NAC appliance OOB DNS problem

Hello friends, can anybody help me?
I have 1 CAS OOB, a 3560 and 1 CAM. I have configured VLANs, DHCP, etc. When the client is in the auth VLAN, it gets an IP from the trusted VLAN with the VLAN mapping configuration, but DNS doesn't work. The client web browser doesn't redirect. I can access the login page only by writing the CAS IP address in the browser.
I am lost, thanks.

Make sure the IP address of the CAS is mapped to its name in the DNS server so that redirection takes place.

Similar Messages

  • NAC Appliance OOB L3

    Hi everyone,
    "I have a friend" ( :-) ) for whom I want to deploy the NAC OOB L3.
    Why this one? Because he has a central location and a few branches (a few more actually) and these branches are at 2 L3 hops from the center. More specifically, there is a L3 switch as a gateway to the branch LAN users and after that, a router that connects to the center (GRE/IPSec).
    The question is, and I did not manage to find out or work out by myself: is it mandatory to use a DHCP server for allocating IPs to clients (for all of their states: unauthenticated, authenticated, permitted, etc.)?
    If not, how should it be done?
    Second: if it is mandatory, should it work only with a centrally deployed DHCP server, or can I use the L3 switch in every branch as a DHCP server?
    Thank you for your patience.

    DHCP is required for L3 OOB real-ip gateway since the system will need to get a new address when it is switched to the authorization VLAN and then again after the posture process when it is switched back to its "normal" VLAN.
    As for the DHCP server, you can use either a central server, have a local switch provide the addresses or a combination of both.
    In our install, the local switch is the DHCP server for the auth VLAN and a local server is used for the access VLAN.
    Mike

  • NAC Appliance + OOB Virtual Gateway Trunking issues

    I have the following problem. When I connect the CAS eth0 to a trunk port in the core switch it disconnects from the CAM. When the port is in access mode, the CAM can connect to the CAS. The core switch is a 4500 with IOS 12.2(25)EW. What could be the problem?

    Hi prananth,
    I managed to resolve the issue. It was an HA issue. I had configured "Link failure detect" on the redundant CAS app. Apparently the CAS couldn't reach the pingable IP, causing failover to take place many times between the two boxes, causing the CAS not to communicate with the CAM.
    Kindly help me with the following problem I am now having:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddf45d4/0#selected_message
    I would really appreciate it. Thank you.

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, a NAC appliance integrated with Active Directory single sign-on.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user is authenticated using their domain account login; if successful, the user is mapped to the VLAN assigned to them.
    The SSO agent installed on Active Directory is running well, and on the CAS the SSO service has also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch, gets the dummy VLAN and authenticates using the domain account on AD. If that succeeds, the port is bounced; the user is running a Cisco agent in the background
    3. Now user A has their own VLAN ID 15
    I've created the authentication server on the CAM for Active Directory, but I find it very difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP server,
    where the expression is
    memberOf contains CN=Finance
    and apply it to the role employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.
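An added example (not from the thread and not Cisco code) for checking a `memberOf contains CN=Finance` expression against the memberships an AD auth test returns, before the rule assigns a role and VLAN. It assumes the `contains` operator is a plain case-sensitive substring test; the sample DNs and the helper names are constructed for illustration.

```python
# Added example: sample data is constructed, helper names are hypothetical.
# Assumption: "contains" in the mapping rule is a plain substring test.

# memberOf values as an AD auth test might return them (constructed).
SAMPLE_USERS = {
    "alice": ["CN=Finance,OU=Groups,DC=example,DC=com"],
    "bob": ["CN=Finance-Contractors,OU=Groups,DC=example,DC=com"],
    "carol": ["CN=FinanceAudit,OU=Groups,DC=example,DC=com",
              "CN=Sales,OU=Groups,DC=example,DC=com"],
    "dave": ["CN=Sales,OU=Groups,DC=example,DC=com"],
}


def contains_rule(member_of, needle):
    """Model 'memberOf contains <needle>' as a substring test on each DN."""
    return any(needle in dn for dn in member_of)


def first_rdn(dn):
    """Return (attribute, value) of the leftmost RDN, honouring '\\,' escapes.

    Hex escapes such as '\\2C' are not decoded here.
    """
    out, i = [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            out.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if dn[i] == ",":            # unescaped comma ends the first RDN
            break
        out.append(dn[i])
        i += 1
    attr, _, value = "".join(out).partition("=")
    return attr.strip().upper(), value.strip()


def in_group(member_of, group):
    """True only when some DN's leftmost RDN is exactly CN=<group>."""
    for dn in member_of:
        attr, value = first_rdn(dn)
        if attr == "CN" and value.lower() == group.lower():
            return True
    return False


def over_matched(users, needle, group):
    """Users the substring rule would map although they are not in <group>."""
    return sorted(user for user, groups in users.items()
                  if contains_rule(groups, needle) and not in_group(groups, group))


if __name__ == "__main__":
    # Compare the expression as posted with one that ends at the RDN separator.
    for needle in ("CN=Finance", "CN=Finance,"):
        print(repr(needle), "->", over_matched(SAMPLE_USERS, needle, "Finance"))
```

Under that assumption, ending the expression at the RDN separator (`CN=Finance,`) keeps similarly named groups out of the role.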

  • NAC - L3 OOB

    Hi all,
    We would like to authenticate users L3 adjacent to the NAC appliance server. The NAC is setup as OOB virtual gateway.
    Is that possible, what should be the configuration ?

    I defaulted the 3550 switch in the WAN and reconfigured it and it works now. I tried the same procedure for the 2950 switch but no dice. I replaced the 2950 switch with a 3550 that worked.
    Can anyone say if there is an issue with the 2950 switch for L3 OOB? I don't have another 2950 switch to test with.
    Sachin

  • NAC L2 OOB Auth and Access VLAN

    I'm new to Cisco NAC appliance.
    I wanted to deploy L2 OOB VGM for my wired users.
    I wanted to check whether I can have multiple Authentication to Access VLAN mappings.
    For example :
    Authentication VLAN - 111 Map to Trusted VLAN 311
    and
    Authentication VLAN - 112 Map to Trusted VLAN 312
    Therefore, on the port profile of the switch, I can allocate which ports should be using Authentication VLAN 111 and VLAN 112.
    The reason I want to do this is that I need the users to obtain IP addresses that are associated with the trusted segment, so that I do not have to bounce the switch port or utilise DHCP release/renew from the CCA or web client.

    Role-based access VLAN mapping for Windows single sign-on (SSO) users can be achieved with this procedure:
    Choose Management > Auth Servers and select Auth Type to Active Directory SSO.
    Select Default Role for the role that you want Windows SSO users to be in after they are logged in. For example, in this case it should be vencorp.
    Choose User Management > User Roles, select the role (vencorp) and click Edit.
    Define the Out of Band User Role VLAN to 5 (or any VLAN that you want the users of this role to be).
    Save the role.
    Choose Switch Management > Profiles > Port > List and click Edit for the control profile.
    Change the Access VLAN to User Role VLAN and click Update.
    Log in through the PC with SSO. You are now logged in to the domain and have role-based VLAN mapping.

  • NAC Appliance and LDAP Lookup

    Hello,
    I have two CAMs in HA and two CASs in HA.
    I configured the LDAP Lookup to create rules for role allocation.
    In this configuration there is only one Windows server to look up the user properties.
    There is one problem when this Windows server is down. Is there any configuration to mitigate this when the server is not there?
    Thank you all.

    The LDAP lookup server configs state it uses the LDAP Authentication Provider. The LDAP Authentication Provider says you can have multiple entries in the single field
    LDAP
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_auth.html#wp1158614
    You can add redundancy for LDAP Authentication servers by entering multiple LDAP URLs in the Server URL field separated by a space, for example:
    ldap://ldap1.abc.com ldap://ldap2.abc.com ldap://ldap3.abc.com
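An added example (not from the thread or the Cisco guide) that parses a space-separated Server URL field like the one quoted above and reports whether more than one listed LDAP server actually answers, so a single-server dependency is noticed before an outage. The function names are hypothetical, and the reachability test is a plain TCP connect to the LDAP port, not a bind.

```python
# Added example: helper names are hypothetical; the field value is the
# sample from the quoted guide text.
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SERVER_URL_FIELD = "ldap://ldap1.abc.com ldap://ldap2.abc.com ldap://ldap3.abc.com"


def parse_server_urls(field):
    """Split the space-separated field into (scheme, host, port) tuples."""
    servers = []
    for raw in field.split():
        parts = urlsplit(raw)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"not an LDAP URL: {raw!r}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        servers.append((parts.scheme, parts.hostname, port))
    return servers


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_redundancy(field, probe=tcp_probe):
    """Probe every listed server, in the order given in the field.

    'redundant' is True only when at least two servers answer, which is
    what protects role lookups when one directory server is down.
    """
    results = [(host, port, probe(host, port))
               for _scheme, host, port in parse_server_urls(field)]
    reachable = [host for host, _port, ok in results if ok]
    return {
        "results": results,
        "reachable": reachable,
        "redundant": len(reachable) >= 2,
        "first_usable": reachable[0] if reachable else None,
    }


if __name__ == "__main__":
    # Offline demo: simulate ldap1 being down instead of touching the network.
    report = check_redundancy(SERVER_URL_FIELD,
                              probe=lambda host, port: host != "ldap1.abc.com")
    for host, port, ok in report["results"]:
        print(f"{host}:{port} {'up' if ok else 'DOWN'}")
    print("redundant:", report["redundant"], "first usable:", report["first_usable"])
```

Call `check_redundancy(field)` without the `probe` argument to test real servers from a host that has the same network path to them as the CAM.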

  • I am having a DNS problem with my computer. My laptop connects to the internet and my skype works normally but when i try to surf the web it says "DNS Look up failed".

    MY PROBLEM
    I am having a DNS problem with my laptop. It connects normally to the wifi internet but when I try to surf the net it says "DNS Look up failed"
    This problem only occurs with the internet at my house. Whenever I connect elsewhere my computer works normally. My iPod, iPhone, tablet and other friends' computers work normally when they are connected to my internet. I used my neighbour's network a couple of times from my house and it works normally.
    Also when I turn my laptop on or off I can browse for a few minutes or seconds before it fails again. My Skype works like there is no problem
    WHAT I HAVE TRIED TO RESOLVE IT
    I have tried changing the DNS, I used OpenDNS and Google free DNS and it still didn't make a difference.
    I have rebooted the router many times, nothing
    I have changed my home router, nothing
    I backed up my computer, restored everything to factory settings and put everything back on; still nothing
    Ran a diagnostic at 'Best Buy' and they say nothing is wrong; but I know there is something wrong with the DNS
    I have tried different "sudo" type of codes on my computer from stuff I got online and nothing has proved fruitful yet.
    I tried using Safari, Google Chrome and Firefox, all not loading
    WHAT DO I DO TO FIX THIS?

    You are correct.  Syncing should transfer any purchased media, including videos, from your device to your iTunes library provided your computer is authorized for the Apple ID used to make these purchases.  You mentioned that you have uninstalled iTunes before, but if you didn't follow this guide exactly, uninstalling iTunes and all of its components in the order specified, it may not have been successful so you should try again:  Windows XP or Windows Vista/7.

  • Windows 7 VM has DNS Problem When Using Wireless

    Hello All,
    I've been fighting this virtual machine networking problem for over a week now. If anyone has a well-informed suggestion (not a guess) I would appreciate hearing about it.
    Here's the problem in a nutshell and then I'll give more details: I'm running Windows 7 Ultimate (64 bit) as my primary (i.e., host) OS. I'm running Windows 7 Home Professional (32 bit) as the guest OS in "Windows Virtual PC" (note that this is *not* the same as "Virtual PC 2007"). If I configure the VM to use my host's wired Ethernet connection, the guest OS can always see the machines on my local network and can always reach the Internet just fine. On the other hand, if I configure the VM to use only my host's wireless connection then the guest OS can still see machines on my local network but CANNOT reach the Internet, except very intermittently (e.g., for maybe 1-2 minutes every hour or so).
    I've tried to anticipate the questions you might ask so here is some additional information:
    The computer is a Lenovo W500 laptop running Windows 7 Ultimate, 64-bit. The wireless network adapter is an "Intel WiFi Link 5300 AGN".
    My Internet connection is via AT&T DSL using a wire2 wireless modem/router.
    I have all the updates from Microsoft and Lenovo for this machine. It is 100% up to date with the latest patches and drivers.
    I'm running the 64-bit version (or at least I used the 64 bit installer) of "Windows Virtual PC" which I downloaded  from this link.
    I am *not* running and I did not download "XP Mode".
    When the guest OS loses its connection to the Internet the following message appears in the Windows Event Log:
    "Name resolution for the name address.yahoo.com timed out after none of the configured DNS servers responded."
    I am able to ping external machines outside my network but only if I use the IP address. If I specify the host name it cannot be resolved.
    ARE YOU GETTING THE IMPRESSION THIS IS A DNS PROBLEM??? It looks like I do not have access to a DNS when using the host's wireless connection.
    On the host OS, the "Virtual PC Network Filter Driver" *IS* installed and selected under my "Wireless Network Connection Properties" settings.
    Below are the results of running ipconfig on the guest OS and then the host OS. Note that I am able to ping 192.168.1.254 from the host OS but not from the guest OS. I think this is the crux of the problem.
    Here's what I get from an ipconfig /all executed on the guest OS:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : Win7_01
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Broadcast
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : gateway.2wire.net
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : gateway.2wire.net
       Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Emulated)
       Physical Address. . . . . . . . . : 00-03-FF-5A-E5-8C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::6452:ad20:724a:4d3a%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.75(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Friday, May 14, 2010 7:22:30 PM
       Lease Expires . . . . . . . . . . : Friday, May 21, 2010 7:22:30 PM
       Default Gateway . . . . . . . . . : 192.168.1.254
       DHCP Server . . . . . . . . . . . : 192.168.1.254
       DHCPv6 IAID . . . . . . . . . . . : 234882047
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-79-57-1A-00-03-FF-5A-E5-8C
       DNS Servers . . . . . . . . . . . : 192.168.1.254
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.gateway.2wire.net:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : gateway.2wire.net
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    And here's what I get when I do ipconfig /all on the host OS:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : LEONA
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Broadcast
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : gateway.2wire.net
    Wireless LAN adapter Wireless Network Connection:
       Connection-specific DNS Suffix  . : gateway.2wire.net
       Description . . . . . . . . . . . : Intel(R) WiFi Link 5300 AGN
       Physical Address. . . . . . . . . : 00-21-6A-59-E5-8C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::94b0:4080:c30f:95da%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.78(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Friday, May 14, 2010 6:20:52 PM
       Lease Expires . . . . . . . . . . : Friday, May 21, 2010 6:20:53 PM
       Default Gateway . . . . . . . . . : 192.168.1.254
       DHCP Server . . . . . . . . . . . : 192.168.1.254
       DHCPv6 IAID . . . . . . . . . . . : 218112362
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-79-34-70-00-22-68-14-2F-CB
       DNS Servers . . . . . . . . . . . : 192.168.1.254
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Local Area Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : gateway.2wire.net
       Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-22-68-14-2F-CB
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.gateway.2wire.net:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : gateway.2wire.net
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e74:3ca6:3214:b4fb:72d4(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3ca6:3214:b4fb:72d4%13(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Hello,
    I am not very familiar with Microsoft Security Essentials, but believe that it just makes use of the existing Windows Firewall which is present with the operating system.
    To me it is odd that the guest OS reports 192.168.1.254 as the IP address for its gateway and DHCP server yet it cannot access them when pinged.  Let's try pinging from host to guest (and vice-versa)  and see what happens:
    From the host OS at 192.168.1.78, try pinging the guest OS at 192.168.1.75. 
    Then, from the guest OS at 192.168.1.75, try pinging the host OS at 192.168.1.78.
    Is each operating system able to ping each other?
    Regards,
    Aryeh Goretsky
    I am a volunteer and neither a Lenovo nor a Microsoft employee. • Dexter is a good dog • Dexter je dobrý pes

  • Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

    Hi,
    I am re-imaging the Cisco NAC Appliance 3315 and installing the Cisco ISE 1.1.4...
    After finishing the installation, when I type "SETUP"... it gives me the below error:
    # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
    # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
    Please advise....
    I tried to change the Time/Date as per UTC/GMT accordingly... But I didn't find the RAID in CLI... see the link below
    (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
    any idea...
    Regards,
    Mubasher Sultan

    Where did you get the recovery media? Did you download from cisco.com?
    Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
    Supporting link:
    http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
    Jatin Katyal
    - Do rate helpful posts -

  • NAC Appliance and BigFix Automatic remediation

    Hi,
    I want to integrate NAC appliance with BigFix for automatic remediation of Windows clients. Please provide me a document for the same if anyone has done this in their organization.
    Regards,
    Amit

  • Database DNS problem while uploading jsp's

    We create DNS while working with localhost on a Windows machine, but when we upload the JSPs and database, how do we manage the DNS problem? Do we have to create the DNS there too, or is there some other way out?

    Sorry for the spelling mistake; actually it was DSN (data source) that was being asked about.

  • Is ACS required in NAC appliance.

    Hi,
    One of our clients has decided to implement NAC. They need to know what the various options are, especially the NAC appliance (3310 etc). I read that the appliance is a device like a server which has hard disks, CD-ROMs etc. But the documents don't say much about the configuration of the server, whether ACS is required to be installed on the server, etc. Can we do port-based 802.1x with the help of this device (like dynamically assigning a host to a particular VLAN if OS/anti-virus is not updated)?
    Thx in advance.
    Sonu

    NAC appliance will work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC appliance... You can use ACS/RADIUS/LDAP/etc. to authenticate the users.
    The Appliance will work with Patch Management (after authentication) to ensure that the right applications and patch levels are met. We work with Altiris/BigFix/Patch Link/SMS and more.
    The great thing about NAC Appliance is that it works for all four major use cases:
    1. VPN users
    2. WIFI users
    3. LAN/wired users
    4. Guest/visitors
    We can
    1. authenticate
    2. Posture assess (scan)
    3. Quarantine/
    4. Remediate
    You don't want users to have to learn three different ways to connect to the network.
    802.1x is working for WIFI today and for LAN connections we use one user per port so they get the whole pipe. In the future we will support subdivision of an Access Switch port for multiple devices and users.
    I hope this helps.

  • DNS problems on Lion

    Hello,
    Ever since I "upgraded" to Lion I have had DNS issues.
    I know it's a DNS problem because IP addresses work fine.  And I know it's not a browser issue, because I am running 'ping google.com' from the command line.
    The symptoms are non-responsive queries to DNS servers, in web browsers or the command line (using ping).  Currently I am using google's DNS servers:  8.8.8.8 and 8.8.4.4.  I'm absolutely sure that there is nothing wrong with those servers.  The request to the DNS servers eventually times out, and then I hit "Refresh" and the page loads fine.
    Also, if I recycle the network adapter, e.g.
    $ sudo ifconfig en1 down
    $ sudo ifconfig en1 up
    DNS starts working again, temporarily until the next time.  It happens again (randomly, not at regular intervals), I then run the ifconfig down/up again, and DNS works again, and so on.
    This started happening when I went to Lion.
    Thank you

    I have just purchased a brand new Mac Mini Server with Lion Server running. Managed to set up DNS service and 5 zones configured and running fine for 1 to 2 days.
    The DNS in Server Admin suddenly stopped loading the information and the buttons were all greyed out last night, with no changes made since I was away at work. It keeps getting into the same situation as the thread starter mentioned. I have tried all possible means but it just doesn't load zone information any more.
    I would like to try John's approach but it seems I am unable to get 'root' access to perform those actions. Thus would appreciate some advice on how to proceed forward to resolve the issue.
    1. Tried the Directory Utility approach to "Enable Root" but when enter terminal, 'sudo root' does not seem to accept the password I have set. Is there any other means to enable an account to have sufficient access to perform those DNS related resolution steps?
    2. Is there any location to obtain a copy of the default named.conf?

  • NAC framework or NAC appliance: which is better

    Hi all, can someone just advise which is the better solution, the NAC appliance or the NAC framework?
    regards
    sushil

    Hi Sushil,
    If you are taking a poll, please count me in for the appliance over the NAC framework. I've done both and there are more variables in the framework than when you use the appliances. From my experience, the more variables the harder it is to troubleshoot. Your mileage may vary.
    I would also add that doing an implementation which employs a Virtual Gateway, Out-of-Band for wired users, and Central Deployment is the best use of your time and money.
    Of course, if you are using NAC for VPN and Wireless users you still need dedicated CAS devices, as these require In-band deployments.
    Hope this helps.
    Paul
