Unanswered Question
Oct 19th, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get tips for deploying NAC network module for Cisco Integrated Services Router (ISR) to enforce security policies at the branch. with Mahesh Naidu and Alok Agrawal. Mahesh is a product manager for Cisco NAC Appliance, where he is primarily responsible for Cisco NAC Network Module and Cisco NAC Profiler. He has worked at Cisco since 2001, holding engineering positions focusing on service provider technologies before moving to product management. Alok joined Cisco Systems Inc. as an engineer in the Technical Assistance Center (TAC) Lan switching group in September 2003. He is currently the technical marketing engineer for the Cisco NAC Appliance.

Remember to use the rating system to let Mahesh and Alok know if you have received an adequate response.

Mahesh and Alok might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 2, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.7 (3 ratings)
thomas.chen Mon, 10/22/2007 - 10:50

Hello -

Which Cisco routers support the NAC network module?

Thanks - Tom

manidu Mon, 10/22/2007 - 10:56

The Cisco NAC Network Module is supported on modular integrated services routers with a network module slot; that is, the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Router platforms. Note that the Cisco NAC Network Module is not supported on Cisco 3700 or 2600XM Routers.

b.hsu Tue, 10/23/2007 - 07:41


Can you tell me how many simultaneous users can the Cisco NAC Network Module support?

manidu Tue, 10/23/2007 - 08:29

Cisco NAC Network Module comes in 2 licensing options designed for branch office deployments. One is for supporting 50 users and other for 100 simultaneous users.

leon.mflai Tue, 10/23/2007 - 08:30


Does NAC Network Module need to work with NAC Clean Access Manager server?

And, I noticed before Cisco may release a product called "NAC-one". Can you tell something more about that?



manidu Tue, 10/23/2007 - 12:17

Yes NAC Network Module will be managed by NAC Clean Access Manager Server.

Kevin Xiong Tue, 10/23/2007 - 15:45

NAC-CAM site failover design scenario:

Customer has two DC - Main and DR. Redundant NAC-CAM is in the main data center, all remote office has a single NAC-NM. If they lost the main DC WAN connection, all remote will connect to the DR site. How to provide NAC-CAM redundant in this scenario? Use another CAM at DR site?

manidu Tue, 10/23/2007 - 16:08

i. For intermittent WAN connetivity loss, you can use "Fail-Open" option which will allow users to get onto remote network

ii. If main site goes down (or WAN link), option would be to use another CAM at the DR site.

Kevin Xiong Wed, 10/24/2007 - 08:20

What is the best option to deploy NAC for HQ + many remote sites with LAN and WLAN w/ H-REAP AP enabled.

option1: Central NAC L3-OOB for LAN, L2-IB for WLAN(WLAN need IB), not sure how WLAN H-REAP works here??

option2: Edge deployment NAC OOB for LAN and NAC IB for WLAN.

Does NAC-NM support both IB and OOB? if yes, we can only use either IB or OOB at a time, right?

alagrawa Wed, 10/24/2007 - 19:47

Hey Kevin,

Thanks for your post.

The NAC Appliance and the NAC NM can be IB or OOB, but not both at the same time.

For wireless, we have to do IB, for lan we can do OOB.

Both options above are valid, you can have a distributed model with a NAC server or NM at each remote site, or a central model.

With Hreap enabled, the wireless user traffic will be switched by the local AP instead of being tunneled back to the WLC. Hence this depends on where your NAC Server is connected, whether it is behind the WLC or logically behind all the APs.

hope this helps.



Kevin Xiong Thu, 10/25/2007 - 05:51

Thanks Alok for your reply!

I'm trying to put together all different scenarios to fit in different situations for LAN/WLAN access.

Here is another option--option3:

Central Deployment OOB for All LAN access(HQ+Remotes); And edge Deployment IB for ALL WLAN(HQ+Remotes). So we will have a big CAS-FB at HQ for all LANs+Remote LANs, a smaller CAS/or CAS-NM at edge for all WLANs+H-REAP.

Overall the 3 options above, which one would be a best?

From the WLAN deployment and performance perspective, do you think the Edge-IB deployment is easier/better than the Central-IB?

