NAC Framework vs NAC Appliance??? Cisco says, Appliance is 'easier'...

Hi
So I've recently been told by Cisco that I shouldn't be deploying the NAC framework and that they REALLY suggest the appliance instead. Can anyone provide me with some REAL reasons why I'd want to purchase more hardware from Cisco when I've already got all the necessary pieces for the Framework deployed on my network? Cisco, at this point, has not given me a good reason other than that the appliance is easier to deploy... and to me, that is a highly subjective statement. Please help. Thanks
Jason

Jason,
From my experience the appliances are the way to go. It is just like Colin said, the deployment is much easier. What's more the testing is much easier. For instance, in a typical out-of-band solution for a wired network you could test your configuration on a single port on a single switch. This is much less invasive than the NAC framework and much easier to tune.
Just my 2 cents. Hope this helps.
Paul

Similar Messages

  • NAC Framework and NAC Appliance in a WAN scenario

    What would the scenario of NAC Appliance and NAC Framework look like in a WAN topology? For example, I have my core and a remote office, and I want to implement NAC for all remote sites and the central site.
    Which would be the solution?
    Best Regards

    Hello Daladen,
    Which is the solution for a WAN topology with NAC Appliance?
    One NAS per site, and the NAM in the central site?
    Thanks
    Álvaro

  • NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???

    Hi
    I'm trying to set up my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is:
    Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
    Cisco 1811 router (inter-vlan routing)
    Cisco Secure ACS (90 day trial) 4.2
    CTA 2.1.103
    CSSC 5.1.0.39
    Windows XP SP3 client machine
    So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section, and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch as I have it set up for login authentication, which works just fine. I am completely stumped, and the only thing I can think of is trying to install a full certificate server and going that way, instead of the self-signed cert which CSACS has generated. I've copied the .cer file to the client, installed it, and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
    Jason
    ! Global AAA and dot1x configuration
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    Client port:
    interface FastEthernet0/1
     switchport mode access
     dot1x port-control auto
     dot1x timeout reauth-period server
     dot1x reauthentication

    You can refer to the URLs below for future reference:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

  • NAC Appliance - Cisco Clean Access v4.7.0

    Hi,
    I have a NAC appliance (Lite manager and server) version 4.7.0. Do these devices support Windows 7? The last time I checked, it only supported Win XP, 2k, Me, NT, 95, 98 and Vista, but I did not see the Windows 7 OS. I want to upgrade the client workstations from Windows XP to Windows 7, but I'm not sure if it's going to be supported by the NAC Appliance I have. Could somebody help me on this? Thanks in advance.
    Richard

    Cisco is also introducing improved abilities to assess the security risk of unmanaged or agentless endpoints/devices, that do not support the CTA and are attempting to gain network access. This is accomplished through collaboration with a new auditing category of NAC partner program vendors. Vendors joining this new category include Altiris, Qualys, and Symantec (through the WholeSecurity acquisition). Collaboration with these vendor solutions helps the NAC framework dramatically improve its ability to assess the risk of agentless devices such as guest laptops, printers, PDAs, and Internet Protocol telephones. These devices can now be audited by this new category of partners. The audit results will then be communicated back to the network to enforce the proper network admission decision.
    http://newsroom.cisco.com/dlls/2005/prod_101805.html

  • NAC Appliance & Cisco Trust Agent

    Hi,
    I have a requirement to implement NAC using the NAC Appliance (Cisco Clean Access). Does anyone know if this will work correctly with CTA in the same way that the NAC framework would do?? I am interested as I wish to use the Cisco Secure Services Client as an 802.1x supplicant and this interfaces directly with the CTA.

    Cisco is also introducing improved abilities to assess the security risk of unmanaged or agentless endpoints/devices, that do not support the CTA and are attempting to gain network access. This is accomplished through collaboration with a new auditing category of NAC partner program vendors. Vendors joining this new category include Altiris, Qualys, and Symantec (through the WholeSecurity acquisition). Collaboration with these vendor solutions helps the NAC framework dramatically improve its ability to assess the risk of agentless devices such as guest laptops, printers, PDAs, and Internet Protocol telephones. These devices can now be audited by this new category of partners. The audit results will then be communicated back to the network to enforce the proper network admission decision.
    http://newsroom.cisco.com/dlls/2005/prod_101805.html

  • NAC framework or NAC appliance: which is better?

    Hi all, can someone just advise which is the better solution, the NAC appliance or the NAC framework?
    regards
    sushil

    Hi Sushil,
    If you are taking a poll, please count me in for the appliance over the NAC framework. I've done both and there are more variables in the framework than when you use the appliances. From my experience, the more variables the harder it is to troubleshoot. Your mileage may vary.
    I would also add that doing an implementation which employs a Virtual Gateway, Out-of-Band for wired users, and Central Deployment is the best use of your time and money.
    Of course, if you are using NAC for VPN and wireless users you still need dedicated CAS devices, as these require in-band deployments.
    Hope this helps.
    Paul

  • Configuring NAC Framework ( NAC-L3-IP ), any guides or help?

    So I've been doing some research on the NAC Framework and the various modes of operation. So far, I've gotten NAC-L2-802.1x working great and I'd like to add on the NAC-L3-IP on our edge routers/firewalls, but I can't find any guides detailing how to do so...everything says to see the "NAC Implementation Guide" which I can't find anyplace. Can anyone direct me to a NAC-L3-IP guide? Thanks very much.
    Jason

    Hi,
    Below is the link; on the left-hand side you will find the tech docs.
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
    The link below will also help.
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_cca.html
    Hope this helps.
    Regards
    pravin

  • NAC Framework with TrendMicro Policy Server? External Posture Assessment?

    Hi
    I've got a NAC Framework 2.1 setup using NAC-L2-802.1x with 2950 switches and so far it's working great. I've recently begun testing NAC with TrendMicro OfficeScan, which includes the Trend Policy Server for Cisco NAC.
    I've imported the Trend.adf file, created a new Internal Posture Validation to check these TrendAV settings (DAT version, protection enabled, etc) and it is working great with the clients. (Healthy if up to date, quarantined if out of date).
    What I'm trying to do is get this integrated with the Trend Policy Server for Cisco NAC. I've created an External Posture Validation entry for the Trend Policy Server:
    https://win2k3std:4343/antibody
    And I have supplied it with the password (no username is needed to log in to the web console of this server). I've also selected Trend:AV as the forwarding credential. I've gone into Network Access Profiles and made sure this was selected as an External Posture Validation Server and set it to quarantine under "Failure Posture Token". When I test this from the client (once I've enabled External Posture Validation), it always ends up quarantined (even though the client is fully up to date). If I disable the External Posture Validation server from the NAP, the client test passes as Healthy (since all AV is up to date).
    I've got the Policy Server for Cisco NAC defined under NAC on my Trend OfficeScan server, and on the Policy Server for Cisco NAC, I've got the OfficeScan server defined. Yet, no matter what I've tried, the client always fails with this message in the CSACS logs:
    Posture Validation Failure on External Policy
    Does anyone have any experience or help with this? Thanks very much.
    Jason Humes

    Please check the links for the configuration and troubleshooting of NAC:
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

  • How to qualify for NAC Framework?

    Hi, we have been considering NAC for a while and have evaluated NAC Appliance. However, we have a requirement to use 802.1x for posture validation, authentication, etc. I have looked at Cisco Trust Agent and there is a statement about needing to be 'approved' to deploy CTA? Anyone have any ideas about how to go about this and be able to deploy NAC framework? We feel framework fits our situation much better than appliance. Many thanks for your time.

    Exact statement would be
    "The Cisco Trust Agent is available for download only by customers approved to deploy the NAC Framework solution. If you are not approved, please contact your Cisco account team about Cisco NAC solutions. Deprecated versions of Cisco Trust Agent - CLITE client may be found at http://www.cisco.com/cgi-bin/tablebuild.pl/cta-deprecated "
    From the URL http://www.cisco.com/cgi-bin/tablebuild.pl/cta

  • NAC FRAMEWORK

    Hello,
    I want to know: if NAC FRAMEWORK is EOL/EOS, what deployment can I use?
    Best Regards
    Álvaro

    I believe NAC Appliance is the one closest to NAC framework:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html
    regards,

  • NAC Framework NAC-L3-IP, passing posture validation, but no ACLs downloaded

    Hi
    I've got the NAC Framework NAC-L3-IP set up using an 1800 router and Cisco ACS Server 4.2. When my client attempts to reach the internet (through our NAD configured for network admission), I get a popup saying the posture is Healthy, the ACS server says it's good, yet I never get any of my configured ACLs downloaded to the router. I think my problem is with my RADIUS Authorization Components... what should the Healthy RAC look like? This is what I've currently got:
    IETF Session-Timeout (27) 36000
    IETF Termination-Action (29) RADIUS-Request (1)
    Cisco IOS/PIX 6.0 cisco-av-pair (1) status-query-timeout=300
    I've got that RAC tied to a NAP and a downloadable ACL also associated to it through the Network Access Profiles page.
    Can anyone provide help with this? Thanks

    Oops, never mind, I had to enable aaa authorization network default group radius and then the ACLs downloaded as expected. Thanks!
    Jason
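    Added example (not from this thread or from Cisco): a small Python lint for the switch-side prerequisites of the NAC-L2-802.1x config posted in the 2950 thread above, including the global `aaa authorization network default group radius` line whose absence kept the downloadable ACLs from arriving in this NAC-L3-IP thread. The required-command lists and the sample config are constructed for illustration; the parser only understands the plain "interface ... / indented sub-commands / !" layout of an IOS running-config.

```python
# Added example (not from the thread or from Cisco): lint an IOS running-config
# for the NAC-L2-802.1x prerequisites the posts above rely on.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    # Without this line the device never applies downloadable ACLs.
    "aaa authorization network default group radius",
    "dot1x system-auth-control",
]
REQUIRED_PORT = ["switchport mode access", "dot1x port-control auto"]


def parse_config(text):
    """Split IOS config text into (global_lines, {interface: [sub_lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' or a blank line ends an interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def lint_nac_config(text):
    """Return findings as strings; an empty list means nothing is missing."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL
                if c not in global_lines]
    for name, lines in interfaces.items():
        # Only ports that carry any dot1x command are expected to be complete.
        if any(l.startswith("dot1x") for l in lines):
            findings += [f"{name}: missing '{c}'" for c in REQUIRED_PORT
                         if c not in lines]
    return findings


# Constructed sample: the authorization line is missing, and Fa0/2 is a
# dot1x port that was never set to access mode.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 dot1x port-control auto
"""
```

    Running `lint_nac_config(SAMPLE_CONFIG)` reports the missing global authorization command and the incomplete FastEthernet0/2 port; run it against the output of `show running-config` before bringing a client port up.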

  • NAC Framework with 802.1x authentication

    I am having trouble getting support and information on NAC framework. According to the Cisco web site, NAC framework is in Phase 2 and is usable. According to Cisco representatives it is not supported yet. I have ACS 4.1, CTA 2.0, Symantec 10.1.4, and CSA 4.5. I can get NAC to work at Layer 2, and 802.1x to authenticate, but I cannot get both to work at the same time. Also, I have found no support for Symantec being checked even after I loaded the posture plugin, adf, etc. Is it time to give up on NAC framework? Thanks.

    My friend, I have a customer with this configuration and it works fine.
    Symantec needs antivirus version 10 (not 8 or 9!!!!), with the Symantec posture plugin installed on the clients.
    It works fine with W2K and XP.
    CTA 2.x works fine. 1.x only works with L3 IP, not 802.1x.
    CSA I don't have experience with.
    Take care, it is hard to configure; if you need something more, ask me.
    Leo.

  • NAC Framework Windows HotFixes

    Hello,
    I have implemented NAC Framework and I want to know how I can manage the Windows hotfixes. I want to detect if the user has all hotfixes and, if any is missing, return the Checkup posture token.
    Regards.

    The following URL has enough information:
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

  • Logging user commands in Cisco ACE appliance

    Good afternoon gentlemen
    I need to configure the same as shown below in Cisco ACE Appliance. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
    #IOS commands
    no logging console
    logging buffered 307200 informational
    service timestamps log datetime localtime show-timezone
    logging trap debugging
    login on-failure log
    login on-success log
    archive
       log config
          logging enable
          logging size 500
          hidekeys
          notify syslog contenttype plaintext
    If you guys have an idea, please answer.
    Regards
    Christian

    Hello Arun,
    we saw before the message you report, it's probably a symptom of:
    CSCtx03563
    or
    CSCue38032
    I would suggest opening a TAC case to get this properly investigated.
    Kind Regards,
    Francesco

  • Rename (Change of Hostname) of Cisco ISE Appliances !!!

    Hi,
    I am having the two Cisco ISE (Version: 1.1.1.268) appliances. These appliances are running in Failover with the internal CA signed certificates.
    The hostnames are 19 characters long with upper-case letters and a hyphen. The boxes are joined to the domain but frequently get disconnected after some time. After some investigation, we came to know that AD can accept only a 15-character hostname... that's the reason one of the appliances keeps getting disconnected. Also, sometimes the authentications don't work properly.
    My question is how to change the Cisco ISE Appliance hostnames without impacting production and without hassle.
    Send me the steps in detail, or is it just a matter of changing the hostname, registering with DNS under the new names and regenerating the certificates...???
    Need expert opinion....
    Thanks,
    Regards,
    Mubasher

    Hello Mubasher-
    I recently had to do this and I want to warn you to be careful. I had to rename 4 hosts and out of the 4 only 1 remained usable. The other hosts had to be rebuilt. For some reason ISE nodes get very unhappy when trying to change certain things (hostnames, timezone, etc.). Also, keep in mind that even if the renaming goes well you will still impact the environment, as the nodes will restart.
    Here is what I did when I made the change:
    1. Disjoin the ISE nodes from the domain
    2. Ensure that their computer name is removed from AD
    3. Update DNS records
    4. Ensure that DNS records have replicated
    5. Change names on ISE
    6. Join nodes to the domain
    Hope this helps
    Thanks for rating!
