Posts

Showing posts from July, 2007

NAC Version 4.1.2

Download is available here: Cisco NAC Appliance Software Download Page (requires a valid Smartnet contract in order to download)

4.1(2) Documentation Page

Some of the feature "enhancements" that I found interesting and useful:

- NEW Cisco NAC Network Module (NME-NAC-K9) Support

Release 4.1(2) introduces support for the Cisco NAC Appliance network module (NME-NAC-K9) on the next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs). The Cisco NAC Network Module for Integrated Services Routers supports the same software features as the Clean Access Server (CAS) on a NAC Appliance, with the exception of high availability. NME-NAC-K9 does not support failover from one module to another. The integration of CAS capabilities into a network module for ISRs allows network administrators to manage a single device in the branch office for data, voice, and security requirements. The NME-NAC-K9 network module is available as a single ...

VPN Deployments with ASA 8.0

Background: One common design challenge in the past was how to deploy NAC for VPN Users when the VPN device is also a corporate firewall. This entry will hopefully help you understand the existing ways of deploying NAC for VPN Users and also help you understand how to design NAC for VPN Users with ASA 8.X.

NAC For VPN Users with a standalone VPN Device: This is the typical deployment for VPN Concentrators, PIX/ASA (for VPN only), and IOS VPN Routers (for VPN only). The CAS is typically, and preferably, deployed in Virtual Gateway Mode. VG allows for zero IP Address changes and only requires the addition of 1 Authentication/Untrusted VLAN. For more information on how to configure NAC for Standalone VPN Devices, please see the NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example.

Figure 1 - VPN Deployment with a Standalone VPN Device

NAC For VPN Users with a 6.X/7.X Corporate Firewall/VPN Device without a DMZ: With this deployment you n...

Cisco NAC Profiler Announcement

Background: Great Bay Software Inc., the innovator of Endpoint Profiling for enterprise networks, today announced it has signed a worldwide OEM agreement with Cisco that adds the company's Beacon Endpoint Profiler solution to the award-winning Cisco Network Admission Control (NAC) product line. This agreement ensures that all network-attached endpoints, including non-PCs, meet the specified requirements for network access, creating the industry's most comprehensive NAC solution set. As part of the agreement, Cisco will rebrand and sell the Beacon Endpoint Profiler as Cisco NAC Profiler. The Endpoint Profiling and Behavior Monitoring functions provided by NAC Profiler combined with the Cisco NAC Appliance solution will ease deployments and improve the security management of endpoints unassociated with specific users, such as network printers, medical imaging devices, IP phones, HVAC sensors and wireless access points. NAC Profiler can improve the return on investment for a NAC...

Timers

Background: Cisco NAC Appliance is a great method of threat containment by ensuring users' identity and posture, but at what point do you want to ensure that a user who was once compliant is still indeed compliant? This is the reason why timers are such an important aspect of any NACA Deployment. This entry will help you to understand the different options within NAC and ensure that you configure what is needed for your deployment.

The Options:

Certified Device Timer
- Automatically Clear Certified Device List at specific intervals (X number of days)
- May clear devices based on particular CAS, User Role, Auth Provider
- May clear X amount of users at a time
- May create multiple timers to meet your needs

Session Timer
- An Absolute Timer that is specific to the user role (X number of minutes)
- Applies to both IB & OOB
- Triggers after a preset time to kick users off the online user list

Heartbeat Timer
- Number of minutes after which a user is logg...