Hi Faisal,

Thnx for the reply.

The problem with lab testing is that nac require integration with Active Directory, DHCP, DNS, switches etc. I can arrange all to test it accept DHCP and DNS and AD.

2nd during implementation i'll be testing it on a test vlan, if its successful, i'll than migrate all the rest vlans.

Please let me know in my case, will i require PORT PROFILES?

Also i will be providing the below features;

1. AD authentication, if passed, check windows/antivirus updats, if passed provide all previledges;
2. AD authentication, if failed, dont check any updats etc, and just allow it to internet, but dont allow it to specific servers subnet (eg 192.168.1.0/24).

I think this both options are doable without any issues??????? Please suggest???????

Abdul,

You'll require at least one port profile. For your other requirements, 1st one is easy, 2nd one tricky. If you want anyone who fails the authentication to have access to the internet, then you'll need to open access to the internet in the Unauthenticated role while blocking traffic to your servers. If however you're looking to do AD SSO, that requires having access to the servers also in the Unauthenticated role, so you might have to do AD authentication using LDAP.

HTH,

Faisal

Faisal,

I didn't get your point ragarding port profile. I read some where in the Cisco documentations that port profiles are only required for Real IP.

I even have done one project for OOB VG for Wireless users and i have not used the Port profiles.

Please Explain step by step and i appreciate if you can provide any link or example that will be helpful to me. In my case i have about 15 Authentication vlans and same 15 Access Vlans.

AND yes the 2 requirements are clear. For second i'll edit the unauthenticated role.

Regards

Majid

Thanks Faisal,

I really appreciate. Atleast some 1 on cisco forum is there who is responding to the NAC queries. Because NAC deployment usually is critical and challenging..

During implementation, if i get any issue, i'll post. Thanks.

Regards,

Majid

Majid,

You're quite welcome. I'd also suggest to keep your contract numbers and TAC's number handy since the response on the forum can be delayed at times.

Good luck on your rollout.

Faisal

Hi,

Please let me know if the below two points are supported in the NAC;

1.       The NAC should check the users if it is joined to the domain or not?

(My proposed solution was to check the username and passwords entered by users on the NAC agent with Active directory, If the user exist in the Active directory, we will assume that the machine is joined to the domain.

Issue: Suppose that user enter someone else credentials (that already exist in the Active directory), than in this case our propose solution will fail).

Please let me know if there is any NAC policy that can check for the machines if it is joined to the domain or not?

2.       All my Vlans (SVIs) are created on the FWSM (means the gateway of all the vlans is FWSM). Now while implementing NAC OOB VG, I will create additional vlans for NAC Manager and NAC server on the FWSM. Will the NAC OOB VG will still work without any issues (will the vlans that will be controlled by the NAC be still layer 2 adjacent to the NAC)?

Faisal,

I think changing register in an environment like University (3000 to 4000 users) will not be applicable and recommended.

Regarding opening a TAC case please let me know if we can open any generalize case with Cisco to help in multiple issues or design guidance. Usually these TAC engineers use to tackle one issue per TAC case.

Regards,

Majid

Majid,

TAC does have a policy of using one case per issue. This is for your benefit since it makes tracking, searching and ultimately solving your problems faster.

Regarding the registry key, you have to have something on the machine which you can make NAC search on. It can be a file or a registry key etc.

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

Hi faisal,

I perticularly asking for hlp as ,no one has replied me...

I am trying to implement NAC in my network in( L2 transparent mode)  mainly because i have I dont want to do chnages in otther devices, I  have  CAM(3315) & CAS(3315) i have completed licensing on CAM , I  see  license as (CAM Lite which supports 3 srvs),

pls suggest topology designs ....currently i m bit confiuse where to put CAS/CAM in network...?

I have gone through the initial configuration of CAM & CAS.(connected via cross cable)  >>> pls comment if wrong
Config <<
CAM(Eth0=192.168.200.15/24) &
CAS(Eth0=192.168.200.16/24 & Eth1=192.168.215.10/24),
preshared key : cisco, & allowed packets to flow from trusted to untrusted interface & vice -wersa. 

& , now i am trying to ping 192.168.200.16(CAS) from CAM(192.168.200.15) but not sucessful.
hence unable to have connectivity between them  I can take a webconsole of CAM &  tried to add CAS to CAM,

but it fails & gives error  { Failed to add server: Maximum limit  for Clean Access Servers supported has been reached. } strange ? as  this afresh device , Also i have reinstalled License at least 3-4  times...but no result...(dont know why this is so...)

I  have gone through the pdf's but there is  no guideline how to configure  from basic(like how to connect....which  interface shld be connected to  where..)

Kindly share your comments /documents for the same from basic.