HP 3350 - Cisco NAC Appliance Spezifikationen Seite 254
- Seite / 681
- Inhaltsverzeichnis
- FEHLERBEHEBUNG
- LESEZEICHEN
Bewertet. / 5. Basierend auf Kundenbewertungen
7-24
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 7 User Management: Configuring Authentication Servers
Adding an Authentication Provider
Cisco VPN SSO
Cisco NAC Appliance enables administrators to deploy the CAS In-Band behind a VPN concentrator, or
router, or multiple routers. Cisco NAC Appliance supports multi-hop Layer 3 In-Band deployment by
allowing the CAM and CAS to track user sessions by unique IP address when users are separated from
the CAS by one or more routers. With Layer 2-connected users, the CAM/CAS continue to manage these
user sessions based on the user MAC addresses, as before.
Note Cisco NAC Appliance supports Single Sign-On (SSO) for the following:
• Cisco VPN Concentrators
• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco Airespace Wireless LAN Controllers
• Cisco SSL VPN Client (Full Tunnel)
• Cisco VPN Client (IPSec)
You can configure Cisco NAC Appliance to perform VPN SSO via a Cisco ASA in a FIPS-compliant
network deployment. For detailed configuration information, see the “Configure VPN SSO in a FIPS
140-2 Compliant Deployment” section of the Cisco NAC Appliance - Clean Access Server Configuration
Guide, Release 4.9(x).
Cisco NAC Appliance provides integration with Cisco VPN concentrators and can enable SSO capability
for VPN users, using RADIUS Accounting information. The Clean Access Server can acquire the client's
IP address from either Framed_IP_address or Calling_Station_ID RADIUS attributes for SSO purposes.
• Single Sign-On (SSO) for Cisco VPN concentrator users—VPN users do not need to login to the
web browser or the Agent because the RADIUS accounting information sent to the CAS/CAM by
the VPN concentrator provides the user ID and IP address of users logging into the VPN
concentrator (RADIUS Accounting Start Message).
Note A CAS deployed as a Real-IP gateway supporting VPN SSO opens the Accounting port only
on the trusted (eth0) interface. For configuration information, see the “Integrating with
Cisco VPN Concentrators” chapter of the Cisco NAC Appliance - Clean Access Server
Configuration Guide, Release 4.9(x).
• Single Sign-On (SSO) for Cisco Airespace Wireless LAN Controller users—For SSO to work, the
Cisco Airespace Wireless LAN Controller must send the Calling_Station_IP attribute as the client's
IP address (as opposed to the Framed_IP_address that the VPN concentrator uses).
• Accurate Session Timeout/Expiry—Due to the use of RADIUS accounting, the VPN concentrator
informs the Clean Access Server exactly when the user has logged out (RADIUS Accounting Stop
Message). See OOB (L2) and Multihop (L3) Sessions, page 8-16 for additional details.
Figure 7-15 illustrates the login and posture assessment process for a VPN user using the Agent with
Single Sign-On. Note that the initial download of the Agent must be performed via the VPN connection.
- Manager Configuration Guide 1
- CONTENTS 3
- Contents 10
- OL-28003-01 10
- About This Guide 19
- Document Organization 20
- Document Conventions 21
- New Features in this Release 21
- Product Documentation 22
- Documentation Updates 23
- Introduction 25
- Chapter 1 Introduction 26
- Clean Access Manager (CAM) 29
- Clean Access Server (CAS) 29
- Client Login Overview 30
- Cisco NAC Appliance Agents 38
- Cisco NAC Web Agent 40
- Network Scanner 41
- Managing Users 44
- Publishing Information 47
- Admin Console Summary 48
- Servers, Adding Filters 51
- Global and Local Settings 59
- Adding Multiple Entries 62
- Figure 2-6 Endpoint Summary 69
- Configure Device Filters 70
- Figure 2-7 New Device Filter 71
- Test Device Filter Policies 75
- Configure Subnet Filters 77
- Limitations 79
- Map Endpoint Policies 83
- View Rules 85
- Edit Rules 85
- Delete Rules 86
- Order Rules 86
- Cisco ISE is not reachable 89
