I have the NGS (Version = 2.0.3) and Cisco NAC Manager/Server (Version = 4.8.2)...
I have deployed the wired and wireless users and am using different authentication servers (LDAP, RADIUS, VPN SSO, AD SSO) with their mapped roles. It seems to be working well so far.
My question is, what is the best deployment of NGS with the NAC solution for wireless users (having different SSIDs with unique roles)?
Currently, for the guest users, I was creating the user accounts on NGS with the role "Wireless Guest"; the same role was defined on NAC Manager. NGS creates the users on NAC Manager by using the APIs.
When the guest user connects to the "Guest SSID", the login page appears with the default Authentication Provider = Local DB. After successful authentication, the user gets the right "Wireless Guest" role... So far, it seems to be working well....
But now the customer wants another role from NGS to be created, e.g., another guest role with some additional access to the network, which will be controlled by having ACLs on the core switches. This role will use another SSID / user subnet / quarantine and access VLAN.
After completing all prerequisites, I came to know that users from both roles can connect to each other's SSIDs; both roles are being authenticated from the Local DB and getting access to the network. For example...
We are solving this by having multiple nac managers and nac appliances. The NAC appliance line doesn't seem to have the granularity or flexibility to handle these use cases.
Another thought would be to take this off the NAC appliance somehow and do AAA override so that when they auth to the SSID, they get put in the correct VLAN. I can assume what your response will be: they are guests, we can't have them auth because of the overhead.
This is exactly why we have come to the conclusion that for each use case a different NAC Manager is required, to allow us to formulate different policies for users in different use cases.
For example, if we want to restrict a set of users but allow another... Both users have to be tagged with an attribute via LDAP (we will call it the restricted attribute). One NAC appliance for the unrestricted SSID would look for the restricted tag and block access to any user with a restricted tag but allow everyone else.
Your 2nd NAC appliance/Manager would be used for the SSID that restricted users connect to. It would look for the restricted flag and allow them, but block users who did not have a restricted flag.
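The per-SSID policy split described in the reply above, as an added example that is not part of the thread and not Cisco NAC code: it models the original poster's symptom (one Local DB admitting any valid account on either SSID) beside a policy where each SSID's appliance checks a hypothetical LDAP "restricted" attribute. SSID names, attribute name and user records are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str
    attrs: dict = field(default_factory=dict)  # LDAP-style attributes

# Constructed sample accounts: one plain guest, one tagged restricted.
USERS = {
    "alice": User("alice", "Wireless Guest"),
    "bob": User("bob", "Wireless Guest Restricted", {"restricted": "true"}),
}

def is_restricted(user):
    """True when the hypothetical LDAP 'restricted' attribute is set."""
    return user.attrs.get("restricted", "false").lower() == "true"

def single_db_policy(ssid, user):
    """Symptom from the original post: one Local DB behind both SSIDs,
    so any valid account is admitted on any SSID regardless of role."""
    return user is not None

def per_ssid_policy(ssid, user):
    """One NAC policy per SSID, as the reply suggests: the open SSID
    rejects tagged users, the restricted SSID admits only tagged users."""
    if user is None:
        return False
    if ssid == "Guest":
        return not is_restricted(user)
    if ssid == "Guest-Restricted":
        return is_restricted(user)
    return False  # unknown SSID: deny by default

def decide(policy, ssid, username):
    """Look up the account (None if unknown) and apply the given policy."""
    return policy(ssid, USERS.get(username))

if __name__ == "__main__":
    for ssid in ("Guest", "Guest-Restricted"):
        for name in USERS:
            print(ssid, name, "single-db:", decide(single_db_policy, ssid, name),
                  "per-ssid:", decide(per_ssid_policy, ssid, name))
```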
If NAC Server is configured for IB VGW mode and is mapping the ingress VLAN through to the upstream gateway, then the access between SSIDs would appear to be occurring upstream. Of course, you could also configure named ACLs on each WLAN interface of the WLC to block traffic to/from the other WLAN subnet. If IB RIP mode is deployed, then you should be able to configure traffic filters on the untrusted interface of each VLAN to deny traffic to the other VLAN's IP address space.