NAC Appliance Configuration Question

Similar Messages

• NAC Appliance design question

  I have a customer with a central site and two branch office. Routing is configured on the WAN to connect all three locations. All servers and internet access are on the central site.
  Customer wants to install NAC appliance. Do I need a NAC apliance at each location? Or do I just install it at the central location and use that NAC appliance for access control to the two remote sites as well.
  Also how does NAC appliance apply access control to users coming into the network via Citrix or Cisco VPN Clients?
  Thanks

  NAC Appliance (CAM & CAS = Clean Access Manager/Server) can be used in a Layer 3 Out Of Band design. This will provide you with centralized control.
  It works by placing all unauthenticated switch ports into a unathentication VLAN. When a switch port goes up/up, the NAC CAS follows a set of rules you have established on the CAM to make decisions about the computer and user. It then will place that switch port into a VLAN 'dynamically' as dictated by the rules. Your switches must support these features (IOS level) and only Cisco products work with the CAM/CAS (well some others might, but it's a short list). When the port goes down/down the CAS senses this and returns the port to the unauthenticated VLAN.
  For instance, if a user is a vendor, only requiring Internet access, you will have a VLAN for this purpose on all your switches and routed/trunked to your Internet Point of Presence. The CAS will see the switch port he/she jacks into come up/up. It will query the user and the computer and based upon the rules in the CAM, dynamically assign the wire port to the VLAN from the go-no-where unauthenticated VLAN.
  If it were a company user, you could set it to check Anti-virus, levels of service packs, etc. before they were allowed on the network. It could also be set up to allow the person access to only the 'Finance' VLAN (for example) based upon their role in the company. It can do this remotely.
  If you were to remediate VPN users, you could not do this in a dynamic, Out of Band fashion. You would need a second CAS (but not CAM) to operate In Band. This would then allow users in one Interface, traverse the CAS on out another interface on the appropriate VLAN. This is because it's impossible to apply multiple rules to a single port shared by multiple users. You would need a means to make decision on what VLAN the users accesses at the concentrator and move them off dynamically at the virtual interface. It's not supported.
  Remember, NAC is performed at the switch port level. Citrix users would be regarded as local users. You could perform certain rule checking to allow them only onto your Citrix VLAN.
  There is a Cisco Chalk Talk series on the NAC, use the URL below. It will teach you as much as you can absorb on the NAC appliances, how to use them and recommend their purchase to your clients.
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

• Cisco NAC Appliance

  Hi
  I wanted to know if someone can give me some help on a Cisco NAC appliance.
  Honestly i've heard of them but i've never installed or worked on one before and i
  have a client who wants to have one installed.So i wanted to know can some here
  point me in the right direction as far as installation and configuration. Thanks for
  the help in advance and have a great evening.

  Hi
  Everything you need to get started:
  http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• NAC Appliance for Wirelles In-Band Virtual Gateway

  Hi, People.
  Does anybody know as configuring NAC Appliance for Wirelles In-Band Virtual Gateway.
  Tks.

  Hi Wemerson,
  Basic Wireless or Wired InBand is basically the same thing regarding the NAC configuration.
  Please follow the chalk-talks available online: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
  Notes:
  - In Inband all traffic MUST flow through the CAS, which means that al the traffic on the VLAN of the wireless client MUST flow through the CAS. This can be done via L2 mechanisms (VLAN restrictions) or L3 (routing).
  - For the CAS, it is transparent if the client traffic comes from a wireless client or wired client.
  - If you want to use wireless sso, you can configure the WLC the same way as a VPN concentrator. the Wlc will then send RADIUS Accounting information to the CAS and the CAS can allow clients to access resouces if they have already been authenticated by the WLC.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• NAC ILO Configuration

  We'd like to configure out NAC Manager and Server to use ILO for configuration so we can separate the management from the operations piece.  Is there any documentation on how to do this?...I've looked through the NAC documentation we have on hand and it isn't really of any help.  Thanks.
  William

