Friday, October 20, 2006

CS-MARS NAC Reporting and Functionality

MARS supports the Cisco NAC Framework by storing and reporting on NAC based events generated by the various reporting devices on your network.

I`m not going to go into how to set NAC up, or how to configure your NAC implementation in MARS, since this can be found in the MARS Userguides.

What i will try to demonstrate here, is how MARS can aid you in reporting on your Network Admission Control setup.

Consider MARS has started to alert us to P2P traffic in the network.

Drilling down into the incident, will give us the Source and Destination IP Addresses.

And clicking on an internal Source Address will give us more information about the host. Now we nearly always have some Static Info available to us, but in a NAC environment we have Dynamic Info, which could be continually changing.

Static vs Dynamic Info for a 802.1X Reported Host.

And the same again if we choose to try and mitigate the host, since we are mitigating an 802.1X host, we get more info.

The information you get on these screens will obviously depend on what authentications you are performing in your 802.1X setup, with the above performing anonymous machine authentication.

You get similar dynamic info for a host performing L2/L3_IP NAC assessment.

Now onto REPORTING, this is where MARS overcomes some of the short falls with Cisco ACS.

Out of the box, MARS comes with some ready to go NAC reports as shown below...

I have run a couple of the reports below, for 802.1X and L2IP Top Tokens and Sessions.

802.1X NAC Report - Number of Healthy/Unhealthy Tokens over the last hr

802.1X NAC Report - Healthy/Unhealthy Sessions Listed by Time over the last hr

L2IP NAC Report - Number of Healthy/Unhealthy Tokens over the last hr

L2IP NAC Report - Healthy/Unhealthy Sessions Listed by Time over the last hr

There is also a Detailed NAC Report that can be run over time, that gives far more information including Posture States, NAS Port and CTA Versions reported by Hosts.

There will be a demo of this on the demolabs website shortly, so you can see this on a live network.

I think in the later versions of MARS, this reporting functionality will become far better, and a few of the niggly MAC reporting issues will be fixed.


Akram said...

looking on the flash demo of mars, i found this link :

Is it open for public? because I want to see the different layout and maybe it would be a good idea and cheaper to make live demo for a customer.

So if yes what are the credentials?

Chris said...

Hi Akram

As far as i am aware, the webite you mention is for Cisco Internal Use only.

There is a MARS demo box on the Cisco E-Partner Learning environment (login with your CCO account), that you can schedule access to.