Scenario related to NAC server with high availability

Hello
I am looking for a good scenario related to a NAC server with high availability, mentioning how it works. How could the physical connection be made to each Core? What is the P-service?
Thanks for your time

Hi,
Here's the documentation regarding the HA setup:
http://www.cisco.com/en/US/customer/docs/security/nac/appliance/installation_guide/hardware/47/hi_ha.html
http://www.cisco.com/en/US/customer/products/ps6128/products_configuration_example09186a00808fbc0f.shtml
HTH,
Faisal

Similar Messages

  • Issue listening to queue from WebLogic Cluster server with multiple managed servers

    Having an issue listening to a queue from a WebLogic Cluster server with multiple managed servers.
    Weblogic Cluster structure is like
    Weblogic Cluster01
      --ManagedServer01(http://server01.myhost.com:7001)
      --ManagedServer02(http://server02.myhost.com:7001)
    JMS Servers
      JMSserver01 targeting: ManagedServer01
      JMSserver02 targeting: ManagedServer02
      JMSmodule
      ConnectionFactory01 targeting:JMSserver01,JMSserver02
      UDQueue01 targeting:JMSserver01,JMSserver02
    Uniform Distributed Queue in Monitoring tab showing like this
      mysystemmodule!JMSserver01@UDQueue01
      mysystemmodule!JMSserver02@UDQueue01
    So when I am sending messages to any host (by specifying the provider URL) it's distributing them equally on both servers, like
      mysystemmodule!JMSserver01@UDQueue01 10
      mysystemmodule!JMSserver02@UDQueue01 10
    But when I try to listen for messages from these queues, it listens on only one server, the one whose URL was given to connect.
      mysystemmodule!JMSserver01@UDQueue01 0
      mysystemmodule!JMSserver02@UDQueue01 10
    Until I connect to the other server by giving its URL, I will not be able to access the other messages left on the queue.
    Solutions that we tried
      1) We have tried giving both server URLs comma separated in the provider URL
    We need to configure the same scenario for 5 managed servers with 3 listeners on other servers.
    Does anyone have a solution for this?

    You need to have:
    1. Consumers connected to each UDQ member
    OR
    2. If no consumers in some of the members is expected, you can configure Forward Delay (specify the amount of time, in seconds, that a queue member with messages, but with no consumers, will wait before forwarding its messages to other queue members that do have consumers):
    http://docs.oracle.com/cd/E12839_01/apirefs.1111/e13952/taskhelp/jms_modules/distributed_queues/ConfigureUDQGeneral.html
    For example you can set it to 10 (10s)
    Additional Information here:
    http://docs.oracle.com/cd/E23943_01/web.1111/e13727/dds.htm#i1314228
    http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13951/mbeans/DistributedQueueBean.html?skipReload=true#ForwardDelay
    How Does JMS Load Balancing Work with Distributed Queues and Uniform Distributed Queues? (Doc ID 827294.1)
    I hope this helps
    Best Regards
    Luz

  • What happens when NAC Server License Exceeds ?

    Hi all,
    Got a simple question for which I could not find an explanation.
    I know that licensing is run by the endpoints which are in the Online User (posture assessed) list.
    Let's say I purchased a NAC server with 100 licenses. What happens if a client connects to the network as the 101st user? Is there a flexible licensing option as in other Cisco security products?
    Also, does anyone have any info about the licensing roadmap for Cisco NAC products, such as central management of licenses, license pools, etc.?
    Thanks in advance.
    Any comments appreciated.
    Dumlu

    Thanks a lot.
    You said "BPEL developer should make sure unique value is supplied for correlation..", but I am confused.
    Does "BPEL developer" mean the business process developer (process caller) or the BPEL engine developer (process runtime environment developer)?
    This afternoon I installed Oracle PM and did some tests. The BPEL server creates two process instances which have the same correlation data.

  • Wireless Guest with NAC Server

    Hi All,
    Does anyone know why a Sponsor can't create a guest account with a 1 month duration?
    It's a NAC running version 2.1 on an SNS-3415-K9.
    The current setup is WLC connected to NAC Server.
    Is it related to Account type?
    From the Account Type dropdown menu, you can choose one of the predefined options:
    Start End—Allows sponsors to define start and end times for account durations.
    From First Login—Allows sponsors to define a length of time for guest access from their first login.
    From Creation - Allows sponsors to define a length of time for guest access from the moment of account creation.

