NAC Server

When I connect to our new guest wireless network and then open my IE browser the page redirects to our NAC server authorisation login page which fails due to DNS.
(doesn't work)
https:///internal.nac-srv.com/auth/perfigo_weblogin.jsp?cm=ws32vklm&uri=https%3A%2F%2F
(works when I use the internal IP of the NAC server)
https://10.1.1.1/auth/perfigo_weblogin.jsp?cm=ws32vklm&uri=https%3A%2F%2F
The trusted setup DNS servers are public hosted DNS servers (guest user access is only for the Internet), reason being internal.nac-srv.com is not resolvable.
Is there any way I can make internal.nac-srv.com resolvable to the guest wireless user? Is there a config parameter to change the redirection to the IP automatically?
Thanks

I understand that. They gave me a patch, but they had to modify it on the fly, so I don’t have the correct patch to share. But yes, we would lose all connectivity with the server. Luckily we had a terminal server where we kept the server that kept going out of sync; we would just have to console into the server and hit enter a few times to get the prompt, and it would go back in sync for a time.
Adam

Similar Messages

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server. The symptoms when the NAC server hung include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via https, and the HA pair being detected as down by its HA neighbor, which triggered failover to the secondary CAS.
    The CAS server recovered after manually power cycling the hardware.
    After going through the attached CAS logs, I found that all the services and the logging service were stopped when the issue happened, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried to search the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, because software version 4.8.1 has been running in my company for years and only one CAS server has the issue.
    It would be great if anyone could help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.

  • NAC server is not available on the network

    I am doing a rollout of ISE 1.1.1. I am using NAC agent 4.9.0.47 for posture checking Win7 x86 machines. Occasionally users are getting 'NAC server is not availble.... try disconecting and connecting to the network to start a new connection'. When I try to reproduce the issue, it does not happen. It happens randomly here and there. What are the possible reasons for this issue? ISE is not getting the posture result, and the machine remains in the posture check 'unknown' stage. I am halfway through the rollout and it is stopping me from rolling out further. If anybody knows, please advise.

    Hi,
    I had the same issue and upgrading to 1.1.2 made the issue quiet down a bit. I have a few reported issues but haven't seen any in the past 2 weeks. Also, which supplicant is the client running, and do they see these on the laptops or machines that have both wired and wireless connections?
    The reason I ask is that the native Windows supplicant tends to connect to both networks (wired and wireless); this can cause some problems with the NAC agent if the link for the wired or "the lower metric route" flaps.
    The bug Cisco provided me is related to "CSCuc70607".
    Hope this helps,
    Tarik Admani
    *Please rate helpful posts*

  • Wireless Guest with NAC Server

    Hi All,
    Does anyone know why a sponsor can't create a guest account with 1 month duration?
    It's a NAC running on version 2.1 in SNS-3415-K9.
    The current setup is WLC connected to NAC Server.
    Is it related to Account type?
    From the Account Type dropdown menu, you can choose one of the predefined options:
    Start End—Allows sponsors to define start and end times for account durations.
    From First Login—Allows sponsors to define a length of time for guest access from their first login.
    From Creation - Allows sponsors to define a length of time for guest access from the moment of account creation.

    When you say, "One MAC user" you mean every other client works except for this one MAC device?  If other MAC devices work, then it must be something on the client device that is having issues.  The only issue that I have run into is HTML code that might not be supported in certain browsers if you are running a custom webauth page.

  • What happens when NAC Server License Exceeds ?

    Hi all,
    Got a simple question for which I could not find an explanation.
    I know that licensing is run by the endpoints which are in the Online User (posture assessed) list.
    Let's say I purchased a NAC server with 100 licenses. What happens if a client connects to the network as the 101st user? Is there a flexible licensing option as in other security products of Cisco?
    Also, does anyone have any info about the roadmap of licensing for Cisco NAC products, such as central management of licenses, license pools, etc.?
    Thanks in advance.
    Any comments appreciated.
    Dumlu

    Thanks a lot.
    You said "BPEL developer should make sure unique value is supplied for correlation..", but I am confused:
    does "BPEL developer" mean business process developer (process caller) or BPEL engine developer (process runtime environment developer)?
    This afternoon, I installed Oracle PM and did some tests. The BPEL server creates two process instances which have the same correlation data.

  • NAC Server without NAC manager

    Hi,
    Would like to know whether NAC server (NAC appliance 3355) is enough to provide NAC functionality without NAC manager in the network for one location say Datacenter.
    Regards,
    Ashok

    Hi Ashok,
    You can use a single CAS in the network in a single location in case you have a centralized CAM for multiple locations, but you would need at least one CAM to manage all the CAS servers, as all the settings and policies for CAS are stored in CAM.
    Moreover, the CAS product licenses are generated based on the eth0 MAC address of the CAM, so at least one CAS is essential.
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp39625
    HTH!
    Regards,
    Sumir

  • NAC Server still in "Fallback: Allow All" state

    Hi Guys,
    I have a strange behaviour on my NAC Server.
    Today I saw that my NAC Server is in Fallback: Allow All state and the CAM is in Manager: DEAD, but
    in the CAM web administration I can access that CAS.
    The CAS can ping the CAM too.
    There are two things that were changed in the last month.
    The CAM was moved to another city and they are using a 2MB link connection between them.
    The IP address of the CAM was changed.
    I've checked my link connection between them because my CAM is in a different city from the CAS, but my link is at 50% load.
    Does anyone know any possibility to solve this?

    Hi,
    Are you using IP-based certs or domain name? Also make sure when you do an nslookup that the CAS is able to resolve the IP address of the CAM. Also check your firewall and make sure that you are allowing all IP traffic between the CAS and the CAM.
    Also check your certs on the CAM and make sure that they haven't expired. Are you using a standalone CAM and CAS setup or are they in failover configuration?
    Thanks,
    Tarik

  • NAC Server and NAC Manager installation

    Hi experts,
    When I've tried adding NAC Server to NAC Manager in CAM web management, it prompts: Failed to add server: Could not connect to 10.130.80.81
    Is there anything I can do for solving this?
    I'm new to NAC Manager and Server installation.
    The version using is 4.8.2
    BTW, I don't know how to generate SSL certificates (not temporarily) for installation, can anyone help also?
    Thanks in advance!
    Regards,
    Daniel

    Hi Daniel,
    This is related to the certificate issue.
    Just generate a temp certificate in NAM and NAS.
    Export the certificate along with the key and store it in a different location.
    Then in the SSL option there is trusted certificate authority.
    Load the NAS certificate in NAM and the NAM certificate in NAS, then try to configure or add NAS to NAM.
    It will work.

  • Question concerning NAC server

    Does the NAC server have the ability to provide bandwidth usage limiting on a per user or per device basis.  The feature list I have seen doesn't seem to list this option.
    Thank you

    It can do that yes.
    On the clean access server configuration page (through the manager), go to "filter" , "Roles", "bandwidth"
    You can set bandwidth restriction per role (so a kind of group of users). You can also choose to share the limitation between all the clients currently connected in that group, or to give that limitation to each client.
    Example if you restrict to 100Kb/s the user role "marketing", then you can either have the whole marketing department limited to 100kb/s regardless of the number of marketing users connected or say that each marketing employee is restricted to 100kb/s.
    I hope this answers.
    Nicolas

  • L3 OOB NAC Server loadbalanced by ACE

    Hi, is there any documentation or information on NAC server load balancing by Cisco ACE? I want to know what the typical setup looks like and what the traffic flow is. Is there a way to configure NAC clients to talk to the NAC directly after being load balanced by the ACE? Meaning traffic flow going
    users>ACE>NAC Server Untrusted interface>user <---- during authentication
    instead of
    user>ACE>NAC Server Untrusted interface>ACE>user.

    Adrian,
    I've seen some internal documents on this. Please ping your account team and they can possibly help you out with the design for this.
    HTH,
    Faisal

  • Cisco NAC Server

    Hello! Help me please!
    I performed an installation of Cisco NAC Server 3315 ver. 4.8(2), but after that I can't connect to the server by https - HTTP 403 Forbidden. I can connect to the NAC Server by ssh.
    What could be the reason?

    While rebooting , i am getting this:
    Starting nc_drivers:  /dev/nfastpci0
    [  OK  ]
    Starting nc_hardserver:  waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    nCipher server did not start; see /opt/nfast/log/hardserver.log
    [FAILED]
    Starting sshd:WARNING: initlog is deprecated and will be removed in a future release
    key_load_private_pem: RSA_blinding_on failed
    Could not load host key: /root/.perfigo/sec/tomcat.key
    Disabling protocol version 2. Could not load host key
    sshd: no hostkeys available -- exiting.
    [FAILED]
    Starting xinetd: [  OK  ]
    Starting console mouse services: [  OK  ]
    Starting nessusd: Loading the Nessus plugins...
    All plugins loaded                                  
    [  OK  ]
    Starting crond: [  OK  ]
    Starting anacron: [  OK  ]
    Starting atd: [  OK  ]
    Starting jexec:  Starting jexec services[  OK  ]
    Starting Ncipher services
    -- Running startup script 45drivers
    -- Running startup script 46exard
    -- Running startup script 50hardserver
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    waiting for nCipher server to become operational ...
    nCipher server did not start; see /opt/nfast/log/hardserver.log
    Starting perfigo:  click: starting router thread pid 2092 (f7b7d340)
    Failed execute command : CONNECTFORCE, Error : Connection refused
    BaseAgent process reconnecting...
    Failed execute command : ACTIVE, Error : Connection refused
    BaseAgent executes [ACTIVE] ...
    Link Detect Manager only operates when HA is enabled.
    NFastApp_Connect failed: ServerNotRunning
    And then in the hardserver log I am getting nCipher card not in operational mode. Please change the settings on the card.
    How to resolve the issue.
    Thanks
    Shalvi Yadav

  • Scenario related to NAC server with high availability

    Hello
    I am looking for a good scenario related to NAC server with high availability, covering how it works, how the physical connection could be to each core, and what the P-service is.
    Thanks for your time

    Hi,
    Here's the documentation regarding the HA setup:
    http://www.cisco.com/en/US/customer/docs/security/nac/appliance/installation_guide/hardware/47/hi_ha.html
    http://www.cisco.com/en/US/customer/products/ps6128/products_configuration_example09186a00808fbc0f.shtml
    HTH,
    Faisal

  • NAC Server Fallback Feature and OOB Deployment

    Hi,
    I would like to know how the NAC Server fallback feature works in an OOB deployment.
    The documentation says that there are three options (ignore, allow all, block all).
    When you have the allow all option enabled, does the NAC put the user in an access VLAN, or does the user just access the network through the authentication VLAN?

    Hi,
    Assuming the CAM has failed, the CAS would allow all traffic from the AUTH VLAN to the ACCESS VLAN. Since the CAM has failed, the switchports which are not in the AUTH VLAN would behave per the rules/ACLs on the VLAN they're in and won't get flipped over.
    HTH,
    Faisal

  • Three NAC server deployment

    Hello guys,
    Could you suggest a workaround to bypass the HA limitation of only two NAC servers. 
    The problem is we already had two NAC guest servers in active/active mode but now we have a third one at a new branch, which would need to share the same user DB.
    Is there a way to replicate the data from the cluster to this remote NAC server?
    The idea is achieving a scenario like working with multiple ACS servers distributed worldwide and sharing the same user data.
    Thanks,
    Lucas

  • Difference between NAC profiler/collector and NAC server

    Hi,
    could anyone tell me the difference between NAC collector and NAC server?
    Thank you very much.
    Best regards.
    Giuseppe

    Sorry edunn, but your description of the NAC Collector is not particularly helpful. If I may:
    The NAC Profiler/collector is OEM'd from Great Bay Software. It performs automatic whitelisting of agentless devices, like IP phones and PBXs, printers, etc. In a NAC deployment without the profiler you'd have to go in to the NAC Server and manually enter the MAC addresses and/or IP addresses of devices that should bypass authentication and/or posture assessment. In a small environment that's not a big deal, but with multiple offices and/or subnets (with lots of phones or printers) this can be a hassle. It's also a big risk: If I know you're whitelisting by MAC/IP I'll just go to a printer, print out its config page, set my NIC to have the same settings, and boom - I've just bypassed your $$ NAC solution, thankyouverymuch.
    The nice thing about the NAC profiler is that it's -not- static: every time a switchport goes up/down, or a new MAC address is detected, an SNMP trap gets sent to the profiler. You can also forward (via ip-helper) all DHCP requests to the profiler (it doesn't respond or issue an IP address, of course, but it does look at what options you requested.) It will look at the MAC vendor address, IP address, DHCP options, network traffic (via Netflow), SPAN port traffic, has an open port (eg. 9100 or 515 for printing) or a combination of the above, and dynamically whitelist agentless devices based on confidence level.
    It's sort of like a reverse Turing test: if a device says it's 'dumb' (no agent) AND acts the way it's supposed to, it gets whitelisted. But if the Profiler starts seeing a supposed printer surf the Internet (or start receiving traffic on a port it should, or whatever), then it dynamically removes it from the whitelist, and now it will need to authenticate and pass posture.
    You can define different profile groups and what parameters are required for each, and set which groups get whitelisted.
    So basically the NAC Server is the gatekeeper, the NAC Manager is the global policy manager, and the NAC Profiler is the automatic whitelister.
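
The confidence-based whitelisting described in the post above, as an added example (not part of the original thread and not the Cisco/Great Bay product's algorithm): several independent signals feed a score, a matching MAC alone stays below the threshold, and off-profile traffic revokes the entry. The weights, threshold, OUI, DHCP fingerprints and port lists are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed profile: every value here is an illustrative assumption.
PRINTER_PROFILE = {
    "threshold": 70,
    "weights": {"mac_vendor": 30, "dhcp_options": 30, "open_port": 40},
    "vendor_ouis": {"00:11:22"},               # constructed OUI
    "dhcp_fingerprints": {"1,3,6,15,44,47"},   # constructed option list
    "expected_ports": {9100, 515},             # print ports named in the post
    "allowed_dst_ports": {53, 67, 123, 161},   # traffic a printer may start
}

@dataclass
class Endpoint:
    mac: str
    dhcp_options: str = ""                          # requested DHCP options
    open_ports: set = field(default_factory=set)    # listening ports seen
    flows: list = field(default_factory=list)       # dst ports it initiated

def confidence(ep, profile):
    """Sum the weights of every signal that matches the profile."""
    w, score = profile["weights"], 0
    if ep.mac[:8].lower() in profile["vendor_ouis"]:
        score += w["mac_vendor"]
    if ep.dhcp_options in profile["dhcp_fingerprints"]:
        score += w["dhcp_options"]
    if ep.open_ports & profile["expected_ports"]:
        score += w["open_port"]
    return score

def violations(ep, profile):
    """Destination ports the device used that the profile does not allow."""
    return sorted({p for p in ep.flows if p not in profile["allowed_dst_ports"]})

def evaluate(ep, profile):
    """Return (whitelisted, reason); behaviour can revoke a good score."""
    score = confidence(ep, profile)
    if score < profile["threshold"]:
        return False, f"confidence {score} below {profile['threshold']}"
    bad = violations(ep, profile)
    if bad:
        return False, f"off-profile traffic to ports {bad}"
    return True, f"confidence {score}"

# Constructed observations: a printer, a host reusing its MAC, a drifting device.
SAMPLES = {
    "printer": Endpoint("00:11:22:AA:BB:CC", "1,3,6,15,44,47", {9100}, [53, 123]),
    "same_mac": Endpoint("00:11:22:AA:BB:CC", "1,3,6,15,31,33", {445}, [53, 443]),
    "drifting": Endpoint("00:11:22:AA:BB:CC", "1,3,6,15,44,47", {9100}, [53, 443, 80]),
}

if __name__ == "__main__":
    for name, ep in SAMPLES.items():
        print(name, evaluate(ep, PRINTER_PROFILE))
```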
