Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1144
Views
0
Helpful
7
Replies

NAC issue

Go to solution
kolawole1
Level 1
Level 1

‎05-20-2009 11:32 AM - edited ‎02-21-2020 03:28 AM

Nac policy is being enforced on a cisco switch.If a non cisco switch is connected to that cisco switch, can nac policy be implemented on the non cisco switch ?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
halim.abouzeid
Level 1
Level 1

‎05-22-2009 01:18 AM

you can do that only if you are deploying NAC in inband mode. You cannot enforce policies on non-cisco switches in out of band mode.

so if nac is deployed in inband mode, your answer is yes.

if nac is deployed in out of band mode, your answer is no.

View solution in original post

0 Helpful

Go to solution
halim.abouzeid
Level 1
Level 1
In response to kolawole1

‎05-22-2009 02:41 AM

snmp mac-notification and link up/down are used only in out-of-band.

For non-cisco switches you MUST go for inband. The idea is to force all the traffic coming from these switches to go through the NAC server. At all time (before and after being trusted), all the traffic will go through the NAC server.

You also have to note that a NAC server box can either work in inband mode OR out-of-band, but not the 2 at the same time. So you have to either go for inband for all your traffic coming from all your switches, or use 2 different NAC servers, 1 which will be configured in inband mode (for your non-cisco switches), and another one which will be configured in out-of-band mode (for your cisco switches).

you can find a step by step guide on how to configure nac in inband mode here: http://tools.cisco.com/cmn/jsp/index.jsp?id=55785

View solution in original post

0 Helpful
7 Replies 7

Go to solution
srue
Level 7
Level 7

‎05-21-2009 10:39 AM

need more info please.

in band? out of band? nac appliance?

0 Helpful

Go to solution
kolawole1
Level 1
Level 1
In response to srue

‎05-22-2009 01:12 AM

Hello,

I am using NAC Appliance 3310 Server -max 500 users and NAC Appliance 3310 Manager -max 3 Servers in in band mode.

0 Helpful

Go to solution
halim.abouzeid
Level 1
Level 1

‎05-22-2009 01:18 AM

you can do that only if you are deploying NAC in inband mode. You cannot enforce policies on non-cisco switches in out of band mode.

so if nac is deployed in inband mode, your answer is yes.

if nac is deployed in out of band mode, your answer is no.

0 Helpful

Go to solution
kolawole1
Level 1
Level 1
In response to halim.abouzeid

‎05-22-2009 02:28 AM

then assume i have Lynksys,3com,peabirdp or hp procurve switch how can i configure thoses switches for snmp mac-notification and link down for the switch to alert the nas ?

0 Helpful

Go to solution
halim.abouzeid
Level 1
Level 1
In response to kolawole1

‎05-22-2009 02:41 AM

snmp mac-notification and link up/down are used only in out-of-band.

For non-cisco switches you MUST go for inband. The idea is to force all the traffic coming from these switches to go through the NAC server. At all time (before and after being trusted), all the traffic will go through the NAC server.

You also have to note that a NAC server box can either work in inband mode OR out-of-band, but not the 2 at the same time. So you have to either go for inband for all your traffic coming from all your switches, or use 2 different NAC servers, 1 which will be configured in inband mode (for your non-cisco switches), and another one which will be configured in out-of-band mode (for your cisco switches).

you can find a step by step guide on how to configure nac in inband mode here: http://tools.cisco.com/cmn/jsp/index.jsp?id=55785

0 Helpful

Go to solution
liyasmacosx
Level 1
Level 1

‎09-17-2010 06:31 PM

Dear Sir,

We have Cisco NAC installed on our network and found  out that when in-band the access speed is half than that of out of band  speed.
Could you please highlight us on this issue as why this is happening. Any solution to this problem?

Thanks and Regards,

0 Helpful

Go to solution
Faisal Sehbai
Level 7
Level 7
In response to liyasmacosx

‎09-20-2010 06:56 AM

Liyas,

In in-band mode all your traffic from all your clients is going through the CAS so CAS can become a choke-point. With OOB setups, the initial traffic goes through the CAS and after authentication/posture you are moved to the core network directly.

HTH,

Faisal

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card