Cisco Support Community
Community Member

NAC quick question

Hi, just trying to confirm the behavior of a NAC solution without High Availability.

I believe that if there's no High Availability configured:

1. If the CAM fails (CAS and CAM are no longer able to communicate), all new connections will be denied, but users already certified will be allowed into the network.

2. If the CAS fails in in-band mode: all user traffic will be dropped, as well as new connections.

3. If the CAS fails in out-of-band mode: new connections will not be possible, but certified users will still have access.

Can someone tell me if this is correct?

Thanks and regards,

Accepted Solutions
Cisco Employee

Re: NAC quick question

Hi there -

Let me see if I can help you:

1 - In general, yes.

2 - Yes - the CAS in-band is a network device that all traffic flows through.

3 - Yes - in out-of-band mode, the CAM and CAS change the VLANs as users enter/leave the network. If the CAM/CAS is unavailable, no VLAN changes can occur. So ports remain on the VLAN they are currently on.

Please let me know if you have follow-up questions.

peter

Community Member

Re: NAC quick question

1 - This depends on your fallback configuration. You have 3 modes:

* Ignore: already trusted users still have access to the network, new users are blocked. (This is the default behavior; if you don't change this setting, new users will be blocked.)

* Allow All: already trusted users and new users are all allowed to access the network.

* Block All: all users (trusted and non-trusted) are blocked. (I believe this applies only in in-band mode; in out-of-band it should behave like the Ignore mode.)

To change this setting, go to Device Management --> CCA Servers --> Manage --> Filter --> Fallback
