NAC Manager

Hi All,
I would like to deploy the NAC Appliance for 1500 users on my network. I just wanted to get clarity as to why I need the NAC manager for 20 NAC Appliances if I am only deploying one NAC Appliance.
Thanks in advance

With one CAS-1500 you require a standard NAM.
The standard hardware also includes the SSL accelerator card due to the performance needs.
http://www.cisco.com/en/US/products/ps6128/prod_bulletin0900aecd805d0358.html
If you had 3 CAS 500s then you should be able to get away with a NAM Lite. And really you would be better off performance-wise if you used the standard hardware.

Similar Messages

  • Configuring NAC MANAGER HA - link failure detection

    Hello,
    I'm configuring HA in NAC Manager and want to enable "eth0 link failure detection based failover". Is this possible in version 4.1.2.1?
    Where can I configure this in NAC Manager?
    See my configurations for the Primary HA on pic attached.
    kind regards,
    Daniel Stefani

    Hi Daniel,
    It doesn't look like that's an option in the 4.1.2 line.  You can configure this in 4.1.3 line, however - see the configuration guide here: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_ha.html#wp1040221
    HTH,
    Lauren

  • NAC Server without NAC manager

    Hi,
    I would like to know whether a NAC server (NAC appliance 3355) is enough to provide NAC functionality without a NAC manager in the network for one location, say a Datacenter.
    Regards,
    Ashok

    Hi Ashok,
    You can use a single CAS in the network in a single location in case you have a centralized CAM for multiple locations, but you would need at least one CAM to manage all the CAS servers, as all the settings and policies for CAS are stored in CAM.
    Moreover, the CAS product licenses are generated based on the eth0 MAC address of the CAM, so at least one CAS is essential.
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp39625
    HTH!
    Regards,
    Sumir

  • NAC Server and NAC Manager installation

    Hi experts,
    When I tried adding the NAC Server to NAC Manager in CAM web management, it prompted: Failed to add server: Could not connect to 10.130.80.81
    Is there anything I can do to solve this?
    I'm new to NAC Manager and Server installation.
    The version in use is 4.8.2
    BTW, I don't know how to generate SSL certificates (not temporary ones) for installation; can anyone help with that as well?
    Thanks in advance!
    Regards,
    Daniel

    Hi Daniel,
    This is related to the certificate issue.
    Just generate a temp certificate in NAM and NAS.
    Export the certificate along with the key and store it in a different location.
    Then in the SSL option there is Trusted Certificate Authority.
    Load the NAS certificate in NAM and the NAM certificate in NAS, then try to configure or add NAS to NAM.
    It will work.

  • Cisco NAC: How to configure the NGS as Radius Server & NAC Manager as Radius Clients !!!

    Hi,
    Kindly let me know how to configure the NGS (Version 2.0.3) as a Radius Server while NAC Manager (Version 4.8.2) as a Radius Client...
    Moreover,
    1) I want to create the two User Roles (Guest1 & Guest2) on NGS.
    2) When the sponsor creates the users, each user will belong to either of the roles.
    3) NAC Manager will have an authentication provider (Radius) with the default Role "Deny Role", but users belonging to "User Role = or Group = Guest1" will fall into the "Guest1" Role, while users with "User Role = or Group = Guest2" will fall into the "Guest2" Role.
    I need assistance to configure this scenario....
    Please advise me.
    BR,
    Mubasher Sultan

    Hi,
    Any idea or suggestion...
    BR,
    Mubasher Sultan

  • NAC manager doesn't change auth vlan to access vlan

    Hi,
    I am trying to install L2 out-of-band NAC in my LAN but I have a problem for which I don't seem to find any solutions.
    The problem is that NAC manager simply doesn't change switchport from authentication to access vlan although user
    is authenticated and all CAA requirements have been met.
    I connect my laptop to switch and NAM changes vlan to auth. vlan and laptop gets IP address from access vlan (vlan mapping
    configured on NAM). Then CCA login pops out and I enter username and password. After that CAA says: "Successfully logged in
    to network" but laptop stays in auth. vlan and I can see my user in "out of band" users list (on NAM) but laptop (his MAC address) is not
    in the certified devices list. And Manager keeps it in auth. vlan. So when I click OK in CAA, the login window pops out again because I'm still
    in authentication vlan.
    What could be the problem? I really tried everything and I don't know why manager doesn't put laptop to certified devices list (I repeat, user is in out
    of band users list) and CCA says successfully logged in to network, and all requirements are met too.

    Faisal,
    thank you very much, yes that was the problem. I didn't have managed subnet entry. Now it works fine, but I have another problem. When I added managed
    subnet I cannot connect to the NAC server from my PC, which has an IP address from that subnet range. I can neither ping it nor connect via https, totally
    inaccessible.
    What can I do to have that managed subnet entry, and still to be able to connect to server from that subnet (VLAN)?
    I tried adding managed subnet entry with auth. vlan (400) and then with access vlan (110) and no-vlan (-1) but the situation is same - clean access
    works fine, but I cannot reach server from my PC.

  • Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL

    Hi There
    I have Cisco NAC set up in my environment. These are all working fine. The users will get themselves authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. These are all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. It's either I'm doing it wrongly or this setup of mine doesn't support downloadable ACL? Please kindly advise.
    Regards,
    Ram

    Hi,
    That is not possible.
    You cannot push ACLs into the NAC manager.
    If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
    Using Radius attributes you can then map users to Roles.
    Please take a look into this:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Cisco NAC Manager for 40 Servers

    The NAC Super Manager is capable of up to 40 NAC Servers. What happens when I add the 41st NAC Server?
    Is there a way to cluster NAC Managers?
    Thanks!
    Tom

    The number of servers managed by the CAM (inband or outband) depends on the CAM software (manager lite, standard manager and super manager). The licenses don't differentiate between Inband and OOB licenses. For adding more servers you need to purchase more licenses.

  • NAC Manager Not Reachable

    Hi Everyone,
    I have a NAC setup with one CAM and 3 CAS.
    We had a power failure last weekend, and since then I can't access the CAM. Not even via console cable. But I can console to the CAS. The CAM is ON as I can see the LEDs (all green).
    I would like to restart the CAM and check. But I don't know whether it will have any effect on the network, like whether my users can still have access to the network even if I switch off the CAM, as the CAS is still working.
    Thank you in advance.

    Hi,
    I will appreciate any suggestion you guys have.

  • NAC Manager High Availability Peer CAM DEAD

    Hi,
    I have two NAC Managers with High Availability and I have used the eth1 interface on both sides as a Heartbeat link.
    I have done the following steps for High Availability.
    1) Synchronized the times between the two CAMs.
    2) Generated a temporary SSL certificate in both CAMs and done the export-import procedure in each other.
    3) Made one CAM the Primary and the other the Secondary.
    But after all this configuration was done, I can see the status in Monitoring > Reports as: Primary CAM is up in both the servers and Redundant CAM is down.
    Also in the Failover tab I can see: Local CAM - OK [Active] and Peer CAM: DEAD.
    I have also attached some screenshots so you can find out the same.
    Your help will be highly appreciated.
    Thanks

    Try the following steps and verify that all the steps were followed:
    http://www.cisco.com/c/en/us/support/docs/security/nac-appliance-clean-access/99945-NAC-CAM-HA.html

  • NAC Manager high memory issue

    Hi guys, I have a CAM failover pair installed. I have seen high utilization of the RAM in the 2 appliances. The utilization is higher than 80%. Does anyone know what is the cause for this memory use?
    Also, I have a NAC Profiler integrated with these CAM's.
    Regards
    Gerard

    Gerard,
    Your system looks fine. Linux utilizes the free/unused memory to cache data, and hence the free memory reported might seem very low, but it's being used by the kernel to actively use it for caching. As/When it's needed, the kernel releases memory for the processes to use, so this is normal. If you want to look at what processes are using the most memory try this command:
    ps auwwwx | awk '{print $4"\t"$11}' | sort | uniq -c | awk '{print $2" "$1" "$3}' | sort -nr
    The output will show you the process with the most memory being used. For example on a test CAM here was the output of the command listed above:
    14.3 1 /usr/java/jdk1.6.0_12/bin/java
    0.8 1 /usr/sbin/httpd.worker
    0.7 1 /usr/sbin/httpd.worker
    0.6 1 /usr/sbin/httpd.worker
    0.6 1 postgres:
    0.5 1 postgres:
    0.5 1 heartbeat:
    Meaning Java was taking the most memory.
    HTH,
    Faisal
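The cache-versus-process distinction described in the reply above, as an added example that is not part of the original post: it compares raw memory use with use when buffers and page cache are treated as reclaimable, and sums %MEM per command rather than listing each process separately. The `/proc/meminfo` and `ps` lines are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not taken from a real CAM.

# Constructed /proc/meminfo excerpt (values in kB).
SAMPLE_MEMINFO='MemTotal:        4000000 kB
MemFree:          200000 kB
Buffers:          400000 kB
Cached:          2600000 kB
SwapCached:            0 kB'

# Constructed `ps auwwwx` excerpt; %MEM is column 4 and COMMAND starts at column 11.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 2101 1.0 14.3 900000 578000 ? Sl Jan01 10:00 /usr/java/jdk1.6.0_12/bin/java -server
apache 2301 0.0 0.8 90000 32000 ? S Jan01 0:01 /usr/sbin/httpd.worker
apache 2302 0.0 0.7 90000 28000 ? S Jan01 0:01 /usr/sbin/httpd.worker
apache 2303 0.0 0.6 90000 24000 ? S Jan01 0:01 /usr/sbin/httpd.worker
postgres 2401 0.0 0.6 60000 24000 ? S Jan01 0:02 postgres: writer
postgres 2402 0.0 0.5 60000 20000 ? S Jan01 0:02 postgres: stats'

# Reads meminfo-format text on stdin and prints "raw=<pct> real=<pct>".
# raw  = everything that is not MemFree (what a naive monitor reports).
# real = raw minus Buffers and Cached, which the kernel can release on demand.
mem_pressure() {
  LC_ALL=C awk '
    /^MemTotal:/ { t = $2 }
    /^MemFree:/  { f = $2 }
    /^Buffers:/  { b = $2 }
    /^Cached:/   { c = $2 }
    END {
      if (!t) exit 1
      printf "raw=%d real=%d\n", (t - f) * 100 / t, (t - f - b - c) * 100 / t
    }'
}

# Reads `ps aux`-format text on stdin and prints "<total %MEM> <process count> <command>",
# largest consumer first. Worker processes of one daemon are added together.
mem_by_command() {
  LC_ALL=C awk '
    NR > 1 { sum[$11] += $4; n[$11]++ }
    END { for (c in sum) printf "%.1f %d %s\n", sum[c], n[c], c }' |
    LC_ALL=C sort -k1,1nr -k3,3
}

# Run against the constructed samples; on a live Linux host use instead:
#   mem_pressure < /proc/meminfo
#   ps auwwwx | mem_by_command
printf '%s\n' "$SAMPLE_MEMINFO" | mem_pressure
printf '%s\n' "$SAMPLE_PS" | mem_by_command
```

A large gap between the `raw` and `real` figures means the high utilization is mostly cache; if `real` itself stays high, the per-command totals show which service to look at.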

  • Firewall Ports Required for NAC manager to manage/add Cisco switch

    Hi,
    I am trying to add Cisco switches to the NAM; however, I am not able to add the switch, as I am getting the error "unable to control switch". I have tried to open ports 161-162 on the firewall; if I allow any traffic between the NAM and the switch, the Cisco NAM is able to add/manage the switch.
    I am not sure what other ports may be required for the Cisco NAM to manage the switch.
    Thanks.

    Hi,
    AFAIK, only the UDP ports 161-162 for the SNMP communication need to be open.
    Please make sure you have configured the correct port on the switch:
    (config)# snmp-server host 172.16.1.61 traps version 2c cam_v2 udp-port 162 mac-notification snmp
    If it is still not working I would check the logs on the firewall for any blocked traffic between the CAM and the switch.
    HTH,
    Tiago

  • NAC Discovery host

    I have one query. I am running in OOB mode, and I have multiple servers running in OOB mode for the branches. How can I add their IP addresses? If you can tell me, it will be great. Should I put them in the DNS server? For example:
    172.16.28.241  –HQ.nas.com
    172.16.28.247  – xyz.nas.com
    172.16.28.XXX  – abc.nas.com
    If I put *.nas.com in the discovery host, will this work? Because I know I am not able to put multiple IP addresses there.
    Will this work as a wildcard for NAS servers?
    How should I go about it?

    Hi,
    I have already gone through that document. The problem is,
    I got two options in order to redirect the NAC agents traffic from the small offices to the NAC server which is located at HQ.
    Using PBR
    Using ACL and Discovery Host Field
    We prefer the second approach. PBR is difficult to manage for the customer.
    So we will put the central NAC Servers' IP address onto Discovery Host Field. (By the way, in NAC Manager GUI it is already said that this setting applies to L3 users)
    The thing is, the endpoints with NAC agents usually hang out at small offices, however, from time to time, they visit the regional offices. So when they are in the regional offices, if the setting above would cause any problems. In regional offices the NAC agent traffic has to go through NAC server since that is gonna be a L2 OOB deployment. But since we did not test this, I have doubts if the NAC agent has its Discovery Host Field populated with central NAC server IP, and its traffic going through regional office local NAC server ... If this is gonna work smoothly.
    Or are you saying that, even with the second approach I mentioned above, I could still leave the discovery host field as the NAC manager IP ? Cause when the client is at small office and has NAC manager ip in its discovery host field, then when its traffic tries to reach NAC manager IP that traffic would not be going through the central NAC server at all.
    Dumlu

  • NAC AGENT - DISCOVERY HOST IP ADDRESS with AD

    Hi,
    We have deployed a Cisco NAC Agent in our network with GPO update... The deployment model is L3 OOB / Real IP Gateway.
    The issue is that we need to put the IP address in each host manually to start communicating with Cisco NAC Manager.
    Is there any way to make it automatic?
    Regards,
    Mubasher

    Hi Mubashir,
    I faced the same problem with Cisco ISE, and Tiago's response actually helped; see below.
    "You can also distribute the NACAgentCFG.xml file with that value set.
    Please find here detailed info regarding this file:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376."
    In that link, read the section: Agent Customization Settings
    From a NAC agent that has successfully been deployed with the IP configured, go to the NAC agent installation folder
    C:\Program Files (x86)\Cisco\Cisco NAC Agent, copy the NACAgentCFG.xml, open it with WordPad and edit the line
    IP of PDP node or ISE standalone server
    Then place the edited NACAgent.xml file in the same folder as the one where your GPO will pick the agent from. When the Agent is installed, it automatically picks the configs from the .xml file.
    Regards,
    Henry

  • ISE and NAC Agent

    Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) environments. We are looking at migrating over to ISE for our wireless environment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC environment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this environment; we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically, is NOT listed in the NAC compatibility matrix. So what version of NAC agent should we run in a mixed environment? I am hoping 4.9.1.5 is supported against ISE, and the matrix is simply not updated yet. Thank you in advance for your help.

    Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC appliances, we would still run that agent. Does that agent run against ISE, and if not, what is Cisco's recommendation to bring ISE into the environment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE as our laptops will be wireless and wired at different times. Which Agent would be recommended?
