NAC Framework NAC-L3-IP, passing posture validation, but no ACLs downloaded

Hi
I've got the NAC Framework NAC-L3-IP set up using an 1800 router and Cisco ACS Server 4.2. When my client attempts to reach the internet (through our NAD configured for network admission), I get a popup saying the Posture is Healthy, the ACS server says it's good, yet I never get any of my configured ACLs downloaded to the router. I think my problem is with my RADIUS Authorization Components... what should the Healthy RAC look like? This is what I've currently got:
IETF Session-Timeout (27) 36000
IETF Termination-Action (29) RADIUS-Request (1)
Cisco IOS/PIX 6.0 cisco-av-pair (1) status-query-timeout=300
I've got that RAC tied to a NAP and a downloadable ACL also associated to it through the Network Access Profiles page.
Can anyone provide help with this? Thanks

Oops, never mind, I had to enable "aaa authorization network default group radius" and then the ACLs downloaded as expected. Thanks!
Jason
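For reference, this is what a minimal NAC-L3-IP NAD configuration looks like with the line Jason was missing in place. It is an added example, not configuration from the original post; the RADIUS server address and key, the ACL and admission-rule names, and the interface addressing are constructed placeholders.

```text
! Constructed example: minimal NAC-L3-IP (EAPoUDP) configuration on an IOS NAD.
! 10.1.1.10, the key, ACL names and rule name are placeholders, not from the thread.
aaa new-model
aaa authentication eou default group radius
! Without the next line the router never asks ACS for the authorization
! profile, so posture shows Healthy but no RAC/downloadable ACL arrives.
aaa authorization network default group radius
aaa accounting network default start-stop group radius
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key <radius-key>
! Vendor-specific attributes (cisco-av-pair, ACS downloadable ACL) are only
! exchanged when VSA sending is enabled.
radius-server vsa send authentication
!
! Admission rule that triggers EAPoUDP posture validation for intercepted hosts.
ip admission name NAC-L3 eapoudp
!
! Interface ACL = default policy applied before posture completes.
! EAPoUDP (UDP 21862) has to be permitted or validation never starts; the
! per-host entries downloaded from ACS are inserted ahead of this ACL later.
ip access-list extended NAC-DEFAULT
 permit udp any any eq 21862
 permit udp any any eq domain
 deny   ip any any
!
interface FastEthernet0
 description client-facing interface
 ip address 192.168.10.1 255.255.255.0
 ip access-group NAC-DEFAULT in
 ip admission NAC-L3
!
! Verification:
!   show eou all                      -> posture token per host (Healthy, Quarantine, ...)
!   show ip admission cache           -> hosts that have passed admission on the interface
!   show ip access-lists NAC-DEFAULT  -> downloaded per-host ACEs appear as dynamic entries
```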

Similar Messages

  • NAC Framework NAC-L2-802.1x with Wireless AP1242AG?

    Hi
    Can anyone provide some info on setting up NAC-L2-802.1x with a Wireless AP1242AG (not using the NAC Appliance, but the Framework)? I can't seem to find the equivalent of the "dot1x port-control auto" command on the access point. Thanks
    Jason

    NAC assesses the state, or posture, of a host to prevent unauthorized or vulnerable endpoints from accessing the network. Enforcement is performed through an authorization policy that is centrally defined on a single ACS server or delegated to multiple NAC posture validation servers.

  • NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???

    Hi
    I'm trying to set up my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is:
    Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
    Cisco 1811 router (inter-vlan routing)
    Cisco Secure ACS (90 day trial) 4.2
    CTA 2.1.103
    CSSC 5.1.0.39
    Windows XP SP3 client machine
    So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section, and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch, as I have it set up for login authentication, which works just fine. I am completely stumped, and the only thing I can think of is trying to install a full certificate server and going that way, instead of the self-signed cert which CSACS has generated; I've copied the .cer file to the client, installed it and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
    Jason
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    Client port:
    interface FastEthernet0/1
    switchport mode access
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x reauthentication

    You can refer to the below URL for future reference:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

  • Configuring NAC Framework ( NAC-L3-IP ), any guides or help?

    So I've been doing some research on the NAC Framework and the various modes of operation. So far, I've gotten NAC-L2-802.1x working great and I'd like to add on the NAC-L3-IP on our edge routers/firewalls, but I can't find any guides detailing how to do so...everything says to see the "NAC Implementation Guide" which I can't find anyplace. Can anyone direct me to a NAC-L3-IP guide? Thanks very much.
    Jason

    Hi,
    Below is the link; on the left-hand side you will find the tech docs.
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
    The link below will also help.
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_cca.html
    Hope this helps.
    Regards
    pravin

  • NAC Framework - NAC-L2-802.1x without CSSC client?

    Hi
    I'm just wondering if it is possible to do NAC-L2-802.1x without the use of the CSSC client? I've managed to get this working with the CSSC client with no problems, but have been having nothing but problems trying to get this working without. This client software is pretty expensive and if it is possible to get around using it, that'd be great. Thanks for any info.
    Jason

    You can do 802.1x without CSSC; you cannot support remediation without it, however. 802.1x by itself gives you authentication and dynamic VLAN assignment.

  • Podcast feed validated but can't download or listen to the podcast

    New to submitting a podcast to iTunes. I used feedvalidator.org to validate the RSS feed and tested using Subscribe to Podcast in iTunes. I can see the podcast but cannot download/get/play the episodes.
    Here's the feed: http://www.imf.org/external/images/itunesfeed.xml
    Hope that you can offer some suggestions or advice - thanks!

    I noted the URL for one of your episodes and downloaded it. It wouldn't play and indeed claimed to be ASCII text. Opening it in a text editor produced this:
    [Reference]
    Ref1=http://www-media.imf.org/2009/boughton_031209.mp3?MSWMExt=.asf
    Ref2=http://204.180.229.30:80/2009/boughton_031209.mp3?MSWMExt=.asf
    Actually trying to open it in a browser appeared to be connecting to the second URL listed there - I didn't want to wait for it to download.
    It looks as if you are using some sort of redirection process, which I don't know enough to comment on: the URLs given in the 'enclosure' tags in the feed must be actual URLs of mp3 files, not any sort of redirection process.

  • NAC Framework with TrendMicro Policy Server? External Posture Assessment?

    Hi
    I've got a NAC Framework 2.1 setup using NAC-L2-802.1x with 2950 switches and so far it's working great. I've recently begun testing NAC with TrendMicro OfficeScan, which includes the Trend Policy Server for Cisco NAC.
    I've imported the Trend.adf file, created a new Internal Posture Validation to check these TrendAV settings (DAT version, protection enabled, etc) and it is working great with the clients. (Healthy if up to date, quarantined if out of date).
    What I'm trying to do is get this integrated with the Trend Policy Server for Cisco NAC. I've created an External Posture Validation entry for the Trend Policy Server:
    https://win2k3std:4343/antibody
    And have supplied it with the password (no username is needed to log in to the web console of this server). I've also selected Trend:AV as the forwarding credential. I've gone into Network Access Profiles and made sure this was selected as an External Posture Validation Server and set it to quarantine under "Failure Posture Token". When I test this from the client (once I've enabled External Posture Validation), it always ends up quarantined (even though the client is fully up to date). If I disable the External Posture Validation server from the NAP, the client test passes as Healthy (since all AV is up to date).
    I've got the Policy Server for Cisco NAC defined under NAC on my Trend OfficeScan server, and on the Policy Server for Cisco NAC, I've got the OfficeScan server defined. Yet, no matter what I've tried, the client always fails with this msg in the CSACS logs:
    Posture Validation Failure on External Policy
    Does anyone have any experience or help with this? Thanks very much.
    Jason Humes

    Please check the links for the Configuration and Troubleshoot of NAC
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

  • ACS / NAC phase 2 / posture validation with symantec AV

    Hi,
    We are encountering a problem implementing NAC phase 2 with Symantec.
    ACS is an appliance, version 4.0.
    We've installed the Symantec AV pair on the ACS: that's OK.
    The following software is installed on the client PC:
    - Cisco CTA : ctasetup-win-2.0.1.14.exe
    - Aegis SecureConnect 2KXP-4_0_4.msi
    - Symantec client security posture plug-in.msi together with the associated setup.exe
    Moreover, client PC is configured to use EAP-FAST with mschapv2.
    We've defined an internal posture validation on the ACS.
    The first rule of this posture is performed on the following Symantec AV pair: Symantec:AV:Dat-Date days-since-lastupdate.
    When the first rule of this posture matches, the associated posture token (RADIUS authorization component) doesn't return the associated VLAN, so the user must be placed into the VLAN associated by default on the port.
    The default rule is associated with another authorization component that returns the quarantine VLAN.
    The problem is that we don't manage to match on this posture.
    It's as if the client doesn't send the parameters.
    Logs on the ACS indicate the following:
    - message type : authen failed
    - authen failure code : posture validation failure (general)
    - eap type name : EAP-FAST
    - reason: no matched required credential types in any posture validation rule
    - cisco:PA:OS-type : OK, well retrieved (windows XP professional)
    - cisco:Host:ServicePack: OK, well retrieved (service pack 2)
    - but none of the Symantec AV could be retrieved.
    Symantec indicated to us that their AV server isn't yet compatible with ACS.
    So external posture validation isn't possible in our case.
    Only internal posture validation should work.
    But no way to retrieve Symantec information from CTA.
    Thanks in advance for your attention.
    Best Regards,
    Arnaud

    Hi.
    Please examine the following directories on the client PC. Is the Symantec plugin file installed?
    \Program Files\Common Files\PostureAgent\Plugins
    \Program Files\Common Files\PostureAgent\Plugins\Install
    Plugin Installation and Upgrade
    Each NAC-compliant application is responsible for installing its own posture plugin on end systems.
    Plugins for Windows environments are installed in this directory:
    \Program Files\Common Files\PostureAgent\Plugins\Install
    When CTA receives a posture request, it scans the PostureAgent\Plugins\Install directory for new or updated posture plugins. If there are new or updated posture plugins in the PostureAgent\Plugins\Install directory, CTA performs one of the following actions:
    - If the .dll plugin does not exist in the PostureAgent\Plugins directory, CTA moves the plugin files from the PostureAgent\Plugins\Install directory to the PostureAgent\Plugins directory.
    - If the .dll plugin does exist in the PostureAgent\Plugins directory, then CTA checks to see if the plugin in the PostureAgent\Plugins\Install directory is newer than the one in the Plugins directory. CTA then moves the newer plugin to the PostureAgent\Plugins directory and overwrites the older one. If the plugin in the PostureAgent\Plugins\Install directory is older than the one in the Plugins directory, CTA deletes it and continues to use the original plugin.
    - If the plugin creates an error during registration, CTA moves the plugin to the following directory (if logging is enabled, the error information is logged):
    http://www.cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870db.html
    best regards,
    sahase

  • How to qualify for NAC Framework?

    Hi, we have been considering NAC for a while and have evaluated NAC Appliance. However, we have a requirement to use 802.1x for posture validation, authentication etc. I have looked at Cisco Trust Agent and there is a statement about needing to be 'approved' to deploy CTA. Does anyone have any ideas about how to go about this and be able to deploy NAC Framework? We feel Framework fits our situation much better than Appliance. Many thanks for your time.

    Exact statement would be
    "The Cisco Trust Agent is available for download only by customers approved to deploy the NAC Framework solution. If you are not approved, please contact your Cisco account team about Cisco NAC solutions. Deprecated versions of Cisco Trust Agent - CLITE client may be found at http://www.cisco.com/cgi-bin/tablebuild.pl/cta-deprecated "
    From the URL http://www.cisco.com/cgi-bin/tablebuild.pl/cta

  • NAC Framework with 802.1x authentication

    I am having trouble getting support and information on NAC Framework. According to the Cisco web site NAC Framework is in Phase 2 and is usable. According to Cisco representatives it is not supported yet. I have ACS 4.1, CTA 2.0, Symantec 10.1.4, and CSA 4.5. I can get NAC to work at Layer 2, and 802.1x to authenticate, but I cannot get both to work at the same time. Also, I have found no support for Symantec being checked even after I loaded the posture plugin, adf, etc. Is it time to give up on NAC Framework? Thanks.

    My friend, I have a customer with this configuration and it works fine.
    Symantec needs antivirus version 10 (not 8 or 9!!!!), with the Symantec posture plugin installed on the clients.
    It works fine with W2K and XP.
    CTA 2.x works fine. 1.x only works with L3 IP, not 802.1x.
    With CSA I don't have experience.
    Take care, it is hard to configure; if you need something more, ask me.
    Leo.

  • NAC Framework Windows HotFixes

    Hello,
    I have implemented NAC Framework and I want to know how I can manage the Windows hotfixes. I want to detect whether the user has all hotfixes and, if any is missing, return the Checkup posture token.
    Regards.

    The following URL has enough information:
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

  • NAC Framework and NAC Appliance in scenary WAN

    What would the scenario be for NAC Appliance and NAC Framework in a WAN topology? For example, I have my core and remote offices and I want to implement NAC for all remote sites and the central site.
    Which would be the solution?
    Best Regards

    Hello Daladen,
    Which is the solution for a WAN topology in NAC Appliance?
    One NAS per site, and the NAM at the central site?
    Thanks
    Álvaro

  • NAC Framework vs NAC Appliance??? Cisco says, Appliance is 'easier'...

    Hi
    So I've recently been told by Cisco that I shouldn't be deploying the NAC framework and that they REALLY suggest the appliance instead. Can anyone provide me with some REAL reasons why I'd want to purchase more hardware from Cisco when I've already got all the necessary pieces for the Framework deployed on my network. Cisco, at this point, has not given me a good reason other than, the appliance is easier to deploy...and to me, that is a highly subjective statement. Please help. Thanks
    Jason

    Jason,
    From my experience the appliances are the way to go. It is just like Colin said, the deployment is much easier. What's more the testing is much easier. For instance, in a typical out-of-band solution for a wired network you could test your configuration on a single port on a single switch. This is much less invasive than the NAC framework and much easier to tune.
    Just my 2 cents. Hope this helps.
    Paul

  • NAC FRAMEWORK

    Hello,
    I want to know: if NAC Framework is EOL/EOS, what deployment can I use?
    Best Regards
    Álvaro

    I believe NAC Appliance is the one closest to NAC framework:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html
    regards,

  • Posture validation in SOHO - Extended wireless from corporate

    Hi,
    I have a customer moving from a Cisco NAC based solution to Cisco ISE. NAC should be provided to wireless and the SOHO users (wireless). We implemented an Airespace ACL on the Cisco ISE, which will push the ACL to the wireless APs (FlexConnect ACL) based on the posture validation. If the posture validation fails, an ACL specific to a particular endpoint will be pushed to the AP.
    However, the same Airespace ACL is not working on the VPN routers (800 series). The VPN routers' integrated wireless solution doesn't understand the Airespace ACL av-pair, and I don't think we can configure FlexConnect ACLs on the SOHO routers. Do you have any other idea of how we can enforce the ACL based on the posture validation? A downloadable ACL works on an interface; I don't think it can be enforced on a per-user basis.
    Is there any way to push the ACL? Do posture validation & remediate the endpoint with limited access?
    Pardon me for my gmail account. I haven't received the BT id yet.
    Thanks,
    Ramesh

    Had a similar problem where I wasn't exactly sure how to set up the provisioning part of the flow. I was pretty sure I had all the rules in place.
    I found an excellent Cisco TAC guide which details setting up AnyConnect for the posture assessment. They include a part to say here's where you put in the NAM and/or VPN settings, but you don't need to. In fact, if you do wish to load some, you need to use Cisco's standalone NAM Profile Editor.
    Hope the TAC article helps you out, it got me to understand the process of what was happening for client provisioning.