    When you say, "One MAC user" you mean every other client works except for this one MAC device? If other MAC devices work, then it must be something on the client device that is having issues. The only issue that I have run into is HTML code that might not be supported in certain browsers if you are running a custom webauth page.

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
    The second problem is more serious; refer to the documentation below from the configuration guide for guest NAC server v2. It states that hotspots can be used and the Authentication option would allow RADIUS authentication for guests. I’ve been told otherwise by Cisco and they say it can’t be done. Has anyone got RADIUS authentication working for guests?
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well I will try to answer your 2nd question.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guests.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

  • NAC server is not available on the network

    I am doing a rollout of ISE 1.1.1. I am using NAC agent 4.9.0.47 for posture checking Win7 x86 machines. Occasionally users are getting 'NAC server is not available.... try disconnecting and connecting to the network to start a new connection'. When I try to reproduce the issue it does not happen. It happens randomly here and there. What are the possible reasons for this issue? ISE is not getting the posture result, and the machine remains in the posture check 'unknown' stage. I am halfway through the rollout and it is stopping me from rolling out further. If anybody knows, please advise.

    Hi,
    I had the same issue and upgrading to 1.1.2 made the issue quiet down a bit. I have a few reported issues but haven't seen any in the past 2 weeks. Also, which supplicant is the client running, and do they see these on the laptops or machines that have both wired and wireless connections?
    The reason I ask is that the native Windows supplicant tends to connect to both networks (wired and wireless); this can cause some problems with the NAC agent if the link for the wired or "the lower metric route" flaps.
    The bug Cisco provided me is related to "CSCuc70607".
    Hope this helps,
    Tarik Admani
    *Please rate helpful posts*

  • NAC Server and NAC Manager installation

    Hi experts,
    When I've tried adding NAC Server to NAC Manager in CAM web management, it prompts: Failed to add server: Could not connect to 10.130.80.81
    Is there anything I can do for solving this?
    I'm new for NAC Manager and Server installation.
    The version using is 4.8.2
    BTW, I don't know how to generate SSL certificates (not temporarily) for installation, can anyone help also?
    Thanks in advance!
    Regards,
    Daniel

    Hi Daniel,
    This is related to the certificate issue.
    Just generate a temp certificate in NAM and NAS.
    Export the certificate along with the key and store it in a different location.
    Then in the SSL option there is trusted certificate authority.
    Load the NAS certificate in NAM and the NAM certificate in NAS, then try to configure or add NAS to NAM.
    It will work.

  • Three NAC server deployment

    Hello guys,
    Could you suggest a workaround to bypass the HA limitation of only two NAC servers. 
    The problem is we already had two NAC guest servers in active/active mode but now we have a third one at a new branch, which would need to share the same user DB.
    Is there a way to replicate the data from the cluster to this remote NAC server?
    The idea is to achieve a scenario like working with multiple ACS servers distributed worldwide and sharing the same user data.
    Thanks,
    Lucas

    Hi,
    Assuming the CAM has failed, the CAS would allow all traffic from the AUTH VLAN to the ACCESS VLAN. Since the CAM has failed, the switchports which are not in the AUTH VLAN would behave per the rules/ACLs on the VLAN they're in and won't get flipped over.
    HTH,
    Faisal

  • I am using the "G Web Server" with Bridgeview 2.1. The problem I am having is that I have to

    restart the web server once every 2 to 3 days, or the web pages don't show the vi (images). Any ideas to troubleshoot? I don't know if the problem is related to my workstation hardware or a setting that needs to be tweaked on the G Web Server. Thank you. I am using a Pentium 233 machine / Win 95. The PLC I am collecting info from is a GE Fanuc Series 9030 (?). Ethernet connection.

    Hi,
    We are using the G Web Server with LabVIEW on a WinNT 4 machine. Up to now this works fine. Therefore I would recommend you choose a more stable OS.
    Maybe you can try to programmatically restart the server every 2 days. Within LabVIEW you would do this by running "HTTP Server Control.vi". Unfortunately all connections will be closed, so be aware of that!
    Hope that helps
    chris

  • A server with the same hostname could not be found!

