How to remove Cisco NAC

Status
Not open for further replies.

Prizmm

Instructor
Mar 8, 2004
124
US
I need to start removing Cisco NAC from our environment. I'm thinking that I just need to change the switchport profile to "Default [uncontrolled]" and make sure the initial and current VLAN are set to our Data VLAN. I'm hoping that someone with experience with NAC could chime in and let me know if my thinking is correct. Thanks

 
I assume you are talking about the configuration on the NAC for the NAC-managed switches? Then yes. There should also be SNMP configuration on the switches to send link-up/down traps to the NAC so it can do its thing; you might want to disable these also.

I am interested to know why you are removing NAC? I must admit it isn't something I am a fan of.

Andy
 
I recently started in this position and the previous techs before me had done the installation. Unfortunately they had not really set up NAC for its full potential and it only really ended up causing grief for everyone. Once I started here I was tasked with tearing it all out.

I went into the CAM yesterday and found my switch and switch port (of the endpoint that I wanted to disable NAC) and I put it in "Default [Untrusted]" but then it said the system needed to write to the running config of the switch and that's where I stopped (I don't have access to the switches and the switching team had left for the night). I understand what it was trying to do, I just wasn't comfortable making the change when nobody was here to fix the switch if something had gone wrong.
 
How big is your network and are you trying to slowly shut it down, or is it fairly small and you can tear it out in one change window?

The NAC manager should have the switch SNMP info programmed into it, so you would just uncontrol that port and it should write the changes to the switch for you.

 
Thanks for the reply. Unfortunately it is a large network. Right now I am testing by changing a handful of ports back to the default (uncontrolled) setting in the NAC manager and that seems to be working. Our policy is set to push out every 1 week (on Tuesdays). I was wondering if I should also uncheck the "enable" button on that schedule?
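An added example, not posted by anyone in this thread: a read-only check over a saved switch configuration that lists SNMP trap receivers still pointing at the NAC manager and access ports not yet on the data VLAN, the two leftovers discussed above. It assumes IOS-style configuration text; the NAC manager address, VLAN numbers and sample configuration are constructed.

```python
import re

# Constructed sample of an IOS-style saved config; addresses and VLAN IDs are made up.
SAMPLE_CONFIG = """\
snmp-server host 192.0.2.10 version 2c nac-traps
snmp-server host 192.0.2.50 version 2c monitoring
!
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 999
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
"""

def audit_config(text, nac_ip, data_vlan):
    """Return leftover NAC trap receivers and access ports not on the data VLAN."""
    trap_lines, wrong_vlan = [], {}
    iface = None
    # Match the full address so 192.0.2.1 does not match 192.0.2.10
    host_re = re.compile(r"snmp-server host\s+" + re.escape(nac_ip) + r"(\s|$)")
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # A non-indented line ends the previous interface block
            m = re.match(r"interface\s+(\S+)", line)
            iface = m.group(1) if m else None
            if host_re.match(line):
                trap_lines.append(line)
        elif iface:
            m = re.match(r"switchport access vlan\s+(\d+)$", line)
            if m and int(m.group(1)) != data_vlan:
                wrong_vlan[iface] = int(m.group(1))
    return {"nac_trap_receivers": trap_lines, "ports_off_data_vlan": wrong_vlan}

if __name__ == "__main__":
    # Hypothetical values: NAC manager at 192.0.2.10, data VLAN 20
    report = audit_config(SAMPLE_CONFIG, nac_ip="192.0.2.10", data_vlan=20)
    for line in report["nac_trap_receivers"]:
        print("leftover trap receiver:", line)
    for port, vlan in report["ports_off_data_vlan"].items():
        print(f"{port} still on VLAN {vlan}, expected {20}")
```

Running it against configuration backups taken before and after each batch of ports is uncontrolled shows which switches still need cleanup without touching the devices.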
 