For the H-REAP AP traffic at the Edge-CAS, we don't want to have the Guest SSID to hit the NAC-CAS, internal SSID only. The H-REAP AP is on a trunk port. So I guess the Edge CAS is logically behind the Central WLC. Will this topology works fine when Edge-CAS is a IB-VG mode. All cisco R/S in the design, no other vendors.


alagrawa Thu, 10/25/2007 - 05:55

Hey Kevin,

If your WLC is at the central site, then I would recommend a central OOB and a central IB NAC server.

If the wlc is local at the remote site, then you can go with option # 3.



Kevin Xiong Thu, 10/25/2007 - 08:01

We usually will see a mixed environment for WLC deployment. For large remote site, there's a local WLC, but for small remote site, NO local WLC there, it will be H-REAP APs. So in general, we should deploy NAC-CAS w/ Edge IB mode whenever there's a local WLC. if the site is in H-REAP AP(no WLC), we should use the Central NAC-CAS-IB for wireless user, is that a right approach?

thanks so much.


harinirina Wed, 10/24/2007 - 23:50

Hi all,

We're planning to implement NAC framework in a network.

There are users in LAN and in branch offices.

We have ACS server, switches, routers, Mcfee antivirus.

What's other components do we need for the implementation?

Would you like to give some information about things to do and configuration?

manidu Thu, 10/25/2007 - 07:45

This forum is for NAC Network Module and NAC Profiler questions, for generic questions pls use the existing aliases.

bert.lefevre Thu, 10/25/2007 - 00:26


Can we also ask questions regarding the NAC framework (especially the ACS Solution Engine / ACS Appliance)? Or is it just the NAC appliance that is discussed?

Thank you

manidu Thu, 10/25/2007 - 07:14

This forum is for NAC Network and NAC Profiler questions, for general questions pls use the existing aliases.

Kevin Xiong Thu, 10/25/2007 - 08:06

is there a low end profiler on the road map?

NAC3350-PROF-K9 is over killed for most SMB.

manidu Thu, 10/25/2007 - 21:48

Currently we do not have a SMB-type Profiler version, pls send your business case to the alias so that it gets on the roadmap.

nagel Thu, 10/25/2007 - 12:03

I have a CAM controlling 2 CASs. One CAS is IB the other OOB. I am not happy at all with OOB implementation and am planning on converting the OOB to IB. Are there any problems that you know of or any gotchas that I should be aware of in order to run multiple IB CASs?

manidu Thu, 10/25/2007 - 21:46

CAM is capable of handling the CAS in both IB and OOB mode, so there won't be any issues handling multiple IB CAS's.

venkatesh Gotur Fri, 10/26/2007 - 21:47

I have point to point connectivity. From router A i am able to ping all VLAN but from Router B i am no table to ping That vlan ip it reaches till Fa0/0

manidu Sat, 10/27/2007 - 09:02

pls use generic alias with more details regarding the issue.

Mauricio Martinez Sat, 10/27/2007 - 09:23

Hi there,

I have this scenario where granular control of the users accessing the net is needed: 1 HQ office (ISR 38xx), 7 Branches (28xx) and each branch has a varying # of satellite offices (87x). All the ISR's have the Adv IP services IOS. How would I propose a NAC scheme? Can branch offices, with NM-NAC, be used to control access to the network for users in their respective satellite offices? Which would be better? IB or OOB? Thanks in advance!

manidu Mon, 10/29/2007 - 11:36

Yes you can use NM-NAC in the branch offices, such that traffic from the satellite office goes through the NAC module in the branch office. IB would be recommended option.

Mauricio Martinez Mon, 10/29/2007 - 16:21

Thanks Mahesh. I have a variation here to my scenario: Probably, I won't be able to use the NM's as I'd have to support more than 100 users. Would you still recommend IB? And, in case I have to implement OOB and have users connecting directly to the switch ports of an ISR 877, will these switch ports play with NAC appliance? Or would I have to resort to compatible switches behind the routers?

sarfaraz1981 Tue, 10/30/2007 - 01:57


i would like to know that with the new cisco 2811 ISR series router serail wic come along with or i need to order the serail network module seperately. i will be thankfull to you for ur help.

manidu Tue, 10/30/2007 - 09:34

pls use existing (ISR) alias for the ISR specific questions.

manidu Tue, 10/30/2007 - 13:01

pls use the vpn aliases for this question, as this is a NAC forum and I am not a expert on VPN technology.

shalvin1979 Tue, 10/30/2007 - 20:26


I would like to know that is it possible to share i 1 meg connection from a sigle line to two building on a lan. i have bought a 1 meg connection from my isp and have got two sites to install. purchasing two 512 would be a little expensive. There are two servers located i need to give both servgers 512 each.

