NAC Version 4.6.1 - Now Available

NAC Appliance Version 4.6.1 was release yesterday.

Some of the new features:

Posture Assessment Support for 64-Bit Windows Operating Systems

The new NAC Agent can be installed and launched on 64-bit versions of Windows XP and Windows Vista, and can perform posture assessment and remediation on client machines. Earlier releases of Cisco NAC Appliance provided only authentication support for 64-bit client operating systems.

Agent Configuration XML File Upload Enhancement

This XML configuration file method of setting up Agents on client machines replaces the previous Clean Access Agent configuration schema requiring Windows registry setting manipulation for custom parameters. No more registry changes, hooray!

If you previously employed Windows registry settings to adjust Clean Access Agent behavior on client machines, you must specify the same settings in the XML Agent configuration file to preserve Agent behavior using the Cisco NAC Agent.
This upgrade has a ton of new agent features, as you can see in the above images, so make sure to check out the release notes and read for yourself.

4.6.1 Release Notes

And to configure these features, please reference the configuration guides:

NAC Manager Config Guide
NAC Server Config Guide

Cisco NAC Guest Server 2.0

NAC Guest Server has changed significantly with the latest 2.0 release. From External Portal Support to AD SSO, this revision has added some key enterprise features.

The features that have hit home the most for myself and my customers have been:

Active Directory Single Sign On

Cisco NAC Guest Server 2.0 can be joined to an Active Directory Domain and then automatically authenticate Internet Explorer browsers using Integrated Windows Authentication. This removes the need for sponsors to enter their username and password.

For details on configuration of ADSSO, see the Configuration of Active Directory Single Sign-On for NAC Guest Server Configuration Example

Credit Card Billing Support

Cisco NAC Guest Server 2.0 provides the ability for guests to purchase accounts via credit card support.

This means that you can now use NGS to provide ROI for guest internet access.

Management Reports

Management reports are enhanced to provide the following guest network usage information:

•Total Guest Accounts Created
•Total Authenticated Guests
•Total Cumulative Connect Time
•Sponsor Usage Reporting
•Access Summaries by Device

To See a list of all the new features in NAC Guest Server 2.0, please read the the release notes:

http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/20/gsrn20.html#wp65354

And to configure these features, please reference the configuration guide:

http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/nacguestserver.html

NAC NEWS UPDATES

The following is a list of new things out there in the Cisco NAC World. The NAC Market is continuing to grow in 2009 and with the growth the products will continue to evolve, get better and have more options.

Security Options Abound: New NAC Release

My friends over at TechWiseTV are a huge multi-media machine, producing video, audio and podcasts. Well this PodCast is on NAC 4.5, Alok Agrawal of the NAC Business Unit and Myself dive into some of the cool features of 4.5. All of the podcasts can be subscribed to through iTunes.

To access the NAC podcast go to:

http://www.cisco.com/en/US/solutions/ns340/ns339/ns638/ns719/html_TW/tw_episode_198.html

And to get more information on all the great stuff coming from Techwise TV visit:
http://www.mytechwisetv.com/
or
http://cisco.com/go/interact

NAC Layer 3 Out of Band Design Guide That Uses VRF-Lite for Traffic Isolation

Cisco wrote a new configuration guide on using VRF-Lite for traffic isolation. This is a great configuration option for NAC, but with that said never re-design your network just for NAC. VRFs can become very complex and introducing new technology into the network should be carefully planned. Using VRFs in a enterprise network does make sense, but the reasons for moving to the new network design should be a combination of the added features/benefits for Security(NAC, Guest Access, Wireless, etc.) and Network managebility, throughput, and scalability.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a3a8a7.shtml

New NAC Profiler Release

Last month a new maintenance release of Cisco NAC Profiler came out. 2.1.8-38 brings a good list of BugFixes and minor enhancements.

One Minor Enhancement that made it was Endpoint and Directory Timeout Unified Into Endpoint Timeout, which gives us more control on how to age out endpoints out of the database.

Find all the Fixes and information in the Release Notes.

The Release Notes can be found:
http://www.cisco.com/en/US/docs/security/nac/profiler/release_notes/218/218rn.html#wp101317

The new software can be download at:
http://www.cisco.com/cgi-bin/tablebuild.pl/nacprofiler-2.1.8 (Requires Valid Smartnet Contract)

NAC Version Matrix

In June of 2006, NAC Version 4.0.0 was released. Since then, Cisco has released numerous updates and features to the NAC Appliance line! Recently a member of the NAC Mailing List posted the following request:

Is there a feature matrix to compare the various versions/tracks of
Cisco NAC?

