11-28-2005 08:53 AM - edited 03-03-2019 12:56 AM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Reza Malekzadeh about Network Admission Control (NAC) which uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. Reza Malekzadeh is a product marketing manager for the Security Technology Group at Cisco Systems, focused on the Network Admission Control (NAC) initiative. Prior to joining Cisco, Mr. Malekzadeh was the co-founder of Twingo Systems, a provider of secure desktop solutions for untrusted computers. Twingo Systems was acquired by Cisco in 2004.
Remember to use the rating system to let Reza know if you have received an adequate response.
Reza might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 9, 2005. Visit this forum often to view responses to your questions and the questions of other community members.
10-28-2010 06:58 AM
Hi Angela,
Your question is posted on an old NAC discussion (started in 2005). I noticed it by chance.
I don't know if you already got an answer to this question; if not, I would recommend posting it to the appropriate community on the Cisco Support Community forum:
https://supportforums.cisco.com/community/netpro/security/others
Anyway, the "twin" service on the NAC Guest Server is the one taking care of the DB replication when you use the NGS in a High-Availability setup:
http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_replication.html
Please check the linked document and, if you need more answers, please ask your questions on the appropriate forum so that there will be a higher chance of getting an answer.
I hope this helps.
Regards,
Federico
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
05-09-2011 04:02 PM
I had exactly the same issue with the twin service. I followed the configuration document to the word and it fails every time. There is no configuration on the devices except for the admin account and the IP address.
The following is in the twin_log:
2011-04-13 12:17:09 PDT LOG +-------------------------------------
2011-04-13 12:17:09 PDT LOG twin 1.2 starting up...
2011-04-13 12:17:09 PDT LOG log mode is 0
2011-04-13 12:17:09 PDT LOG local port=5432
2011-04-13 12:17:09 PDT LOG local database=gapdb
2011-04-13 12:17:09 PDT LOG log_table_max_size=1000
2011-04-13 12:17:09 PDT LOG sleeptime=1000
2011-04-13 12:17:09 PDT LOG use_timestamps=f
2011-04-13 12:17:09 PDT LOG done
2011-04-13 12:17:09 PDT LOG local config status is 0
2011-04-13 12:17:09 PDT FATAL application has not yet configured twin
2011-04-13 12:17:09 PDT LOG shutting down...
2011-04-13 12:17:09 PDT LOG shutdown complete
2011-05-01 15:56:34 PDT LOG +-------------------------------------
I managed to resolve this based on information I found in bug CSCth43152. Basically, if you are running an NGS version before 2.0.3, you have to disable HTTPS and then it will replicate. They have apparently fixed this in version 2.0.3, so I will be upgrading my system.
10-01-2010 09:32 AM
I have been attempting to get NAC deployed in the last month. I have come up with a few issues.
I upgraded to 4.8 and that went smoothly. I have an in-band deployment and will be using ASA VPN connections once I get everything working correctly. A couple of the issues I've experienced are:
I have a few more questions but will save them for later. Any assistance is greatly appreciated!
Liam
10-28-2010 06:53 AM
Hi Liam,
This discussion is pretty old. I would suggest asking NAC-related questions under the "security / other security subjects" community, where NAC-related discussions are hosted; otherwise your question may not get noticed and will remain unanswered:
https://supportforums.cisco.com/community/netpro/security/others
In any case, let me answer your questions quickly:
For ASA/VPN connections (which are L3) you need to make sure that the traffic sent to the discovery host hits/crosses the CAS. The NAC agent will send traffic to the discovery host IP address on both UDP/8906 (legacy UDP discovery) and TCP/8905 (current discovery mechanism).
I saw several possible issues causing the agent not to pop-up, including: split-tunnel and discovery traffic not being sent through the VPN tunnel, personal firewall blocking the discovery traffic, or even wrong SSL certificate installed on the CAS.
Those are just examples but you can find more info about the client activity on the CAS logs (/perfigo/access/tomcat/logs/nac_server.log); you may need to increase the logging level for "SWISS" communication in order to get more details.
The agent logs are also very useful, but they are encrypted, so you should open a TAC case to get them decoded and analyzed. However, you can check what happens by getting a sniffer trace on the client itself or on the CAS untrusted interface, in order to see whether the CAS receives and replies to the discovery traffic sent by the client.
The "cisco rules" checks for Windows updates are published on a regular basis but may not be published immediately after the hotfix is available from Microsoft.
The way to address this is to use WSUS with the "severity" check rather than "cisco rules"; by doing this the client will have to be able to communicate with the WSUS server (or the public Windows Update servers) in order to get the list of the available hotfixes, so make sure that this traffic is allowed on the CAS for the unauth and temp roles.
This is a bit slower, as it requires the client to poll the Windows Update servers, but as soon as the hotfix is available on the WSUS/Windows Update servers you will be able to perform the check on it.
If I understand correctly what you're asking, you may need to configure the policy import/export, exporting policies on the lab/test CAM and importing this info into the production CAM.
Read the linked document carefully in order to check whether this applies to you:
I hope this helps.
Thanks,
Federico
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
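The sniffer-trace check Federico describes above can be automated. The following is an added example for this thread, not Cisco code and not part of the original post: it reads "tcpdump -n" style lines captured on the client or on the CAS untrusted interface, picks out the agent's discovery flows to the discovery host on TCP/8905 and UDP/8906, and reports per client whether the CAS answered. The discovery host address (10.0.0.10), the client addresses and the trace lines are all constructed for the demonstration; the three verdict strings map to the failure modes named in the post (nothing reaching the CAS, e.g. split tunnel or a personal firewall; requests arriving but unanswered, e.g. a CAS-side problem to chase in nac_server.log; or a working discovery).

```python
"""Check a tcpdump trace for Cisco NAC agent discovery traffic.

Added example for this thread; not Cisco code. It assumes a trace captured
with "tcpdump -n" on the client or on the CAS untrusted interface and looks
for the two discovery flows the agent sends to the discovery host:
TCP/8905 (current mechanism) and UDP/8906 (legacy), and whether the CAS
answered them. The sample trace below is constructed, not a real capture.
"""
import re

# Discovery ports named in the thread: TCP/8905 current, UDP/8906 legacy.
DISCOVERY_PORTS = {("tcp", 8905), ("udp", 8906)}

# Shape of a "tcpdump -n" line: "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample trace: 10.0.0.10 is the assumed discovery host (CAS).
# Client 10.1.2.5 gets a SYN-ACK on TCP/8905 but nothing back on UDP/8906;
# client 10.1.2.6 sends UDP only and never gets a reply; the HTTPS SYN is noise.
SAMPLE_TRACE = """\
12:17:09.100001 IP 10.1.2.5.51234 > 10.0.0.10.8905: Flags [S], seq 1, win 64240, length 0
12:17:09.100452 IP 10.0.0.10.8905 > 10.1.2.5.51234: Flags [S.], seq 9, ack 2, win 29200, length 0
12:17:09.100600 IP 10.1.2.5.51234 > 10.0.0.10.8905: Flags [.], ack 10, win 64240, length 0
12:17:09.200000 IP 10.1.2.5.52000 > 10.0.0.10.8906: UDP, length 32
12:17:10.000000 IP 10.1.2.6.53000 > 10.0.0.10.8906: UDP, length 32
12:17:10.300000 IP 10.1.2.5.51300 > 10.0.0.10.443: Flags [S], seq 5, win 64240, length 0
"""


def parse_line(line):
    """Return (proto, src, sport, dst, dport) for one tcpdump line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("Flags ["):
        proto = "tcp"
    elif rest.startswith("UDP"):
        proto = "udp"
    else:
        return None
    return (proto, m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")))


def analyze_trace(text, discovery_host):
    """Map each discovery port to the clients that sent to it and those it answered."""
    flows = {p: {"requests": set(), "replies": set()} for p in DISCOVERY_PORTS}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, src, sport, dst, dport = parsed
        if dst == discovery_host and (proto, dport) in DISCOVERY_PORTS:
            flows[(proto, dport)]["requests"].add(src)      # agent -> CAS
        elif src == discovery_host and (proto, sport) in DISCOVERY_PORTS:
            flows[(proto, sport)]["replies"].add(dst)       # CAS -> agent
    return flows


def diagnose(flows, client):
    """Classify one client's discovery outcome using the failure modes from the thread."""
    sent = {p for p, f in flows.items() if client in f["requests"]}
    answered = {p for p, f in flows.items() if client in f["replies"]}
    if not sent:
        # Nothing from this client reached the capture point: suspect a split
        # tunnel or a personal firewall dropping the agent's discovery traffic.
        return "no-discovery-traffic"
    if answered:
        return "ok:" + ",".join(sorted(f"{p}/{n}" for p, n in answered))
    # Requests arrived but the CAS never replied: check nac_server.log with
    # SWISS logging raised, and the certificate installed on the CAS.
    return "unanswered:" + ",".join(sorted(f"{p}/{n}" for p, n in sent))


if __name__ == "__main__":
    result = analyze_trace(SAMPLE_TRACE, "10.0.0.10")
    for host in ("10.1.2.5", "10.1.2.6", "10.1.2.7"):
        print(host, diagnose(result, host))
```

Run it against a real capture with something like `tcpdump -n -i <untrusted-if> host <discovery-host> and (port 8905 or port 8906)` piped to a file and passed as the trace text; a client that shows up as "unanswered" on both ports points at the CAS side, while a client that never appears points at the path between the VPN and the CAS.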
05-11-2011 06:52 AM
Hi,
I have implemented Cisco NAC OOB with SSO, but some user accounts cannot access the network via SSO.
I tried to access the network with my account, which is in the same OU, and my account is able to access the network on the same client.
I used Windows 2003 Active Directory and Cisco NAC version 4.7.0.
Do you have any solution?
Thank you,