Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
700
Views
5
Helpful
2
Replies

NAC quick question

Go to solution
Daniela Herrera
Level 1
Level 1

‎05-11-2009 09:32 AM - edited ‎02-21-2020 03:27 AM

Hi, just trying to confirm the behavior of a NAC solution without High Availability.

I belive that if there's no High availability configured:

1. IF the CAM fails (CAS and CAM are no longer able to communicate) all new connections will be denied, but users already certified will be allowed into the network.

2. If the CAS fails in In-band mode: All user traffic will be dropped as well as new connections

3. If the CAS fails in out-of-band mode: new connections will not be possible, but certified users will still have access.

Can someone tell me if this is correct?

Thanks and regards,

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
pcomeaux
Cisco Employee
Cisco Employee

‎05-15-2009 07:08 AM

Hi there -

Let me see if I can help you:

1 - In general, yes.

2 - Yes - the CAS in-band is a network device that all traffic flows through.

3 - Yes - in Out-of-band mode, the CAM and CAS change the vlans as users enter/leave the network. If the CAM/CAS is unavailable, no vlan changes can occur. So ports remain on the vlan they are currently on.

Please let me know if you have follow up questions.

peter

View solution in original post

0 Helpful

Go to solution
halim.abouzeid
Level 1
Level 1

‎05-22-2009 01:32 AM

1- this depends on your fallback configuration. You have 3 modes:

*Ignore: already trusted users still have access to the network, new users are blocked. (this is the default behavior, if you don't change this setting, new users will be blocked)

*Allow All: already trusted users and new users are all allowed to access the network

*Block All: All users (trusted and non-trusted) are blocked (i believe this applies only in inband mode, in out of band it should behave like the ignore mode)

To change this setting go to Device Management --> CCA Servers --> Manage --> Filter --> Fallback

View solution in original post

2 Replies 2

Go to solution
pcomeaux
Cisco Employee
Cisco Employee

‎05-15-2009 07:08 AM

Hi there -

Let me see if I can help you:

1 - In general, yes.

2 - Yes - the CAS in-band is a network device that all traffic flows through.

3 - Yes - in Out-of-band mode, the CAM and CAS change the vlans as users enter/leave the network. If the CAM/CAS is unavailable, no vlan changes can occur. So ports remain on the vlan they are currently on.

Please let me know if you have follow up questions.

peter

0 Helpful

Go to solution
halim.abouzeid
Level 1
Level 1

‎05-22-2009 01:32 AM

1- this depends on your fallback configuration. You have 3 modes:

*Ignore: already trusted users still have access to the network, new users are blocked. (this is the default behavior, if you don't change this setting, new users will be blocked)

*Allow All: already trusted users and new users are all allowed to access the network

*Block All: All users (trusted and non-trusted) are blocked (i believe this applies only in inband mode, in out of band it should behave like the ignore mode)

To change this setting go to Device Management --> CCA Servers --> Manage --> Filter --> Fallback

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card