So that is exactly what this posts answers. It is long, but I know at least one person appreciates it!

I will explore 3 major lines of code.. 4.0.X, 4.1.X and 4.5.X. Realistically all new deployments should be using 4.1.X or 4.5.X, but I wanted to give a good overview for everyone on older codes.

4.0.X

4.0.0

• Support for Active Directory (Windows Domain) Single Sign-On (SSO)
• Corporate Asset Authentication and Posture Assessment by MAC Address
• Support for Layer 3 Out-of-Band (OOB) Deployment
• New Windows Update Requirement Type
• SMP Kernel Support for Super CAM
• Support for Assigning VLANs by VLAN Name in OOB Deployments
• Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments
• Ability to Change Priority of Wildcard/Range Global Device Filters
• Ability to View or Search Active L2 Devices in Device Filter List
• Ability to Test MAC Addresses Against Device Filters
• Support for Relay IP Class Restrictions on DHCP Server
• Support for DHCP Global Actions
• New "service perfigo maintenance" CLI Command for CAS
• Ability of Clean Access Agent to Send IP/MAC for All Available Adapters
• Support for Stub Installation/Update of the Clean Access Agent
• OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
• SNMP Enhancements for CAM
• CAS Host-Based Traffic Policy Enhancements for Proxy Servers
• Enhancements for DHCP Option Configuration Forms
• Authentication Cache Timeout

4.0.1

• Enable L3 Strict Mode
• OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs
• Link-Failure Based Failover in CAS HA
• Upgrade Enhancements
• CAM Disable Serial Login
• CAM Admin Console Login Enhancements
• Client OS Detection Signature Lookup
• Start Timer Specification for Cisco Updates
• API Enhancements
• Enhancements for Windows XP Media Center Edition/Tablet PC

4.0.3

• Restricted Network Access Option for Clean Access Agent Users
• Daylight Savings Time Support

4.0.4

• Support for Windows Vista Operating System
• License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers
• Improved Memory Footprint for Clean Access Agent Reports
• Broadcast ARP Server Management Option Removed
• Kernel Upgrade

4.0.6

• Debug Log Download Enhancement
• Syslog Configuration Enhancement

4.1.X

4.1.0

• CAS Policy Fallback
• Clean Access Agent/ActiveX/Applet DHCP Release/Renew
• Support for GPO Update Trigger
• Online Update to Retrieve Switch OIDs
• Qualified Remediation Program Launch
• Clean Access Agent for Mac OS X Authentication
• Clean Access Agent Installation Options
• Clean Access Agent Language Template Support
• Clean Access Agent Silent Auditing
• Searchable Clean Access Agent Reports
• Certified Devices Timer Enhancements for Periodic Assessment
• DHCP Renewal Enhancements
• DHCP Subnet List Enhancements
• DHCP Global Option Enhancements
• IE 7.0 Support
• Clean Access Agent Enhancements (4.1.0.0)
• Port Profile Management for OOB Users
• Enhancements to Check Parameters
• Daylight Savings Time Support
• Supported AV/AS Product List Enhancements (Version 42)
• Deprecated IPsec/L2TP/PPTP/PPP Features
• Deprecated Roaming Features

4.1.1

• Support for Windows Vista Operating System
• RADIUS Challenge-Response Support
• Layer 2 Traffic Policy Support
• Multiple Active Directory Server Support in AD SSO
• Restricted Administrator Web Console Options Hidden from View
• Proxy Server Basic/Digest/NTLM Authentication Support
• VLAN Profiles
• VLAN Pruning
• Event Logs Enhancement
• Agent Report Retrieval API Operation
• Out-of-Band IP Refresh Enhancement
• Switch Port Configuration Enhancements
• SNMP Receiver Settings Enhancement
• Support for Windows Vista Operating System
• Windows Update Upon Agent Login
• Agent Reports Show System and User Information
• Agent IP Address Refresh/Renew Enhancement
• CAS-Agent Discovery (SWISS) Enhancements
• 4.1.0.x Agent Support on Release 4.1(1)
• MAC OS RADIUS Challenge-Response Support
• MAC OS Automatically Close Message Dialog After Successful Login
• MAC OS IP Refresh Support for Out-of-Band Deployments
• MAC OS Allow Only One Mac OS Agent to Run on the Client at a Time

