DEPT8_Auth
    vlan 232
    name VLAN_DEPT9_Auth
    Interface Configs
    interface GigabitEthernet3/41
    description "Link to Cisco CAM-PRI eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/42
    description "Link to Cisco CAM-FO eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/43
    description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/44
    description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/46
    description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet3/48
    description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet1/1
    description "Trunk link to DEPT1 Access SW"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    !------- Example of VLAN Interface --------
    interface Vlan10
    description "DEPT1 VLAN"
    ip address x.x.10.1 255.255.255.0
    ip helper-address x.x.50.5
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    !------- No VLAN Interface for AUTH VLAN 210 --------
    Access Switch Configuration
    interface GigabitEthernet0/1
    description "Trunk Link to Core Switch"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    no ip address
    interface GigabitEthernet0/6
    switchport access vlan 30
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    =========================================
    Is the above config correct?
    Thanks

    Hi,
    By bogus I assume you mean something like:
    interface Vlan700
    description "BIT BUCKET for unused ports"
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    shutdown

  • NAC migration from L2 OOB to L3

    Hello,
    I have a question about migrating NAC Appliance version 7.0 from an L2 OOB deployment to L3 Real-IP Gateway.
    Do I need to do anything else for this, or must I only change the settings on the CAM in "Clean Access Server Type"?
    I don't have a lab to test it.
    Kamil

    Kamil,
    That would require a major design change in your network - something I guarantee you is not possible to handle in a forum setting :-)
    If you have a Cisco account team, engage them, so they can help you get a workable design for L3 RIP.
    HTH,
    Faisal

  • NAC 4.7.2 (OOB VGW) MAC certificate validation slow

    We have been seeing some odd behavior with certificate validation on Mac OS X devices running the installed agent.
    When a user enters their userid and password they sometimes get an SSL cert error. If the user clicks on login multiple times they will eventually certify and join the trusted network.
    I did a packet capture of a machine that was experiencing the problem.
    The packet capture showed the Mac making a DNS query for the Verisign server's IP address, and the DNS server returns the correct answer. The expected connection to the Verisign server never occurs. (The SSL cert error on the Mac shows up about now.)
    If login is clicked (several times) and you go through the cycle again, eventually the connection to the Verisign server is established, the certificate is validated and the user is placed into the trusted VLAN.
    Has anybody else experienced this? Any ideas?

    Faisal,
    I reviewed my work, including where I performed my captures. The capture I did initially was between the CAS and the outside world - our routing core.
    I decided to span a port a Mac was connected to and performed another capture.
    Lo and behold, the Mac was actually trying to connect to the Verisign server based on the IP address of the forward DNS lookup sent originally from the Mac.
    I thought about the process and I believe that NAC has to do a reverse lookup on the IP address so that it can compare the server name against the host filter I built to allow the traffic.
    The filter was based on the forward lookup, so it was something like "ends with crl.verisign.com".
    When I did a reverse lookup I discovered most of the servers returned something like "crl.indv10.verisign.com", which of course did not match the filter I had created. Traffic blocked.
    I changed the filter to just "ends with verisign.com" and it worked 95% of the time.
    Why only 95%?
    One of the servers had an IP address that was outside the 199.x.x.172 pattern most of them use, and it did not return a name when the reverse lookup occurred. I finally ended up adding that IP address as a filter.
    No problems now.
    Later!
    Bob

  • Process to upgrade Certs in NAC 4.7.2 OOB VG HA environment

    I am in the process of replacing the CCA manager certificate which is about to expire. My environment is HA and as such consists of two CAM servers and two pairs of HA-CAS servers.
    First - I have submitted and generated the CAM server certificate (easy enough, as the CAM SSL is accessible via the GUI). I think, although I'm not sure, that I need to generate a new cert for the CAS(s).
    If I do, I need to access at least one CAS in an HA pair via the GUI. Does it matter which one? When I attempt to GUI to the "secondary" CAS in a pair I am of course being treated like a device that needs to be "NAC'd".
    To access the CAS I think I need to stop perfigo services, which should drop me out of the HA pair. True?
    Will I need to take each server out of "service" to update the cert?
    If there is a documented sequence of events I would love to see it.
    Thanks!
    Bob


