Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
4
Replies

NAC Server and Manager Failure with out failover

thedinuka
Level 1
Level 1

‎02-02-2009 04:01 AM - edited ‎02-21-2020 03:15 AM

Hi, I'm working on a NAC L2 OOB wired design with 1 CAM and 1 CAS. I've not included failover to the design for the obvious financial reasons, and want to figure out the affect that the network would have in the case of a failure.

1.)What would the users experience in the event of a CAS failure? both currently online users and new users

2.)What would the users experience in the event of a CAM failure? both currently online users and new users

3.) Are there any ideas on how to minimize the effect on the users in the event of a failure, w/o adding failover bundle ?

Many thanks for your valuable input in advance.

Din

0 Helpful
4 Replies 4

Daniel Laden
Level 4
Level 4

‎02-02-2009 08:02 AM

1.)What would the users experience in the event of a CAS failure? both currently online users and new users

- new users would not be able to authenticate. existing users would have access to the network.

2.)What would the users experience in the event of a CAM failure? both currently online users and new users

- Review the CAS Fallback Policy

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_addSrvr.html#wp1098561

0 Helpful

thedinuka
Level 1
Level 1
In response to Daniel Laden

‎02-02-2009 07:31 PM

Hi thanks for the informative response. CAS fall back policy really does the trick. Too bad they can't enable a similar feature on the event of a CAS failure.

In the event of a CAS failure, the new users are still in a certain VLAN right, they will recieve IP addresses for that VLAN. would we be able to figure out to provide at least a minimum access level for these users ?

0 Helpful

flitcraft33
Level 1
Level 1

‎03-09-2009 12:00 PM

If you are out OOB, then a CAS failure would not affect logged in, remediated users, anyone not logged in would be stuck because when the CAS fails, the connectivity to the CAM would be lost.

If the CAM fails, you will not be able to log in, do remediation or anything. VLAN settings on switches will be frozen where they are at the moment of CAM faiure. Not that you could easily connect to switches, change vlans to allow users onto the LAN and the CAM would accept that passively when restarted but if you use the Agent it will probably want to log in again, which is not a huge issue if you use AD SSO.

Dan Sichel

Dan S.

0 Helpful

flitcraft33
Level 1
Level 1

‎03-09-2009 12:02 PM

Cisco does not support this suggestion, but if you want to minimize the impact of a CAM failure, put it on an ESX VMWare server cluster. Then your CAM won't fail.

Dan S.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card