Wireless WLC with NAC appliance

Similar Messages

• L2 or l3 switch with NAC appliance

  Hi,
  I am planning for deploying NAC appliance in OOBVG mode. For the access layer, L2 switches are selected (2960). If I change the L2 access switches with L3 (3560 or 3750) would this add more manageability to the access layer by NAC?
  Regards,
  Mladen

  Thanks.
  The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
  "In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
  So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is client satisfactory.
  If the NAC is in OOBVG mode, are there any NAC features, which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
  Regards,
  Mladen

• Wireless Guest with NAC Server

  Hi All,
  Anyone knows why Sponsor can't create a guest account with 1 month duration.
  Its a NAC running on 2.1 version in SNS-3415-K9.
  The current setup is WLC connected to NAC Server.
  Is it related to Account type?
  From the Account Type dropdown menu, you can choose one of the predefined options:
  Start End—Allows sponsors to define start and end times for account durations.
  From First Login—Allows sponsors to define a length of time for guest access from their first login.
  From Creation - Allows sponsors to define a length of time for guest access from the moment of account creation.

  When you say, "One MAC user" you mean every other client works except for this one MAC device?  If other MAC devices work, then it must be something on the client device that is having issues.  The only issue that I have ran into, is html code that might not be supported in certain browsers if you are runing a custom webauth page.

• NAC Appliance 3350 Server

  Hi ,
  Facing issue with NAC Appliance 3350 Server where we are trying to login via a user configured on newly migrated ADserver win 2008 .
  This AD server was on 2003 where on same NAC its working fine . I am not much in NAC so need your help .
  ========
  Thanks 4 reply

  Hello,
  NAC Appliance:
  • Offers Authentication, Authorization and Remediation
  • Covers Wireless, VPN and LAN.
  • Only can be used as an appliance. No virtualize offerings. For small locations which ISR routers, a 50 and 100 user module is available.
  • Licensed by user count matching and applied to the corresponding enforcement server. Users bundles are 50, 100, 250, 500, 1500, 2500, 3500 and 5000.
  • Uses SNMP V1,2 and 3 or can be in-band / bump in the wire.
  • Can leverage Cisco Profiler or whitelist non-NAC capable devices.
  • Cisco enforcement appliances can provide collecting abilities for Cisco Profiler with an additional license.
  • Can Leverage Cisco Guest server for advance guest access.
  • Comes in HP or IBM appliance formats.
  • IBM appliances are 3315, 3355 and 3395 appliances. They can support ISE
  • HP appliances are 3310, 3350 and 3390 appliances. They cannot support ISE
  ACS 5.X:
  • Offers 802.1x NAC features and device management (TACACS/RADIUS).
  • Can be an appliance or Vmware. Appliances that are IBM hardware can support ISE. VMware can be migrated to ISE for an additional cost.
  • Provides Authentication and Authorization. Does not offer remediation.
  • Requires switches that support 802.1x COA as specified on cisco.com/go/acs to function as the enforcement agent. ACS alone cannot offer access control.
  • 802.1x NAC features do not require additional licenses for up to 500 users/devices. To scale beyond 500 users/devices, an additional large deployment license is required.

• Cisco Wireless NAC Appliance - Design Practices ??

  Hi,
  I have a new Cisco WIreless NAC appliance, the purpose of which is to manage the Guest users access to network. I have been searching for some best practices related to the design of this appliance but havent found one.
  Can anybody help me in sharing his design experience or any docuement which would be guiding in deciding over the design / placement of this NAC device in network.
  Thank You.

  Hi,
  there is nothing such as "Wireless Nac appliance".
  The question is "do you have the NAC Guest Server" or the "Nac appliance Server and Nac appliance Manager (CAS/CAM)" ?
  Because those are just not the same at all.
  Then on the wireless side, do you have autonomous APs or a WLC ?
  Sorry to ask, but there's just so many possibilities you could be asking that we need to clarify.
  My bet is that you are either looking for this :
  http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a0080a138cc.shtml
  or for this :
  http://www.cisco.com/en/US/partner/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html#wp1092277
  Nicolas
  ===
  Don't forget to rate answers that you find useful

• Will a NAC appliance work with Meraki WL

  Hi All,
  I have a customer that presently uses the cisco meraki wireless solution and would like to have a NAC appliance installed in there environment. Will Cisco NAC support the meraki for access control?