4.1.2

• Cisco NAC Appliance Integration with Cisco NAC Profiler/Collector Solution
• New Cisco NAC Network Module (NME-NAC-K9) Support
• NAC Appliance Platform Type Display
• Debug Log Download Enhancement
• Active VPN Client Status Page Enhancement
• WSUS Requirement Configuration Display Enhancement
• New "service perfigo platform" CLI Command
• Web Login Support Using Safari Browser for Mac OS

4.1.3

• Windows Clean Access Agent Language Template Support Enhancement
• Cisco NAC Web Agent
• Support for Clients with Multiple Active NICs
• Clean Access Server HA Heartbeat Link Enhancement
• Clean Access Manager HA Configuration and Heartbeat Link Enhancements
• Guest User Login and Registration Enhancements
• LDAP Authentication Enhancement
• Clean Access Server and WSUS Interaction Enhancement
• Agent Restricted User Access Enhancement
• Device Filter List Display and Import/Export Enhancement
• Agent Report Information Display and Export Enhancement
• VPN SSO Login Enhancement
• VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal
• Syslog Configuration Enhancement
• Debug Log Download Enhancement
• cisco_api.jsp Enhancement
• CSRF Protection
• Proxy Support Enhancements
• ARP Broadcast Packet Handling Improvement
• Clean Access Server HA ARP Broadcast Enhancement
• Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
• Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
• Clean Access Agent Auto Remediation
• Delay Agent Logoff on CAM/CAS
• 64-bit Windows Operating System Agent Support
• Access to Authentication VLAN Change Detection Enhancement
• SNMP Inform Notification Enhancement
• SNMP "MAC Move Notification" Switch Port Configuration Support

4.1.6

• Trusted Certificate Authority Enhancement for Production Environments
• Enhanced CAM/CAS Web Console Features Certificate Warning Messages
• Ability to View and Remove Certificate Authorities from CAM/CAS Without Rebooting
• Enhanced Security with Server Identity Based Authorization
• JMX Over SSL Secured with Mutual Authentication
• HTTPS Connections Enhanced with Mutual Authentication
• Features Optimized/Removed

4.5.X

4.5.0

• Policy Import/Export
• CAM/CAS SSL Certificate Management Enhancement
• CAM/CAS Software Upload Page Enhancements
• Database Snapshot Upgrade Enhancement
• Clean Access Manager High Availability User Interface Enhancement
• CAM/CAS Support Log Level Settings Enhancement
• CAM/CAS High Availability Configuration Able to Detect Hard-Drive Failure
• Support for Wireless Out-of-Band Deployments
• Assign Restricted VLAN for OOB Client Machines When Disconnected
• Certified Device List/Online User List Enhancements
• Out-of-Band Shield Enhancement
• Out-of-Band Discovered Clients Cleanup
• Pre-Login Banner
• Strong Password Support for Root Admin Users
• External Authentication Server Support for Web Administrator Login
• Support for Cisco NAC Appliance/NME-NAC Platforms Only
• Web Upgrade Support Removed
• Default CAM Web Console Password Removed
• Windows ME/98/NT OS Support Removed

Bottom Line, I recommend 4.1.6 for any new deployment that does require any of the features of 4.5.X

Cisco NAC Appliance 4.5 Released

The time has come.... 4.5 is here

It can be downloaded here! (Require Valid Smartnet Contract)

As with all NAC releases, be sure to read the RELEASE NOTES before upgrading!

CAM/CAS Configuration Guides:

• Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5 New!
  
• Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5 New!

Bottom line is that 4.5 brings way too many features to list. That is why the release notes will help!

Looks for future posts on new features and benefits!

Configuration Example - Wireless Out Of Band - New NAC 4.5 Feature

The following is a configuration guide that was posted to explain how to configure NAC 4.5 with Wireless LAN Controller 5.1 for NAC Wireless OOB support.

NAC Out-Of-Band (OOB) Wireless Configuration Example

Wireless OOB is a feature we all have been waiting for. Some of the great benefits that I see are:

- No need for a second Clean Access Server(CAS) just for wireless. If you are a smaller organization wireless and wired can be performed on a single CAS.
- Bandwidth benefits for larger wireless infrastructures. With 10Gbps network backbones and large central wireless deployments(lots of clients), having a OOB wireless deployment is a no brainer.

This is one of a few great features coming out with NAC release 4.5.

