Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
845
Views
0
Helpful
5
Replies

cisco NAC profiler

Go to solution
saxenanitesh8522
Level 4
Level 4

‎06-08-2011 06:11 AM - edited ‎02-21-2020 04:22 AM

Hi,

I have few doubts if any1 can clear out it will be great. i have NAS OOB real ip gateway deployment in my network.

Assuming all the ports are Nac_controlled. Hence as soon as the client plugs in they will be in auth vlan.

now i have a cisco nac profiler in my network which i am going to configure for IP phones and printers.

for example if the port the ip phone is connected to it will be under auth vlan also.

hence as soon as ip phone as gets connected it, cisco profiler will see the profile and change the auth vlan to its respective vlan by mapping the profile with nac profile which we have mapped in the profiler and given the vlan in the NAC user profile for the ip phone.

please correct me if i am wrong, for the understanding of the working. I need to profile ip phones. i am not able to bridge the connection.

it would be great help if you can help me out.

thanks in advance.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Federico Lovison
Cisco Employee
Cisco Employee
In response to saxenanitesh8522

‎06-10-2011 04:56 AM

Hi Nitesh,

the NAC has no control over the voice VLAN, so this would be defined locally on each switch ports.

So, you don't assign the profiled IP Phone endpoint to any role, as the entry will be "ignored" and the phone will work on the locally configured voice VLAN bypassing NAC.

The IP Phone case is different than printers and ATM.. as in this case these devices are working on the access VLAN (that is controlled by NAC) and you don't expect to see any other devices (MAC Addresses) on the same port of a printer, ATM or other agentless endpoints. Given this, you can assign different endpoints profiles to different roles in this case.

I hope this answers your questions.

Regards,

Federico

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Federico Lovison
Cisco Employee
Cisco Employee

‎06-10-2011 04:19 AM

Dear Nitesh,

The IP phones should be configured to work on the Voice VLAN; the NAC Manager on its OOB config can only manage the access VLAN for the switch port.

Given this, the correct config for the filters for the IP Phones is "ignore", as described here:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_addSrv.html#wp1092789

The NAC Profiler can help to add these filters without manual intervention, so you should configure the Profiler with the appropriate NAC event that configures the filter for the IP Phone MAC address to "ignore".

This won't cause the port to change status NAC wise, as the NAC Manager will simply "ignore" the MAC notification for the IP Phone(s).

I hope this helps.

Regards,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

0 Helpful

Go to solution
saxenanitesh8522
Level 4
Level 4
In response to Federico Lovison

‎06-10-2011 04:32 AM

thats correct.

but i need to map the NAC event to a role right? which has to be preconfigured for vlan.

my second problem is that they have multiple voice vlan. there is no one single voice vlan. they  have a different

voice vlan all across the network. so there is one issue. i was thinking of mapping ip to mac and then assigning the profile to a specific vlan.

0 Helpful

Go to solution
saxenanitesh8522
Level 4
Level 4
In response to saxenanitesh8522

‎06-10-2011 04:40 AM

i have many things to profile not just ip phones & atm.

atm will be doing as test bench but i need to make ip phones go into mulitple voice vlans. i think i will be doing that by ip address of dhcp server they are trying to contact.

0 Helpful

Go to solution
Federico Lovison
Cisco Employee
Cisco Employee
In response to saxenanitesh8522

‎06-10-2011 04:56 AM

Hi Nitesh,

the NAC has no control over the voice VLAN, so this would be defined locally on each switch ports.

So, you don't assign the profiled IP Phone endpoint to any role, as the entry will be "ignored" and the phone will work on the locally configured voice VLAN bypassing NAC.

The IP Phone case is different than printers and ATM.. as in this case these devices are working on the access VLAN (that is controlled by NAC) and you don't expect to see any other devices (MAC Addresses) on the same port of a printer, ATM or other agentless endpoints. Given this, you can assign different endpoints profiles to different roles in this case.

I hope this answers your questions.

Regards,

Federico

0 Helpful

Go to solution
saxenanitesh8522
Level 4
Level 4
In response to Federico Lovison

‎06-10-2011 05:04 AM

oh.... now i get it..

alright.. so i will ignore it and leave the sw mo voice vlan configuration there... and when my ip phones connects it. the nac will bypass it as it will add automatically to filter it. excellent. excellent.. good.. but for printers and those things we have to map it. alright..

thanks you federico.. now if i get stuck i will get you a call!!! thanks you...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card