NAC Inband Layer 2 VG

Hello Dears,
My company ordered NAC and ACS 1120. My question is: can I configure 802.1X security through the ACS server and NAC in layer 2 Inband Virtual Gateway for campus switches?
Is it a good design to have double security for switch ports, 1st is 802.1X and 2nd is NAC in layer 2 INBAND VG?
Thanks.

Hello Dears,
Any suggestions please, Experts?

Similar Messages

  • NAC Inband RealIP-Gateway address

    Hi Experts,
    I want to configure NAC appliance in INBAND-CENTRAL DEPLOYMENT-REAL IP GATEWAY.
    In this scenario, my clients are in different VLANs, say 2 & 3. For all my clients the default gateway should be the IP address of the NAC. Correct?
    Where will I configure this IP address in the NAC box so that it will be the default gateway for my clients?
    I know that the "managed subnet" option in the NAS is for ARP resolution only and that this IP cannot be used as the default gateway for clients.
    Do I have to create some virtual IP address on the NAC Ethernet card?
    Please help me by sharing your thoughts.
    Sairam

    Hi Sairam,
    I put some configuration samples about L2 IB for you:
    interface GigabitEthernet1/33
     description To Trusted
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 998
     switchport trunk allowed vlan 31,40,110
     switchport mode trunk
    interface GigabitEthernet1/34
     description To Untrusted
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 999
     switchport trunk allowed vlan 41,311,400
     switchport mode trunk
    There are some notes you should know:
    1) NAC server -> core sw: trunking (see details in the above configuration)
    2) Authen VLANs: 311, 400 (these should NOT have an SVI (Layer 3) interface anywhere on the network)
    Access VLANs: 31, 40
    You should map 311 -> 31, 400 -> 40 on the NAC server.
    3) CAS is going to be the default gateway for users
    Hope this helps!
    NamNT

  • NAC Inband Trunk on Untrusted Interface

    Hi,
    I have a query regarding inband implementation of the NAC server.
    Is it possible to have multiple VLANs terminate on the untrusted interface of the NAS in real gateway mode?
    If this is the case, how can I add an IP address to each VLAN ID on the untrusted interface?
    The aim is to implement the following deployment.
    The network architecture is a collapsed core, Distribution/Core on the same 2 switches with SVIs on the distribution switches for all the VLANs. Since the network may not have all Cisco switches, I am forced to use Inband deployment.
    I wanted to trunk the required VLANs to the NAC untrusted interface and remove the SVIs on the distribution switches, forcing VLAN clients onto the NAC.
    The trusted NAC interface will be connected to an SVI VLAN or L3 interface on the distribution switch.
    Since the NAC is in real gateway mode, DHCP pools or DHCP relays need to be configured on the NAC server as well.
    As a summary, can you please advise if it is possible to create something like SVIs on the NAC untrusted port and define DHCP relay on those SVIs on the untrusted interface.
    Thanks,
    Ashley

    never mind,
    I didn't add VLAN 111 to the VLAN database.
    Now it is working.
    thanks
    Alex

  • NAC in Inband L2 Virtual mode

    Dear Experts,
    I'm planning to implement NAC InBand virtual mode, as I have HP and Cisco switches in my network. I have read the installation guide and the Cisco Press book for NAC, and now I want confirmation from you experts on the step by step procedure to set up NAC.
    I thought to post because many of you have implemented NAC several times, so the general steps to start, as I'm going to do antivirus update and Windows update for the host posture assessment.
    NAC in Inband L2 Virtual mode
    My thinking for the implementation is:
    1. create the authentication VLAN on access switches (no SVI for the authentication VLAN),
    2. do the authentication mapping and actual user VLAN mapping in NAC,
    3. create a rule such as Windows update and antivirus update, and then the requirement is to access the antivirus server and Windows update server,
    4. allow an access-list for all the user VLANs to go to these antivirus and Windows update servers, BUT these IPs will be the actual VLAN IP subnet because we will not have any authentication subnet in DHCP??? Correct me if I'm wrong.
    5. shift the users from the actual VLAN to the authentication VLAN,
    6. configure the managed subnet for the reply to the DHCP request,
    7. enable L3 and set up static routes,
    8. manually go to each and every PC to open a browser so that it will be redirected to install the NAC agent. IS THERE any other way TO INSTALL THE NAC AGENT ON 1000 WINDOWS MACHINES? MY SYSTEM ADMINISTRATORS ARE NOT VERY SMART, SO PLEASE, ANY SOLUTION WITHOUT ANY HELP FROM A SYSTEM ADMINISTRATOR? IT WILL BE HIGHLY APPRECIATED.
    The points above I have written are what I think NAC is; if there are any other points I'm missing, please please please advise me or give proper guidance.

    Hi,
    1. This is correct. Auth VLANs shouldn't have SVIs anywhere on the network
    2. Okay
    3. Okay. For posture assessment, look at chalktalk 5 from this link: http://bit.ly/chalktalks
    4. For a L2 VGW setup (assuming In-Band), you will only have one set of IP addresses to work with, and those would be the Access VLAN IP addresses. You don't get a different IP address in your Auth VLAN. You can limit the resources you want your clients to have access to by tweaking the Traffic Policies
    5. You would map the users, and you do that by defining the VLAN mappings
    6. For L2 deployments, you will need managed subnets for all the IP subnets that you work with.
    7. You don't need static routes for L2 deployments
    8. If your clients are using any managed software system, like GPOs using AD, or SMS, or Altiris, you can push out the agent to them using those mechanisms.
    HTH,
    Faisal
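    The design rules in NamNT's sample (auth VLANs trunked to the untrusted side, access VLANs to the trusted side, no SVI on any auth VLAN) and in Faisal's reply (one set of IP addresses, a managed subnet for every access subnet, no static routes at L2) are easy to violate when several switches are involved. The following script is an added example, not code from the thread or from Cisco: it checks a set of IOS-style running configs and a CAS VLAN mapping against those rules. The configs, subnets and the stray SVI on the "dist" switch are constructed for the example; only the VLAN numbers are taken from NamNT's post.

```python
import re
from typing import List, Set

# Constructed sample configs (not from the thread) using NamNT's VLAN numbers:
# auth VLANs 311/400 map to access VLANs 31/40 on the CAS.
CORE_CONFIG = """\
interface Vlan31
 ip address 10.31.0.1 255.255.255.0
interface Vlan40
 ip address 10.40.0.1 255.255.255.0
interface GigabitEthernet1/33
 description To Trusted
 switchport trunk native vlan 998
 switchport trunk allowed vlan 31,40
 switchport mode trunk
interface GigabitEthernet1/34
 description To Untrusted
 switchport trunk native vlan 999
 switchport trunk allowed vlan 311,400
 switchport mode trunk
"""

# A constructed mistake: a distribution switch was given an SVI in auth VLAN 311,
# which would let hosts in the auth VLAN be routed without passing through the CAS.
DIST_CONFIG_BAD = """\
interface Vlan311
 ip address 10.31.0.2 255.255.255.0
"""

VLAN_MAPPING = {311: 31, 400: 40}                     # auth -> access, as set on the CAS
ACCESS_SUBNETS = {31: "10.31.0.0/24", 40: "10.40.0.0/24"}
MANAGED_SUBNETS = {"10.31.0.0/24", "10.40.0.0/24"}    # managed subnets configured on the CAS


def svi_vlans(config: str) -> Set[int]:
    """VLAN IDs that have an SVI ("interface VlanN") in an IOS-style config."""
    return {int(v) for v in re.findall(r"^interface Vlan(\d+)\s*$", config, re.M)}


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '31,40,100-102' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def trunk_info(config: str, description: str):
    """(allowed VLANs, native VLAN) of the trunk whose description matches, or None."""
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        if f"description {description}" not in block:
            continue
        allowed = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", block)
        native = re.search(r"switchport trunk native vlan (\d+)", block)
        return (expand_vlan_list(allowed.group(1)) if allowed else set(),
                int(native.group(1)) if native else 1)
    return None


def check_l2_vgw_design(mapping, configs, cas_switch, managed, access_subnets) -> List[str]:
    """Return a list of design problems (an empty list means every check passed)."""
    problems: List[str] = []
    auth, access = set(mapping), set(mapping.values())

    # A VLAN cannot be both an auth VLAN and an access VLAN in a VGW bridge.
    for v in sorted(auth & access):
        problems.append(f"VLAN {v} is used both as auth and access VLAN")

    # Auth VLANs must not have an SVI anywhere (NamNT's note 2, Faisal's point 1).
    for name, cfg in configs.items():
        for v in sorted(svi_vlans(cfg) & auth):
            problems.append(f"{name}: auth VLAN {v} has an SVI (interface Vlan{v})")

    # The two CAS trunks must carry the right VLAN sets and use distinct native VLANs
    # (as in NamNT's sample, so the bridged VLANs are never looped back on themselves).
    untrusted = trunk_info(configs[cas_switch], "To Untrusted")
    trusted = trunk_info(configs[cas_switch], "To Trusted")
    if untrusted is None or trusted is None:
        problems.append(f"{cas_switch}: could not find both CAS trunks")
    else:
        for v in sorted(auth - untrusted[0]):
            problems.append(f"{cas_switch}: auth VLAN {v} not allowed on untrusted trunk")
        for v in sorted(access - trusted[0]):
            problems.append(f"{cas_switch}: access VLAN {v} not allowed on trusted trunk")
        if untrusted[1] == trusted[1]:
            problems.append(f"{cas_switch}: trusted and untrusted trunks share native VLAN {trusted[1]}")

    # Every access subnet needs a managed subnet on the CAS (Faisal's point 6).
    for v in sorted(access):
        subnet = access_subnets.get(v)
        if subnet not in managed:
            problems.append(f"access VLAN {v}: subnet {subnet} is not a managed subnet on the CAS")
    return problems


if __name__ == "__main__":
    clean = check_l2_vgw_design(VLAN_MAPPING, {"core": CORE_CONFIG}, "core", MANAGED_SUBNETS, ACCESS_SUBNETS)
    stray = check_l2_vgw_design(VLAN_MAPPING, {"core": CORE_CONFIG, "dist": DIST_CONFIG_BAD},
                                "core", MANAGED_SUBNETS, ACCESS_SUBNETS)
    print("clean design:", clean or "no problems")
    print("with stray SVI:", stray)
```

    Run it against the real running configs (one string per switch) and the mapping table exported from the CAM; the trunk lookup keys on the port description, so match it to whatever the CAS-facing ports are called.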

  • NAC Design question

    Hi,
    Looking for some advice on implementing NAC across the enterprise. The environment uses laptops, desktops and thin clients (VMware View, VDI) which connect to ESX servers where the actual machines reside (running Windows 7 and Windows XP operating systems).
    So the question is: can I use the NAC server to posture assess/authenticate the thin-client users?
    This is what I am thinking:
    • NAC – OOB would not be supported in this design since the ESX connection to the switch would be a trunk link. Also the thin-client connection to the switch always stays up.
    • NAC – Inband would be supported but could potentially be a bottleneck because the customer has a 10 gig backbone network.
    I am thinking I can use two different NAC appliances as part of the solution.
    • Use one appliance in Inband mode and use it for the ESX servers. Use the profiler to exempt the thin clients from authentication since they basically have nothing running on them and they cannot authenticate to the NAC server.
    • The second NAC appliance will be configured as Out of Band and all the remaining regular users (with physical laptops, desktops) get authenticated to this NAC server.
    This way the NAC bottleneck would only be limited to the thin-client users who connect to the VMs running on the ESX server.
    Is this a viable option for NAC'ing the VM clients running on ESX servers?

    Hello,
    As long as the thin clients are seen as standard physical clients by the CAS (so VMware is not doing anything special with MAC/IP addresses), then what you mentioned could be a valid design option.
    The NAC Profiler in particular can be a good plus to categorize your thin clients and automatically manage the filters on the CAM.
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Error with GPOs on Cisco NAC

    I have Cisco NAC deployed inband; all PCs had the CCA Agent deployed via a GPO before the migration. Now that all the systems are behind NAC inband, none of the systems will process GPOs, machine or user policies. I have the unauthenticated role allowing all traffic to all the domain controllers, but with no luck. If I move the PC to a VLAN that is not trunked to the CAS, the GPOs process with no problem. Any ideas...?

    I think the ports list in the CAS Manual is not complete. Try this list of ports from the CAM Manual chapter: User Management: Traffic Control, Bandwidth, Schedule
    Allow TCP *:* Server/255.255.255.255: 88
    Allow UDP *:* Server/255.255.255.255: 88
    Allow TCP *:* Server/255.255.255.255: 389
    Allow UDP *:* Server/255.255.255.255: 389
    Allow TCP *:* Server/255.255.255.255: 445
    Allow UDP *:* Server/255.255.255.255: 445
    Allow TCP *:* Server/255.255.255.255: 135
    Allow UDP *:* Server/255.255.255.255: 135
    Allow TCP *:* Server/255.255.255.255: 3268
    Allow UDP *:* Server/255.255.255.255: 3268
    Allow TCP *:* Server/255.255.255.255: 139
    Allow TCP *:* Server/255.255.255.255: 1025
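    The list above is written in the CAM traffic-policy notation (action, protocol, source address:port, destination address/mask: port). When a role's policy is suspected to be incomplete, it helps to evaluate it offline against the flows a domain member needs. The script below is an added example, not code from the thread or from Cisco: it parses rules in that notation, evaluates a flow against them, and reports which of the required domain-controller ports a policy fails to allow. `DC_ADDRESS` is a placeholder for the "Server" token, `SHORT_POLICY` is a constructed, deliberately incomplete list, and the evaluation assumes first-match semantics with a default of Block for traffic the role does not explicitly allow.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Placeholder for the "Server" token in the posted list; substitute the real DC address.
DC_ADDRESS = "192.0.2.10"

# The port list from the reply above, verbatim, in CAM traffic-policy notation.
GPO_POLICY = """\
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025
"""

# A constructed, deliberately shorter list standing in for an incomplete policy.
SHORT_POLICY = """\
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
"""

RULE_RE = re.compile(
    r"^(Allow|Block)\s+(TCP|UDP|IP)\s+"
    r"(\S+?)(?:/(\S+?))?:(\S+)\s+"       # source address[/mask]:port
    r"(\S+?)(?:/(\S+?))?:\s*(\S+)$"      # destination address[/mask]: port
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_mask: str
    src_port: str
    dst: str
    dst_mask: str
    dst_port: str


def parse_policy(text: str, server_ip: str) -> List[Rule]:
    """Parse policy lines in the notation used above; 'Server' is replaced by server_ip."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised policy line: {line!r}")
        action, proto, src, smask, sport, dst, dmask, dport = m.groups()
        rules.append(Rule(action, proto,
                          src.replace("Server", server_ip), smask or "255.255.255.255", sport,
                          dst.replace("Server", server_ip), dmask or "255.255.255.255", dport))
    return rules


def _addr_match(addr: str, spec: str, mask: str) -> bool:
    if spec == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{spec}/{mask}", strict=False)


def _port_match(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def evaluate(rules: List[Rule], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """First matching rule wins; with no match the role's default (assumed Block) applies."""
    for r in rules:
        if r.proto != "IP" and r.proto != proto:
            continue
        if (_addr_match(src, r.src, r.src_mask) and _port_match(sport, r.src_port)
                and _addr_match(dst, r.dst, r.dst_mask) and _port_match(dport, r.dst_port)):
            return r.action
    return "Block"


# (protocol, port) pairs from the reply above that a domain member needs to reach on the DC.
REQUIRED: List[Tuple[str, int]] = [
    ("TCP", 88), ("UDP", 88), ("TCP", 389), ("UDP", 389), ("TCP", 445), ("UDP", 445),
    ("TCP", 135), ("UDP", 135), ("TCP", 3268), ("UDP", 3268), ("TCP", 139), ("TCP", 1025),
]


def missing_allows(rules: List[Rule], server_ip: str, required=REQUIRED, client="10.31.0.50"):
    """(proto, port) pairs the policy does not let an unauthenticated client reach on server_ip."""
    return [(p, port) for p, port in required
            if evaluate(rules, p, client, 50000, server_ip, port) != "Allow"]


if __name__ == "__main__":
    full = parse_policy(GPO_POLICY, DC_ADDRESS)
    print("Kerberos to DC:", evaluate(full, "TCP", "10.31.0.50", 51000, DC_ADDRESS, 88))
    print("HTTP to DC:", evaluate(full, "TCP", "10.31.0.50", 51000, DC_ADDRESS, 80))
    print("missing in short policy:", missing_allows(parse_policy(SHORT_POLICY, DC_ADDRESS), DC_ADDRESS))
```

    The parser only understands the line form shown in the reply (one action, one protocol, address or `*` with an optional mask, a single port or range); other CAM policy forms would need the regular expression extended.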

  • NAC L3 OOB VGM Deployment examples

    Greetings,
    Currently my customer has an L2 OOB VGM deployment for the users inside the campus network.
    The customer is opening new branch offices and wants to use the same NAC server for those offices (NAC centrally deployed).
    I would like to get some examples and guidance on how to configure the NAC in Layer 3 OOB VGM, since I wouldn't like to change my network topology in order to accommodate Real-IP mode.
    I have only found examples for Real-IP Layer 3.

    Yes, I agree with you. I asked because the NAC can be configured that way, and also Cisco's documentation suggests it is possible.
    The only way I thought could accomplish L3 OOB VGM is by having a second interface in the WAN router connected to the unauthenticated VLAN, and redirecting traffic to that interface (PBR).

  • NAC layer 3 Virtual Gateway Setup

    I am running the NAC Appliance currently in virtual gateway mode for layer 2 inband and it works great. I wanted to add layer 3 virtual gateway inband to this same NAC server, but I can't seem to find enough documentation on this. I do have layer 3 enabled and a static route to the layer 3 network in place. I don't think I understand how to get the network to go through the NAC. Do I need to run the Agent on the layer 3 network or can it still somehow go through just the web page authentication?
    Thanks.

    Policy route the unauthenticated traffic so it forces the layer 3 network in question through your CAS layer 3 device. Your discovery host address should be on the other side of the Clean Access Server (trusted side). There's a NAC Chalk Talk PDF that steps through this for you.
    Search "NAC Chalktalk"

  • NAC in Inband & Outband

    Hi,
    Please let me know whether anybody has configured a single NAC appliance to function in both Inband and Outband simultaneously.
    I have one NAC appliance. I want this to function in inband mode for wireless users and outband for wired users.
    Please tell me whether it is possible and how to do it.
    R.B.Kumar

    Thank you Rob,
    I appreciate your effort in explaining the concept. I also have one setup here for which I am going to configure the NAC. Can you please explain how it works.
    REQUIREMENT:
    I am configuring NAC Appliance. The following is the deployment scenario.
    I am establishing this in a campus LAN environment.
    I have a Cisco 4510R Layer 3 switch as the core switch.
    I have a Cisco 3550 Layer 3 switch as the distribution switch.
    I have some unmanaged and managed switches as the access layer switches. All desktop computers are connected to these access switches only.
    Distribution switch and core switch are connected in the routed backbone (trunking is not configured between distribution and core).
    Since I have unmanaged switches at the access layer and core to distribution is a routed backbone (Layer 3), I have decided to configure the NAC appliance in the following setup:
    Layer 3 Inband Virtual Gateway
    I request you to provide a solution and configuration steps to achieve the following:
    1. What will be the VLAN the ETH0 & ETH1 of the CAS will be in?
    2. Users/desktop computers should authenticate by username/password & MAC address/IP address to get into the network. If the users/desktop computers do not match the IP address with MAC address combination configured in the NAC appliance they should be in the quarantine role.
    regards

  • Layer 2 NAC OOB in HA

    Can somebody suggest switch configurations for layer 2 OOB virtual gateway high availability between distribution and access layer switches? I use 5 different VLANs in the 156 subnet, which are user VLANs, and for authentication I used 10.x.x.x series VLANs. The series are 3355 and 3315 as servers and 1 NAC manager on 4.7.2.

    Thank you for feeding information back to the community to benefit others.
    That is the spirit...
    PK

  • NAC for wireless layer 3 oob

    Hi,
    Has anyone implemented NAC for wireless layer 3 OOB? This is using NAC appliance, not ISE.
    What I did is configure the WLC as per the layer 2 OOB setup, configure SVI 669 (authentication/quarantine VLAN) on the switches that are with the WiSM, and PBR all VLAN 669 traffic to the test CAS untrusted interface.
    Problem now: I'm not able to get an IP from DHCP after associating. DHCP works when tested on wired. Is there any additional config to be done on the WLC, or am I doing it right?
    The test CAS/CAM are upgraded to ver 4.8.2.
    Regards
    Joachim

    Everyone can make a mistake and it seems I did a big one :-)
    L3 wireless OOB was not supported until the last version:
    • Wireless L3 OOB RIP has been introduced in 4.8.2.
    • In order to support wireless in L3 OOB RIP deployment, DHCP release and renew values were propagated from the CAS to the client so that the client can perform an IP refresh.
    • The configuration of WLC and APs needs to be done like in Wireless L2 OOB VGW deployments.
    • There are no ports in the WLC, hence a Port profile is not required.
    • The WLC allows only two VLANs, namely Quarantine (Auth) and Access VLANs. Hence the support for user role VLANs is not there in wireless deployments.
    • iPhone/iPad support is also not present. The reason being that the IP address cannot be refreshed on iPhone/iPad due to lack of support for Java Applet/ActiveX.
    • The authentication trap control needs to be checked in order for the WLC to send the 599.0.4 trap.

  • NAC L2 Inband Real IP Gateway

    Hi Experts,
    I was just reading the Cisco Press book for NAC, and I came to the following paragraph. Can anybody explain to me the L2 Inband Real IP Gateway mode steps from the start?
    If you use Real IP Gateway mode on NAC Appliance Server, you will have to make changes. The default gateway of clients has to be changed to be NAC Appliance Server, not the distribution switch.
    Thanks
  • Cisco NAC Layer 3 OOB Support for Wireless

    We are currently using NAC 4.7.2 and I am curious if Layer 3 OOB for Wireless users is on the roadmap. We have a WISM and 5500 controllers. Thanks.

    Hello,
    I know it's being worked on, but isn't in the near releases coming out soon. 4.8 is expected very soon and it's not in that release.
    So long story short, don't know, but it will be there eventually.
    HTH,
    Faisal

  • NAC 4.9 CAS inband with ASA 8.6

    We are working on a new deployment. The user logs in, the agent pops, and posture assessment happens. The screen for posture assessment closes at the test laptop. It acts like all is working. When we look at the inband user it shows as not having transitioned from the auth to the access VLAN. This is a simple install and the VLAN mapping is definitely there. Ideas?

    Steve,
    Here is a configuration guide for the ASA to CAS; it's not the latest and greatest but this should work:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    When referring to L2 and L3 adjacent, this is different with respect to VGW and RIP.
    L2 and L3 refer to how the clients are positioned with respect to the CAS (not the CAM): are they being routed to the CAS untrusted interface, or are they available on a VLAN that the CAS can be a part of?
    VGW and RIP refer to the operation of the CAS. This is similar to the operation of the ASA when it comes to transparent vs routed mode (you can use both on the same CAS): VGW bridges the two networks together, and RIP routes the traffic around and requires static routing since the CAS does not support dynamic routing protocols.
    You can use VGW by setting the group policy to route all tunneled traffic to an IP that is present on the trusted side of the CAS; also you can use the vlan attribute in the group-policy configuration to assign the remote users to a VLAN, which forces their traffic to flow through the CAS.
    http://cisconac.blogspot.com/2007/07/vpn-deployments-with-asa-80.html
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Layer 2 OOB NAC Issue

    I had a weird problem last week: we moved one of our servers from Layer 2 in-band to Layer 2 OOB mode Virtual Gateway. We set up 9 VLANs on the server and 3 of them worked perfectly; the other six did not. Clients would get a valid IP address but our web splash page would not show up on the others. All 9 were set up the same way, and it works on my test server. We are running 4.7.0 on our Manager. Any suggestions, or has anyone had this problem before?

    Thank you for feeding information back to the community to benefit others.
    That is the spirit...
    PK