Coming Soon - Cisco NAC Release 4.5

Cisco is preparing for NAC Release 4.5 which will include great features like Wireless OOB, Mac Posture Assessment Support and CAM import/export of policies.

The first piece of documentation has been published:

Cisco NAC Appliance Release 4.5 - Video Data Sheet

Keep a lookout for posting on all the new features and when the download becomes available.

NAC Updates

Windows Clean Access Agent Version 4.1.7 Released - Sept 30th

In this release their are a few minor resolved caveats:

- Symantec AntiVirus 10.x not fully compatible with CCA Agent
- Vista Agent does not detect MAC Address of Wireless NIC
- AVG Anti-Virus Free 8.x support for Virus Definition check

As with all upgrades, it is highly recommended to read the release notes before upgrading. Also, on a side note, remember that upgrades should be done for a purpose, either to fix a caveat or to gain new features.

Download 4.1.7 Windows Agent

Release Notes


3 NEW Configuration Examples posted to CCO

- NAC Appliance (CCA): Configure High Availability (HA) for the Clean Access Manager (CAM)
29/Sep/2008

- Deploy NAC Profiler in an Existing Out-of-Band NAC
02/Sep/2008

- Importing SSL Certificates to NAC Profiler
02/Sep/2008


To see all the previous Configuration Examples and TechNotes


How to Block Operating Systems with CCA

A friend of mine, Rob Chee, writes a blog on network security and had a great post on how to block operating systems using User Pages with CCA.

Make sure you check out his Post.

NEW NAC Version 4.1(6)

4.1.6 is available and you can download it here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download



4.1(6) Release Notes
As with all NAC Upgrades, the release notes are extremely important!

4.1(6) CAM Installation & Configuration Guide

4.1(6) CAS Installation & Configuration Guide

Cisco NAC Guest Server 1.1.1

On June 9th, Cisco posted an update to NAC Guest Server.



Version 1.1.1 comes with a few new features:

Guest Role Support
Guest Role Support provides the ability for Sponsors to create guest accounts with different privileges. This includes provisioning into different roles on the Clean Access Manager, returning different RADIUS attributes to RADIUS clients or only allowing access from specified networks.

Additional NTP Server
The 1.1.1 release introduces the ability to configure two NTP servers instead of a single NTP server in 1.1.0.

FTP Backup Directory
The 1.1.1 release allows a directory to be specified as part of the scheduled FTP backup, prior versions placed the backup in the default directory of the FTP user account.

As with all NAC related upgrades make sure to read the RELEASE NOTES before upgrading!

The NAC Guest Server Installation & Configuration Guide 1.1.1 can be used for reference of the new features.

Finally to download the new version go to the NAC Guest Server Download Page. (Requires Valid CCO Login)

NAC Updates

I want to apologize for the lack of posts over the past couple of months. I have been out performing NAC Deployments non-stop.

I thought I would kick things off by offering some updates on the latest software release. Look for more custom check and best practice posts soon. Also, if anyone has any requests on something they would like to see posted about let me know!

Cisco Clean Access Agent 4.1.3.2
Some updates to the original 4.1.3.0 Agent has been made, refer to the release notes for all enhancements, bug fixes, etc.

Cisco NAC Profiler 2.1.8-37
On April 7th, Cisco released an upgrade to NAC Profiler.
Release Notes | Documentation

Cisco NAC Guest Server 1.1.0
Cisco released an upgrade to the Guest Server. Check out the documentation for all enhancements/fixes
Release Notes | Documentation

NEW 4.1(3) Feature - Cisco NAC Web Agent

Background:

One of the much waited for features in the NAC 4.1(3) release is the NAC Web Agent. "The Cisco NAC Web Agent provides temporal vulnerability assessment for client machines. Users launch the Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet. When the user terminates the Web Agent session, the Web Agent logs the user off of the network and their user ID disappears from the Online Users list."

In short, it is a temporary agent that gives the ability to have a detailed posture assessment performed on a machine that it is not desired to or can't install software on.

Figure 1 – Cisco NAC Web Agent

The Spotlight:

The NAC Web Agent is a great addition to the capabilities of Cisco NAC Portfolio. The following is a functionality to agent type(CAA vs. Web Agnet) comparison. It includes some of the major benefits of each agent type to give everyone a better idea of where the new NAC Web Agent fits into their deployment.

Cisco Clean Access Agent

- Favorable end user experience - After the CAA is installed, the user does NOT have to open up a web browser every time NAC has to perform Authentication and Posture Assessment.