  • NAC ADSSO not 100% work

    Hello,
    We have a NAC system on which ADSSO does not work 100% of the time.
    Sometimes the agent pops up and asks for credentials, and sometimes it logs in automatically (ADSSO works).
    Has anybody had the same experience before?
    Thanks

    Are you running OOB Layer-3 with Real-IP gateway? Are you running 4.1.3? Are you using a Certificate Authority? If the answer is yes to all, you may want to review this http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html#wp74768. Be careful though, you may also need to apply an egress ACL to block the trusted VLAN from sending TCP-8910 to the FQDN of the OOB-CAS's Untrusted IP. Otherwise, the CCA agent may continue to send TCP-8910 to the CAS and process SSO and refresh IP continuously (looping process).

  • NAC - L3 OOB

    Hi all,
    We would like to authenticate users L3-adjacent to the NAC appliance server. The NAC is set up as OOB virtual gateway.
    Is that possible, and what should the configuration be?

    I defaulted the 3550 switch in the WAN and reconfigured it and it works now. I tried the same procedure for the 2950 switch but no dice. I replaced the 2950 switch with a 3550 that worked.
    Can anyone say if there is an issue with the 2950 switch for L3 OOB? I don't have another 2950 switch to test with.
    Sachin

  • NAC OOB L2 VG Managed Subnet

    I have configured OOB Virtual Gateway. However, the CAS fails to detect and redirect to the login web page.
    Sometimes when I change the managed subnet, it works...
    I wonder what exact IP address should be typed into the managed subnet?
    Suppose I have 10 trusted VLANs (10,11,12,13 ...), and I create 10 related untrusted VLANs (20,21,22,23...)
    IP address for VLAN 10: 192.168.10.0/24
    IP address for VLAN 11: 192.168.11.0/24
    IP address for VLAN 12: 192.168.12.0/24
    IP address for VLAN 13: 192.168.10.0/24
    I have tried the 4.1.x version of CAM/CAS; the page allowed us to input a subnet address.
    However, in 4.5.x or above, we must input a host IP address. Now I have upgraded to version 4.7.2, so what IP address and VLAN should I type into this page?
    192.168.10.254/24 VLAN20
    192.168.11.254/24 VLAN21
    192.168.12.254/24 VLAN22
    192.168.13.254/24 VLAN23
    or
    192.168.10.254/24 VLAN10
    192.168.11.254/24 VLAN11
    192.168.12.254/24 VLAN12
    192.168.13.254/24 VLAN13
    Also, I want to ask about the Network page of the CAS. Should the "Set management VLAN ID" of the untrusted interface be set to "0", left blank, or set to one of the trusted VLANs?
    I'm a green hand in NAC... hope someone can guide me. Many thanks.

    Successfully getting an IP now... because some VTP was set to transparent and couldn't learn all the VLANs.
    Even so, there are some issues I face. Since the user flat network is big enough to cover thousands of switches, I found some characteristics.
    The big flat network is using a "3750 stack" as the core switch. The IOS version is 12.2(25). I did check with the doc.
    Extracted as below:
    Stacked Cisco Catalyst 3750 Switches and NAC Appliance Out-of-Band Deployment
    For Cisco Clean Access (NAC Appliance) customers with OOB deployments running stacked Cisco Catalyst 3750 switches with Cisco IOS 12.2(25) SEC2 or lower, SNMP mac-notifications can fail, and SNMP does not report MAC addresses to the OOB Clean Access Manager and Server.
    So.................... my question is:
    Although this switch might fail to send SNMP notifications to the CAS/CAM, would all other switches connected to this 3750 also fail to report SNMP notifications???
    In my case it seems that all switches connected away from the switch connected to the CAS/CAM successfully perform login and authentication by the CAS. However, all switches connected to this core 3750 fail to perform the login... not even a login page is found.
    SW1 --- 3750 -- SW2 --- SW3 --CAS & CAM
    SW2 and SW3 could successfully perform CAS login.
    SW1 fails to get the login page and fails to do authentication, but could get DHCP and is stuck in the untrusted VLAN.