- Deployment 91
- In-Band Versus Out-of-Band 92
- Out-of-Band Requirements 92
- Flow for OOB VGW Mode 98
- Deployment Modes 100
- L3 Out-of-Band Deployment 103
- Configure Your Switches 104
- • Switch configuration level: 108
- CAT 2950 109
- Internet 109
- CAT 3550 109
- Switch Configuration 111
- CAM/CAS Configuration 111
- List of MIBs and OIDs 112
- Configure Group Profiles 118
- Add Group Profile 119
- Edit Group Profile 119
- Configure Switch Profiles 120
- Add Switch Profile 121
- Configure Port Profiles 123
- Add Port Profile 124
- Configure VLAN Profiles 130
- Add VLAN Profile 132
- Edit VLAN Profile 133
- Configure SNMP Receiver 134
- Advanced Settings 135
- To Change Default SNMP 136
- Add and Manage Switches 138
- Add New Switch 139
- Search New Switches 140
- Verify Devices 141
- Discovered Clients 142
- Manage Switch Ports 144
- Figure 3-34 Ports Tab 145
- • Profile (2) 150
- Config Tab 153
- Advanced 154
- Linkdown Traps 154
- Port Security 155
- Enabling Port Security 155
- Re-Enabling MAC Notification 156
- Figure 3-41 Config Group 157
- • L2 OOB Real IP Gateway 157
- Out-of-Band Users 158
- OOB Troubleshooting 161
- Troubleshooting SNMP 162
- Unknown User Name 163
- Wrong Digest 163
- Authorization Error 163
- Unsupported Security Level 163
- No Access 163
- OOB Client MAC/IP Not Found 164
- Additional Information 164
- Overview 165
- DHCP Bridging Mode 167
- SNMP Control 168
- SNMP Trap 183
- Discovered Wireless Clients 188
- Figure 4-22 Config > Group 190
- Wireless Out-of-Band Users 191
- User Login Page 193
- Proxy Settings 194
- Add Default Login Page 195
- Agent Login 198
- Web Login 198
- Customize Login Page Content 200
- Upload a Resource File 205
- Customize Login Page Styles 206
- Guest User Access 209
- Local Users 215
- Create User Roles 216
- User Role Types 217
- Normal Login Role 218
- Session Timeouts 220
- Default Login Page 221
- Traffic Policies for Roles 221
- Adding a New User Role 221
- Role Properties 223
- Editing an Existing Role 228
- Create Local User Accounts 229
- Local Authentication 233
- Providers 233
- Mapping Rules 233
- FIPS 140-2 Compliance 233
- Kerberos 235
- Set Up the IPSec Tunnel 239
- (Figure 7-8) 243
- Click Add 243
- Windows NT 245
- Multiple Domain SSL 251
- Windows NetBIOS SSO 252
- Cisco VPN SSO 254
- Add Cisco VPN SSO Auth Server 255
- Allow All 256
- AD/LDAP Configuration Example 259
- Configure Mapping Rule 262
- Add Mapping Rule to Role (B) 265
- Editing Mapping Rules 267
- Auth Test 269
- Authentication Successful 270
- Authentication Failed 270
- RADIUS Accounting 271
- Data Fields 273
- Logout Event Data Fields 274
- Figure 7-39 Login Events 276
- Figure 7-40 Logout Events 276
- Figure 7-41 Shared Events 276
- Schedule 277
- Traffic Policy Priority 278
- Global vs. Local Scope 279
- Add IP-Based Policy 280
- Edit IP-Based Policy 283
- Enable Default Allowed Hosts 285
- Add Allowed Host 286
- Control Bandwidth Usage 289
- Session Timer 291
- Heartbeat Timer 291
- In-Band (L2) Sessions 292
- Example Traffic Policies 300
- Microsoft Xbox 301
- Other Game Ports 301
- Unauthenticated Role 303
- Agent Temporary Role 303
- Quarantine Role 303
- Step 7 Click Update 311
- Configure Out-of-Band Logoff 312
- Network Requirements 313
- Feature Limitations 314
- Enable Out-of-Band Logoff 315
- Troubleshooting OOB Logoff 315
- View Current Updates 318
- Agent Distribution 324
- Installation Page 326
- • nac_logo.gif 339
- • nac_login.xml 339
- • nacStrings_xx.xml 339
- Agent Login Screen 340
- Cisco NAC Agent MSI Installer 343
- Role Mapping 346
- AV Rules and AS Rules 349
- Verify AV/AS Support Info 350
- Create an AV Rule 353
- Create an AS Rule 359
- Prerequisites 364
- Custom Requirements 377
- Custom Rules 378
- Custom Checks 379
- Copying Checks and Rules 379
- Configuration Summary 380
- Create Custom Check 380
- Registry Checks 381
- File Checks 382
- Service Check 383
