NAC ILO Configuration

Similar Messages

• NAC Switch Configuration

  Hi!!
       I have bought an NAC Server and a Nac Manager, to manage centraly the vlan where the users connect to based on the authentication.
       I have several sites, but the NAC server will be in the headquarters.
       When a remote user authenticates, the nac should configure the user switch port for the right vlan.
       Is this an out-of-band solution?
       Do i need an specific license for out-of-band?
  Best Regard's,
  Miguel Amaral

  Hi,
  You need at least 2 licenses:
  1 - CAM license -> This license is the one you install the first time you access the CAM WEB GUI.
  2 - CAS license -> This license needs to be installed so that you can add Clean Access Servers to the CAM.
  Did you installed the CAS license?
  If not, you need to get the Product Activation Key (PAK) you received allong with the CAs and go to the licensing web page https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet, and request a CAS license. Please note that you need to enter the Clean Access MANAGER eth0 mac address for the Clean Access Server (CAS) licence.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

  Hello,
  I am currently configuring a NAC deployment based on Out-of-Bound OOB with Virtual gateway. Can someone please verify my configs below:
  Core Switch:
  VLAN DB:
  vlan 10
  name VLAN_DEPT1
  vlan 11
  name VLAN_DEPT2
  vlan 20
  name VLAN_DEPT3
  vlan 26
  name VLAN_DEPT4
  vlan 27
  name VLAN_DEPT5
  vlan 28
  name VLAN_DEPT6
  vlan 29
  name VLAN_DEPT7
  vlan 30
  name VLAN_DEPT8
  vlan 32
  name VLAN_DEPT9
  vlan 50
  name VLAN_NetMGT
  vlan 51
  name VLAN_CAS_MGT
  vlan 52
  name VLAN_CAM_MGT
  vlan 210
  name VLAN_DEPT1_Auth
  vlan 211
  name VLAN_DEPT2_Auth
  vlan 220
  name VLAN_DEPT3_Auth
  vlan 226
  name VLAN_DEPT4_Auth
  vlan 227
  name VLAN_DEPT5_Auth
  vlan 228
  name VLAN_DEPT6_Auth
  vlan 229
  name VLAN_DEPT7_Auth
  vlan 230
  name VLAN_DEPT8_Auth
  vlan 232
  name VLAN_DEPT9_Auth
  Interface Configs
  interface GigabitEthernet3/41
  description "Link to Cisco CAM-PRI eth0"
  switchport access vlan 52
  switchport mode access
  spanning-tree portfast
  spanning-tree guard root
  no cdp enable
  no ip address
  interface GigabitEthernet3/42
  description "Link to Cisco CAM-FO eth0"
  switchport access vlan 52
  switchport mode access
  spanning-tree portfast
  spanning-tree guard root
  no cdp enable
  no ip address
  interface GigabitEthernet3/43
  description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 777
  switchport mode trunk
  switchport trunk allowed vlan 210,211,220,226-230,232
  interface GigabitEthernet3/44
  description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 777
  switchport mode trunk
  switchport trunk allowed vlan 210,211,220,226-230,232
  interface GigabitEthernet3/46
  description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 700
  switchport mode trunk
  switchport trunk allowed vlan 10,11,20,26-30,32,50-51
  interface GigabitEthernet3/48
  description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 700
  switchport mode trunk
  switchport trunk allowed vlan 10,11,20,26-30,32,50-51
  interface GigabitEthernet1/1
  description "Trunk link to DEPT1 Access SW"
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 700
  switchport mode trunk
  !------- Example of VLAN Interface --------
  interface Vlan10
  description "DEPT1 VLAN"
  ip address x.x.10.1 255.255.255.0
  ip helper-address x.x.50.5
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip route-cache
  no ip mroute-cache
  !------- No VLAN Interface for AUTH VLAN 210 --------
  Access Switch Configuration
  interface GigabitEthernet0/1
  description "Trunk Link to Core Switch"
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 700
  switchport mode trunk
  no ip address
  interface GigabitEthernet0/6
  switchport access vlan 30
  switchport mode access
  spanning-tree portfast
  spanning-tree guard root
  no cdp enable
  no ip address
  =========================================
  Is the above config correct?
  Thanks

