NAC with 6509

Hi All,
I've set up mac-notif on a 6509 chassis, but it doesn't send mac-notif to the NAC. In the agent, I got:
"OOB Error; connected device MAC not found".
Here is the config of the 6509:
snmp-server community privatecw121! RW
snmp-server community publiccw121! RO
snmp-server trap-source Vlan5
snmp-server enable traps snmp linkdown
snmp-server enable traps MAC-Notification move threshold
snmp-server host 192.168.12.250 publiccw121!
Any suggestion would be appreciated. It's kind of urgent.
Thanks,
Alex

Thanks Faisal,
Finally I got someone to connect to the console port and fix it.
I noticed that when I add a static route to the CAS through the GUI and then run the command "route" on the CAS, it doesn't show that static route. Is this normal? Do I need to enter the static route through the CLI instead of the GUI?
Thanks a lot,
Alex
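As an added example (not code from the original post), a small Python parser for the cmnHistMacChangedMsg payload that a Cisco MAC-notification trap carries; the 11-byte record layout (operation, VLAN, MAC, dot1dBasePort) is assumed from the CISCO-MAC-NOTIFICATION-MIB description, and the sample payload is constructed. Running something like this against what the CAM actually receives shows whether the switch reported the client's MAC at all, which is the condition behind the "connected device MAC not found" error.

```python
import struct
from dataclasses import dataclass

RECORD_LEN = 11                      # one MAC-change record, per CISCO-MAC-NOTIFICATION-MIB (assumed layout)
OPERATIONS = {1: "learnt", 2: "removed"}


@dataclass
class MacChange:
    operation: str
    vlan: int
    mac: str
    port: int                        # dot1dBasePort index of the switch port


def parse_mac_changed_msg(payload: bytes):
    """Split a cmnHistMacChangedMsg octet string into MacChange records.
    Assumed record layout: op(1) vlan(2) mac(6) port(2), all big-endian."""
    if len(payload) % RECORD_LEN:
        raise ValueError(f"payload length {len(payload)} is not a multiple of {RECORD_LEN}")
    records = []
    for off in range(0, len(payload), RECORD_LEN):
        op, vlan, mac, port = struct.unpack("!BH6sH", payload[off:off + RECORD_LEN])
        records.append(MacChange(OPERATIONS.get(op, f"unknown({op})"), vlan, mac.hex(":"), port))
    return records


def learned_macs(records, vlan=None):
    """MACs the trap reports as learnt, optionally only on one VLAN; this is the
    information the CAM needs before it can tie a device to a port for OOB."""
    return {r.mac for r in records if r.operation == "learnt" and vlan in (None, r.vlan)}


def record(op, vlan, mac_hex, port):
    """Build one 11-byte record (used only to construct the sample payload below)."""
    return struct.pack("!BH6sH", op, vlan, bytes.fromhex(mac_hex), port)


# Constructed sample: one MAC learnt and another removed, both on VLAN 5, port index 7.
SAMPLE_PAYLOAD = record(1, 5, "001122aabbcc", 7) + record(2, 5, "0011223344ff", 7)

if __name__ == "__main__":
    for r in parse_mac_changed_msg(SAMPLE_PAYLOAD):
        print(r)
```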

Similar Messages

  • NAC with Linux client

    Hi,
    I have some Linux clients. When they connect to the trusted network for the first time, they are redirected to the NAC login page and are required to download the Java runtime. I set policies so that Linux clients can download Java and install it, but after that, the web browser (Firefox) on the Linux client still does not allow the NAC login page to be loaded.
    What is the root cause in this case?
    Can anyone help me?
    Best regards,
    NamNT

    Folks, the problem is due to the fact that there are no web agents available for Linux at this time. You need to create a new user page for Linux with all Java options disabled (such as the one for MAC address checking, IP address refresh etc.). Make this user page the top of the list. Also, under Clean Access requirements, make sure 'require use of web agent' is disabled for Linux. This way, there will be web redirection and authentication only for Linux clients (no posture possible for Linux).
    Thanks,
    Mani

  • NAC with dialup

    Hi.
    Has anyone set up NAC on IOS for dialup?
    I am trying to authenticate users via PPP, then do posture validation.
    I have set up 3 profiles, trying to filter on aaa:service=ip-admission and service-type!=10.
    This works fine with ACS but not with IOS.
    Any ideas would be appreciated.

    Hi Danielnunes,
    Thank you for your suggestion.
    @Faisal,
    I need to configure severity instead of Cisco rules but am having a performance issue. I did as per the blog but nothing happened. Could you please suggest what I should do for better performance?
    Thank you,
    Laxman

  • NAC with OOB and Wireless 802.1x

    Has anybody any experience with integrating NAC OOB and 802.1x?
    I have seen that there are some issues with it.

    Working pretty well.
    Check this out:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

  • IPS 4270 with 6509 VSS in Promiscuous mode

    Dear all,
    I am trying to figure out how to configure 2x IPS 4270 in promiscuous mode with a Cisco 6509 VSS:
    I have attached the LLD core datacenter design including the IPS physical placement in my network.
    The following points are my concerns in this design:
    Shall I connect each of the IPS 4270s into VSS Chassis A and B, or do I keep each IPS connected to a different chassis? (Considering the SPAN port configuration on the VSS, and whether I could encounter an asymmetric routing issue or not.)
    Can I use Etherchannel in either case (keep in mind it's promiscuous mode)? That means the destination interface on the VSS will be an Etherchannel interface, but does the Cisco IPS 4270 support Etherchannel while in promiscuous mode?
    I really appreciate your input on this matter guys.
    Cheers
    Mohammed Khair

    Hi,
    1. You can connect each IPS into Chassis A and B; that is not a problem. But while configuring RSPAN, the monitor sessions from A to B and B to A should monitor both VLANs (I mean RSPAN A and B, and vice versa, in your config; then it will give both outputs even if the connectivity between the IPS and one chassis fails).
    2. IPS supports Etherchannel while in promiscuous mode as well.

  • Cisco NAC with VPN Concentrators

    Looking at the deployment guidelines for NAC integration with VPN Concentrators:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
    Is it possible to define traffic which is exempt from NAC enforcement, for example traffic associated for LAN-to-LAN VPNs?

    NAC enforcement does not work per traffic type. The following links may help you:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_addSrv.html
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_cca.html

  • NAC with NON-cisco wireless

    Hi there,
    I know that with WLC 5.1 and NAC 4.5, Cisco started to support OOB NAC implementation. Now here is my question:
    A customer has a Cisco environment except for the wireless, which is from another vendor. What are the options to bring wireless traffic into the NAC server? Is OOB deployment possible?
    Thanks,
    rdianat

    So what is the solution for this scenario?
    The remote site has a non-Cisco autonomous wireless AP. NAC is centralized. I cannot use OOB since there is no support for non-Cisco APs in OOB mode. As a result I use In-Band mode. This means that local wireless traffic in the remote site must travel to the central site, go through the NAC Server and go back to the remote site. Is this correct?

  • IPS 4255 with 6509/FWSM

    Is it possible to use a 4255 IPS inline on a 6509 with an FWSM?
    For example say the FWSM has 20 vlans with servers on them, is it possible to put it inline between the different vlans? Would vlan pairs work for this or vlan groups?

    You can use both vlan-pairs and vlan-groups in this scenario. In my opinion the vlan-pair setup is simpler than the vlan-group setup, so I would look into that first.
    Here is a link describing the system with more than one sensor to scale the bandwidth:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml
    It's about an older version and has missing images, but it still shows the concept of a "sensor on a stick".
    Sent from Cisco Technical Support iPad App

  • Port Channel 5548 with 6509

    My company just purchased a Nexus 5548. I've been fooling around with the configurations and just getting familiar with this equipment. I've already configured a port channel using 2 10gig ports on our 3850 and it's working fine.
    Now, I'm trying to configure a second port channel with our 6509 1gig ports. The ports come up, but I cannot communicate between these 2 devices.
    "show cdp neighbors" shows the other device. "show etherchannel summary" is blank.
    This is the config on the 6509:
    interface Port-channel22
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface GigabitEthernet9/7
      switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-group 22 mode on (I also tried using Active and desirable)
    Config on the 5548:
    interface Port-Channel 2
    switchport
     switchport mode trunk
     speed 1000
    interface ethernet1/32
     switchport mode trunk
     speed 1000
     channel-group 22 mode on
    I also have feature lacp, interface vlan and vlan dot1q tag native enabled.
    Any ideas why I cannot communicate between these devices?

    This is what is showing on the 5548:
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-SPEED: Interface Ethernet1/32, operational speed changed to 1 Gbps
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_DUPLEX: Interface Ethernet1/32, operational duplex mode changed to Full
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface Ethernet1/32, operational Receive Flow Control state changed to off
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface Ethernet1/32, operational Transmit Flow Control state changed to off
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-SPEED: Interface port-channel2, operational speed changed to 1 Gbps
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_DUPLEX: Interface port-channel2, operational duplex mode changed to Full
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface port-channel2, operational Receive Flow Control state changed to off
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface port-channel2, operational Transmit Flow Control state changed to off
    2015 Mar 18 08:18:09 DC-5548-01 %ETH_PORT_CHANNEL-5-PORT_UP: port-channel2: Ethernet1/32 is up
    2015 Mar 18 08:18:09 DC-5548-01 %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel2: first operational port changed from none to Ethernet1/32
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_UP: Interface Ethernet1/32 is up in mode trunk
    2015 Mar 18 08:18:09 DC-5548-01 %ETHPORT-5-IF_UP: Interface port-channel2 is up in mode trunk
    My 6509 does not show anything. Now when I do a "show etherchannel summary" on the 6509, the protocol is LACP.
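An added example, not code from the original post: a Python check that parses the two port-channel snippets and flags the inconsistency visible above, where ethernet1/32 on the 5548 is in channel-group 22 while the logical interface defined is port-channel 2, plus a table of which channel-group modes will actually bundle between two ends. The config strings are constructed to mirror the posted configs; the IOS/NX-OS interface-name normalisation is this example's own.

```python
import re
from collections import defaultdict

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*(\d+)?", re.I)
CHANNEL_RE = re.compile(r"^channel-group\s+(\d+)\s+mode\s+(\S+)", re.I)
# Mode pairs that bundle across a link: "on" only with "on", LACP active/passive, PAgP desirable/auto.
COMPATIBLE_MODES = {("on", "on"), ("active", "active"), ("active", "passive"), ("passive", "active"),
                    ("desirable", "desirable"), ("desirable", "auto"), ("auto", "desirable")}


def parse_interfaces(config):
    """Map each 'interface X' stanza to its lower-cased sub-commands; 'Port-channel22' and 'port-channel 2' normalise to 'port-channelN'."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = ifaces.setdefault((m.group(1) + (m.group(2) or "")).lower(), [])
        elif line and current is not None:
            current.append(line.lower())
    return ifaces


def check_device(config):
    """Flag members whose channel-group has no port-channel interface, empty port-channels, and trunk/access mismatches in a bundle."""
    ifaces, members, problems = parse_interfaces(config), defaultdict(list), []
    for name, lines in ifaces.items():
        for m in filter(None, map(CHANNEL_RE.match, lines)):
            members[int(m.group(1))].append((name, m.group(2)))
    for group, mems in sorted(members.items()):
        po = f"port-channel{group}"
        if po not in ifaces:
            problems += [f"{n}: channel-group {group} but no 'interface {po}' defined" for n, _ in mems]
            continue
        for n, _ in mems:
            if ("switchport mode trunk" in ifaces[n]) != ("switchport mode trunk" in ifaces[po]):
                problems.append(f"{n}: switchport mode differs from {po}")
    for name in ifaces:
        if name.startswith("port-channel") and int(name[12:]) not in members:
            problems.append(f"{name}: no member interface has 'channel-group {name[12:]}'")
    return problems


def modes_compatible(local_mode, remote_mode):
    return (local_mode.lower(), remote_mode.lower()) in COMPATIBLE_MODES


# Constructed snippets mirroring the two configs posted above (trimmed to the relevant lines).
CAT6509_CFG = """interface Port-channel22
 switchport mode trunk
interface GigabitEthernet9/7
 switchport mode trunk
 channel-group 22 mode on"""
NEXUS5548_CFG = """interface port-channel 2
 switchport mode trunk
interface ethernet1/32
 switchport mode trunk
 channel-group 22 mode on"""
```

The same table explains the follow-up observation that the 6509 reports protocol LACP: "active" on one end and "on" on the other is not a bundling pair.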

  • Replacing 7206VRX with 6509-E, Sup2T

    We are planning to implement a 6509-E with two Sup 2Ts and a few 48-port switches. We also want to make this the router for our network and replace the 7206VRX.
    Any advice on this would be helpful.
    Thanks in advance!

    Depending on the line card you have, you need to find out what ingress & egress queue structure it will support.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/qos_policy_based_queueing.html#wp1005968
    If it is any of the below cards, it will support 2q8t ingress & 1p3q8t egress direction:
    (WS-X6848-TX-2T, WS-X6748-GE-TX, WS-X6848-SFP-2T, WS-X6748-SFP, WS-X6824-SFP-2T, WS-X6724-SFP)
    Since you are using a Gig port on the Sup2T itself, it has "Transmit is 1p3q4t and receive is 2q4t", as you already found.
    As you can see there is no PQ in the ingress direction for any of these. The priority queue is only available in the egress direction; it will be Queue #4 (for 1p3q4t) or Queue #8 (for 1p7q8t).
    Below are two examples:
    CR01#sh queueing interface g6/1  [for VS-SUP2T-10G]
    Interface GigabitEthernet6/1 queueing strategy:  Weighted Round-Robin
      Port QoS is enabled globally
      Queueing on Gi6/1: Tx Enabled Rx Enabled
    Trust boundary disabled
      Trust state: trust COS
      Trust state in queueing: trust COS
      Extend trust state: not trusted [COS = 0]
      Default COS is 0
        Queueing Mode In Tx direction: mode-cos
        Transmit queues [type = 1p3q4t]:
        Queue Id    Scheduling  Num of thresholds
           01         WRR                 04
           02         WRR                 04
           03         WRR                 04
           04         Priority            01
    CR01#show queueing interface t4/1 [for WS-X6816-10GE ]
    Interface TenGigabitEthernet4/1 queueing strategy:  Weighted Round-Robin
      Port QoS is enabled globally
      Queueing on Te4/1: Tx Enabled Rx Enabled
    Trust boundary disabled
      Trust state: trust COS
      Trust state in queueing: trust COS
      Extend trust state: not trusted [COS = 0]
      Default COS is 0
        Class-map to Queue in Tx direction
        Class-map           Queue Id
        VOIP-TRAFFIC              8
        NETWORK-CONTROL           7
        MULTIMEDIA-TRAFFIC        6
        CRITICAL-DATA             5
        BULK-DATA                 4
        SCAVENGER                 3
        class-default             1
        Queueing Mode In Tx direction: mode-dscp
        Transmit queues [type = 1p7q4t]:
        Queue Id    Scheduling  Num of thresholds
           01         WRR                 04
           02         WRR                 04
           03         WRR                 04
           04         WRR                 04
           05         WRR                 04
           06         WRR                 04
           07         WRR                 04
           08         Priority            01
    Through service-policy configuration you map which traffic needs to go to the priority queue and to the other queues. Below is an example of this mapping (taken from the Sup2T QoS at-a-glance document).
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • NAC with CA

    Is it necessary to use a CA with NAC?
    If we do not use it, what is the impact on the users?
    Can we deploy without a CA without any problems?

    Talha,
    Yes, it's possible to deploy NAC without a CA. You can use self-signed certs, or get a cert from a third-party vendor (Verisign or GoDaddy etc.).
    HTH,
    Faisal

  • NAC with security rtr

    Hello,
    We want to implement a NAC solution for people dialing from home to HO and then going to the internet via our internet router.
    This router contains the security feature and is NAC enabled (we can see this from the web interface).
    However, one Cisco partner suggests using a Clean Access Server and not the security router.
    Is there any advantage of using Clean Access Servers, or a limitation of the security rtr?
    Note: we only need to check for Windows updates and antivirus updates when computers access the internet.

    Well, both NAC Framework (NAC on your router) and NAC Appliance (Clean Access Server) will work. You can dial via PSTN/ISDN or via VPN using the Cisco VPN Client. Also, you can purchase the NME-NAC-K9 module for your router and it will work like a Clean Access Server.
    To use NAC Framework you'll also need Cisco Secure Access Control Server (CS ACS) 4.0+ (4.1). This is a commercial RADIUS server and isn't cheap.
    Also, to check for antivirus updates your antivirus product must be supported by either NAC Framework or Appliance. For a list of supported products take a look at:
    http://www.cisco.com/go/nac
    http://www.cisco.com/web/partners/pr46/nac/partners.html (NAC Framework)
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/416/416rn.html (NAC Appliance)
    For NAC Framework you'll need to integrate vendor .dlls into the Cisco Trust Agent (for all of your antivirus vendors!), then distribute CTA to all user PCs using some out-of-band mechanism (not an easy task). CTA is a must for NAC Framework.
    NAC Appliance automates this. This is a self-contained product (no .dlls). Clean Access Agent can check supported antivirus products by itself. It can be installed onto PCs via some out-of-band mechanism or downloaded from the Web Login page. Also, Java / ActiveX agent is supported and can check your PC for compliance as well.
    Checking for the Service Pack number isn't difficult in both products. However, to check for Windows Hotfixes you'll have to create complex rules in NAC Framework. When a new hotfix is released by Microsoft you'll have to change your rules manually (not easy). NAC Appliance automates this. It can download rules from the Cisco website. But you'll have to buy tech support for this.
    In general, configuring and maintaining NAC Framework is not an easy task. However, you can buy additional products, integrate them into the Framework and they will automate many things for you. This is not cheap and easy. NAC Appliance is self-contained. You'll not need anything else.
    HTH

  • NAC with Wireless LAN controller

    There are 10 VLANs coming out of wireless controller (trunk to L2 Switch).
    How do we implement NAC so that clients are forced to go to NAC instead of the L3 gateway?
    Thanks!
    Prasanna

    The CAS configuration guide will provide you more data related to your queries. Try configuring CAS, which will resolve the issue.
    Refer the Clean Access Manager Installation and Configuration Guide present in the following url:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/413_cam_book.html
    Refer the Clean Access Server Installation and Configuration Guide present in the following url:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cas/413_cas.html

  • NAC with EV SSL certs

    Does anyone know if the NAC appliance supports EV SSL certs, especially version 4.7.x?
    Any insight into older versions (4.1.3 and higher) for compatibility would be appreciated. Thanks!
    ben

    Hello! The higher key length is a problem on an older version (4.1.3), not on 4.7.x etc., where you can specify it. On 4.1.3 you cannot specify it and it's not strong enough.
    Ben

  • NAC with servers

    Hi All,
    We are deploying NAC 3310. The NAS is in OOB/RIP/L3. We have multiple servers in the network. All switch ports are controlled by NAC and are initially in the authentication VLAN. How can I filter servers so they are not inspected? Our IT guys move the cables connected to the servers to different ports over time. The problem is that when they move a cable from one port to another, the new port is in the authentication VLAN. Does NAC automatically change the VLAN when it sees that the server MAC address is in the filter list? If not, what is the best solution for this scenario?
    Any suggestion would be very much appreciated.
    Alex

    Alex,
    The best solution is the simplest one. Put your servers on a switch and don't manage it. If your Ethernet cables for the switches will move around, there's no way to tell the CAM not to NAC it.
    You could theoretically add the MAC addresses of the servers to the IGNORE list, but this is not a good solution, in my humble opinion.
    HTH,
    Faisal
