NAC In-band Real IP Gateway process

Hi all,
I've been doing a lot of research and I still can't find good answers to some of my questions. All the big questions are answered for out-of-band configuration but I find that it's assumed that understanding in-band is taken for granted lol...I guess I'm slow =P
How does In-band Real-IP Gateway work?
What is the point of the /30 subnets?
Are there access/auth VLAN pairs in in-band configurations?
How does quarantining work?
I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
Can you do role-mapping with in-band configurations?
Any help with any or all of these questions would be GREATLY appreciated!
Thanks much =]
~ Xavier.

Hi Xavier,
let me try to answer your questions
1.How does In-band Real-IP Gateway work?
The CAS works in routed mode, so you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Since the CAS doesn't support routing protocols, all the routing has to be configured through static routes.
2. What is the point of the /30 subnets?
The idea is to have small subnets for your clients so that with this IP config the clients in the authentication VLAN need to go through the CAS even to talk to other clients in the same L2 subnet.
Check here for some explanation:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cas/s_dhcp.html#wp1057889
3. Are there access/auth VLAN pairs in in-band configurations?
If you ask if there's VLAN mapping, then the answer is NO, as the aim of the VLAN mapping is to *bridge* traffic between the trusted and untrusted mapped VLANs, but in Real-IP the CAS does L3 routing of the traffic.
4. How does quarantining work?
When a client is quarantined, this works in the same way as in OOB, as in this phase the client is still inline to the CAS.
So the concept is that the CAS assigns the user to the temporary or quarantine role and it applies a traffic policy that you configured for the temporary or quarantine role.
5. I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
The "single" VLAN restriction for Real-IP CAS applies only to the *trusted* side. The CAS can be the default gateway for multiple VLANs/IP Subnets on the *untrusted* side.
You configure additional VLAN/IP addresses on the untrusted side using the "managed subnet" configuration.
This is also mentioned here:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_deploy.html#wp1050938
The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For details on setting up managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.
6. Can you do role-mapping with in-band configurations?
Yes, you can do it! However, you cannot assign VLANs as you do in OOB but you can assign different access level based on the IP traffic policies and bandwidth restrictions you assign to the specific role.
Check for instance here for more details:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_users.html#wp1040231
In a nutshell, irrespective of the use of InBand vs. OutOfBand:
- the clients are InBand to the CAS during the CAS discovery, authentication, posture assessment and remediation phases.
The main difference occurs when the user is authorized to have access to the network. You perform role assignment both in IB and OOB, but:
- in IB the client traffic keeps on flowing inline to the CAS, so you can apply different access policies (ACL) and bandwidth control policies depending on the role (but you cannot assign VLAN);
- in OOB the client traffic bypasses the CAS once it's authorized: in this case you can apply different VLANs but (since the CAS is no longer along the path) you can't apply ACLs and/or traffic shaping policies in this case.
I hope this answers your questions.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
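
Added example (not part of the original thread) to make point 2 concrete: the script below carves a managed subnet into /30 client pools and compares a client's forwarding decision when its DHCP lease carries a /24 mask versus a /30 mask. The subnet 10.1.0.0/24, and the convention that the CAS takes the first usable address of each /30 while the client gets the second, are assumptions for the demo, not taken from the thread or from Cisco documentation.

```python
import ipaddress

# Example managed subnet on the untrusted side; the address is made up for this demo.
MANAGED_SUBNET = "10.1.0.0/24"


def carve_client_subnets(managed_subnet, prefix=30):
    """Split a managed subnet into per-client subnets of the given prefix.

    Returns a list of (network, gateway_ip, client_ip). Inside each /30 the
    first usable address is assumed to be the CAS (the client's default
    gateway) and the second is the one leased to the client. A /30 has
    exactly two usable addresses, so exactly one client fits per pool.
    """
    net = ipaddress.ip_network(managed_subnet, strict=True)
    pools = []
    for sub in net.subnets(new_prefix=prefix):
        hosts = list(sub.hosts())
        pools.append((sub, hosts[0], hosts[1]))
    return pools


def next_hop(src_ip, src_prefix, dst_ip):
    """Mimic the client's own forwarding decision.

    A host sends directly (ARPs for the peer) when the destination falls
    inside the subnet defined by its leased mask; otherwise it sends to its
    default gateway, which in Real-IP mode is the CAS untrusted interface.
    """
    iface = ipaddress.ip_interface(f"{src_ip}/{src_prefix}")
    return "direct" if ipaddress.ip_address(dst_ip) in iface.network else "gateway"


def peer_path_summary(managed_subnet, leased_prefix):
    """Count client-to-client paths that bypass the CAS for a given leased mask.

    Clients are always placed as in the /30 layout; only the mask handed to
    them changes. With /30 leases the bypass count is zero, which is the point.
    """
    clients = [str(c) for _, _, c in carve_client_subnets(managed_subnet, 30)]
    bypass = 0
    for a in clients:
        for b in clients:
            if a != b and next_hop(a, leased_prefix, b) == "direct":
                bypass += 1
    return {"clients": len(clients), "direct_peer_paths": bypass}


if __name__ == "__main__":
    for sub, gw, client in carve_client_subnets(MANAGED_SUBNET)[:3]:
        print(f"{sub}: CAS/gateway {gw}, client {client}")
    print("leased /24 mask:", peer_path_summary(MANAGED_SUBNET, 24))
    print("leased /30 mask:", peer_path_summary(MANAGED_SUBNET, 30))
```

With a /24 mask every client-to-client path is a plain ARP exchange on the authentication VLAN that the CAS never sees, so the role's traffic policy cannot touch it; with /30 leases every such path goes to the gateway, i.e. through the CAS, which is what point 2 describes. The cost is address space: a /24 yields only 64 clients.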

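Added example (mine, not from the thread) for points 4 and 6 and the in-band half of the summary: an in-band CAS keeps the client inline, so what a role gets is an ordered list of allow/deny rules rather than a VLAN. The evaluator below models that: rules are checked top-down, first match wins, and anything unmatched (including an unknown role) is denied. The role names temporary and quarantine come from the thread; the other role names, the rules themselves and all addresses are invented for the demo and are not Cisco defaults.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# All addresses are made up for the example.
CAS_TRUSTED_IP = "10.0.0.5"       # assumed address the web-login portal is served from
DNS_SERVER = "10.0.0.53"
REMEDIATION_SERVER = "10.0.0.80"  # patch/AV host that temporary/quarantine may reach


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    dst: str               # destination network in CIDR
    dport: Optional[int]   # destination port; None means any port

    def matches(self, proto, dst_ip, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


# Per-role traffic policy: evaluated top-down, first match wins, then default deny.
ROLE_POLICIES = {
    "unauthenticated": [                       # only what is needed to log in
        Rule("allow", "udp", f"{DNS_SERVER}/32", 53),
        Rule("allow", "tcp", f"{CAS_TRUSTED_IP}/32", 443),
        Rule("allow", "tcp", f"{CAS_TRUSTED_IP}/32", 80),
    ],
    "temporary": [                             # failed posture, still remediating
        Rule("allow", "udp", f"{DNS_SERVER}/32", 53),
        Rule("allow", "tcp", f"{REMEDIATION_SERVER}/32", 80),
        Rule("allow", "tcp", f"{REMEDIATION_SERVER}/32", 443),
    ],
    "quarantine": [                            # stricter: remediation over TLS only
        Rule("allow", "udp", f"{DNS_SERVER}/32", 53),
        Rule("allow", "tcp", f"{REMEDIATION_SERVER}/32", 443),
    ],
    "contractor": [                            # internet web only, no internal nets
        Rule("deny", "any", "10.0.0.0/8", None),
        Rule("allow", "tcp", "0.0.0.0/0", 443),
        Rule("allow", "tcp", "0.0.0.0/0", 80),
    ],
    "employee": [
        Rule("allow", "any", "0.0.0.0/0", None),
    ],
}


def evaluate(role, proto, dst_ip, dport):
    """First-match evaluation of the role's ACL.

    Unknown roles and unmatched traffic fall through to deny, the safe
    default for an inline enforcer that sits in the data path.
    """
    for rule in ROLE_POLICIES.get(role, []):
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "deny"


def roles_that_can_reach(proto, dst_ip, dport):
    """Audit helper: which roles would be permitted to send this flow."""
    return sorted(r for r in ROLE_POLICIES if evaluate(r, proto, dst_ip, dport) == "allow")


if __name__ == "__main__":
    flows = [
        ("quarantine", "tcp", REMEDIATION_SERVER, 443),
        ("quarantine", "tcp", "198.51.100.7", 443),
        ("contractor", "tcp", REMEDIATION_SERVER, 443),
        ("contractor", "tcp", "198.51.100.7", 443),
    ]
    for role, proto, dst, port in flows:
        print(f"{role:15} {proto}/{dst}:{port} -> {evaluate(role, proto, dst, port)}")
    print("roles that can reach remediation over 443:",
          roles_that_can_reach("tcp", REMEDIATION_SERVER, 443))
```

The ordering matters: the contractor deny for 10.0.0.0/8 has to sit above the broad allow, otherwise the allow would match first and expose the internal range. The audit helper is the kind of check worth running on a real policy set before trusting the quarantine role to contain a failed posture.
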
Similar Messages

  • NAC OUT OF BAND REAL IP GATEWAY

    Hello,
    I have NAC 4.8 and setup as Out of Band Real IP Gateway.
    Is it possible to integrate it with WLC5508(Wireless)?
    thank you

    Hello!
    Yes, I'd say you just have to wait for NAC OOB Real-IP with Wireless.. :-)
    In any case, it's perfectly fine to use ACS 5 to authenticate the Wireless users on the CT5508.
    Just a note, if you're actually using ACS 5.0 (and not 5.1 or 5.2), make sure that you also install the latest patch.
    In any case, if you're indeed on 5.0, I'd strongly recommend to go to 5.2.
    If what you're looking for is 802.1x authentication, you can refer to this document for a config example with the PEAP method:
    http://www.cisco.com/en/US/customer/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
    If you want to authenticate users through web-auth, then you can refer to this other document:
    http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    The above example refers to ACS 4.x, however, you can achieve the same goal on ACS 5... for that, just make sure you have good understanding of the policy model in ACS 5 .. you can find all the details on the config guide:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/policy_mod.html
    I hope this helps!
    Regards,
    Federico

  • NAC L2 Inband Real IP Gateway

    Hi Experts,
    I was just reading the Cisco Press book for NAC, and I came to the following paragraph. Can anybody explain to me the L2 In-band Real-IP Gateway mode steps from the start?
    If you use Real IP Gateway mode on NAC Appliance Server, you will have to make changes. The default gateway of clients has to be changed to be NAC Appliance Server, not the distribution switch.
    Thanks


  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a central deployment (NAC server at the central site) for remote office (WAN) users, is it possible to work with L3 OOB Virtual Gateway, or is it only possible to work with L3 OOB Real-IP Gateway?
    If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
    I didn't find a response for this in the documentation.
    Thanks in advance.

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at the Switch Management ->Port Profiles and below "Options: Device Connected to Port" (the second one) "Change to .... if the device is certified" there should be Access VLAN option -make it active.

  • NAC.OOB.L2.Real IP GW.dhcp-relay issue.

    Hello.
    I have CAM (manager) which is configured as L2 OOB real-ip gateway. central deployment.
    ethernet 0 (trusted) is L3. (ip add x.x.x.x)
    ethernet 1 (untrusted) is .1q and several authentication vlans (a,b,c,d) are connected to it.
    Of course, managed subnets are configured for the auth VLANs on eth1.
    Manager is configured as dhcp-relay.
    Is it ok that the manager changes DHCP packets to the DHCP server so that its ethernet 0 IP address (x.x.x.x) becomes the source address of the requests to the DHCP server?
    How can the DHCP server recognize auth VLAN a from auth VLAN b if all packets have the single source (x.x.x.x)???
    Where could my mistake be?
    Regards

    Hello varnavsky!
    You have to configure VLAN mapping (at the CAM) for all authentication VLANs! After the authentication and posture validation, the NAC client won't get a new IP address, so the client has to have an IP address from the proper access VLAN. When you configure these VLAN mappings the CAS always acquires an IP address from the proper range.
    By(e) Miki
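
Added example, not from the thread, on the question asked in the dhcp-relay post above (how the DHCP server can still tell auth VLAN a from auth VLAN b when every relayed request leaves the relay with the same IP source). It shows standard BOOTP/DHCP relay behaviour as defined in RFC 1542 and RFC 2131: the relay stamps the giaddr field with the address of the interface the client's broadcast arrived on, and the server picks the pool from giaddr, never from the IP-layer source of the relayed packet. Whether a given CAS build stamps giaddr per managed subnet is not stated in the thread; the code assumes a relay that follows the RFC. All addresses and the MAC are made up.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HOPS_OFFSET = 3      # op(1) htype(1) hlen(1) -> hops
GIADDR_OFFSET = 24   # ... xid(4) secs(2) flags(2) ciaddr(4) yiaddr(4) siaddr(4) -> giaddr

# Made-up addressing: two authentication VLANs behind the relay, and the relay's
# trusted-side address that becomes the IP source of every forwarded request.
RELAY_TRUSTED_IP = "10.0.0.5"
POOLS = {
    "auth_vlan_a": ipaddress.ip_network("10.10.1.0/24"),
    "auth_vlan_b": ipaddress.ip_network("10.10.2.0/24"),
}


def build_discover(xid, mac):
    """Minimal DHCPDISCOVER as the client broadcasts it: giaddr is all zeros."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                # transaction id, secs, flags (broadcast bit set)
        zero4, zero4, zero4, zero4,    # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"\x00" * 64, b"\x00" * 128,   # chaddr, sname, file
    )
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([255])  # msg type DISCOVER, end
    return header + options


def relay_forward(packet, ingress_iface_ip):
    """What a relay agent does before unicasting the request to the server:
    increment hops and, only if giaddr is still zero, stamp it with the address
    of the interface the broadcast came in on. A giaddr set by an earlier relay
    is preserved, so the server always learns the client's own subnet."""
    hops = packet[HOPS_OFFSET] + 1
    packet = packet[:HOPS_OFFSET] + bytes([hops]) + packet[HOPS_OFFSET + 1:]
    if packet[GIADDR_OFFSET:GIADDR_OFFSET + 4] == b"\x00" * 4:
        giaddr = ipaddress.IPv4Address(ingress_iface_ip).packed
        packet = packet[:GIADDR_OFFSET] + giaddr + packet[GIADDR_OFFSET + 4:]
    return packet


def giaddr_of(packet):
    return ipaddress.IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def select_pool(packet, pools):
    """Server-side pool choice (RFC 2131 section 4.3.1): a non-zero giaddr
    identifies the client's subnet. Zero giaddr means the request arrived
    directly and the server would fall back to its receiving interface's
    subnet (returned as None here). The IP-layer source of a relayed packet
    plays no part, so one shared relay source address is not a problem."""
    giaddr = giaddr_of(packet)
    if int(giaddr) == 0:
        return None
    return next((name for name, net in pools.items() if giaddr in net), None)


if __name__ == "__main__":
    disc = build_discover(0x3903F326, "00:11:22:33:44:55")
    for vlan, gw in (("a", "10.10.1.1"), ("b", "10.10.2.1")):
        fwd = relay_forward(disc, gw)
        print(f"VLAN {vlan}: IP src {RELAY_TRUSTED_IP}, giaddr {giaddr_of(fwd)}"
              f" -> pool {select_pool(fwd, POOLS)}")
```

The practical check this suggests: capture the relayed DISCOVER on the server side and look at giaddr. If it carries the relay's untrusted-side address for that VLAN the server has what it needs and any wrong-pool answer is a server-side scope problem; if it is zero or always the same address, the relay configuration is where to look.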


  • NAC Problem_In-Band Virtual Gateway deployment

    We deployed an In-Band Virtual Gateway deployment.
    The users connect to the untrusted VLAN and take an IP address from DHCP, which is configured on the ASA that is connected to the trusted interface, but no one can reach the gateway (the IP address of the firewall), and when we open any browser it does not redirect to the web login page. We don't have local DNS; we use global DNS.
    Note: we used HP switches.
    Please support me ASAP.
    BR,
    Saad Eid

    I have not found any either. You can use the one for VPN since it will be the same.
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml


  • NAC in-band vs out-of-band bandwidth management

    Hi,
    I am new to NAC. Would you please give me hints about bandwidth/traffic policy/QoS management when using out-of-band deployment of NAC? Is it possible NAC to configure the switch port with the appropriate bandwidth limiting template when it recognizes a certain user identity?
    Regards,
    Mladen

    Refer to NAC appliance configuration guide for more information
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_intro.html



  • NAC In-band problem

    I'm working on an in-band solution.
    The topology is INET(untrust)-Router-CAS-SW_level3-CAM and servers(trust).
    My problem is that the users in the untrust network have access to the trust network; they don't authenticate and no rule is applied. The end users are on Windows XP and there isn't any filter in the CAS.

    For this you will need to create policies for the untrusted role.
    Sounds like you have it allowing all traffic from untrusted to trusted.
    Cheers
    Matt

  • NAC, PBR but no redirect webpage

    Hi guys...
    I need some assistance....We set up the NAC as Out-of-Band Real-IP Gateway...We have PBR set up, and we are able to get ip address (authentication vlan), but no redirect webpage...
    any assistance would be greatly appreciated...

    You will need to do some packet captures along the path between the client and CAS to see exactly where the traffic is being dropped. You may need to add a static route in the NAC device to get the traffic back to the auth vlan.

  • NAC Agent issues

    Hi guys,
    We are encountering several problems with regards to the NAC Agent. We are deploying AD SSO and for some reason, on the same switch other hosts are performing SSO correctly and others are being prompted for a user name and password by the NAC agent even though the hosts are all logging in the same domain. Do you guys have any idea on how to go about this problem?

    Hi Guys,
    I have deployed  NAC as  OOB REAL IP gateway mode and it is working fine over LAN.
    Once I enabled the L3 functionality to connect remote site after that local user is being certified through WEB LOGIN.
    But NAC pop up is not reflecting to supply the username and password.
    A problem occurred when stopping the NAC agent services: "Agent has been terminated due to unexpected error. please restart your machine."
    Note: no ACL is configured yet.
    I have performed the following tasks to fix it:
    1. Restarted NAC agent services.
    2. Checked proxy settings.
    Could you please help me out to resolve this issue?
    Thanks & Regards,
    Azeem Khan

  • Checkpoint SecureRemote and Clean Access solution

    I am trying to implement the Clean Access solution (NAC In-Band Real-IP) with Checkpoint SecureRemote VPN clients and wondering whether it is possible to setup single-sign-on? If yes, can I use VPNSSO or do I need to configure ADSSO?
    Thanks for your time and help.

    Please open a TAC case for a timely response on code versions and matrix compatibility. We did not use Clean Access in our PCI Solution for Retail so I do not have a reference for you.
