NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

Hello,
I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:
Core Switch:
VLAN DB:
vlan 10
name VLAN_DEPT1
vlan 11
name VLAN_DEPT2
vlan 20
name VLAN_DEPT3
vlan 26
name VLAN_DEPT4
vlan 27
name VLAN_DEPT5
vlan 28
name VLAN_DEPT6
vlan 29
name VLAN_DEPT7
vlan 30
name VLAN_DEPT8
vlan 32
name VLAN_DEPT9
vlan 50
name VLAN_NetMGT
vlan 51
name VLAN_CAS_MGT
vlan 52
name VLAN_CAM_MGT
vlan 210
name VLAN_DEPT1_Auth
vlan 211
name VLAN_DEPT2_Auth
vlan 220
name VLAN_DEPT3_Auth
vlan 226
name VLAN_DEPT4_Auth
vlan 227
name VLAN_DEPT5_Auth
vlan 228
name VLAN_DEPT6_Auth
vlan 229
name VLAN_DEPT7_Auth
vlan 230
name VLAN_DEPT8_Auth
vlan 232
name VLAN_DEPT9_Auth
Interface Configs
interface GigabitEthernet3/41
description "Link to Cisco CAM-PRI eth0"
switchport access vlan 52
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
interface GigabitEthernet3/42
description "Link to Cisco CAM-FO eth0"
switchport access vlan 52
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
interface GigabitEthernet3/43
description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
switchport trunk allowed vlan 210,211,220,226-230,232
interface GigabitEthernet3/44
description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
switchport trunk allowed vlan 210,211,220,226-230,232
interface GigabitEthernet3/46
description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
switchport trunk allowed vlan 10,11,20,26-30,32,50-51
interface GigabitEthernet3/48
description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
switchport trunk allowed vlan 10,11,20,26-30,32,50-51
interface GigabitEthernet1/1
description "Trunk link to DEPT1 Access SW"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
!------- Example of VLAN Interface --------
interface Vlan10
description "DEPT1 VLAN"
ip address x.x.10.1 255.255.255.0
ip helper-address x.x.50.5
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
!------- No VLAN Interface for AUTH VLAN 210 --------
Access Switch Configuration
interface GigabitEthernet0/1
description "Trunk Link to Core Switch"
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 700
switchport mode trunk
no ip address
interface GigabitEthernet0/6
switchport access vlan 30
switchport mode access
spanning-tree portfast
spanning-tree guard root
no cdp enable
no ip address
=========================================
Is the above config correct?
Thanks
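The script below is an added example, not part of the original post and not Cisco's code. It runs the L2 OOB Virtual Gateway invariants that the deployment model implies against an abridged copy of the core-switch config above: only auth VLANs on the CAS untrusted trunk, only access VLANs plus the CAS management VLAN on the trusted trunk, an explicit unused native VLAN on each trunk that differs between the two, and no SVI on any auth VLAN. It then runs the same checks against a constructed broken variant. Those are also the points the reply under "NAC - OOB - Virtual IP - users lost connecti" further down lists as causes of VLAN mismatch and MAC flapping. Two assumptions are baked in: the trusted/untrusted side of each trunk is read from the "eth0"/"eth1" text in the interface descriptions, and the auth-to-access pairing is inferred from the VLAN_DEPTn_Auth / VLAN_DEPTn naming rather than from the CAM's port-profile mapping.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the core-switch config from the post: one dept VLAN pair, the CAS mgmt
# VLAN, the two CAS-PRI trunks and the Vlan10 SVI (the post has no SVI for auth VLAN 210).
CORE_CONFIG = """
vlan 10
 name VLAN_DEPT1
vlan 51
 name VLAN_CAS_MGT
vlan 210
 name VLAN_DEPT1_Auth
interface GigabitEthernet3/43
 description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
 switchport trunk native vlan 777
 switchport mode trunk
 switchport trunk allowed vlan 210
interface GigabitEthernet3/46
 description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
 switchport trunk native vlan 700
 switchport mode trunk
 switchport trunk allowed vlan 10,50-51
interface Vlan10
 ip address x.x.10.1 255.255.255.0
"""
# Constructed broken variant: shared native VLAN, auth VLAN leaked onto the trusted trunk, SVI on it.
BROKEN_CONFIG = CORE_CONFIG.replace("native vlan 700", "native vlan 777").replace(
    "allowed vlan 10,50-51", "allowed vlan 10,50-51,210"
) + "interface Vlan210\n ip address x.x.210.1 255.255.255.0\n"

@dataclass
class Iface:
    name: str
    description: str = ""
    mode: str = ""          # "access", "trunk" or "" (SVI / routed port)
    native_vlan: int = 0    # 0 = not set
    allowed: set = field(default_factory=set)
    has_ip: bool = False

def expand_vlan_list(spec):
    """'10,11,50-51' -> {10, 11, 50, 51}."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_ios(text):
    # Minimal IOS parser: VLAN names plus the switchport/ip lines the audit needs.
    vlans, ifaces, cur_vlan, cur_if = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur_vlan, cur_if = int(m.group(1)), None
            vlans.setdefault(cur_vlan, "")
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur_if, cur_vlan = Iface(m.group(1)), None
            ifaces[cur_if.name] = cur_if
        elif cur_vlan is not None and line.startswith("name "):
            vlans[cur_vlan] = line[5:]
        elif cur_if is not None:
            if line.startswith("description "):
                cur_if.description = line[12:].strip('"')
            elif line.startswith("switchport mode "):
                cur_if.mode = line.split()[-1]
            elif line.startswith("switchport trunk native vlan "):
                cur_if.native_vlan = int(line.split()[-1])
            elif line.startswith("switchport trunk allowed vlan "):
                cur_if.allowed = expand_vlan_list(line.split("vlan", 1)[1])
            elif line.startswith("ip address "):
                cur_if.has_ip = True
    return vlans, ifaces

def audit(text, cas_mgmt_vlan=51):
    """Return (auth->access mapping implied by the VLAN names, list of findings; empty = clean)."""
    vlans, ifaces = parse_ios(text)
    by_name = {n: v for v, n in vlans.items()}
    auth = {v for v, n in vlans.items() if n.endswith("_Auth")}
    mapping = {a: by_name[vlans[a][:-5]] for a in auth if vlans[a][:-5] in by_name}
    findings = []
    for i in ifaces.values():   # an SVI on an auth VLAN hands unauthenticated hosts a router
        if (m := re.fullmatch(r"Vlan(\d+)", i.name)) and int(m.group(1)) in auth and i.has_ip:
            findings.append(f"{i.name}: SVI configured on an auth VLAN")
    cas = [i for i in ifaces.values() if i.mode == "trunk" and "CAS-" in i.description]
    untrusted = [i for i in cas if "eth1" in i.description]   # assumption: CAS eth1 = untrusted
    trusted = [i for i in cas if "eth0" in i.description]     # assumption: CAS eth0 = trusted
    for u in untrusted:
        if leak := u.allowed - auth:
            findings.append(f"{u.name}: non-auth VLANs {sorted(leak)} on untrusted trunk")
    for t in trusted:
        if leak := t.allowed & auth:
            findings.append(f"{t.name}: auth VLANs {sorted(leak)} on trusted trunk")
        if missing := set(mapping.values()) - t.allowed:
            findings.append(f"{t.name}: access VLANs {sorted(missing)} missing from trusted trunk")
        if cas_mgmt_vlan not in t.allowed:
            findings.append(f"{t.name}: CAS management VLAN {cas_mgmt_vlan} not allowed")
    for i in cas:               # native VLAN must be explicit and carry no user traffic
        if not i.native_vlan or i.native_vlan in i.allowed:
            findings.append(f"{i.name}: native VLAN must be an explicit, unused VLAN")
    if shared := {t.native_vlan for t in trusted} & {u.native_vlan for u in untrusted}:
        findings.append(f"trusted and untrusted CAS trunks share native VLAN {sorted(shared)}")
    return mapping, findings
```

Run `audit(CORE_CONFIG)` and `audit(BROKEN_CONFIG)` from an interpreter: the posted config comes back clean with the 210 to 10 pairing, while the broken variant reports the auth VLAN on the trusted trunk, the SVI on VLAN 210 and the shared native VLAN. To audit the full running config, feed the output of `show running-config` into `audit()` unchanged; the parser ignores every line it does not recognise.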

Hi,
By bogus I assume you mean something like:
interface Vlan700
description "BIT BUCKET for unused ports"
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
shutdown

Similar Messages

  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a Central Deployment (NAC server at the central site) for remote office (WAN) users, is it possible to work with L3 OOB
    Virtual Gateway, or is it only possible to work with L3 OOB Real-IP Gateway?
    If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
    I didn't find an answer for this in the documentation.
    Thanks in advance.

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at Switch Management -> Port Profiles and, below "Options: Device Connected to Port" (the second one), "Change to .... if the device is certified"; there should be an Access VLAN option. Make it active.

  • L3 Deployment OOB Virtual Gateway

    Hi Faisal,
    Good day! I would like to ask about the L3 deployment approach using OOB Virtual Gateway. What I did was enable the L3 support and apply static routes. When I try to connect a client workstation I cannot get an IP address. The Cisco switch that I'm using at the remote site was already discovered in the devices in NAC. When I check the ports, they change to authentication VLAN 100 but cannot pass through. The IP block for the site is 10.19.x.x. Do I have to put a managed subnet and VLAN mapping? From what I've read in the manual there is no need to configure the managed subnet; instead a static route needs to be applied.
    For the L2 OOB Virtual Gateway deployment it's working now; the IP block I'm using is 10.1.x.x. I want to add the L3 deployment for the remote sites as well, so that the users authenticate through the NAC. I'm thinking of applying two approaches for the NAC: L2 deployment for the main site and L3 deployment for the remote sites. Faisal, am I doing it correctly? Please let me know what I should apply for it and see the attachment. Thanks.
    Richard

    I have set up a Windows DHCP server locally in the network that is L3 hops away. Basically the network from the main site (where the NAC is installed) and the remote site were already connected and talking because of the static route. The remote site has always had a DHCP server locally where the clients get their IP address. I also created the DHCP scope for the authentication VLAN as I saw in the manual, though in the example they're using an L3 switch. I configured the static route in the CAS. What else do I need in the configuration?
    In the OOB Virtual Gateway there is no problem using the Windows DHCP server, but the thing is it cannot work L3 hops away; it only works in the main site. That's why I changed to OOB RIP. Please see the attachment.

  • NAC Appliance + OOB Virtual Gateway Trunking issues

    I have the following problem. When I connect the CAS eth0 to a trunk port in the core switch it disconnects from the CAM. When the port is in access mode, the CAM can connect to the CAS. The core switch is a 4500 with IOS 12.2(25)EW. What could be the problem?

    Hi prananth,
    I managed to resolve the issue. It was an HA issue. I had configured "Link failure detect" on the redundant CAS appliance. Apparently the CAS couldn't reach the pingable IP, causing failover to take place many times between the two boxes and causing the CAS not to communicate with the CAM.
    Kindly help me with the following problem I am now having:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddf45d4/0#selected_message
    I will really appreciate. Thank you.

  • Cisco Clean Access OOB with virtual gateway

    I have set up Clean Access OOB Virtual Gateway mode. For the managed subnet I put one of the unused IPs with the unauthenticated VLAN. Some of the PCs run with DHCP, so I put IP refresh after successful authentication (this is working fine), but some of them run with static IPs, so I cannot refresh the IP address.
    After authentication through Clean Access, the Clean Access Manager changes the unauthenticated VLAN (44) to the authenticated VLAN (4), but I can't access the Internet or any other application through the network (with both static IP and DHCP; if I put refresh DHCP IP, I can). In the PC's ARP cache I can see the original gateway MAC address; if I clear the ARP cache with the arp -d command, at that moment it starts working. How can I solve this issue? Please help me, guys.
    thank you

    This document describes how to configure the syslog settings in order to log the events to an external server in the Cisco Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access (CA).
    http://www.cisco.com/en/US/products/ps6128/products_tech_note09186a008085d6e9.shtml

  • NAC OOB VIRTUAL GW PROBLEM

    Hi,
    I am trying to setup a NAC OOB Virtual GW Scenario (attached is the visio schematic of the setup):
    Switch: 3550 (ios 12.2(46) adv ip serv)
    NAC 4130 appliances: v4.1.6 (also tried v4.5)
    Switch configuration of the trunks to the CAS:
    - int f0/23 (connected to CAS e0) -> dot1q trunk with native VLAN 999 and allowed VLANs 199 (mgmt VLAN of CAS) and 10 (hosts' access VLAN)
    - int f0/21 (connected to CAS e1) -> dot1q trunk with native VLAN 998 and allowed VLAN 100 (hosts' authentication VLAN)
    - SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
    The problem I am facing is that the host once connected to a managed port is able to acquire an ip from the access vlan from the dhcp server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
    - Login Page
    - Configured IP-based traffic control on the unauthenticated role to permit all traffic (also host-based to permit https://192.168.199.1 -> the CAS's IP, with trusted DNS set to my DNS server 192.168.99.1)
    - Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
    - vlan mapping between untrusted vlan 100 and trusted vlan 10
    - tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)
    - also tried to access the CAS's login page from the host, in vain, even though it is accessible from trusted subnets
    Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
    I would be very thankful for any hints to help me solve this issue.
    Questions: When the host is connected to a managed port (assigned to the managed VLAN 100) and it is assigned an IP from the access VLAN 10, shouldn't I be able to access the managed subnet, since I configured an IP traffic control policy to permit all traffic from untrusted to trusted? Also, shouldn't I be able to resolve a website's IP with "nslookup x.com", since DNS traffic is permitted by default and the trusted DNS server 192.168.99.1 is configured?
    Thanks in advance for any help.

    It turned out that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
    Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
    For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
    Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
    For further details, refer to switch IOS caveat CSCdu27506:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
    See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
    Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
    Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band (OOB) deployments. This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
    Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature
    (Central Deployment = both CAS interfaces into the same switch; Edge Deployment = each CAS interface into a different switch)
    Cisco Catalyst Switch Model    Central Deployment                      Edge Deployment
    6000/6500                      Yes                                     Yes
    4000/4500                      Yes                                     Yes
    3750/3560 (L3 switch)          Yes with 12.2(25)SEE and higher (1)     Yes
    3550 (L3 switch)               No (1)                                  Yes
    3750/3560 (L2 switch)          Yes                                     Yes
    3550 (L2 switch)               Yes                                     Yes
    2950/2960                      Yes                                     Yes
    2900XL                         No (2)                                  Yes
    3500XL                         Yes                                     Yes
    28xx NME                       Yes with 12.2(25)SEE and higher (1)     Yes
    (1) Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
    (2) 2900 XL does not support removing VLAN 1 from switch trunks.

  • NAC - OOB - Virtual IP - users lost connecti

    Hi.
    So my problem is the follow:
    I have at my customer a NAC OOB Virtual IP Gateway.
    So, we have many port profiles, each port profile with its own authentication VLAN and access VLAN, for example:
    TI -  auth vlan 585 -  access vlan 85
    ENGINEERING - auth vlan 586 - access vlan 86
    And works very very fine.
    BUT
    There is a common location called PLATFORM (auth VLAN 587, access VLAN 87) where, after putting the port profile on each user interface on the switch, after 20 minutes or less the machines that are on this profile (VLANs 587, 87) lose network connectivity, without a bounce.
    I checked and some machines, for no reason, are changed to the authentication VLAN without an SNMP linkdown, even though they are in the certified device list.
    Other machines remain in the access VLAN but lose all connectivity to the network, without being able to ping the gateway or any other device.
    Another VLAN (for example VLAN 1) that is not controlled by NAC continues to communicate normally.
    I tried to see any logs on the switch but could not see anything abnormal (yet).
    Other locations with other port profiles work normally.
    The uplinks on these switches and the user interfaces don't have any CRC or other errors.
    Could anyone help me? This is causing problems in my account.

    Hi,
    I understand then that the clients are not connecting through local or SSO mode, is that correct?
    I would suggest 3 things so far:
    1. Check the logs on the switches where the CASs are connected. I had a similar problem where the CAS would stop responding and the switches would complain about VLAN mismatch or MAC flapping. If you notice errors on the switches, verify that you have:
    * VLAN mapping enabled correctly
    * A different native VLAN on the switch interface for the trusted and untrusted CAS ethX.
    * The correct VLANs configured on each port: for the untrusted interface just the authentication (layer 2) VLANs, for the trusted interface the access VLAN (20) and the management VLAN.
    2. Enable the management vlan tag on the trusted interface of the CAS and use your CAS management vlan.
    3. On the CAM go to the Clean Access Server section and manage one of your CASs; the first window will show the services currently running on the CAS. Verify whether the SSO service is running; if it's not running, verify the configuration. If it's not allowing you to enable it, verify the time settings on your devices, the AD user and all the other settings needed for this to work.
    Hope this helps,
    Regards,

  • NAC - virtual gateway vs. real gateway

    Hi All,
    I don't have too much experience with NAC deployment. I want to go with L3 (because we have a central site), OOB (for LAN) and IB (for wireless and VPN), but I don't know whether I should go with real gateway or virtual gateway. I know virtual gateway is easier than real gateway, but technically, which way is more popular and provides better security?
    any suggestion would be very appreciated.
    thanks
    Alex

    If your remote subnets are multiple hops away, RIP (Real-IP Gateway) would be the option you should use. They are both equally popular, but for L3 subnets which are remote, RIP is the most often used design.

  • NAC Appliance for Wireless In-Band Virtual Gateway

    Hi, People.
    Does anybody know how to configure NAC Appliance for Wireless In-Band Virtual Gateway?
    Tks.

    Hi Wemerson,
    Basic wireless or wired In-Band is basically the same thing regarding the NAC configuration.
    Please follow the chalk-talks available online: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
    Notes:
    - In In-Band, all traffic MUST flow through the CAS, which means that all the traffic on the VLAN of the wireless client MUST flow through the CAS. This can be done via L2 mechanisms (VLAN restrictions) or L3 (routing).
    - For the CAS, it is transparent whether the client traffic comes from a wireless client or a wired client.
    - If you want to use wireless SSO, you can configure the WLC the same way as a VPN concentrator. The WLC will then send RADIUS Accounting information to the CAS, and the CAS can allow clients to access resources if they have already been authenticated by the WLC.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • NAC Problem_In-Band Virtual Gateway deployment

    We deployed an In-Band Virtual Gateway deployment.
    The users connected to the untrusted VLAN and took an IP address from DHCP, which is configured on the ASA that is connected to the trusted interface, but no one can reach the gateway (the IP address of the firewall), and when we open any browser it does not redirect to the web login page. We don't have a local DNS; we use global DNS.
    Note: we used HP switches.
    Please support me ASAP.
    BR,
    Saad Eid

    I have not found any either. You can use the one for VPN since it will be the same.
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

  • NAC layer 3 Virtual Gateway Setup

    I am running the NAC Appliance currently in virtual gateway mode for layer 2 inband and it works great. I wanted to add layer 3 virtual gateway inband to this same NAC server, but I can't seem to find enough documentation on this. I do have layer 3 enabled and a static route to the layer 3 network in place. I don't think I understand how to get the network to go through the NAC. Do I need to run the Agent on the layer 3 network or can it still somehow go through just the web page authentication?
    Thanks.

    Policy route the unauthenticated traffic so it forces the layer 3 network in question through your CAS layer 3 device. Your discovery host address should be on the other side of the Clean Access Server, on the trusted side. There's a NAC Chalk Talk PDF that steps through this for you.
    Search "NAC Chalktalk"

  • WLCM and NAC-NME configuration

    Has anybody deployed WLCM and NAC-NME in the same ISR 3800 box? What's the best practice, and is there any configuration example?
    The customer has a small site with one 3825; one WLCM (interface Integrated-Service-Engine1/0) and one NAC-NME (interface Integrated-Service-Engine2/0) are installed in the 3825. GE0/0 of the 3825 connects to the internal L3 switch, GE0/1 connects to the Internet. One WLAN has been configured in the WLCM (version 6.0.188) and will be protected by the NAC-NME (version 4.6.1).
    It is said that the NAC-NME does not support OOB mode and can only work in In-Band mode. Since Real-IP Gateway mode has a lot of limitations, can the NAC-NME be configured in In-Band Virtual Gateway mode? If yes, then how do I set up a Layer 2 connection between the WLCM (interface Integrated-Service-Engine1/0) and the untrusted interface (external G0) of the NAC-NME?
    What I can think is:
    Let me assume the quarantined VLAN of this WLAN is 310 and the real VLAN is 311; both the NAC-NME's untrusted interface (external G0) and GE0/0 of the 3825 are connected to a 3750E L3 switch's G1/0/1 and G1/0/2; the untrusted interface management VLAN is 304 and the trusted interface management VLAN is 303. Then I can configure:
    1. For 3825:
    interface GigabitEthernet0/0.310
    encapsulation dot1Q 310
    bridge-group 1
    interface GigabitEthernet0/0.311
    encapsulation dot1Q 311
    bridge-group 2
    interface Integrated-Service-Engine1/0.310
    encapsulation dot1Q 310
    no ip address
    bridge-group 1
    interface Integrated-Service-Engine1/0.311
    encapsulation dot1Q 311
    no ip address
    bridge-group 2
    bridge 1 protocol ieee
    bridge 2 protocol ieee
    2. For 3750E:
    interface GigabitEthernet1/0/1
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 304,310,311
    switchport mode trunk
    interface GigabitEthernet1/0/2
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 310,311
    switchport mode trunk
    but how to configure interface Integrated-Service-Engine2/0 of the 3825 which is connected to the trusted interface of the NAC-NME?
    interface Integrated-Service-Engine2/0.303
    encapsulation dot1Q 303
    ip address x.x.x.x
    interface Integrated-Service-Engine1/0.311
    encapsulation dot1Q 311
    ip address y.y.y.y
    3. NAC-NME will configure VLAN mapping 310<-->311
    I have not tested these configurations (I don't have access to the 3825 yet; I will be able to access it next week), but I'm afraid that since GigabitEthernet0/0.311 of the 3825 has been configured as a bridge port, maybe Integrated-Service-Engine1/0.311 can't be configured as an L3 port.
    Is there anything else I need to configure? Or is there any better design and configuration example? Any input is highly appreciated!

    You got a defective unit. Open a TAC case to get a replacement.

  • NAC CCA - Designated Period

    Hello,
    I'm running a NAC solution (L2 OOB VG). I'm fine-tuning the CCA section configuration on the CAM. I've selected 'audit' for my enforce type in the Requirements section, because I want to see all the reports on whether my users are certified or not. Is it possible to configure the CAM to give my users a designated period (let's say 2 weeks) to get everything updated and get their PCs certified, and if not, they would be locked out from accessing the internal network?
    -K

    I think these Release Notes for Cisco NAC Appliance (Cisco Clean Access) will clear your doubts on NAC/CCA issues.

  • NAC 4.7.2 OOB SNMP issues

    Hello,
    I am setting up a NAC CAM and CAS 4.7.2 OOB setup in a test environment (NAC failover for CAM and CAS), and I am seeing some strange SNMP issues. I am testing with a 3750 switch (12.2(53)SE1) using SNMP v2 and v3 since v3, and accessing the switch port configuration in the NAC manager is extremely slow. I click OOB Management -> Devices -> switch XXX and it takes several minutes for the port listing to display. Then sometimes it comes up quickly, but a 'show debug snmp' on the switch shows that it isn't polling the switch, so it apparently starts pulling the ports page from cache, but I can see no logic in how it does this.
    Q1) When and why does the ports page pull cached info?
    Q2) Why are SNMP queries operating so slowly with NAC 4.7.2 OOB?
    Here is my test switch/NAC SNMP config (with pseudo names and fake passwords):
    snmp-server community switch_read ro   (matches OOB Management -> Profiles -> Device -> SNMP Read v2 settings)
    snmp-server view v1default iso included
    snmp-server user switch_write switch_group v3 auth md5 <my-password>  (matches OOB Management -> Profiles -> Device -> SNMP Write v3 settings)
    snmp-server group switch_group v3 auth read v1default write v1default
    snmp-server user cam_notify cam_group v3 auth md5 <my-password>
    snmp-server host 10.200.11.100 traps version 3 auth cam_notify mac-notification snmp  (matches OOB Management ->  Profiles -> SNMP Receiver v3 settings)
    snmp-server group cam_group v3 auth read v1default write v1default notify v1default
    What is wrong with my setup?  Any help is appreciated.

    Did anyone ever find a solution to this issue? I'm having the same problem: it takes minutes to open the ports on a switch in the CAM. It shouldn't take minutes to manage ports for each switch; it should take less than 10 seconds.

  • How to Configure Multiple Relays / Mail Gateways

    Platform: Sun Solaris 8
    Software: iMS 5.2
    How do I configure two MX (relay / gateway server) records in the imta config file? Our requirement is to have two gateways defined, for example "xyz.net" and "xyz.com". All emails destined to email addresses ending with ".net" should use the "xyz.net" gateway and the rest of them should use the "xyz.com" gateway, and the configuration should be flexible enough to accommodate future additions to our gateways.
    An early response would be appreciated.
    Thanks
    Arun Addepalli

    Well, to point the outside mail servers to your gateways, just put MX entries for each domain into DNS and point DNS to the correct host for that domain.
    To make the mail server recognize the domain, just create it in the ida and put the users under that domain. The users' mailhost attribute will take care of letting the gateways know where to forward the mail so it will go to the correct host.
    If you need to do domain aliasing with the same users for both domains that is a bit different. Do you need to do this?
