COME VISIT MY NEW BLOG:

Tuesday, November 18, 2008

NAC Support Logs in 4.5

Many people might be wondering what happen to the handy dandy support logs that used to be located in the "/perfigo/logs/" directory in previous NAC versions. Well in version 4.5 there were some enhancements to the logging and with those enhancements came new placement of the logs.

These logs are most commonly used to troubleshoot NAC during deployments. Please do not turn on advanced logging without reading the documentation fully or with the assistance of Cisco TAC.

The CAM log can be found at:

/perfigo/control/tomcat/logs/nac_manager.log

The CAS log can be found at:

/perfigo/access/tomcat/logs/nac_server.log

For those of you not familiar with what the logs contain, please feel free to reference the CAM and CAS Configuration Guides:

CAM Admin Guide - Support Logs
CAS Admin Guide - Support Logs

Thursday, November 13, 2008

NAC Version Matrix

In June of 2006, NAC Version 4.0.0 was released. Since then, Cisco has released numerous updates and features to the NAC Appliance line! Recently a member of the NAC Mailing List posted the following request:

Is there a feature matrix to compare the various versions/tracks of
Cisco NAC?


So that is exactly what this posts answers. It is long, but I know at least one person appreciates it!

I will explore 3 major lines of code.. 4.0.X, 4.1.X and 4.5.X. Realistically all new deployments should be using 4.1.X or 4.5.X, but I wanted to give a good overview for everyone on older codes.

4.0.X

4.0.0
  • Support for Active Directory (Windows Domain) Single Sign-On (SSO)
  • Corporate Asset Authentication and Posture Assessment by MAC Address
  • Support for Layer 3 Out-of-Band (OOB) Deployment
  • New Windows Update Requirement Type
  • SMP Kernel Support for Super CAM
  • Support for Assigning VLANs by VLAN Name in OOB Deployments
  • Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments
  • Ability to Change Priority of Wildcard/Range Global Device Filters
  • Ability to View or Search Active L2 Devices in Device Filter List
  • Ability to Test MAC Addresses Against Device Filters
  • Support for Relay IP Class Restrictions on DHCP Server
  • Support for DHCP Global Actions
  • New "service perfigo maintenance" CLI Command for CAS
  • Ability of Clean Access Agent to Send IP/MAC for All Available Adapters
  • Support for Stub Installation/Update of the Clean Access Agent
  • OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
  • SNMP Enhancements for CAM
  • CAS Host-Based Traffic Policy Enhancements for Proxy Servers
  • Enhancements for DHCP Option Configuration Forms
  • Authentication Cache Timeout
4.0.1
  • Enable L3 Strict Mode
  • OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs
  • Link-Failure Based Failover in CAS HA
  • Upgrade Enhancements
  • CAM Disable Serial Login
  • CAM Admin Console Login Enhancements
  • Client OS Detection Signature Lookup
  • Start Timer Specification for Cisco Updates
  • API Enhancements
  • Enhancements for Windows XP Media Center Edition/Tablet PC
4.0.3
  • Restricted Network Access Option for Clean Access Agent Users
  • Daylight Savings Time Support
4.0.4
  • Support for Windows Vista Operating System
  • License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers
  • Improved Memory Footprint for Clean Access Agent Reports
  • Broadcast ARP Server Management Option Removed
  • Kernel Upgrade
4.0.6
  • Debug Log Download Enhancement
  • Syslog Configuration Enhancement

4.1.X

4.1.0
  • CAS Policy Fallback
  • Clean Access Agent/ActiveX/Applet DHCP Release/Renew
  • Support for GPO Update Trigger
  • Online Update to Retrieve Switch OIDs
  • Qualified Remediation Program Launch
  • Clean Access Agent for Mac OS X Authentication
  • Clean Access Agent Installation Options
  • Clean Access Agent Language Template Support
  • Clean Access Agent Silent Auditing
  • Searchable Clean Access Agent Reports
  • Certified Devices Timer Enhancements for Periodic Assessment
  • DHCP Renewal Enhancements
  • DHCP Subnet List Enhancements
  • DHCP Global Option Enhancements
  • IE 7.0 Support
  • Clean Access Agent Enhancements (4.1.0.0)
  • Port Profile Management for OOB Users
  • Enhancements to Check Parameters
  • Daylight Savings Time Support
  • Supported AV/AS Product List Enhancements (Version 42)
  • Deprecated IPsec/L2TP/PPTP/PPP Features
  • Deprecated Roaming Features