Can you please tell me that is it possible with a cisco router and a managed switch.

Please revert at your eariest.

Regards - Salveen

manidu Thu, 11/01/2007 - 10:29


This forum is for NAC Network Module, pls use appropriate alias for your question.



orbanattila Wed, 10/31/2007 - 07:58


Is it possible to deploy NAC in branch offices using central CAS, CAM?



manidu Thu, 11/01/2007 - 10:27

Yes, you have various deployment options which include having a NAC Network Module at the remote-branch or deploying CAS centrally (in case if you have very few end-users in the remote-branch).

arturo_servin Thu, 11/01/2007 - 10:35

Thanks. One more question. The NAC can communicate directly with Active Directory or do I need a radius server (possibly an ACS server) as well?

Thanks again,


manidu Thu, 11/01/2007 - 12:28


NAC works with most of the existing authentication infrastructure which includes Active Directory, Radius, etc.



orbanattila Fri, 11/02/2007 - 00:54

In case of central CAS (oob) and branch offices with 5-10 users what are the supported tunneling methods over WAN to handle the traffic before the authentication. Any tipps, links are welcome.

arturo_servin Thu, 11/01/2007 - 03:25

Hello Mahesh and Alok,

Our branch offices are connected to high speed LAN links, so they do not really look as WAN branch offices, so I do not if this question is appropriate for this forum (we are not using routers in our branches). We have deployed there Cisco Catalyst 3560 as distribution and 2960 as access. In some places there is only one 2960 or 3560. We want to deploy authentication to the network in each site (there are no routers in the branches, only switches) and the NAC appliance looks like the only option. I wonder if we could use central NAC appliances to enforce the security policies in the branches instead of having in each place a NAC appliance (there are places with only 20 PCs and we think is not worth to install an appliance there). If it were possible, what would we need for a pilot of one branch with around 50 PCs? I guess is the NAC appliance and the Cisco switch(es) only, I am missing something?

Also, I forgot to mention that we are using active directory.



manidu Thu, 11/01/2007 - 12:27


Yes Centralised NAC deployment would be the way to work based on your description and it will achieve needed authentication functionality. For pilot, you would need a NAC Appliance Manager (CAM) and NAC Appliance Server (CAS) and NAC appliance works with the Active directory.

Also for doing a Secure Guest Access

and for headless devices



ciscors Thu, 11/01/2007 - 16:07

This is actually a NAC appliance question but I'm hopeful one of you will answer it

What do the traffic policies under the 'authenticated role' do?

a) Should anything be configured here?

b) Do the policy rules configured here apply to all normal login roles?

I can't find anything in the documentation about this



manidu Thu, 11/01/2007 - 16:20


I believe you are asking abt "unauthenticated role",

a. yes typically you need to allow access to DNS,DHCP,Active Directory. Basically access to critical resources when a user gets onto the network.

b. Policies configured in a certain role are applicable while user is in that particular role. e.g. when user gets onto network they start off in the unauthenticated role and then move to let's say temporary role, which might have different policies for e.g. access to remediation resources. let me know if this answers your questions.



ciscors Thu, 11/01/2007 - 16:32

No I'm actually asking about the 'authenticated role'. I've already configured the unauthenticated role for things like AD login. But when I logged onto my CAM, I see the auth role and all tcp and allow udp and allow all traffic defined there by default and I'm curious about this default role and what it's used for

manidu Thu, 11/01/2007 - 16:48

Did someone configure Authenticated role on your CAM ? you can check the local users and in Auth Server -> Mapping, to see if this is user-defined role.



ciscors Thu, 11/01/2007 - 17:14

looks like you're right. There is a local user mapped to this role. Since this role isn't being used, I'm going to delete it

Sorry about the confusion


juancarlosorellana Fri, 03/12/2010 - 14:57

hello, I want to do an implementation  L3 OOB, I have a headquarter and a branch, both separated by a router, I  have the CAS headquarter is possible in an implementation that has the  CAS in the headquarter and the customers of the branch can do NAC in the CAS process the headquarter, which  implementation is best for this event, or real IP VGW, who leads I  follow.


This Discussion