NAC Framework and NAC Appliance in scenary WAN
How will be the scenary of NAC appliance and NAC Framework in a topology WAN, for example i have my core and remote office and I want to implement NAC for all remote site and central site.
which will be the solution?
Best Regards
Hello Daladen,
Which is the solution for WAN topology in NAC Appliance?
one NAS for Site? and the NAM in the Central?
Thanks
Ãlvaro
Similar Messages
-
NAC Framework vs NAC Appliance??? Cisco says, Appliance is 'easier'...
Hi
So I've recently been told by Cisco that I shouldn't be deploying the NAC framework and that they REALLY suggest the appliance instead. Can anyone provide me with some REAL reasons why I'd want to purchase more hardware from Cisco when I've already got all the necessary pieces for the Framework deployed on my network. Cisco, at this point, has not given me a good reason other than, the appliance is easier to deploy...and to me, that is a highly subjective statement. Please help. Thanks
JasonJason,
From my experience the appliances are the way to go. It is just like Colin said, the deployment is much easier. What's more the testing is much easier. For instance, in a typical out-of-band solution for a wired network you could test your configuration on a single port on a single switch. This is much less invasive than the NAC framework and much easier to tune.
Just my 2 cents. Hope this helps.
Paul -
NAC Server and NAC Manager installation
Hi experts,
When I've tried adding NAC Server to NAC Manager in CAM web management, it prompts: Failed to add server: Could not connect to 10.130.80.81
Is there anything I can do for solving this?
I'm new for NAC Manager and Server installation.
The version using is 4.8.2
BTW, I don't know how to generate SSL certificates (not temporarily) for installation, can anyone help also?
Thanks in advance!
Regards,
DanielHi Daniel,
this is related to the certificate issue.
just generate temp certificate in NAM and NAS.
Export the certificate along with key and store it in different location.
then in SSL option there is trusted certificate authority
load NAS certificate in NAM and NAM certificate in NAS. then try to configure or add NAS to NAM.
it will work. -
NAC FRAMEWORK and Clean Access
could anyone please tell me whether cisco supports both of these now
Yes it supports these.
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps8788/prod_qas0900aecd806bfe39_ps6128_Products_Q_and_A_Item.html -
Configuring NAC Framework ( NAC-L3-IP ), any guides or help?
So I've been doing some research on the NAC Framework and the various modes of operation. So far, I've gotten NAC-L2-802.1x working great and I'd like to add on the NAC-L3-IP on our edge routers/firewalls, but I can't find any guides detailing how to do so...everything says to see the "NAC Implementation Guide" which I can't find anyplace. Can anyone direct me to a NAC-L3-IP guide? Thanks very much.
JasonHi,
below is the link, On left had side you will find tech doc.
http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
The below link also will help more.
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_cca.html
Hope this helps.
Regards
pravin -
NAC Framework Windows HotFixes
Hello,
I have implemented NAC Framework and i want know how i can manage the windows hotfixes. I want detect if the user have all hotfixes and if is missed return Checkup Posture-Token.
Regards.The following url has enough information ,
http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html -
NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???
Hi
I'm trying to setup my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is;
Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
Cisco 1811 router (inter-vlan routing)
Cisco Secure ACS (90 day trial) 4.2
CTA 2.1.103
CSSC 5.1.0.39
Windows XP SP3 client machine
So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says its waiting for an ip address, it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there is no passes or fails for this host. I know RADIUS is working from this switch as I have it setup for login authentication which works just fine. I am completely stumped and the only thing I can think of is trying to install a full certificate server and going that way, instead of the Self Signed Cert which CSACS has generated and I've copied the .cer file to the client and installed it and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
Jason
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
Client port;
interface FastEthernet0/1
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period server
dot1x reauthenticationYou can refer to the below URL for future reference:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html -
Difference between NAC profiler/collector and NAC server
Hi,
could anyone tell me the difference between NAC collector and NAC server?
Thank you very much.
Best regards.
GiuseppeSorry edunn, but your description of the NAC Collector is not particularly helpful. If I may:
The NAC Profiler/collector is OEM'd from Great Bay Software. It performs automatic whitelisting of agentless devices, like IP phones and PBXs, printers, etc. In a NAC deployment without the profiler you'd have to go in to the NAC Server and manually enter the MAC addresses and/or IP addresses of devices that should bypass authentication and/or posture assessment. In a small environment that's not a big deal, but with multiple offices and/or subnets (with lots of phones or printers) this can be a hassle. Its also a big risk: If I know you're whitelisting by mac/IP I'll just go to a printer, print out its config page, set my NIC to have the same settings, and boom - I've just bypassed your $$ NAC solution, thankyouverymuch.
