BRKSEC-3040: Troubleshooting Cisco NAC

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. BRKSEC-3040 14355_04_2008_c2 (slide template © 2006, Cisco Systems, Inc., Presentation_ID.scr)




Agenda

NAC Appliance Overview

NAC Appliance Process Flow

NAC General Troubleshooting

NAC OOB Troubleshooting

Single Sign On Troubleshooting


Cisco NAC Appliance Overview


What Is Network Admission Control?

Identity: Who is the user? Is s/he authorized? What role does s/he get?

Plus device security (NAC): Is MS patched? Does A/V or A/S exist? Is it running? Are services on? Do required files exist?

Plus network security (NAC): Is policy established? Are non-compliant devices quarantined? Is remediation required? Is remediation available?

Using the network to enforce policies ensures that incoming devices are compliant.


Cisco NAC Appliance Components

Cisco Clean Access Manager (CAM): Centralizes management for administrators, support personnel, and operators

Cisco Clean Access Server (CAS): Serves as enforcement point for network access control

Cisco Clean Access Agent (CAA): Optional lightweight client for device-based registry scans in unmanaged environments

Rule-set Updates: Scheduled automatic updates for anti-virus, critical hot-fixes and other applications


Overview

Distributed architecture deployment

CAS is in Bridged (Virtual Gateway) or Routed (Real-IP Gateway) mode

Users are Layer 2 (L2) or Layer 3 (L3) adjacent to CAS.

CAS is In-Band (IB), i.e. inline all the time, or Out-of-Band (OOB); an OOB CAS is inline only during NAC posture assessment and remediation.


NAC Server Foundation: Virtual Gateway and Real IP Gateway

NAC Servers at the most basic level can pass traffic in one of two ways:

Bridged Mode = Virtual Gateway

Routed Mode = Real IP Gateway / NAT Gateway

Any NAC Server can be configured for either method, but a NAC Server can only be one at a time

Gateway mode selection affects the logical traffic path

Does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band


NAC Server Foundation: Virtual Gateway

Direct Bridging: Frame Comes In, Frame Goes Out

VLAN IDs are either passed through untouched or mapped from A to B

DHCP and Client Routes point directly to network devices on the Trusted side

NAC Server is an IP passive bump in the wire, like a transparent firewall


NAC Server Foundation: Real IP/NAT Gateway

NAC Server is Routing, Packet Comes In, Packet Goes Out

VLAN IDs terminate at the Server, no pass-through or mapping

DHCP and Client Routes usually point to the Server for /30

NAC Server is an active IP router, and can also NAT outbound packets*

* Be aware of NAT performance limitations


NAC Server Foundation: Edge and Central Deployment

NAC Servers have two physical deployment models: Edge Deployment and Central Deployment

Any NAC Server can be configured for either method

Deployment mode selection affects the physical traffic path

Does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band


NAC Server Foundation: Edge Deployment

Easiest deployment option to understand

NAC Server is logically inline and physically inline

Supports all Catalyst Switches

VLAN IDs are passed straight through when in VGW


Installations with multiple Access Layer closets can become complex


NAC Server Foundation: Central Deployment

Most common deployment option

NAC Server is logically inline, NOT physically inline

Supports 6500/4500/3750/3560

VLAN IDs are mapped when in VGW

Easiest installation

Most scalable in large environments

*3550 is not supported


NAC Server Foundation: Central Deployment

Example Enterprise Central Deployment, Virtual Gateway Mode: 3 Access Layer Closets, 6 VLANs

500 users per VLAN, 3000 users total

3 VLANs per NAC Server, 500 users each


NAC Server Foundation: Layer 2 Mode and Layer 3 Mode

NAC Servers have two client access deployment models: Layer 2 Mode and Layer 3 Mode

Any NAC Server can be configured for either method, but a NAC Server can only be one at a time

Deployment mode selection is based on whether the client is Layer 2 adjacent to the NAC Server


NAC Server Foundation: Layer 2 Mode

Client is Layer 2 Adjacent to the Server

MAC address is used as a unique identifier

Supports both VGW and Real IP GW

Supports both In Band and Out of Band

Most common deployment model for LANs


NAC Server Foundation: Layer 3 Mode

Client is NOT Layer 2 Adjacent to the NAC Server

IP Address is used as a unique identifier

Supports both VGW and Real IP GW

Supports In Band mode

Needed for WAN and VPN deployments


NAC Server Foundation: In Band and Out of Band

NAC Servers have two traffic flow deployment models: In Band and Out of Band

Any NAC Server can be configured for either method, but a NAC Server can only be one at a time

Selection is based on whether the customer wants to remove the NAC Server from the data path

NAC Server is ALWAYS inline during Posture Assessment


NAC Appliance Process Flow and General Troubleshooting


Finding Where the Problem Is…

Don’t Know Where to Start!

Know the type of deployment: Virtual Gateway/Real-IP, In-Band/Out-of-Band, Layer 2/Layer 3

Understand the process flow, e.g. When does the user get an IP? When does the agent pop up?

Identify expected behavior, e.g. Should the client get an IP in the Access or Auth VLAN?

Determine the deviation: list your problems, e.g. User not redirected to CAS login page

Isolate the problem: use logs/debugs/tools to narrow down the issue



NAC Appliance Overview: Process Flow

Figure: end user, NAC Appliance Server, NAC Appliance Manager and Authentication Server in front of the Intranet/Network (“The Goal”)

1. End user attempts to access a Web page or uses an optional client. Network access is blocked until wired or wireless end user provides login information

2. User is redirected to a login page. NAC Appliance validates username and password, also performs device and network scans to assess vulnerabilities on the device

3a. Quarantine Role: Device is noncompliant or login is incorrect. User is denied access and assigned to a quarantine role with access to online remediation resources

3b. Device is “clean”: Machine gets on “certified devices list” and is granted access to network


Process Flow—Protocol Exchange

Figure: sequence diagram with three lanes, User Machine, Server and Manager; the messages and ports shown are:

DHCP Request

Open Web browser (if no agent)

URL Redirect to Weblogin

UDP Discover (8905, 8906)

Connect via TCP (443)

Download Clean Access Agent: Agent download (80)

Pre-connect (1099)

User Login (443)

Download Policy to Agent: Agent checks and rules, XML (443)

Agent Performs Posture Assessment

Report (443)

Connect request (1099), Connect Response (8955, 8956)

Server Performs Access Enforcement

Certified and Logged On


Checklist

Can you add CAS to the CAM?

Does user have an IP address?

Is user being redirected to login page?

Does the Clean Access Agent pop up?

Is Authentication/Login successful?

Does user pass/fail posture checks?

Can user access network resources?


Cannot Add CAS to CAM

Q- "Can CAM and CAS ping each other?" Check interfaces on CAM, CAS (eth0) and switch(es). Is the shared secret between Manager and Server correct?

Verify matching hash (cat /root/.secret) on CAM and CAS

Check “Monitoring >> Event logs” for errors

Licensing Issue!! Typically means a server license file has not been loaded.

Connectivity Issue!! Firewall between CAM/CAS? Ensure TCP ports 443, 80, 1099 (CAS) and ports 443, 80, 8995, 8996 (CAM) are allowed at minimum


End User Not Getting an IP Address

Q- "Is CAS the DHCP server (Real-IP G/W)?" Check /var/log/dhcplog for the DHCP handshake

Is IP allocation based on the incoming (Auth) VLAN? CAS reads the 802.1q tag for the Auth VLAN to dispense an IP address

Check the switch port for CAS Untrusted (eth1) and ensure that the Auth VLAN is being tagged (not as native VLAN)


End User Not Getting an IP Address

Q- "DHCP server is beyond the CAS (Virtual Gateway)?" Is the DHCP VLAN (Access VLAN) trunked to the switchport for the CAS Trusted Interface (eth0)?

Is VLAN mapping enabled and configured right?


End User Not Getting an IP Address (ARP Table)

CAS maintains its own ARP/Routing tables

Standard Linux ARP tables do NOT apply here

ARP entry will confirm whether the traffic is hitting the Untrusted interface of the CAS or NOT

ARP Tables: /proc/click/intern_arpq/table (Untrusted)


Users Not Redirected to Web Login Page

Q- "Does browsing to the IP address of the CAM work?" Check client DNS settings. Can the client resolve DNS?

Isolate the problem: connect a PC to a port on the Core switch where the CAS is connected to check redirection.

Is there an SVI for the Auth VLAN? The Auth VLAN must be a L2-only VLAN on all switches

Prune the Auth VLAN from all other links except CAS Untrusted


Users Not Redirected to Web Login Page: L2 Client Mode

Q- "Only browsing to IP/name of CAS works?" Ensure Managed Subnets are configured correctly

For L2 subnets: “Managed subnets are configured with an unused IP from the Trusted subnet, but VLAN ID from Auth VLAN”


Users Not Redirected to Web Login Page: L3 Client Mode

Q- "Only browsing to IP/name of CAS works? (L3 mode)" Ensure Static Routes are configured correctly

The static route will be for the user subnet, pointing to the next hop on the Un-trusted Interface

** Un-authenticated traffic must be blocked for the redirect to happen


Agent Does Not Pop Up

Q- "Is agent able to communicate with CAS?"

Agent sends “Discovery packets” (small UDP packets) every 5 seconds to detect CAS

Agent first sends an L2 discovery packet to the default g/w on UDP 8905, hoping for an L2 CAS to respond

CAS responds when it sees any discovery packet passing “THROUGH” it

The response from CAS makes the agent pop up

Failing an L2 response from a CAS, the agent sends an L3 discovery packet to the “Discovery Host” on UDP 8906


Agent Does Not Pop Up

“Discovery Host” is a configurable IP/hostname that agent gets from the following registry key on client PC

HKCU\Software\Cisco\Clean Access Agent\ServerUrl

Registry key + value gets configured during agent install based on the setting on CAM

It is an IP/name which is routable “through” the CAS

The response from CAS makes agent pop up


Agent Does Not Pop Up

For L2 deployments, check Web redirection first.

Web redirection works, but Agent doesn’t pop up? Check if the agent is sending UDP 8905 packets to the default G/W

Personal Firewall blocking discovery packets?

For L3 deployments, check the Discovery Host value on the client machine

Is Discovery Host value present in the registry key?

If discovery host is a name, can it be resolved in DNS?

Is it routable through CAS from client machine?

For OOB deployments, confirm that port is on Auth VLAN. CAS will only be reachable on Auth VLAN


Login/Authentication Fails

Q- "Does Auth Test from CAM succeed?"

Authentication/Posture is carried over SSL

Agent/browser posts credentials to CAS

CAS posts to CAM over SSL again

Except Single Sign On, all backend authentications are performed by CAM


Login/Authentication Unsuccessful

Q- "For name based certificates, can DNS resolve the name?"

HA certificates are based on Virtual IP/hostnames

Sync time on CAM/CAS to NTP (at most 5 minutes lag)

Regenerate certificates and reboot

Check /perfigo/logs/perfigo-redirect-log0.log.0 on CAS


Login/Authentication Unsuccessful

Example: /perfigo/logs/perfigo-redirect-log0.log.0 on CAS

Indicates connectivity issue between CAM and CAS

Indicates time on CAM/CAS are not in sync

CAS is posting to wrong IP. CAM certificate generated with wrong IP?


Login/Authentication Unsuccessful

Indicates CAS does not trust CAM’s cert

Typically seen when the CAM has a CA signed certificate

Import the CAM’s CA root certificate into CAS as "Trust a non-standard CA" and restart CAS.


User Not Being Postured Correctly

Check Online user for user’s role

Is Role mapping configured right?


Cannot Access Network After Login (IB)

Q- "Have you allowed access to the network under Traffic Control in the final role?"

Real-IP Gateway?—CAS does not advertise routes, add static routes on next hop router for the Managed subnets


NAC Appliance Troubleshooting: Out-of-Band (OOB)


Out-of-Band Process Flow

Figure (topology used in the following steps): the PC sits on an access port that is in v110 while it is being authenticated and in v10 once it is allowed on the network; a dot1q trunk carrying v10, v110 connects the switch to the CAS, which sits on vlan 10,30 and does VLAN Mapping v110 to v10; SVIs are v10: 10.10.0.1, v900: 10.90.0.1, v30: 10.30.0.1; the DHCP Server holds the vlan 10 scope 10.10.0.5 – 10.10.0.254; the other addresses shown are 10.90.0.2 (vlan 900) and 10.30.0.2 (vlan 30)

1. PC is attached to the network

2. Switch sends MAC address via SNMP to the CAM


Out-of-Band Process Flow

3. CAM verifies if PC is ‘Certified’. If PC is not certified, CAM instructs the switch to assign the port to the Authentication VLAN (port now in v110)

PC gets a DHCP IP address in the vlan 10 subnet (IP: 10.10.0.10, DG: 10.10.0.1) because DHCP/DNS traffic passes through the CAS using VLAN Mapping


Out-of-Band Process Flow

4. All traffic from PC flows to the CAS, CAS enforces network access restrictions (port still in v110)

5. PC goes through Authentication, Posture Assessment and Remediation


Out-of-Band Process Flow

6. CAS informs CAM that PC is ‘Certified’

7. CAM instructs switch to assign port to ‘Access’ vlan based on Port mapping or User Role Assignment (port now in v10)

8. PC is allowed access to network


Port Not Being Moved to Auth VLAN?

Check snmp settings on the client switch. Ensure that mac-notifications are enabled and CAM is set to receive the MAC-notifications

Confirm that you can ping CAM from the switch and vice-versa

Add the “snmp-server trap-source <interface>” command to ensure that traps are being sourced with the correct IP


Port Not Being Moved to Auth VLAN?

Ensure SNMP settings on CAM/Switch are matching


Port Not Being Moved to Auth VLAN?

Check if the user is already present in the Certified Device list and the Online Users list

CAM will change the user port VLAN to the Access VLAN if the user is already on the Certified Device List and the Online Users List


Port Not Being Moved to Auth VLAN?

If the user is already present in Certified Device list But NOT in the Online Users List

Check the Port Profile Options and confirm which VLAN is selected for this scenario

CAM will change the user port to Access VLAN if port profile option is set to access VLAN


Switch Debugs and CAM Logs Are Handy

“debug snmp headers” and “debug snmp packets” can be used on test/lab switches

Do not use this on production switches


Switch Debugs and Cam Logs Are Handy

Go to Administration >> CCA Manager >> Support Logs

Set Logging level to “All” as shown

Download support logs and look at /perfigo/logs/perfigo-log0.log.0


NAC Appliance Wireless/VPN Single Sign On


Role of Radius Accounting

CAS acts as a Radius Accounting Server for ASA/WLC

Authentication is independent of Accounting

E.g. ASA could authenticate VPN users against LDAP, but still account using Radius

CAS trusts the Authentication performed by another network device (WLC, ASA etc) and uses the Accounting packet from them for SSO


Wireless Single Sign On (SSO) Process

WLC performs dot1x/LDAP based Authentication

WLC sends Radius Accounting to CAS


VPN SSO Process

User logs in using IPSEC or SSL VPN client

VPN server sends Radius Accounting packet to CAS

CAS performs SSO for that user based on the Accounting packet

CAS can optionally be configured to forward that Accounting packet to another Radius server


Is the CAS Receiving Accounting Packets?

Go to CCA Servers >> Manage (CAS IP) >> Authentication >> VPN Auth >> Active Clients and click “Show All”

START packet adds an entry, STOP packet removes it

User not added to Online User list until CAS sees traffic from actual user IP

Entry not seen here? Format of Radius packet is important


Packet Format

Radius Accounting packet must contain the following minimum fields to be added to Active List on the CAS

User-Name

Acct-Status-Type

Framed-IP-Address OR Calling-Station-ID checked in that order

Acct-Status-Type needs to be a START packet. Interim/Update packets will not be added to Active List.

Framed-IP-Address will be considered first. If not present, Calling-Station-ID will be considered.
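The minimum-field rule above, worked as an added example (not Cisco or CAS code): it parses a RADIUS Accounting-Request, checks the RFC 2866 Request Authenticator against the shared secret, and returns what the Active Clients list should do with the packet. The packets, attribute values and shared secret are constructed here (modelled on the sanitised support-log excerpt later in the deck), not captured from a real NAS.

```python
"""Constructed example, not Cisco code: parse a RADIUS Accounting-Request (RFC 2866) and
apply the Active Clients rule from the slide: User-Name and Acct-Status-Type are required,
only Start adds an entry, and Framed-IP-Address is used before Calling-Station-Id."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
# Attribute type codes (RFC 2865/2866), named as in the CAS support log.
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CALLING_STATION_ID, ACCT_STATUS_TYPE = 31, 40
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_attributes(payload: bytes) -> dict:
    """Walk the Type/Length/Value list, rejecting truncated or zero-length TLVs."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return attrs

def parse_packet(raw: bytes):
    """Return (code, identifier, authenticator, attributes); raise on a malformed datagram."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("Length field inconsistent with the datagram")
    return code, ident, raw[4:20], parse_attributes(raw[20:length])

def verify_request_authenticator(raw: bytes, secret: bytes) -> bool:
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    CAS trusts the NAS's authentication, so this check is what ties that trust to the
    shared secret; a packet that fails it must never reach evaluate()."""
    length = struct.unpack("!H", raw[2:4])[0]
    expected = hashlib.md5(raw[:4] + bytes(16) + raw[20:length] + secret).digest()
    return hmac.compare_digest(expected, raw[4:20])

def evaluate(raw: bytes):
    """Return ('add', (user, ip, source)), ('remove', user) or ('ignore', reason)."""
    code, _, _, attrs = parse_packet(raw)
    if code != ACCOUNTING_REQUEST:
        return ("ignore", f"code {code} is not Accounting-Request")
    if USER_NAME not in attrs or ACCT_STATUS_TYPE not in attrs:
        return ("ignore", "User-Name or Acct-Status-Type missing")
    user = attrs[USER_NAME][0].decode("utf-8", errors="replace")
    status_raw = attrs[ACCT_STATUS_TYPE][0]
    if len(status_raw) != 4:
        return ("ignore", "malformed Acct-Status-Type")
    status = struct.unpack("!I", status_raw)[0]
    if status == STATUS_STOP:
        return ("remove", user)          # STOP packet removes the entry
    if status != STATUS_START:           # Interim/Update packets are not added
        return ("ignore", f"{STATUS_NAMES.get(status, status)} is not Start")
    if FRAMED_IP_ADDRESS in attrs and len(attrs[FRAMED_IP_ADDRESS][0]) == 4:
        ip = ".".join(str(b) for b in attrs[FRAMED_IP_ADDRESS][0])
        source = "Framed-IP-Address"     # considered first
    elif CALLING_STATION_ID in attrs:
        ip = attrs[CALLING_STATION_ID][0].decode("utf-8", errors="replace")
        source = "Calling-Station-Id"    # fallback
    else:
        return ("ignore", "neither Framed-IP-Address nor Calling-Station-Id present")
    return ("add", (user, ip, source))

# Constructed test packets; SECRET is a placeholder, not a deployment value.
SECRET = b"constructed-shared-secret"

def build_accounting_request(ident: int, attrs, secret: bytes) -> bytes:
    """Test helper: build an Accounting-Request with a valid Request Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def ip4(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))

def be32(value: int) -> bytes:
    return struct.pack("!I", value)

START_PKT = build_accounting_request(1, [
    (USER_NAME, b"jdoe"), (FRAMED_IP_ADDRESS, ip4("10.50.50.1")),
    (CALLING_STATION_ID, b"157.130.22.122"), (ACCT_STATUS_TYPE, be32(STATUS_START)),
    (NAS_IP_ADDRESS, ip4("10.20.20.3"))], SECRET)
INTERIM_PKT = build_accounting_request(2, [(USER_NAME, b"jdoe"),
    (FRAMED_IP_ADDRESS, ip4("10.50.50.1")), (ACCT_STATUS_TYPE, be32(STATUS_INTERIM))], SECRET)
CALLING_ONLY_PKT = build_accounting_request(3, [(USER_NAME, b"jdoe"),
    (CALLING_STATION_ID, b"157.130.22.122"), (ACCT_STATUS_TYPE, be32(STATUS_START))], SECRET)
STOP_PKT = build_accounting_request(4, [(USER_NAME, b"jdoe"),
    (ACCT_STATUS_TYPE, be32(STATUS_STOP))], SECRET)
```

Running `evaluate()` on the four constructed packets gives add, ignore, add (via Calling-Station-Id) and remove, which is the behaviour the slide describes for the Active Clients list.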


View Radius Accounting Logs on CAS

Login to the CAS directly by pointing your browser to https://<CAS-IP-address>/admin

Navigate to Monitoring >> Support Logs

Set the level of logging for “Radius Accounting Proxy Server Logging” to “ALL”

To see Radius packet details, you will need to also set “CAM/CAS communication logging” to “ALL”


View Support Logs

To view support logs in real time, tail the following file: /perfigo/logs/perfigo-redirect-log0.log.0

Alternatively, you can download the support logs from Monitoring >> Support Logs

Apr 25, 2007 4:58:54 PM com.perfigo.wlan.radius.RadiusAccServer processPacket
FINEST: Received radius packet? from /10.20.20.3:1026
Apr 25, 2007 4:58:54 PM om.perfigo.wlan.jmx.admin.VPNUserManager$VPNAccHandle accounting
<------------------------------------------- DETAIL LOGGING ENABLED --------------------------------------------------
FINEST: Received accounting request from /10.20.20.3:
User-Name (1), Length: 8, Data: [jdoe], 0x68616D696E68
NAS-Port (5), Length: 6, Data: [# 131072], 0x00020000
Service-Type (6), Length: 6, Data: [# 2 (Framed)], 0x00000002
Framed-Protocol (7), Length: 6, Data: [# 1 (PPP)], 0x00000001
Framed-IP-Address (8), Length: 6, Data: [# 2887306241] / [IP 10.50.50.1], 0xAC18CC01
Called-Station-Id (30), Length: 12, Data: [12.6.247.4], 0x31322E362E3234372E34
Calling-Station-Id (31), Length: 16, Data: [157.130.22.122], 0x3135372E3133302E32322E313232
Acct-Status-Type (40), Length: 6, Data: [# 1 (Start)], 0x00000001
Acct-Input-Packets (47), Length: 6, Data: [# 33], 0x00000021
Acct-Output-Packets (48), Length: 6, Data: [# 270], 0x0000010E
NAS-Port-Type (61), Length: 6, Data: [# 5 (Virtual)], 0x00000005
NAS-IP-Address (4), Length: 6, Data: [# 184436253] / [IP 10.20.20.3], 0x0AFE461D


NAC Appliance Windows Single Sign On


Windows Single Sign on Process

Phase 1: CAS—DC Communication. This phase is for the CAS to authenticate itself to the domain

Once authenticated, CAS starts the SSO service to serve clients

Phase 2: Client (Agent)—CAS Communication. This phase happens AFTER the service on CAS is started

This involves CAS asking the client (Agent) for a SSO Kerberos Service ticket in order to perform SSO


Phase 1: CAS-DC Communication

KTPASS is executed for Service Account on DC

CAS authenticates itself to DC first to enable Service

DC responds with AS-REP upon successful Auth


Phase 2: Client (Agent)—CAS Communication

CAS instructs Agent to get a Service Ticket (ST) for the SSO Service

Agent gets the ST from the DC and gives it to CAS

CAS performs SSO


Ensure Basics Are Covered!!

Windows SSO applies only to an Active Directory environment

Clean Access Agent is mandatory for Windows SSO

Requires the use of Clean Access Agent 4.0.0.0 or above

CAM/CAS need to be running 4.0.0 or above as well

Domain Controller must be running Win2K+SP4, Win2K3+SP1 or Win2K3R2

Confirm domain login is complete and working without NAC before testing Windows SSO


Identify the Phase

Isolating the problem is half the battle!!!

First step is to identify whether your problem falls under Phase 1 (CAS—DC communication) or Phase 2 (Client—CAS) communication

Question to ask: Is the Service on the CAS started?

No: Focus on CAS-DC Authentication problems

Yes: Focus on the client side. Client communication with DC and CAS are important here

Let’s take a look at troubleshooting some of the common Phase 1 and Phase 2 issues!!


Cannot Start Service on CAS (Phase1)

When you try to enable the AD SSO Service on the CAS:

Login to CAS at https://<CAS-IP-address>/admin

From Monitoring >> Support Logs, set logging level for “AD Communication Logging” to “INFO”

tail -f /perfigo/logs/perfigo-redirect-log0.log.0 on the CAS


Cannot Start Service on CAS (Phase1)

Under CCA Servers >> Manage (CAS IP) >> Misc >> Time, ensure the time on the CAS is synchronized with the DC.

Point CAS to a Time server running NTP

Alternatively you can point CAS to the DC itself (lab setups) as Time server

May 2, 2007 5:59:13 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/[email protected]]
SEVERE: startServer - SSO Service authentication failed. Clock skew too great (37)

Typically means that CAS/DC times are not synchronized.


Cannot Start Service on CAS (Phase1)

Verify that the account name for the CAS (ccasso) exists on the DC

Ensure that the correct account name has been defined on the CAS

May 2, 2007 5:57:31 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/[email protected]]
May 2, 2007 5:57:31 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Client not found in Kerberos database (6)

Typically means that the username is wrong or does not exist in AD.

Cannot Start Service on CAS (Phase1)

May 2, 2007 5:59:13 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/[email protected]]
May 2, 2007 5:59:13 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Pre-authentication information was invalid (24)

This is a generic error, and it usually means one of these:

The KTPASS command on the DC was not run with the correct parameters

The Active Directory Server (FQDN) information on the CAS is incorrect

The account password for the CAS is incorrect

Cannot Start Service on CAS (Phase1)

ktpass -princ ccasso/[email protected] -mapuser ccasso -pass Cisco123 -out c:\test.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly

[Screenshots: User Account Properties; Control Panel -> System, annotated “CONVERT TO CAPITALS”]

Cannot Start Service on CAS (Phase1)

[Screenshot: Control Panel -> System, annotated “CONVERT TO CAPITALS”]

** KTPass.exe version known to work correctly is 5.2.3790.0
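The three Phase 1 failures above all surface as a SEVERE line in perfigo-redirect-log0.log.0 ending in a Kerberos error code. The following is an added example (not Cisco's code and not part of the session) that reads such log lines and maps each code to the cause and fix the slides give, and also applies the "convert to capitals" rule to the realm part of the SPN. It assumes the CAS prints the code in parentheses at the end of the SEVERE line exactly as in the excerpts; the sample log lines and the SPN ccasso/cas.example.com@EXAMPLE.COM are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the three excerpts in the slides.
# The SPN is a placeholder; a real CAS prints its own account/host@REALM.
SAMPLE_LOG = """\
May 2, 2007 5:59:13 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/cas.example.com@EXAMPLE.COM]
SEVERE: startServer - SSO Service authentication failed. Clock skew too great (37)
May 2, 2007 5:57:31 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/cas.example.com@EXAMPLE.COM]
SEVERE: startServer - SSO Service authentication failed. Client not found in Kerberos database (6)
May 2, 2007 5:59:13 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/cas.example.com@EXAMPLE.COM]
SEVERE: startServer - SSO Service authentication failed. Pre-authentication information was invalid (24)
"""

# Kerberos error codes quoted on the slides -> (likely cause, what to check), as the slides state them.
KRB_CAUSES = {
    37: ("CAS and DC clocks are not synchronized",
         "Point the CAS at an NTP server (or the DC itself in a lab) under "
         "CCA Servers >> Manage (CAS IP) >> Misc >> Time"),
    6: ("The CAS account name (e.g. ccasso) is wrong or does not exist in AD",
        "Verify the account on the DC and the account name configured on the CAS"),
    24: ("Generic pre-authentication failure: ktpass parameters, the AD server FQDN "
         "on the CAS, or the CAS account password is wrong",
         "Re-run ktpass with the correct -princ/-mapuser/-pass/-ptype and re-check "
         "the AD FQDN and password on the CAS"),
}

SPN_RE = re.compile(r"SPN : \[(?P<spn>[^\]]+)\]")
SEVERE_RE = re.compile(
    r"SEVERE: startServer - SSO Service authentication failed\. "
    r"(?P<msg>.+?) \((?P<code>\d+)\)"
)


@dataclass
class Finding:
    code: Optional[int]   # Kerberos error code, or None for a non-Kerberos finding
    message: str
    cause: str
    action: str


def which_phase(service_started: bool) -> str:
    """The decision from the 'Identify the Phase' slide."""
    return "Phase 2: client <-> DC/CAS" if service_started else "Phase 1: CAS <-> DC"


def realm_is_uppercase(spn: str) -> bool:
    """The realm is the part after '@'; the slides say to convert it to capitals."""
    if "@" not in spn:
        return False
    realm = spn.rsplit("@", 1)[1]
    return realm == realm.upper()


def classify(log_text: str) -> List[Finding]:
    """Walk the log and return one Finding per problem the slides describe.

    Both regexes use search(), so it also copes with a line that has the
    INFO and SEVERE parts run together, as happens in some log exports.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = SPN_RE.search(line)
        if m and not realm_is_uppercase(m.group("spn")):
            findings.append(Finding(None, f"SPN {m.group('spn')}",
                                    "Realm in the SPN is not all capitals",
                                    "Convert the realm to capitals and re-run ktpass"))
        m = SEVERE_RE.search(line)
        if m:
            code = int(m.group("code"))
            cause, action = KRB_CAUSES.get(
                code, ("Kerberos error not covered by the slides",
                       "Collect CAS and agent logs and work with TAC"))
            findings.append(Finding(code, m.group("msg"), cause, action))
    return findings


if __name__ == "__main__":
    print(which_phase(service_started=False))
    for f in classify(SAMPLE_LOG):
        print(f"[{f.code}] {f.message}\n    cause:  {f.cause}\n    action: {f.action}")
```

Run it against a saved copy of the CAS log (or pipe `tail -f` output through it line by line) once "AD Communication Logging" is at INFO; an unknown code falls through to the slides' catch-all advice of collecting logs for TAC.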

Service Starts, but SSO Fails (Phase 2)

Focus on client communication with DC and CAS

Confirm that ports are open to the appropriate DCs in the Unauthenticated Role

For testing, open complete access to DCs. Once you get SSO working you can tie it down to specific ports

Service Starts, but SSO Fails (Phase 2)

Disable the Lookup Server and test; lookup servers are for role mapping and are independent of SSO

Ensure that the client is logged into the domain and not the local PC

net time /set can confirm the client PC's communication with the DC

Service Starts, but SSO Fails (Phase 2)

Use Kerbtray to check if client PC has Service Ticket for CAS

Kerbtray is a free tool available through Microsoft Support tools

Get agent logs, get CAS logs, and work with TAC

How to collect agent logs:

http://www.cisco.com/en/US/products/ps6128/prod_release_note09186a00807bb9f3.html#wp113880

NAC Appliance Common Issues

Common Issues

Connecting the CAS to my core switch brings the network down

In a Virtual Gateway Central deployment, configure VLAN mapping before connecting the untrusted interface (eth1) to the switch (no longer an issue with the VLAN pruning option, which is enabled on the CAS by default)

CAM cannot get updates

Ensure the CAM can resolve DNS. Make sure the CAM can reach http://www.perfigo.com on port 80. From the CAM CLI:

curl http://www.perfigo.com/clean_machine_1/version-se.txt

Agent login keeps looping

Ensure managed subnets are configured correctly. Confirm the port gets moved to the Access VLAN after authentication

UI Errors

Check Certificate on the CAS and CAM

If using FQDN, make sure DNS can resolve it

Regenerate certs and reload CAM/CAS

Typically a network issue, seen because the Agent does not receive the CAS response

Check network connectivity

UI Errors

Means the CAM has not received a MAC notification for this MAC address

Check SNMP settings on the switch

Make sure the switch is sending MAC notifications to the CAM IP

Ensure that the community string for MAC notification is correct on both the CAM and the switch

UI Errors

This is a browser issue

"Check for server certificate revocation" checkbox in IE

Details available in Release Notes on this error

User page is not configured

Go to Administration >> User Pages and add a new login page

Finding Where the Problem Is…

I know the type of deployment: Virtual Gateway/Real-IP, In-Band/Out-of-Band, Layer 2/Layer 3

I understand the process flow, e.g. when does the user get an IP? When does the agent pop up? Where is the DHCP server located?

I'll ensure the basics are covered, e.g.

1) Ensure manual login is working before configuring VPN/Wireless SSO or AD SSO

2) In OOB, the VLAN is changing correctly after manual login

I Know Where to Start!

Q and A

Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