  Hi,
  By bogus I assume you mean something like;
  interface Vlan700
  description "BIT BUCKET for unused ports"
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no ip route-cache
  no ip mroute-cache
  shutdown

• NAC Appliance Configuration Question

  Hi,
  I am building a new VPN implementation for a customer using a Cisco ASA 5550 and a NAC 3350 appliance. Due to the availability of switch ports, my customer is inquiring to see if the ASA can be cabled directly to the untrust interface on the CAS. I plan to implement the CAS in VGW mode.
  If this is possible, how would the VLAN Mapping work in VGW with this implementation? Do I need to configure a trunk on the ASA to pass the VLAN tags to the CAS to MAP the untrust to the trusted VLAN?
  Thanks for your assistance.

  Thanks Jesse,
  I do agree having this configuration will limit them on redundancy and most likely we will go with a switched approach. If we have both the untrusted and the trust interfaces connected to the same switch with an edge deployment do I need VLAN mapping configured or can the NAC bridge the two vlans without the mapping? I suspect without mapping we would introduce loops.
  Based on the examples I've seen on cisco.com with VPN concentrators, VLAN mapping is used with 4 vlans. 2 are native vlans and a untrusted and an untrusted VLAN - this was the same approach I was going to use. Also note that the ASA will not be used for Internet access, only VPN.  See below image - the ASA would connect to the switch as an access port on VLAN3. The customers internal lan would connect to VLAN2.

• ILO configuration on MCS 7845H2 server

  Hi,
  I am planning to upgrade Callmanager on MCS 7845H2 remotely. This is in a production environment. I am not able to find the ILO IP address configured on this server.
  Is there a way to identify the ILO IP remotely or by logging into the console?
  If not, please let me know if there is any document which can guide to re-configure the ILO for this server. Is there any configuration required on MCS server like assignemt of IP address etc?
  Regards,
  Karthik

  That is easy, 
  -physically check waht switch port the iLO ethernet if. is connected to.
  -check the cam-table on the switch to find whcih MAC the iLO NIC it has
  -check the arp table on your L3 device for that MAC address.
   get your password and user ID and log in.
  If you find no IP address, than it is most likely not configured,.
  Thanks

• NAC Redundant Configuration

  Dear Pros,
  Could anyone suggest me the solution on how to design the redundant NAC server and NAC
  Manager and configuration. We are in process to implement the Redundant NAC config for the customer (2X NAC server + 2 x NAC manager)
  swami

  Hi,
  The heart beat interface has to be on a switched network not on a routed network, therefore if you have the primary appliance on one side and the secondary appliance on the other side of the building, make sure the interfaces are connected to the same vlan belonging to the same vtp domain...
  I hope this helps, please rate if it does...
  Regards,

• NAC OOB Configuration

  Hi!
  I'm implementing an NAC oob solution. tTe CAS and CAM are in the Data-center on an remote network, and i need to control the vlan's that my users access on my remote sites.
  How do i make them authenticate on the remote CAS? (the Cas is on an remote network)
  TKX
  Miguel

  Hi,
  Well, it looks like you are starting now, so I would advise to get in touch with the OOB concept and guidelines:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
  You have L2/L3 mode.
  You have OOB/InB mode.
  You have Real-Ip/Virtual gateway mode.
  You have 2 main VLANs for the clients: authentication (untrusted) and access (trusted) vlans.
  The goal is to make the client fall into the auth vlan prior to login, and the traffic flow through the CAS so that the CAS can permit/deny the client from passing traffic.
  You have also, nice chalk-talks where you can see VODs explaining the steps for configuring several features/deployments:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• WLCM and NAC-NME configuration

