05-07-2012 12:54 PM - edited 03-10-2019 07:04 PM
We recently received the request to work on removing the entire NAC implementation from our enterprise. The major problem is that the security team in place now was not around when it was implemented a few years ago. Any help on the best way to tear it all out would be appreciated. We've got about 1500 users, so it's not going to be a small project to say the least. Fortunately for us, the team that set it up didn't do much with it. It only really checks the user against AD and permits or quarantines the user/machine, that's it.
Version 4.7.2
05-12-2012 07:48 PM
One question, what are you migrating to ? 802.1x ?
Anyway, I think best option is to remove the switchports from NAC by setting them to "uncontrolled ports". Please notice you have to configure the VLAN, because most of times the initial VLAN of NAC is configured to isolate the client PC.
Please rate if it helps
05-14-2012 05:33 AM
Thank you for your response. We are not migrating to anything at this time. The short of it is that a team implemented this a few years back and didn't really finish the full installation. They have all since been removed and a new team has come on board to remove the installation all together.
I'm trying to build an execution schedule that will have the least impact on the end user of course, so any tips are appreciated. Thanks again!
05-21-2012 11:27 AM
Can I remove a couple of ports at a time? I was thinking about running through a test case and changing a few port profiles back to default (uncontrolled) and also making sure the initial and current VLANs are set to the data VLAN. I want to make sure there will be no "collateral" damage from me making these small changes. Thanks
08-02-2012 12:41 PM
I got all the ports throughout the campus set back to Default[Uncontrolled] so everyone is now removed from NAC authentication.
Can I now shutdown the servers? Do I need to do another step, like delete the SNMP strings between the switches and NAC?
The ultimate goal is to remove NAC completely from the campus with as little to no disruption as possible. Thanks
08-02-2012 12:55 PM
Luke,
If you have all the ports set back to the uncontrolled state and the vlans are now set back to the user vlans before NAC, then for proper clean up, it would be best to remove the snmp configuration so you are not still sending traps to the manager.
thanks,
Tarik Admani
*Please rate helpful posts*
08-02-2012 12:57 PM
Excellent, thanks. Do you mean remove SNMP configuration from the switches? Or from the NAC servers? I do appreciate any help you can give me since I am quite a novice when it comes to NAC.
08-02-2012 01:02 PM
Here is the configuration guide for the switches when it comes to NAC integration:
Basically, use one switch as an example and issue a "show run | inc snmp-server" and you should see the snmp-server hosts that are currently configured for the switch. If you only see one entry (which should be the manager) then you can remove the snmp configuration. I would leave the strings in and just remove the manager host entry, just in case things don't act too well and if there are some ports that may have been overlooked.
Thanks,
Tarik Admani
*Please rate helpful posts*
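As an added example (not from the thread, Cisco or any poster), here is a small Python script that applies the check above: it parses the output of "show run | inc snmp-server" (a constructed sample is embedded) and produces the commands that remove only the NAC manager's host entry, leaving the community strings and any other trap receivers in place. NAC_MANAGER_IP is a placeholder, not a real address.

```python
"""Plan the SNMP clean-up on one switch after its NAC ports are uncontrolled.

Input: text of `show run | inc snmp-server` and the NAC manager's address.
Output: the `no ...` commands that drop only that host entry. Community
strings stay, as advised in the thread, so an overlooked port can still be
managed later.
"""
import re
from typing import List, Tuple

# Placeholder address for the NAC manager; substitute the real one.
NAC_MANAGER_IP = "192.0.2.10"

# Constructed sample of `show run | inc snmp-server` from one access switch.
SAMPLE_OUTPUT = """\
snmp-server community nacRO RO
snmp-server community nacRW RW
snmp-server host 192.0.2.10 version 2c nacRO
snmp-server host 192.0.2.50 version 2c monRO
"""

HOST_RE = re.compile(r"^snmp-server host (\S+)(.*)$")


def snmp_hosts(show_run: str) -> List[str]:
    """Return the trap/inform receiver addresses configured on the switch."""
    hosts = []
    for line in show_run.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts.append(m.group(1))
    return hosts


def cleanup_plan(show_run: str, manager_ip: str) -> Tuple[List[str], List[str]]:
    """Return (commands to apply, other receivers kept).

    A non-empty second list means the switch also reports to something other
    than the NAC manager, so only the manager entry is removed, never all SNMP.
    """
    commands, kept = [], []
    for host in snmp_hosts(show_run):
        if host == manager_ip:
            commands.append(f"no snmp-server host {host}")
        else:
            kept.append(host)
    return commands, kept


if __name__ == "__main__":
    cmds, kept = cleanup_plan(SAMPLE_OUTPUT, NAC_MANAGER_IP)
    print("\n".join(cmds) or "manager host not found; nothing to remove")
    print("other receivers left in place:", kept)
```

Run it against the real output of each switch before touching the config; if the manager host is not found, nothing is emitted.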
08-02-2012 01:17 PM
Great, so once I do that, I can shut down the NAC servers without any disruption? Thanks
08-02-2012 01:18 PM
Right,
Shut the ports on them first before powering them off. It's much easier that way!
Tarik Admani
*Please rate helpful posts*