  Yes Sir.. Check this link for supported devices with Cisco ISE
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Integrate NAC Appliance with Active Directory

  We try to implement on our customer, NAC appliance integrating with Active Directory Single sign on.
  The NAC configured with L2 OOB. User first connect to switch and got the authentice Vlan, then the user will be authenticate using their domain account login, if success the user will be mapping to the Vlan assign to them.
  The agent SSO installed on Active Directory is running well, and at the CAS also the service SSO started.
  Let say i've this situation:
  1. User A has been assign to Vlan 15 Employee
  2. User A plug to switch and got dummy vlan and will authenticate using Domain account on AD, If succeded than, the port will be bounce, the user running an cisco agent on background
  3. Now user A has their on Vlan ID 15
  I've created the Authentication server on CAM for the Active Directory, but i've find it's so difficult to config mapping rules between user roles to Active directory. The guidance pdf how to implement NAC i've downloaded from cisco, not mention it how to mapping user roles to Active Directory...
  Has any one has been configured mapping rules user roles to Active directory?

  So you would create a mapping rule against your lookup server like so.
  Say the AD group membership is "Finance"
  for ADSSO you would apply the mapping rule to your LOOKUP Server
  where the expression is
  memberOf contains CN=Finance and apply it to role employee if VLAN 15 is your employee vlan then you would designate vlan 15 in your Employee role under user role configuration
  Now you cant test this with ADSSO with the test auth function so what I like to do is create an AD authentication server and test against that as long as you have some form of mapping configured the auth results will return all memberships for the userename you login with so you can get the syntax exactly right.

• Nac appliance deployment with 802.1x

  Hi,
  Is it possible to deploy a nac appliance solution and use 802.1x as protocol to discover users connection on a switch?
  We don't want to use snmp, I have a microsoft radius server in my deployment for user authentication.
  Thanks!
  Jocelyn

  My friend, i have a customer with whis configuration and worki fine.
  symantec need antivirus version 10 (8 or 9 no !!!!), the symantec posture plug installed in the clients.
  work fine wiht w2k and xp
  cta 2.x work fine. 1.x only work with L3 ip, no 802.1x.
  csa i don?t have experience.
  take care, it is hard to configure, if you need something more ask me to.
  Leo.

• Authentication NAC appliance with ACS

  I had deployed a L3 Virtual Gateway mode for NAC appliance. There is ACS for authentication. How can I add ACS to "Auth Servers". CAM settings do not need mapping rules. Every user just anthenticate oneself's account, then CAM can pass these info to ACS. What should I do, Thank you?
  Is there any configuration example, e-mail to [email protected]

  http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a00809b8e3b.shtml

• What is a Cisco NAC appliance used for?

  We have a 5508 WLC in use already and have this 3310 lying around unused.  I am trying figure out if adding a 3310 would be of any benefit.
  From the documentation, the features of a 3310 NAC are,
  Recognize users, their devices, and their roles in the network
  Evaluate whether machines are compliant with security policies
  Enforce security policies by blocking, isolating, and repairing noncompliant machines
  Provide easy and secure guest access
  Simplify non-authenticating device access
  Audit and report whom is on the network
  What does enforce security polices by blocking, isolating, repairing really mean?
  "Provide easy and secure guest access"  I already have a public wireless ssid set on the wlc.
  I can recognize users in reports like Solarwinds.  I can see the username, IP, MAC, AP location.
  I can get an report from my logging traps collector, Solarwinds.

  Well usually when I have deployed them back in the days, you had a NAC Appliance and another NAC Manager. But what you have read, that is exactly what it does.
  What does enforce security polices by blocking, isolating, repairing really mean?
  It will block and isolate the device if it doesn't meet the requirements that you have set, but the user has to manually repair the items.
  "Provide easy and secure guest access" I already have a public wireless ssid set on the wlc.
  I can recognize users in reports like Solarwinds. I can see the username, IP, MAC, AP location.
  I can get an report from my logging t
  You will not see any username or ap locations. I wouldn't use it as it might be more of a headache to implement unless you know what you are doing.
  Sent from Cisco Technical Support iPhone App

• WLC with ISE as radius and also external web server

  Hi friends,
  I am biulding a wireless network with 5508 WLC and trying to use ISE as radius server and also to redirect the web-login to it.
  I was trying to understand that to achieve the external web-login, do i need to use the raduius-nac option under advanced on the guest wireless where i am trying this out. and if not, where do i actually use it?
  So far what i have understood that i do need to have preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
  any suggestions would be higly appreciated guys!
  Regards,
  Mohit

