Cisco Support Community
ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC APPLIANCE

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Alok Agrawal how to configure the Network Admission Control appliance in different modes and troubleshoot the various configurations. Alok joined Cisco Systems Inc. as an engineer in the Technical Assistance Center (TAC) Lan switching group in September 2003. He is currently the Technical Marketing Engineer for the Cisco NAC Appliance.

Remember to use the rating system to let Alok know if you have received an adequate response.

Alok might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 5, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

57 REPLIES

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

The NAC appliance is the Cisco ACS appliance, correct?

Patrick

Cisco Employee

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

No. The NAC Appliance is the Cisco Clean Access Server, which is a component of the Cisco NAC appliance solution. Please see:

http://www.cisco.com/en/US/products/ps6128/index.html

for more information.

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hey Patrick,

Thanks for writing in. The NAC Appliance is the new name for Cisco Clean Access. The Clean Access Server and Clean Access Manager are components of the NAC Appliance. You can get more details at http://www.cisco.com/go/cca

Thanks

-Alok

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hello. I have a Cisco Clean Access Server/Manager 3.6.2 and would like to integrate with a VPN 3015 concentrator to check users connecting remotely. Are there any quick start guides that would help with choosing a mode (virtual gateway, I would assume) and show the physical layout for this setup, the IP addressing of the CAS interfaces, and IP address considerations for the CAM? The concentrator's public interface is plugged into the DMZ on the PIX. The private interface connects directly to our LAN switch. I would like to go from the private IP of the concentrator, to the untrusted CAS interface, to our LAN switch via the trusted interface of the CAS. The CAM would also be plugged into the same LAN switch. I have read that the CAM and CAS must be in different subnets; would that be the case in this setup? Any help would be greatly appreciated.

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hi Alok. Can you please give brief information about what NAC is, what it is actually good for, what components are required for implementing it, and its benefits in a Cisco powered network. Waiting for your reply,

sebastan

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hey Sebastan,

Thanks for your interest in NAC. The link below gives a pretty good overview of NAC and NAC Appliance and talks about the benefits and the components required to implement NAC Appliance. The second link goes into more details on this.

http://www.cisco.com/application/pdf/en/us/guest/products/ps6128/c1031/cdccont_0900aecd80201b33.pdf

http://www.cisco.com/application/pdf/en/us/guest/products/ps6128/c1161/cdccont_0900aecd802da60d.pdf

Hope this helps.

warm regards

-Alok

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hi Alok, I tried to refer to your links but they are not opening. Please check it out. Thanks.

sebastan

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hi Sebastan,

Hmm, I just tried it again and it worked for me. You may have to log in. At the top of the page there is a link to Log In. Can you try that and let me know if it works? I've attached both of the docs along with this post too.

regards

-Alok

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hey,

Thanks for your interest in the NAC Appliance.

We can do Single Sign-On for the NAC Appliance with the VPN concentrator. The Clean Access Server will be deployed in in-band Virtual Gateway mode.

Public--[VPN]----[CAS]---[switch]---[router]
                            |
                          [CAM]

When using Virtual Gateway mode, the CAS and the CAM must be on different subnets.

Chapter 7 of the CAM config guide at the link below gives more details on integrating the NAC Appliance with Cisco VPN Concentrators

http://www.cisco.com/application/pdf/en/us/guest/products/ps6128/c1626/ccmigration_09186a00805ec158.pdf

Please let me know if you have any more questions.

Thanks again.

regards

-Alok


New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Thanks for the response Alok. What if there is no router between the CAM and the CAS? How would I physically separate them so they reside in different subnets? A diagram, or an example of the IP addresses needed on each interface, would be a tremendous help.

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hey Joe,

If you have a flat network, then you would need to deploy the CAS in Real IP Gateway mode. In Virtual Gateway mode, we will need the CAS and the CAM to be in different subnets.

Both interfaces of the CAS can have the same IP address. The CAM should be on a different VLAN / subnet.

Hope this helps.

warm regards

-Alok

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

I hope this is the correct forum for this type of question, as this is the first time I am using this tool.

We are about to upgrade from 3.5.8 to 3.6.x. At the same time we want to know if we can utilize CCA to place users by role into one IP range (RFC1918) and then, after authentication and validation, issue real IP addresses.

Thanks,

Robert

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hey Robert,

Welcome!!

For the upgrade from 3.5.8 to 3.6.x, please do have a look at the upgrade procedure at the link below.

http://www.cisco.com/en/US/products/ps6128/prod_release_note09186a008053a3ed.html#wp111383

With the 3.6 code, we moved from kernel 2.4 to 2.6, hence the upgrade to 3.6 requires a little more work.

Currently are you using CCA in Inband mode or Out of Band mode? With the Out of Band mode, you can place users in the Authentication vlan and then after they are authenticated and after they go through posture assessment/remediation, they can be put in their user role vlan and get a real IP address.

More details on the deployment options are at the link below.

http://www.cisco.com/application/pdf/en/us/guest/products/ps6128/c1161/cdccont_0900aecd802da60d.pdf

Please do let me know if you need more information on this.

Thanks

-Alok

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

We are InBand. We have 4 'zones' and are moving to a 5th zone. If we can place users in an RFC1918 address until they are remediated, then we can use /30 networks and isolate each user in case they are infected.

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hey Robert,

If you configure the CAS in Real IP Gateway mode, then you can use the CAS as the DHCP server and create the scopes accordingly.

Please let me know if this helps.

Thanks

-Alok

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Today I checked my router using the dial-peer voice command. I found that in the "dial-peer voice 1000 voip" interface there are 43 failed calls; the disconnect cause is 10 and the disconnect text is "normal call clearing (16)". What may be the reason for that? Sometimes it takes 3 to 4 tries to call a number.

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hey,

Thanks for your post. This particular session is for the NAC Appliance product, hence it will probably be best if you post your question on the Voice over IP forum at

http://forum.cisco.com/eforum/servlet/NetProf?page=main

Thanks

-Alok

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hi Alok

My name is Saif. I am currently helping to set up NAC phase 2 for one of my customers. My problem currently is that even though the authentication on the ACS passed (meaning that under the ACS Passed Authentication logging the Message-Type is "Authen OK", and under the User-Name column I can see the username and the correct Group-Name), under the PEAP/EAP-FAST-Clear-Name column I get "anonymous". What could be the problem? I have raised a TAC case for almost 2 weeks but until now the problem is still not resolved. For your reference the TAC case number is 603361227.

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hi Saif,

Thanks for writing in. This session is focussed more on the NAC Appliance, hence it will probably be best to post this query on the Security>General forum to widen the audience. I will try to contact the ACS TME and see if he has any quick suggestions.

Thanks

-Alok

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hi Alok. Two questions regarding rules and requirements.

Let's say that users have many different types of anti-virus software installed on their PCs. When they connect, I would like everyone to be placed into one role.

If I create new AV rules for each vendor, and then assign those rules to one role, will the Clean Access Agent just look for the installed virus software and then allow access to the network?

Question 2 - Is there a built-in rule to force Windows Automatic Update to be turned on? I see that you can force updates, but I did not see a setting to enable automatic updates.

As usual, your replies are greatly appreciated.

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hi Alok, how well can the NAC appliance fit in an infrastructure where we have Layer 3 routing to the IDFs?

Can we integrate NAC in such a case..? If yes, how?

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hey Venkataramanaiah,

Thanks for joining in. The NAC Appliance can currently do L3 in Inband mode. In May, we will be able to do L3 Out of Band also.

The user will connect the PC to the switch, be placed in the authentication/quarantine VLAN, go through authentication, posture assessment/remediation and then be placed in the user VLAN. I will post more details on this once we FCS the code.

regards

-Alok

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Dear Alok, Thank you for the clarification..

When it goes out of band, what is the mechanism going to be to control the VLAN membership on the access ports?

Is it going to be 802.1X or SNMP or both? Please advise.

Regards

-Venkat

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Then I had another question on the impact of L3 campus design in deploying NAC in both in-band and out-of-band...

Well, with the routing capabilities available at the access layer these days, we have been designing our customers' networks with L3 routing down to the access layer. Obviously, the motivation behind this is to avoid STP loops.

Can the NAC appliance fit in such networks? I am sure in-band it may not work. How about out-of-band? Even out-of-band, I see the quarantine VLAN is still in-band.

So how is this being addressed?

Should we then stick to the old design of L3 only up to the distribution if we need to accommodate NAC? Or is there a better solution? Please advise...

Thanks again.

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hey Venkat,

We can deploy CCA both in Inband and Out Of Band (with 4.0 release) in the L3 campus design.

For Inband, the requirement is that user traffic always flows through the CAS. Hence at the Access Layer, you can configure PBR or VRFs such that the user traffic is directed to the untrusted port of the CAS. You will have to configure the CAS in Real IP gateway mode.

For OOB, the user traffic will be inline with the CAS only for authentication, posture assessment and remediation. With OOB, when the user first connects to the network, he will be put into the authentication/quarantine VLAN. You will configure PBR/VRF on the auth/quarantine VLAN such that all user traffic coming in on this auth/quarantine VLAN will be directed to the CAS. Once the user is certified to be compliant, CCA will change the VLAN on the end user switch port to the normal access VLAN. No PBR/VRF will be configured for this VLAN, hence the Layer 3 switch will forward traffic based on the global routing table. Please note that Layer 3 OOB will be supported from code 4.0 onwards.

Please let me know if you have any further questions on this.

regards

-Alok

New Member

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Alok, Appreciate your detailed responses to our queries..

Well, just one clarification on the in-band case. I guess we will not need PBR in this case, because all traffic effectively needs to go via NAC; maybe the default route for the entire MDF will be pointing towards the untrusted interface of the NAC. Hope you agree :-)

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hey Venkat,

We use SNMP to change the vlan on the ports.

We support SNMP v1 and v2c for read and SNMP v1, v2c and v3 for write.

warm regards

-Alok
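The out-of-band flow described above (the CAS certifies the host, then the CAM rewrites the switch port's VLAN over SNMP from the auth/quarantine VLAN to the access VLAN) is worth seeing at the packet level, because the write credential is what moves any port out of quarantine. The block below is an added example, not code from Cisco or from this thread: it hand-encodes an SNMPv2c SetRequest in BER so it runs without any SNMP library, and then checks what that packet exposes on the wire. Assumptions not taken from the thread: the object written is vmVlan from CISCO-VLAN-MEMBERSHIP-MIB (1.3.6.1.4.1.9.9.68.1.2.2.1.2.<ifIndex>), and the community string, ifIndex and VLAN number are made up.

```python
"""Build the SNMPv2c SetRequest that moves a switch port to another VLAN (the
write an out-of-band NAC deployment performs once a host passes posture
assessment) and show what that write exposes on the wire.

Added example, not Cisco's code. It hand-encodes BER, so no SNMP library is
needed. Assumed, not from the thread: vmVlan from CISCO-VLAN-MEMBERSHIP-MIB
is the object written; community, ifIndex and VLAN values are made up.
"""
import socket

VM_VLAN_OID = "1.3.6.1.4.1.9.9.68.1.2.2.1.2"  # assumed: vmVlan, indexed by ifIndex
SNMP_V2C = 1                                   # version field value for SNMPv2c


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def ber_int(value):
    # Two's-complement ASN.1 INTEGER (minimal length for non-negative values).
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def ber_octets(data):
    return tlv(0x04, data)


def ber_seq(body):
    return tlv(0x30, body)


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def snmpv2c_set_port_vlan(community, if_index, vlan, request_id=1):
    """SNMPv2c SetRequest with one varbind: vmVlan.<if_index> = <vlan>."""
    varbind = ber_seq(ber_oid(f"{VM_VLAN_OID}.{if_index}") + ber_int(vlan))
    pdu = tlv(0xA3,                      # SetRequest-PDU
              ber_int(request_id) + ber_int(0) + ber_int(0) + ber_seq(varbind))
    return ber_seq(ber_int(SNMP_V2C) + ber_octets(community.encode()) + pdu)


def wire_exposes_community(packet, community):
    """True when the write community is readable in the packet exactly as sent."""
    return packet.find(community.encode()) != -1


def send_to_switch(packet, switch_ip, timeout=2.0):
    """Send the SET to a switch and return the raw response (not called here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (switch_ip, 161))
        return sock.recv(1500)


if __name__ == "__main__":
    pkt = snmpv2c_set_port_vlan("private", if_index=10, vlan=300)
    print(pkt.hex())
    print("community visible in cleartext:", wire_exposes_community(pkt, "private"))
```

The point of `wire_exposes_community` is that with v1/v2c the read-write community travels in cleartext in every SET, so anyone who can capture the CAM-to-switch path, or guess the community, can issue the same SET and move a port out of the quarantine VLAN. Since the thread says v3 is supported for write, use an SNMPv3 user with authentication and privacy for the CAM's write access, restrict SNMP on the switch with an access list to the CAM's management address, and never reuse the read-only community as the write credential.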

Bronze

Re: ASK THE EXPERT – CONFIGURING AND TROUBLESHOOTING CISCO NAC

Hi Joe,

There are two ways we can do this. In the preconfigured AV list, we have the option for "Any" anti-virus vendor. You can select this option if the users will have AV applications that are included in the preconfigured AV list.

The second way of doing this is configuring custom checks for specific AV applications and then creating a rule which does a "logical OR" of all the checks. Hence what you'll do is create an individual check for each AV vendor. Then create a new rule. In the Rule Expression, you can put down all the checks that you've configured and then use the logical OR operand between the checks. With this, the NAC Appliance will give network access only if the user passes one of those checks.

2. There is a built-in check for whether the Windows Auto Update service is running or not. The check is called "pc_AutoUpdateCheck". You will see this under the Rules > Check List section.

warm regards

-Alok
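To make the rule logic above concrete (a logical OR of per-vendor AV checks, ANDed with the built-in pc_AutoUpdateCheck for the role), here is an added example that is not Cisco's code and not part of the thread: a small evaluator for rule expressions over named checks, run against one host's check results. It assumes the CAM rule grammar is `&` (AND), `|` (OR), `!` (NOT) and parentheses over check names, with `&` binding tighter than `|`; if in doubt about precedence in the real product, parenthesize, as the sample requirement does. All check names except pc_AutoUpdateCheck are made up, and the host results are constructed sample data, not agent output.

```python
"""Evaluate a Clean Access style rule expression against one host's check results.

Added example, not Cisco's code. Assumed grammar: '&' (AND), '|' (OR), '!' (NOT)
and parentheses over check names, with '&' binding tighter than '|'. All check
names except pc_AutoUpdateCheck (named in the thread) are made up, and the host
results are constructed sample data.
"""
import re

# One token per match: either a check name or a single operator/parenthesis.
_TOKEN = re.compile(r"\s*(?:([A-Za-z_][\w.-]*)|([&|!()]))")


def tokenize(expr):
    expr = expr.strip()
    pos, tokens = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: expr := term ('|' term)* ; term := factor ('&' factor)* ;
    factor := '!' factor | '(' expr ')' | CHECK_NAME."""

    def __init__(self, tokens, results):
        self.tokens, self.pos, self.results = tokens, 0, results

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == "|":
            self.take()
            rhs = self.term()          # no short-circuit: an unknown check on the
            value = value or rhs       # right-hand side still raises
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "&":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        tok = self.take()
        if tok == "!":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in ("&", "|", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        if tok not in self.results:
            # A check the agent never reported: fail closed rather than guess.
            raise KeyError(f"no result for check {tok!r}")
        return bool(self.results[tok])


def evaluate(expr, results):
    """True if the host's check results satisfy the rule expression."""
    parser = _Parser(tokenize(expr), results)
    value = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return value


# Joe's case: several AV vendors, one role. Constructed results for one host.
HOST_RESULTS = {
    "av_symantec_installed": False,
    "av_mcafee_installed": True,
    "av_trend_installed": False,
    "pc_AutoUpdateCheck": True,
}

# Logical OR of the per-vendor checks: any one installed AV product satisfies it.
AV_ANY_RULE = "av_symantec_installed | av_mcafee_installed | av_trend_installed"
# The role requirement ANDs that with the built-in Automatic Updates check.
ROLE_REQUIREMENT = f"({AV_ANY_RULE}) & pc_AutoUpdateCheck"


def host_is_compliant(results=HOST_RESULTS, requirement=ROLE_REQUIREMENT):
    return evaluate(requirement, results)


if __name__ == "__main__":
    print("compliant:", host_is_compliant())
```

Two design choices matter for a posture policy: the evaluator fails closed on a check name that has no result (a missing agent report must not count as a pass), and the OR does not short-circuit, so a typo in a later check name is caught on the first host rather than silently never evaluated.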
