NAC CAS HA question

Hello,
I currently have an IB and OoB VG environment. Both CAS are working fine, but now I want to add HA to both. Looking at the documentation (CAS user guide 4.1.3) I see I need two Service IP Addresses, one for the trusted interface and one for the untrusted. In my case, since they are running in VG mode, I would normally have the same IP address on the trusted and untrusted sides. Does the same apply for the Service IP Addresses? Should I use the same service IP on both sides?
Do I need three IPs in total: 1 for both interfaces of the IB CAS, 1 for both interfaces of the OoB CAS, and 1 for both Service IP Addresses?
Thanks in advance for any info...

For a VGW solution, you would use the same IP address for trusted and untrusted.
You will need three IP addresses: Real Primary, Real Secondary, Service IP. This is per system, not per interface.

Similar Messages

  • NAC Appliance design question

    I have a customer with a central site and two branch office. Routing is configured on the WAN to connect all three locations. All servers and internet access are on the central site.
    Customer wants to install NAC appliance. Do I need a NAC appliance at each location? Or do I just install it at the central location and use that NAC appliance for access control to the two remote sites as well?
    Also how does NAC appliance apply access control to users coming into the network via Citrix or Cisco VPN Clients?
    Thanks

    NAC Appliance (CAM & CAS = Clean Access Manager/Server) can be used in a Layer 3 Out Of Band design. This will provide you with centralized control.
    It works by placing all unauthenticated switch ports into an unauthenticated VLAN. When a switch port goes up/up, the NAC CAS follows a set of rules you have established on the CAM to make decisions about the computer and user. It then will place that switch port into a VLAN 'dynamically' as dictated by the rules. Your switches must support these features (IOS level) and only Cisco products work with the CAM/CAS (well, some others might, but it's a short list). When the port goes down/down the CAS senses this and returns the port to the unauthenticated VLAN.
    For instance, if a user is a vendor, only requiring Internet access, you will have a VLAN for this purpose on all your switches and routed/trunked to your Internet Point of Presence. The CAS will see the switch port he/she jacks into come up/up. It will query the user and the computer and based upon the rules in the CAM, dynamically assign the wire port to the VLAN from the go-no-where unauthenticated VLAN.
    If it were a company user, you could set it to check Anti-virus, levels of service packs, etc. before they were allowed on the network. It could also be set up to allow the person access to only the 'Finance' VLAN (for example) based upon their role in the company. It can do this remotely.
    If you were to remediate VPN users, you could not do this in a dynamic, Out of Band fashion. You would need a second CAS (but not CAM) to operate In Band. This would then allow users in one interface to traverse the CAS on out another interface on the appropriate VLAN. This is because it's impossible to apply multiple rules to a single port shared by multiple users. You would need a means to make decisions on what VLAN the user accesses at the concentrator and move them off dynamically at the virtual interface. It's not supported.
    Remember, NAC is performed at the switch port level. Citrix users would be regarded as local users. You could perform certain rule checking to allow them only onto your Citrix VLAN.
    There is a Cisco Chalk Talk series on the NAC, use the URL below. It will teach you as much as you can absorb on the NAC appliances, how to use them and recommend their purchase to your clients.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

  • NAC- CAS Requirements

    We have a main site that contains (1) CAM and (1) CAS and 250 users. We have 5 remote sites that connect to an ASA 5520 via DSL point-to-point VPN connections. There is no internet at these sites locally; they all access the internet through the main site. The remote sites have the same VLAN setup as the main site. My core switch is a 3750 stack and all switches at remote sites are 3750's.
    My question is: do I need to place a CAS at each one of these locations, or is there a possibility to use the CAS at the main site? Also, if you could give a recommendation on IB or OOB for this deployment. Thanks.

    We have the main site. The main site has an ASA for internet access, and a Cisco stack that contains our distribution and access clients. This is where our CAM and CAS connect. We have another ASA 5520 that is doing point-to-point connections to the 5 sites. Those remote sites all have ASA 5520's and are configured to use the VPN ASA at the main site as their default gateway.
    We switched the NAC to real IP mode from OOB today to start attempting the remote sites tomorrow.
    That is exactly what we are planning, routing all traffic from the untrusted vlan to the main site CAS interface using PBR.
    is this going to work with the ASA's?
    what is the downside of doing it this way? do you see any issues or can you give any examples. some of these links are low bandwidth links.
    thanks for all your help

  • NAC CAS & CAM version ?

    If we use different versions of CAS and CAM, will it work OK?
    thanks

    No.
    Upgrade the CAS first.
    Please read the release notes for version 4.6 to see the latest information:
    "Starting from Cisco NAC Appliance release 4.1(6), the Clean Access Manager and Clean Access Server require encrypted communication. Therefore, you must upgrade CASs before the CAM that manages them to ensure the CASs have the same (upgraded) release when the CAM comes back online and attempts to reconnect to the managed CASs. If you upgrade the Clean Access Manager by itself, the Clean Access Server (which loses connectivity to the CAM during Clean Access Manager restart or reboot) continues to pass authenticated user traffic only if the CAS Fallback Policy specifies that Cisco NAC Appliance should "ignore" traffic from client machines."
    Hope this helps.

  • Free cases issue + question

    I just watched the PC, and Steve said that we would receive free cases. He said that next week Apple would have a site up that allowed you to choose which case you wanted to get for free. Bumpers aren't the only ones that are being given away. There will be some other cases from other brands that will be available. This is due to the factory not being able to produce the bumpers quickly enough.
    Hope that clears up some questions.
    Here's a question of my own. Will we be able to input, say, an order number and be able to register for a case and have them send the case together with the phone or will we have to register after the phone is sent?

    Thanks for the info!! The cheap (|) case I have does not work very well as it
    comes off every time, but it works great as I haven't had too many dropped calls. Funny thing is most of my dropped calls is because I am in part of a crappy area for AT&T.

  • Need Help on using Forge Config Manager and CAS. Questions listed in the content below

    Hi All,
    I have an existing Endeca pipeline implementation where we read the data sets (Product Catalog Information) from an Oracle database using JDBC adapters. The data set undergoes a series of manipulations until it gets indexed into the Endeca system. We make use of PCI for dimensions and dimension values. However, we now want to extend PCI to also include the Product Catalog information. The current implementation also does not make use of CAS adapters to consume the dimensions data in PCI. The next consideration is to implement PCI as close to the Out of the Box provisions as possible and standardize it. Therefore we are also considering implementing CAS.
    The questions are as below:
    1. What are the ideal parameters that should support the use of PCI implementation (Dataset + dimension + precedence Rules + schema information) ? Note: We DO NOT have any product catalog system (like ATG) between database and Endeca.
    2. Considering that we do not have any product catalog system to organize and maintain data, how feasible is it to read directly from database through CAS Adapters and process the data ?
    3. We also plan to introduce partial update pipeline in future releases. Keeping that in mind should CAS based approach help us to read from a record store at the time of partial updates ?
    4. In case we are limiting to a business case of implementing partial updates in the above explained existing design, would a custom CAS approach be a better design? Custom CAS approach = writing the baseline output data to a record store and later referring to it at the time of partial updates.
    5. Will CAS based approach help to reduce the baseline timings ?
    6. What is the best way to export data to record store instance in the above design ? (Record store API / Command line utility / CAS crawl)
    Thanks,
    Nitin

    Hi Neeraj,
    You can use both PI SLD and Solman Local SLD for LMDB synchronization. Now here you have to make sure that correct ranks are assigned to PI and Solman SLD. With the help of multiple SLDs, you can remove the cause of concern. Local SLD should always be of Solman.
    For CR content. that you can do for solution manager system in a click.
    Divyanshu

  • NAC web agent question

    Hi,
    I need to know when I can use the NAC web agent. Is it used for guests or visitors only?
    If I use the NAC web agent for guests, can I perform posture assessment for the guest users (I mean check Windows Update, AV/AS or certain services)? Or will network scanning only be applied to the guests who are using the NAC web agent?
    I read the 4.7.1 user guide for CAM and CAS but I have some conflicts regarding the above topic, so please, I need your help.
    Mohamed

    Mohamed,
    You can use it for any kind of users (guest/regular) and can do posture assessment, but no remediation. Remediation requires the full agent. The other limitation is that the web agent is only valid on Windows machines and cannot run on Mac/Linux etc.
    HTH,
    Faisal

  • NAC Appliance Configuration Question

    Hi,
    I am building a new VPN implementation for a customer using a Cisco ASA 5550 and a NAC 3350 appliance. Due to the availability of switch ports, my customer is inquiring to see if the ASA can be cabled directly to the untrust interface on the CAS. I plan to implement the CAS in VGW mode.
    If this is possible, how would the VLAN Mapping work in VGW with this implementation? Do I need to configure a trunk on the ASA to pass the VLAN tags to the CAS to MAP the untrust to the trusted VLAN?
    Thanks for your assistance.

    Thanks Jesse,
    I do agree having this configuration will limit them on redundancy and most likely we will go with a switched approach. If we have both the untrusted and the trust interfaces connected to the same switch with an edge deployment do I need VLAN mapping configured or can the NAC bridge the two vlans without the mapping? I suspect without mapping we would introduce loops.
    Based on the examples I've seen on cisco.com with VPN concentrators, VLAN mapping is used with 4 VLANs: 2 are native VLANs, plus a trusted and an untrusted VLAN. This was the same approach I was going to use. Also note that the ASA will not be used for Internet access, only VPN. See below image: the ASA would connect to the switch as an access port on VLAN3. The customer's internal LAN would connect to VLAN2.

  • PC 2.5: Delete cases/survey questions

    Hi all,
    In order to test some functionalities of PC I scheduled some surveys a few months ago.
    I'm trying to delete all the questions, surveys and cases that I have created.
    I tried to use program RHRHDL00 but I didn't find these attributes as parameters.
    Note: I have customized lots of master data that I don't want to lose.
    Any idea?
    Best regards,
    Julien

    Julien,
    I assume you are talking about a dev or QA system.  It is my understanding you can't delete a question if it is in a survey and you can delete a survey if it has been used (a key control for audit purposes).  That said you could go into the IMG under administration programs and "Execute Administration programs for PC workflows" and go into 'delete cases and workflows".  You should be able to find whatever you want to delete in here and in theory you should be able to delete subsequent objects.  I haven't done this so I'm not exactly sure if it will work.  You will have to delete everything for each survey.  Depending on your environment, this could be a very difficult task.
    Personally, I would just mark the survey(s) and/or questions inactive and just forget about them.  There are so many interdependencies on the backend that performing these types of changes might turn out to cause more trouble than they are worth.  You could quickly find that other, unanticipated things go "sideways" after making manual backend workflow/case changes (like performing signoff).
    Matt

  • Case Escalation Question

    I was informed (after 7 months of various support tickets and 2 depot center repairs) that our case would finally be escalated. I was told I would be contacted early this week. It is now Thursday, and I haven't heard a peep from Lenovo since the call that resulted in the escalation last week. When do I start to worry? Is there a separate department I should contact regarding this? We have 9 of these laptops all with the same issue and it makes us look very incompetent to our employees that are still, after 7 months, having to use these "faulty" laptops. I have heard many a horror story about Lenovo's escalation process. Any advice would be greatly appreciated.
    Thanks!

    Hi fat_apollo,
    I hope you are doing well.  I just wanted to check in and see if you still need assistance.
    Please let me know and I will do all that I can to help.
    All the best,
    Josh Mason
    Lenovo Social Media Customer Service

  • CAS (array) questions redux

    I have a single Exchange server, where Get-Mailboxdatabase reports that the RPCClientAccessServer is servername.domain.local
    I'm currently having a certificate mismatch due to using a wildcard certificate, this only manifests as an error popup when you first start Outlook. Mail works fine, as do calendars - but I want to get rid of that pop-up.
    I'm already doing a split-brain DNS for EWS and so forth - mail.domain.com resolves to an internal IP internally and an external IP externally through a "real" DNS entry that's Internet-facing, and this way neither users internally nor externally get certificate errors and everything works - EAS, OWA etc. So it's just this internal issue left.
    The question I have is that I read something about it being a bad idea to use the same DNS name for CAS if the same address is externally resolvable (which it would be in this case). Does setting RPCClientAccessServer affect external clients too?
    Should I create a second split-brain DNS entry instead, like mail-internal.domain.com, and point that at servername.domain.local just to use for CAS?
    The second part of this question - can I just do: Set-MailboxDatabase MailboxDatabaseName -RpcClientAccessServer "mail.domain.com" and walk away, i.e. skip the CAS array creation entirely if I were to choose that, assuming mail.domain.com resolves internally to servername.domain.local?
    Or should I definitely create the array and use that instead even though this is a single-server environment?
    Thanks.

    Indeed!
    http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx is what Will is referring to.
    No, it is not that simple of just changing it and walking away. 
    Is this Outlook 2013 by any chance?
    Cheers,
    Rhoderick
    Microsoft Senior Exchange PFE
    Blog:
    http://blogs.technet.com/rmilne 

  • NAC-CAS vs. NAC-NM

    Hi,
    I have a central site with 50 users, without branches. Can I deploy just NAC-NM instead of CAS, and if I use NAC-NM in a 2811 ISR is there any bandwidth limitation compared to the CAS solution? In general, what is the throughput for CAS (3310) and what for NAC-NM?

    I don't think I can answer that because I don't see anything out there that says "throughput is this". It's all about simultaneous users. I did find something that references the fact that the module does connect over the HIMI feature, which is a gig connection to the router from the service module.
    http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps8788/prod_qas0900aecd806bfe39_ps6128_Products_Q_and_A_Item.html
    You can check this article on 2811 performance..
    http://www.smbdesignweb.co.uk/bbt/download/CiscoISR_2811_v1.pdf
    HTH
    -C

  • Vaja case ivolution question

    Anyone have this case? I stumbled upon Vaja's website and their iVolution looks pretty cool. I have some questions regarding that.
    1. Speaker: I'm concerned that when making phone calls, hearing the conversation will be more difficult, since your ear is now farther away from the speaker. I googled the iVolution for the iPhone and saw one or two complaints.
    2. Dust: will dust get in between the material and the phone? I have the Incase slider now, and I take it off to clean the dust off by the seam where the phone and the case meet.
    3. Pocket use: I keep the phone in my pocket. Does the form factor of the iVolution inhibit this? Is it too bulky?
    It's a bit pricey, but it's a sharp looking case, so if anyone has any thoughts or suggestions I would greatly appreciate the feedback.

    I have owned Vaja cases for other products but not the iPhone. I will tell you that any case adds bulk and you will notice it. This case looks thicker than other leather cases of the past - as thick as some hard shell plastic cases.
    I would think sliding it in and out of a pocket would be hard to do. You will definitely get dust around the edges and have to take it out to clean it - especially if you are slipping it into a pocket. Pockets seem to hold lint and dust.
    I don't think hearing would be a problem though. Vaja makes a fine case, but I decided on none. I have gotten tired of buying accessories for every new phone that add up to more than the phone.

  • Case saving question!

    Hi guys:
    what is the parameter IM_NEW_VERSION(Generate New Version of Record (X: Yes/space=default: No)) of IF_SCMG_CASE_API~SAVE.  Normally do we need to set the parameter?
    thanks and best regards
    Eric

    I have two pieces of advice:
    #1 Invest in some 80mm, 92mm. or 120mm case fan filters.  From the pics it looks like you've got a little bit of dust in there.  The filters are only like $2-$4 each at your local computer parts store (or directron.com or frozencpu.com) and you should mount them over every fan/air-intake hole in your case.  The build up of excessive dust will lead to premature fan failure, I know from experience.
    #2 As far as your question goes... measure twice, cut once .
    [EDIT] Added URLs to filter sites.

  • CASE Expression question

    Hi,
    I am wondering how to implement case logic where THEN statement would be written only once for many WHEN's.
    This example is from the oracle documentation, I extended it a bit.
    SELECT cust_last_name,
    CASE credit_limit
    WHEN 100 THEN 'Low'
    WHEN 200 THEN 'Low'
    WHEN 5000 THEN 'High'
    ELSE 'Medium'
    END
    FROM customers;
    As you see we select 'Low' for both values 100 and 200.
    What I am really looking for is something like:
    SELECT cust_last_name,
    CASE credit_limit
    WHEN 100
    WHEN 200 THEN 'Low'
    WHEN 5000 THEN 'High'
    ELSE 'Medium'
    END
    FROM customers;
    OR
    SELECT cust_last_name,
    CASE credit_limit
    WHEN 100 OR 200
    THEN 'Low'
    WHEN 5000 THEN 'High'
    ELSE 'Medium'
    END
    FROM customers;
    But both of these selects are not valid in Oracle (tested on 10g Rel2).
    Maybe it is very simple and I am writing it wrong, or it only works the way where I have to repeat the THEN for every WHEN.
    Thanks in advance!
    let's say I would like to perform the same step

    Hello
    What about
    tylerd@DEV2> SELECT
      2      CASE
      3          WHEN dummy IN('X','Y','Z') THEN
      4              'Dummy is X, Y or Z'
      5          WHEN dummy LIKE 'A%' THEN
      6              'Dummy is like A'
      7          ELSE
      8              'Dummy is something else'
      9      END
    10  FROM
    11      dual
    12  /
    CASEWHENDUMMYIN('X','Y'
    Dummy is X, Y or Z
    HTH
    David
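    Applying the searched CASE form from the reply above to the customers query in the question (an added example, not from either post; the customers table and credit_limit column are the ones used in the question's own example):

```sql
-- Searched CASE: each WHEN carries a full predicate, so several values can
-- share one THEN via IN (...) or OR. This replaces the simple CASE form
-- (CASE credit_limit WHEN 100 ...), which allows only one value per WHEN.
SELECT cust_last_name,
       CASE
           WHEN credit_limit IN (100, 200) THEN 'Low'
           WHEN credit_limit = 5000        THEN 'High'
           ELSE 'Medium'
       END AS credit_band
FROM customers;

-- The same result written with OR instead of IN:
SELECT cust_last_name,
       CASE
           WHEN credit_limit = 100 OR credit_limit = 200 THEN 'Low'
           WHEN credit_limit = 5000                      THEN 'High'
           ELSE 'Medium'
       END AS credit_band
FROM customers;

-- Caveat: a NULL credit_limit matches neither IN (...) nor =, so it silently
-- falls through to ELSE 'Medium'. Test for it explicitly if that is not wanted.
SELECT cust_last_name,
       CASE
           WHEN credit_limit IS NULL       THEN 'Unknown'
           WHEN credit_limit IN (100, 200) THEN 'Low'
           WHEN credit_limit = 5000        THEN 'High'
           ELSE 'Medium'
       END AS credit_band
FROM customers;
```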
