NAC L3 OOB VGM Deployment examples

Greetings,
Currently my customer has an L2 OOB VGM deployment for the users inside the campus network.
The customer is opening new branch offices and wants to use the same NAC server for those offices (NAC centrally deployed).
I would like to get some examples and guidance on how to configure the NAC in Layer 3 OOB VGM, since I wouldn't like to change my network topology in order to accommodate Real-IP mode.
I have only found examples for Real-IP Layer 3.

Yes, I agree with you. I asked because the NAC can be configured that way, and Cisco's documentation also suggests it is possible.
The only way I thought L3 OOB VGM could be accomplished is by having a second interface in the WAN router connected to the unauthenticated VLAN, and redirecting traffic to that interface (PBR).

Similar Messages

  • Configuring Switch for CCA is behind non-Cisco phone, NAC OOB VGW Deployment

    Hi,
    I need to configure the edge switch port to keep serving a non-Cisco IP phone when deploying NAC as OOB VGW.
    I appreciate your advice, but please treat an 802.1x solution as the last option.
    Thanks
    Mike

    Hi,
    Please look at the config guide:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • NAC L2 OOB Auth and Access VLAN

    I'm new to Cisco NAC appliance.
    I wanted to deploy L2 OOB VGM for my wired users.
    I wanted to check whether I can have multiple Authentication to Access VLAN mappings.
    For example :
    Authentication VLAN - 111 Map to Trusted VLAN 311
    and
    Authentication VLAN - 112 Map to Trusted VLAN 312
    Therefore, on the port profile of the switch, I can allocate which ports should be using Authentication VLAN 111 and which VLAN 112.
    The reason I want to do this is that I need the users to obtain IP addresses that are associated with the trusted segment, so that I do not have to bounce the switch port or use DHCP release/renew from the CCA or web client.

    Role-based access VLAN mapping for Windows single sign-on (SSO) users can be achieved with this procedure:
    Choose Management > Auth Servers and select Auth Type to Active Directory SSO.
    Select Default Role for the role that you want Windows SSO users to be in after they are logged in. For example, in this case it should be vencorp.
    Choose User Management > User Roles, select the role (vencorp) and click Edit.
    Define the Out of Band User Role VLAN to 5 (or any VLAN that you want the users of this role to be).
    Save the role.
    Choose Switch Management > Profiles > Port > List and click Edit for the control profile.
    Change the Access VLAN to User Role VLAN and click Update.
    Log in through the PC with SSO. You are now logged in to the domain and have role-based VLAN mapping.

  • NAC Out-of-Band Deployment for wireless networks

    I am evaluating the NAC appliance for my wired and wireless users. I have read that the only way to deploy NAC for wireless is in-band mode, but it looks like the following link says that it is possible to deploy NAC for wireless networks in in-band or out-of-band mode:
    "NAC Appliance can be deployed for WLANs as an in-band deployment for full-time endpoint scanning or out-of-band within a central site for periodic scanning to confirm posture compliance. The NAC Appliance server performs authentication, posture assessment, and remediation. The server securely controls authenticated and unauthenticated user traffic by managing traffic policies based on protocol/port or subnet, providing bandwidth policy management based on shared, or per-user bandwidth, or using time-based sessions and heartbeat controls. (Figure 1)"
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_brochure0900aecd80355b2f_ps6128_Products_Brochure.html
    Does anyone know if it is possible to use NAC out-of-band deployment for wireless networks? If you can point me to some documentation it will be appreciated.
    Regards

    Thanks Robert.
    In my case I am planning to deploy a central NAC appliance at the main office to control some branch offices and local wired users at the main office. The NAC appliance will operate in out-of-band mode. But for wireless users at the main office I will need an additional NAC appliance operating in in-band mode, is this correct?
    Regards

  • Problem installing JES 05Q4 according to deployment example - commadmin

    I have run into problems installing JES 2005Q4 according to the deployment example. All goes smoothly until modifying mail and calendar domains with commadmin.
    When running
    /opt/SUNWcomm/bin/commadmin domain modify -D admin -w adminpass -X host.domain.net -n domain.net -p 80 -d domain.net -S mail,cal -H host.domain.net
    it just gives errors:
    Invalid value for login ID: admin
    Invalid value for login password
    Invalid value for login domain: domain.net
    and in amAuthentication.error log there's:
    "2005-12-07 21:44:45" "User Profile does not exist|module_instance|LDAP" LDAP AUTHENTICATION-270 o=domain.net,o=isp "Not Available" INFO "Not Available" "Not Available" "cn=dsameuser,ou=DSAME Users,o=isp "Not Available"
    Also, the amConsole session times out in about 5 seconds even though the time-out settings are OK.
    I'm running Solaris 10 with all the latest patches. The 05Q4 isn't patched.
    Any ideas how to go about solving this?

    One additional piece of information when examining the logs:
    the config-commda installation log has one warning at the beginning; it says that "gethostname failed to return a fully qualified hostname".
    How can I check whether my hostname configuration is OK? The hostname command returns just the plain hostname and "check-hostname" says that the fully qualified hostname is OK.
    Could this be somehow related to the problems I'm experiencing?

  • NAC WLC OOB integration

    I am trying to get NAC integration with WLC working for wireless users in OOB and can't get it to work. I followed the directions step by step from the Configuration Example on the Cisco web site. Without enabling NAC on the WLC I am able to associate and work fine. With NAC enabled, association works but the client stays on the Quarantine VLAN and never gets switched. I can see the client as a Discovered client on the CAM only when I turn off 802.1x for layer 2 security on the WLAN, but still it does not get switched to the Access VLAN, nor do I get a web login screen. DHCP for wireless clients is provided by the WLC itself, so that traffic does not pass through the CAS. Am I doing anything wrong?

    Faisal
    I haven't tried to browse to the CAS IP. I will try that when I am there next time. The laptop did have a NAC agent with a discovery host of the CAM IP, as it was used as a wired client before. Looking at the routing table, I would think routing should not be an issue, as the Guest subnet correctly points to the untrusted interface with no GW and that should take the VLAN 201 path, which is the quarantine VLAN ID for the WLC Guest WLAN. Just FYI, the 172.16.8.0 subnet, which is the guest subnet, is not being routed internally for security reasons and is just an L2 VLAN on the core switch.
    10.8.21.11/32           -               0 0
    10.8.21.1/32            -               1 0
    10.8.21.0/24            -               2 0
    0.0.0.0/0               10.8.21.1       1 0
    10.8.17.0/24            -               2 8
    10.8.15.0/24            -               2 8
    172.16.8.0/24           -               2 8
    10.8.21.10/32           -               0 2
    10.8.17.169/32          10.8.21.1       1 0
    10.8.17.152/32          10.8.21.1       1 0
    10.8.17.182/32          10.8.21.1       1 0
    10.8.17.128/32          10.8.21.1       1 0
    10.8.17.119/32          10.8.21.1       1 0
    10.8.17.137/32          10.8.21.1       1 0
    10.8.17.188/32          10.8.21.1       1 0
    10.8.17.200/32          10.8.21.1       1 0
    10.8.17.165/32          10.8.21.1       1 0
    10.8.17.124/32          10.8.21.1       1 0
    10.8.17.113/32          10.8.21.1       1 0
    10.8.17.197/32          10.8.21.1       1 0
    10.8.17.206/32          10.8.21.1       1 0
    Thanks
    Shaffeel

  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a Central Deployment (NAC server at Central Site) for Remote Office (WAN) users, is it possible to work with L3 OOB
    Virtual Gateway? Or is it only possible to work with L3 OOB Real-IP gateway?
    If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
    I didn't find an answer for this in the documentation.
    Thanks in advance.

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at Switch Management -> Port Profiles and, below "Options: Device Connected to Port" (the second one), "Change to .... if the device is certified"; there should be an Access VLAN option. Make it active.

  • NAC L2 OOB VG ARP, DNS

    I am deploying NAC 4.7.2 in-house to stage for a customer deployment. The deployment method I used is L2 OOB VG; I configured the switch, managed subnets, and VLAN mapping. However, two problems arose:
    1. ARP replies from the trusted to the untrusted side are not being bridged between the access VLAN and the authentication VLAN
    2. DNS replies are also not being forwarded from the trusted (access VLAN) to the untrusted (authentication VLAN)
    What's strange is that DHCP is working fine.
    I have tried to add an ARP entry for the default gateway (the client gets the MAC address of the untrusted interface as the default gateway), which NAC redirects and provides the login process and remaps my port to the access VLAN, but then I have to manually remove the ARP entry for the switch to discover the real MAC address of the default gateway once the client is in the access VLAN.
    Is there anything else besides managed subnets and VLAN mapping needed for L2 OOB VG to work? From my understanding, DHCP, DNS, and ARP should be bridged normally between the trusted <--> untrusted interfaces with no additional configuration.

    Hanny,
    Sorry I couldn't look at your diagram in detail before. So there's something wrong here.
    You claim in the PDF that VLAN 5 and 6 are untrusted, mapping to 15 and 16, for which you have the SVIs defined.
    You also claim that FA0/17 is the untrusted interface and FA0/13 is the trusted interface, yet your interface definitions are the inverse of your network diagram. Is it just as simple as you plugging in the interfaces wrong? Or the error is in the diagram? Or the interface definitions in the PDF?
    Please clarify. If you can also, please post the Network tab from your CAS, the Advanced tab from your CAS showing the managed subnets and the VLAN Mapping tab from your CAS. Also please post your sanitized show running-config from your switch and verify where each of the interfaces are plugged in?
    Thanks,
    Faisal

  • NAC Appliance OOB L3

    Hi everyone,
    "I have a friend" ( :-) ) for whom I want to deploy NAC OOB L3.
    Why this one? Because he has a central location and a few branches (a few more actually), and these branches are 2 L3 hops from the center. More specifically, there is an L3 switch as a gateway to the branch LAN users and after that a router that connects to the center (GRE/IPSec).
    The question is, and I did not manage to find out or to work it out by myself: is it mandatory to use a DHCP server for allocating IPs to clients (for all of their states: unauthenticated, authenticated, permitted etc.)?
    If not, how should it be done?
    Second: if it is mandatory, should it work only with a centrally deployed DHCP server, or can I use the L3 switch in every branch as a DHCP server?
    Thank you for your patience.

    DHCP is required for L3 OOB real-ip gateway since the system will need to get a new address when it is switched to the authorization VLAN and then again after the posture process when it is switched back to its "normal" VLAN.
    As for the DHCP server, you can use either a central server, have a local switch provide the addresses or a combination of both.
    In our install, the local switch is the DHCP server for the auth VLAN and a local server is used for the access VLAN.
    Mike

  • NAC L3 OOB VGW possible?

    Is it possible to do L3 NAC OOB with VGW?
    The documentation does not say that it is not possible, but I see some technical difficulties.
    In a VGW deployment, the Auth IP = Access IP and only the VLAN ID changes. But on the other end of an L3 link I cannot see VLAN IDs and therefore cannot distinguish between Auth and Access.
    So is it correct that OOB L3 VGW is not possible?

    It is my understanding that the IP address of the client must change when it moves from auth to access.
    It is still OOB because traffic only goes through the CAS during authentication/remediation. Because there are no VLAN mappings it is not VGW.
    Typically the CAS is at a core location, and you use policy routing or ACLs to separate auth traffic from access traffic (though I prefer VRF) to "pipe" auth traffic back to the CAS.
    Once auth is successful, the CAM switches the port to the access vlan.
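    As an added illustration (not configuration from any poster or from Cisco's guides) of the "redirect unauthenticated-VLAN traffic to the CAS with PBR" idea raised in the opening thread and in the reply above, here is a branch-side IOS configuration for the central L3 OOB Real-IP case. It assumes constructed values: VLAN 290 is the unauthenticated VLAN on 10.29.0.0/24, VLAN 200 the access VLAN on 10.20.0.0/24, a GRE tunnel to the central site whose far end (10.255.0.1) leads to the CAS untrusted side, and a central DHCP server at 10.1.1.10.

    ```ios
    ! Branch L3 switch (constructed example; addresses and names are assumptions)
    ! Match everything sourced from the unauthenticated VLAN. DHCP relay traffic is
    ! sourced by the switch itself (ip helper-address), so it is not policy-routed
    ! and clients can still obtain an address before they are authenticated.
    ip access-list extended NAC-AUTH-TO-CAS
     remark Traffic from the auth VLAN must reach the network only through the CAS
     permit ip 10.29.0.0 0.0.0.255 any
    !
    ! Policy route matching traffic toward the tunnel far end; the central router
    ! then hands it to the CAS untrusted interface instead of the normal path.
    route-map NAC-AUTH-PBR permit 10
     match ip address NAC-AUTH-TO-CAS
     set ip next-hop 10.255.0.1
    !
    interface Tunnel0
     description GRE to central site; carries auth-VLAN traffic toward the CAS
     ip address 10.255.0.2 255.255.255.252
     tunnel source Loopback0
     tunnel destination 203.0.113.1
    !
    interface Vlan290
     description NAC unauthenticated VLAN (Real-IP: its own subnet, distinct from VLAN 200)
     ip address 10.29.0.1 255.255.255.0
     ip helper-address 10.1.1.10
     ip policy route-map NAC-AUTH-PBR
    !
    interface Vlan200
     description NAC access VLAN; no PBR, traffic follows the normal routing table
     ip address 10.20.0.1 255.255.255.0
     ip helper-address 10.1.1.10
    ```

    Because the access VLAN carries no policy route, only hosts still in VLAN 290 are steered to the CAS; once the CAM moves the port to VLAN 200 the client renews its lease and follows normal routing, which is why DHCP is required in this mode. Verify the steering with show ip policy and show route-map NAC-AUTH-PBR, whose match counters should increase while a client sits in the auth VLAN.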

  • Unable to deploy example 'banking' application on weblogic, please help...

    Hi,
    I have downloaded the example 'banking.zip' and have installed it.
    I have followed all given steps in the tutorial, but I am unable to
    see the login page.
    I am also not able to see the ejb and web application descriptor file
    from the admin console.
    I have copied the banking directory to
    '$WEBLOGIC\config\mydomain\applications'.
    There are 3 directories under it
    (1) ejb (containing meta-inf and examples directory. Meta-info
    contains the descriptor .xml files)
    (2) web (containing web-inf and html,jsp and image files. Web-inf
    contains weblogic.xml and web.xml)
    (3) Meta-Inf (containing the application.xml)
    I get the 'Error 404--Not Found' error when I go to
    http://localhost:8001/banking/login.html. (my server is running on
    8001 port, i hope this doesn't matter)
    When I try to edit the web application descriptor I get the following
    error
    java.lang.NullPointerException
         at weblogic.management.console.utils.MBeans.getMBeanClassFor(MBeans.java:860)
         at weblogic.management.console.actions.internal.ActionUtils.getAreaFor(ActionUtils.java:142)
         at weblogic.management.console.actions.mbean.MBeanDescriptorFramesetAction.perform(MBeanDescriptorFramesetAction.java:133)
         at weblogic.management.console.actions.internal.ActionServlet.doAction(ActionServlet.java:167)
         at weblogic.management.console.actions.internal.ActionServlet.doGet(ActionServlet.java:91)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:265)
         at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:200)
         at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:2456)
         at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2039)
         at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
         at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    Could someone please help me ? I am trying to deploy this in the
    exploded form. My server is running in the development mode.
    - Thanks in advance,
    Sonali

    Hi,
    I was able to successfully deploy after installing
    weblogic 6.1 SP2 (earlier I had SP1). Also, I had to make
    changes in the BankAppServlet code since it tries to find the
    bean with a different name than one specified in jndi-name.
    - Thanks,
    Sonali

  • Flex Builder 2 Deployment Examples

    Hello,
    I'm a newbie and am wondering if anyone can point me to
    examples for deploying Flex 2 apps to a public web server.
    I am wanting to start with the simplest case, with no server
    side scripting or database connectivity and then add that later.
    Specifically, I was wanting to know if I simply need to copy
    my project folder up to the server via FTP and that should work. I
    think I read that there is a wrapper that has to be
    generated/created but after doing that, is that all I
    "theoretically" need to do??
    Thanks,
    Bob

    After you compile your file, Flex 2 should produce a .swf and an
    HTML file. Theoretically all you have to do is upload those 2
    files to your server, and that will produce the most basic web app.
    Those two files should normally be located in the bin folder in
    your project.

  • NAC L3 OOB not working across WAN

    I am setting up a proof of concept lab for a NAC installation.
    I am using Cisco Catalyst 3550 and 2950 switches (the actual environment is using 3750, 2960 and 2950 switches) and have the NAC set up in a central L3 OOB configuration. In this configuration I have a single NAS and NAM at the "MAIN_SITE" and then two branch sites, "BRANCH1" and "BRANCH2".
    At the main site, the OOB works fine and when a user logs on, the port is moved from the unauthenticated VLAN (290) to the role-based VLAN (200). However, at the "branches" the switches are not placing the port into the role-based VLAN, nor, if a port is in VLAN 200 and a PC is plugged into that port, does the port switch to VLAN 290 (unauthenticated).
    Sniffing the traffic with Wireshark I see the SNMP sets being sent by the NAM to the switch telling it to place the port into VLAN 200, but the switch is not doing it.
    My write strings are set up correctly and the NAM is able to set up the initial commands on the switch for the NAC (the "snmp trap mac-notification added" commands on the ports).
    Can anyone say what is wrong?
    Sachin

    I defaulted the 3550 switch in the WAN and reconfigured it and it works now. I tried the same procedure for the 2950 switch but no dice. I replaced the 2950 switch with a 3550 that worked.
    Can anyone say if there is an issue with the 2950 switch for L3 OOB? I don't have another 2950 switch to test with.
    Sachin

  • NAC L3 OOB VoIP

    I've configured a CAM and CAS as both L2 OOB and have enabled L3 support with Real IP. I have a remote site that uses Avaya 4610SW VoIP phones. Both the CAM and CAS reside locally with no CAS at the remote site.
    I'm able to get full functionality with VoIP phones and clients connected to the phones from a Layer 2 perspective, however when I try and get the remote office VoIP phone/client combo, it doesn't work. When I remove the phone and plug the client machine directly to the switchport, it works, so I'm sure the PBR and GRE configs are correct.
    From my readings, I know that you need to exclude the MAC addresses of the phones, and when I have done testing from a Layer 2 perspective, it works without a problem. The problem that I am seeing is that the MAC address of the phone is not being picked up by the NAC. I'm aware that MAC addresses are stripped off for L3, but I have no idea how to get this to work. The profile has been set up to not bounce the port, MAC address notification vs linkup/down, etc.
    Any ideas would be greatly appreciated.
    Thanks
    Jeff

    Jeff,
    In this scenario, the L3 stripping off the MACs doesn't apply. If you are controlling the switch on the remote site with the CAM and sending MAC notifications to the CAM, those notifications would include the MAC of your phone.
    You have to make sure that the MAC addresses of those phones are in the "IGNORE" filter on your CAM and not the ALLOW filter. This essentially tells the CAM that when the switch reports a new MAC on the switchport, and if it's in the IGNORE filter, to ignore that MAC and not switch the port back to the AUTH VLAN.
    HTH,
    Faisal

  • NAC - L3 OOB

    Hi all,
    We would like to authenticate users that are L3 adjacent to the NAC appliance server. The NAC is set up as an OOB virtual gateway.
    Is that possible, and what should the configuration be?