  Hi William,
  iLO is supported by the HW vendor, which for NAC appliance servers is HP.
  http://www.cisco.com/en/US/docs/security/nac/appliance/installation_guide/hardware/47/hi_intro.html#wp67549
  See foot notes #2 and #3 of Table 1-2:
  NAC-3310 supports iLO (Lights Out 100i Remote Management). The default iLO "Administrator" account has default username/password: admin/admin. Defaults can be changed through the BIOS setup.
  NAC-3350 and NAC-3390 support iLO2 (Integrated Lights Out, version 2). See panel tags for admin account details.
  These are redirecting to the HP's guides for Lights Out 100i Remote Management
  http://h18000.www1.hp.com/products/quickspecs/12087_na/12087_na.HTML
  and Integrated Lights Out, version 2
  http://h18013.www1.hp.com/products/servers/management/iloadv2/index.html?jumpid=reg_R1002_USEN
  Customers can choose to leverage these features to provide additional hardware monitoring and diagnostic capability, but are not directly supported by Cisco.
  In other words, Cisco does not provide support on the configuration or use of these features, but we do not deny support for NAC Appliance features and functions if customers elect to use these capabilities for hardware monitoring and diagnostic.
  Hope this helps,
  Fede
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• NAC OOB Configuration

  Hi!
  I'm implementing an NAC oob solution. tTe CAS and CAM are in the Data-center on an remote network, and i need to control the vlan's that my users access on my remote sites.
  How do i make them authenticate on the remote CAS? (the Cas is on an remote network)
  TKX
  Miguel

  Hi,
  Well, it looks like you are starting now, so I would advise to get in touch with the OOB concept and guidelines:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
  You have L2/L3 mode.
  You have OOB/InB mode.
  You have Real-Ip/Virtual gateway mode.
  You have 2 main VLANs for the clients: authentication (untrusted) and access (trusted) vlans.
  The goal is to make the client fall into the auth vlan prior to login, and the traffic flow through the CAS so that the CAS can permit/deny the client from passing traffic.
  You have also, nice chalk-talks where you can see VODs explaining the steps for configuring several features/deployments:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Integrate NAC Appliance with Active Directory

  We try to implement on our customer, NAC appliance integrating with Active Directory Single sign on.
  The NAC configured with L2 OOB. User first connect to switch and got the authentice Vlan, then the user will be authenticate using their domain account login, if success the user will be mapping to the Vlan assign to them.
  The agent SSO installed on Active Directory is running well, and at the CAS also the service SSO started.
  Let say i've this situation:
  1. User A has been assign to Vlan 15 Employee
  2. User A plug to switch and got dummy vlan and will authenticate using Domain account on AD, If succeded than, the port will be bounce, the user running an cisco agent on background
  3. Now user A has their on Vlan ID 15
  I've created the Authentication server on CAM for the Active Directory, but i've find it's so difficult to config mapping rules between user roles to Active directory. The guidance pdf how to implement NAC i've downloaded from cisco, not mention it how to mapping user roles to Active Directory...
  Has any one has been configured mapping rules user roles to Active directory?

  So you would create a mapping rule against your lookup server like so.
  Say the AD group membership is "Finance"
  for ADSSO you would apply the mapping rule to your LOOKUP Server
  where the expression is
  memberOf contains CN=Finance and apply it to role employee if VLAN 15 is your employee vlan then you would designate vlan 15 in your Employee role under user role configuration
  Now you cant test this with ADSSO with the test auth function so what I like to do is create an AD authentication server and test against that as long as you have some form of mapping configured the auth results will return all memberships for the userename you login with so you can get the syntax exactly right.

• Is ACS required in NAC appliance.

  Hi,
  One of our clients have decided to implement NAC. They need to know what the various options are especially the NAC appliance (3310 etc). I read that the appliance is a device like a server which has hard disks, cd roms etc. But the documents dont say much about the configuration of the server , whether ACS is required to be installed on the server etc? Can we do port based 802.1x with the help of this device (like dynamically assigning a host to a particular vlan is OS/anti virus is not update?
  Thx in advance.
  Sonu

  NAC appliance willl work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC appliance.... You can use ACS/RADIUS/LDAP/etc.. to authenitcate the users.
  THe Appliance will work with Patch Management (after authentication) to insure that tthe right apoplications and patch levels are met. We work with Altiris/BigFIX/Patch Link/SMS and more.
  The great thing about NAC Appliace is that it works for all four major use cases:
  1. VPN users
  2. WIFI users
  3. LAN/wired users
  4. GUest/vistors
  We can
  1. authenticate
  2. Posture assess (scan)
  3. Quarantine/
  4. Remediate
  You don't want users to have to learn three different ways to connect to the netowrk.
  802.1x is working for WIFI today and for LAN conections we use one user per port so they get the whole pipe. In the future we will support subdivision of a Access Switch port for multiple devices and users.
  I hope this helps.