  Has anybody deployed WLCM and NAC-NME in the same ISR3800 box? What's the best practise and is there any configuration example?
  customer has a small site where has one 3825, one WLCM(interface Integrated-Service-Engine1/0) and one NAC-NME(interface Integrated-Service-Engine2/0) are put in the 3825, GE0/0 of the 3825 connect to internal L3 switch, GE0/1 connect to internet. one WLAN had been configured in the WLCM(version 6.0.188) and will be protected by the NAC-NME(version 4.6.1).
  It is said that NAC-NME not support OOB mode, can only work in In-Band mode. Since real IP Gateway mode has a lot of limitation, so can the NAC-NME be configured in In-Band Virtual Gateway mode? If yes, then how to setup a Layer2 connection between the WLCM(interface Integrated-Service-Engine1/0)  and the untrusted interface(external G 0) of the NAC-NME?
  What I can think is:
  let me assume the quarantined Vlan of this WLAN is 310, real Vlan is 311, both the NAC-NME's untrusted interface(external G 0) and GE0/0 of the 3825 are connected to a 3750E L3 switch's G1/0/1 and G1/0/2, untrusted interface management vlan is 304, trusted interface management vlan is 303, then I can configure:
  1. For 3825:
  interface GigabitEthernet0/0.310
  encapsulation dot1Q 310
  bridge-group 1
  interface GigabitEthernet0/0.311
  encapsulation dot1Q 311
  bridge-group 2
  interface Integrated-Service-Engine1/0.310
  encapsulation dot1Q 310
  no ip address
  bridge-group 1
  interface Integrated-Service-Engine1/0.311
  encapsulation dot1Q 311
  no ip address
  bridge-group 2
  bridge 1 protocol ieee
  bridge 2 protocol ieee
  2. For 3750E:
  interface GigabitEthernet1/0/1
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 304,310,311
  switchport mode trunk
  interface GigabitEthernet1/0/2
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 310,311
  switchport mode trunk
  but how to configure interface Integrated-Service-Engine2/0 of the 3825 which is connected to the trusted interface of the NAC-NME?
  interface Integrated-Service-Engine2/0.303
  encapsulation dot1Q 303
  ip address x.x.x.x
  interface Integrated-Service-Engine1/0.311
  encapsulation dot1Q 311
  ip address y.y.y.y
  3. NAC-NME will configure VLAN mapping 310<-->311
  I have not tested these configurations(I don't have access the 3825 yet, will be able to access it next week), but I'm afraid since GigabitEthernet0/0.311 of 3825 had been configured as a bridge port, maybe Integrated-Service-Engine1/0.311 can't be  configured as a L3 port.
  Anything else need to configure? or is there any other better design and configuration example? Any input is highly appreciated!

  You got a defective unit. Open a TAC case to get a replacement.

• Warning by NAC when a new Pcs connecte to the network

  Hi All,
  I have a NAC is configured to authenticate users through the NAC by local BD and just use vlan mapping mac-address filter list.
  I  would like to control new Pcs connection to the network ; when a new  mac-address -- PC ,laptop or any other mac based device is connected ,  then The NAC Monitoring should be make an alert or a warning to the " Network admin ". Thereby the Network Admin is more active in monitoring whole network.
  Any good solutions, suggestions are many appriciations from my heart!!!

  Hi,
  if you are into the mac address monitoring I think the NAC profiler is made for you.
  It can recognize hundreds of kind of devices from their behavior (DHCP, ARP, ...) and it classifies any device you plug on the network. You can even make custom rules if you have very specific products.
  So you can determine "Cisco 9971 phones will go to this vlan" and any 9971 phone you bring in the future will be added in the NAC list.
  It can also do this "monitoring" you are talking about, you can put any new mac address in a special category. And from there Profiler shows you its location and current behavior (what profiler thinks it is).
  Nicolas
  ====
  Please rate answers that you find useful

• NAC Agent and NSP provisioning with ISE 1.1.1

  I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.
  I am currently using the default guest portal in ISE.
  The environment has been setup using a Dual SSID design.
  At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.
  The problem is the portal never attempts to install the NAC Agent.
  The client provisioning policy has a separate policies for wireless/wired as well as OS. Each policy applies both a NSP and NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.
  Any ideas?