- Create a Custom Rule 384
- Validate Rules 386
- Create a Custom Requirement 387
- Map Requirements to Rules 397
- Validate Requirements 400
- Figure 9-48 Requirement List 401
- Downgrading the Agent 408
- Configure Agent Auto-Upgrade 409
- Uninstalling the Agent 410
- Uninstall Cisco NAC Agent 411
- Uninstall Mac OS X Agent 411
- Versioning 413
- Cisco Updates 413
- Cisco NAC Agent Download 415
- Cisco NAC Agent 416
- Figure 10-2 Login Page 417
- System Requirements 439
- Mac OS X Cisco NAC Agent 457
- Mac OS X Agent Prerequisites 458
- Mac OS X Agent Restrictions 462
- CAM/CAS Restrictions 462
- CCAAgent.app (Figure 10-76) 476
- Viewing Agent Reports 480
- Exporting Agent Reports 484
- Manage Certified Devices 489
- Add Exempt Device 491
- Add Floating Devices 495
- Report Settings 497
- CCA Servers 499
- Managed Switches 499
- Authentication Servers 500
- Custom Reports 501
- Figure 11-20 Generate Reports 502
- Generating a Report 503
- Scheduling Report Generation 504
- View Saved Templates 505
- View Executive Summary 505
- Configuration 506
- User Activity Log Files 506
- Online Users list 507
- Interpreting Active Users 508
- View Online Users 509
- In-Band Users 510
- Log Users Off the Network 513
- Display Settings 514
- Agent Troubleshooting 515
- Cisco NAC Web Agent Logs 516
- Client Cannot Connect/Login 517
- AV/AS Rule Troubleshooting 519
- Background 520
- Workaround 520
- Option 2 521
- Configuring Network Scanning 522
- User Page Summary 525
- Configure the Quarantine Role 527
- Uploading Plugins 528
- Deleting Plugins 529
- Configure General Setup 530
- Apply Plugins 531
- Configure Plugin Options 533
- Test Scanning 537
- View Scan Reports 538
- Monitoring Event Logs 546
- Interpreting Event Logs 549
- Table 13-2 Log Viewer Page 550
- Event Log Example 552
- Configuring Syslog Logging 554
- Cisco NAC Appliance Log Files 556
- Enable SNMP Polling/Alerts 558
- Add New Trapsink 560
- SNMP on Individual CAS 562
- Add New Trapsink to CAS 563
- Administering the CAM 564
- Failover 567
- Set System Time 568
- Manage CAM SSL Certificates 570
- Viewing Trusted CAs 580
- Removing Trusted CAs 581
- System Upgrade 587
- Licensing 588
- Remove Product Licenses 590
- Remove Legacy License Keys 590
- Policy Import/Export 591
- Example Scenarios 592
- Before You Start 593
- Configure the Master 595
- Configure the Receiver 598
- Perform Policy Sync 599
- Perform Manual Sync 600
- Perform Auto Sync 601
- View History Logs 602
- Support Logs 605
- Agent Logs 609
- Admin Users 610
- Figure 14-33 Admin Groups 611
- Figure 14-34 New Admin Group 612
- Login/Logout an Admin User 614
- Add an Admin User 614
- Edit an Admin User 615
- Active Admin User Sessions 616
- Manage System Passwords 619
- Backing Up the CAM Database 621
- Database Recovery Tool 627
- API Support 628
- Error and Event Log Messages 630
- CAM Event Log Messages 631
- Authentication Requirements 637
- Device Filter Operations 638
- Appendix B API Support 639
- User Operations 644
- Guest Access Operations 647
- Report Operations 649
- MIB Support 658
- Table C-1 CLEAN ACCESS - MIB 659
- Table C-2 SNMPv2-MIB 660
- Table C-3 RFC1213-MIB 660
- Table C-4 IP-MIB 661
- Table C-4 IP-MIB (continued) 662
- Ta b l e C - 5 U D P - M I B 664
- Table C-6 HOST-RESOURCES-MIB 664
- Appendix C MIB Support 665
- Ta b l e C - 7 M TA- M I B 666
- Table C-8 IF-MIB 666
- Table C-9 DISMAN-EVENT-MIB 667
- Table C-8 IF-MIB (continued) 667
- Table C-12 UCD-DLMOD-MIB 670
- Table C-13 NET-SNMP-AGENT-MIB 671
- Table C-16 SNMP-MPD-MIB 671
- Table C-17 SNMP-TARGET-MIB 672
- OpenSSL/Open SSL Project 674
- Original SSLeay License: 675
Verwandte Produkte und Handbücher für PC / Workstation Barebones HP 3350 - Cisco NAC Appliance
(136 Seiten)
(8 Seiten)
(175 Seiten)
(158 Seiten)© 2020, manymanuals.de. Alle Rechte vorbehalten. | 1.401 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Kommentare zu diesen Handbüchern