NAC appliances compatibility

Dears,
I have a NAC manager, and two NAC server appliances and many NME-NAC-K9 network modules on ISR routers.
Is it mandatory that all devices are upgraded to the same release, or are different releases compatible with each other?
Thanks in advance

The CAM and the CAS must be on the same version to work. Hence different CAS versions reporting to the same CAM is not possible.
(CAM= Manager, CAS = Server)

Similar Messages

  • NAC Appliance IPv6 Compatibility

    I read in the book "Cisco NAC Appliance: Enforcing Host Security with Clean Access" (published 2008) that the Real IP Gateway mode is only IPv4 compatible but that IPv6 compatibility will be provided in a future software update.
    Having searched around, I can't find any reference to the NAC Appliance being IPv6 compatible. Does anyone know what modes (if any) are IPv6 compatible?

    Hi,
    Even though IPv6 has been on the road map, currently it is not supported and there is no ETA for IPv6 support by NAC devices.
    HTH,
    Tiago

  • Will a NAC appliance work with Meraki WL

    Hi All,
    I have a customer that presently uses the Cisco Meraki wireless solution and would like to have a NAC appliance installed in their environment. Will Cisco NAC support the Meraki for access control?

    Yes Sir.. Check this link for supported devices with Cisco ISE
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html

  • Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

    Hi,
    I am re-imaging the Cisco NAC Appliance 3315 and installing the Cisco ISE 1.1.4...
    After finishing the installation, when I type "SETUP", it gives me the error below:
    # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
    # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
    Please advise....
    I tried to change the Time/Date as per UTC/GMT accordingly... But I didn't find the RAID in CLI... See the link below
    (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
    Any idea...
    Regards,
    Mubasher Sultan

    Where did you get the recovery media? Did you download from cisco.com?
    Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
    Supporting link:
    http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
    Jatin Katyal

  • NAC Appliance and BigFix Automatic remediation

    Hi,
    I want to integrate the NAC appliance with BigFix for automatic remediation of Windows clients. Please provide me a document for the same if anyone has done this in their organization.
    Regards,
    Amit

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, a NAC appliance integrated with Active Directory single sign-on.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user will be authenticated using their domain account login; if successful, the user will be mapped to the VLAN assigned to them.
    The agent SSO installed on Active Directory is running well, and on the CAS the SSO service has also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch, gets the dummy VLAN and will authenticate using a domain account on AD. If that succeeds, the port will be bounced; the user is running a Cisco agent in the background
    3. Now user A has their own VLAN ID 15
    I've created the authentication server on the CAM for Active Directory, but I find it so difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC, which I downloaded from Cisco, does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP server,
    where the expression is
    memberOf contains CN=Finance
    and apply it to role employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now, you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.
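
The mapping rule described in the reply above, modelled as an added example that is not part of the original posts and is not the CAM's own code. It assumes `contains` is a plain case-insensitive substring test and that the first matching rule wins; the users, DNs, `DEFAULT_ROLE` and the `equals` operator are constructed for illustration.

```python
# Added example (not from the thread): models how a "memberOf contains ..."
# mapping rule selects a user role. Assumptions: "contains" is a plain,
# case-insensitive substring test and the first matching rule wins.
from dataclasses import dataclass

@dataclass(frozen=True)
class MappingRule:
    attribute: str   # directory attribute, e.g. "memberOf"
    operator: str    # "contains" or "equals" (operators of this model only)
    value: str
    role: str

DEFAULT_ROLE = "Unauthenticated"   # hypothetical fallback role name
ROLE_VLAN = {"Employee": 15}       # VLAN 15 = employee VLAN, as in the thread

def rule_matches(rule, values):
    """True if any value of the attribute satisfies the rule."""
    needle = rule.value.lower()
    for value in values:
        hay = value.lower()
        if rule.operator == "contains" and needle in hay:
            return True
        if rule.operator == "equals" and needle == hay:
            return True
    return False

def resolve_role(rules, attrs):
    """Return the role of the first matching rule, else DEFAULT_ROLE."""
    for rule in rules:
        if rule_matches(rule, attrs.get(rule.attribute, [])):
            return rule.role
    return DEFAULT_ROLE

def access_vlan(rules, attrs):
    """VLAN configured for the resolved role, or None to stay in the auth VLAN."""
    return ROLE_VLAN.get(resolve_role(rules, attrs))

# Constructed lookup results, shaped like the memberships a test auth returns.
ALICE = {"memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com",
                      "CN=Domain Users,CN=Users,DC=example,DC=com"]}
BOB = {"memberOf": ["CN=Finance-Contractors,OU=Groups,DC=example,DC=com"]}

LOOSE = [MappingRule("memberOf", "contains", "CN=Finance", "Employee")]
TIGHT = [MappingRule("memberOf", "contains", "CN=Finance,", "Employee")]
EXACT = [MappingRule("memberOf", "equals",
                     "CN=Finance,OU=Groups,DC=example,DC=com", "Employee")]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("tight", TIGHT), ("exact", EXACT)):
        for user, attrs in (("alice", ALICE), ("bob", BOB)):
            print(f"{name:5} {user:5} -> role={resolve_role(rules, attrs)}, "
                  f"vlan={access_vlan(rules, attrs)}")
```

With the loose expression, the constructed Finance-Contractors member also resolves to the Employee role and VLAN 15. Ending the expression at the RDN boundary (trailing comma) or matching the full DN keeps that account in the default role.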

  • Is ACS required in NAC appliance.

    Hi,
    One of our clients has decided to implement NAC. They need to know what the various options are, especially the NAC appliance (3310 etc). I read that the appliance is a device like a server which has hard disks, CD-ROMs etc. But the documents don't say much about the configuration of the server, whether ACS is required to be installed on the server, etc. Can we do port-based 802.1x with the help of this device (like dynamically assigning a host to a particular VLAN if the OS/antivirus is not updated)?
    Thx in advance.
    Sonu

    NAC appliance will work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC appliance... You can use ACS/RADIUS/LDAP/etc. to authenticate the users.
    The appliance will work with patch management (after authentication) to ensure that the right applications and patch levels are met. We work with Altiris/BigFix/PatchLink/SMS and more.
    The great thing about NAC Appliance is that it works for all four major use cases:
    1. VPN users
    2. WiFi users
    3. LAN/wired users
    4. Guests/visitors
    We can
    1. Authenticate
    2. Posture assess (scan)
    3. Quarantine
    4. Remediate
    You don't want users to have to learn three different ways to connect to the network.
    802.1x is working for WiFi today and for LAN connections we use one user per port so they get the whole pipe. In the future we will support subdivision of an access switch port for multiple devices and users.
    I hope this helps.

  • NAC framework or NAC appliance, which is better

    Hi all, can someone just advise which is the better solution, the NAC appliance or the NAC framework?
    regards
    sushil

    Hi Sushil,
    If you are taking a poll, please count me in for the appliance over the NAC framework. I've done both and there are more variables in the framework than when you use the appliances. From my experience, the more variables the harder it is to troubleshoot. Your mileage may vary.
    I would also add that doing an implementation which employs a Virtual Gateway, Out-of-Band for wired users, and Central Deployment is the best use of your time and money.
    Of course, if you are using NAC for VPN and Wireless users you still need dedicated CAS devices, for these require In-band deployments.
    Hope this helps.
    Paul

  • Cisco NAC Appliance

    Hi
    I wanted to know if someone can give me some help on a Cisco NAC appliance. Honestly I've heard of them but I've never installed or worked on one before and I have a client who wants to have one installed. So I wanted to know, can someone here point me in the right direction as far as installation and configuration? Thanks for the help in advance and have a great evening.

    Hi
    Everything you need to get started:
    http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.
    HTH,
    Tiago

  • NAC Appliance design question

    I have a customer with a central site and two branch office. Routing is configured on the WAN to connect all three locations. All servers and internet access are on the central site.
    Customer wants to install a NAC appliance. Do I need a NAC appliance at each location? Or do I just install it at the central location and use that NAC appliance for access control to the two remote sites as well?
    Also how does NAC appliance apply access control to users coming into the network via Citrix or Cisco VPN Clients?
    Thanks

    NAC Appliance (CAM & CAS = Clean Access Manager/Server) can be used in a Layer 3 Out Of Band design. This will provide you with centralized control.
    It works by placing all unauthenticated switch ports into an unauthenticated VLAN. When a switch port goes up/up, the NAC CAS follows a set of rules you have established on the CAM to make decisions about the computer and user. It then will place that switch port into a VLAN 'dynamically' as dictated by the rules. Your switches must support these features (IOS level) and only Cisco products work with the CAM/CAS (well some others might, but it's a short list). When the port goes down/down the CAS senses this and returns the port to the unauthenticated VLAN.
    For instance, if a user is a vendor, only requiring Internet access, you will have a VLAN for this purpose on all your switches and routed/trunked to your Internet Point of Presence. The CAS will see the switch port he/she jacks into come up/up. It will query the user and the computer and based upon the rules in the CAM, dynamically assign the wire port to the VLAN from the go-no-where unauthenticated VLAN.
    If it were a company user, you could set it to check Anti-virus, levels of service packs, etc. before they were allowed on the network. It could also be set up to allow the person access to only the 'Finance' VLAN (for example) based upon their role in the company. It can do this remotely.
    If you were to remediate VPN users, you could not do this in a dynamic, Out of Band fashion. You would need a second CAS (but not CAM) to operate In Band. This would then allow users in one interface, traverse the CAS and on out another interface on the appropriate VLAN. This is because it's impossible to apply multiple rules to a single port shared by multiple users. You would need a means to make a decision on what VLAN the user accesses at the concentrator and move them off dynamically at the virtual interface. It's not supported.
    Remember, NAC is performed at the switch port level. Citrix users would be regarded as local users. You could perform certain rule checking to allow them only onto your Citrix VLAN.
    There is a Cisco Chalk Talk series on the NAC, use the URL below. It will teach you as much as you can absorb on the NAC appliances, how to use them and recommend their purchase to your clients.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

  • NAC Appliance remediation

    We are currently testing the NAC appliance before we roll it into production in an environment that does not have a software distribution system. I was just wondering about the various methods people use to have end users self-remediate their machines when using a file or link requirement with the CAS.
    The main requirement is that the CSA agent must be installed on the end user's machine. The user can successfully download the CSA agent exe from the CAS. However, the installation requires admin rights, but because our users do not have this the installation fails and the user cannot become compliant.
    Any suggestions on best practices or methodologies used in a production environment would be greatly appreciated.

    Following links may help you
    http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_bulletin0900aecd805baf90.html
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_agent.html

  • L2 or l3 switch with NAC appliance

    Hi,
    I am planning for deploying NAC appliance in OOBVG mode. For the access layer, L2 switches are selected (2960). If I change the L2 access switches with L3 (3560 or 3750) would this add more manageability to the access layer by NAC?
    Regards,
    Mladen

    Thanks.
    The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
    "In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
    So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is client satisfactory.
    If the NAC is in OOBVG mode, are there any NAC features, which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
    Regards,
    Mladen

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • NAC Appliance - Cisco Clean Access v4.7.0

    Hi,
    I have a NAC appliance (lite manager and server) version 4.7.0. Do these devices support Windows 7? The last time I checked, it only supported Win XP, 2k, Me, NT, 95, 98 and Vista. But I did not see Windows 7 OS. I want to upgrade the client workstations from Windows XP to Windows 7 but I'm not sure if it's going to be supported by the NAC appliance I have. Could somebody help me on this? Thanks in advance.
    Richard

    Cisco is also introducing improved abilities to assess the security risk of unmanaged or agentless endpoints/devices, that do not support the CTA and are attempting to gain network access. This is accomplished through collaboration with a new auditing category of NAC partner program vendors. Vendors joining this new category include Altiris, Qualys, and Symantec (through the WholeSecurity acquisition). Collaboration with these vendor solutions helps the NAC framework dramatically improve its ability to assess the risk of agentless devices such as guest laptops, printers, PDAs, and Internet Protocol telephones. These devices can now be audited by this new category of partners. The audit results will then be communicated back to the network to enforce the proper network admission decision.
    http://newsroom.cisco.com/dlls/2005/prod_101805.html

  • NAC Appliance & Cisco Trust Agent

    Hi,
    I have a requirement to implement NAC using the NAC Appliance (Cisco Clean Access). Does anyone know if this will work correctly with CTA in the same way that the NAC framework would do?? I am interested as I wish to use the Cisco Secure Services Client as an 802.1x supplicant and this interfaces directly with the CTA.

    Cisco is also introducing improved abilities to assess the security risk of unmanaged or agentless endpoints/devices, that do not support the CTA and are attempting to gain network access. This is accomplished through collaboration with a new auditing category of NAC partner program vendors. Vendors joining this new category include Altiris, Qualys, and Symantec (through the WholeSecurity acquisition). Collaboration with these vendor solutions helps the NAC framework dramatically improve its ability to assess the risk of agentless devices such as guest laptops, printers, PDAs, and Internet Protocol telephones. These devices can now be audited by this new category of partners. The audit results will then be communicated back to the network to enforce the proper network admission decision.
    http://newsroom.cisco.com/dlls/2005/prod_101805.html