  Just so i understand this correctly you are using both a client provisioning portal and a native supplicant provisoning portal tied into seperate authz policies.
  With that out of the way are you checking to see if the client is compliant in the client provisioning portal policy.
  Let me know if you have the following configured (example windows OS), this is assuming that the endpoint is statically assigned to RegisteredDevices after native suppliant provisioning.
  Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access
  Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.
  Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication mehod using mschapv2) RESULT windows provisioning portal
  Hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• What are the endpoints attributes collected by NAC Profiler through SNMP and DHCP?

  Hi Everyone,
  Please help on this.
  I want to know what are the endpoints attributes collected by NAC Profiler to discover and profile the endpoints.through SNMP protocol and DHCP protocol.
  Also if anybody can explain a simple used case on this.
  Please guide me on this.
  Thanks in advance.
  Thanks,
  Abuzar.

  Hi,
  SNMP
  =====
  NetMap queries network devices via SNMP for:
  System information
  Interface information
  Bridge information
  802.1X information (PAE MIB)
  Routing/IP information
  CDP MIB Information
  This information is used to Build and maintain a model of the network topology and endpoint discovery.
  NetMap uses SNMP Get, GetNext and GetBulk (when available) requests to  query the SNMP agents running on the network infrastructure devices to  gather specific Management Information Base (MIB) objects about their  status based on device type (Layer 2 or Layer 3).
  In addition to polling each network device for all MIB data at a regular  interval, NetMap may also be commanded to poll port-specific  information when the NAC Profiler system is notified that an endpoint  has joined or left the network via SNMP traps sent by devices at the  network edge, switches typically.
  Upon receipt and verification of a link state (link up, link down) or  MAC notification trap, NetTrap will notify the NAC Profiler Server that a  change has occurred on the network edge (endpoint joined or left a  network port). If the trapping device is in the NAC Profiler  configuration, the NetMap component module assigned to poll the device  that sent the trap will be commanded by the Server module to initiate a  poll of the device's port information to determine the change to the  endpoint topology that resulted in the trap being sent by the network  device.
  The information gathered by NetMap is processed by the Server  accordingly to update the network topology, noting the endpoint joining  or leaving a port. Note that NetMap SNMP polling of network devices  resulting from a trap is localized to the port specified in the trap.  This is unlike the regular polling that occurs at the frequency  specified for each device type (L2 and L3) which gathers all SNMP  information from the device used by the NAC Profiler system.
  DHCP:
  =====
  The NetWatch module listens for traffic including DHCP traffic.
  The module will collect all the DHCP information on the traffic collected, like mac address, ip address,  DHCP Vendor Class Identifier in DHCP request, host name in DHCP request, requested specified options in DHCP request (option 55) and full list of DHCP options supported by the DHCP client as specified in the DHCP request.
  All the endpointe data can then be used to map endpoints with profiles.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Problem of configuration the requirement output control ?

  Hi ,
  i am now in a very urgent situation that is the system does not create the message type after executing the transaction VL31N.
  In detail :
     I have used the transaction NACE to configure the "Requirements output control" and i have created 3 message type (Z1 , Z2, Z3)  ( type V6 : handling unit) and i have coded for each of them to check the requirements for creating the messsage type ( the message type will be created if the sy=subrc = 0 after the forms are executed.
  FORM KOBEV_Z1.
  Check condition from the structure  komkbv6
  if cond Ok
    sy-subrc = 0.
  endif.
  ENDFORM KOBEV_Z1.
    FORM KOBEV_Z2.
  Check condition from the structure  komkbv6
  if cond Ok
    sy-subrc = 0.
  endif.
    ENDFORM KOBEV_Z2.
    FORM KOBEV_Z3.
  Check condition from the structure  komkbv6
  if cond Ok
    sy-subrc = 0.
  endif.
    ENDFORM KOBEV_Z3.
  But in fact , even if i have put the sy-subrc = 0 for each of them or for all , the message type was not created as i need .
  Result :
    if the message type is created automatically after executing the KOBEV or KOBEV , a printing program will be called to print the SAPscript form , but till now , i can not do that , to print the form i have to created the message type by hand ..
  Is the something wrong in the system ? How can i configure them to run well ?
  Please help me .
  PS : I will reward immediately and i am waiting
  Thank you very much

