11-28-2005 08:53 AM - edited 03-03-2019 12:56 AM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Reza Malekzadeh about Network Admission Control (NAC) which uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. Reza Malekzadeh is a product marketing manager for the Security Technology Group at Cisco Systems, focused on the Network Admission Control (NAC) initiative. Prior to joining Cisco, Mr. Malekzadeh was the co-founder of Twingo Systems, a provider of secure desktop solutions for untrusted computers. Twingo Systems was acquired by Cisco in 2004.
Remember to use the rating system to let Reza know if you have received an adequate response.
Reza might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 9, 2005. Visit this forum often to view responses to your questions and the questions of other community members.
11-29-2005 11:01 PM
Hi,
I have been working on NAC for the last two months. The design phase is already complete. Now I'm testing my configuration. I used the following resources:
www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf
http://www.cisco.com/en/US/netsol/ns617/networking_solutions_white_paper0900aecd80234ef4.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_book09186a00802335e2.html
Ok! I hope it will help. Good luck!
11-30-2005 06:29 AM
Hello,
CTA can be downloaded from the Cisco website at http://www.cisco.com/cgi-bin/tablebuild.pl/cta
Also, we are in the process of finishing up a NAC Deployment guide that will go into the details of configurations and deployment. It should be available in a few weeks on our site at http://www.cisco.com/go/nac.
regards
reza
11-29-2005 11:30 PM
Hi,
I'm working on NAC I, and I plan to implement NAC II right after NAC I is finished. But I have two concerns.
1. I have configured ACS v3.3 on a Windows 2000 server. The ACS should check the Cisco Secure database or a Windows database (Active Directory) to authenticate users. I have enabled PEAP and EAP-TLS on the ACS, with a self-signed certificate. The certificate was successfully imported on the client (Windows XP Pro SP2) while installing Cisco Trust Agent v1.0.55. I have also enabled machine authentication with PEAP and EAP-TLS. But I still get the following error: "Auth type not supported by External DB". I would like some suggestions to fix that problem. I have attached the failed attempts log.
2. I would like to know how NAC I and NAC II fit together. Which directive can I follow to implement NAC II when NAC I is already working?
Regards.
11-30-2005 07:08 AM
Hello,
It appears that you might be having a separate issue from NAC with this error message. With NAC phase one, any user and/or machine authentication will be a completely separate operation from the actual NACing of the client. It appears that you have ACS set up for doing machine/user auth with certificates (EAP-TLS) and that your AD infrastructure does not do certs, but only AD credentials (EAP-MSCHAPv2). AD credentials are those long crypto numbers AD assigns to machines and users when they become members of an AD domain. This is probably an ACS config issue but not NAC related... I think.
For the second question, NAC2 expands the list of supported Network Access Devices by implementing NAC in our Catalyst switches and wireless solutions. NAC2 can tie into your 802.1x deployment if you have one and do NAC at Layer 2 on the switch ports and wireless APs.
regards
reza
12-06-2005 01:16 AM
I have verified that AD supports EAP-TLS authentication.
Does it make sense to try to import the certificate that is installed on the ACS to the domain controller, assuming that EAP-TLS requires the installation of the same certificate on each of the machines involved in the authentication process?
Regards,
Stan.
12-06-2005 10:41 AM
Yes, you can try that. If that fails, please try to contact your Cisco sales engineer to put you in touch with an ACS specific guru. thanks.
reza
11-30-2005 12:49 AM
Hello,
We are busy implementing NAC phase two. Does this work with ACS 3.3 or do we need to upgrade to 4? We are using 802.1x wired clients with CTA 2.0 to make things work with 2950 switches. It seems however that the CTA is not sending any data to our ACS. If an upgrade of ACS is needed I understand this; otherwise, what could be the problem? We have level 15 logging on the CTA 2.0. The log files don't say much to me. The only error that I see now and then is:
"Failed to open Registry Key, error code 13"
Kind regards,
Rutger
11-30-2005 06:33 AM
Yes, for NAC 2, you will need to upgrade to ACS 4.0.
regards
reza
11-30-2005 08:39 AM
- Is there also an ACS 4.0 (final, eval?) download already available?
- Where can I find the Trend Micro AVP file for ACS 4.0? At the Trend Micro website I can't find it. I use the following file (got it from the BETA ACS 4.0 documentation). The values don't appear in the ACS server log file :(. On the new CTA 2.0.30 I can see in the log that the information is sent to the ACS.
[attr#0]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00001
attribute-name=Application-Posture-Token
attribute-profile=out
attribute-type=unsigned integer
[attr#1]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00002
attribute-name=System-Posture-Token
attribute-profile=out
attribute-type=unsigned integer
[attr#2]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00003
attribute-name=Software-Name
attribute-profile=in out
attribute-type=string
[attr#3]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00004
attribute-name=Software-ID
attribute-profile=in out
attribute-type=unsigned integer
[attr#4]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00005
attribute-name=Software-Version
attribute-profile=in out
attribute-type=version
[attr#5]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00006
attribute-name=Scan-Engine-Version
attribute-profile=in out
attribute-type=version
[attr#6]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00007
attribute-name=Dat-Version
attribute-profile=in out
attribute-type=version
[attr#7]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00008
attribute-name=Dat-Date
attribute-profile=in out
attribute-type=date
[attr#8]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00009
attribute-name=Protection-Enabled
attribute-profile=in out
attribute-type=unsigned integer
[attr#9]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00010
attribute-name=Action
attribute-profile=out
attribute-type=string
11-30-2005 01:04 PM
ACS 4.0 is shipping as of yesterday. The full version is available through Cisco Sales. It is not yet available in eval version but should be posted on our website soon.
For the Trend Micro file, you will need to contact Trend Micro directly.
regards
reza
11-30-2005 11:58 AM
I have a VPN 3005 concentrator running 4.7 code with ACS 4.0 as the RADIUS server, performing NAC with a test client running CTA 2.0 and Cisco VPN client 4.7. I had this working under ACS 3.3/CTA 1.0, but with the new Network Access Profiles in ACS 4.0 I am having some difficulty with the Downloadable ACLs. I am using a group/password (preshared key) to connect to the IPSec session, followed by Windows Database authentication. This is working, as well as the Posture Validation, which is checking Cisco:PA:PA-Version > 2.0.0.0. What I am encountering is that the Windows authentication occurs separately from the Posture Validation, so I am essentially running through the Network Access Profiles twice and being assigned a different Downloadable ACL each time. The effect is that I cannot apply an ACL to a Group without it being overwritten by the ACL assigned to the Posture event. Is there a way to merge the events so that I can assign the ACL by a combination of Group and SPT?
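Two of the posts above touch the same mechanics: the Trend Micro attribute file whose values never showed up in the ACS log, and the posture rule `Cisco:PA:PA-Version > 2.0.0.0` on the VPN 3005. The following is an added example, not Cisco, ACS or Trend Micro code. It parses an attribute definition file in the `[attr#N]` format quoted earlier, reports the defects that would stop ACS from loading the attributes (missing keys, unknown types, bad profiles, duplicate or non-numeric ids), and evaluates an ACS-style rule against a posture report, comparing `version` values numerically so that `10.0.0.0` is correctly greater than `2.0.0.0`. The sample file and the posture report are constructed for the example; the required key set and the type names are assumed from the quoted file rather than taken from the documented ACS schema, and the `Vendor:Application:Attribute` report keys mirror the ACS rule notation.

```python
# Added example, not Cisco/ACS/Trend Micro code: parse an ACS posture attribute
# file in the [attr#N] format quoted above, flag defects that would make ACS
# ignore it, and evaluate an ACS-style rule (Vendor:App:Attribute op value).
import re
from datetime import date
from operator import eq, ge, gt, le, lt, ne

# Constructed sample in the format of the file posted in the thread.
SAMPLE_ATTR_FILE = """\
[attr#0]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00005
attribute-name=Software-Version
attribute-profile=in out
attribute-type=version
[attr#1]
vendor-id=6101
vendor-name=Trend
application-id=3
application-name=AV
attribute-id=00008
attribute-name=Dat-Date
attribute-profile=in out
attribute-type=date
"""
# Constructed posture report, keyed the way ACS rules name attributes.
SAMPLE_REPORT = {"Trend:AV:Software-Version": "7.3.0.1234",
                 "Trend:AV:Dat-Date": "2005-11-28"}
# Key set and type names are assumed from the quoted file, not the ACS schema.
REQUIRED_KEYS = {"vendor-id", "vendor-name", "application-id", "application-name",
                 "attribute-id", "attribute-name", "attribute-profile", "attribute-type"}
KNOWN_TYPES = {"unsigned integer", "string", "version", "date"}
HEADER_RE = re.compile(r"^\[attr#\d+\]$")
OPS = {">=": ge, "<=": le, "!=": ne, "=": eq, ">": gt, "<": lt}

def parse_attr_file(text):
    """Return one dict per [attr#N] section; reject lines that fit neither form."""
    attrs, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if HEADER_RE.match(line):
            current = {}
            attrs.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
        else:
            raise ValueError(f"line {lineno}: expected [attr#N] or key=value, got {line!r}")
    return attrs

def validate(attrs):
    """Return a list of problems; an empty list means the file looks loadable."""
    problems, seen = [], set()
    for i, a in enumerate(attrs):
        missing = REQUIRED_KEYS - set(a)
        if missing:
            problems.append(f"attr#{i}: missing keys {sorted(missing)}")
            continue
        if a["attribute-type"] not in KNOWN_TYPES:
            problems.append(f"attr#{i}: unknown attribute-type {a['attribute-type']!r}")
        if not set(a["attribute-profile"].split()) <= {"in", "out"}:
            problems.append(f"attr#{i}: attribute-profile must be 'in', 'out' or 'in out'")
        ident = (a["vendor-id"], a["application-id"], a["attribute-id"].lstrip("0"))
        if not all(x.isdigit() for x in ident[:2] + (a["attribute-id"],)):
            problems.append(f"attr#{i}: vendor-id, application-id and attribute-id must be numeric")
        elif ident in seen:
            problems.append(f"attr#{i}: duplicate attribute-id {a['attribute-id']}")
        seen.add(ident)
    return problems

def parse_version(text):
    """'10.0.0.0' -> (10, 0, 0, 0): tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.split("."))

def coerce(value, attr_type):
    """Convert a reported or rule value according to its declared type."""
    if attr_type == "unsigned integer":
        return int(value)
    if attr_type == "version":
        return parse_version(value)
    if attr_type == "date":
        return date.fromisoformat(value)
    return value  # string

def evaluate_rule(attrs, report, rule):
    """Evaluate e.g. 'Trend:AV:Software-Version >= 7.0.0.0' against a report."""
    name, op, wanted = rule.split()
    types = {f"{a['vendor-name']}:{a['application-name']}:{a['attribute-name']}":
             a["attribute-type"] for a in attrs}
    if name not in types:
        raise KeyError(f"{name} is not defined in the attribute file")
    if name not in report:
        return False  # not reported by the client: treat as non-compliant
    return OPS[op](coerce(report[name], types[name]), coerce(wanted, types[name]))
```

Running `validate(parse_attr_file(...))` over a candidate file before loading it into ACS is the check that distinguishes "the client never sent the values" from "ACS could not match what was sent": an attribute that is not defined raises `KeyError` in `evaluate_rule`, while a defined attribute missing from the report simply fails the rule. The `version` type is parsed into an integer tuple on purpose; comparing the raw strings would rank `10.0.0.0` below `2.0.0.0`.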
12-05-2005 09:35 AM
Hello,
In theory, the NAC ACL will override the user ACL. The folks in the VPN3K team indicated that this has been the behavior since the introduction of the 4.7 code. I think you are hitting a bug that we would need to try to reproduce. Can you please open a case with Cisco TAC?
regards
reza
12-06-2005 06:01 AM
Good morning Reza Malekzadeh,
I have a very simple question. What would you recommend, or what is today's most secure way of accessing devices such as routers and switches to be able to manage them?
By using Telnet? SSH? TACACS?
Is SNMP with CiscoWorks safe? Should we be using something other than SNMP for management through CiscoWorks?
Many thanks for your quick response.
12-08-2005 07:58 AM
Tricky question :) - It will depend on your setup and how much you trust the network to your access device. Obviously, SSH is much preferred over Telnet. I believe SNMP with CiscoWorks is safe.
hope this helps.
reza
08-03-2010 12:09 PM
Hi,
Just encountered this problem: when we tried to replicate the GUEST server, we received the message "An error occurred while configuring replication".
The application logs show the following:
2010-08-03 07:51:12 CDT LOG +-------------------------------------
2010-08-03 07:51:12 CDT LOG twin 1.2 starting up...
2010-08-03 07:51:12 CDT LOG log mode is 0
2010-08-03 07:51:12 CDT LOG local port=5432
2010-08-03 07:51:12 CDT LOG local database=gapdb
2010-08-03 07:51:12 CDT LOG log_table_max_size=1000
2010-08-03 07:51:12 CDT LOG sleeptime=1000
2010-08-03 07:51:12 CDT LOG use_timestamps=f
2010-08-03 07:51:12 CDT LOG done
2010-08-03 07:51:12 CDT LOG local config status is 0
2010-08-03 07:51:12 CDT FATAL application has not yet configured twin
2010-08-03 07:51:12 CDT LOG shutting down...
2010-08-03 07:51:12 CDT LOG shutdown complete
Also, I could not find what "twin" is or how to configure it.
Any help will be appreciated
- Angela Yan