    Hi macusers,
    I saw that error on multiple threads but I found none related to my issue. So, before ignoring it, let me describe it:
    Two MAC Mini: one early 2009 and second late 2010. Both OS 10.9.1, MacKeeper installed, 6+Gb for RAM. Both use the same router to connect to the internet. Both are LAN connected, not WiFi. I even changed the DNS addresses on the router to use Google DNS.
    On Mac 2009:
    1. Safari opens pages randomly. Sometimes a website does not open, but when I create a new tab and select the website from bookmarks the website opens, while the previous tab still says: Safari cannot find the server .... All those websites are used in my daily work. I am not resetting Safari unless necessary.
    2. MAIL is showing only the Gmail account online out of 4 accounts. The rest of the accounts are not Gmail and appear as Offline. I restart MAIL and they appear online. I have to open/close MAIL like that several times a day.
    3. Sharefile and oDesk Team application cannot be opened because of that error: A server with the same hostname could not be found!
    4. Apple Store is displaying question marks instead of the icons and I can barely see what software I have installed.
    Now the beauty. Only on MAC 2009 I am experiencing those issues. The other MAC is fine. So far.
    What I tried so far:
    A. Reboot in SafeMode and Repair Permissions, Repair Disk. Everything OK.
    B. PRAM Reset and SMC Reset.
    C. Scan for viruses. No virus detected.
    oDesk Team app is working fine on the other MAC and I managed to install it on Mac 2009 on Windows 7 partition as well. Is working fine.
    Here are some screenshots showing you some of the errors I am picking on my side.
    That one is taken while trying to connect to ShareFile. After three or four attempts it finally managed to connect.
    That was a beauty. While MacKeeper was showing me that I am Offline, I was talking on Skype with a friend.
    Still cannot access oDesk Team application. However, after several attempts it is logging but what is showing me is a real nightmare.
    If I choose to see my contracts (though in the upper corner there is not my account) they do appear:
    Any valuable input will be highly appreciated.
    Warm regards,
    Sebastian
    P.S. I just remembered that I saw on a post in here related to the same error that someone from Apple asked a guy to make a test in terminal using a command line. I do it on my MAC and here is the result:

    Hi Grant,
    Here is what I did and so far it seems to be working.
    1. I deleted oDesk and ShareFile. I removed them using MacKeeper (I found this application very useful for uninstalling applications as MacKeeper looks for them all over the computer: cache, preferences, application support etc.) While for oDesk it is simple as I can look myself for oDesk in any file names, with ShareFile it was a little tricky to do it manually as MacKeeper finds files that contain the Citrix name rather than ShareFile. I would not have guessed that unless I had searched the internet on how to manually remove ShareFile from my system.
    2. I manually deleted all cache files and folders from ~Library and ~User/Library.
    3. After reboot I installed Onyx and ran maintenance where I checked all its options, including but not limited to DNS caches, font caches, everything.
    4. After I rebooted the computer, I went into Disk Utility and repaired permissions.
    Rebooted again. Now it seems to work fine. At least oDesk Team is working properly. I will have second thoughts about installing ShareFile.
    Some Romanian Mac users suggested checking my router connectivity and changing some DNS settings in it. Looks like that was also a problem on some MACs. I recall that a few weeks ago I had an issue with the TP Link router. My computer wasn't connected to the internet, though the router showed that there was an internet connection. I pinged the router from my computer and I received an answer. I pinged Google from the computer, nothing. I pinged Google from the router, it was working. I connected the computer directly to the internet without the router, it was working. When connected back through the router, nothing. I contacted the guys from TP Link and they suggested using Google DNS instead of those my ISP provided. But since then I had not experienced any issue with the router and internet, until now. The DNS servers are still those from Google.
    I will keep you updated if any issues appear again. So far, it is working perfectly as it is supposed to.
    Warm regards,
    Sebastian

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server, and the symptoms when the NAC server hung include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via https, and the HA pair was detected down by its HA neighbor, which triggered failover to the secondary CAS.
    The CAS server was recovered after manually power cycling the hardware.
    After going through the attached CAS logs, I found that all the services and the logging service were stopped when the issue was happening, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried to search the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, because software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
    It would be great if anyone can help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.