  Hi,
  If you are supposed to bring across characteristic values to your target, then you will not be able to jump from the result line. The configuration expects that the values of the characteristic marked as being used in the jump are filled with unique values. When you use the result line as a source for your jump, the values in the result line will most likely be based on the sum of multiple characteristic values.
  Hth,
  -Jacob

• Macintosh clients, 802.1x and NAC.

  I'm prototyping a NAC setup which has to cater for Macintosh clients as well as Windows. I can get the Macs to authenticate via 802.1x (surprisingly easy using the built in software!) but what I can't do is setup a Posture Validation Rule to identify that the client is a Mac and not a Windows machine. I've tried using the Cisco:PA:OS-Version condition set specifying "contains" MAC. I've also tried "contains" 10 but it doesn't work. I think it probably doesn't work as the condition set depends on the CTA being installed on the Mac which it isn't (and it's not an option either).
  EDIT: Anyone tried installing the CTA on a MAC? It's horrific. Extract the files and run the install, OK so far. It then puts the config ini file in a directory no user (not even Admins) has permissions to so you can't modify it and BOY do you need to modify it!
  Any ideas?

  I'm on the home straight with this one. Essentially to get the CTA to work using the built in 802.1x supplicant on Windows or MacOS you need to run a mix of NAC L2 IP and NAC L2 802.1x. This requires a little extra config on the switch but nothing tragic (it's all in the (NAC Framework Configuration Guide).
  The reason for this is that the CTA requires a network channel to be open so it can run EAP over UDP (EOU) to do posture validation and the 802.1x part of the process gets the machine onto the network so the CTA can do it's stuff.
  With this setup in place and the CTA properly configured (as mentioned previously this is the permissions setup on the Mac created by the CTA install makes this far more difficult than it should be) the process works pretty well, popup messages work, browser launch and URL redirection work. Looks good.
  The fly in the ointment is wireless. The freebie CTA doesn't support it, no way. For a PC the answer is to buy the Cisco Secure Services Client which does support wireless and (I think) run that alongside the CTA (haven't fully worked this one out yet). If you have a wireless Mac, you're stuffed, Simple as that, which from my point of view is a real pain as the customer I'm developing this for wants posture validation for PCs and Macs, wired and wireless.
  Hope this helps someone somewhere avoid a little pain! : )

• Configuring cheque

  hi ppl,
           For PO we usually copy medruck to Zmedruck and assign this in nace and configure the output types.
      So for cheque as per our clients req i have copied f110_prenum_chck  to Zf110_prenum_chck and made some changes..now how i need to configure,where i need to assign this and what is the out type.

  Hi,
  Assigning Print Program to Corresponding Company Code Check :
  Execute SPRO
  à Expand Financial & Accounting
    àAccounts Receivable and Accounts Payable
      àBusiness Transactions
       àOutgoing Payments
        àAutomatic Outgoing Payments
         àPayment Media
          àMake settings for Classic Payment  Medium Program
            àAssign Payment Medium Program for Payment Method in Country Then Save
  For Form Configuration :
  Goto tcode FBZP
     Select Payment methods in Company code
        double click on payment mode
          under relevent company code
            click on Formdata
              provide your form name in the form  Then Save
  Must select payment method is 'C'
  Edited by: MR Venkat on Jun 1, 2009 10:02 AM

• NAC in-band vs out-of-band bandwidth management

  Hi,
  I am new to NAC. Would you please give me hints about bandwidth/traffic policy/QoS management when using out-of-band deployment of NAC? Is it possible NAC to configure the switch port with the appropriate bandwidth limiting template when it recognizes a certain user identity?
  Regards,
  Mladen

  Refer to NAC appliance configuration guide for more information
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_intro.html