The nice thing about the NAC profiler is that its -not- static: every time a switchport goes up/down, or a new MAC address is detected, an SNMP trap gets sent to the profiler. You can also forward (via ip-helper) all DHCP requests to the profiler (it doesn't respond or issue an IP address, of course, but it does look at what options you requested.) It will look at the MAC vendor address, IP address, DHCP options, network traffic (via Netflow), SPAN port traffic, has an open port (eg. 9100 or 515 for printing) or a combination of the above, and dynamically whitelist agentless devices based on confidence level.
Its sort of like a reverse Turing test: if a device says its 'dumb' (no agent) AND acts the way its supposed to, it gets whitelisted. But if the Profiler starts seeing a supposed printer surf the Internet (or start receiving traffic on a port it should, or whatever), then it dynamically removes it from the whitelist, and now it will need to authenticate and pass posture.
You can define different profile groups and what parameters are required for each, and set which groups get whitelisted.
So basically the NAC Server is the gatekeeper, the NAC Manager is the global policy manager, and the NAC Profiler is the automatic whitelister. -
NAC Framework with TrendMicro Policy Server? External Posture Assessment?
Hi
I've got a NAC Framework 2.1 setup using NAC-L2-802.1x with 2950 switches and so far it's working great. I've recently begun testing NAC with TrendMicro OfficeScan, which includes the Trend Policy Server for Cisco NAC.
I've imported the Trend.adf file, created a new Internal Posture Validation to check these TrendAV settings (DAT version, protection enabled, etc) and it is working great with the clients. (Healthy if up to date, quarantined if out of date).
What I'm trying to do is get this integrated with the Trend Policy Server for Cisco NAC. I've created an External Posture Validation entry for the Trend Policy Server;
https://win2k3std:4343/antibody
And have supplied it with the password (no username is needed to login to the web console of this server). I've also selected Trend:AV as the forwarding credential. I've gone into Network Access Profiles and made sure this was selected as an External Posture Validation Server and set it to quarantine under "Failure Posture Token". When I test this from the client (once I've enable External Posture Validation), it always ends up quarantined (even though the client is fully up to date). If I disable the External Posture Validation server from the NAP, the client test passes as Healthy (since all AV is up to date).
I've got the Policy Server for Cisco NAC defined under NAC on my Trend OfficeScan server, and on the Policy Server for Cisco NAC, I've got the OfficeScan server defined. Yet, no matter what I've tried, the client always fails with this msg in the CSACS logs;
Posture Validation Failure on External Policy
Does anyone have any experience or help with this. Thanks very much.
Jason HumesPlease check the links for the Configuration and Troubleshoot of NAC
www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860 -
Nac framewwork or nac appliance which is better
hi all can someone just advise which is a better solution the nac appliance or the nac framework.
regards
sushilHi Sushil,
If you are taking a poll, please count me in for the appliance over the NAC framework. I've done both and there are more variables in the framework than when you use the appliances. From my experience, the more variables the harder it is to troubleshoot. Your mileage may vary.
I would also add that doing an implementation which employs a Virtual Gateway, Out-of-Band
for wired users, and Central Deployment is the best use of your time and money.
Of course, if you are using NAC for VPN and Wireless users you still need dedicated CAS devices for these require In-band deployments.
Hope this helps.
Paul -
How to qualify for NAC Framework?
Hi, we have been considering NAC for a while and have evaluated NAC Appliance. However, we have a requirement to use 802.1x for posture validation, authentication etc. I have looked at cisco trust agent and there is a statement about needing to be 'approved' to deploy CTA? Any one have any ideas about how to go about this and to be able to deploy NAC framework? We feel framework fits our situation much better than appliance. Many thanks for your time.
Exact statement would be
"The Cisco Trust Agent is available for download only by customers approved to deploy the NAC Framework solution. If you are not approved, please contact your Cisco account team about Cisco NAC solutions. Deprecated versions of Cisco Trust Agent - CLITE client may be found at http://www.cisco.com/cgi-bin/tablebuild.pl/cta-deprecated "
From the URL http://www.cisco.com/cgi-bin/tablebuild.pl/cta -
ISE and NAC wireless guest networks
I have a wireless network that is NAC controlled and use lobby ambassador for guest wireless. What is the best way to migrate to ISE for guest. Are there problems running NAC and ISE on the same controller?