• L2 or l3 switch with NAC appliance

  Hi,
  I am planning for deploying NAC appliance in OOBVG mode. For the access layer, L2 switches are selected (2960). If I change the L2 access switches with L3 (3560 or 3750) would this add more manageability to the access layer by NAC?
  Regards,
  Mladen

  Thanks.
  The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
  "In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
  So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is client satisfactory.
  If the NAC is in OOBVG mode, are there any NAC features, which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
  Regards,
  Mladen

• Does Cisco NAC Appliance deployment require CS-ACS?

  I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
  If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
  I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
  Anybody have any ideas on that?
  Thanks!

  Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
  Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
  Though by all means deploy NAC, even if you are simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
  Hope this helps.

• Cisco Wireless NAC Appliance - Design Practices ??

  Hi,
  I have a new Cisco WIreless NAC appliance, the purpose of which is to manage the Guest users access to network. I have been searching for some best practices related to the design of this appliance but havent found one.
  Can anybody help me in sharing his design experience or any docuement which would be guiding in deciding over the design / placement of this NAC device in network.
  Thank You.

  Hi,
  there is nothing such as "Wireless Nac appliance".
  The question is "do you have the NAC Guest Server" or the "Nac appliance Server and Nac appliance Manager (CAS/CAM)" ?
  Because those are just not the same at all.
  Then on the wireless side, do you have autonomous APs or a WLC ?
  Sorry to ask, but there's just so many possibilities you could be asking that we need to clarify.
  My bet is that you are either looking for this :
  http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a0080a138cc.shtml
  or for this :
  http://www.cisco.com/en/US/partner/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html#wp1092277
  Nicolas
  ===
  Don't forget to rate answers that you find useful

• NAC Appliance and LDAP Lookup

  Hello,
  I have two CAM in HA and two CAS in HA.
  I configure the LDAP Lookup for create rule to role allocation.
  In this configuration are only one windows server to make find the user properties.
  There are one problem when this Windows servers is down. There are any configuration to mitigation when the server is not there.
  Thank you all.

  The LDAP lookup server configs state it uses the LDAP Authentication Provider. The LDAP Authentication Provider says you can have multiple entries in the single field
  LDAP
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_auth.html#wp1158614
  You can add redundancy for LDAP Authentication servers by entering multiple LDAP URLs in the Server URL field separated by a space, for example:
  ldap://ldap1.abc.com ldap://ldap2.abc.com ldap://ldap3.abc.com

• Cisco NAC Appliance SSO AD by OU (Organization Unit) is posible?

  Hello, I have a question. it is posible implement NAC Appliance SSO AD VG/Real IP - L2/L3 for OU (Organization Unit), for example; if i have OU sales and OU market in the windows domain X. it is posible restrict the police and assign diferent network (10.1.1.0/24 for OU sales and 10.1.2.0/24 for OU market).
  Regards
  Alvaro

  Yes that is possible, first you will create a user role for the two seperate OU, then you assign a user role vlan to each role. then you will have to create a ldap lookup server. You will then create a attribute condition which will map users that are a memberOf xxx to user role yyy.
  this is for out of band scearios because the clients at first will get the same authenticaiton ip address but after the port is switched over then the ip address they get after will be based off the vlans they land on.
  let me know if you need anything else.
  Tarik

• NAC Appliance IPv6 Compatibility

  I read in the book "Cisco NAC Appliance: Enforcing Host Security with Clean Access" (published 2008) that the Real IP Gateway mode is only IPv4 compatible but that IPv6 compatibility will be provided in a future software update.
  Having searched around, I can't find any reference to the NAC Appliance being IPv6 compatible. Does anyone know what modes (if any) are IPv6 compatible?

  Hi,
  Even though IPv6 has been on the road map, currently it is not supported and there is no ETA for IPv6 support by NAC devices.
  HTH,
  Tiago
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• NAC Appliance reporting to MARS

  Can MARS be configured to received reports from NAC Appliance CAM/CAS? There isn't an option for for NAC under MARS devices.
  Thanks,
  -KK

  NAC Framework is not NAC Appliance and does not work the same way. Framework is based on 802.1x. CAM/CAS is based on either being inline or via SNMP Control of switches with no ACS involvment at present.
  NAC Appliance (CAM/CAS) is not currently supported under MARs as far as I know.
  You can syslog basic info out of the Appliance but it will tell you things like if the update succeede or failed for the CAS and various other information.
  Hopefully soon it will send out posture assessment messages into MARs or other SIM/SEM type products.
  What info do you want to get out of it.