NAC Appliance for Wireless In-Band Virtual Gateway

Hi, People.
Does anybody know how to configure NAC Appliance for a Wireless In-Band Virtual Gateway?
Thanks.

Hi Wemerson,
Basic wireless or wired In-Band is essentially the same thing regarding the NAC configuration.
Please follow the chalk-talks available online: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
Notes:
- In In-Band mode all traffic MUST flow through the CAS, which means that all the traffic on the VLAN of the wireless client MUST flow through the CAS. This can be done via L2 mechanisms (VLAN restrictions) or L3 (routing).
- For the CAS, it is transparent whether the client traffic comes from a wireless client or a wired client.
- If you want to use wireless SSO, you can configure the WLC the same way as a VPN concentrator. The WLC will then send RADIUS Accounting information to the CAS, and the CAS can allow clients to access resources if they have already been authenticated by the WLC.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • NAC Problem_In-Band Virtual Gateway deployment

    We deployed an In-Band Virtual Gateway deployment.
    The users connect to the untrusted VLAN and take an IP address from DHCP, which is configured on the ASA that is connected to the trusted interface, but no one can reach the gateway (the IP address of the firewall), and when we open any browser it does not redirect to the web login page. We don't have a local DNS; we use global DNS.
    Note: we used HP switches.
    Please support me ASAP.
    BR,
    Saad Eid

    I have not found any either. You can use the one for VPN since it will be the same.
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

  • NAC question for In-band mode

    Hi All,
    I want to implement a NAC appliance for a small network of users that connect directly to non-Cisco switches.
    As I understand, my only option is to deploy NAC in In-Band mode; in this way it does not matter which switch I use because the traffic will just pass through and get to the NAC appliance. Is this correct?
    Thank you!

    Correct. In In-Band mode (Real IP or Virtual Gateway) all traffic passes through the CAS (there is a good webcast on CCO detailing exactly how to set up both options); see the link below.
    Regards
    Colin
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

  • NAC Appliance design question

    I have a customer with a central site and two branch offices. Routing is configured on the WAN to connect all three locations. All servers and Internet access are at the central site.
    The customer wants to install NAC Appliance. Do I need a NAC appliance at each location? Or do I just install it at the central location and use that NAC appliance for access control to the two remote sites as well?
    Also how does NAC appliance apply access control to users coming into the network via Citrix or Cisco VPN Clients?
    Thanks

    NAC Appliance (CAM & CAS = Clean Access Manager/Server) can be used in a Layer 3 Out Of Band design. This will provide you with centralized control.
    It works by placing all unauthenticated switch ports into an unauthenticated VLAN. When a switch port goes up/up, the NAC CAS follows a set of rules you have established on the CAM to make decisions about the computer and user. It will then place that switch port into a VLAN 'dynamically' as dictated by the rules. Your switches must support these features (IOS level) and only Cisco products work with the CAM/CAS (well, some others might, but it's a short list). When the port goes down/down the CAS senses this and returns the port to the unauthenticated VLAN.
    For instance, if a user is a vendor, only requiring Internet access, you will have a VLAN for this purpose on all your switches, routed/trunked to your Internet point of presence. The CAS will see the switch port he/she jacks into come up/up. It will query the user and the computer and, based upon the rules in the CAM, dynamically assign the wire port to that VLAN from the go-nowhere unauthenticated VLAN.
    If it were a company user, you could set it to check anti-virus, service pack levels, etc. before they were allowed on the network. It could also be set up to allow the person access to only the 'Finance' VLAN (for example) based upon their role in the company. It can do this remotely.
    If you were to remediate VPN users, you could not do this in a dynamic, Out-of-Band fashion. You would need a second CAS (but not CAM) to operate In-Band. This would then allow users in on one interface, traverse the CAS, and out another interface on the appropriate VLAN. This is because it's impossible to apply multiple rules to a single port shared by multiple users. You would need a means to make a decision on which VLAN the user accesses at the concentrator and move them off dynamically at the virtual interface. It's not supported.
    Remember, NAC is performed at the switch port level. Citrix users would be regarded as local users. You could perform certain rule checking to allow them only onto your Citrix VLAN.
    There is a Cisco Chalk Talk series on NAC; use the URL below. It will teach you as much as you can absorb about the NAC appliances, how to use them, and how to recommend their purchase to your clients.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

  • NAC layer 3 Virtual Gateway Setup

    I am running the NAC Appliance currently in virtual gateway mode for layer 2 inband and it works great. I wanted to add layer 3 virtual gateway inband to this same NAC server, but I can't seem to find enough documentation on this. I do have layer 3 enabled and a static route to the layer 3 network in place. I don't think I understand how to get the network to go through the NAC. Do I need to run the Agent on the layer 3 network or can it still somehow go through just the web page authentication?
    Thanks.

    Policy-route the unauthenticated traffic so it forces the layer 3 network in question through your CAS layer 3 device. Your discovery host address should be on the trusted side of the Clean Access Server. There's a NAC Chalk Talk PDF that steps this through for you.
    Search "NAC Chalktalk".

  • NAC - virtual gateway vs. real gateway

    Hi All,
    I don't have too much experience with NAC deployment. I want to go with L3 (because we have a central site), OOB (for LAN) and IB (for wireless and VPN), but I don't know whether I should go with real gateway or virtual gateway. I know virtual gateway is easier than real gateway, but technically, which way is more popular and provides better security measures?
    any suggestion would be very appreciated.
    thanks
    Alex

    If your remote subnets are multiple hops away, RIP would be the option you should use. They are both equally popular, but for L3 subnets which are remote, RIP is the most often used design.

  • NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

    Hello,
    I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:
    Core Switch:
    VLAN DB:
    vlan 10
     name VLAN_DEPT1
    vlan 11
     name VLAN_DEPT2
    vlan 20
     name VLAN_DEPT3
    vlan 26
     name VLAN_DEPT4
    vlan 27
     name VLAN_DEPT5
    vlan 28
     name VLAN_DEPT6
    vlan 29
     name VLAN_DEPT7
    vlan 30
     name VLAN_DEPT8
    vlan 32
     name VLAN_DEPT9
    vlan 50
     name VLAN_NetMGT
    vlan 51
     name VLAN_CAS_MGT
    vlan 52
     name VLAN_CAM_MGT
    vlan 210
     name VLAN_DEPT1_Auth
    vlan 211
     name VLAN_DEPT2_Auth
    vlan 220
     name VLAN_DEPT3_Auth
    vlan 226
     name VLAN_DEPT4_Auth
    vlan 227
     name VLAN_DEPT5_Auth
    vlan 228
     name VLAN_DEPT6_Auth
    vlan 229
     name VLAN_DEPT7_Auth
    vlan 230
     name VLAN_DEPT8_Auth
    vlan 232
     name VLAN_DEPT9_Auth
    Interface Configs
    interface GigabitEthernet3/41
     description "Link to Cisco CAM-PRI eth0"
     switchport access vlan 52
     switchport mode access
     spanning-tree portfast
     spanning-tree guard root
     no cdp enable
     no ip address
    interface GigabitEthernet3/42
     description "Link to Cisco CAM-FO eth0"
     switchport access vlan 52
     switchport mode access
     spanning-tree portfast
     spanning-tree guard root
     no cdp enable
     no ip address
    interface GigabitEthernet3/43
     description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 777
     switchport mode trunk
     switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/44
     description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 777
     switchport mode trunk
     switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/46
     description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 700
     switchport mode trunk
     switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet3/48
     description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 700
     switchport mode trunk
     switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet1/1
     description "Trunk link to DEPT1 Access SW"
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 700
     switchport mode trunk
    !------- Example of VLAN Interface --------
    interface Vlan10
     description "DEPT1 VLAN"
     ip address x.x.10.1 255.255.255.0
     ip helper-address x.x.50.5
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no ip route-cache
     no ip mroute-cache
    !------- No VLAN Interface for AUTH VLAN 210 --------
    Access Switch Configuration
    interface GigabitEthernet0/1
     description "Trunk Link to Core Switch"
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 700
     switchport mode trunk
     no ip address
    interface GigabitEthernet0/6
     switchport access vlan 30
     switchport mode access
     spanning-tree portfast
     spanning-tree guard root
     no cdp enable
     no ip address
    =========================================
    Is the above config correct?
    Thanks
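    As an added example (not from the post or from Cisco), the following Python script checks the OOB Virtual Gateway invariants the poster is asking about, run over a constructed excerpt of the posted core-switch config: the untrusted CAS trunk carries exactly the Auth VLANs, the trusted trunk carries none of them, no SVI exists on an Auth VLAN, and the trunks' native VLAN is not a user or Auth VLAN. It assumes the post's naming convention (VLAN_X paired with VLAN_X_Auth) and trunk descriptions containing "Trusted" or "UN-Trusted".

```python
# Constructed excerpt modelled on the posted core-switch config; not the poster's full file.
CORE_CONFIG = """\
vlan 10
 name VLAN_DEPT1
vlan 210
 name VLAN_DEPT1_Auth
interface GigabitEthernet3/43
 description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
 switchport trunk native vlan 777
 switchport trunk allowed vlan 210
interface GigabitEthernet3/46
 description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
 switchport trunk native vlan 700
 switchport trunk allowed vlan 10,50-51
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
"""

def expand_vlans(spec):
    """'10,11,26-30' -> {10, 11, 26, 27, 28, 29, 30}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_blocks(text):
    """Split an IOS-style config into (header line, [indented body lines]) blocks."""
    blocks = []
    for line in text.splitlines():
        if line and not line[0].isspace():
            blocks.append((line, []))
        elif blocks and line.strip():
            blocks[-1][1].append(line.strip())
    return blocks

def check_oob_vg(text):
    """Return a list of findings; an empty list means the config is consistent."""
    blocks, vlans, findings = parse_blocks(text), {}, []
    for head, body in blocks:
        if head.startswith("vlan "):
            vlans[int(head.split()[1])] = next((b[5:] for b in body if b.startswith("name ")), "")
    auth = {v for v, n in vlans.items() if n.endswith("_Auth")}
    access = {v for v, n in vlans.items() if n + "_Auth" in vlans.values()}
    for head, body in blocks:
        if not head.startswith("interface "):
            continue
        name, desc = head.split()[1], " ".join(b for b in body if b.startswith("description"))
        allowed = next((expand_vlans(b.split()[-1]) for b in body if "allowed vlan " in b), None)
        native = next((int(b.split()[-1]) for b in body if "native vlan " in b), None)
        untrusted, trusted = "UN-Trusted" in desc, "Trusted" in desc and "UN-Trusted" not in desc
        # No SVI on an Auth VLAN: hosts awaiting certification may only reach the CAS, not a router.
        if name.startswith("Vlan") and int(name[4:]) in auth and any(b.startswith("ip address") for b in body):
            findings.append(f"{name}: SVI on auth VLAN gives unauthenticated hosts a gateway")
        # The untrusted CAS trunk carries exactly the Auth VLANs; the trusted trunk carries none of them.
        if allowed is not None and untrusted and allowed != auth:
            findings.append(f"{name}: untrusted trunk VLAN mismatch {sorted(allowed ^ auth)}")
        if allowed is not None and trusted and allowed & auth:
            findings.append(f"{name}: trusted trunk bridges auth VLANs {sorted(allowed & auth)}")
        # A CAS trunk's native VLAN should be an unused 'bit bucket' VLAN, never a user or auth VLAN.
        if native in auth | access:
            findings.append(f"{name}: native VLAN {native} is a user/auth VLAN")
    return findings
```

    Running `check_oob_vg(CORE_CONFIG)` on the excerpt returns no findings; adding an `interface Vlan210` with an IP address, or adding 210 to the trusted trunk's allowed list, produces one.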

    Hi,
    By bogus I assume you mean something like:
    interface Vlan700
     description "BIT BUCKET for unused ports"
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no ip route-cache
     no ip mroute-cache
     shutdown

  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a Central Deployment (NAC server at the central site) for remote office (WAN) users, is it possible to work with L3 OOB Virtual Gateway, or is it only possible to work with L3 OOB Real-IP Gateway?
    If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
    I didn't find an answer to this in the documentation.
    Thanks in advance.

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at Switch Management -> Port Profiles and, below "Options: Device Connected to Port" (the second one), "Change to .... if the device is certified"; there should be an Access VLAN option. Make it active.

  • Error when installing virtual appliance for r12.2.4

    Hello
    I have downloaded the Oracle Virtual Appliance for Oracle E-Business r12.2.4 in the following step-by-step manner, but I am running into an error. As per the readme, I have gone through Note:1928303.1 but it does not address the issue.
    That said, is there any comprehensive, step-by-step document that outlines installation and implementation of the Oracle Virtual Appliance for r12.2.4?
    Below are the steps I ran.
    Step 1: Downloaded and installed Oracle VirtualBox version 4.3.22.
    Step 2: I want to install Oracle EBS r12.2.4 single node installation on my Windows 8.1 64-bit laptop with 1 TB of HDD and 8 GB RAM.
    Step 3: Downloaded the following files for the single node Vision appliance.
    There are two zip files for each part, so I downloaded 16 zip files in total.
    V52470-01 Oracle E-Business Suite Release 12.2.4 Single Node Vision Install X86 (64 bit) (Part 1 of 8) Linux x86-64
    V52471-01 Oracle E-Business Suite Release 12.2.4 Single Node Vision Install X86 (64 bit) (Part 2 of 8) Linux x86-64
    V52472-01 Oracle E-Business Suite Release 12.2.4 Single Node Vision Install X86 (64 bit) (Part 3 of 8) Linux x86-64
    V52473-01 Oracle E-Business Suite Release 12.2.4 Single Node Vision Install X86 (64 bit) (Part 4 of 8) Linux x86-64
    V52474-01 Oracle E-Business Suite Release 12.2.4 Single Node Vision Install X86 (64 bit) (Part 5 of 8) Linux x86-64
    V52475-01 Oracle E-Business Suite Release 12.2.4 Single Node Vision Install X86 (64 bit) (Part 6 of 8) Linux x86-64
    V52476-01 Oracle E-Business Suite Release 12.2.4 Single Node Vision Install X86 (64 bit) (Part 7 of 8) Linux x86-64
    V52477-01 Oracle E-Business Suite Release 12.2.4 Single Node Vision Install X86 (64 bit) (Part 8 of 8) Linux x86-64
    Step 4: Unzipped these files.
    Step 5: After unzipping, the unzipped filename looked like the following. So I removed the last digit in the extension so that Oracle VirtualBox can recognize the .ova extension.
    Unzipped file name:
    Oracle-E-Business-Suite-12.2.4_VISION_INSTALL.ova.01
    renamed to
    01_Oracle-E-Business-Suite-12.2.4_VISION_INSTALL.ova
    Step 6: In Oracle VirtualBox, attempted to import these ova files using "Import Appliance". This is when I am getting the following error.
    Oracle VM Virtual Appliances for Oracle E-Business Suite (Linux)
    Failed to import appliance C:\ova\EBS\INSTALLATION OPTIONS\Option 1 Single Node ALL\0_Oracle-E-Business-Suite-12.2.4_VISION_INSTALL.ova.
    Could not create the imported medium 'C:\Users\ova\VirtualBox VMs\Oracle-E-Business-Suite-12.2.4_VISION_INSTALL\Oracle-E-Business-Suite-12.2.4_VISION_INSTALL-disk1.vmdk'.
    VMDK: Compressed image is corrupted 'C:\Users\ova\Oracle-E-Business-Suite-12.2.4_VISION_INSTALL-disk1.vmdk' (VERR_ZIP_CORRUPTED).
    Result Code:  (0x80BB0004)
    Component: Appliance
    Interface: IAppliance {3059cf9e-25c7-4f0b-9fa5-3c42e441670b}
    This is happening with each and every file in the above list.
    Please advise what I am missing, and whether there is a comprehensive document somewhere that outlines the details of the implementation. The above-mentioned Metalink note is not enough.
    Darsh

    You need to merge all of the downloaded files first, before importing into VirtualBox. Google for my blog for detailed steps.

  • Is there an associated Linux GUI Desktop available with the VM Virtual Appliances for Oracle E-Business Suite 12.2.4 64 bit or is it all command line?

    I have downloaded the 16 pieces of Oracle VM Virtual Appliances for Oracle E-Business Suite (12.2.4) for x86 64-bit, V52470-01 Parts 1 & 2 through V52477-01 Parts 1 & 2, unzipped them and created the .ova.
    I then imported that into VBox 4.3.22.
    I went through and changed the passwords for root, oracle, and applmgr as requested and entered a static IP.
    I have not configured the DB or Applications yet.
    However, I want to know if there is a typical GUI Desktop that can be brought up.
    Thank you.

    I have not been able to find a GUI desktop; I believe it is disabled or not included in the media.

  • Is there any Ironport Virtual Appliance for Testing Purpose ?

    Hi Everyone,
    Thanks in advance to everyone.
    Is there any Ironport Virtual Appliance for Testing Purpose ?
    Regards,
    Bala Krishna G

    Looks like there are a couple of vendors who have virtual options. Here's one.
    http://www.ironportstore.com/VirtualEvalRequest.asp
    Also, IronPort has a 30-day free trial of their product.
    http://pages.ironport.com/evalrequest.html?source=eval_req
    Hope this helps.
    Brandon

  • What is a Cisco NAC appliance used for?

    We have a 5508 WLC in use already and have this 3310 lying around unused. I am trying to figure out if adding a 3310 would be of any benefit.
    From the documentation, the features of a 3310 NAC are:
    - Recognize users, their devices, and their roles in the network
    - Evaluate whether machines are compliant with security policies
    - Enforce security policies by blocking, isolating, and repairing noncompliant machines
    - Provide easy and secure guest access
    - Simplify non-authenticating device access
    - Audit and report who is on the network
    What does "enforce security policies by blocking, isolating, repairing" really mean?
    "Provide easy and secure guest access": I already have a public wireless SSID set on the WLC.
    I can recognize users in reports like SolarWinds. I can see the username, IP, MAC, AP location.
    I can get a report from my logging traps collector, SolarWinds.

    Well, usually when I have deployed them back in the day, you had a NAC Appliance and another NAC Manager. But what you have read is exactly what it does.
    What does "enforce security policies by blocking, isolating, repairing" really mean?
    It will block and isolate the device if it doesn't meet the requirements that you have set, but the user has to manually repair the items.
    "Provide easy and secure guest access": I already have a public wireless SSID set on the WLC.
    I can recognize users in reports like SolarWinds. I can see the username, IP, MAC, AP location.
    I can get an report from my logging t
    You will not see any username or ap locations. I wouldn't use it as it might be more of a headache to implement unless you know what you are doing.
    Sent from Cisco Technical Support iPhone App

  • NAC Framework or NAC Appliance: which is better?

    Hi all, can someone just advise which is the better solution, the NAC Appliance or the NAC Framework?
    regards
    sushil

    Hi Sushil,
    If you are taking a poll, please count me in for the appliance over the NAC framework. I've done both and there are more variables in the framework than when you use the appliances. From my experience, the more variables the harder it is to troubleshoot. Your mileage may vary.
    I would also add that doing an implementation which employs a Virtual Gateway, Out-of-Band for wired users, and Central Deployment is the best use of your time and money.
    Of course, if you are using NAC for VPN and wireless users you still need dedicated CAS devices, as these require In-Band deployments.
    Hope this helps.
    Paul

  • L2 or l3 switch with NAC appliance

    Hi,
    I am planning to deploy NAC Appliance in OOB VG mode. For the access layer, L2 switches have been selected (2960). If I replace the L2 access switches with L3 (3560 or 3750), would this give NAC more manageability of the access layer?
    Regards,
    Mladen

    Thanks.
    The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
    "In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
    So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is satisfactory for clients.
    If NAC is in OOB VG mode, are there any NAC features which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
    Regards,
    Mladen

  • Authentication NAC appliance with ACS

    I have deployed L3 Virtual Gateway mode for NAC Appliance. There is an ACS for authentication. How can I add the ACS to "Auth Servers"? The CAM settings do not need mapping rules. Every user just authenticates with their own account, then the CAM can pass this info to the ACS. What should I do? Thank you.
    If there is any configuration example, please e-mail it to [email protected]

    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a00809b8e3b.shtml
