Cisco NAC and Windows GPO

gilcintron · ‎02-02-2006

All-

I am in a lab environment working on a project that, among others, includes Cisco's NAC product.

We are responsible for providing basic network services, such as DHCP, WSUS, Anti-virus and Certificate Services. We have completely loaded and tested our configuration and have added Cisco NAC to the environment.

Currently, the computers that are not managed by an ACS work without a hitch. Computers managed by the ACS are not receiving Group Policy and thus, are not downloading updates from WSUS.

Could there possibly be a timing issue that is preventing GPO from being applied because the CTA and ACS are still sorting out whether the computer should even has access?

-When we disconnect those machines and plug them into switches with no knowledge of NAC they work fine.

-When we change the applicable ACLs to prmit ip any any, we still get no joy when the computers are being managed by ACS.

There is Cisco on-site support available, but not until Feb 7th. I would like to make some progress between now and then. Any help would be greatly appreciated.

GC

kdamisch · ‎03-14-2007

NAC 4.1 has GPO enhancements. Try this link:

http://www.cisco.com/application/pdf/en/us/guest/products/ps6128/c1090/ccmigration_09186a008078529b.pdf

On page 19 and 20, it describes the issue of GPO not being applied to the clients after authentication. In 4.1, this is resolved. When a user is put into an access VLAN after the authentication/posture assessment, the 4.1.0.x agent will issue a gpupdate on the client to refresh the group policy.

Hope this helps. If so, please rate.

Thanks,

Kevin