NAC Appliance & Cisco Trust Agent

Hi,
I have a requirement to implement NAC using the NAC Appliance (Cisco Clean Access). Does anyone know if this will work correctly with CTA in the same way that the NAC framework would? I am interested as I wish to use the Cisco Secure Services Client as an 802.1x supplicant and this interfaces directly with the CTA.

Cisco is also introducing improved abilities to assess the security risk of unmanaged or agentless endpoints/devices, that do not support the CTA and are attempting to gain network access. This is accomplished through collaboration with a new auditing category of NAC partner program vendors. Vendors joining this new category include Altiris, Qualys, and Symantec (through the WholeSecurity acquisition). Collaboration with these vendor solutions helps the NAC framework dramatically improve its ability to assess the risk of agentless devices such as guest laptops, printers, PDAs, and Internet Protocol telephones. These devices can now be audited by this new category of partners. The audit results will then be communicated back to the network to enforce the proper network admission decision.
http://newsroom.cisco.com/dlls/2005/prod_101805.html

Similar Messages

  • Cisco ACS / Trend Micro Office / Cisco Trust Agent

    We currently utilize Cisco ACS Server and Trend Micro OfficeScan and would like to deploy Cisco Trust Agent 2.0 on a few laptops. Has anyone been involved with such a deployment? If so, any suggestions or documentation?
    Thanks,

    CTR uses the admin shares to connect to a windows server.
    Depending on how you configured it: It will try a nmap fingerprint scan, use static OS mappings or perform a level 2 scan by using the admin shares.
    If you are using it through firewalls, the fingerprinting does not work properly.
    You will also notice that since version 2.0.3 there hasn't been any new agents developed for it. Also 2.0.5 started to upgrade all port scans etc whereas before it didn't.
    I would look to speaking to your cisco account team about the next version of Cisco IPS instead.

  • Cisco Trust Agent - Any way to force the client to always be enabled?

    We have begun to roll out dot1x configuration on our fleet of switches to support a basic authentication and posture check for our NAC Framework deployment. Previous to this, we spent a couple of months deploying the Trust Agent. In the time between deploying the client, and turning dot1x on the switch ports, some users have un-checked the "Enable Client" option available to them in the system tray icon, and the Wired Client. Obviously when dot1x is applied to the port, the supplicant forwards the authentication request to the client, and waits forever for a response, leaving users trying to login waiting for 20 - 30 mins for the login process to complete. My question is thus, is there any way (registry setting, config file setting) to force the client to always be enabled?
    Thanks,
    Michael

    Z-index Guide:
    http://www.smashingmagazine.com/2009/09/15/the-z-index-css-property-a-comprehensive-look/
    Nancy O.

  • NAC Appliance - Cisco Clean Access v4.7.0

    Hi,
    I have a NAC appliance (Lite Manager and Server), version 4.7.0. Do these devices support Windows 7? The last time I checked, it only supported Win XP, 2k, Me, NT, 95, 98 and Vista, but I did not see the Windows 7 OS. I want to upgrade the client workstations from Windows XP to Windows 7, but I'm not sure if it's going to be supported by the NAC Appliance I have. Could somebody help me with this? Thanks in advance.
    Richard

  • Nac appliance - clean access agent report

    Hi,
    I have been searching a lot, and I can't find any good explanation of how the Clean Access Agent report works. I have found that not all agent activity is reported. Sometimes it showed reports about the "passed" and "failed" agents, but not at other times. Would someone explain when the agent will show reports and when it will not? Or is it showing bugs?
    Thanks in advance.

    Hi,
    Does anybody experience this? Or is everything going fine on your NAC? I am using NAC 4.1.3.1.
    Thanks.

  • NAC appliance(security policy/update-files)

    Does anyone know anything about the following issues?
    Please tell me what I can refer to on the web, if possible.
    1. Is there any way to apply the policy (checking OS/AV) to client devices on which CAA has not been installed, such as a guest user's?
    2. Is it possible for the NAC appliance to do only "port-scanning" of clients (not checking OS/AV)?
    3. If the user's company already has its own "Anti-Virus Server" or "Windows-update Server", can CAM refer to those servers (not Cisco's policy-update-server) to get current update files?
    4. How long does it take for the update files to become available via Cisco's policy-update-server after each OS/AV vendor has released them?
    Regards

    No, we should install the Cisco Trust Agent software in order to collect information about the OS versions, AV versions etc. for the policy server. And based on the security policy of the organisation, we can communicate with the AV vendors' servers, like Symantec and McAfee, directly for the latest patches and updates.

  • CCA Agent debug - AD SSO NAC Appliance

    Hi,
    I'm investigating a HARD AD SSO issue on the NAC appliance, and checking the doc suggested by Prem (Troubleshooting Windows SSO), I don't understand how I can obtain the output on page 14 (title: Debug Logs from Agent).
    I've activated the event.log (adding registry key...) as suggested, but in that file I can see only a lot of hexadecimal data... not easy to understand...
    Can somebody help me?
    Thanks, regards

    I think most of the hexadecimal characters are MAC addresses. In the following document go to chapter "error and event log messages" for understanding the messages
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca41/cam41ug.pdf

  • Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

    Hi,
    I am re-imaging the Cisco NAC Appliance 3315 and installing Cisco ISE 1.1.4...
    After finishing the installation, when I type "SETUP", it gives me the error below:
    # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
    # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
    Please advise...
    I tried to change the time/date as per UTC/GMT accordingly, but I didn't find the RAID in the CLI. See the link below:
    (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
    Any idea?
    Regards,
    Mubasher Sultan

    Where did you get the recovery media? Did you download from cisco.com?
    Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
    Supporting link:
    http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco NAC Appliance

    Hi
    I wanted to know if someone can give me some help on a Cisco NAC appliance. Honestly, I've heard of them but I've never installed or worked on one before, and I have a client who wants to have one installed. So I wanted to know, can someone here point me in the right direction as far as installation and configuration? Thanks for the help in advance and have a great evening.

    Hi
    Everything you need to get started:
    http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • Cisco Wireless NAC Appliance - Design Practices ??

    Hi,
    I have a new Cisco Wireless NAC appliance, the purpose of which is to manage guest users' access to the network. I have been searching for some best practices related to the design of this appliance but haven't found any.
    Can anybody help by sharing their design experience or any document that would guide the decision on the design / placement of this NAC device in the network?
    Thank You.

    Hi,
    there is nothing such as "Wireless Nac appliance".
    The question is "do you have the NAC Guest Server" or the "Nac appliance Server and Nac appliance Manager (CAS/CAM)" ?
    Because those are just not the same at all.
    Then on the wireless side, do you have autonomous APs or a WLC ?
    Sorry to ask, but there's just so many possibilities you could be asking that we need to clarify.
    My bet is that you are either looking for this :
    http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    or for this :
    http://www.cisco.com/en/US/partner/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html#wp1092277
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • What is a Cisco NAC appliance used for?

    We have a 5508 WLC in use already and have this 3310 lying around unused.  I am trying figure out if adding a 3310 would be of any benefit.
    From the documentation, the features of a 3310 NAC are,
    Recognize users, their devices, and their roles in the network
    Evaluate whether machines are compliant with security policies
    Enforce security policies by blocking, isolating, and repairing noncompliant machines
    Provide easy and secure guest access
    Simplify non-authenticating device access
    Audit and report whom is on the network
    What does enforce security polices by blocking, isolating, repairing really mean?
    "Provide easy and secure guest access"  I already have a public wireless ssid set on the wlc.
    I can recognize users in reports like Solarwinds.  I can see the username, IP, MAC, AP location.
    I can get an report from my logging traps collector, Solarwinds.

    Well usually when I have deployed them back in the days, you had a NAC Appliance and another NAC Manager. But what you have read, that is exactly what it does.
    What does enforce security polices by blocking, isolating, repairing really mean?
    It will block and isolate the device if it doesn't meet the requirements that you have set, but the user has to manually repair the items.
    "Provide easy and secure guest access" I already have a public wireless ssid set on the wlc.
    I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
    I can get an report from my logging t
    You will not see any username or ap locations. I wouldn't use it as it might be more of a headache to implement unless you know what you are doing.
    Sent from Cisco Technical Support iPhone App

  • Cisco NAC Appliance SSO AD by OU (Organization Unit) is possible?

    Hello, I have a question. Is it possible to implement NAC Appliance SSO AD VG/Real IP - L2/L3 per OU (Organization Unit)? For example, if I have OU sales and OU market in the Windows domain X, is it possible to restrict the policy and assign different networks (10.1.1.0/24 for OU sales and 10.1.2.0/24 for OU market)?
    Regards
    Alvaro

    Yes, that is possible. First you will create a user role for each of the two separate OUs, then you assign a user role VLAN to each role. Then you will have to create an LDAP lookup server. You will then create an attribute condition which will map users that are a memberOf xxx to user role yyy.
    This is for out-of-band scenarios, because the clients at first will get the same authentication IP address, but after the port is switched over, the IP address they get will be based on the VLANs they land on.
    let me know if you need anything else.
    Tarik

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, a NAC appliance integrated with Active Directory single sign-on.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user will be authenticated using their domain account login; if successful, the user will be mapped to the VLAN assigned to them.
    The SSO agent installed on Active Directory is running well, and on the CAS the SSO service is also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch, gets the dummy VLAN and will authenticate using the domain account on AD. If that succeeds, the port will be bounced; the user is running a Cisco agent in the background
    3. Now user A has their own VLAN ID 15
    I've created the authentication server on CAM for Active Directory, but I find it very difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP server,
    where the expression is
    memberOf contains CN=Finance, and apply it to role employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now, you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.
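
An added example, not part of either reply or of Cisco's tooling: an offline check of `memberOf contains CN=...` mapping rules (the rule style described in this thread and in the OU thread above) against memberOf values copied from a test-auth result. It assumes "contains" is a case-insensitive substring test, which is an assumption about the appliance; all DNs, the fallback role name and the helper names are constructed. It lists users whom a substring match would place in a role that an exact group-CN match would not.

```python
# Added example. Every DN and role name below is a constructed sample.
# ASSUMPTION: "contains" is a case-insensitive substring test on memberOf.

RULES = [("CN=Finance", "employee")]   # expression quoted in the thread
DEFAULT_ROLE = "unauthenticated"       # hypothetical fallback role name

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def group_cn(dn):
    """Return the lower-cased CN of the group itself (first RDN), or None."""
    attr, _, value = split_dn(dn)[0].partition("=")
    return value.strip().lower() if attr.strip().lower() == "cn" else None

def role_by_contains(member_of, rules=RULES):
    """Substring semantics: any memberOf value containing the rule text."""
    for needle, role in rules:
        if any(needle.lower() in dn.lower() for dn in member_of):
            return role
    return DEFAULT_ROLE

def role_by_exact_cn(member_of, rules=RULES):
    """Stricter semantics: the group's own CN must equal the rule's CN."""
    cns = {group_cn(dn) for dn in member_of}
    for needle, role in rules:
        if needle.partition("=")[2].lower() in cns:
            return role
    return DEFAULT_ROLE

def over_matched(users):
    """Users who get a role under 'contains' that an exact CN match denies."""
    return sorted(u for u, g in users.items()
                  if role_by_contains(g) != role_by_exact_cn(g))

USERS = {  # constructed memberOf results, as a test-auth lookup might return
    "alice": ["CN=Finance,OU=Groups,DC=example,DC=com"],
    "bob": ["CN=Finance-Contractors,OU=Groups,DC=example,DC=com"],
    "carol": ["CN=Sales,OU=Finance,DC=example,DC=com"],
    "dave": ["CN=Printers,CN=Finance,DC=example,DC=com"],
}
```

With the sample data, `over_matched(USERS)` returns `bob` and `dave`; writing the expression with the trailing comma (`CN=Finance,`) or the full group DN narrows a substring rule to the intended group.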

  • NAC Appliance remediation

    We are currently testing the NAC appliance before we roll it into production in an environment that does not have a software distribution system. I was just wondering about the various methods people use to have end users self-remediate their machines when using a file or link requirement with the CAS.
    The main requirement is that the CSA agent must be installed on the end users machine. The user can successfully download the CSA agent exe from the CAS. However, the installation requires admin rights, but because our users do not have this the installation fails and the user can not become compliant.
    Any suggestions on best practices or methodologies used in a production environment would be greatly appreciated.

    Following links may help you
    http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_bulletin0900aecd805baf90.html
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_agent.html
