topic Re: NAC Switch Configuration in Network Security

NAC Switch Configuration

mamaral — Fri, 21 Feb 2020 12:09:51 GMT

Hi!!

I have bought an NAC Server and a Nac Manager, to manage centraly the vlan where the users connect to based on the authentication.

I have several sites, but the NAC server will be in the headquarters.

When a remote user authenticates, the nac should configure the user switch port for the right vlan.

Is this an out-of-band solution?

Do i need an specific license for out-of-band?

Best Regard's,

Miguel Amaral

Re: NAC Switch Configuration

Eduardo Aliaga — Fri, 19 Nov 2010 17:41:02 GMT

Hello. You don't need an specific license for out-of-band. You just configure you NAC Manager to tell each NAC server to work as out-of-band or as in-band.

About your scenario, it seems logical to use out-of-band, but take into account that when the user is authenticating and remediating the traffic will always go through NAC Server (no matter if you have chosen out-of-band or in-band). The term "out-of-band" applies only after the user was authenticated and the pc was remediated. Then (and only then) the traffic of that user won't go through NAC server. Hope that helps

Re: NAC Switch Configuration

mamaral — Tue, 07 Dec 2010 13:40:22 GMT

Hi !

Tkx for the reply.

I still have an problem. When i try to add an NAC server, i do not have the option of out-of-band.

Do you have any hint (i'm using version 4.8).

regards,

Miguel

Re: NAC Switch Configuration

Tiago Antunes — Tue, 07 Dec 2010 13:53:00 GMT

Hi,

You need to have an Out of Band license in order to be able to use Out of band features and add the Clean Access Servers as Out-of-band servers.

Without OOB license you will also not have the device administration menu on the left side of the GUI.

This is needed to configure the switches for OOB.

HTH,
Tiago

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Re: NAC Switch Configuration

Eduardo Aliaga — Tue, 07 Dec 2010 14:34:55 GMT

Hello Tiago

In very old version there were specific out-of-band and in-band licenses. But in new versions you don't need an specific Out-of-band license

http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/license.html

I just installed version 4.8. As I mentioned before, my licenses let me choose inband or out-of-band behavior (but not both simultaneously for a single NAC server).

You just go to "Device Management> Clean Access Servers" click en New Server . There you type the IP address and you choose Server Type from a drop-down list. You have to choose "Out-of-band virtual gateway". To finish you click "Add Clean Access Server".

Re: NAC Switch Configuration

mamaral — Tue, 07 Dec 2010 14:42:26 GMT

Hi Eduardo,

My problem is that when i do that, the option of Out-Of-Band does not show up in the list-box ,

and when i go to the license page, it does not show up the OOB license.

Did you had to do anything to activate the OOB?

My NAC came with the version 4.1, and i have upgraded to the verions 4.8, but neither one had the OOB option.

regards,

Miguel

Re: NAC Switch Configuration

Tiago Antunes — Tue, 07 Dec 2010 17:42:11 GMT

Hi,

You need at least 2 licenses:

1 - CAM license -> This license is the one you install the first time you access the CAM WEB GUI.

2 - CAS license -> This license needs to be installed so that you can add Clean Access Servers to the CAM.

Did you installed the CAS license?

If not, you need to get the Product Activation Key (PAK) you received allong with the CAs and go to the licensing web page https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet, and request a CAS license. Please note that you need to enter the Clean Access MANAGER eth0 mac address for the Clean Access Server (CAS) licence.

HTH,
Tiago

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Re: NAC Switch Configuration

mamaral — Thu, 09 Dec 2010 11:15:33 GMT

Hi Tiago,

TKX in advanced for your help.

I have recieved with the CAM an license for 20 CAS, but nothing more.

The CAS server's did not bring any PAK.

This CAM and CAS were bought two years ago by my client, but just now he asked me to install it.

Do you know if two years ago the licensing was diferent?

TKX

Miguel

Re: NAC Switch Configuration

Tiago Antunes — Thu, 09 Dec 2010 11:20:13 GMT

Hi,

It is the same schema: Yo uneed 2 licenses, one for CAM and one for CAS.

The one for CAM defines how many CASes you can add.

The one for CAS defines how many users are supported.

So either the CAS PAK was lost, or was never bought.

In either case you will need to get in touch with the entitiy that sold the devices and request for the CAS PAK.

HTH,

Tiago

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.