NAC Appliance and BigFix Automatic remediation

Hi,
I want to integrate NAC appliance with BigFix for automatic remediation of Windows clients. Please provide me a document for the same if anyone has done this in their organization.
Regards,
Amit

Similar Messages

  • NAC Appliance and LDAP Lookup

    Hello,
    I have two CAM in HA and two CAS in HA.
    I configured the LDAP Lookup to create rules for role allocation.
    In this configuration there is only one Windows server to look up the user properties.
    There is a problem when this Windows server is down. Is there any configuration to mitigate this when the server is not available?
    Thank you all.

    The LDAP lookup server configs state it uses the LDAP Authentication Provider. The LDAP Authentication Provider says you can have multiple entries in the single field
    LDAP
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_auth.html#wp1158614
    You can add redundancy for LDAP Authentication servers by entering multiple LDAP URLs in the Server URL field separated by a space, for example:
    ldap://ldap1.abc.com ldap://ldap2.abc.com ldap://ldap3.abc.com

  • NAC Appliance and Novell

    Does anybody know whether or not the Cisco NAC Appliance (CCA) will work with Novell authentication in any fashion?

    We're starting a pilot now. We have to use MAC address authentication because there is no Novell support.

  • NAC appliance and IP Magic

    I have a Lightspeed device that I want to have access the Internet but I cannot find a way to exempt it from the NAC. The Lightspeed's ports are bridging my traffic just fine but I cannot open Internet Explorer to get out on the Internet without triggering the routine to install the Clean Access Agent...which I don't want to do.
    I've tried adding the MAC addresses of all ports on the Lightspeed to the Exempt list on the NAC but that has not worked. I presume the issue has something to do with the interfaces on the Lightspeed using IP Magic and not TCP/IP.
    Any thoughts on a workaround?

    There is an option to exempt MAC addresses on the NAC. Clean Access requirements are enforced to exempt devices from the network. Refer to the following URL for more information:
    http://www.cisco.com/application/pdf/en/us/guest/products/ps7120/c1626/ccmigration_09186a00805ec158.pdf

  • NAC Framework and NAC Appliance in a WAN scenario

    What would the scenario be for NAC Appliance and NAC Framework in a WAN topology? For example, I have my core and remote offices and I want to implement NAC for all remote sites and the central site.
    What would the solution be?
    Best Regards

    Hello Daladen,
    What is the solution for a WAN topology with NAC Appliance?
    One NAS per site? And the NAM in the central site?
    Thanks
    Álvaro

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • CCA Agent debug - AD SSO NAC Appliance

    Hi,
    I'm investigating a HARD AD SSO issue on NAC appliance and, checking the doc suggested by Prem (Troubleshooting Windows SSO), I don't understand how I can obtain the output on page 14 (title: Debug Logs from Agent).
    I've activated the event.log (adding registry key...) as suggested, but in that file I can see only a lot of hexadecimal data, which is not easy to understand.
    Can somebody help me?
    Thanks, regards

    I think most of the hexadecimal characters are MAC addresses. In the following document go to chapter "error and event log messages" for understanding the messages
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca41/cam41ug.pdf

  • NAC Appliance reporting to MARS

    Can MARS be configured to receive reports from NAC Appliance CAM/CAS? There isn't an option for NAC under MARS devices.
    Thanks,
    -KK

    NAC Framework is not NAC Appliance and does not work the same way. Framework is based on 802.1x. CAM/CAS is based on either being inline or via SNMP control of switches, with no ACS involvement at present.
    NAC Appliance (CAM/CAS) is not currently supported under MARS as far as I know.
    You can syslog basic info out of the Appliance, but it will tell you things like whether the update succeeded or failed for the CAS and various other information.
    Hopefully soon it will send out posture assessment messages into MARS or other SIM/SEM type products.
    What info do you want to get out of it?

  • What is a Cisco NAC appliance used for?

    We have a 5508 WLC in use already and have this 3310 lying around unused. I am trying to figure out if adding a 3310 would be of any benefit.
    From the documentation, the features of a 3310 NAC are,
    Recognize users, their devices, and their roles in the network
    Evaluate whether machines are compliant with security policies
    Enforce security policies by blocking, isolating, and repairing noncompliant machines
    Provide easy and secure guest access
    Simplify non-authenticating device access
    Audit and report whom is on the network
    What does "enforce security policies by blocking, isolating, repairing" really mean?
    "Provide easy and secure guest access": I already have a public wireless SSID set on the WLC.
    I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
    I can get a report from my logging traps collector, Solarwinds.

    Well usually when I have deployed them back in the days, you had a NAC Appliance and another NAC Manager. But what you have read, that is exactly what it does.
    What does enforce security policies by blocking, isolating, repairing really mean?
    It will block and isolate the device if it doesn't meet the requirements that you have set, but the user has to manually repair the items.
    "Provide easy and secure guest access" I already have a public wireless ssid set on the wlc.
    I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
    I can get an report from my logging t
    You will not see any username or ap locations. I wouldn't use it as it might be more of a headache to implement unless you know what you are doing.
    Sent from Cisco Technical Support iPhone App

  • NAC Appliance remediation

    We are currently testing the NAC appliance before we roll it into production in an environment that does not have a software distribution system. I was just wondering what various methods people use to have end users self-remediate their machines when using a file or link requirement with the CAS.
    The main requirement is that the CSA agent must be installed on the end user's machine. The user can successfully download the CSA agent exe from the CAS. However, the installation requires admin rights, and because our users do not have these, the installation fails and the user cannot become compliant.
    Any suggestions on best practices or methodologies used in a production environment would be greatly appreciated.

    Following links may help you
    http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_bulletin0900aecd805baf90.html
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_agent.html

  • CiscoWorks DFM and NAC appliance

    Can NAC appliances be monitored by CiscoWorks DFM ?

    Here's the supported device list for DFM:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_device_fault_manager/2.0_IDU_2.0.6/device_support/table/dfm2_0_6.html
    If it's not on here then it's not supported. Looks like NAC appliances aren't supported.

  • McAfee Antivirus automatic remediation

    Hello All,
    I'm having an issue with McAfee Antivirus remediation. I'm using Cisco NAC 4.8.2 and it seems that automatic remediation is not working.
    Could someone help?
    Is there a webpage where we can check which AV can do automatic remediation?

    Hello,
    Here are the links to the Windows and MacOS supported AV/AS on NAC 4.8.2:
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/WinAV-AS-vers86.pdf
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/MacOSXAV-AS-ver9.pdf
    Regards.

  • Nac Agent do not execute remediation

    Hi to all,
    In a lab environment I have configured a CAM/CAS solution on a 3310 server and I have installed 2 PCs (one Windows Vista and one XP) with NAC client version 4.6.2.133.
    My problem is auto-remediation and manual remediation: the client gets temporary access but does not start the live update program (I use Symantec Endpoint Protection 11).
    I have admin rights on both PCs.
    How can I solve the problem?
    Thanks for help

    There is not automatic remediation for all products. You must launch the endpoint protection, click live-update, then re-scan on the NAC agent and you will pass.
    Quote from Cisco Doc (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_agent.html):
    "•Not all product versions of a particular vendor may support the Clean Access Agent launching the automatic update of the product. In this case, you can provide instructions (via the Description field of the AV or AS Definition Update requirement) to have users update their AV or AS definition files from the interface of their installed AV or AS product."
    If you have verified that your requirement-rule is specifically for Symantec Endpoint Protection 11, and the rule has automatic remediation configured, then it may fall into this scenario. You may also have it configured where the endpoint protection is not accessible to the end-user and requires admin rights to launch. Please put the client in debug and send the results to TAC for analysis, as it would be the best bet for you to get a clear answer.
    Hope that helps, rate if it does.
    Cheers,
    Tim

  • ISE Automatic Remediation

    Hi,
    We've been deploying an ISE solution (1.1.0-665 version) in one customer and we have one doubt regarding Posture Assessment/Remediation. We're trying to check AV installation and definitions and this check is working fine but things get a little bit complicated when we try to remediate the machines.
    In our Posture redirect ACL we don't redirect DNS, DHCP and ICMP to some hosts/servers as well as the necessary "posture traffic" (TCP/UDP 8905, 8906 and 8443 to the ISE IP) and redirect all HTTP and HTTPS traffic to the ISE in order to force Posture for users who need the Web Agent.
    And this means that when Posture Assessment fails and we need to remediate client's machine we are going to have problems performing automatic remediation since our AV (McAfee), as well as many others, tries to access update servers using port 80 and that traffic will be redirected per Redirect ACL.
    Is there a way to overcome this problem? Including update servers in our Redirect ACL deny lines is not an option, since there are too many and they are dynamic.
    Can you help us with this issue? Thanks!
    Best regards,
    Carlos Morais

    Hi,
    No, there is no way of doing automatic remediation in external servers unless you exempt them from redirection in the Posture ACL. They have a NAC-style solution in roadmap, however. I'm sending below the answer provided by TAC:
    "If in a future release we can integrate a redirect ACL based on DNS, we can have a series of short ACLs match vendor domain names, thus allowing us broad coverage of AV updates. Unfortunately this feature is not yet available."
    Best regards,
    Carlos Morais
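
The redirect ACL behaviour discussed in the ISE thread above, as an added example that is not part of the original posts: a first-match evaluator over a constructed ACL shows why an antivirus update on port 80 is redirected, and why a per-server deny line only covers the one server it names. The addresses, the ACL entries and the function names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

ISE = "192.0.2.10"  # constructed placeholder for the ISE node address
ANY = "0.0.0.0/0"

# Constructed redirect ACL modelled on the thread's description.
# "deny" = exempt from redirection, "permit" = redirect to ISE.
# Entry: (action, protocol, destination network, destination port or None)
REDIRECT_ACL = [
    ("deny", "udp", ANY, 53),     # DNS
    ("deny", "udp", ANY, 67),     # DHCP
    ("deny", "icmp", ANY, None),  # ICMP
] + [
    ("deny", proto, ISE + "/32", port)  # posture traffic to ISE
    for port in (8905, 8906, 8443) for proto in ("tcp", "udp")
] + [
    ("permit", "tcp", ANY, 80),   # HTTP  -> redirected
    ("permit", "tcp", ANY, 443),  # HTTPS -> redirected
]


def verdict(acl, proto, dst, port=None):
    """First-match evaluation; returns 'redirect' or 'exempt'."""
    for action, a_proto, a_net, a_port in acl:
        if a_proto != proto:
            continue
        if ip_address(dst) not in ip_network(a_net):
            continue
        if a_port is not None and a_port != port:
            continue
        return "redirect" if action == "permit" else "exempt"
    return "exempt"  # implicit deny at the end: not redirected


def with_exemption(acl, server):
    """Copy of the ACL with a deny line for one update server,
    placed ahead of the permit lines."""
    first_permit = next(i for i, e in enumerate(acl) if e[0] == "permit")
    line = ("deny", "tcp", server + "/32", 80)
    return acl[:first_permit] + [line] + acl[first_permit:]


if __name__ == "__main__":
    av_a, av_b = "198.51.100.25", "203.0.113.7"  # constructed update servers
    print(verdict(REDIRECT_ACL, "tcp", ISE, 8443))  # exempt
    print(verdict(REDIRECT_ACL, "tcp", av_a, 80))   # redirect
    patched = with_exemption(REDIRECT_ACL, av_a)
    print(verdict(patched, "tcp", av_a, 80))        # exempt
    print(verdict(patched, "tcp", av_b, 80))        # redirect
```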

  • Is ACS required in NAC appliance.

    Hi,
    One of our clients has decided to implement NAC. They need to know what the various options are, especially the NAC appliance (3310 etc). I read that the appliance is a device like a server which has hard disks, CD-ROMs etc. But the documents don't say much about the configuration of the server, whether ACS is required to be installed on the server etc. Can we do port-based 802.1x with the help of this device (like dynamically assigning a host to a particular VLAN if the OS/antivirus is not updated)?
    Thx in advance.
    Sonu

    NAC appliance will work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC appliance.... You can use ACS/RADIUS/LDAP/etc. to authenticate the users.
    The Appliance will work with Patch Management (after authentication) to ensure that the right applications and patch levels are met. We work with Altiris/BigFix/Patch Link/SMS and more.
    The great thing about NAC Appliance is that it works for all four major use cases:
    1. VPN users
    2. WIFI users
    3. LAN/wired users
    4. Guest/visitors
    We can
    1. authenticate
    2. Posture assess (scan)
    3. Quarantine/
    4. Remediate
    You don't want users to have to learn three different ways to connect to the network.
    802.1x is working for WIFI today and for LAN connections we use one user per port so they get the whole pipe. In the future we will support subdivision of an Access Switch port for multiple devices and users.
    I hope this helps.
