NAC Profiler integration - can't add filter list on CAM

m.imaduddin
Level 1

Hi All,

I have a problem regarding the Profiler - NAC integration for end point profiling.

Here is the situation:

I already created the integration based on the steps in the guide: Configuring Cisco NAC Appliance Integration. I think the configuration is correct because I can do database synchronization between Profiler and CAM. Here is the Profiler server log:

   NAC_SYNC: Task_Queue_Runner starting up
   NAC_SYNC: Profiler / NAC Synchronization END [add 0, upd 0, desc 0, rm 0]
   NAC_SYNC: Profiler / NAC Synchronization START
   INFO: [2010-12-15 11:01:09 (fcapGetHWAddr:49)]  Getting MAC for eth0

I already created an endpoint profile named "Admin" which is based on IP address. I also created a NAC event based on the endpoint profile "Admin".

The NAC event maps "Admin" to a NAC role. The purpose of this event is to bypass "Admin" from NAC authentication so that "Admin" can connect to the network automatically in one NAC role.

However, when "Admin" connects to the network, it is still challenged by NAC. I don't see "Admin" on the CAM filter list either.

This means that the endpoint profiling is still failing.

Is there anyone who has any experience with this?

Thank you for your support and comments

Imad

8 Replies

Tiago Antunes
Cisco Employee

Hi,

Did you check if the endpoint was mapped to the profile you created?

Can you share screenshots of the config?

- profile rules, nac event.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Tiago,

Thank you for the reply.

Herewith the screen captures you asked for.

The first is the profile rule. I use a rule based on IP addresses.

The second image below is the NAC event. I map the profile rule to a NAC role. I tried to change the NAC access type to allow, but the endpoint is still prompted by the NAC agent before connecting to the network.

I tried checking and unchecking "allow only addition to Cisco NAC" but it still doesn't work.

The picture below is the profile list for the profile I created. I wonder why the Active Rule column shows "No". Is it normal?

Thank you,

Imad

Hi,

OK, so the Profiler will only add devices to the CAM filter list if a device falls into a profile for which a NAC event is configured.

If there is no device in the profile -> no NAC event -> no device added to the CAM.

Is there any device that was assigned to that profile?

Regarding the Active Rule column, it is used to quickly ascertain which Endpoint Profiles on a system (if any) contain an Active Rule that will result in the Profiler system doing active collection if one or more NetInquiry Collector component modules are enabled. Active profiling rules and active profiling are described in detail in the "Configuration of Active Directory Data Rules" section: http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/p_endpt_part231.html#wpxref59325.

HTH,
Tiago

Hi Tiago,

It's getting clearer now. It seems that the problem is we haven't added the device yet.

Next question is, how do I add a device on NAC Profiler?

Can I add a desktop PC as a NAC Profiler device?

Hi,

You cannot add devices manually on the profiler.

The profiler has to detect them automatically (that is the concept of profiling).

The way that profiler detects the endpoints is using the collector modules.

Each module has different ways of detecting endpoints.

Please find the description of each collector module here:

http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/p_intro231.html#wp1062345.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Tiago,

Thank you for the explanation and the link to the config guide. I understand now that the Profiler depends on the collector to do endpoint profiling using NetMap, NetWatch, NetTrap, NetInquiry, etc.

Currently I have already added the collector module (NAC Server). I have installed the Profiler collector license on the NAC Profiler server, and I have already run the collector service on the NAC Server.

From the Profiler GUI, it seems that NetMap and Forwarder are already running. Some of the other services (NetWatch, NetTrap, NetInquiry) are stopped.

I still have a problem adding my PC to be profiled for the NAC role "PC-Admin" even though NetMap is already running.

The Profiler still doesn't know what my PC is, so it doesn't add the NAC event.

The function of NetMap is to collect SNMP information from your network devices and to collect Active Directory information from your Domain Controllers.

So NetMap doesn't collect anything unless you add the network devices and/or Active Directory to your Profiler configuration.

Sadly, a prerequisite for collecting Active Directory information is that your NAC collectors have already captured DHCP information from your PCs.

NetMap can't collect DHCP information. On the other hand, NetInquiry and NetWatch do collect DHCP information, so I recommend you to enable either of those two services.
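
The two replies above describe the same chain: a collector (here NetMap, polling network devices over SNMP) has to see the endpoint first, the endpoint's IP then has to fall into a profile rule, and only a profile that has a NAC event produces an entry on the CAM device filter list, keyed by MAC address. The following is an added example, not code from the thread or from Cisco NAC Profiler, that models that chain end to end. The SNMP walk text is constructed (net-snmp style output of the IP-MIB ipNetToMedia table from a hypothetical distribution switch), and the profile, NAC event and filter-entry field names are illustrative assumptions, not the product's data model. It also reproduces the original symptom: with no collector data there are no endpoints, so the filter list stays empty no matter how the rule and event are configured.

```python
"""Toy model of NetMap data -> IP-based profile rule -> NAC event -> CAM filter list.

Added illustration, not Cisco NAC Profiler code. Field names and the sample
SNMP walk are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    mac: str
    if_index: int


@dataclass(frozen=True)
class ProfileRule:
    name: str
    prefixes: tuple  # IPv4 networks the rule matches (hypothetical rule shape)


@dataclass(frozen=True)
class NacEvent:
    profile: str
    nac_role: str
    access_type: str = "role"  # illustrative; mirrors CAM access types loosely


# Constructed sample of what a walk of the ipNetToMedia (ARP) table on a
# distribution switch could return. Row index is <ifIndex>.<ip address>.
SAMPLE_SNMP_WALK = """\
IP-MIB::ipNetToMediaPhysAddress.3.10.1.20.5 = STRING: 0:1b:21:aa:bb:1
IP-MIB::ipNetToMediaPhysAddress.3.10.1.20.6 = STRING: 0:1b:21:aa:bb:2
IP-MIB::ipNetToMediaPhysAddress.3.10.1.30.7 = STRING: 0:50:56:c0:0:8
IP-MIB::ipNetToMediaPhysAddress.7.192.168.5.9 = STRING: 0:e0:4c:12:34:56
IP-MIB::ipNetToMediaType.3.10.1.20.5 = INTEGER: dynamic(3)
"""

_PHYS_RE = re.compile(
    r"ipNetToMediaPhysAddress\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\s*=\s*STRING:\s*([0-9a-fA-F:]+)"
)


def normalize_mac(raw: str) -> str:
    """Zero-pad octets so net-snmp's '0:1b:21:aa:bb:1' becomes '00:1b:21:aa:bb:01'."""
    octets = raw.lower().split(":")
    if len(octets) != 6 or not all(0 < len(o) <= 2 for o in octets):
        raise ValueError(f"bad MAC: {raw!r}")
    return ":".join(o.zfill(2) for o in octets)


def parse_netmap_walk(text: str) -> list:
    """Extract endpoints (ip, mac, ifIndex) from SNMP walk output; skip other rows."""
    endpoints = []
    for line in text.splitlines():
        m = _PHYS_RE.search(line)
        if not m:
            continue
        if_index, ip, mac = m.groups()
        endpoints.append(Endpoint(ip=ip, mac=normalize_mac(mac), if_index=int(if_index)))
    return endpoints


def classify(endpoints, rules) -> dict:
    """Assign each endpoint (by MAC) to the first profile whose IP rule matches it."""
    assigned = {}
    for ep in endpoints:
        addr = ipaddress.ip_address(ep.ip)
        for rule in rules:
            if any(addr in net for net in rule.prefixes):
                assigned[ep.mac] = (rule.name, ep)
                break
    return assigned


def build_filter_list(assigned, events) -> list:
    """Turn profile assignments into MAC-keyed filter entries; profiles without a NAC event push nothing."""
    by_profile = {e.profile: e for e in events}
    entries = []
    for mac, (profile, ep) in sorted(assigned.items()):
        ev = by_profile.get(profile)
        if ev is None:
            continue
        entries.append({
            "mac": mac,
            "access_type": ev.access_type,
            "role": ev.nac_role,
            "description": f"Profiler: {profile} ({ep.ip} via ifIndex {ep.if_index})",
        })
    return entries


ADMIN_RULE = ProfileRule("Admin", (ipaddress.ip_network("10.1.20.0/24"),))
ADMIN_EVENT = NacEvent(profile="Admin", nac_role="PC-Admin")


def run_demo(snmp_walk: str = SAMPLE_SNMP_WALK) -> list:
    """End to end: collector data -> profile -> NAC event -> filter list."""
    return build_filter_list(classify(parse_netmap_walk(snmp_walk), [ADMIN_RULE]), [ADMIN_EVENT])


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
    # No collector data at all is the thread's original symptom: an empty filter list.
    print(run_demo(""))
```

The point to take from the model is that an IP-based rule can only fire once some collector has supplied an IP-to-MAC mapping for the endpoint; adding the distribution switch with SNMP credentials (as the thread ends up doing) or enabling a DHCP-aware collector is what populates that mapping, and the CAM entry is always keyed by the MAC, which is why nothing appeared on the filter list before.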

Hi Eduardo,

I have now added our LAN distribution switch as a network device on the Profiler and entered the SNMP RO and RW communities for NetMap to work. It seems that there are many devices known by NAC Profiler now.

I can see my PC as Admin now; automatic profiling is now working.

The integration from Profiler to CAM is working also; my PC is on the filter list generated by the Profiler.

I would like to thank Tiago for the assistance. Thank you also to you, Eduardo, for being helpful.

Cheers

Imad
