05-16-2011 11:41 AM - edited 02-21-2020 04:20 AM
Hi all.
I have a few questions. I am a student writing my diploma thesis, and I am using Cisco equipment in it. I have passed the CCNA level, but I urgently need to build a lab setup for my thesis.
Initial data:
Cisco 3550 switch, with VLANs configured on it
2600XM router, which routes between the VLANs
I have the Cisco NAC Appliance running in VMware: there is a Server and a Manager. Version 4.1.
Questions:
If the server is configured from the manager, can the server then run independently, without access to the manager?
Does this technology encrypt packets?
This is my first encounter with this technology, and nobody is helping me. I need a program installed on the client computers that checks whether their operating system is up to date. It is difficult for me to follow the Cisco guide (a lot of material, and I urgently need a working model). Can you give me a link on how to build such a network (server, manager and, if needed, the Cisco devices), or briefly describe how to do it?
Thanks in advance.
05-16-2011 12:29 PM
Hi Max
A Server without a Manager is of no use.
The Server only enforces; the Manager manages and holds most of the configuration.
IPsec tunnels are formed between the CAS and the CAM.
The NAC Agent that checks for antivirus, etc. on the operating system can be pushed through the CAM (the Manager).
If the CAM is updated via its Internet connection it will contain the latest versions.
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_admin.html
There is no particular document for just the configuration you need, but keep asking about whatever you don't understand.
Help will be provided.
05-16-2011 12:53 PM
I am a little confused. Thank you for providing the link.
I am interested in the following: I read somewhere that you need to configure AAA authorization on the switch or router, or something associated with RADIUS. Is it necessary to do this?
My master's thesis involves an innovation: I will be using both asymmetric and symmetric encryption of packets. In addition to the NAC encryption, I wanted to use a VPN with a different encryption. But my supervisor said it was stupid. What do you think?
05-16-2011 01:04 PM
Hi Max
Yes, a VPN can be used with NAC.
https://supportforums.cisco.com/thread/237738
You might have heard about Cisco Secure ACS, which understands RADIUS and TACACS+ for authentication and authorization.
You have mistaken something here: NAC (Network Admission Control) is all about endpoint security, while ACS is identity management and security.
Yes, NAC can use an ACS as an external database, from which you can authenticate and even authorize using another RADIUS server behind the ACS.
So the flow goes this way: NAC --> ACS --> RADIUS server.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
Any doubts?
Regards
Eddy
05-16-2011 11:10 PM
Thanks for the replies. I have some more questions.
When installing the server, the following questions arise.
At the beginning of the server's configuration:
Please enter the IP address for the interface eth0
Is this the address connected to the Manager server?
Should the default gateway point to the Manager, or to the router that provides Internet access?
Next: Vlan Id Passthrough for packets from eth0 to eth1 is disabled. Would you like to enable it?
What does this question mean? Do I need to enable it?
Same question for:
Management VLAN Tagging for egress packets of eth0 is disabled. Would you like to enable it?
What does this question mean? Do I need to enable it?
Please enter the IP addresses for the name servers.
Does this item ask me to enter the DNS server?
After installing the server, do I need to configure it any further?
People often ask me how the Agent checks operating systems. With Windows everything is clear, but how is the check done on Unix systems?
Is there a program for smartphones (Android, Windows Mobile, ...)?
Regarding the VPN, I want to use a single server based on Microsoft Windows 2008. I plan to do double encryption of the packets: one encryption by Cisco, the second by the VPN server.
The scheme with the VPN that you gave me, is it supported by Cisco, and what are the pros of that scheme?
Maxsim
Regards
05-17-2011 07:34 AM
The eth0 of the CAS is connected to the trusted side of your network; it could be a switch, for example.
It is not connected to the CAM. In a VG setup the CAM and the CAS have to be in different VLANs.
In a Real-IP setup they could be connected in the same VLAN.
The router should be the default gateway.
Don't enable VLAN ID passthrough.
In VG you will do VLAN mapping and in Real-IP you will do routing, so there is no need for the passthrough option.
You would like to enable management VLAN tagging for eth0 but not for eth1,
because you always manage the devices through eth0.
It just asks for the DNS server IP.
If you are using DNS resolution later when you set things up, you would want to configure it.
Windows is checked well by the agent.
On Mac you can check the antivirus only.
Linux and other mobile devices might just be authenticated and not checked for antivirus, etc.
Support for other OSes is being worked on by the devs.
VPN traffic can be made to pass through NAC and be checked.
2 ways:
1) Just traffic passing through.
Flow: remote user --> NAC --> internal network --> ASA (VPN termination point)
2) Termination and VPN SSO
Flow: remote user --> ASA --> NAC --> internal network
Install guide: http://www.cisco.com/en/US/docs/security/nac/appliance/installation_guide/hardware/48/hi_instal.html
Regards
eddy
05-17-2011 08:23 AM
Technically, I don't understand spreading the CAS and CAM across different VLANs. Can I use one addressing network? For example:
CAS 172.16.0.1
CAM 172.16.0.2
Default Gateway (router) 172.16.0.3?
05-17-2011 08:47 AM
Max, you need to use different subnets for assigning addresses to the CAM and CAS, and then assign them different VLANs on the switch they connect to. You
can use /30 subnets so that you save IP addresses.
I have attached a drawing. Is this what you are planning to make?
I also want to know which setup mode you want to deploy your CAS in:
VG or Real-IP.
Regards
eddy
05-17-2011 12:31 PM
Sorry, what is VG?
I made a diagram of my network. Here is the configuration of the Server and Manager.
CAM:
Please enter the IP address for the interface eth0 []: 172.16.0.3
You entered 172.16.0.3 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 172.16.0.1
You entered 172.16.0.1 Is this correct? (y/n)? [y]
Please enter the hostname [localhost.localdomain]:
You entered localhost.localdomain Is this correct? (y/n)? [y]
Please enter the IP addresses for the name servers [172.16.0.2] :
You entered 172.16.0.2 Is this correct? (y/n)? [y]
After date and time ...
Enter fully qualified domain name or IP: 172.16.0.2
Enter organization unit name: Hotel
Enter organization name: Cisco
Enter city name: Odessa
Enter state code: Ukraine
Enter 2 letter country code: UA
Is this correct? (y/n)? [y]
New Unix password
Install has completed. Press
CAS:
Please enter the IP address for the interface eth0 []: 172.16.0.1
You entered 172.16.0.1 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 172.16.0.2
You entered 172.16.0.2 Is this correct? (y/n)? [y]
[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.
Would you like to enable it? (y/n)? [n]
[Management Vlan Tagging] for egress packets of eth0 is disabled.
Would you like to enable it? (y/n)? [n]
Please enter the IP address for the untrusted interface eth1 []: 192.168.100.2
You entered 192.168.100.2 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth1 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 192.168.100.1
You entered 192.168.100.1 Is this correct? (y/n)? [y]
[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.
Would you like to enable it? (y/n)? [n]
[Management Vlan Tagging] for egress packets of eth1 is disabled.
Would you like to enable it? (y/n)? [n]
Please enter the hostname [localhost.localdomain]:
You entered localhost.localdomain Is this correct? (y/n)? [y]
Please enter the IP address for the name server: []: 172.16.0.2
You entered 172.16.0.2 Is this correct? (y/n)? [y]
Given your previous answer, how should I rewrite the subnets?
These two configurations are still on VMware virtual machines. I have a test machine with Windows XP, set to IP 172.16.0.2, and I cannot ping either 172.168.0.1 or 172.168.0.3. Yesterday I installed the CAS and CAM, not with the configuration written above, and I was able to enter the administration panel. But today I cannot, and even ping does not work. What could the problem be?
Regards
Maxsim
05-18-2011 10:04 AM
First of all,
VG = Virtual Gateway mode.
It is the mode the CAS functions in if you want it to act as a bridge, or a bump in the wire. It will just map the VLANs from the untrusted to the trusted side.
The CAM and CAS cannot be in the same subnet.
The CAM gateway, as you have mentioned, is 172.16.0.1,
which is the CAS's IP. You have to create an SVI on the switch which will be the gateway for the CAM.
Similarly for the CAS, an SVI on the switch will be the default gateway for the trusted eth0 of the CAS.
The hostname is used if you have DNS configured properly. You can configure it here, but when you do High Availability or when you open the GUI of the CAM using a web browser, use the hostname only if you have DNS configured.
Maybe the new IPs have left you out of the box;
try doing service perfigo config again if you can get root access to the device,
or else re-image it on VMware.
If I missed something here, kindly requote it in the next post.
Regards
eddy
05-18-2011 12:24 PM
Firstly, I want to thank you for such complete answers. I hope you will explain it to me to the end, so that I can make a fully working model.
From the points described above, I did not understand a few things:
1. If I do not have DNS, then how do I indicate, when installing the CAS, that I do not use a DNS server?
2. I understood that for the CAM I need to specify the CAS as the gateway. And for the CAS, on eth0, do I need to specify the CAM as its gateway?
3. When I specify a local name during the installation of the CAS, must a DNS server already be running?
In the near future I will install it as you suggested and report the results. I hope soon to begin setting up the CAM via the web interface. For me, this part of the setup is hard, because I do not really understand the principle of the setup.
Regards
Maxsim
05-19-2011 11:09 AM
The answers are below.
From the points described above, I did not understand a few things:
1. If I do not have DNS, then how do I indicate, when installing the CAS, that I do not use a DNS server?
Ans: no need to indicate it; use the IP to access the CAS for now.
2. I understood that for the CAM I need to specify the CAS as the gateway. And for the CAS, on eth0, do I need to specify the CAM as its gateway?
The CAM cannot be the CAS gateway, or vice versa. The gateway for the CAS on eth0 should be the next hop which will help reach the CAM, and vice versa.
3. When I specify a local name during the installation of the CAS, must a DNS server already be running?
No need for DNS initially. You can give a name; it is locally significant.
In future DNS would be useful.
05-19-2011 09:26 AM
Hello.
Today I did a lot of work on installing the server. I attach the network diagram. I report the steps that I did.
First, I re-installed the CAS and CAM.
Here is the new configuration.
I made a DNS record. Zone: Hotel.
Install CAM:
Please enter the IP address for the interface eth0 []: 172.17.0.2
You entered 172.17.0.2 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 172.17.0.1
You entered 172.17.0.1 Is this correct? (y/n)? [y]
Please enter the hostname [localhost.localdomain]:
You entered localhost.localdomain Is this correct? (y/n)? [y]
Please enter the IP addresses for the name servers [172.18.0.2] :
You entered 172.18.0.2 Is this correct? (y/n)? [y]
After date and time ...
Enter fully qualified domain name or IP: 172.18.0.2
Enter organization unit name: Hotel
Enter organization name: Cisco
Enter city name: Odessa
Enter state code: Ukraine
Enter 2 letter country code: UA
Is this correct? (y/n)? [y]
New Unix password
Install has completed. Press
Install CAS:
Please enter the IP address for the interface eth0 []: 172.16.0.1
You entered 172.16.0.1 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 172.17.0.2
You entered 172.17.0.2 Is this correct? (y/n)? [y]
[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.
Would you like to enable it? (y/n)? [n]
[Management Vlan Tagging] for egress packets of eth0 is disabled.
Would you like to enable it? (y/n)? [n]
Please enter the IP address for the untrusted interface eth1 []: 192.168.100.2
You entered 192.168.100.2 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth1 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway []: 192.168.100.1
You entered 192.168.100.1 Is this correct? (y/n)? [y]
[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.
Would you like to enable it? (y/n)? [n]
[Management Vlan Tagging] for egress packets of eth1 is disabled.
Would you like to enable it? (y/n)? [n]
Please enter the hostname [localhost.localdomain]:
You entered localhost.localdomain Is this correct? (y/n)? [y]
Please enter the IP address for the name server: []: 172.18.0.2
You entered 172.18.0.2 Is this correct? (y/n)? [y]
After date and time ...
Enter fully qualified domain name or IP: 172.18.0.2
Enter organization unit name: Hotel
Enter organization name: Cisco
Enter city name: Odessa
Enter state code: Ukraine
Enter 2 letter country code: UA
Is this correct? (y/n)? [y]
New Unix password
Install has completed. Press
Then I had a problem with routing. Since the router will route to the untrusted networks, I thought that a bridge could be made on the L3 switch between the CAS, CAM and VPN server. I managed to emulate it in Packet Tracer, but I could not do it on real hardware.
I used the command:
# spanning-tree portfast default
Then I gave IPs to VLANs 107, 101, 102.
However, the bridge is enabled on all VLANs. Is it possible in this case to make such a route, and how?
This is the configuration on the switch:
Switch#sh run
Building configuration...
Current configuration : 4936 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.11
ip dhcp excluded-address 192.168.1.11
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.11
!
ip dhcp pool net2
!
ip dhcp pool VLAN50
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
!
ip dhcp pool VLAN51
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool VLAN52
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
vtp domain CoWS
vtp mode transparent
!
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 100,105
!
!
!
!
vlan 10,42
!
vlan 50
name VLAN50
!
vlan 51
name VLAN51
!
vlan 52
name VLAN52
!
vlan 53
name quarantine
!
vlan 100
name VLAN100
!
vlan 101
name VLAN101
!
vlan 102
name VLAN102
!
vlan 105
name vlan105
!
vlan 107
name vlan107
!
vlan 456
name healthy
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet0/2
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
switchport mode dynamic desirable
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport access vlan 50
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 51
switchport mode access
!
interface FastEthernet0/19
switchport access vlan 52
switchport mode access
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface FastEthernet0/25
switchport mode dynamic desirable
!
interface FastEthernet0/26
switchport mode dynamic desirable
!
interface FastEthernet0/27
switchport mode dynamic desirable
!
interface FastEthernet0/28
switchport mode dynamic desirable
!
interface FastEthernet0/29
switchport mode dynamic desirable
!
interface FastEthernet0/30
switchport mode dynamic desirable
!
interface FastEthernet0/31
switchport mode dynamic desirable
!
interface FastEthernet0/32
switchport mode dynamic desirable
!
interface FastEthernet0/33
switchport mode dynamic desirable
!
interface FastEthernet0/34
switchport mode dynamic desirable
!
interface FastEthernet0/35
switchport mode dynamic desirable
!
interface FastEthernet0/36
switchport mode dynamic desirable
!
interface FastEthernet0/37
switchport mode dynamic desirable
!
interface FastEthernet0/38
switchport mode dynamic desirable
!
interface FastEthernet0/39
switchport mode dynamic desirable
!
interface FastEthernet0/40
switchport access vlan 107
switchport mode access
!
interface FastEthernet0/41
switchport mode dynamic desirable
!
interface FastEthernet0/42
switchport access vlan 101
switchport mode access
!
interface FastEthernet0/43
switchport mode dynamic desirable
!
interface FastEthernet0/44
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/45
switchport mode dynamic desirable
!
interface FastEthernet0/46
switchport access vlan 102
switchport mode access
!
interface FastEthernet0/47
switchport access vlan 105
switchport mode access
!
interface FastEthernet0/48
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
no ip address
!
interface Vlan50
no ip address
!
interface Vlan51
no ip address
!
interface Vlan52
no ip address
!
interface Vlan100
ip address 192.168.100.111 255.255.255.0
!
interface Vlan101
ip address 172.16.0.3 255.255.255.0
!
interface Vlan102
ip address 172.18.0.1 255.255.255.0
!
interface Vlan107
ip address 172.17.0.1 255.255.255.0
!
ip classless
ip http server
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
!
end
I then checked pings. The CAM pings. Since routing is not configured on the servers, I pinged the CAS from the switch. Neither in one direction nor the other does the ping succeed. Is that how it should be?
Waiting for your reply, because after I add routing to the servers, I can start setting things up further.
And one more request: can you check the gateways of the CAS and CAM, whether I have them right?
05-19-2011 11:05 AM
Hi Max,
Your initial setup on the CAS and CAM is fine.
From your setup, as you have different subnets on both sides of the CAS (eth0 and eth1), I deduced that you are deploying your CAS in Real-IP (routed) mode.
As you are doing a router-on-a-stick model, it should work fine.
I am not 100 percent sure about the switch configuration.
As per your setup you are doing an In-Band setup.
I can give you the basic configuration of the switch in that mode and you can check.
You can tell me your email ID and I might be able to help you on that,
because looking at the whole switch config from my perspective is a bit difficult.
You will be able to look at it from the right angle.
I will give you a sample config and you can double-check against it.
How does that sound?
I did not understand the last line of your post.
regards
eddy
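As an added example (not from the thread, and not Cisco's own tooling), the following Python script applies the addressing rules eddy gave earlier (the CAM and CAS must be in different subnets; each default gateway must be a real next hop such as an SVI, never the other appliance) to the addresses Max typed at the two CAS/CAM install prompts above, using the SVIs parsed from the posted 3550 running-config. The dictionaries, the interface labels and the SVI-only config excerpt are assumptions copied from the posts; the "not an SVI" finding is informational only, since the 2600XM router may hold that address.

```python
"""Added check (not from the thread): test the posted CAS/CAM addresses
against the rules given in the replies, using SVIs from the posted config."""
import ipaddress
import re

# Addresses from the second install transcript in the thread:
# (interface IP, netmask, default gateway) as typed at the setup prompts.
SECOND_INSTALL = {
    "CAM eth0": ("172.17.0.2", "255.255.255.0", "172.17.0.1"),
    "CAS eth0": ("172.16.0.1", "255.255.255.0", "172.17.0.2"),
    "CAS eth1": ("192.168.100.2", "255.255.255.0", "192.168.100.1"),
}

# Addresses from the first install transcript (CAM pointed at the CAS).
FIRST_INSTALL = {
    "CAM eth0": ("172.16.0.3", "255.255.255.0", "172.16.0.1"),
    "CAS eth0": ("172.16.0.1", "255.255.255.0", "172.16.0.2"),
    "CAS eth1": ("192.168.100.2", "255.255.255.0", "192.168.100.1"),
}

# SVI portion of the posted "sh run" (copied from the thread, indentation restored).
SWITCH_CONFIG = """\
interface Vlan100
 ip address 192.168.100.111 255.255.255.0
!
interface Vlan101
 ip address 172.16.0.3 255.255.255.0
!
interface Vlan102
 ip address 172.18.0.1 255.255.255.0
!
interface Vlan107
 ip address 172.17.0.1 255.255.255.0
!
"""


def parse_svis(config):
    """Map SVI name -> IPv4Interface for every 'interface VlanN' that has an address."""
    svis = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (Vlan\d+)\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*ip address (\S+) (\S+)\s*$", line)
        if m and current:
            svis[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            current = None
    return svis


def check_addressing(appliances, svis):
    """Return a list of findings; an empty list means every rule is satisfied."""
    ifaces = {n: ipaddress.IPv4Interface(f"{ip}/{mask}")
              for n, (ip, mask, _gw) in appliances.items()}
    gateways = {n: ipaddress.IPv4Address(gw) for n, (_ip, _mask, gw) in appliances.items()}
    appliance_ips = {i.ip for i in ifaces.values()}
    svi_by_ip = {s.ip: name for name, s in svis.items()}
    findings = []
    for name, iface in ifaces.items():
        gw = gateways[name]
        in_subnet = gw in iface.network
        if not in_subnet:
            findings.append(f"{name}: gateway {gw} is outside its own subnet {iface.network}")
        if gw in appliance_ips:
            # The CAM cannot be the CAS gateway and vice versa (per the thread).
            findings.append(f"{name}: gateway {gw} is an appliance address, not a next hop")
        elif in_subnet and gw not in svi_by_ip:
            findings.append(f"{name}: gateway {gw} is not an SVI on the posted switch; "
                            "confirm the router holds it")
    if ifaces["CAM eth0"].network == ifaces["CAS eth0"].network:
        findings.append("CAM and CAS eth0 share a subnet; they must be in different subnets/VLANs")
    if ifaces["CAS eth0"].network == ifaces["CAS eth1"].network:
        findings.append("CAS eth0 and eth1 share a subnet; Real-IP mode needs two subnets")
    return findings


if __name__ == "__main__":
    svis = parse_svis(SWITCH_CONFIG)
    for label, cfg in (("first install", FIRST_INSTALL), ("second install", SECOND_INSTALL)):
        print(f"== {label} ==")
        for finding in check_addressing(cfg, svis) or ["no findings"]:
            print(" -", finding)
```

Run it as-is to see both install attempts graded; to check a different lab, edit the dictionaries and paste the `interface VlanN` / `ip address` lines of your own `show running-config` into SWITCH_CONFIG.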
05-19-2011 11:18 AM
OK. Does "email ID" just mean an email address? Mine is odesskia@gmail.com
I agree that it is difficult to configure.
What can you say about the ping? Should the CAS ping?