NAC Switch Configuration
Hi!!
I have bought a NAC Server and a NAC Manager, to centrally manage the VLAN where the users connect to based on the authentication.
I have several sites, but the NAC server will be in the headquarters.
When a remote user authenticates, the nac should configure the user switch port for the right vlan.
Is this an out-of-band solution?
Do I need a specific license for out-of-band?
Best Regards,
Miguel Amaral
Hi,
You need at least 2 licenses:
1 - CAM license -> This license is the one you install the first time you access the CAM WEB GUI.
2 - CAS license -> This license needs to be installed so that you can add Clean Access Servers to the CAM.
Did you install the CAS license?
If not, you need to get the Product Activation Key (PAK) you received along with the CAS and go to the licensing web page https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet, and request a CAS license. Please note that you need to enter the Clean Access MANAGER eth0 MAC address for the Clean Access Server (CAS) license.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
Similar Messages
-
NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)
Hello,
I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:
Core Switch:
VLAN DB:
vlan 10
 name VLAN_DEPT1
vlan 11
 name VLAN_DEPT2
vlan 20
 name VLAN_DEPT3
vlan 26
 name VLAN_DEPT4
vlan 27
 name VLAN_DEPT5
vlan 28
 name VLAN_DEPT6
vlan 29
 name VLAN_DEPT7
vlan 30
 name VLAN_DEPT8
vlan 32
 name VLAN_DEPT9
vlan 50
 name VLAN_NetMGT
vlan 51
 name VLAN_CAS_MGT
vlan 52
 name VLAN_CAM_MGT
vlan 210
 name VLAN_DEPT1_Auth
vlan 211
 name VLAN_DEPT2_Auth
vlan 220
 name VLAN_DEPT3_Auth
vlan 226
 name VLAN_DEPT4_Auth
vlan 227
 name VLAN_DEPT5_Auth
vlan 228
 name VLAN_DEPT6_Auth
vlan 229
 name VLAN_DEPT7_Auth
vlan 230
 name VLAN_DEPT8_Auth
vlan 232
 name VLAN_DEPT9_Auth
Interface Configs
interface GigabitEthernet3/41
 description "Link to Cisco CAM-PRI eth0"
 switchport access vlan 52
 switchport mode access
 spanning-tree portfast
 spanning-tree guard root
 no cdp enable
 no ip address
interface GigabitEthernet3/42
 description "Link to Cisco CAM-FO eth0"
 switchport access vlan 52
 switchport mode access
 spanning-tree portfast
 spanning-tree guard root
 no cdp enable
 no ip address
interface GigabitEthernet3/43
 description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 777
 switchport mode trunk
 switchport trunk allowed vlan 210,211,220,226-230,232
interface GigabitEthernet3/44
 description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 777
 switchport mode trunk
 switchport trunk allowed vlan 210,211,220,226-230,232
interface GigabitEthernet3/46
 description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 700
 switchport mode trunk
 switchport trunk allowed vlan 10,11,20,26-30,32,50-51
interface GigabitEthernet3/48
 description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 700
 switchport mode trunk
 switchport trunk allowed vlan 10,11,20,26-30,32,50-51
interface GigabitEthernet1/1
 description "Trunk link to DEPT1 Access SW"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 700
 switchport mode trunk
!------- Example of VLAN Interface --------
interface Vlan10
 description "DEPT1 VLAN"
 ip address x.x.10.1 255.255.255.0
 ip helper-address x.x.50.5
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
!------- No VLAN Interface for AUTH VLAN 210 --------
Access Switch Configuration
interface GigabitEthernet0/1
 description "Trunk Link to Core Switch"
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 700
 switchport mode trunk
 no ip address
interface GigabitEthernet0/6
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
 spanning-tree guard root
 no cdp enable
 no ip address
=========================================
Is the above config correct?
Thanks
Hi,
By bogus I assume you mean something like;
interface Vlan700
 description "BIT BUCKET for unused ports"
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
 shutdown
-
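Added example (not from the thread and not Cisco code): a small Python checker for the OOB + Virtual Gateway core-switch layout posted above. It assumes the thread's conventions, namely that auth VLANs carry an `_Auth` suffix and are numbered access VLAN + 200, and that GigabitEthernet3/43 is the CAS untrusted trunk and GigabitEthernet3/46 the trusted trunk; the config it runs against is a constructed, condensed sample with two deliberate defects. It keys on `vlan N` and `interface X` lines, so a forum paste that has lost its indentation parses as well.

```python
import re

AUTH_OFFSET = 200      # assumption: access VLAN 10 pairs with auth VLAN 210, as in the thread
AUTH_SUFFIX = "_auth"  # assumption: auth VLANs are named *_Auth, as in the thread
# 'vlan N' and 'interface X' open a section; other lines belong to the current one,
# so no indentation is needed and a flattened forum paste still parses.
SECTION_RE = re.compile(r"^(vlan \d+|interface \S+)$", re.IGNORECASE)

# Constructed sample in the thread's layout, with two deliberate defects:
# auth VLAN 220 has no access VLAN 20, and auth VLAN 210 has an SVI.
CORE_CONFIG = """\
vlan 10
 name VLAN_DEPT1
vlan 210
 name VLAN_DEPT1_Auth
vlan 220
 name VLAN_DEPT3_Auth
interface GigabitEthernet3/43
 switchport trunk native vlan 777
 switchport trunk allowed vlan 210,220
interface GigabitEthernet3/46
 switchport trunk native vlan 700
 switchport trunk allowed vlan 10,50-51
interface Vlan210
 ip address 192.0.2.129 255.255.255.128
"""

def expand_vlan_list(spec):
    """'10,26-30' -> {10, 26, 27, 28, 29, 30}."""
    vlans = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    """Map each lower-cased section header to its list of stripped child lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if SECTION_RE.match(line):
            current = line.lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def vlan_table(sections):
    """{vlan_id: name} from the 'vlan N' sections."""
    table = {}
    for key, lines in sections.items():
        if key.startswith("vlan "):
            names = [ln.split(None, 1)[1] for ln in lines if ln.startswith("name ")]
            table[int(key.split()[1])] = names[0] if names else ""
    return table

def trunk_info(sections, ifname):
    """(allowed VLAN set, native VLAN) of a trunk port; native defaults to 1."""
    allowed, native = set(), 1
    for line in sections.get(f"interface {ifname.lower()}", []):
        if line.startswith("switchport trunk allowed vlan "):
            allowed = expand_vlan_list(line.split(None, 4)[4])
        elif line.startswith("switchport trunk native vlan "):
            native = int(line.split()[-1])
    return allowed, native

def check_oob_vgw(sections, untrusted_if, trusted_if):
    """Return findings as strings; an empty list means every rule holds."""
    findings, vlans = [], vlan_table(sections)
    auth = {v for v, n in vlans.items() if n.lower().endswith(AUTH_SUFFIX)}
    access = {v for v in vlans if v not in auth and v + AUTH_OFFSET in auth}
    for a in sorted(auth):
        if a - AUTH_OFFSET not in vlans:
            findings.append(f"auth VLAN {a} has no access VLAN {a - AUTH_OFFSET} in the VLAN database")
    un_allowed, un_native = trunk_info(sections, untrusted_if)
    tr_allowed, tr_native = trunk_info(sections, trusted_if)
    for v in sorted(un_allowed - auth):
        findings.append(f"{untrusted_if}: non-auth VLAN {v} allowed on the untrusted trunk")
    for v in sorted(auth - un_allowed):
        findings.append(f"{untrusted_if}: auth VLAN {v} missing from the untrusted trunk")
    for v in sorted(tr_allowed & auth):
        findings.append(f"{trusted_if}: auth VLAN {v} allowed on the trusted trunk")
    for v in sorted(access - tr_allowed):
        findings.append(f"{trusted_if}: access VLAN {v} missing from the trusted trunk")
    for ifname, allowed, native in ((untrusted_if, un_allowed, un_native),
                                    (trusted_if, tr_allowed, tr_native)):
        if native in allowed:
            findings.append(f"{ifname}: native VLAN {native} is also in its allowed list")
        if any(ln.startswith("ip address ") for ln in sections.get(f"interface vlan{native}", [])):
            findings.append(f"{ifname}: native VLAN {native} has an SVI with an IP address")
    for a in sorted(auth):
        if f"interface vlan{a}" in sections:   # the CAS bridges auth VLANs at L2; no SVI belongs here
            findings.append(f"interface Vlan{a} exists for auth VLAN {a}; remove the SVI")
    return findings

if __name__ == "__main__":
    for f in check_oob_vgw(parse_config(CORE_CONFIG), "GigabitEthernet3/43", "GigabitEthernet3/46"):
        print("FINDING:", f)
```

Run as-is it reports the two planted defects; the core-switch config posted in the question passes all of these rules, which is the structural half of "is the above config correct" (the checker says nothing about the CAM/CAS side, SNMP, or port profiles). The SVI rule is the one that matters most for security: a routed interface on an auth VLAN would give an unauthenticated host a gateway out of quarantine instead of forcing it through the CAS.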
Invalid switch configuration-oob error
Hi all,
We are using NAC in OOB Virtual Gateway mode only for wireless users. But we are facing an error on the user PC stating that,
invalid switch configuration-OOB error:OOB client MAC ADD/IP ADD not
found. Please contact your network administrator.
Please contact your administrator if the problem persists.
Thanks in advance.
Please check your SNMP settings on the WLC and the manager. This is usually seen when the agent passes the MAC address and the client's IP address to the CAS but the CAM never receives the MAC notification trap.
thanks,
Tarik
-
OK; have been trying to setup a test VM based RDS deployment for a few days now with no luck.
this error mentioned above:
"Server <server name> either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned" error is driving me nuts!
I have removed and re-added the RD Virtualization Host role numerous times, each time having the "create a virtual switch" checkbox selected, but it did NOT create any virtual switch.
I created the external virtual switch manually and tried to create the desktop collection again, no luck with the same error.
a few questions:
1. You don't assign an IP to a switch! You assign an IP to network interfaces. Why does the error put it like this?! It is technically wrong. (Yeah yeah, I know all about how you'd assign an IP to managed switches in the real world to telnet into them and manage them. You know better than me that it is not the case here!)
2. The RDS Virtualization hosts are using their wifi card as the card for the virtual switch. Could that be the reason? I even disabled their unplugged wired NIC just to make sure that the wifi is the only available option for the RDS wizard to use for the virtual switch creation; but it didn't use it and it didn't create any virtual switch automatically.
3. If the WIFI NIC is indeed the reason, is it your suspicion or is there an official document somewhere stating so (that the WIFI NICs on virtualization hosts are not supported as the hub for a virtual switch)?
4. What are the properties of the virtual switch the RDS requires? Does it have to be external? Why can't it work even with my manually created external switch?
5. How would I fix it?
P.S: the environment is made up of 2 laptops, having Windows 2012 R2 trial installed on them, using their wifi to connect to the outside world. No cable is plugged into their wired NIC card.
Hi,
Thank you for posting in Windows Server Forum.
The simplest short term solution was to connect each computer to a small switch that had no other connectivity. This brought up the link light on the external NIC and allowed the creation of the collection to complete. You need to use an external switch. You can create one external switch which might fix the problem.
Please check the article below for information.
VDI Deployment Error About Virtual Switch
In addition please refer to this article for information regarding virtual switches.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
-
We are trying to install a 2106 controller with a few 1261 APs which we have downgraded to Lightweight.
We are getting our heads around the 2106 config but are unsure as to what config to put on the switchport the APs connect to.
As far as our reading goes it is best practice to plug the APs into a network switch and trunk VLANs from the switch to the controller.
A bit confused about the way the APs connect to the switch.
Thanks
Roger
Hi,
As I understood ... you need to map existing vlan subnet with your wlan ...
you will have interfaces which you first need to configure on your controller .
1) Management IP of wlc
2) AP- manager
3) dynamic interface which will be used to map the vlan with respective wlan
4) virtual
procedure :
1) If you do not have a separate DHCP server configured, first you need to create the VLAN, then configure an SVI interface with an IP address and a DHCP pool for your AP to get an IP address on your L3 switch which is connected to your controller, with the default-router command pointing to your switch.
2) login to your controller through console and configure the management IP address
command : WLC( config ) > interface address management ... ip address... mask .... gateway ( it will be your switch )
configure AP-manager interface with above command with ap manager option ..
Now switch side you configure the one port which is connected to your controller as a TRUNK
connect ap to any port which will configured with above vlan which you have configured in l3 switch
Now AP should get registered and then follow below procedure for getting client connected to respective WLAN
3 ) once you configure login to gui of controller and configure dynamic interface with existing vlan subnet and give the dhcp server ip address if you have or else configure the dhcp pool for users also.
4) go to " wireless " option
5) select the respective wlan and map the vlan with respective dynamic interface
check whether clients got ip address.
Please let me know ........ if you have doubts about it
-
Switch configuration distributed environment
Hi
I have ISE 1.2 and catalyst 2960
Please, I need a document with a controller and switch configuration example in a distributed environment (primary and secondary ISE MNT PSN)
Thanks
https://supportforums.cisco.com/docs/DOC-18325
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html
https://supportforums.cisco.com/docs/DOC-18121
-
IviSwitch loses value when sending "configure switch" configuration = TRUE
Hi all,
we are currently evaluating Teststand 4.1 with a keithley 3706 system switch multimeter.
After a first enthusiasm, thinking this tool together with the switch multimeter fits perfect our needs, real life seems some harder.
Between several other problems, we need to tell the device, that the channel "s1com1" and "s1com2" are configuration channels.
Configuring the teststand step : Edit IVI Switch Step -> IVI switching, Configure Switch : Channels "s1com1", Configuration = True
leads to two actions observable in Ni Spy:
GetAttributeViBoolean(...,"s1com1", _IS_CONFIGURATION_CHANNEL , VI_FALSE)
SetAttributeViBoolean(...,"s1com1", _IS_CONFIGURATION_CHANNEL , VI_FALSE)
Manually calling these class functions from an interactive CVI fp works as expected (setting it to VI_TRUE).
Does anybody have any hint what we could do wrong? Currently we are just before writing wrappers in cvi and skipping all the wonderful IVIStep Types in teststand.
Looking forward to any feedback
David Clus
Solved!
David -
This might be the same problem that we recently discovered in our internal testing. For the problem that we found, we will likely include our fix in an upcoming maintenance release. Can you verify whether the problem still occurs if you change your regional settings to English in the control panel? If the problem no longer occurs, can you use this as a workaround for now?
Message Edited by Scott Richardson on 10-06-2008 10:48 AM
Scott Richardson
National Instruments
-
Redundant Switch Configuration
I'm trying to setup two Catalyst 3750X-48T-L switches to support redundant networking. Most pieces of equipment will have two Ethernet interfaces, each on separate subnets.
So far, I've got the switches configured as separate VLANs, connected together with stack cables as shown below. I can propagate Ethernet traffic in each subnet/VLAN independently. However, I cannot get packets routed across the VLANs/subnets.
I'm looking for guidance on what additional steps are needed. Do I need to define each port as a trunk connection?
If you want to route between the VLANs then you need to have L3 VLAN interfaces (SVIs) on the switches.
So for each VLAN you need to create an SVI and assign it an IP address from the IP subnet used for that VLAN.
Then you set the default gateway of the clients in that VLAN to be the SVI IP address.
Note - if your switches are stacked you only need to create the SVIs on the stack master.
Edit - haven't used 3750-X switches so you may also need to enable IP routing using the "ip routing" command.
Jon
-
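As an added example (not Jon's text and not Cisco code): the SVI-per-VLAN layout the reply describes, generated from a constructed VLAN/subnet inventory in Python. It assumes the gateway is the first usable host of each subnet, and it refuses to emit config when two VLAN subnets overlap, since two SVIs on overlapping networks cannot both be installed as connected routes and hosts would end up with the wrong gateway.

```python
import ipaddress

# Constructed inventory (not from the thread): VLAN id -> (name, subnet).
# Each piece of equipment in the thread has one interface per VLAN/subnet.
VLANS = {
    10: ("EQUIP_NET_A", "192.0.2.0/25"),
    20: ("EQUIP_NET_B", "192.0.2.128/25"),
}

def networks(vlans):
    """VLAN id -> ip_network object."""
    return {vid: ipaddress.ip_network(subnet) for vid, (_, subnet) in vlans.items()}

def find_overlaps(vlans):
    """Pairs of VLAN ids whose subnets overlap; must be empty before building config."""
    nets = networks(vlans)
    ids = sorted(nets)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:] if nets[a].overlaps(nets[b])]

def svi_address(net):
    """Convention assumed here: the SVI (and so the clients' default gateway)
    is the first usable host address of the subnet."""
    return next(net.hosts())

def client_gateway(vlans, vid):
    """Default gateway a host in VLAN vid should be configured with (as a string)."""
    return str(svi_address(ipaddress.ip_network(vlans[vid][1])))

def build_routing_config(vlans):
    """IOS config text: 'ip routing' plus one VLAN and one SVI per inventory entry.
    On a stack this is applied once, on the stack master, as the reply notes."""
    overlaps = find_overlaps(vlans)
    if overlaps:
        raise ValueError(f"overlapping subnets between VLANs: {overlaps}")
    nets = networks(vlans)
    lines = ["ip routing", "!"]   # the reply notes this may need enabling explicitly on 3750-X
    for vid in sorted(vlans):
        name, net = vlans[vid][0], nets[vid]
        lines += [f"vlan {vid}", f" name {name}",
                  f"interface Vlan{vid}", f" description {name} gateway",
                  f" ip address {svi_address(net)} {net.netmask}",
                  " no shutdown", "!"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_routing_config(VLANS))
```

The generated text is what you would paste into configuration mode on the stack master; `client_gateway` gives the matching default gateway for each VLAN's hosts, so the two sides of the thread's routing question come from the same inventory.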
Hello, this is Shanker from India. Can you tell me the SF 300 switch configuration: how to disable incoming traffic?
My picture is like: I have a ring network connected to my Gig port but I don't want input on ports 1 to 24.
So tell me how to configure it.
Hi Siva,
Now it would be good idea to upgrade boot code and firmware to the latest one:
firmware: 1.4.0.88
boot code: 1.3.5.06
to download:
http://software.cisco.com/download/release.html?mdfid=283019670&softwareid=282463181&release=1.4.0.88&relind=AVAILABLE&rellifecycle=&reltype=latest
for boot code upgrade:
http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=f1e39061efb14c94a570bcbd6582167b_Firmware_Upgrade_Troubleshooting_on_300_and_500_Series_Manag.xml&pid=4&fcid=&fpid=&slnid=6
Regards,
Aleksandra
-
How can I automate switch configuration
I am looking for a way to automate switch configurations. I want to create a standard configuration that I can apply to all new switches. What methods (software, scripts etc) are available to automate the configuration process? Ideally, the system would download and install a standard image and then apply a baseline config, which I could modify as needed after initial install.
Thanks
Sorry, this is the correct URL - http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca735.html
Also search Cisco website for release notes for your specific product since there might be some differences in supported features (like auto save of configuration after auto-install finished etc.). Here is one of them:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5013/prod_bulletin0900aecd803fdc15.html
Regards,
iLya
-
Configuration Help 1130AG-VoIP-Vlans-Switch Configuration
1130AG running c1130-k9w7-tar.124-3g.JA1, in autonomous mode.
VoIP - Call manager 6x, Cisco phones only,
Vlans - Open, secure data using WPA2, VoIP Vlan is using pre shared keys.
Switch Configuration - C3548xl's, C356048ps, 6509 cores
I have been looking for configuration examples to help me configure the interfaces from the 3546xl and the C356048ps switches to the 1130AG.
Configuration between the C3548xl's, C356048ps, and 6509 cores on the trunk ports for QoS.
The Call Manager is on Vlan 210 and the Vlan for the wireless voice is 202.
Any suggested links would be great, I think I have found most of it but want to be sure.
Thanks
Just to expound upon the commands that were not working, I did use the /? switch to see available commands, so for example, for the mls qos trust dscp command, I entered mls qos trust /? and the only option was cos.
I globally configured the switches with:
lldp run
no lldp tlv-select power-management
mls qos
network-policy profile 50
voice vlan 50 dscp 46
All of these commands worked fine. I was going to assign the network-policy 50 on each access port along with the commands of mls qos trust dscp, auto qos voip trust too, but did not get to that step.
-
Update Switch Configuration from Switch Executive 2.1 to 3.5
Hi everybody,
I tried to update from Switch Executive 2.1 to 3.5 and had to find out that my configurations have stopped working. To me, it looks like 3.5 doesn't like my IVI configuration for the switching modules.
The Verify function in MAX tells me that the PXI cards are not accessible. The frontpage of the switch configuration shows no configurations / terminal blocks.
Since the configuration consists of nine matrix cards with a lot of hardwires, I'd really appreciate a way to properly import the old configurations (xml files are available)
Any ideas?
Cheers
Oli
Programming languages don't create bad code, programmers create bad code....
Solved!
Hey Oli,
Background:
By default, NISE 3.5 and later use the DAQmx API (instead of IVI) to directly control switch modules. This is different from previous versions, which required setting up an IVI session for each NI Switch module. You can still use IVI with NI Switch modules in NISE 3.5 and later, but this is not the default behavior.
The KB Sebastian referenced lists three different upgrade paths to use exported IVI Virtual devices in NISE 3.5 and later. As you've discovered, NISE 2.1 has fewer export formats, so we'll need to take the following steps:
Assumptions:
You have virtual devices created in NISE 2.1 (file format doesn't matter).
IVI Sessions and Logical names haven't been setup on your NISE 3.5 machine:
Action items:
Create IVI sessions and logical names. You could manually create the IVI sessions (as mentioned in the KB), but there's a MUCH easier method:
Right click on the NISE Virtual Devices tab and select 'Create New':
Click the 'auto create IVI devices' button. A dialogue will pop up... just click yes:
The NISE Create Virtual device window should now look like this:
Notice that we now have IVI devices. Sweet! So now just click cancel (yes, cancel)... we only used this dummy virtual device to simplify the IVI creation process.
If you look in MAX, it'll appear as if there still aren't any IVI devices:
Fear not, all we need to do is refresh. To do this, hit F5, and voila!:
So now all you need to do is change the IVI Logical name to whatever your old IVI Logical name was and then import as normal.
At this point, you should be operational using IVI devices in NISE 3.5 (if not, post up). If you'd like to go one step further and upgrade to purely DAQmx calls, just follow the steps in the 'Upgrading from IVI to NI-DAQmx' section. Note that once you've upgraded to DAQmx, you'll only be able to use exported Virtual devices with NISE 3.5 and later.
Have a great day!
-John Sullivan
Analog Engineer
-
NAC Appliance Configuration Question
Hi,
I am building a new VPN implementation for a customer using a Cisco ASA 5550 and a NAC 3350 appliance. Due to the availability of switch ports, my customer is inquiring to see if the ASA can be cabled directly to the untrust interface on the CAS. I plan to implement the CAS in VGW mode.
If this is possible, how would the VLAN Mapping work in VGW with this implementation? Do I need to configure a trunk on the ASA to pass the VLAN tags to the CAS to MAP the untrust to the trusted VLAN?
Thanks for your assistance.
Thanks Jesse,
I do agree having this configuration will limit them on redundancy and most likely we will go with a switched approach. If we have both the untrusted and the trusted interfaces connected to the same switch with an edge deployment, do I need VLAN mapping configured or can the NAC bridge the two VLANs without the mapping? I suspect without mapping we would introduce loops.
Based on the examples I've seen on cisco.com with VPN concentrators, VLAN mapping is used with 4 VLANs: 2 are native VLANs, and an untrusted and a trusted VLAN - this was the same approach I was going to use. Also note that the ASA will not be used for Internet access, only VPN. See the image below - the ASA would connect to the switch as an access port on VLAN3. The customer's internal LAN would connect to VLAN2.
-
Dear Pros,
Could anyone suggest to me a solution on how to design the redundant NAC Server and NAC Manager and their configuration? We are in the process of implementing the redundant NAC config for the customer (2 x NAC Server + 2 x NAC Manager).
swami
Hi,
The heartbeat interface has to be on a switched network, not on a routed network, therefore if you have the primary appliance on one side and the secondary appliance on the other side of the building, make sure the interfaces are connected to the same VLAN belonging to the same VTP domain...
I hope this helps, please rate if it does...
Regards,
-
WLCM and NAC-NME configuration
Has anybody deployed WLCM and NAC-NME in the same ISR3800 box? What's the best practice and is there any configuration example?
The customer has a small site with one 3825; one WLCM (interface Integrated-Service-Engine1/0) and one NAC-NME (interface Integrated-Service-Engine2/0) are put in the 3825. GE0/0 of the 3825 connects to the internal L3 switch, GE0/1 connects to the internet. One WLAN has been configured in the WLCM (version 6.0.188) and will be protected by the NAC-NME (version 4.6.1).
It is said that the NAC-NME does not support OOB mode and can only work in In-Band mode. Since Real IP Gateway mode has a lot of limitations, can the NAC-NME be configured in In-Band Virtual Gateway mode? If yes, then how to set up a Layer 2 connection between the WLCM (interface Integrated-Service-Engine1/0) and the untrusted interface (external G 0) of the NAC-NME?
What I can think is:
let me assume the quarantined Vlan of this WLAN is 310, real Vlan is 311, both the NAC-NME's untrusted interface(external G 0) and GE0/0 of the 3825 are connected to a 3750E L3 switch's G1/0/1 and G1/0/2, untrusted interface management vlan is 304, trusted interface management vlan is 303, then I can configure:
1. For 3825:
interface GigabitEthernet0/0.310
 encapsulation dot1Q 310
 bridge-group 1
interface GigabitEthernet0/0.311
 encapsulation dot1Q 311
 bridge-group 2
interface Integrated-Service-Engine1/0.310
 encapsulation dot1Q 310
 no ip address
 bridge-group 1
interface Integrated-Service-Engine1/0.311
 encapsulation dot1Q 311
 no ip address
 bridge-group 2
bridge 1 protocol ieee
bridge 2 protocol ieee
2. For 3750E:
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 304,310,311
 switchport mode trunk
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 310,311
 switchport mode trunk
But how to configure interface Integrated-Service-Engine2/0 of the 3825 which is connected to the trusted interface of the NAC-NME?
interface Integrated-Service-Engine2/0.303
 encapsulation dot1Q 303
 ip address x.x.x.x
interface Integrated-Service-Engine1/0.311
 encapsulation dot1Q 311
 ip address y.y.y.y
3. NAC-NME will configure VLAN mapping 310<-->311
I have not tested these configurations (I don't have access to the 3825 yet, will be able to access it next week), but I'm afraid that since GigabitEthernet0/0.311 of the 3825 has been configured as a bridge port, maybe Integrated-Service-Engine1/0.311 can't be configured as an L3 port.
Anything else that needs to be configured? Or is there any other better design and configuration example? Any input is highly appreciated!
You got a defective unit. Open a TAC case to get a replacement.