NAC Appliance and Novell

Does anybody know whether or not the Cisco NAC Appliance (CCA) will work with Novell authentication in any fashion?

We're starting a pilot now. We have to use MAC address authentication because there is no Novell support.

Similar Messages

  • NAC Appliance and LDAP Lookup

    Hello,
    I have two CAMs in HA and two CASs in HA.
    I configured the LDAP Lookup to create rules for role allocation.
    In this configuration there is only one Windows server to look up the user properties.
    There is a problem when this Windows server is down. Is there any configuration to mitigate this when the server is not there?
    Thank you all.

    The LDAP lookup server configs state it uses the LDAP Authentication Provider. The LDAP Authentication Provider says you can have multiple entries in the single field
    LDAP
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_auth.html#wp1158614
    You can add redundancy for LDAP Authentication servers by entering multiple LDAP URLs in the Server URL field separated by a space, for example:
    ldap://ldap1.abc.com ldap://ldap2.abc.com ldap://ldap3.abc.com
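The space-separated Server URL field described above gives the CAM a list of LDAP servers to fall back through. As an added example that is not part of the thread or of Cisco's code, here is the same failover logic in Python: it parses the field into (scheme, host, port) triples, refuses anything that is not an ldap:// or ldaps:// URL, and tries each server in order until one answers. The `connect` callable is an assumption standing in for the real LDAP bind.

```python
"""Added example (not from the thread or from Cisco): parse the
space-separated LDAP Server URL field and try each server in order."""
from urllib.parse import urlsplit

# Default ports for the two schemes the field is allowed to carry.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_server_urls(field):
    """Split 'ldap://a ldap://b' into (scheme, host, port) triples.

    Anything that is not an ldap:// or ldaps:// URL is rejected, so a
    typo in the field cannot silently send a bind to an unexpected host.
    """
    servers = []
    for url in field.split():
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"not an LDAP URL: {url!r}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        servers.append((parts.scheme, parts.hostname, port))
    return servers


def lookup_with_failover(field, connect):
    """Try each configured server in order; return (server, result) of
    the first one that succeeds.

    `connect(scheme, host, port)` is an assumed callable that returns a
    lookup result or raises OSError when the server is unreachable.
    """
    errors = []
    for server in parse_server_urls(field):
        try:
            return server, connect(*server)
        except OSError as exc:
            errors.append((server, str(exc)))
    raise ConnectionError(f"all LDAP servers failed: {errors}")
```

With the first server unreachable the lookup lands on the second one, which is the behaviour the multi-URL field is meant to give; if every server is down the lookup fails rather than returning a stale or empty role mapping.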

  • NAC Appliance and BigFix Automatic remediation

    Hi,
    I want to integrate NAC Appliance with BigFix for automatic remediation of Windows clients. Please provide me the document for the same if anyone has done it in their organization.
    Regards,
    Amit

  • NAC appliance and IP Magic

    I have a Lightspeed device that I want to have access the Internet but I cannot find a way to exempt it from the NAC. The Lightspeed's ports are bridging my traffic just fine but I cannot open Internet Explorer to get out on the Internet without triggering the routine to install the Clean Access Agent...which I don't want to do.
    I've tried adding the MAC addresses of all ports on the Lightspeed to the Exempt list on the NAC but that has not worked. I presume the issue has something to do with the interfaces on the Lightspeed using IP Magic and not TCP/IP.
    Any thoughts on a workaround?

    There is an option to exempt MAC addresses on the NAC. Clean Access requirements are enforced to exempt devices from the network. Refer to the following URL for more information:
    http://www.cisco.com/application/pdf/en/us/guest/products/ps7120/c1626/ccmigration_09186a00805ec158.pdf

  • NAC Framework and NAC Appliance in a WAN scenario

    What would the scenario be for NAC Appliance and NAC Framework in a WAN topology? For example, I have my core and remote offices and I want to implement NAC for all remote sites and the central site.
    Which would be the solution?
    Best Regards

    Hello Daladen,
    Which is the solution for a WAN topology in NAC Appliance?
    One NAS per site, and the NAM in the central site?
    Thanks
    Álvaro

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just an MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to whether any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • CCA Agent debug - AD SSO NAC Appliance

    Hi,
    I'm investigating a hard AD SSO issue on NAC Appliance and, checking the doc suggested by Prem (Troubleshooting Windows SSO), I don't understand how I can obtain the output on page 14 (title: Debug Logs from Agent).
    I've activated the event.log (adding the registry key...) as suggested, but in that file I can see only a lot of hexadecimal data... not easy to understand...
    Can somebody help me?
    Thanks, regards

    I think most of the hexadecimal characters are MAC addresses. In the following document, go to the chapter "Error and Event Log Messages" to understand the messages:
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca41/cam41ug.pdf

  • NAC Appliance reporting to MARS

    Can MARS be configured to receive reports from the NAC Appliance CAM/CAS? There isn't an option for NAC under MARS devices.
    Thanks,
    -KK

    NAC Framework is not NAC Appliance and does not work the same way. Framework is based on 802.1x. CAM/CAS is based on either being inline or on SNMP control of switches, with no ACS involvement at present.
    NAC Appliance (CAM/CAS) is not currently supported under MARS as far as I know.
    You can syslog basic info out of the Appliance, but it will tell you things like whether the update succeeded or failed for the CAS and various other information.
    Hopefully soon it will send posture assessment messages into MARS or other SIM/SEM type products.
    What info do you want to get out of it?

  • What is a Cisco NAC appliance used for?

    We have a 5508 WLC in use already and have this 3310 lying around unused. I am trying to figure out if adding a 3310 would be of any benefit.
    From the documentation, the features of a 3310 NAC are:
    Recognize users, their devices, and their roles in the network
    Evaluate whether machines are compliant with security policies
    Enforce security policies by blocking, isolating, and repairing noncompliant machines
    Provide easy and secure guest access
    Simplify non-authenticating device access
    Audit and report whom is on the network
    What does "enforce security policies by blocking, isolating, repairing" really mean?
    "Provide easy and secure guest access"  I already have a public wireless ssid set on the wlc.
    I can recognize users in reports like Solarwinds.  I can see the username, IP, MAC, AP location.
    I can get a report from my logging traps collector, Solarwinds.

    Well, usually when I have deployed them back in the day, you had a NAC Appliance and another NAC Manager. But what you have read is exactly what it does.
    What does "enforce security policies by blocking, isolating, repairing" really mean?
    It will block and isolate the device if it doesn't meet the requirements that you have set, but the user has to manually repair the items.
    "Provide easy and secure guest access" I already have a public wireless ssid set on the wlc.
    I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
    I can get an report from my logging t
    You will not see any username or AP locations. I wouldn't use it, as it might be more of a headache to implement unless you know what you are doing.

  • CiscoWorks DFM and NAC appliance

    Can NAC appliances be monitored by CiscoWorks DFM ?

    Here's the supported device list for DFM:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_device_fault_manager/2.0_IDU_2.0.6/device_support/table/dfm2_0_6.html
    If it's not on here then it's not supported. Looks like NAC appliances aren't supported.

  • Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

    Hi,
    I am re-imaging the Cisco NAC Appliance 3315 and installing Cisco ISE 1.1.4...
    After finishing the installation, when I type "SETUP" it gives me the error below:
    # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
    # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
    Please advise....
    I tried to change the time/date as per UTC/GMT accordingly... But I didn't find the RAID in the CLI... see the link below
    (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
    Any idea...
    Regards,
    Mubasher Sultan

    Where did you get the recovery media? Did you download from cisco.com?
    Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
    Supporting link:
    http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ISE NAC agent and Microsoft roaming profiles

    Hi there,
    I have installed Identity Services Engine version 1.1.3 in distributed mode. The NAC agent is installed on the end-user PC joined to the domain. When a user with a roaming profile logs into the PC, the NAC agent fails to run posture assessment, but if a user with a non-roaming profile logs in, the NAC agent does posture and full network access is granted.
    Is there something I need to do to enable the NAC agent to perform posture for users with a roaming profile?
    Regards,
    Henry

    Hello,
    I found the following in the Cisco doc. Hope it helps!
    The following failure scenarios might cause the Cisco NAC Agent to appear following successful user authentication when the client machine roams between CASs in Layer 3 (both In-Band and Out-of-Band) and Layer 2/Layer 3 Out-of-Band environments. Erroneous Agent login dialogs could also appear if users roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC network:
    – ARP poisoning
    – Temporary loss of network connection between the client machine and the CAS
    – Access to the untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
    Cisco offers the following recommendations to prevent this situation:
    – Ensure all trusted networks (post-authentication) can reach the CAS untrusted interface IP address through the CAS trusted interface only
    – Block discovery packets from all non-NAC networks to the CAS untrusted interface IP address (discovery packets that arrive on the trusted interface of the CAS are blocked by default)
    For more information please refer to the following link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, NAC Appliance integrated with Active Directory single sign-on.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user is authenticated using their domain account login; if successful, the user is mapped to the VLAN assigned to them.
    The SSO agent installed on Active Directory is running well, and on the CAS the SSO service is also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch, gets the dummy VLAN and authenticates using their domain account on AD. If that succeeds, the port is bounced, and the user is running a Cisco agent in the background
    3. Now user A is on their own VLAN ID 15
    I've created the authentication server on the CAM for Active Directory, but I find it very difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For AD SSO you would apply the mapping rule to your LOOKUP server, where the expression is
    memberOf contains CN=Finance
    and apply it to the role Employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now you can't test this with AD SSO using the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.
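The mapping rule in the reply above (`memberOf contains CN=Finance`, applied to the Employee role, which carries VLAN 15) is easy to state and easy to get subtly wrong: a substring match on the DN also matches a group such as `CN=FinanceContractors`. As an added example that is not part of the thread or of the CAM, the Python below evaluates rules of that shape against the attributes a lookup returns and shows the substring form beside a DN-component match that avoids the over-match. The rule tuple syntax, the second group name, the Guest role and the VLAN numbers are assumptions for the example.

```python
"""Added example (not from the thread or from Cisco): evaluate a
role-mapping rule such as 'memberOf contains CN=Finance' against the
attributes returned by an LDAP lookup and resolve the role to a VLAN."""

# Assumed role -> VLAN table; VLAN 15 for Employee follows the thread,
# the Guest role and VLAN 99 are invented for the example.
ROLE_VLANS = {"Employee": 15, "Guest": 99}


def rdn_values(dn, rdn_type="CN"):
    """Return the values of every <rdn_type>=value component of a DN.

    Attribute types compare case-insensitively ('cn=' and 'CN=' are the
    same). Assumes no escaped commas inside a component, which is fine
    for the group DNs an AD lookup returns for typical group names.
    """
    values = []
    for component in dn.split(","):
        typ, _, val = component.strip().partition("=")
        if typ.strip().upper() == rdn_type.upper():
            values.append(val.strip())
    return values


def rule_matches(attrs, attr, op, value):
    """Check one rule against the multi-valued attribute `attr`.

    op 'contains'   - substring match, the form used in the thread;
                      matches CN=FinanceContractors when asked for
                      CN=Finance.
    op 'rdn_equals' - exact match of one DN component, so the rule only
                      matches the group it names.
    """
    for dn in attrs.get(attr, []):
        if op == "contains" and value in dn:
            return True
        if op == "rdn_equals":
            typ, _, val = value.partition("=")
            if val in rdn_values(dn, typ):
                return True
    return False


def assign_role(attrs, rules):
    """Ordered rules, first match wins; returns (role, vlan) or (None, None).

    Each rule is (attribute, operator, value, role).
    """
    for attr, op, value, role in rules:
        if rule_matches(attrs, attr, op, value):
            return role, ROLE_VLANS.get(role)
    return None, None
```

Keeping a specific rule for the contractor group ahead of the broader one, or using the exact-component form, is what stops a similarly named group from landing in the Employee VLAN.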

  • Is ACS required in NAC appliance.

    Hi,
    One of our clients has decided to implement NAC. They need to know what the various options are, especially the NAC appliance (3310 etc.). I read that the appliance is a device like a server which has hard disks, CD-ROMs etc. But the documents don't say much about the configuration of the server, whether ACS is required to be installed on the server etc. Can we do port-based 802.1x with the help of this device (like dynamically assigning a host to a particular VLAN if the OS/anti-virus is not updated)?
    Thx in advance.
    Sonu

    NAC Appliance will work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC Appliance... you can use ACS/RADIUS/LDAP/etc. to authenticate the users.
    The Appliance will work with patch management (after authentication) to ensure that the right applications and patch levels are met. We work with Altiris/BigFix/PatchLink/SMS and more.
    The great thing about NAC Appliance is that it works for all four major use cases:
    1. VPN users
    2. WiFi users
    3. LAN/wired users
    4. Guests/visitors
    We can
    1. Authenticate
    2. Posture assess (scan)
    3. Quarantine
    4. Remediate
    You don't want users to have to learn three different ways to connect to the network.
    802.1x is working for WiFi today, and for LAN connections we use one user per port so they get the whole pipe. In the future we will support subdivision of an access switch port for multiple devices and users.
    I hope this helps.

  • NAC VPN and ASA

    Hi
    I have a customer who currently is using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecurID tokens for authentication added, which is fine, but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network as in this Cisco document:
    http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a008074d641.shtml
    That looks like it will work fine for VPN access, but what about the outgoing Internet access for the current internal users? Will that still be OK, or do I need to use a separate ASA for VPN access with NAC? Oh yes, will I need an ACS as well, or can the NAC talk directly to the SecurID appliance, either using RADIUS or RSA's own protocol? Sorry if these are dumb questions, but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly and can work out the details later.
    Thanks
    Pat

    You can use a single ASA for internet access and NAC VPN.
    If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server and normal internet traffic will bypass the Cisco NAC Server.
    If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into the internal network). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.
    Cisco NAC VPN SSO uses RADIUS accounting packets to authenticate VPN users. The ASA will interface with the token server. Once authenticated, the ASA will send a RADIUS accounting packet to the Cisco NAC Server.
    VGW Example
    NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    Real IP example
    Integrating with Cisco VPN Concentrators
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAS/s_vpncon.html
    Regards,
    Dan Laden
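The VPN SSO flow in the reply above hinges on one message: after the token server accepts the user, the ASA sends a RADIUS Accounting-Request (Start) to the NAC server, which learns the user name and the assigned VPN address from it. As an added example that is not part of the thread or of Cisco's code, the Python below builds such a packet the way RFC 2866 lays it out and then parses it the way the receiving side should, verifying the Request Authenticator against the shared secret before trusting the user-to-IP mapping. The shared secret, addresses, user name and session ID are constructed sample values.

```python
"""Added example (not from the thread or from Cisco): build and validate
the RADIUS Accounting-Request that carries a VPN user's name and address
from the ASA to the NAC server."""
import hashlib
import hmac
import ipaddress
import struct

# RFC 2866 code and the attribute types the NAC server cares about.
ACCT_REQUEST = 4
USER_NAME, NAS_IP, FRAMED_IP, ACCT_STATUS, ACCT_SESSION_ID = 1, 4, 8, 40, 44
ACCT_START, ACCT_STOP = 1, 2


def _avp(typ, value):
    """One attribute: Type (1 byte), Length incl. header (1 byte), Value."""
    return struct.pack("!BB", typ, 2 + len(value)) + value


def build_accounting_request(secret, ident, user, nas_ip, framed_ip,
                             status, session_id):
    """Assemble Code/Identifier/Length/Authenticator/Attributes.

    The Request Authenticator is MD5 over the packet with 16 zero bytes
    in the authenticator slot, followed by the shared secret (RFC 2866).
    """
    attrs = (_avp(USER_NAME, user.encode())
             + _avp(NAS_IP, ipaddress.IPv4Address(nas_ip).packed)
             + _avp(FRAMED_IP, ipaddress.IPv4Address(framed_ip).packed)
             + _avp(ACCT_STATUS, struct.pack("!I", status))
             + _avp(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def parse_accounting_request(packet, secret):
    """Validate the packet and return the fields the NAC server needs.

    The authenticator is checked before any attribute is used: an
    unauthenticated Start could map the wrong user to an address, and
    an unauthenticated Stop could log a legitimate session out.
    """
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(auth, expected):
        raise ValueError("bad Request Authenticator: wrong secret or forged")
    out = {"id": ident}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        typ, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        val = attrs[pos + 2:pos + alen]
        pos += alen
        if typ == USER_NAME:
            out["user"] = val.decode()
        elif typ == NAS_IP:
            out["nas_ip"] = str(ipaddress.IPv4Address(val))
        elif typ == FRAMED_IP:
            out["framed_ip"] = str(ipaddress.IPv4Address(val))
        elif typ == ACCT_STATUS:
            out["status"] = struct.unpack("!I", val)[0]
        elif typ == ACCT_SESSION_ID:
            out["session_id"] = val.decode()
    return out
```

The shared secret is the only thing binding the accounting message to the ASA, so it deserves the same handling as any other credential: a long random value per NAS, and the NAC server's RADIUS accounting port reachable only from the ASA's interface.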
