Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on the new Cisco NAC Guest Server which works with either Cisco NAC Appliance or Cisco wireless LAN controllers to manage the entire lifecycle of guest access with Cisco expert Syed Ghayur. Syed is a technical marketing engineer in the product marketing team for the Cisco Network Access Control (NAC) Appliance. He also works on global scalability of the product, documentation, partner training, and system engineer trainings. In addition, he works closely with the Cisco Technical Assistance Center (TAC) to resolve complex issues and product related bugs. Early this year, he joined the Security Technology Group (STG) as technical marketing engineer for NAC Appliance.
Remember to use the rating system to let Syed know if you have received an adequate response.
Syed might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 25, 2008. Visit this forum often to view responses to your questions and the questions of other community members.
I am trying to generate a list of users from our RADIUS primary server. The steps I have are:
net stop csauth
Type cd\ and press enter
Type cd program*\cisco*\utils and press enter
Type csutil -u
net start csauth
The csutil -u command is not generating the users.txt file that I need. Do you have any suggestions on what I can do to get this file?
All I get back is a prompt:
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -u
CSUtil v3.0(3.6), Copyright 1997-2002, Cisco Systems Inc
C:\Program Files\CiscoSecure ACS v3.0\Utils>
I have a Cisco 2821 router ready to be connected to a Siemens OTLE8 NT 4x2 Mbit/s Optical network termination Series at both ends of a leased line. Could you please tell me which is the right card I should use?
Could you please explain the difference:
VWIC2-2MFT-G703= Port 2nd Gen Multiflex Trunk Voice/WAN Int. Card - G.7032
HWIC-1CE1T1-PRI= port channelized T1/E1 and PRI HWIC
I have NAC 3310 CAM & CAS installed and configured. I am trying to test one PC with the agent and am getting the error "Login failed! OOB can not find MAC address contact network administrator". I checked the SNMP configs on the edge and core switches and they look fine. The SNMP community strings are also the same on the CAM and the switches.
Please let me know in case you have come across such a situation...
"Login failed! OOB can not find MAC address contact network administrator".
The SNMP MAC notification is not reaching the CAM. Please check the SNMP trap config on the switch and the corresponding SNMP receiver configuration on the CAM.
To verify, the MAC address of the client machine should appear under
Switch Management > Devices > Discovered Clients
Thanks for the reply; I did the same and it worked. The SNMP receiver config needs to be the RW community string; I had kept it RO earlier.
Now the MAC address is showing in Discovered Clients and the certified list.
I am using OOB VG for the NAC implementation, integrated with AD. I want to apply requirements per Active Directory OU. Currently, if I apply any requirement it applies to everyone in AD. How can I apply it to a group of users?
E.g. if I want to apply a Games check for the finance group and a Google Earth rule for sales.
Please see the link below for role mapping with LDAP.
If you are using ADSSO, then you need to do a similar setting with LDAP lookup:
-- When the user logs in, he will be mapped to a different ROLE based on LDAP role mapping. Each role will be linked to a different requirement.
I have a question: when I use web login to NAC, the switch VLAN changes to the role-based VLAN, but if I use CCA to log in, I can see in the CAM online user log that the current user is in the access VLAN, while the switch VLAN is still the auth VLAN. What should I look at?
You need to check the Clean Access Agent default VLAN option in the CAM; you must have selected the unauthenticated role. And when using web login to NAC, after successful authentication, what is the switch VLAN status for that port?
After a successful web login, the switch port VLAN changes to the role-based VLAN (access VLAN), but with the CCA agent it stays in the auth VLAN. In the CAM online log, both show the online user in access VLAN status and also in the authenticated role.
You might have overlooked the Managed Subnet setting. If it is misconfigured (or not configured), the user doesn't get into the CDL (you do see him in the OUL though) and the VLAN is not changed after the user logs in.
My name is P. Nagpal. I am a Cisco Partner at Jaipur.
One of my customers wants to set up a wireless network between two buildings.
The distance between these buildings is 600 m.
So please suggest which product will fulfill the customer's requirement.
I have a CAM integrated with AD (Active Directory) as an external database. Local users have limited access controlled by AD, and they can't run any executable file ("company's policy").
Here is the disaster: I have enabled the Windows update rule on the CAM, but users aren't able to install the Windows updates whenever required because of the privilege limitation. CAS/CAM require administrative privilege to execute the files, and this violates the company's policy and is an unacceptable solution as well.
Microsoft doesn't have a solution for such a case, to assign administrative privilege only to execute specific files.
What's the best visible way to settle this issue from Cisco's perspective?
Hi Syed, can you please tell me what the advantage of using the NAC Appliance is when we also have the NAC Framework, which has the same capabilities and is a much cheaper solution?
Can you please provide any document that specifies the benefits of the NAC Appliance as compared to the NAC Framework?
Sorry for not responding earlier. This forum is for NAC Guest Server. Please send me a request offline and we can discuss the advantages of NAC Appliance.
Look at the Stub agent option we have for these issues.
Hi there. We have a client here that is using BBSM and wants to migrate to NAC Guest Server. My questions are:
1. Can NAC Guest Server provide hourly-based restrictions just like BBSM (Access Codes)?
2. Can NAC Guest Server provide billing just like BBSM?
3. Is there a way a guest user can auto-provision itself?
I am a Helpdesk Tech and a Cisco Academy student. I have users that sometimes are asked to provide account credentials while connected to our network over the VPN. They are using VPN client 4.8. Why is this?
I assume that you are doing VPN SSO with NAC. We accomplish VPN SSO with NAC via a RADIUS accounting packet. When the user connects via VPN successfully to the ASA (or VPN concentrator), the ASA generates a RADIUS accounting start packet and sends it across to the NAC server.
You can check the entry on the CAM by going to
Device Management > Clean Access Servers > X.X.X.X > Authentication ... VPN Auth > Active Clients
First you have to verify that the entry for the user exists in the active client list with the client-assigned IP address.
If your students are using the AnyConnect client, then you should check out this bug: CSCsi75507.
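As an added illustration of the VPN SSO mechanism described in the reply above (not part of the original thread and not Cisco's code): a Python decoder for a captured RADIUS accounting packet that checks it is an Accounting-Request with Acct-Status-Type Start and carries a user name and client IP. Treating Framed-IP-Address as the attribute that supplies the client-assigned IP is an assumption, and the sample packet (user jdoe, 10.10.20.5, zeroed authenticator) is constructed.

```python
import socket
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST, ACCT_START = 4, 1
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40

def parse_accounting(packet: bytes) -> dict:
    """Decode one RADIUS packet and report the fields VPN SSO depends on."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured data")
    attrs, pos = {}, 20
    while pos < length:  # attributes are type(1) | length(1) | value
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    status = attrs.get(ACCT_STATUS_TYPE, b"")
    is_start = (code == ACCOUNTING_REQUEST and len(status) == 4
                and struct.unpack("!I", status)[0] == ACCT_START)
    ip = attrs.get(FRAMED_IP, b"")
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace") or None
    client_ip = socket.inet_ntoa(ip) if len(ip) == 4 else None
    # Assumption: SSO needs a Start record with both a user name and a client IP.
    return {"is_start": is_start, "user": user, "client_ip": client_ip,
            "sso_ready": bool(is_start and user and client_ip)}

def build_sample(with_ip: bool = True) -> bytes:
    """Constructed sample packet; the authenticator is zeroed, not computed."""
    def attr(atype: int, value: bytes) -> bytes:
        return bytes([atype, len(value) + 2]) + value
    body = attr(USER_NAME, b"jdoe")
    body += attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
    if with_ip:
        body += attr(FRAMED_IP, socket.inet_aton("10.10.20.5"))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body))
    return header + bytes(16) + body

if __name__ == "__main__":
    print(parse_accounting(build_sample()))
    print(parse_accounting(build_sample(with_ip=False)))
```

A packet that decodes with `sso_ready` false (for example, no client IP attribute) is one reason a VPN user could be missing from the Active Clients list and be prompted for credentials again.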
I'm trying to get the NAC Appliance to manage a 4507 for a POC. The 4507 is "managed" by the NAC and it shows when the port is up and down via the web, but it never changes the VLAN membership (even to the AUTH VLAN). I suspect this is an SNMP write issue on the switch, but all the configs look good. Any suggestions?