  • Starting managed server with nodemanager

    Hi there,
    Please help me with the WebLogic server installation. I'm stuck: the managed server fails to start with Node Manager. My scenario is as below:
    (1) set up the main server and able to run the server successfully.
    (2) set up one managed server, set up one machine on same server as main server.
    (3) assign machine to created managed server.
    (4) after that i've tried to run that managed server and error giving as below:
    Error from main server terminal
    ===================
    <NodeManager> <BEA-300048> <Unable to start the server 'ManagedServer1': Exception while starting server 'ManagedServer1': java.io.IOException: Server failed to start up. See server output log for more details.>
    Error from Node Manager Terminal
    ====================
    <Info> <MainServer> <'ManagedServer1'> <Server failed during startup so will not be restarted>
    <Dec 7, 2009 7:04:45 PM> <Warning> <Exception while starting server ''ManagedServer1'': java.io.IOException: Server failed to start up. See server output log for more details.>
    java.io.IOException: Server failed to start up. See server output log for more details.
    at weblogic.nodemanager.server.ServerManager.start(ServerManager.java:303)
    at weblogic.nodemanager.server.Handler.handleStart(Handler.java:542)
    at weblogic.nodemanager.server.Handler.handleCommand(Handler.java:119)
    at weblogic.nodemanager.server.Handler.run(Handler.java:66)
    at java.lang.Thread.run(Thread.java:619)
    Thanks in advance,
    Tim

    Sorry, I forgot to mention that the OS I am using is Solaris.
    Thx

  • Using Oracle 8i client, can I  access  oracle server with version 10g ?

    Hi ,
    I am a developer working with C++ and Oracle. I am new to Oracle in particular.
    I have some basic questions related to Oracle.
    1. With Oracle 8i client, can I connect to Oracle server with version 10g?
    2. With Oracle 8i client, can I connect to Oracle server with version 9i?
    3. With Oracle 9i client, can I connect to Oracle server with version 10g?
    4. With Oracle 10g client, can I connect to Oracle server with version 8i?
    5. With Oracle 10g client, can I connect to Oracle server with version 9i?
    6. With Oracle 9i client, can I connect to Oracle server with version 8i?
    These are basic yes/no type questions.
    Thanks & Regards
    Ravi Bhushan

    All answers on Metalink Note:207303.1 - Client / Server / Interoperability Support Between Different Oracle Versions

  • How to migrate an existing Microsoft SSIS deployment if it is decided to replace SQL Server with an Oracle database?

    Hi Oracle Gurus!
    Currently, I am designing an ETL solution that transforms and loads a lot of data from flat files and sends it to an SQL Server 2008 R2 database for storage. However, at a future point of time, it may be decided to add or even replace SQL Server with an Oracle 11g database.
    Currently, I am writing script transforms in C# to dynamically generate SSIS packages to transform and load the data into SQL Server. But considering that in future, an Oracle 11g or 12c database might be added to, or replace the SQL Server database, how do I make my script transforms (or whatever else I am developing currently for SQL Server) reusable to the extent possible?
    Or more precisely, what steps do I take, from an Oracle point of view, to ensure that any future migration of data to an Oracle database would be smooth to the extent possible?
    Looking up to my Oracle Gurus for enlightenment in this matter!
    Novice Kid

    When you're writing your own C# code to load data into the SQL Server you have to modify the routines so that they will work with Oracle.
    One approach is to use the extproc agent which would allow you to directly call external programs with all the logic in it to perform the load of your files and to put the data into the Oracle database. Another option would be to use utl_file package (or equivalents) which will allow you to open external files from your Oracle database and to directly read its content and then to pass it to the related tables.

  • Integrate NAC Appliance with Active Directory

    We are trying to implement, for our customer, a NAC appliance integrated with Active Directory single sign-on.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user is authenticated using their domain account login; if successful, the user is mapped to the VLAN assigned to them.
    The SSO agent installed on Active Directory is running well, and on the CAS the SSO service has also started.
    Let's say I have this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch, gets a dummy VLAN and authenticates using the domain account on AD. If that succeeds, the port is bounced; the user is running a Cisco agent in the background
    3. Now user A has their own VLAN ID 15
    I've created the authentication server on the CAM for Active Directory, but I find it very difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP Server,
    where the expression is
    memberOf contains CN=Finance, and apply it to the role employee. If VLAN 15 is your employee VLAN, then you would designate VLAN 15 in your Employee role under user role configuration.
    Now you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.
