NAC Appliance in IB VGW L3 mode - routing question

Hi!
I'm testing Clean Access in In-band VGW mode with clients that are *not* directly connected to the CAS (i.e. L3-adj. mode).
Can anybody tell me whether I need to configure static routes on the CAS for user subnets? It seems that the CAS always sends traffic via the trusted eth0 interface with the eth0 IP as the source. It doesn't use the eth1 IP (even if it is different from the eth0 IP and the static route is pointing via eth1).
So, it seems that the eth1 (untrusted side) IP doesn't really matter and static routes are not used in VGW mode. Is my understanding correct?

Thanks a lot for the reply, however it doesn't help.
> The traffic destined for the client will have to come in the trusted and out the untrusted. The return traffic has to come in the untrusted and out the trusted.
This is only correct from bridging point of view. This is *not* correct from routing point of view.
1. As you know static routes are used to route traffic, right? And the routing is needed for *VGW* CAS solely to communicate with clients and the CAM.
2. As you pointed out earlier "the CAS usually has the same IP address on trusted and untrusted interfaces", right?
3. This IP address is needed for CAM-CAS communications, right?
4. So, it must be from the same IP network as the CAS default gateway. For example, the CAS trusted (and untrusted) IP is 10.10.10.1, the default gateway for CAS is 10.10.10.2.
5. At the same time the remote users are coming from the untrusted side. The previous-hop router (on the CAS untrusted side) has the IP address 192.168.88.1 and the next-hop router (on the CAS trusted side) has the IP address 192.168.88.2. The user's network is 172.16.172.0. So far, so good?
6. What are you suggesting now? Specify on the CAS the following IP route:
172.16.172.0/24 via 192.168.88.1 (via untrusted eth1)
7. The problem is that the untrusted (eth1) interface has the IP address 10.10.10.1 and the router has 192.168.88.1! They're on different subnets! Does this route make sense? It looks more like a shortcut than a normal route. Why not just use the default route pointing to the 10.10.10.2 to reach the 172.16.172.0? The traffic can reach user subnet 172.16.172.0 via the following path: 10.10.10.1(trusted intf)->10.10.10.2->192.168.88.2->192.168.88.1->172.16.172.x!
The only question is: which interface, trusted or untrusted, the CAS will use to communicate with clients in case it has the same IP on the untrusted and trusted interfaces and no other routes configured, except the default route?
I know for sure, if the VGW CAS has different IPs on the trusted and untrusted interfaces, it always uses the trusted interface to communicate with clients!
Pretty clear, right?
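To make the routing argument in the post concrete, here is an added example (not Cisco's code and not the CAS implementation) that models the two generic rules any Linux-style host applies: a static route's next hop must be on-link for the egress interface, and a route lookup is a longest-prefix match that yields the egress interface and its address as the source. The addresses are the ones in the post; the class names, the on-link check and the decision to pin the default route to eth0 (mirroring the behaviour the post reports seeing) are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    addr: ipaddress.IPv4Interface   # address with prefix, e.g. 10.10.10.1/24


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]   # None for a directly connected prefix
    dev: str


class RoutingTable:
    """Hypothetical host routing table: longest-prefix match plus on-link checks."""

    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}
        # Each interface contributes a connected route for its own subnet.
        self.routes = [Route(i.addr.network, None, i.name) for i in interfaces]

    def onlink_devs(self, via):
        """Interfaces on whose subnet the next hop lies (may be several, or none)."""
        via = ipaddress.IPv4Address(via)
        return [i.name for i in self.interfaces.values() if via in i.addr.network]

    def add_route(self, prefix, via, dev=None):
        """Install a static route, refusing a next hop that is not on-link."""
        via = ipaddress.IPv4Address(via)
        candidates = self.onlink_devs(via)
        if dev is None:
            if len(candidates) != 1:
                raise ValueError(f"next hop {via} is on-link for {candidates}; "
                                 "the table alone cannot pick an interface")
            dev = candidates[0]
        elif dev not in candidates:
            raise ValueError(f"next hop {via} is not on {dev}'s subnet "
                             f"{self.interfaces[dev].addr.network}")
        self.routes.append(Route(ipaddress.IPv4Network(prefix), via, dev))

    def lookup(self, dst):
        """Longest-prefix match; returns (egress dev, source IP, next hop) as strings."""
        dst = ipaddress.IPv4Address(dst)
        best = max((r for r in self.routes if dst in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)
        if best is None:
            raise LookupError(f"no route to {dst}")
        src = self.interfaces[best.dev].addr.ip
        nh = best.via if best.via is not None else dst
        return best.dev, str(src), str(nh)


def vgw_scenario():
    """The post's addressing, as constructed sample data."""
    tbl = RoutingTable([
        Interface("eth0", ipaddress.IPv4Interface("10.10.10.1/24")),  # trusted
        Interface("eth1", ipaddress.IPv4Interface("10.10.10.1/24")),  # untrusted, same IP
    ])
    out = {}
    # Point 7: 192.168.88.1 is not on eth1's 10.10.10.0/24, so the route is refused.
    try:
        tbl.add_route("172.16.172.0/24", "192.168.88.1", dev="eth1")
        out["offlink_route"] = "accepted"
    except ValueError as err:
        out["offlink_route"] = f"rejected: {err}"
    # The closing question: with one IP on both sides, the default gateway
    # 10.10.10.2 is on-link for both interfaces, so the table cannot choose.
    out["gateway_devs"] = tbl.onlink_devs("10.10.10.2")
    try:
        tbl.add_route("0.0.0.0/0", "10.10.10.2")
        out["implicit_default"] = "accepted"
    except ValueError as err:
        out["implicit_default"] = f"rejected: {err}"
    # Pin the default route to the trusted side (assumption, matching what the
    # post reports observing) and trace the path to a client in 172.16.172.0/24.
    tbl.add_route("0.0.0.0/0", "10.10.10.2", dev="eth0")
    out["path_to_client"] = tbl.lookup("172.16.172.5")
    return out


if __name__ == "__main__":
    for key, value in vgw_scenario().items():
        print(f"{key}: {value}")
```

The model shows why the question in the post is a property of the implementation rather than of the routing table: once both interfaces carry the same prefix, the table has two equally good egress candidates for the gateway, and only the device's own policy (here, pinning to eth0) resolves it.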

Similar Messages

  • NAC Appliance design question

    I have a customer with a central site and two branch office. Routing is configured on the WAN to connect all three locations. All servers and internet access are on the central site.
    Customer wants to install NAC appliance. Do I need a NAC appliance at each location? Or do I just install it at the central location and use that NAC appliance for access control to the two remote sites as well.
    Also how does NAC appliance apply access control to users coming into the network via Citrix or Cisco VPN Clients?
    Thanks

    NAC Appliance (CAM & CAS = Clean Access Manager/Server) can be used in a Layer 3 Out Of Band design. This will provide you with centralized control.
    It works by placing all unauthenticated switch ports into an unauthenticated VLAN. When a switch port goes up/up, the NAC CAS follows a set of rules you have established on the CAM to make decisions about the computer and user. It then will place that switch port into a VLAN 'dynamically' as dictated by the rules. Your switches must support these features (IOS level) and only Cisco products work with the CAM/CAS (well some others might, but it's a short list). When the port goes down/down the CAS senses this and returns the port to the unauthenticated VLAN.
    For instance, if a user is a vendor, only requiring Internet access, you will have a VLAN for this purpose on all your switches and routed/trunked to your Internet Point of Presence. The CAS will see the switch port he/she jacks into come up/up. It will query the user and the computer and based upon the rules in the CAM, dynamically assign the wire port to the VLAN from the go-no-where unauthenticated VLAN.
    If it were a company user, you could set it to check Anti-virus, levels of service packs, etc. before they were allowed on the network. It could also be set up to allow the person access to only the 'Finance' VLAN (for example) based upon their role in the company. It can do this remotely.
    If you were to remediate VPN users, you could not do this in a dynamic, Out of Band fashion. You would need a second CAS (but not CAM) to operate In Band. This would then allow users in one Interface, traverse the CAS on out another interface on the appropriate VLAN. This is because it's impossible to apply multiple rules to a single port shared by multiple users. You would need a means to make decision on what VLAN the users accesses at the concentrator and move them off dynamically at the virtual interface. It's not supported.
    Remember, NAC is performed at the switch port level. Citrix users would be regarded as local users. You could perform certain rule checking to allow them only onto your Citrix VLAN.
    There is a Cisco Chalk Talk series on the NAC, use the URL below. It will teach you as much as you can absorb on the NAC appliances, how to use them and recommend their purchase to your clients.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

  • L2 or L3 switch with NAC appliance

    Hi,
    I am planning for deploying NAC appliance in OOBVG mode. For the access layer, L2 switches are selected (2960). If I change the L2 access switches with L3 (3560 or 3750) would this add more manageability to the access layer by NAC?
    Regards,
    Mladen

    Thanks.
    The document "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide" says:
    "In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port is changed from the Auth VLAN to the Access VLAN."
    So the clients will have to receive TCP/IP settings via DHCP twice, which I don't think is satisfactory for clients.
    If the NAC is in OOBVG mode, are there any NAC features, which are not supported (IP filtering rules, access policies, and any other traffic handling mechanisms)?
    Regards,
    Mladen

  • NAC Appliance IPv6 Compatibility

    I read in the book "Cisco NAC Appliance: Enforcing Host Security with Clean Access" (published 2008) that the Real IP Gateway mode is only IPv4 compatible but that IPv6 compatibility will be provided in a future software update.
    Having searched around, I can't find any reference to the NAC Appliance being IPv6 compatible. Does anyone know what modes (if any) are IPv6 compatible?

    Hi,
    Even though IPv6 has been on the road map, currently it is not supported and there is no ETA for IPv6 support by NAC devices.
    HTH,
    Tiago
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • NAC Appliance for Wireless In-Band Virtual Gateway

    Hi, People.
    Does anybody know how to configure NAC Appliance for Wireless In-Band Virtual Gateway?
    Tks.

    Hi Wemerson,
    Basic Wireless or Wired InBand is basically the same thing regarding the NAC configuration.
    Please follow the chalk-talks available online: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
    Notes:
    - In In-Band all traffic MUST flow through the CAS, which means that all the traffic on the VLAN of the wireless client MUST flow through the CAS. This can be done via L2 mechanisms (VLAN restrictions) or L3 (routing).
    - For the CAS, it is transparent whether the client traffic comes from a wireless client or a wired client.
    - If you want to use wireless SSO, you can configure the WLC the same way as a VPN concentrator. The WLC will then send RADIUS Accounting information to the CAS and the CAS can allow clients to access resources if they have already been authenticated by the WLC.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • IPS 45xx/43xx/42xx appliance and Catalyst 6500 Inline Mode issues

    Hello to everyone!
    We have recently got our new IPS 4510 appliance and for now there is a task to develop a connection scheme to our backbone multilayer switch (Catalyst 6500).
    There are several server and user VLANs connected to the 6500.
    6500 performs inter-vlan routing.
    The main task is to "insert" the IPS appliance into the traffic path from any VLAN to the server VLANs.
    The additional task is to provide failover in "fail-open" manner (We have only one 4510 appliance. So if 4510 fails then traffic should continue passing without inspections).
    As I understood from this document https://supportforums.cisco.com/docs/DOC-12206 the only way to implement Inline Mode when using multilayer switch is to "take out" default gateway address for inspected subnet on the other VLAN's SVI.
    If we replace IDSM-2 with IPS appliance I suppose we can use hardware bypass feature as a failover measure (in case if IPS fails then traffic between bridged VLANs will still be forwarded).
    But what if there are several VLANs that should be monitored?
    As I understand, in such a schema we will need to use an additional interface inline pair for each monitored VLAN.
    But what if we have 20 VLANs for servers and 50 VLANs for users?
    Can using of VLAN-group mode handle this problem?
    I am not sure but using of VLAN-groups cannot provide bridging between two different VLANs. Am I right?
    And will using of VLAN-group make hardware-bypass feature useless?
    I tried to simulate the first scenario in Cisco Packet Tracer (I used a bridge to simulate an IPS appliance in interface-pair inline mode):
    Maybe this is a bug of Packet Tracer, but traffic went through the IPS only if it was sent from VLAN 10 to VLAN 100.
    The return traffic from VLAN 100 to VLAN 10 went through the Catalyst directly.
    When the Catalyst received the frame it said:
    "The frame destination MAC address matches the MAC address of the active VLAN interface."
    After that it decapsulates the PDU from the Ethernet frame and sends the IP packet directly to VLAN 10.
    Does it mean that there is a need to change SVI's mac address?
    Thanks for any advice in advance.

    Here is my guess of how to realise my scenario:
    Config on the Cat6k should look something like this:
    ip routing
    interface Ge1/0
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10-12,110-112
    switchport mode trunk
    switchport nonegotiate
    switchport vlan mapping enable
    switchport vlan mapping 110 10
    switchport vlan mapping 111 11
    switchport vlan mapping 112 12
    interface Ge1/1
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10-12
    switchport mode trunk
    switchport nonegotiate
    interface vlan 2
    ip address 10.0.2.1 255.255.255.0
    interface vlan 3
    ip address 10.0.3.1 255.255.255.0
    interface Vlan4
    ip address 10.0.4.1 255.255.255.0
    interface Vlan110
    ip address 10.0.10.1 255.255.255.0
    interface Vlan111
    ip address 10.0.11.1 255.255.255.0
    interface Vlan112
    ip address 10.0.12.1 255.255.255.0
    no interface Vlan10
    no interface Vlan11
    no interface Vlan12
    IPS should operate in VLAN-group inline mode. We could separate traffic by VLAN tag to inspect with different virtual sensors or we use one VS for all trunk traffic.
    Traffic routed from any VLAN to VLANs 10-12 should go through IPS.
    In case the IPS gets powered off, the hardware-bypass feature should provide bridging between the trunk ports.
    In theory it should work.
    It remains to test it in practice.
    Thoughts / suggestions?

  • Authentication NAC appliance with ACS

    I had deployed a L3 Virtual Gateway mode for NAC appliance. There is ACS for authentication. How can I add ACS to "Auth Servers"? CAM settings do not need mapping rules. Every user just authenticates with their own account, then CAM can pass this info to ACS. What should I do? Thank you.
    Is there any configuration example, e-mail to [email protected]

    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a00809b8e3b.shtml

  • Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

    Hi,
    I am re-imaging the Cisco NAC Appliance 3315 and installing the Cisco ISE 1.1.4...
    After finishing the installation, when I type "SETUP"... it gives me the below error:
    # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
    # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
    Please advise....
    I tried to change the Time/Date as per UTC/GMT accordingly... But I didn't find the RAID in CLI... see the link below
    (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
    any idea...
    Regards,
    Mubasher Sultan

    Where did you get the recovery media? Did you download from cisco.com?
    Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
    Supporting link:
    http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
    Jatin Katyal
    - Do rate helpful posts -

  • NAC Appliance and BigFix Automatic remediation

    Hi,
    I want to integrate NAC appliance with BigFix for automatic remediation of Windows clients. Please provide me the document for the same if anyone did it in their organization.
    Regards,
    Amit

  • Integrate NAC Appliance with Active Directory

    We try to implement on our customer, NAC appliance integrating with Active Directory Single sign on.
    The NAC is configured with L2 OOB. The user first connects to the switch and gets the authentication VLAN, then the user will be authenticated using their domain account login; if successful the user will be mapped to the VLAN assigned to them.
    The agent SSO installed on Active Directory is running well, and at the CAS also the SSO service is started.
    Let's say I've this situation:
    1. User A has been assigned to VLAN 15 Employee
    2. User A plugs into the switch, gets the dummy VLAN and will authenticate using the domain account on AD. If succeeded then the port will be bounced; the user is running a Cisco agent in the background
    3. Now user A has their own VLAN ID 15
    I've created the Authentication server on CAM for the Active Directory, but I find it's so difficult to configure mapping rules between user roles and Active Directory. The guidance PDF on how to implement NAC that I've downloaded from Cisco does not mention how to map user roles to Active Directory...
    Has anyone configured mapping rules from user roles to Active Directory?

    So you would create a mapping rule against your lookup server like so.
    Say the AD group membership is "Finance".
    For ADSSO you would apply the mapping rule to your LOOKUP server,
    where the expression is
    memberOf contains CN=Finance, and apply it to role employee. If VLAN 15 is your employee VLAN then you would designate VLAN 15 in your Employee role under user role configuration.
    Now you can't test this with ADSSO with the test auth function, so what I like to do is create an AD authentication server and test against that. As long as you have some form of mapping configured, the auth results will return all memberships for the username you log in with, so you can get the syntax exactly right.
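The answer's advice to check the expression syntax against real membership data is worth doing offline first, so here is an added example (not CAM code, and not a statement of how CAM evaluates its rules) that models a mapping-rule table in the shape the answer describes: an attribute, an operator, a value and a target role, with the role then mapped to a VLAN. The "memberOf contains CN=Finance" expression and the employee VLAN 15 come from the answer; the user records, the DNs, the operator semantics and the role-to-VLAN table are constructed assumptions. It also goes one step beyond the answer by contrasting the broad substring rule with a tighter one, which is the check a practitioner would want before a rule grants a role more widely than intended.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class MappingRule:
    """One row of a hypothetical mapping-rule table: attribute op value -> role."""
    attribute: str   # e.g. "memberOf"
    operator: str    # "contains" (substring) or "equals" (whole value)
    value: str       # e.g. "CN=Finance"
    role: str        # e.g. "Employee"


# Constructed role -> VLAN table; 15 is the employee VLAN used in the answer above.
ROLE_VLAN = {"Employee": 15, "Unauthenticated": 999}


def rule_matches(rule: MappingRule, attrs: Dict[str, List[str]]) -> bool:
    """Evaluate one rule against the attribute list a lookup server returned."""
    values = attrs.get(rule.attribute, [])
    if rule.operator == "contains":
        return any(rule.value in v for v in values)
    if rule.operator == "equals":
        return any(rule.value == v for v in values)
    raise ValueError(f"unknown operator {rule.operator!r}")


def assign_role(attrs, rules, default="Unauthenticated"):
    """First matching rule wins; users matching nothing keep the default role."""
    for rule in rules:
        if rule_matches(rule, attrs):
            return rule.role
    return default


def assign_vlan(attrs, rules):
    """VLAN that follows from the assigned role."""
    return ROLE_VLAN[assign_role(attrs, rules)]


# Constructed memberOf results, standing in for what a test auth server returns.
USERS = {
    "alice": {"memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com",
                           "CN=Domain Users,CN=Users,DC=example,DC=com"]},
    "bob":   {"memberOf": ["CN=FinanceContractors,OU=Groups,DC=example,DC=com",
                           "CN=Domain Users,CN=Users,DC=example,DC=com"]},
    "carol": {"memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
}

# The expression from the answer, and a tighter variant that keeps the trailing
# comma so a group whose name merely starts with "Finance" does not match.
BROAD_RULES = [MappingRule("memberOf", "contains", "CN=Finance", "Employee")]
TIGHT_RULES = [MappingRule("memberOf", "contains", "CN=Finance,OU=Groups,", "Employee")]


def evaluate(rules):
    """VLAN each constructed user lands in under a rule set."""
    return {user: assign_vlan(attrs, rules) for user, attrs in USERS.items()}


if __name__ == "__main__":
    print("broad:", evaluate(BROAD_RULES))
    print("tight:", evaluate(TIGHT_RULES))
```

Under the broad rule both alice and bob land in VLAN 15, because "CN=Finance" is a substring of "CN=FinanceContractors"; the tighter value keeps bob in the default role. Whatever the real product's matching semantics are, running the returned memberships through the intended expression this way shows whether the rule is as narrow as the role it grants.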

  • Is ACS required in NAC appliance.

    Hi,
    One of our clients have decided to implement NAC. They need to know what the various options are, especially the NAC appliance (3310 etc). I read that the appliance is a device like a server which has hard disks, CD-ROMs etc. But the documents don't say much about the configuration of the server, whether ACS is required to be installed on the server etc. Can we do port based 802.1x with the help of this device (like dynamically assigning a host to a particular VLAN if OS/anti-virus is not updated)?
    Thx in advance.
    Sonu

    NAC appliance will work with many authentication methods. NAC Framework requires ACS. Getting back to the NAC appliance.... You can use ACS/RADIUS/LDAP/etc. to authenticate the users.
    The Appliance will work with Patch Management (after authentication) to ensure that the right applications and patch levels are met. We work with Altiris/BigFix/PatchLink/SMS and more.
    The great thing about NAC Appliance is that it works for all four major use cases:
    1. VPN users
    2. WIFI users
    3. LAN/wired users
    4. Guest/visitors
    We can
    1. authenticate
    2. Posture assess (scan)
    3. Quarantine
    4. Remediate
    You don't want users to have to learn three different ways to connect to the network.
    802.1x is working for WiFi today and for LAN connections we use one user per port so they get the whole pipe. In the future we will support subdivision of an Access Switch port for multiple devices and users.
    I hope this helps.

  • NAC framework or NAC appliance: which is better

    Hi all, can someone just advise which is a better solution, the NAC appliance or the NAC framework.
    regards
    sushil

    Hi Sushil,
    If you are taking a poll, please count me in for the appliance over the NAC framework. I've done both and there are more variables in the framework than when you use the appliances. From my experience, the more variables the harder it is to troubleshoot. Your mileage may vary.
    I would also add that doing an implementation which employs a Virtual Gateway, Out-of-Band for wired users, and Central Deployment is the best use of your time and money.
    Of course, if you are using NAC for VPN and Wireless users you still need dedicated CAS devices for these require In-band deployments.
    Hope this helps.
    Paul

  • Cisco NAC Appliance

    Hi
    I wanted to know if someone can give me some help on a Cisco NAC appliance.
    Honestly I've heard of them but I've never installed or worked on one before and I have a client who wants to have one installed. So I wanted to know, can someone here point me in the right direction as far as installation and configuration? Thanks for the help in advance and have a great evening.

    Hi
    Everything you need to get started:
    http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • NAC Appliance remediation

    We are currently testing the NAC appliance before we roll it into production in an environment that does not have a software distribution system. I was just wondering about the various methods people use to have end users self-remediate their machines when using a file or link requirement with the CAS.
    The main requirement is that the CSA agent must be installed on the end users machine. The user can successfully download the CSA agent exe from the CAS. However, the installation requires admin rights, but because our users do not have this the installation fails and the user can not become compliant.
    Any suggestions on best practices or methodologies used in a production environment would be greatly appreciated.

    The following links may help you:
    http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_bulletin0900aecd805baf90.html
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_agent.html

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.