4.1.1
  • Support for Windows Vista Operating System
  • RADIUS Challenge-Response Support
  • Layer 2 Traffic Policy Support
  • Multiple Active Directory Server Support in AD SSO
  • Restricted Administrator Web Console Options Hidden from View
  • Proxy Server Basic/Digest/NTLM Authentication Support
  • VLAN Profiles
  • VLAN Pruning
  • Event Logs Enhancement
  • Agent Report Retrieval API Operation
  • Out-of-Band IP Refresh Enhancement
  • Switch Port Configuration Enhancements
  • SNMP Receiver Settings Enhancement
  • Support for Windows Vista Operating System
  • Windows Update Upon Agent Login
  • Agent Reports Show System and User Information
  • Agent IP Address Refresh/Renew Enhancement
  • CAS-Agent Discovery (SWISS) Enhancements
  • 4.1.0.x Agent Support on Release 4.1(1)
  • MAC OS RADIUS Challenge-Response Support
  • MAC OS Automatically Close Message Dialog After Successful Login
  • MAC OS IP Refresh Support for Out-of-Band Deployments
  • MAC OS Allow Only One Mac OS Agent to Run on the Client at a Time
4.1.2
  • Cisco NAC Appliance Integration with Cisco NAC Profiler/Collector Solution
  • New Cisco NAC Network Module (NME-NAC-K9) Support
  • NAC Appliance Platform Type Display
  • Debug Log Download Enhancement
  • Active VPN Client Status Page Enhancement
  • WSUS Requirement Configuration Display Enhancement
  • New "service perfigo platform" CLI Command
  • Web Login Support Using Safari Browser for Mac OS
4.1.3
  • Windows Clean Access Agent Language Template Support Enhancement
  • Cisco NAC Web Agent
  • Support for Clients with Multiple Active NICs
  • Clean Access Server HA Heartbeat Link Enhancement
  • Clean Access Manager HA Configuration and Heartbeat Link Enhancements
  • Guest User Login and Registration Enhancements
  • LDAP Authentication Enhancement
  • Clean Access Server and WSUS Interaction Enhancement
  • Agent Restricted User Access Enhancement
  • Device Filter List Display and Import/Export Enhancement
  • Agent Report Information Display and Export Enhancement
  • VPN SSO Login Enhancement
  • VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal
  • Syslog Configuration Enhancement
  • Debug Log Download Enhancement
  • cisco_api.jsp Enhancement
  • CSRF Protection
  • Proxy Support Enhancements
  • ARP Broadcast Packet Handling Improvement
  • Clean Access Server HA ARP Broadcast Enhancement
  • Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
  • Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
  • Clean Access Agent Auto Remediation
  • Delay Agent Logoff on CAM/CAS
  • 64-bit Windows Operating System Agent Support
  • Access to Authentication VLAN Change Detection Enhancement
  • SNMP Inform Notification Enhancement
  • SNMP "MAC Move Notification" Switch Port Configuration Support
4.1.6
  • Trusted Certificate Authority Enhancement for Production Environments
  • Enhanced CAM/CAS Web Console Features Certificate Warning Messages
  • Ability to View and Remove Certificate Authorities from CAM/CAS Without Rebooting
  • Enhanced Security with Server Identity Based Authorization
  • JMX Over SSL Secured with Mutual Authentication
  • HTTPS Connections Enhanced with Mutual Authentication
  • Features Optimized/Removed

4.5.X

4.5.0
  • Policy Import/Export
  • CAM/CAS SSL Certificate Management Enhancement
  • CAM/CAS Software Upload Page Enhancements
  • Database Snapshot Upgrade Enhancement
  • Clean Access Manager High Availability User Interface Enhancement
  • CAM/CAS Support Log Level Settings Enhancement
  • CAM/CAS High Availability Configuration Able to Detect Hard-Drive Failure
  • Support for Wireless Out-of-Band Deployments
  • Assign Restricted VLAN for OOB Client Machines When Disconnected
  • Certified Device List/Online User List Enhancements
  • Out-of-Band Shield Enhancement
  • Out-of-Band Discovered Clients Cleanup
  • Pre-Login Banner
  • Strong Password Support for Root Admin Users
  • External Authentication Server Support for Web Administrator Login
  • Support for Cisco NAC Appliance/NME-NAC Platforms Only
  • Web Upgrade Support Removed
  • Default CAM Web Console Password Removed
  • Windows ME/98/NT OS Support Removed

Bottom Line, I recommend 4.1.6 for any new deployment that does require any of the features of 4.5.X