NAC in Inband L2 Virtual mode

lambay2000
Level 2

Dear Experts,

I'm planning to implement NAC in-band virtual mode, as I have HP and Cisco switches in my network. I have read the installation guide and the Cisco Press book for NAC; now I want confirmation from you experts of the step-by-step procedure to set up NAC.

I thought to post because many of you have implemented NAC several times, so I am asking for the general steps to start. I am going to use antivirus update and Windows update for the host posture assessment.



My thinking for the implementation is:

  1. Create the authentication VLAN on the access switches (no SVI for the authentication VLAN).
  2. Do the authentication VLAN to actual user VLAN mapping in NAC.
  3. Create a rule such as Windows update and antivirus update; the requirement is then to access the antivirus server and the Windows update server.
  4. Allow an access-list for all the user VLANs to reach these antivirus and Windows update servers, BUT these IPs will be from the actual VLAN IP subnet because we will not have any authentication subnet in DHCP ??????? Correct me if I'm wrong.
  5. Shift the users from the actual VLAN to the authentication VLAN.
  6. Configure the managed subnet for the reply to the DHCP request.
  7. Enable L3 and set up static routes.
  8. Manually go to each and every PC and open a browser so that it is redirected to install the NAC agent. Is there any other way to install the NAC agent on 1000 Windows machines? My system administrators are not very smart, so please, any solution without any help from the system administrator?????? It will be highly appreciated.

The points above I have written are what I think NAC is. If there are any other points I am missing, please, please, please advise me or give proper guidance.

3 Replies

Faisal Sehbai
Level 7

Hi,

1. This is correct. Auth VLANs shouldn't have SVIs anywhere on the network

2. Okay

3. Okay. For posture assessment, look at chalktalk 5 from this link: http://bit.ly/chalktalks

4. For an L2 VGW setup (assuming In-Band), you will only have one set of IP addresses to work with, and those would be the Access VLAN IP addresses. You don't get a different IP address in your Auth VLAN. You can limit the resources you want your clients to have access to by tweaking the Traffic Policies.

5. You would map the users, and you do that by defining the VLAN mappings

6. For L2 deployments, you will need managed subnets for all the IP subnets that you work with.

7. You don't need static routes for L2 deployments

8. If your clients are using any managed software system, like GPOs using AD, or SMS, or Altiris, you can push out the agent to them using those mechanisms.

HTH,

Faisal
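The switch side of the L2 VGW in-band layout described in the reply above (auth VLAN as pure Layer 2, SVI only on the access VLAN, no static routes), written out as an added illustration that is not from this thread or from Cisco documentation; the VLAN IDs, interface names and addresses are assumed, and the auth-to-access VLAN mapping itself is done on the NAC server, not on the switch.

```cisco
! Access switch (assumed IDs): user VLAN 10 and auth VLAN 110 exist only as Layer 2 here
vlan 10
 name USERS
vlan 110
 name NAC_AUTH
!
! Unauthenticated clients land in the auth VLAN; there is deliberately no "interface Vlan110"
! on any switch, so the auth VLAN has no SVI and no IP subnet of its own
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
!
! Uplink toward the NAC server's untrusted interface carries the auth VLAN;
! the NAC server bridges 110 to 10 (VLAN mapping) and passes traffic to its trusted side
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 110
!
! Core / distribution switch (trusted side of the NAC server): only the user VLAN gets an SVI.
! Clients still receive 10.10.10.0/24 addresses because DHCP is relayed from this SVI;
! the same subnet is what is declared as a managed subnet on the NAC server.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.10.99.10
```

Because the NAC server bridges rather than routes in this mode, nothing in this fragment needs a static route for the auth VLAN.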

Hello Faisal,

It seems that you are the real expert for NAC.

I need your help once more. I have read about integrating Windows AD users with NAC but I'm not confident. What are the proper steps I have to follow for integrating, as it seems very difficult for me? I also want SSO for login.

Thanks

Hi,

Start here for AD SSO, assuming you're on 4.7.2: http://tinyurl.com/27rczx6

HTH,

Faisal
