Cisco NAC features Support

Answered Question
Oct 7th, 2010

Hi,

I have some questions on Cisco NAC and am not sure if it is able to support them:


1. Can NAC honor/trust QoS packets when it is set up for inband/out of band?


2. For creation of a lobby admin for management of local guest accounts (using the Clean Access appliance), does the Cisco NAC appliance support authentication of the lobby admin via ACS/external DB? If not, would adding a guest server achieve it?


3. Does the NAC appliance support non-Cisco wireless controllers as well as a mixture of Cisco/non-Cisco switches? If so, if the switch supports SNMP MIB mac-notification/link up/link down, would that be sufficient?


4. Does Cisco NAC come with a predefined set of AV rules to check that any of the supported AVs is running for posture check (for example, if NAC supports 100 different virus products, can it check all 100 of the different products that may be installed on a PC for posture check)? An example of this would be a hotel, whereby there are people with different antivirus products installed trying to access the network, and the antivirus needs to be running, installed and updated in order to access the network. I do know that the default pre-configured rule can check for installation/definition; however, I am not sure about application/service running status.


Thanks.

Faisal Sehbai Thu, 10/07/2010 - 08:59

Hi,


1. No it doesn't

2. Guest server will have to do if the requirement is external DB

3. Assuming wireless OOB here? If so, only WLCs from Cisco and that too on specific versions are supported

4. Yes. You can configure an ANY AV rule. You will have to update your checks/rules to get the whole set of them though.


HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

CSCO10675262_2 Thu, 10/07/2010 - 17:41

Hi Faisal,

Thanks for the information. For item 3, may I check if the Cisco Clean Access NAC appliance would support other brands of wireless controller, such as Alcatel, when running inband for wireless? The customer has approx. 90% Cisco wired infrastructure; however, their wireless is non-Cisco. If so, would there be a guide on the setup of it?


For item 4, may I ask how it may be done? For example, do I need to create checks for all the supported antivirus running (all A/V supported by Cisco), followed by the rules creation for the different antivirus processes/applications running?


Thanks.

Lauren Sullivan Fri, 10/08/2010 - 10:58

For inband, there should be no problem running other brands of wireless devices.  You shouldn't have to do any setup on the wireless side - depending on the CAS setup, just trunk / force the traffic to the CAS the same way you would with users behind a switch.


For the AV, you'd create a single new AV rule.  One of the selections is "any supported vendor" - so you'd choose this.  Then, you'd associate that rule with your AV requirement.


HTH,

Lauren

CSCO10675262_2 Sat, 10/09/2010 - 08:23

Hi Lauren,

Thanks for the update on the support of the wireless.


I was wondering, for non-Cisco switches (the reason is that the customer has some non-Cisco switches), would SNMP MAC address notification/link status notification be sufficient for support of either inband/out of band for wired clients?


Regarding the AV, I do understand that it is possible to create an AV rule to have "any" vendor for both installation and definition; however, I was wondering if the default updates would have the support to check AV application running instead of the 3 default Symantec/McAfee/Trend Micro applications running?


Thanks.

Faisal Sehbai Sat, 10/09/2010 - 09:40

Hello,


OOB setups require Cisco switches/WLCs. No other vendors are supported for OOB.


For the AV running, that's different than the Installation/Definition rules. You will have to create custom rules for the running processes and identify what processes are associated with different AVs running.


HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

CSCO10675262_2 Mon, 10/11/2010 - 07:05

Hi Faisal,

Thanks for the information. Last question: for NAC deployment, would it be recommended that the NAC manager and server (eth 0) be placed in the same subnet for layer 2/3? Would there be any disadvantage to putting both of them in the same subnet compared to different subnets?


Thanks.

Correct Answer
Faisal Sehbai Mon, 10/11/2010 - 07:15

Hi,


For VGW setups, you have to have them in separate subnets. For RIP, they can be in same subnet without problem.


HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily
