Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Syed Ghayur how to configure the Network Admission Control appliance in different modes and troubleshoot the various configurations. Syed is a technical marketing engineer in the product marketing team for the Cisco Network Access Control (NAC) Appliance. He also works on global scalability of the product, documentation, partner training, and system engineer trainings. In addition, he works closely with the Cisco Technical Assistance Center (TAC) to resolve complex issues and product related bugs. Syed started his career in Cisco as an intern in CALO labs.
Remember to use the rating system to let Syed know if you have received an adequate response.
Syed might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 10, 2007. Visit this forum often to view responses to your questions and the questions of other community members.
I have successfully configured 2 x CAM appliances and 2 x CAS appliances in high availability. Everything is working fine apart from "Traffic Control". I have the following problem:
1. I have created a "Guest Role" under "Normal Login Role Type". I have tried to apply "IP Policies" to limit the guest user only to the internet (and deny access to network resources such as servers) but they don't work.
PROBLEM: When I click on the "Guest access" button on the web login page, the Guest user ends up having total access to the network & internet.
2. I have created a "Normal User Role" based on the "Normal Login Role Type". Basically, all users in this role should have full access to both network & internet but after being scanned using the CCA Agent.
PROBLEM: When a Normal User logs in through the web, he doesn't get scanned and goes directly to the network. I have made the CCA agent compulsory for Normal Users but it doesn't seem to be enforced.
- Users browse through a Squid web proxy on port 8080.
- I have done everything to the book/manual.
What am I doing wrong or right? How can I resolve the "Traffic Control" issues so as to give guests just internet and to give other users all rights but through CCA Agent.
How can I map Active Directory users to the "Normal User Role" based on the AD User Groups (Organizational Units/OU)?
I am using LDAP Auth Type connection to Windows AD 2K3.
Hi, I am new to Cisco NAC. I would like to know, for deploying a NAC solution, how many NAC appliances I need to buy.
What is the minimum license we get with the appliance, or do we have to buy the license separately?
For General Information on NAC, please visit
We have a chalktalk series on NAC on this site and I would recommend that you go through Chalktalk 1 (Cisco NAC Appliance Foundation Concepts), which will help you understand Cisco NAC.
Here is the ordering guide on NAC
You need a minimum of 1 Clean Access Server (CAS) and 1 Clean Access Manager (CAM) to test NAC in a lab environment.
As per my knowledge, NAC is a process / service that runs on IPS. And if that is the case with you, it depends on how many devices you want to control, which would determine the number of NAC you need.
Normally a single IPS with NAC running on it can control 10 interfaces on routers / switches (or PIX if using shun).
Let me know if this solves your query.
raju shrivastav (firstname.lastname@example.org)
Can you elaborate on your setup? L2 Virtual Gateway or L3 Real-IP Out-of-Band (there are more combinations, I am just listing 2 examples)?
This will help aid the troubleshooting effort.
As it is the weekend, you may not get another post, so if you have a chance check out the Chalk and Talk on the NAC appliance product page:
The NAC chalk and Talks are some of the best VoDs on the Cisco site!
My setup is: OOB+VG
From the Chalk-Talks, I have seen that OOB doesn't support traffic control using the ACLs.
Now that OOB can't support ACLs, I am planning to use VACLs on the core switch. My only challenge is dynamically assigning VLANs to user roles.
From the Auth Server(LDAP)->Mapping Rules, I have created a rule+condition to map users coming from Access VLAN 20 to a Role called "Guest Role". Under User Roles->Guest Role, I have configured the "*Out-of-Band User Role VLAN" as VLAN ID: 20.
When I test the Auth, the test user ends up in the "Auth Server->Default Role" Role, which is different from the Guest Role.
I would like to assign guests (created on Active Directory LDAP, not local users) to be thrown into a guest VLAN which doesn't have access to the servers. I will use the same scenario to map different users to different VLANs based on the 802.1q tags.
1. I am assuming this is an InBand setup. Couple of things to check here:
a. Make sure the user is logged into the Guest Role
b. If you have restricted only IP policies for the Guest Role, you should check host policies too. Those policies might be allowing the traffic
c. Sometimes, the traffic is not actually passing through the CAS. The way to verify is to block all the traffic in the Guest Role and then test the end user.
2. Under Device Management > Clean Access > General Setup > Agent Login, select "Windows ALL" for operating system and then check the box stating
"Use 'ALL' settings for the WINDOWS OS family if no version-specific settings are specified".
This will fix your Agent requirement for Normal users.
3. You can use role mapping to put the user in a specific ROLE according to the ldap attribute. Please see the link below for the chalk talk 8 on this subject.
Let me know if this helps,
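The role-mapping behaviour discussed in this reply (and the earlier question about mapping AD users to roles by OU or group) can be reasoned about with a small model. The following Python is an added example, not code from this thread or from the Cisco NAC Appliance: it models a mapping rule as a set of AND-ed conditions on LDAP attributes plus a pseudo-attribute for the OOB source VLAN, with a fall-through to the auth server's default role. The attribute names, the operator set ("equals", "contains", "ends_with"), the role names and the sample directory entries are all constructed assumptions for illustration.

```python
# Added example (not from the thread, not Cisco code): a minimal model of how
# an auth-server mapping rule selects a user role from LDAP attributes and,
# for OOB deployments, the source VLAN. Attribute names, operator names and the
# sample entries below are assumptions made for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attr: str   # LDAP attribute name, or the pseudo-attribute "sourceVlan"
    op: str     # "equals", "contains" or "ends_with" (assumed operator set)
    value: str


@dataclass(frozen=True)
class MappingRule:
    role: str
    conditions: tuple  # every condition must hold (AND) for the rule to fire


def _values(entry, attr):
    """Return an attribute's values as a list; LDAP attributes may be multi-valued."""
    v = entry.get(attr, [])
    return list(v) if isinstance(v, (list, tuple)) else [v]


def condition_matches(cond, entry):
    """True if any value of the attribute satisfies the condition (case-insensitive)."""
    want = cond.value.lower()
    for raw in _values(entry, cond.attr):
        have = str(raw).lower()
        if cond.op == "equals" and have == want:
            return True
        if cond.op == "contains" and want in have:
            return True
        if cond.op == "ends_with" and have.endswith(want):
            return True
    return False


def map_role(entry, rules, default_role):
    """First rule whose conditions all match wins; otherwise the default role."""
    for rule in rules:
        if all(condition_matches(c, entry) for c in rule.conditions):
            return rule.role
    return default_role


def ou_path(dn):
    """OU components of a DN, innermost first: an OU is visible only in the DN."""
    parts = [p.strip() for p in dn.split(",")]
    return [p.split("=", 1)[1] for p in parts if p.upper().startswith("OU=")]


# Constructed sample entries, shaped like what an AD LDAP bind would return.
GUEST = {
    "sAMAccountName": "gvisitor",
    "distinguishedName": "CN=Guest Visitor,OU=Guests,OU=Users,DC=example,DC=com",
    "memberOf": ["CN=Internet-Only,OU=Groups,DC=example,DC=com"],
    "sourceVlan": "20",
}
STAFF = {
    "sAMAccountName": "jdoe",
    "distinguishedName": "CN=Jane Doe,OU=Staff,OU=Users,DC=example,DC=com",
    "memberOf": [
        "CN=Domain Users,CN=Users,DC=example,DC=com",
        "CN=NAC-Normal-Users,OU=Groups,DC=example,DC=com",
    ],
    "sourceVlan": "30",
}

# Rules in evaluation order: a source-VLAN rule for guests, a group rule for staff.
RULES = (
    MappingRule("Guest Role", (Condition("sourceVlan", "equals", "20"),)),
    MappingRule("Normal User Role",
                (Condition("memberOf", "contains", "CN=NAC-Normal-Users,"),)),
)

# A rule that looks for an OU inside memberOf never fires: the OU is part of the
# user's DN, not a group. Matching on distinguishedName does what was intended.
BROKEN_OU_RULE = (
    MappingRule("Guest Role", (Condition("memberOf", "contains", "OU=Guests"),)),
)
WORKING_OU_RULE = (
    MappingRule("Guest Role",
                (Condition("distinguishedName", "contains", "OU=Guests,"),)),
)

if __name__ == "__main__":
    default = "Unauthenticated Role"
    print("guest ->", map_role(GUEST, RULES, default))
    print("staff ->", map_role(STAFF, RULES, default))
    print("guest, OU rule on memberOf ->", map_role(GUEST, BROKEN_OU_RULE, default))
    print("guest, OU rule on DN ->", map_role(GUEST, WORKING_OU_RULE, default))
    print("guest OUs:", ou_path(GUEST["distinguishedName"]))
```

The practical check this illustrates: when a test user lands in the auth server's default role, no rule had all of its conditions satisfied, so compare the exact attribute name and value the directory returns (DN for an OU, memberOf for a group) against what the condition expects before looking anywhere else.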
My set up is OOB+VG.
I managed to resolve the Agent requirement. I saw in the chalk talks that OOB doesn't support ACLs in Normal Login Mode.
Packet received with my own MAC address (00:0A:B8:B0:6D:3F) as source on port Gi3/24 in vlan 230
I receive the above warning in my setup (OOB+VG). Gi3/24 is the untrusted interface on the CAS and VLAN 230 is the Auth/Untrusted vlan for VLAN 30 (trusted). According to this link
It seems I have a Spanning tree loop.
I have configured VLAN Mapping & Subnet Management for VLAN30/230. I still don't know why it says there is a loop. Users on VLAN 30 get an error "Could not parse server response" from the Cisco Clean Access Agent. Users on other VLANs connect well. What could be the problem?
This is only a warning message. You are not subject to a spanning tree loop. It is OK to have the same MAC address learned on two different ports as long as the ports are in different VLANs.
Can you check the certificate on the CAS for the other problem you reported on the Agent. If you are using Name in the certificate for the CAS, it should be resolvable by DNS.
See the picture I have attached for the error message I am getting. It only happens on some machines in the network, as others are authenticating well. The same machines that are failing can ping the CAS service IP, so I am wondering why they can't communicate with the CAS. I am using the IP address for the certificate.
Another pending issue is that I can't create "Source VLAN Role mappings" using the Active Directory LDAP Auth Server. LDAP Attribute role mappings are working though. My setup still remains OOB+VG.
If I sort out these 2 issues, then I can say my NAC deployment is good to go.
For the first issue,
Please turn on the agent debug. See the link below for the steps to enable the debugging.
Send me the agent logs from the machine which is having the problem. Also, make sure that the Managed subnet is configured correctly for the unauth vlan.
For the second issue, Can you go through this link
See the attached events.log file. I tried to have a look but it doesn't make sense to me.
For the second issue, I had gone through that tech note but still couldn't create the auth mappings.
Sorry for not responding early. I missed the notification on your response. I have gone through the logs but the debug level is NOT turned on which will help me narrow down the issue.
Can you confirm that the registry key is created under
HKEY_CURRENT_USER\Software\Cisco\Clean Access Agent\
Also, you have to exit out of the agent from the system tray and restart the agent after enabling the key. Here is the link with all the info on the log level of the CCA agent.
The event logs are encrypted. They are only used when troubleshooting with TAC. The logs are showing that the SSL communication with the CAS is broken. We are not receiving the HTTPS response from the CAS. The issue could be attributed to network connectivity, OR you can also clear the SSL state (Tools > Options > Content) on the client machine and try to log on again.
I will try and clear the SSL state and get back to you. I have seen this link and I hope it is what you mean.
Like I had told you, the client machines can actually ping the CAS, so I don't think it is a network issue, not unless it is intermittent. The funny thing is that, for example on my laptop, I can log in when in one VLAN (e.g. VLAN20) but when I connect the laptop specifically on VLAN30, I get the error ... strange. But still, some laptops on the same VLAN30 can connect without a problem.
I am hoping you will be around after 10th :o)
One more thing to check is whether you can communicate to the DNS server on the machine where you are seeing this issue.
Have a look at this post to see the configs on the switches.
I have configured a PIX 506 for remote VPN. Everything is OK, but when I try to connect the client I am not able to access anything, neither internet nor the remote server. But I am getting an IP from the PIX.
This forum is specifically on Cisco NAC. Please post your question on Pix/ASA security forum.
From your problem description, it looks like you are missing the appropriate NAT 0 statement.
My company is looking to implement the ASA 5500 UTM appliance, along with the MARS and CSA appliance and software. My question is as follows. We currently have the PIX 515E in place; would we need to deploy the ASA 5500 UTM for MARS and CSA to function correctly or for them to perform adequately?
This forum is on Cisco NAC. I would recommend that you post this question to the ASA forum or visit www.cisco.com/go/ASA
I am using CCA (single CAS/CAM) in Inband VG mode. The CAS has the two interfaces attached to a 3560, and the CAM has its interface to the 3560. Two 3560s are used in high availability using HSRP. Everything seems to work OK, but the browser page is not displayed to download the CAA when I open the explorer, so I installed the CAA manually.
The evaluation installation worked well when I tested it in NAT VG Inband.
Worse than that, when the CAA is updated to 220.127.116.11 (update mandatory is set), it is downloaded and tries to install the update, but this is not completed (an error telling that the version CCAAgent18.104.22.168 is not found in a temporary directory).
Thank you very much.
Couple of things to check.
1. Do you have admin rights on the end user machine ?
2. If you uninstall 4.1.1 agent and try to download the 4.1.2 from CAM, does it work?
I have already done two installations with NAC 4.0.1. Everything works fine. I have upgraded them to NAC 4.1.1 and there is no problem at all.
I am trying to install another NAC appliance with 4.1.1 and this time I am facing the problem in the page redirection itself. The page redirection doesn't happen.
Is there any special thing that needs to be configured for NAC 4.1.1?
What type of deployment is it? IB/OB, L2/L3. Also, was the CAS certificate generated with the IP or the CAS name? If it was generated with the name, you should be able to resolve the name on the end user machine. For that you have to make sure that DNS traffic is allowed in the Unauthenticated Role.
1) Yes, I have admin rights on the user machine.
2) I uninstalled the 4.1.1 agent and the redirection page does not happen. I installed the 4.1.2 Agent manually.