  • NAC OOB-Logoff

    Hi
    How is the host communicating with the NAC server?
    In OOB L2 VG, the agent is using the SWISS protocol (L2 8905 towards the default gateway or L3 8906 towards the discovery host), but the NAC server does not have an IP in the access VLAN; it only has a management address in another VLAN...
    And the discovery host is commonly the CAM, so the agent won't reach the server on the trusted side.
    Cisco says that ACL, PBR or VRF is the answer - but in an L2 OOB none of these solutions would work, because the NAC server only has a management address and no L3 connectivity to the access VLAN.
    If a discovery host should be used - how are multiple NAC servers then supported??
    Can the CAM tell the agent anything or forward the SWISS packets??
    Am I missing something??
    Regards Henrik


  • NAC L3 OOB VGM Deployment examples

    Greetings,
    Currently my customer has a L2 OOB VGM deployment for the users inside the campus network.
    The customer is opening new branch offices and wants to use the same NAC server for those offices (NAC centrally deployed).
    I would like to get some examples and guidance on how to configure the NAC in Layer 3 OOB VGM, since I wouldn't like to change my network topology in order to accommodate Real-IP mode.
    I have only found examples for Real-IP Layer 3.

    Yes, I agree with you. I asked because the NAC can be configured that way, and also Cisco's documentation suggests it is possible.
    The only way I thought that could accomplish L3 OOB VGM is by having a second interface in the WAN router connected to the unauthenticated VLAN, and redirecting traffic to that interface (PBR).

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, NAC appliance integrated with Active Directory Single Sign-On.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user will be authenticated using their domain account login; if successful, the user will be mapped to the VLAN assigned to them.
    The SSO agent installed on Active Directory is running well, and on the CAS the SSO service is also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch and gets the dummy VLAN and will authenticate using the domain account on AD. If successful, the port will be bounced; the user is running a Cisco agent in the background
    3. Now user A is on their own VLAN ID 15
    I've created the authentication server on the CAM for the Active Directory, but I've found it very difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP server,
    where the expression is
    memberOf contains CN=Finance, and apply it to role Employee. If VLAN 15 is your Employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.

  • ISE and NAC Agent

    Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) environments. We are looking at migrating over to ISE for our wireless environment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC environment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this environment; we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically is NOT listed in the NAC compatibility matrix. So what version of NAC agent should we run in a mixed environment? I am hoping 4.9.1.5 is supported against ISE, and the matrix is simply not updated yet. Thank you in advance for your help.

    Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC appliances, we would still run that agent. Does that agent run against ISE, and if not, what is Cisco's recommendation to bring ISE into the environment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE, as our laptops will be wireless and wired at different times. Which agent would be recommended?

  • Grocery List Needed for WLAN Guest NAC

    Hello - what I want to do is put a solution in place that will control any guest wireless that is out of bounds. What I mean by that is locations that have a DSL line alongside the corporate network, to be controlled through a NAC guest server.
    Scope of the enterprise is:
    * 2k8 domain.
    * Cisco 1200 and 1240 APs
    * 1 cisco NAC guest server
    * 1 acs
    * sites are all connected via MPLS
    What else do I need? Of course I am trying to be mindful regarding budgetary numbers.
    From reading the configuration guide for the Clean Access Server I assume I need the Clean Access Manager NAC appliance as well, to have this all tie together?
    Please advise on any other things, tips or tricks. :)
    thank you kindly in advance.

    NAC Out-Of-Band (OOB) Wireless Configuration Example
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

  • NAC with NON-cisco wireless

    Hi there,
    I know that with WLC 5.1 and NAC 4.5 Cisco started to support OOB, NAC implementation. Now here is my question:
    A customer has CISCO environment except for the wireless which is another vendor. What are the options to bring wireless traffic into NAC server? Is OOB deployment possible?
    Thanks,
    rdianat

    So what is the solution for this scenario?
    The remote site has a non-Cisco autonomous wireless AP. NAC is centralized. I cannot use OOB since there is no support for non-Cisco APs in OOB mode. As a result I use In-Band mode. This means that local wireless traffic in the remote site must travel to the central site, go through the NAC Server and go back to the remote site. Is this correct?