Sent from Cisco Technical Support iPad AppHello,
For your query regarding ISE and NAC following are my findings, which might help you in order to solve your query.
for your first question:-
ISE is a free software upgrade for customers who have NAC appliance or NAC profiler. This is for both for the base and advance licenses.
ISE is a 50% software discount for customers who have NAC guest server. The 50% discount is a migration part for the base license only. The advance features license will not be impacted by this discount.
for your second question:-
There should be no issues running NAC and ISE on the same controller until and unless you are using two SSIDs. -
NAC Framework with 802.1x authentication
I am having trouble getting support and information on NAC framework. According to the cisco web NAC framework is in Phase 2 and is useable. According to Cisco representitives it is not supported yet. I have ACS 4.1, CTA 2.0, Symantec 10.1.4, and CSA 4.5. I can get NAC to work Layer 2, 802.1x to authenticate, but I cannot get both to work at the same time. Also, I have found no support for Symantec being checked even after I loaded the posture plugin, adf, etc. Is it time to give up on NAC framework? Thanks.
My friend, i have a customer with whis configuration and worki fine.
symantec need antivirus version 10 (8 or 9 no !!!!), the symantec posture plug installed in the clients.
work fine wiht w2k and xp
cta 2.x work fine. 1.x only work with L3 ip, no 802.1x.
csa i don?t have experience.
take care, it is hard to configure, if you need something more ask me to.
Leo. -
Hi
I have a customer who currently is using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecureID tokens for authentication added which is fine but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network as in this Cisco document:
http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a008074d641.shtml
That looks like it will work fine for VPN access but what about the outgoing Internet access for the current internal users will that be OK still or do I need to use a separate ASA for VPN access with NAC. Oh yes will I need an ACS as well or can the NAC talk directly to the SecureID appliance either using radius or RSA's own protocol ? Sorry if these are dumb questions but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly and can work out the details later.
Thanks
PatYou can use a single ASA for internet access and NAC VPN.
If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server and normal internet traffic will bypass the Cisco NAC Server.
If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into internal nework). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.
Cisco NAC VPN SSO uses Radius accounting packets to authenticate VPN users. The ASA will interface with the Token server. Once authenticated, the ASA will send a Radius accounting packet to the Cisco NAC Server.
VGW Example
NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
Real IP example
Integrating with Cisco VPN Concentrators
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAS/s_vpncon.html
Regards,
Dan Laden -
NAC Framework NAC-L3-IP, passing posture validation, but no ACLs downloaded
Hi
I've got the NAC Framework NAC-L3-IP setup using an 1800 router and Cisco ACS Server 4.2. When my client attempts to reach the internet (through our NAD configured for network admission), I get a popup saying the Posture is Healthy, the ACS server says its good, yet I never get any of my configured ACLs downloaded to the router. I think my problem is with my RADIUS AUthorization Components...what should the Healthy RAC look like? This is what I've currently got;
IETF Session-Timeout (27) 36000
IETF Termination-Action (29) RADIUS-Request (1)
Cisco IOS/PIX 6.0 cisco-av-pair (1) status-query-timeout=300
I've got that RAC tied to a NAP and a downloadable ACL also associated to it through the Network Access Profiles page.
Can anyone provide help with this. ThanksOoops, nevermind, I had to enable aaa authorization network default group radius and then the ACLs downloaded as expected. Thanks!
Jason
Maybe you are looking for
-
Does anyone share my problem with atv3 I can play films through iTunes without any problems. When I start playing music using the remote app on my iPhone 3GS after around 5 tracks in it just stops playing and seems to lose my connection. Hoping this
-
Can't open MOV files in FCP: "Searching for movie data in file..."
I know this has been posted before, but none of them seem to match up to what I'm all of a sudden dealing with. I have 4 MOV files that I'm converting to WMV. Movie 1 & 2 exported fine. Now, however, any time I try to open another MOV file, I get an
-
Deactivate the automatic interpolation of data in DIAdem
Bonjour! Nous sommes intéressés à désactiver l'interpolation que DIAdem fait automatiquement des données manquantes d'une base de données MySQL. En fait nous voudrions fixer une valeur de plage manquante à partir de laquelle l'interpolation des donné
-
"This form is not supported" with updated version on iMac.
I can view PDFs in Safari, but when I click save and open the document on my computer, the document states "Warning: This form is not supported with the current version of Acrobat or Adobe Reader. Upgrade to the latest version for full support." I am
-
Problem after downloading mountain lion
Ihave just downloaded mountain lion from the app store to my iMac which was running macOSX Lion. When I restarted the computer the Lion symbol comes up and after putting in my password the toolbar appears but then I am asked wheter I want to install