  Hi mohit,
  Please make sure the below steps for guest auth thru ISE,
  1)Add the WLC in your ISE as netork devices.
  2)In Guest SSID you need to choose the pre authentication acl.That acl should allow the below traffic
      a. any to ISE
      b.ISE to any
      c.any to dns server
      d.dns to any
  3)The external redirect url will be 
  https://ip address:8443/guestportal/Login.action
  4)AAA server for that SSId would be your ISE ip with port number 1812.
  5)In advanced tab please choose the AAA override. No need of radius nac.
  6)Create appropriate authorization profile in ISE for guest.Example is below ,

• NAC Appliance for Wirelles In-Band Virtual Gateway

  Hi, People.
  Does anybody know as configuring NAC Appliance for Wirelles In-Band Virtual Gateway.
  Tks.

  Hi Wemerson,
  Basic Wireless or Wired InBand is basically the same thing regarding the NAC configuration.
  Please follow the chalk-talks available online: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
  Notes:
  - In Inband all traffic MUST flow through the CAS, which means that al the traffic on the VLAN of the wireless client MUST flow through the CAS. This can be done via L2 mechanisms (VLAN restrictions) or L3 (routing).
  - For the CAS, it is transparent if the client traffic comes from a wireless client or wired client.
  - If you want to use wireless sso, you can configure the WLC the same way as a VPN concentrator. the Wlc will then send RADIUS Accounting information to the CAS and the CAS can allow clients to access resouces if they have already been authenticated by the WLC.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Restrict Access SSID with NAC

  Recently I deployed a NAC Appliance OOB with WLC 4402, everthing ok and works fine but to authenticate user on NAC I created a Groups on ACS just to authenticate this users but these users are be able to access other SSID on WLC.
  I want this users just make access on NAC SSID.
  Does anyone know how do this?

  Hi,
  Please check out this link,
  Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS Configuration Example
  http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
  Regards,
  ~JG
  Do rate helpful posts

• Client Roaming Within Single WLC with Different AP Groups

  I am trying to setup a 4400 WLC with 2 different AP Groups mapped to its respective Dynamic Interfaces / Vlans. AP's are equally mapped to both the AP groups by Floor wise ex: First floor AP's connect to one AP group and the Second Floor AP's connecting to other AP group.
  Goal is to create separate Network policy for each Floor using ACL's and apply to their respective Vlans on Layer 3 Switch. Wireless Raoming should happen seamlessly between these Ap groups making the DHCP changes by not disconnecting and connecting every time user roam across the Floors.
  Problem is When Clients Roam between Floors i,e moving between AP Groups, they still maintain their old DHCP IP addresses when moved to new AP group even after Client re-authetication. This defies our goal of creating a Wireless Network Policy using single WLC.
  Knobs i have tuned in WLC to acheive our goal includes....
  1. WLAN Session Timeout - No use
  2. DHCP Proxy Disable - No Use
  3. ARP Time out - No use
  Looks like WLC is storing the IP address and MAC information of the Client unconditonally during roaming and clearing out untill a manual or forced disconnect or disassociation is done.
  Did anyone tried to implement this setup and made it running? Any help or suggestion would be higly appreciated.
  Thanks
  Guru

  abit late for a reply but....try going to the SSID>Advanced and ticking the "DHCP Addr. Assignment" Required checkbox and test again.
  What does the DHCP Required field under a WLAN signify?
  A. DHCP Required is an option that can be enabled for a WLAN. It       necessitates that all clients that associate to that particular WLAN obtain IP       addresses through DHCP. Clients with static IP addresses are not allowed to       associate to the WLAN. This option is found under the Advanced tab of a WLAN.       WLC allows the traffic to/from a client only if its IP address is present in       the MSCB table of the WLC. WLC records the IP address of a client during its       DHCP Request or DHCP Renew. This requires that a client renews its IP address       every time it re-associates to the WLC because every time the client       disassociates as a part of its roam process or session timeout, its entry is       erased from the MSCB table. The client must again re-authenticate and       reassociate to the WLC, which again makes the client entry in the table.

• NAC Appliance and BigFix Automatic remediation

  Hi,
  I want to integrate NAC appliance with BigFix for automatic remedtiation of windows client. Please provide me document me for same if anyone did in their organization.
  Regards,
  Amit

  Hi,
  I want to integrate NAC appliance with BigFix for automatic remedtiation of windows client. Please provide me document me for same if anyone did in their organization.
  Regards,
  Amit