NAC vs 802.1x

Is there a document on CCO that compares Cisco NAC solution with 802.1X-based solutions?
Specifically: NAC use Cisco Clean Access Agent (CAA). What value (if any) does Cisco Trust Agent (CTA) and/or Cisco Secure Services Client (SSC) add? I hear that SSC 5.0 works with NAC now. It would be nice to find out an example scenario of how CAA, CTA, SSC and CSA can tie together.

Use the following documents.
802.1x Introduction
http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
Cisco NAC Appliance (Clean Access)
http://www.cisco.com/en/US/products/ps6128/prod_release_notes_list.html

Similar Messages

  • NAC-L2-802.1x with 7940 IP Phones and builtin switchport?

    Hi
    I've got the NAC Framework, NAC-L2-802.1x working in a test LAB with network hosts (PCs) connected directly to the L2 switch. In our production environment, we have Cisco 7940 IP phones on every desk, and the PCs connect to the switchport on the back of these phones. How would one configure NAC-L2-802.1x to work in a setup like this? I've done quite a bit of searching on Cisco and only found this reference to IP phones and NAC;
    IP Telephone and Device Mobility
    The computer connected to the PC port on an IP phone will get posture validated successfully.
    It does not help much...
    Thanks very much.
    Jason

    You have 2 choices:
    1) Ignore the phones based on CDP. You get this by just configuring 802.1X along with a VVID. Here's an example port config from a 3750:
    interface GigabitEthernet1/0/2
    description endpoints
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 200
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape 10 0 0 0
    queue-set 2
    mls qos trust device cisco-phone
    mls qos trust cos
    dot1x pae authenticator
    dot1x port-control auto
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 10
    The config above will allow a Cisco phone in "for free" just b/c it can do CDP.
    2) Authenticate IP phones via 1X or MAC-Authentication for phones that cannot support 1X. This would be the same config as above, with the addition of this line:
    dot1x host-mode multi-domain
    And if your IP phone cannot do 1X (for example the 7940 cannot) then you'll need to check its MAC for entry into the network by adding this line:
    dot1x mac-auth-bypass
    Hope this helps,

  • NAC Framework - NAC-L2-802.1x without CSSC client?

    Hi
    I'm just wondering if it is possible to do NAC-L2-802.1x without the use of the CSSC client? I've managed to get this working with the CSSC client with no problems, but have been having nothing but problems trying to get this working without. This client software is pretty expensive and if it is possible to get around using it, that'd be great. Thanks for any info.
    Jason

    You can do 802.1x without CSSC, you cannot support remediation without it however. 802.1x by itself allows you authentication, and dynamic VLAN assignment.

  • NAC Framework NAC-L2-802.1x with Wireless AP1242AG?

    Hi
    Can anyone provide some info on setting up NAC-L2-802.1x with a Wireless AP1242AG (not using the NAC Appliance, but the Framework). I can't seem to find the equivalent dot1x port control auto commands on the access-point. Thanks
    Jason

    NAC assesses the state, or posture, of a host to prevent unauthorized or vulnerable endpoints from accessing the network. Enforcement is performed through an authorization policy that is centrally defined on a single ACS server or delegated to multiple NAC posture validation servers.

  • NAC L2 802.1x (wireless)

    Can somebody advise me where I can find information about configuring NAC L2 802.1x on wireless AP 1200 series? Or can somebody show me an example configuration file? I have found a configuration guide only about wired solutions (configuring NAC L2 IP and NAC 802.1x on a switch).
    Thank you in advance!

    For NAC implementation with wireless access points, the implementation is the same as the switch wired Layer 2 802.1x implementation for network admission control. The only difference is that you will need to use a third party NAC-enabled supplicant such as Meetinghouse for your wireless devices.
    sample config on AP
    aaa new-model
    aaa authentication eou default group radius
    aaa session-id common
    radius-server host 10.100.100.100 auth-port 1645 acct-port 1646
    radius-server key cisco123
    ! Enable VSAs
    radius-server vsa send authentication
    ip radius source-interface FastEthernet0/0
    ! Define NAC policies
    ip admission name NAC-L2-IP eapoudp
    ip admission name NAC-L2-IP-Bypass eapoudp bypass
    ! Define NAC trigger ACL, routers only
    ip admission name NAC-L3-IP eapoudp list EoU-ACL
    ip access-list extended EoU-ACL
    ! allow DNS to bypass NAC
    deny udp any any eq domain
    ! allow HTTP to the remediation host to bypass NAC
    deny tcp any host 10.100.100.101 eq www
    ! all other traffic triggers posture validation
    permit ip any any
    ip access-list extended Interface-ACL
    ! permit EAPoUDP
    permit udp any any eq 21862
    ! permit DHCP
    permit udp any eq bootpc any eq bootps
    Refer to these links:
    http://www.cisco.com/en/US/netsol/ns617/netbr0900aecd80355b2f.html
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a0080606cbe.html#wp1072071

  • NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???

    Hi
    I'm trying to setup my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is;
    Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
    Cisco 1811 router (inter-vlan routing)
    Cisco Secure ACS (90 day trial) 4.2
    CTA 2.1.103
    CSSC 5.1.0.39
    Windows XP SP3 client machine
    So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch as I have it set up for login authentication, which works just fine. I am completely stumped and the only thing I can think of is trying to install a full certificate server and going that way, instead of the self-signed cert which CSACS has generated; I've copied the .cer file to the client, installed it and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
    Jason
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    Client port:
    interface FastEthernet0/1
    switchport mode access
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x reauthentication

    You can refer to the below URLs for future reference:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

  • Disabling NAC from 802.1x wired access authentication

    Hi all,
    I would like to disable NAC policy control from my ACS 4.0.
    I would like only 802.1x AAA on my switch ports.
    Also I'd like to assign a different VLAN to different MAB devices by RADIUS user attribute, in order to differentiate vlan for printers, clocks and so on.
    can anybody help me or suggest me a document for ACS 4.0?
    Thanks
    Johnny

    Hello,
    I would like to disable NAC policy control from my ACS 4.0.I would like only 802.1x AAA on my switch ports.
    Not sure what you mean by this... Can you give more details about it?
    Also I'd like to assign a different VLAN to different MAB devices by RADIUS user attribute, in order to differentiate vlan for printers, clocks and so on.
    For this, you can separate the different devices per user groups, ie have one group for the printers, another for clocks, etc.
    Then you can configure each group with the needed RADIUS attributes to do vlan assignment:
    - 64 Tunnel-Type => VLAN
    - 65 Tunnel-Medium-Type => 802
    - 81 Tunnel-Private-Group-ID => "Vlan number"
    I hope this helps.
    Best regards,
    Bernardo

  • NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

    Hi!
    (Sorry, if this is a wrong forum.)
    Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
    I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
    Access-Requests with User-Name="anonymous"
    Access-Challenges (I see certificate is sent from ACS)
    Access-Reject
    CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
    So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
    The following is excerpt from the CS ACS documentation:
    "EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
    SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
    So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have a working configuration for EAP-FAST in a wired network?
    Any help is greatly appreciated.

    Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
    POD1-SW#sh run int fa1/0/1
    Building configuration...
    Current configuration : 378 bytes
    interface FastEthernet1/0/1
    switchport access vlan 999
    switchport mode access
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x timeout tx-period 10
    dot1x reauthentication
    dot1x critical
    dot1x critical recovery action reinitialize
    dot1x guest-vlan 91
    dot1x critical vlan 11
    spanning-tree portfast
    end
    After all the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
    Thx.

  • NAC L2 802.1X: Windows Logon Problem

    Using CTA 4.0.2, ACS SE 4.x, and Windows AD the following occurs:
    1. When logging in to Windows XP using a Local Account, CTA prompts its login. I can then put in the AD account. This process works!
    2. When logging in to Windows XP using an AD Account, the error msg "domain xyz is not available" appears, so the CTA prompt never comes up.
    3. When logging in to Windows XP using a "CACHED" AD Account, CTA prompts its login. I can then put in the AD account. This process works also!
    4. Using Single Sign-on with "Never Validate Server", #2 and #3 occurred.
    Any input is very appreciated. Cisco TAC has been notified.
    thanks,
    Audie
    703-292-5316

    Hi all,
    I have the exact same problem.
    I have just upgraded my ACS to 4.1 but that didn't help with the problem.
    You write "CTA 4.0.2"....I suppose you mean 2.0.x ?
    Did you guys do anything extra on the ACS to get this to work ?
    Kind regards
    KDam

  • NAC 802.1x: VLAN assignment via RADIUS

    I'm deploying an 802.1x NAC solution. Users authenticate OK but the VLAN is not assigned to the port.
    The RADIUS server sends the attributes to the NAD (switch 3560). I see the following lines in the radius debug output:
    02:49:08: RADIUS: Received from id 1645/4 192.168.1.1:1645, Access-Accept, len 267
    02:49:08: RADIUS: authenticator AB 90 94 95 D0 86 04 E5 - D3 AC 43 21 C0 31 29 EB
    02:49:08: RADIUS: Session-Timeout [27] 6 3600
    02:49:08: RADIUS: Termination-Action [29] 6 1
    02:49:08: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
    02:49:08: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
    02:49:08: RADIUS: Tunnel-Private-Group[81] 10 01:"healthy"
    02:49:08: RADIUS: Vendor, Cisco [26] 29
    02:49:08: RADIUS: Cisco AVpair [1] 23 "posture-token=Healthy"
    I suppose that the error appears because the attributes 64 and 65 are "Unsupported". Is it right?
    In RADIUS server I configure:
    attribute 64 = VLAN (13)
    attribute 65 = 802 (6)
    Below I attach switch configuration. The "healthy" vlan is configured in this one.
    Any help would be appreciated.
    Thanks and regards.
    Martín.

    I changed the IOS and all works fine. The IOS must have the feature "NAC - L2 IEEE 802.1x".
    Another user has the same problem; he posted the question with the following subject: "NAC L2 802.1x VLAN assignment". In that question the problem is better described.
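    The reply above (and Bernardo's attribute list in the ACS 4.0 thread) boil down to one check: the Access-Accept must carry Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6) and Tunnel-Private-Group-ID, and the switch must actually decode them. The script below is an added example, not code from the thread or from Cisco: it parses IOS `debug radius` lines (the posted ones, plus a constructed copy of what a supporting image prints) and reports why a VLAN would not be applied.

```python
"""Check an IOS 'debug radius' Access-Accept for the three attributes a
switch needs to put an 802.1X/MAB port into a VLAN (RFC 3580 style):
Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID.
Added example, not from the thread; the debug line format is IOS's."""
import re

# "name [num] len value"; IOS prints an optional tag prefix such as "01:".
ATTR_RE = re.compile(
    r'RADIUS:\s+(?P<name>[A-Za-z-]+)\s*\[(?P<num>\d+)\]\s+\d+\s+'
    r'(?:(?P<tag>\d{2}):)?(?P<value>.*)$'
)
EXPECTED = {64: ("Tunnel-Type", 13), 65: ("Tunnel-Medium-Type", 6)}


def parse_attrs(debug_text):
    """Return {attr_number: (tag, value_text)} for one Access-Accept."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[int(m.group("num"))] = (m.group("tag"), m.group("value").strip())
    return attrs


def check_vlan_assignment(debug_text):
    """Return (ok, findings). ok is True only when 64/65/81 are present,
    decode to VLAN/802, and share the same tag (or are all untagged)."""
    attrs = parse_attrs(debug_text)
    findings = []
    for num, (name, want) in EXPECTED.items():
        if num not in attrs:
            findings.append(f"missing {name} [{num}]")
            continue
        tag, value = attrs[num]
        # The numeric enum in brackets is what the server sent; "Unsupported"
        # is the switch saying it does not decode the attribute (the thread's
        # fix was an IOS image with the NAC-L2-802.1x feature), so report it
        # separately from a wrong value.
        enum = re.search(r'\[(\d+)\]', value)
        if enum is None or int(enum.group(1)) != want:
            findings.append(f"{name} is {value!r}, expected enum {want}")
        elif value.startswith("Unsupported"):
            findings.append(f"{name} not understood by this IOS image")
    if 81 not in attrs:
        findings.append("missing Tunnel-Private-Group-ID [81]")
    else:
        tags = {attrs[n][0] for n in (64, 65, 81) if n in attrs}
        if len(tags) > 1:
            findings.append("tag mismatch across 64/65/81: "
                            f"{sorted(t or '-' for t in tags)}")
    return (not findings, findings)


def vlan_name(debug_text):
    """The VLAN name/number the server asked for, without quotes, or None."""
    attrs = parse_attrs(debug_text)
    return attrs[81][1].strip('"') if 81 in attrs else None


# Lines as posted in the thread (switch image without the NAC-L2-802.1X feature).
POSTED = """\
02:49:08: RADIUS: Received from id 1645/4 192.168.1.1:1645, Access-Accept, len 267
02:49:08: RADIUS: Session-Timeout [27] 6 3600
02:49:08: RADIUS: Termination-Action [29] 6 1
02:49:08: RADIUS: Tunnel-Type [64] 6 01:Unsupported [13]
02:49:08: RADIUS: Tunnel-Medium-Type [65] 6 01:Unsupported [6]
02:49:08: RADIUS: Tunnel-Private-Group[81] 10 01:"healthy"
"""
# Constructed: the same Accept as decoded by an image that supports the feature.
FIXED = (POSTED.replace("Unsupported [13]", "VLAN [13]")
               .replace("Unsupported [6]", "ALL_802 [6]"))

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("after IOS upgrade", FIXED)):
        ok, findings = check_vlan_assignment(text)
        msg = f"OK, VLAN {vlan_name(text)}" if ok else "; ".join(findings)
        print(f"{label}: {msg}")
```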

  • Macintosh clients, 802.1x and NAC.

    I'm prototyping a NAC setup which has to cater for Macintosh clients as well as Windows. I can get the Macs to authenticate via 802.1x (surprisingly easy using the built-in software!) but what I can't do is set up a Posture Validation Rule to identify that the client is a Mac and not a Windows machine. I've tried using the Cisco:PA:OS-Version condition set specifying "contains" MAC. I've also tried "contains" 10 but it doesn't work. I think it probably doesn't work as the condition set depends on the CTA being installed on the Mac, which it isn't (and it's not an option either).
    EDIT: Anyone tried installing the CTA on a MAC? It's horrific. Extract the files and run the install, OK so far. It then puts the config ini file in a directory no user (not even Admins) has permissions to so you can't modify it and BOY do you need to modify it!
    Any ideas?

    I'm on the home straight with this one. Essentially, to get the CTA to work using the built-in 802.1x supplicant on Windows or MacOS you need to run a mix of NAC L2 IP and NAC L2 802.1x. This requires a little extra config on the switch but nothing tragic (it's all in the NAC Framework Configuration Guide).
    The reason for this is that the CTA requires a network channel to be open so it can run EAP over UDP (EOU) to do posture validation, and the 802.1x part of the process gets the machine onto the network so the CTA can do its stuff.
    With this setup in place and the CTA properly configured (as mentioned previously, the permissions setup on the Mac created by the CTA install makes this far more difficult than it should be) the process works pretty well: popup messages work, browser launch and URL redirection work. Looks good.
    The fly in the ointment is wireless. The freebie CTA doesn't support it, no way. For a PC the answer is to buy the Cisco Secure Services Client, which does support wireless, and (I think) run that alongside the CTA (haven't fully worked this one out yet). If you have a wireless Mac, you're stuffed. Simple as that, which from my point of view is a real pain as the customer I'm developing this for wants posture validation for PCs and Macs, wired and wireless.
    Hope this helps someone somewhere avoid a little pain! : )

  • NAC Framework with TrendMicro Policy Server? External Posture Assessment?

    Hi
    I've got a NAC Framework 2.1 setup using NAC-L2-802.1x with 2950 switches and so far it's working great. I've recently begun testing NAC with TrendMicro OfficeScan, which includes the Trend Policy Server for Cisco NAC.
    I've imported the Trend.adf file, created a new Internal Posture Validation to check these TrendAV settings (DAT version, protection enabled, etc) and it is working great with the clients. (Healthy if up to date, quarantined if out of date).
    What I'm trying to do is get this integrated with the Trend Policy Server for Cisco NAC. I've created an External Posture Validation entry for the Trend Policy Server;
    https://win2k3std:4343/antibody
    And have supplied it with the password (no username is needed to login to the web console of this server). I've also selected Trend:AV as the forwarding credential. I've gone into Network Access Profiles and made sure this was selected as an External Posture Validation Server and set it to quarantine under "Failure Posture Token". When I test this from the client (once I've enable External Posture Validation), it always ends up quarantined (even though the client is fully up to date). If I disable the External Posture Validation server from the NAP, the client test passes as Healthy (since all AV is up to date).
    I've got the Policy Server for Cisco NAC defined under NAC on my Trend OfficeScan server, and on the Policy Server for Cisco NAC, I've got the OfficeScan server defined. Yet, no matter what I've tried, the client always fails with this msg in the CSACS logs;
    Posture Validation Failure on External Policy
    Does anyone have any experience or help with this. Thanks very much.
    Jason Humes

    Please check the links for the Configuration and Troubleshoot of NAC
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

  • 802.1x switches as intermediaries

    While viewing the documentation for configuring 802.1x on Cat Series switches, there is a statement to the effect that certain switches (Cat 2940 through Cat 3750) can be used as intermediaries. What does this really mean? Is this the edge switch itself as the intermediary between the client and the authentication server? Does it mean if I am using the Cat 4506, THEN I can use the intermediary switch between the 4506 and the client to "pass-through" the 802.1x request to the 4506? Surely this means that the intermediary switches cannot be used as the edge switch on their own?
    I am assuming from the documentation that whatever switch is being used as the edge switch is the intermediary between the client and the authentication server.
    Any enlightenment will be appreciated.
    Diana

    Q: Is this the edge switch itself as the intermediary between the client and the authentication server?
    A: Yes
    Q: Does it mean if I am using the Cat 4506, THEN I can use the intermediary switch between the 4506 and the client to "pass-through" the 802.1x request to the 4506?
    A: Not necessarily. You can directly use Cat4500 as intermediary.
    Q: Surely this means that the intermediary switches cannot be used as the edge switch on their own?
    A: No, you can use them both as edge and intermediary.
    For 802.1x, the intermediary devices can be Cat4000 series, Cat3550, Cat2950 or wireless AP. In other words, they are edge devices.
    The intermediary here means that the device will act like a proxy or 'middle-man' between the client device requesting access authentication (802.1x) and the authentication server, for example a Cisco ACS server.
    Basically, what happens is the switch will request credential information from the client (i.e. username/password), then forward the info to the ACS server. The ACS server will check & verify the ID, and will respond with a PASS or FAILED response to the switch. The switch, in turn, will grant or deny access to the client, based on the info/response.
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8c4.html#xtocid2
    http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800ddb0d.html#1133261
    For NAC Layer2 + 802.1x, devices that can act as intermediaries are Cat6500 (depend on IOS ver), Cat4500, Cat3750, Cat3560, Cat3550, Cat2960/2970/2955/2950/2940, C7600 series router, Cisco Gigabit Ethernet Switching Module (CGESM) switches.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_configuration_guide09186a00805764fd.html#wp1202047
    Hope this helps. Pls rate useful post(s).
    AK

  • Network Admission Control, 802.1x & Novell Clients to have a single login.

    Hi Sir,
    My customer would like to have OTP, if NAC and 802.1x come into the picture. At the moment, they are running Novell client for Windows version 4.9SP2 authenticating to a Novell LDAP server.
    How can NAC and 802.1x be integrated with one time password (OTP)? If not, what is the best alternative solution we can propose to them?

    With NAC Phase 1, which uses IOS Routers as the NAD, the Trust Verification occurs using EAP over UDP. User credentials are not part of the items passed by the CTA to the policy server. So however you log into the machine will be your authentication experience.
    With NAC Phase 2, which uses L2 switches as the NAD, the Trust Verification is planned to use EAP over 802.1x. The user will be authenticated and authorized by the switch by way of the ACS AAA server. The 802.1x supplicant that you use will dictate whether or not a single login occurs. Choices for supplicants include the embedded supplicant Microsoft offers and supplicants from 3rd parties, such as Funk.
    So you do not have to wait for NAC Phase 2 to take advantage of NAC today. While planning for NAC Phase 2, it would be a good idea to plan out your 802.1x strategy & even implement 802.1x to make sure it is ready to layer the NAC Trust Verification on top of it.
    Please let us know if you have any follow-up questions.
    thanks
    peter
    ps - pls rate these posts so we know if we have provided you with an answer that helps!

  • Configuring NAC Framework ( NAC-L3-IP ), any guides or help?

    So I've been doing some research on the NAC Framework and the various modes of operation. So far, I've gotten NAC-L2-802.1x working great and I'd like to add on the NAC-L3-IP on our edge routers/firewalls, but I can't find any guides detailing how to do so...everything says to see the "NAC Implementation Guide" which I can't find anyplace. Can anyone direct me to a NAC-L3-IP guide? Thanks very much.
    Jason

    Hi,
    below is the link; on the left-hand side you will find the tech docs.
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
    The below link also will help more.
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_cca.html
    Hope this helps.
    Regards
    pravin
