NAC Switch Configuration

Hi!!
     I have bought a NAC Server and a NAC Manager, to manage centrally the VLAN where the users connect to based on the authentication.
     I have several sites, but the NAC server will be in the headquarters.
     When a remote user authenticates, the nac should configure the user switch port for the right vlan.
     Is this an out-of-band solution?
     Do I need a specific license for out-of-band?
Best Regards,
Miguel Amaral

Hi,
You need at least 2 licenses:
1 - CAM license -> This license is the one you install the first time you access the CAM WEB GUI.
2 - CAS license -> This license needs to be installed so that you can add Clean Access Servers to the CAM.
Did you install the CAS license?
If not, you need to get the Product Activation Key (PAK) you received along with the CAS and go to the licensing web page https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet, and request a CAS license. Please note that you need to enter the Clean Access MANAGER eth0 MAC address for the Clean Access Server (CAS) license.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

    Hello,
    I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:
    Core Switch:
    VLAN DB:
    vlan 10
    name VLAN_DEPT1
    vlan 11
    name VLAN_DEPT2
    vlan 20
    name VLAN_DEPT3
    vlan 26
    name VLAN_DEPT4
    vlan 27
    name VLAN_DEPT5
    vlan 28
    name VLAN_DEPT6
    vlan 29
    name VLAN_DEPT7
    vlan 30
    name VLAN_DEPT8
    vlan 32
    name VLAN_DEPT9
    vlan 50
    name VLAN_NetMGT
    vlan 51
    name VLAN_CAS_MGT
    vlan 52
    name VLAN_CAM_MGT
    vlan 210
    name VLAN_DEPT1_Auth
    vlan 211
    name VLAN_DEPT2_Auth
    vlan 220
    name VLAN_DEPT3_Auth
    vlan 226
    name VLAN_DEPT4_Auth
    vlan 227
    name VLAN_DEPT5_Auth
    vlan 228
    name VLAN_DEPT6_Auth
    vlan 229
    name VLAN_DEPT7_Auth
    vlan 230
    name VLAN_DEPT8_Auth
    vlan 232
    name VLAN_DEPT9_Auth
    Interface Configs
    interface GigabitEthernet3/41
    description "Link to Cisco CAM-PRI eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/42
    description "Link to Cisco CAM-FO eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/43
    description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/44
    description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/46
    description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet3/48
    description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet1/1
    description "Trunk link to DEPT1 Access SW"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    !------- Example of VLAN Interface --------
    interface Vlan10
    description "DEPT1 VLAN"
    ip address x.x.10.1 255.255.255.0
    ip helper-address x.x.50.5
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    !------- No VLAN Interface for AUTH VLAN 210 --------
    Access Switch Configuration
    interface GigabitEthernet0/1
    description "Trunk Link to Core Switch"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    no ip address
    interface GigabitEthernet0/6
    switchport access vlan 30
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    =========================================
    Is the above config correct?
    Thanks

    Hi,
    By bogus I assume you mean something like:
    interface Vlan700
    description "BIT BUCKET for unused ports"
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    shutdown
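    The question above asks whether the OOB Virtual Gateway config is correct. The properties that actually matter for security in that design are layer-2 ones: every access VLAN has a one-to-one auth VLAN that the CAS maps it to, the auth VLANs have no SVI (otherwise an unauthenticated host could route around the CAS), and the CAS eth1 (untrusted) trunk carries only auth VLANs while the CAS eth0 (trusted) trunk carries none of them. The script below is an added example, not code from the thread, that parses an IOS-style config and reports violations of those rules. It assumes the thread's naming conventions: auth VLAN names end in `_Auth`, auth VLAN id = access VLAN id + 200, management VLAN names contain `_MGT`, and the CAS trunk descriptions contain the words "Trusted" / "UN-Trusted". The sample config is constructed and contains three deliberate mistakes so the checks have something to find.

```python
import re

# Constructed sample, patterned after the core switch config in the thread
# (names kept, addresses invented). Deliberate mistakes: VLAN 20 has no auth
# twin, Vlan211 has an SVI, and the trusted trunk also allows VLAN 211.
SAMPLE_CONFIG = """\
vlan 10
 name VLAN_DEPT1
vlan 11
 name VLAN_DEPT2
vlan 20
 name VLAN_DEPT3
vlan 51
 name VLAN_CAS_MGT
vlan 210
 name VLAN_DEPT1_Auth
vlan 211
 name VLAN_DEPT2_Auth
interface GigabitEthernet3/43
 description Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network
 switchport mode trunk
 switchport trunk allowed vlan 210,211
interface GigabitEthernet3/46
 description Trunk to Cisco CAS-PRI eth0 / Trusted Network
 switchport mode trunk
 switchport trunk allowed vlan 10,11,20,50-51,211
interface GigabitEthernet1/1
 description Trunk link to DEPT1 Access SW
 switchport mode trunk
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan211
 ip address 10.0.211.1 255.255.255.0
"""

AUTH_OFFSET = 200  # assumption: access VLAN n <-> auth VLAN 200+n, as in the thread


def expand_vlan_list(spec):
    """Expand an IOS 'allowed vlan' list such as '10,11,26-30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Return ({vlan_id: name}, {interface_name: [config lines]})."""
    vlans, interfaces, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m:
            current = ("vlan", int(m.group(1)))
            vlans[current[1]] = ""
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = ("if", m.group(1))
            interfaces[current[1]] = []
            continue
        if current and current[0] == "vlan" and line.startswith("name "):
            vlans[current[1]] = line[5:].strip()
        elif current and current[0] == "if":
            interfaces[current[1]].append(line)
    return vlans, interfaces


def check_vgw(vlans, interfaces, auth_offset=AUTH_OFFSET):
    """Return a list of findings describing VGW layer-2 separation problems."""
    findings = []
    auth_vlans = {v for v, n in vlans.items() if n.lower().endswith("_auth")}
    access_vlans = {v for v, n in vlans.items()
                    if v not in auth_vlans and "_mgt" not in n.lower()}

    # 1. The CAS maps access VLAN <-> auth VLAN 1:1, so each side needs its twin.
    for v in sorted(access_vlans):
        if v + auth_offset not in auth_vlans:
            findings.append(f"access VLAN {v} has no auth VLAN {v + auth_offset}")
    for v in sorted(auth_vlans):
        if v - auth_offset not in access_vlans:
            findings.append(f"auth VLAN {v} has no access VLAN {v - auth_offset}")

    for name, lines in interfaces.items():
        # 2. Auth VLANs must stay layer-2 only: an addressed SVI would let an
        #    unauthenticated host route around the CAS.
        m = re.match(r"Vlan(\d+)$", name)
        if m and int(m.group(1)) in auth_vlans:
            if any(l.startswith("ip address ") for l in lines):
                findings.append(f"{name}: auth VLAN has an SVI with an IP address")
            continue
        # 3. CAS trunks: untrusted side carries only auth VLANs, trusted side none.
        #    Assumption: the description says which side the trunk faces.
        desc = " ".join(l for l in lines if l.startswith("description")).lower()
        allowed = None
        for l in lines:
            if l.startswith("switchport trunk allowed vlan "):
                allowed = expand_vlan_list(l[len("switchport trunk allowed vlan "):])
        if allowed is None:
            continue
        if "untrusted" in desc.replace("-", ""):
            bad = allowed - auth_vlans
            if bad:
                findings.append(f"{name}: untrusted trunk carries non-auth VLANs {sorted(bad)}")
        elif "trusted" in desc:
            bad = allowed & auth_vlans
            if bad:
                findings.append(f"{name}: trusted trunk carries auth VLANs {sorted(bad)}")
    return findings


def run_checks(config=SAMPLE_CONFIG):
    vlans, interfaces = parse_config(config)
    return check_vgw(vlans, interfaces)


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
```

    Run against the sample it reports the missing auth VLAN 220, the SVI on Vlan211 and VLAN 211 leaking onto the trusted trunk; the access-switch uplink (Gi1/1) is deliberately not checked, because in OOB the uplink legitimately carries both auth and access VLANs while ports move between them.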

  • Invalid switch configuration-oob error

    Hi all,
    We are using NAC in OOB Virtual Gateway mode only for wireless users. But we are facing an error on the user PC stating that:
        invalid switch configuration-OOB error: OOB client MAC ADD/IP ADD not found. Please contact your network administrator.
        Please contact your administrator if the problem persists.
    Thanks in advance.

    Please check your SNMP settings on the WLC and the manager. This is usually seen when the agent passes the MAC address and client IP address to the CAS but the CAM never receives the MAC notification trap.
    thanks,
    Tarik

  • "Server either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned" error driving me nuts!

    OK; I have been trying to set up a test VM-based RDS deployment for a few days now with no luck.
    This error mentioned above:
    "Server <server name> either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned" is driving me nuts!
    I have removed and re-added the RD Virtualization Host role numerous times, each time having the "create a virtual switch" checkbox selected, but it did NOT create any virtual switch.
    I created the external virtual switch manually and tried to create the desktop collection again, no luck with the same error.
    A few questions:
    1. You don't assign an IP to a switch! You assign an IP to network interfaces. Why does the error put it like this?! It is technically wrong. (Yeah yeah, I know all about how you'd assign an IP to managed switches in the real world to telnet into them and manage them. You know better than me that it is not the case here!)
    2. The RDS Virtualization Hosts are using their WiFi card as the card for the virtual switch. Could that be the reason? I even disabled their unplugged wired NIC just to make sure that the WiFi is the only available option for the RDS wizard to use for the virtual switch creation; but it didn't use it and it didn't create any virtual switch automatically.
    3. If the WiFi NIC is indeed the reason, is it your suspicion, or is there an official document somewhere stating so (that the WiFi NICs on Virtualization Hosts are not supported as the hub for a virtual switch)?
    4. What are the properties of the virtual switch the RDS requires? Does it have to be external? Why can't it work even with my manually created external switch?
    5. How would I fix it?
    P.S.: the environment is made up of 2 laptops, having Windows 2012 R2 trial installed on them, using their WiFi to connect to the outside world. No cable is plugged into their wired NIC card.

    Hi,
    Thank you for posting in Windows Server Forum.
    The simplest short-term solution was to connect each computer to a small switch that had no other connectivity. This brought up the link light on the external NIC and allowed the creation of the collection to complete. You need to use an external switch. You can create one external switch which might fix the problem.
    Please check the article below for information.
    VDI Deployment Error About Virtual Switch
    In addition please refer to this article for information regarding virtual switches.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Switch configuration for APs

    We are trying to install a 2106 controller with a few 1261 APs which we have downgraded to Lightweight.
    We are getting our heads around the 2106 config but are unsure as to what config to put on the switchport the APs connect to.
    As far as our reading goes it is best practice to plug the APs into a network switch and trunk VLANs from the switch to the controller.
    Bit confused about the way the APs connect to the switch.
    Thanks
    Roger

    Hi,
    As I understood ... you need to map an existing VLAN subnet with your WLAN ...
    You will have interfaces which you first need to configure on your controller:
    1) Management IP of WLC
    2) AP-manager
    3) dynamic interface which will be used to map the VLAN with the respective WLAN
    4) virtual
    Procedure:
    1) If you do not have a separate DHCP configured, first you need to create the VLAN, then configure the SVI interface with an IP address and a DHCP pool for your AP to get an IP address in your L3 switch which is connected to your controller, with the default-router command which will point to your switch.
    2) Log in to your controller through the console and configure the management IP address.
    command  : WLC( config ) > interface address management ... ip address... mask .... gateway ( it will be your switch )
    Configure the AP-manager interface with the above command with the ap-manager option.
    Now on the switch side you configure the one port which is connected to your controller as a TRUNK.
    Connect the AP to any port which will be configured with the above VLAN which you have configured in the L3 switch.
    Now the AP should get registered; then follow the procedure below for getting clients connected to the respective WLAN.
    3) Once you have configured that, log in to the GUI of the controller and configure a dynamic interface with the existing VLAN subnet and give the DHCP server IP address if you have one, or else configure the DHCP pool for users also.
    4) Go to the "wireless" option.
    5) Select the respective WLAN and map the VLAN with the respective dynamic interface.
    Check whether clients got an IP address.
    Please let me know ........ if you have doubts about it.

  • Switch configuration distributed environment

    Hi
    I have ISE 1.2 and catalyst 2960
    Please, I need a document with a controller and switch configuration example in a distributed environment (primary and secondary ISE MNT PSN).
    Thanks

    https://supportforums.cisco.com/docs/DOC-18325
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html
    https://supportforums.cisco.com/docs/DOC-18121

  • IviSwitch loses value when sending "configure switch" configuration = TRUE

    Hi all,
    We are currently evaluating TestStand 4.1 with a Keithley 3706 system switch multimeter.
    After a first enthusiasm, thinking this tool together with the switch multimeter fits our needs perfectly, real life seems somewhat harder.
    Between several other problems, we need to tell the device that the channels "s1com1" and "s1com2" are configuration channels.
    Configuring the TestStand step: Edit IVI Switch Step -> IVI switching, Configure Switch: Channels "s1com1", Configuration = True
    leads to two actions observable in NI Spy:
    GetAttributeViBoolean(...,"s1com1", _IS_CONFIGURATION_CHANNEL , VI_FALSE)
    SetAttributeViBoolean(...,"s1com1", _IS_CONFIGURATION_CHANNEL , VI_FALSE)
    Manually calling these class functions from an interactive CVI fp works as expected (setting it to VI_TRUE).
    Does anybody have any hint what we could be doing wrong? Currently we are just about to write wrappers in CVI and skip all the wonderful IVI step types in TestStand.
    Looking forward to any feedback
    David Clus
    Solved!
    Go to Solution.

    David -
    This might be the same problem that we recently discovered in our internal testing. For the problem that we found, we will likely include our fix in an upcoming maintenance release. Can you verify whether the problem still occurs if you change your regional settings to English in the control panel? If the problem no longer occurs, can you use this as a workaround for now?
    Message Edited by Scott Richardson on 10-06-2008 10:48 AM
    Scott Richardson
    National Instruments

  • Redundant Switch Configuration

    I'm trying to set up two Catalyst 3750X-48T-L switches to support redundant networking. Most pieces of equipment will have two Ethernet interfaces, each on separate subnets.
    So far, I've got the switches configured as separate VLANs, connected together with stack cables as shown below. I can propagate Ethernet traffic in each subnet/VLAN independently. However, I cannot get packets routed across the VLANs/subnets.
    I'm looking for guidance on what additional steps are needed. Do I need to define each port as a trunk connection?

    If you want to route between the VLANs then you need to have L3 VLAN interfaces (SVIs) on the switches.
    So for each VLAN you need to create an SVI and assign it an IP address from the IP subnet used for that VLAN.
    Then you set the default gateway of the clients in that VLAN to be the SVI IP address.
    Note - if your switches are stacked you only need to create the SVIs on the stack master.
    Edit - I haven't used 3750-X switches so you may also need to enable IP routing using the "ip routing" command.
    Jon

  • SF300 switch configuration

    Hello, this is Shanker from India. Can you tell me the SF300 switch configuration? How do I disable traffic?
    My picture is like this: I have a ring network connected to my Gig port but I don't want input on ports 1 to 24.
    So tell me how to configure it.

    Hi Siva,
    Now it would be a good idea to upgrade the boot code and firmware to the latest ones:
    firmware: 1.4.0.88
    boot code: 1.3.5.06
    to download:
    http://software.cisco.com/download/release.html?mdfid=283019670&softwareid=282463181&release=1.4.0.88&relind=AVAILABLE&rellifecycle=&reltype=latest
    for boot code upgrade:
    http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=f1e39061efb14c94a570bcbd6582167b_Firmware_Upgrade_Troubleshooting_on_300_and_500_Series_Manag.xml&pid=4&fcid=&fpid=&slnid=6
    Regards,
    Aleksandra

  • How can I automate switch configuration

    I am looking for a way to automate switch configurations. I want to create a standard configuration that I can apply to all new switches. What methods (software, scripts etc) are available to automate the configuration process? Ideally, the system would download and install a standard image and then apply a baseline config, which I could modify as needed after initial install.
    Thanks

    Sorry, this is correct URL - http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca735.html
    Also search Cisco website for release notes for your specific product since there might be some differences in supported features (like auto save of configuration after auto-install finished etc.). Here is one of them:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5013/prod_bulletin0900aecd803fdc15.html
    Regards,
    iLya

  • Configuration Help 1130AG-VoIP-Vlans-Switch Configuration

    1130AG running c1130-k9w7-tar.124-3g.JA1, in autonomous mode.
    VoIP - Call Manager 6.x, Cisco phones only.
    VLANs - Open, secure data using WPA2; the VoIP VLAN is using pre-shared keys.
    Switch configuration - C3548XLs, C3560-48PS, 6509 cores.
    I have been looking for configuration examples to help me configure the interfaces from the 3548XL and the C3560-48PS switches to the 1130AG.
    Configuration between the C3548XLs, C3560-48PS, and 6509 cores on the trunk ports for QoS.
    The Call Manager is on VLAN 210 and the VLAN for the wireless voice is 202.
    Any suggested links would be great; I think I have found most of it but want to be sure.
    Thanks

    Just to expound upon the commands that were not working: I did use the /? switch to see available commands, so for example, for the mls qos trust dscp command, I entered mls qos trust /? and the only option was cos.
    I globally configured the switches with:
    lldp run
    no lldp tlv-select power-management
    mls qos
    network-policy profile 50
    voice vlan 50 dscp 46
    All of these commands worked fine. I was going to assign network-policy 50 on each access port along with the commands mls qos trust dscp and auto qos voip trust too, but did not get to that step.

  • Update Switch Configuration from Switch Executive 2.1 to 3.5

    Hi everybody,
    I tried to update from Switch Executive 2.1 to 3.5 and had to find out that my configurations have stopped working. To me, it looks like 3.5 doesn't like my IVI configuration for the switching modules.
    The Verify function in MAX tells me that the PXI cards are not accessible. The front page of the switch configuration shows no configurations / terminal blocks.
    Since the configuration consists of nine matrix cards with a lot of hardwires, I'd really appreciate a way to properly import the old configurations (XML files are available).
    Any ideas?
    Cheers
    Oli
    Programming languages don't create bad code, programmers create bad code....
    Solved!
    Go to Solution.

    Hey Oli,
    Background:
    By default, NISE 3.5 and later use the DAQmx API (instead of IVI) to directly control switch modules. This is different from previous versions, which required setting up an IVI session for each NI Switch module. You can still use IVI with NI Switch modules in NISE 3.5 and later, but this is not the default behavior.
    The KB Sebastian referenced lists three different upgrade paths to use exported IVI virtual devices in NISE 3.5 and later. As you've discovered, NISE 2.1 has fewer export formats, so we'll need to take the following steps:
    Assumptions:
    You have virtual devices created in NISE 2.1 (file format doesn't matter).
    IVI sessions and logical names haven't been set up on your NISE 3.5 machine.
    Action items:
    Create IVI sessions and logical names. You could manually create the IVI sessions (as mentioned in the KB), but there's a MUCH easier method:
    Right click on the NISE Virtual Devices tab and select 'Create New'.
    Click the 'auto create IVI devices' button. A dialogue will pop up... just click yes.
    The NISE Create Virtual Device window should now show the IVI devices.
    Notice that we now have IVI devices. Sweet! So now just click cancel (yes, cancel)... we only used this dummy virtual device to simplify the IVI creation process.
    If you look in MAX, it'll appear as if there still aren't any IVI devices.
    Fear not, all we need to do is refresh. To do this, hit F5, and voila!
    So now all you need to do is change the IVI logical name to whatever your old IVI logical name was and then import as normal.
    At this point, you should be operational using IVI devices in NISE 3.5 (if not, post up). If you'd like to go one step further and upgrade to purely DAQmx calls, just follow the steps in the 'Upgrading from IVI to NI-DAQmx' section. Note that once you've upgraded to DAQmx, you'll only be able to use exported virtual devices with NISE 3.5 and later.
    Have a great day!
    -John Sullivan
    Analog Engineer

  • NAC Appliance Configuration Question

    Hi,
    I am building a new VPN implementation for a customer using a Cisco ASA 5550 and a NAC 3350 appliance. Due to the availability of switch ports, my customer is inquiring to see if the ASA can be cabled directly to the untrusted interface on the CAS. I plan to implement the CAS in VGW mode.
    If this is possible, how would the VLAN mapping work in VGW with this implementation? Do I need to configure a trunk on the ASA to pass the VLAN tags to the CAS to map the untrusted to the trusted VLAN?
    Thanks for your assistance.

    Thanks Jesse,
    I do agree that having this configuration will limit them on redundancy and most likely we will go with a switched approach. If we have both the untrusted and the trusted interfaces connected to the same switch with an edge deployment, do I need VLAN mapping configured or can the NAC bridge the two VLANs without the mapping? I suspect without mapping we would introduce loops.
    Based on the examples I've seen on cisco.com with VPN concentrators, VLAN mapping is used with 4 VLANs: 2 are native VLANs and an untrusted and an untrusted VLAN. This was the same approach I was going to use. Also note that the ASA will not be used for Internet access, only VPN. See the image below: the ASA would connect to the switch as an access port on VLAN 3. The customer's internal LAN would connect to VLAN 2.

  • NAC Redundant Configuration

    Dear Pros,
    Could anyone suggest to me a solution for how to design the redundant NAC Server and NAC Manager and their configuration? We are in the process of implementing the redundant NAC config for the customer (2 x NAC Server + 2 x NAC Manager).
    swami

    Hi,
    The heartbeat interface has to be on a switched network, not on a routed network; therefore if you have the primary appliance on one side and the secondary appliance on the other side of the building, make sure the interfaces are connected to the same VLAN belonging to the same VTP domain...
    I hope this helps, please rate if it does...
    Regards,

  • WLCM and NAC-NME configuration

    Has anybody deployed WLCM and NAC-NME in the same ISR 3800 box? What's the best practice and is there any configuration example?
    The customer has a small site with one 3825; one WLCM (interface Integrated-Service-Engine1/0) and one NAC-NME (interface Integrated-Service-Engine2/0) are put in the 3825. GE0/0 of the 3825 connects to the internal L3 switch, GE0/1 connects to the Internet. One WLAN has been configured in the WLCM (version 6.0.188) and will be protected by the NAC-NME (version 4.6.1).
    It is said that the NAC-NME does not support OOB mode and can only work in In-Band mode. Since Real IP Gateway mode has a lot of limitations, can the NAC-NME be configured in In-Band Virtual Gateway mode? If yes, then how to set up a Layer 2 connection between the WLCM (interface Integrated-Service-Engine1/0) and the untrusted interface (external G 0) of the NAC-NME?
    What I can think of is:
    Let me assume the quarantined VLAN of this WLAN is 310 and the real VLAN is 311; both the NAC-NME's untrusted interface (external G 0) and GE0/0 of the 3825 are connected to a 3750E L3 switch's G1/0/1 and G1/0/2; the untrusted interface management VLAN is 304 and the trusted interface management VLAN is 303. Then I can configure:
    1. For 3825:
    interface GigabitEthernet0/0.310
    encapsulation dot1Q 310
    bridge-group 1
    interface GigabitEthernet0/0.311
    encapsulation dot1Q 311
    bridge-group 2
    interface Integrated-Service-Engine1/0.310
    encapsulation dot1Q 310
    no ip address
    bridge-group 1
    interface Integrated-Service-Engine1/0.311
    encapsulation dot1Q 311
    no ip address
    bridge-group 2
    bridge 1 protocol ieee
    bridge 2 protocol ieee
    2. For 3750E:
    interface GigabitEthernet1/0/1
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 304,310,311
    switchport mode trunk
    interface GigabitEthernet1/0/2
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 310,311
    switchport mode trunk
    But how to configure interface Integrated-Service-Engine2/0 of the 3825 which is connected to the trusted interface of the NAC-NME?
    interface Integrated-Service-Engine2/0.303
    encapsulation dot1Q 303
    ip address x.x.x.x
    interface Integrated-Service-Engine1/0.311
    encapsulation dot1Q 311
    ip address y.y.y.y
    3. NAC-NME will configure VLAN mapping 310<-->311
    I have not tested these configurations (I don't have access to the 3825 yet; I will be able to access it next week), but I'm afraid that since GigabitEthernet0/0.311 of the 3825 has been configured as a bridge port, maybe Integrated-Service-Engine1/0.311 can't be configured as a L3 port.
    Is there anything else that needs to be configured? Or is there any other better design and configuration example? Any input is highly appreciated!

    You got a defective unit. Open a TAC case to get a replacement.
