ASK THE EXPERT – NETWORK ADMISSIONS CONTROL 2 (NAC2)

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Reza Malekzadeh about Network Admission Control (NAC) which uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. Reza Malekzadeh is a product marketing manager for the Security Technology Group at Cisco Systems, focused on the Network Admission Control (NAC) initiative. Prior to joining Cisco, Mr. Malekzadeh was the co-founder of Twingo Systems, a provider of secure desktop solutions for untrusted computers. Twingo Systems was acquired by Cisco in 2004.


Remember to use the rating system to let Reza know if you have received an adequate response.


Reza might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 9, 2005. Visit this forum often to view responses to your questions and the questions of other community members.


Hi Angela,

Your question is posted on an old NAC discussion (started in 2005). I noticed it by chance.

I don't know if you already got an answer to this question. If not, I would recommend posting it to the appropriate community on the Cisco Support Community forum:

https://supportforums.cisco.com/community/netpro/security/others

Anyway, the "twin" service on the NAC Guest Server is the one taking care of the DB replication when you use the NGS in a High-Availability setup:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_replication.html

Please check the linked document and, if you need more answers, please ask your questions on the appropriate forum so that there will be higher chances to get an answer.

I hope this helps.

Regards,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

I had exactly the same issue with the twin service. I followed the configuration document to the word and it fails every time. There is no configuration on the devices except for the admin account and the IP address.

The following is in the twin_log:

2011-04-13 12:17:09 PDT LOG +-------------------------------------
2011-04-13 12:17:09 PDT LOG twin 1.2 starting up...
2011-04-13 12:17:09 PDT LOG log mode is 0
2011-04-13 12:17:09 PDT LOG local port=5432
2011-04-13 12:17:09 PDT LOG local database=gapdb
2011-04-13 12:17:09 PDT LOG log_table_max_size=1000
2011-04-13 12:17:09 PDT LOG sleeptime=1000
2011-04-13 12:17:09 PDT LOG use_timestamps=f
2011-04-13 12:17:09 PDT LOG done
2011-04-13 12:17:09 PDT LOG local config status is 0
2011-04-13 12:17:09 PDT FATAL application has not yet configured twin
2011-04-13 12:17:09 PDT LOG shutting down...
2011-04-13 12:17:09 PDT LOG shutdown complete
2011-05-01 15:56:34 PDT LOG +-------------------------------------

I managed to resolve this based on information I found in bug CSCth43152. Basically if you are running NGS version before 2.0.3 then you have to disable HTTPS and then it will replicate. They have fixed this in version 2.0.3 apparently so I will be upgrading my system.
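As an added example (not code from the thread, from Cisco, or from the NAC Guest Server product), the following Python splits a twin_log like the one quoted above into startup attempts and reports which ones aborted with a FATAL line, so the "application has not yet configured twin" condition can be spotted across many restarts instead of by reading the log by hand. The sample log is constructed from the excerpt above, trimmed to a few lines.

```python
import re
from typing import Dict, List

# Constructed sample, trimmed from the twin_log excerpt quoted in the post above.
SAMPLE_TWIN_LOG = """\
2011-04-13 12:17:09 PDT LOG +-------------------------------------
2011-04-13 12:17:09 PDT LOG twin 1.2 starting up...
2011-04-13 12:17:09 PDT LOG local port=5432
2011-04-13 12:17:09 PDT LOG local database=gapdb
2011-04-13 12:17:09 PDT LOG use_timestamps=f
2011-04-13 12:17:09 PDT LOG local config status is 0
2011-04-13 12:17:09 PDT FATAL application has not yet configured twin
2011-04-13 12:17:09 PDT LOG shutdown complete
2011-05-01 15:56:34 PDT LOG +-------------------------------------
"""

# Record layout as seen in the excerpt: "<date> <time> <tz> <LEVEL> <message>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ ([A-Z]+) (.*)$")
KV_RE = re.compile(r"^(?:local )?(\w+)=(\S+)$")  # e.g. "local port=5432"


def parse_twin_log(text: str) -> List[Dict]:
    """Split the log at each '+----' banner into one dict per startup attempt."""
    runs: List[Dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, or lines not in twin's record format
        ts, level, msg = m.groups()
        if msg.startswith("+---"):
            runs.append({"started": ts, "settings": {}, "config_status": None, "fatal": []})
            continue
        if not runs:
            continue  # output before the first banner is ignored
        run = runs[-1]
        kv = KV_RE.match(msg)
        if kv:
            run["settings"][kv[1]] = kv[2]
        elif msg.startswith("local config status is "):
            run["config_status"] = int(msg.rsplit(" ", 1)[1])
        elif level == "FATAL":
            run["fatal"].append(msg)
    return runs


def replication_failures(runs: List[Dict]) -> List[tuple]:
    """(timestamp, first FATAL message) for every startup attempt that aborted."""
    return [(r["started"], r["fatal"][0]) for r in runs if r["fatal"]]
```

A trailing banner with nothing after it (the last line of the excerpt) shows up as a run with empty settings and no FATAL, which is what a log cut mid-startup looks like.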

docmilligan
Level 1

I have been attempting to get NAC deployed in the last month. I have come up with a few issues.

I upgraded to 4.8 and that went smoothly. I have an in-band deployment and will be using ASA VPN connections once I get everything working correctly. A couple of the issues I've experienced are:

  • Windows NAC Agent. I have the NAC Agent installed on a couple of virtual workstations and get no login option, and the Agent just does not seem to be communicating with the server. I can do a Web-based check on systems but not using the Windows Agent. I need to use the Windows agent. I've searched through the documentation and did not find too much information on how to t/s this. There is SOME and I have checked out all of the suggestions with no luck. Any ideas on what to check?
  • Check and Rule updates. I have had updates running daily for about two weeks and only seem to get updates on virus signatures, etc. There have been no checks pushed on operating system issues. I know there have been some Microsoft patches put out in the last couple of weeks but there is no sign of them in the checks. Is there a configuration item I am missing, or is it just that these updates only come once a month or so? In our implementation we need to get all updates checked immediately. I'd rather avoid having to manually create checks all the time.
  • Snapshots. I am currently doing most of my work in a lab environment for testing. I intend to deploy the appliances to one of our remote locations in the next couple of weeks. We have additional NAC appliances which we are going to stand up in our home office location. I attempted to take a snapshot from the appliance I am currently using and upload it to another. Hard to tell if it works or not. I get a warning that it must be a valid file; I hit OK and I don't believe anything really happens. I don't see any kind of entry in the event log. What I would LIKE to happen is to be able to configure new rules, etc. at our home office and be able to deploy this by some sort of upload rather than having to create them twice. Is there a way to do this?

I have a few more questions but will save them for later.  Any assistance is greatly appreciated!

Liam

Hi Liam,

This discussion is pretty old; I would suggest asking NAC-related questions under the "security / other security subjects" community, where NAC-related discussions are hosted, otherwise your question may not get noticed and thus will remain unanswered:

https://supportforums.cisco.com/community/netpro/security/others

In any case, let me quickly answer your questions:

  • Windows NAC Agent.

For ASA/VPN connections (which are L3) you need to make sure that the traffic sent to the discovery host hits/crosses the CAS. The NAC agent sends traffic to the discovery host IP address both on UDP/8906 (legacy UDP discovery) and on TCP/8905 (current discovery mechanism).

I have seen several possible issues causing the agent not to pop up, including: split-tunnel and discovery traffic not being sent through the VPN tunnel, a personal firewall blocking the discovery traffic, or even the wrong SSL certificate installed on the CAS.

Those are just examples but you can find more info about the client activity on the CAS logs (/perfigo/access/tomcat/logs/nac_server.log); you may need to increase the logging level for "SWISS" communication in order to get more details.

The agent logs are also very useful, but are encrypted, so you should open a TAC case to get them decoded and analyzed; however, you can check what happens by getting a sniffer trace on the client itself or the CAS untrusted interface, in order to see if the CAS receives and replies to the discovery traffic sent by the client.

  • Check and Rule updates.

The "cisco rules" checks for Windows updates are published on a regular basis but may not be published immediately after the hotfix is available from Microsoft.

The way to address this is to use the WSUS "severity" check rather than "cisco rules"; by doing this the client will have to be able to communicate with the WSUS server (or the public Windows Update servers) in order to get the list of available hotfixes, so make sure that this traffic is allowed on the CAS for the unauth and temp roles.

This is a bit slower, as it requires the client to poll the Windows Update servers, but as soon as the hotfix is available on the WSUS/WindowsUpdate servers you will be able to perform the check on that.

  • Snapshots.

If I understand correctly what you're asking, you may need to configure the policy import/export, exporting policies on the lab-test CAM and importing this info to the production CAM.

Read the linked document carefully in order to check if this applies to you:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_admin.html#wp1050935

I hope this helps.

Thanks,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Hi,

I have implemented Cisco NAC OOB with SSO, but some user accounts cannot access the network via SSO.

I tried to access the network with my account in the same OU as an account that is able to access the network on the same client.

I used Windows 2003 Active Directory and Cisco NAC ver 4.7.0

Do you have any solution?

Thank you,