Cisco Support Community
Community Member

NAC issue

NAC policy is being enforced on a Cisco switch. If a non-Cisco switch is connected to that Cisco switch, can NAC policy be implemented on the non-Cisco switch?

7 REPLIES
Gold

Re: NAC issue

Need more info, please.

In-band? Out-of-band? NAC appliance?

Community Member

Re: NAC issue

Hello,

I am using a NAC Appliance 3310 Server (max 500 users) and a NAC Appliance 3310 Manager (max 3 Servers) in in-band mode.

Community Member

Re: NAC issue

You can do that only if you are deploying NAC in in-band mode. You cannot enforce policies on non-Cisco switches in out-of-band mode.

So if NAC is deployed in in-band mode, your answer is yes.

If NAC is deployed in out-of-band mode, your answer is no.

Community Member

Re: NAC issue

Then assume I have a Linksys, 3Com, peabirdp or HP ProCurve switch: how can I configure those switches for SNMP mac-notification and link down for the switch to alert the NAS?

Community Member

Re: NAC issue

SNMP mac-notification and link up/down are used only in out-of-band.

For non-Cisco switches you MUST go for in-band. The idea is to force all the traffic coming from these switches to go through the NAC server. At all times (before and after being trusted), all the traffic will go through the NAC server.

You also have to note that a NAC server box can work either in in-band mode OR out-of-band, but not the 2 at the same time. So you have to either go for in-band for all your traffic coming from all your switches, or use 2 different NAC servers: 1 which will be configured in in-band mode (for your non-Cisco switches), and another one which will be configured in out-of-band mode (for your Cisco switches).

You can find a step-by-step guide on how to configure NAC in in-band mode here: http://tools.cisco.com/cmn/jsp/index.jsp?id=55785

Community Member

Re: NAC issue

Dear Sir,

We have Cisco NAC installed on our network and found out that when in-band, the access speed is half that of the out-of-band speed.
Could you please enlighten us on this issue as to why this is happening? Is there any solution to this problem?

Thanks and Regards,

Re: NAC issue

Liyas,

In in-band mode all your traffic from all your clients is going through the CAS so CAS can become a choke-point. With OOB setups, the initial traffic goes through the CAS and after authentication/posture you are moved to the core network directly.

HTH,

Faisal