- Active Directory SSO - Without the CAA, internal users cannot perform ADSSO.

- Automatic Remediation - CAA walks users step-by-step through what they need to do to become compliant.

Cisco NAC Web Agent

- No Administrative Rights Required - The Web Agent only requires the rights to run Java or Active-X by the browser for it to successfully install and perform posture assessment. Some guests/visitors do not have the administrator rights necessary to install the full blown CAA, which makes the Web Agent very attractive.

- No permanent software installation - Using the Web agent takes away any chance of someone complaining of the software they downloaded at your location is the reason their computer crashed.

- Detailed Posture Assessment - The Web Agent can perform the same exact checks(Registry, File, Service, and Application) as the CAA. The only caveat is that the remediation is a manual process. The administrator may present a link to the user, but after remediation the user must click "Re-Scan" to be permitted access.

- Scan cannot be blocked by a personal firewall - As basic as this sounds, the Network Scanning capability is used a lot in the field to perform scans of guests and contractors. The problem is that a majority of users today are running some form of personal firewall rendering the network scanning useless. The NAC Web Agent is run locally on the machine to enforce posture assessment, which puts network scanning on the back burner.

Configuring Cisco NAC Web Agent:

The good news is if you have ever configured posture assessment for the CAA, then you have already configured posture assessment for the Cisco NAC Web Agent. For more information on configuring Posture Assessment, check out the CAM Installation & Configuration Guide or Cisco NAC Chalk Talk 5. The only background that should be mentioned is when creating requirements for the Web Agent it is a best practice to use a Link type requirement, so that the end user can click on the appropriate link to remediate.

The first step to enabling the web agent is to create a or modify your existing User Page. The most important option is the "Web Client (ActiveX/Applet)" setting which tells NAC which type of web agent to use or prefer. e.g. Active X or Java

The next step is to require the use of the Web Agent for the relevant Roles.

Figure 2 – Require the use of the Cisco NAC Web Agent

The final step is to assign requirements to the roles that requires the web agent.

The end user experience:

Figure 3 – Cisco NAC Web Agent end user process flow

Summary:

The Cisco NAC Web Agent is definitely going to be a highly used feature in most Cisco NAC deployments. It is fairly straight forward to understand and configure. I encourage everyone to check it out along with all the great new features in 4.1(3).

Sources: 4.1(3) Release Notes; 4.1(3) CAM Installation & Configuration Guide

NAC Version 4.1(3)

4.1.3 is available and you can download it here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download
























4.1.3 Release Notes
As with all NAC Upgrades, the release notes are extremely important!

4.1.3 CAM Installation & Configuration Guide

4.1.3 CAS Installation & Configuration Guide

Enhancements in Release 4.1(3)

General Enhancements

• Cisco NAC Web Agent

• Support for Clients with Multiple Active NICs

• Clean Access Server HA Heartbeat Link Enhancement

• Clean Access Manager HA Configuration and Heartbeat Link Enhancements

• Guest User Login and Registration Enhancements

• LDAP Authentication Enhancement

• Clean Access Server and WSUS Interaction Enhancement

• Agent Restricted User Access Enhancement

• Device Filter List Display and Import/Export Enhancement

• Agent Report Information Display and Export Enhancement

• VPN SSO Login Enhancement

• Syslog Configuration Enhancement

• Debug Log Download Enhancement

• cisco_api.jsp Enhancement

• CSRF Protection

• Proxy Support Enhancements

• ARP Broadcast Packet Handling Improvement

• Clean Access Server HA ARP Broadcast Enhancement

• Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature

• Previously-Deprecated Features Removed from CAM/CAS Web Console Pages

• Supported AV/AS Product List Enhancements (Version 67)

Out-of-Band Enhancements

• Access to Authentication VLAN Change Detection Enhancement

• SNMP Inform Notification Enhancement

• SNMP "MAC Move Notification" Switch Port Configuration Support

Clean Access Agent Enhancements

• Clean Access Agent Auto Remediation

• Windows Clean Access Agent Version 4.1.3.0

• Mac OS X Clean Access Agent Version 4.1.3.0

Look out for more detailed explainations and configuration examples from the new features and functionality.

NAC Version 4.1.2

Download is available here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download

4.1(2) Documentation Page

Some of the feature "enhancements" that i found interesting and useful:

- NEW Cisco NAC Network Module (NME-NAC-K9) Support

Release 4.1(2) introduces support for the Cisco NAC Appliance network module (NME-NAC-K9) on the next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs).

The Cisco NAC Network Module for Integrated Services Routers supports the same software features as the Clean Access Server (CAS) on a NAC Appliance, with the exception of high availability. NME-NAC-K9 does not support failover from one module to another. The integration of CAS capabilities into a network module for ISRs allows network administrators to manage a single device in the branch office for data, voice, and security requirements. The NME-NAC-K9 network module is available as a single hardware module with 50-user and 100-user license options, and supports a maximum of 100 online, concurrent users.

Once initially installed, the Cisco NAC network module is managed in the CAM web console like any other Clean Access Server, and a single CAM can manage both CAS appliances and NAC network modules. To add the Cisco NAC network module to your network, at least one Clean Access Manager appliance (Lite, Standard or Super) must be already installed and configured.

Cisco ISR platforms need to run Cisco ISO software Release 12.4(11)T or later (IP Base image or above) in order to support the Cisco NAC network module.

If introducing the Cisco NME-NAC-K9 network module to an existing Cisco NAC Appliance network, you must upgrade all CAM/CAS appliances to release 4.1(2) for compatibility.

Look out for an upcoming blog entry to show how to deploy the Network Module

- NAC Appliance Platform Type Display

Now that we have Network Modules, this gives us the ability to tell whether we are looking at a NM or an Appliance. Two ways to do this:

UTILIZE THE GUI:

CAM web console:
Device Management > CCA Servers > Manage [CAS_IP] > Network > IP | new Platform field featuring either "APPLIANCE" or "NME-NAC"

CAS web console:
Administration > Network Settings > IP | new Platform field featuring either "APPLIANCE" or "NME-NAC"

UTILIZE THE CLI:

The CAS CLI includes the new service perfigo platform command in release 4.1(2). The command allows you to determine whether the CAS is a standard Clean Access Server appliance or a new Cisco NME-NAC-K9 network module installed in a Cisco ISR router chassis. The command output includes either "APPLIANCE" or "NME-NAC" as the platform setting.

- Debug Log Download Enhancement

Beginning with release 4.1(2), you can now specify the number of days of collected debug logs to download in order to aid troubleshooting efforts when working with Cisco technical support. Previously, debug logs compiled to download to technical support included all recorded log entries in the CAM/CAS database. The default setting is one week (7 days).

- As always... New AV/AS Support List

To review all enhancement, caveats and upgrade procedures please read the following release notes:

Cisco NAC Appliance 4.1(2) Release Notes

Please note that it is best practice to follow the upgrade procedures to the "T" when upgrading your NAC Managers and Servers.

For those of you just getting into the land of NACA, there is a very good presentation on the features that came about in Release 4.1(0) located on CCO called "What's New in Cisco NAC Appliance 4.1" that should catch you up on the latest and greatest features.

NACA Version 4.1.1

Version 4.1.1 was posted to CCO for download on April 30th.

Some of the feature "enhancements" that i found interesting and useful, but not too geeky are:

- Support for Windows Vista
This is something that has been around in the 4.0.X train but not 4.1.X, so customers should really enjoy this feature

- Multiple Active Directory Server Support in ADSSO
Previously, you could only define a single AD Server for ADSSO. Now with 4.1.1 you are able to authenticate to an entire "Domain". This greatly enhances the availability of ADSSO.

- Restricted Administrator Web Console Options Hidden from View
Now when you can take away even Read-Only rights to certain aspects of the CAM. This makes it less tempting for the help-desk staff to go in and look through private event data, etc.

- VLAN Prunning
This works in conjunction with a Virtual Gateway CAS using VLAN Mapping to ensure that only known VLAN ID packets are allowed to traverse the internal network. This should prevent any broadcast/loop issues that might have previously happened.

- WSUS Support
Now we are playing ball with the introduction of WSUS support. This release tightly integrates updates through WSUS, to ensure users have the proper patches.

This is only a few of the many new enhancements in 4.1(1). To review all enhancement, caveats and upgrade procedures please read the following release notes:

Cisco NAC Appliance 4.1(1) Release Notes

Please note that it is best practice to follow the upgrade procedures to the "T" when upgrading a NACA deployment.

For those of you just getting into the land of NACA, there is a very good presentation on the features that came about in Release 4.1(0) located on CCO called "What's New in Cisco NAC Appliance 4.1" that should catch you up on the latest and greatest features.