NAC L2 Inband Real IP Gateway

Hi Experts,
I was just reading the Cisco Press book for NAC, and I came to the following paragraph. Can anybody explain to me the L2 In-band Real IP Gateway mode steps from the start?
If you use Real IP Gateway mode on NAC Appliance Server, you will have to make changes. The default gateway of clients has to be changed to be NAC Appliance Server, not the distribution switch.
Thanks

Similar Messages

  • NAC In-band Real IP Gateway process

    Hi all,
    I've been doing a lot of research and I still can't find good answers to some of my questions. All the big questions are answered for out-of-band configuration but I find that it's assumed that understanding in-band is taken for granted lol...I guess I'm slow =P
    How does In-band Real-IP Gateway work?
    What is the point of the /30 subnets?
    Are there access/auth VLAN pairs in in-band configurations?
    How does quarantining work?
    I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
    Can you do role-mapping with in-band configurations?
    Any help with any or all of these questions would be GREATLY appreciated!
    Thanks much =]
    ~ Xavier.

    Hi Xavier,
    let me try to answer your questions
    1.How does In-band Real-IP Gateway work?
    The CAS works in routed mode, so you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Since the CAS doesn't support routing protocols, all the routing has to be configured through static routes
    2. What is the point of the /30 subnets?
    The idea is to have small subnets for your clients so that with this IP config the clients in the authentication VLAN need to go through the CAS even to talk to other clients in the same L2 subnet.
    Check here for some explanation:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cas/s_dhcp.html#wp1057889
    3. Are there access/auth VLAN pairs in in-band configurations?
    If you ask if there's VLAN mapping, then the answer is NO, as the aim of the VLAN mapping is to *bridge* traffic between the trusted and untrusted mapped VLANs, but in Real-IP the CAS does L3 routing of the traffic.
    4. How does quarantining work?
    When a client is quarantined, this works in the same way as in OOB, as in this phase the client is still inline to the CAS.
    So the concept is that the CAS assigns the user to the temporary or quarantine role and it applies a traffic policy that you configured for the temporary or quarantine role.
    5. I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
    The "single" VLAN restriction for Real-IP CAS applies only to the *trusted* side. The CAS can be the default gateway for multiple VLANs/IP Subnets on the *untrusted* side.
    You configure additional VLAN/IP addresses on the untrusted side using the "managed subnet" configuration.
    This is also mentioned here:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_deploy.html#wp1050938
    The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For details on setting up managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.
    6. Can you do role-mapping with in-band configurations?
    Yes, you can do it! However, you cannot assign VLANs as you do in OOB but you can assign different access level based on the IP traffic policies and bandwidth restrictions you assign to the specific role.
    Check for instance here for more details:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_users.html#wp1040231
    In a nutshell, irrespective of the use of InBand vs. OutOfBand:
    - the clients are InBand to the CAS during the CAS discovery, authentication, posture assessment and remediation phases.
    The main difference occurs when the user is authorized to have access to the network and you perform role assignment both in IB and OOB but..:
    - in IB the client traffic keeps on flowing inline to the CAS, so you can apply different access policies (ACL) and bandwidth control policies depending on the role (but you cannot assign VLAN);
    - in OOB the client traffic bypasses the CAS once it's authorized: in this case you can apply different VLANs but (since the CAS is no longer along the path) you can't apply ACLs and/or traffic shaping policies in this case.
    I hope this answers your questions.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
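An added example (not from the thread or from Cisco) illustrating point 2 of the answer above, the reason for the /30 client subnets in a Real-IP in-band design: a client only forwards a packet to its default gateway (the CAS) when the destination lies outside its own subnet, so two clients sharing a /24 would talk at L2 and never hit the role's traffic policy, whereas with /30s every client-to-client packet crosses the CAS and is filtered. The addresses, role names and policy rules are constructed for the demonstration and are not Cisco's policy syntax.

```python
import ipaddress

# Constructed role policies for illustration (not Cisco's policy syntax or defaults):
# ordered (destination network, protocol, port, action) rules, first match wins.
ROLE_POLICIES = {
    "temporary": [                                 # agent download / remediation only
        ("10.10.50.0/24", "tcp", 80, "permit"),    # constructed remediation server subnet
        ("0.0.0.0/0", "any", None, "deny"),
    ],
    "quarantine": [
        ("10.10.50.0/24", "tcp", 80, "permit"),
        ("0.0.0.0/0", "any", None, "deny"),
    ],
    "employee": [
        ("0.0.0.0/0", "any", None, "permit"),
    ],
}


def traverses_gateway(src: str, dst: str, prefixlen: int) -> bool:
    """True when src and dst sit in different subnets of the given prefix length,
    so src must hand the packet to its default gateway (the CAS in Real-IP mode).
    False means the two hosts ARP for each other and talk at L2, bypassing the CAS."""
    src_net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    dst_net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
    return src_net != dst_net


def evaluate(src: str, dst: str, proto: str, port: int, role: str, prefixlen: int) -> str:
    """Decide what happens to a client-to-client flow under the given role and subnet size."""
    if not traverses_gateway(src, dst, prefixlen):
        return "direct-L2"                 # the CAS never sees the packet, no policy applied
    dst_ip = ipaddress.ip_address(dst)
    for net, p, prt, action in ROLE_POLICIES[role]:
        if dst_ip in ipaddress.ip_network(net) and p in ("any", proto) and prt in (None, port):
            return action
    return "deny"                          # implicit deny at the end of every role


def demo() -> dict:
    # Two quarantined clients on the same physical auth VLAN (constructed addresses):
    # 10.20.0.2 in 10.20.0.0/30 (gateway 10.20.0.1) and 10.20.0.6 in 10.20.0.4/30 (gateway 10.20.0.5)
    return {
        "quarantine_/30": evaluate("10.20.0.2", "10.20.0.6", "tcp", 445, "quarantine", 30),
        "quarantine_/24": evaluate("10.20.0.2", "10.20.0.6", "tcp", 445, "quarantine", 24),
        "employee_/30": evaluate("10.20.0.2", "10.20.0.6", "tcp", 445, "employee", 30),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With /30s the quarantined client's SMB attempt toward its neighbour is denied by the role policy; with a shared /24 the same packet never reaches the CAS and the policy is simply not consulted, which is the exposure the small subnets close.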

  • NAC OUT OF BAND REAL IP GATEWAY

    Hello,
    I have NAC 4.8 and setup as Out of Band Real IP Gateway.
    Is it possible to integrate it with WLC5508(Wireless)?
    thank you

    Hello!
    Yes, I'd say you just have to wait for NAC OOB Real-IP with Wireless.. :-)
    In any case, it's perfectly fine to use ACS 5 to authenticate the Wireless users on the CT5508.
    Just a note, if you're actually using ACS 5.0 (and not 5.1 or 5.2), make sure that you also install the latest patch.
    In any case, if you're indeed on 5.0, I'd strongly recommend to go to 5.2.
    If what you're looking for is 802.1x authentication, you can refer to this document for a config example with the PEAP method:
    http://www.cisco.com/en/US/customer/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
    If you want to authenticate users through web-auth, then you can refer to this other document:
    http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    The above example refers to ACS 4.x, however, you can achieve the same goal on ACS 5... for that, just make sure you have good understanding of the policy model in ACS 5 .. you can find all the details on the config guide:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/policy_mod.html
    I hope this helps!
    Regards,
    Federico

  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a Central Deployment (NAC server at Central Site) for Remote Office (WAN) users, is it possible to work with L3 OOB
    Virtual Gateway? Or is it only possible to work with L3 OOB Real-IP gateway?
    If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
    I didn't find a response for this in the documentation.
    Thanks in advance.

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at Switch Management -> Port Profiles and below "Options: Device Connected to Port" (the second one) "Change to .... if the device is certified" there should be an Access VLAN option - make it active.

  • NAC.OOB.L2.Real IP GW.dhcp-relay issue.

    Hello.
    I have CAM (manager) which is configured as L2 OOB real-ip gateway. central deployment.
    ethernet 0 (trusted) is L3. (ip add x.x.x.x)
    ethernet 1 (untrusted) is .1q and several authentication vlans (a,b,c,d) are connected to it.
    Of course managed subnets are configured for auth vlans on eth1.
    Manager is configured as dhcp-relay.
    Is it ok that manager changes dhcp packets to the dhcp server so that its ethernet 0 ip address (x.x.x.x) becomes the source address of the requests to the dhcp server?
    how can dhcp server recognize auth vlan a from auth vlan b if all packets have the single source (x.x.x.x)???
    Where could be my mistake?
    Regards

    Hello varnavsky!
    You have to configure vlan mapping (at the CAM) for all authentication vlans! After the authentication and posture validation, the NAC client won't get a new IP address, so the client has to have an IP address from the proper access vlan. When you configure these vlan mappings the CAS always acquires an IP address from the proper range.
    By(e) Miki
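An added example, not from this thread or from Cisco, addressing varnavsky's worry about the relayed DHCP requests all carrying one IP source address: per RFC 2131 a DHCP server chooses the scope from the giaddr field that the relay agent fills in with its interface address on the client's subnet, and ignores the IP header source entirely. The code builds a DHCPDISCOVER as a relay would forward it, parses giaddr from the fixed BOOTP header, and selects a pool from a constructed scope table. Whether the CAS populates giaddr with the managed-subnet address is not something this thread states, so treat that as the point to verify with a packet capture on the DHCP server side.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed scope table: the subnet that giaddr falls in selects the pool.
SCOPES = {
    ipaddress.ip_network("10.20.1.0/24"): "pool-auth-vlan-a",
    ipaddress.ip_network("10.20.2.0/24"): "pool-auth-vlan-b",
}


def build_relayed_discover(giaddr: str, mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER laid out per RFC 2131, as a relay agent forwards it:
    hops incremented to 1 and giaddr set to the relay's address on the client's subnet."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,            # op: BOOTREQUEST
        1, 6,         # htype Ethernet, hlen 6
        1,            # hops: one relay in the path
        xid,
        0,            # secs
        0x8000,       # flags: broadcast bit
        b"\0" * 4,    # ciaddr
        b"\0" * 4,    # yiaddr
        b"\0" * 4,    # siaddr
        ipaddress.ip_address(giaddr).packed,  # giaddr: relay's interface on the client subnet
        mac.ljust(16, b"\0"),                 # chaddr
        b"\0" * 64,   # sname
        b"\0" * 128,  # file
    )
    options = bytes([53, 1, 1]) + b"\xff"     # option 53 = DHCPDISCOVER, then end option
    return header + MAGIC_COOKIE + options


def parse_giaddr(packet: bytes) -> str:
    """Return giaddr (bytes 24..27 of the fixed BOOTP header) after a sanity check."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return str(ipaddress.ip_address(packet[24:28]))


def select_scope(packet: bytes, ip_src: str) -> str:
    """Pick the pool the way a DHCP server does: from giaddr, never from the IP source."""
    giaddr = ipaddress.ip_address(parse_giaddr(packet))
    if giaddr == ipaddress.ip_address("0.0.0.0"):
        return "directly-connected"        # no relay: scope comes from the receiving interface
    for net, pool in SCOPES.items():
        if giaddr in net:
            return pool
    raise LookupError(f"no scope covers giaddr {giaddr}; relay source {ip_src} is not consulted")


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")   # constructed client MAC
    # Both requests arrive with the same IP source (the relay's trusted-side address),
    # yet land in different pools because giaddr differs.
    for relay_if in ("10.20.1.1", "10.20.2.1"):
        pkt = build_relayed_discover(relay_if, mac)
        print(relay_if, "->", select_scope(pkt, "192.0.2.10"))
```

If a capture shows giaddr left at 0.0.0.0 or set to the eth0 address for every auth VLAN, the server cannot tell the VLANs apart and the fix is on the relay side, not on the DHCP server's scope definitions.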

  • NAC in Inband L2 Virtual mode

    Dear Experts,
    I'm planning to implement NAC In-band virtual mode, as I have HP and Cisco switches in my network. I have read the installation guide and the Cisco Press book for NAC; now I want confirmation from you experts of the step by step procedure to set up NAC.
    I thought to post because many of you have implemented NAC several times, so the general steps to start: I'm going to do antivirus update and Windows update for the host posture assessment.
    NAC in Inband L2 Virtual mode
    About my thinking for Implementation is :
    create authentication vlan on access switches,(no SVI for authentication vlan)
    Do authentication mapping and actual user vlan mapping in NAC,
    create a rule such as windows update and antivirus update and then requirement is to access the antivirus server and windows update server,
    allow an access-list for all the user VLANs to reach these antivirus and Windows update servers, BUT these IPs will be the actual VLAN IP subnet because we will not have any authentication subnet in DHCP ??????? Correct me if I'm wrong.
    Shift the users from actual vlan to authentication vlan,
    Configure managed subnet for the reply of DHCP request
    Enable L3 and setup static routes
    Manually go to each and every PC and open a browser so that it will be redirected to install the NAC agent. IS THERE any other way TO INSTALL THE NAC AGENT ON 1000 WINDOWS MACHINES? MY SYSTEM ADMINISTRATORS ARE NOT VERY SMART, SO PLEASE ANY SOLUTION WITHOUT ANY HELP OF THE SYSTEM ADMINISTRATOR?????? IT WILL BE HIGHLY APPRECIATED.
    The points above I have written are what I think NAC is; if I'm missing any other points please please please advise me or give proper guidance.

    Hi,
    1. This is correct. Auth VLANs shouldn't have SVIs anywhere on the network
    2. Okay
    3. Okay. For posture assessment, look at chalktalk 5 from this link: http://bit.ly/chalktalks
    4. For a L2 VGW setup (assuming In-Band), you will only have one set of IP addresses to work with, and those would be the Access VLAN IP addresses. You don't get a different IP address in your Auth VLAN. You can limit the resources you want your clients to have access to by tweaking the Traffic Policies
    5. You would map the users, and you do that by defining the VLAN mappings
    6. For L2 deployments, you will need managed subnets for all the IP subnets that you work with.
    7. You don't need static routes for L2 deployments
    8. If your clients are using any managed software system, like GPOs using AD, or SMS, or Altiris, you can push out the agent to them using those mechanisms.
    HTH,
    Faisal

  • NAC in Inband & Outband

    Hi,
    Please let me know whether anybody has configured single NAC appliance to function in both Inband and Outband simultaneously.
    I Have one NAC appliance. I want this to function in inband mode for wireless users and outband for wired users.
    please tell me whether it is possible and how to do?
    R.B.Kumar

    Thank you Rob,
    I appreciate your effort in explaining the concept. I also have one setup here for which I am going to configure the NAC. Can you please explain how it works.
    REQUIREMENT:
    I am configuring NAC Appliance. The following is the deployment scenario.
    I am establishing this in a campus LAN environment.
    I have a Cisco 4510R Layer 3 switch as the Core switch.
    I have Cisco 3550 Layer 3 switch as the distribution switch
    I have some unmanaged and managed switches as the Access layer switches. All desktop computers are connected to this access switch only.
    Distribution Switch and core switch is connected in the Routed backbone (Trunking is not configured between Distribution and Core)
    Since I have unmanaged switches at the access layer and Core to Distribution is Routed backbone (Layer 3) i have decided to configure the NAC appliance in the following setup:
    Layer 3 Inband Virtual Gateway
    I request you to provide solution and configuration steps to achieve the following:
    1. What will be the VLAN the ETH0 & ETH1 of CAS will be in.
    2. Users/Desktop computers should authenticate by username/password & Mac Address/IP address to get into the network. If the Users/Desktop computers do not match the IP address with MAC Address combination configured in the NAC appliance they should be in quarantine role.
    regards

  • NAC Agent issues

    Hi guys,
    We are encountering several problems with regards to the NAC Agent. We are deploying AD SSO and for some reason, on the same switch other hosts are performing SSO correctly and others are being prompted for a user name and password by the NAC agent even though the hosts are all logging in the same domain. Do you guys have any idea on how to go about this problem?

    Hi Guys,
    I have deployed  NAC as  OOB REAL IP gateway mode and it is working fine over LAN.
    Once I enabled the L3 functionality to connect remote site after that local user is being certified through WEB LOGIN.
    But NAC pop up is not reflecting to supply the username and password.
    A problem occurred when stopping the NAC agent services: "Agent has been terminated due to unexpected error. please restart your machine."
    Note- No ACL is configured till yet
    I have perform following task to fix it;-
    1. Restarted NAC agent services.
    2.Checked proxy settings.
    Could you please help me out to resolve this issue?
    Thanks & Regards,
    Azeem Khan

  • NAC Inband RealIP-Gateway address

    Hi Experts,
    I want to configure NAC appliance in INBAND-CENTRAL DEPLOYMENT-REAL IP GATEWAY.
    In this scenario, my clients are in different VLANs say 2 & 3. To all my clients the default gateway should be the IP Address of NAC. Correct?
    Where I will configure this IP address in the NAC box so that this IP Address will be the default gateway for my clients.
    I know that the "managed subnet" option in the NAS is for ARP resolution only and that this IP cannot be used as the default gateway for clients.
    Do i have to create some virtual IP address in the NAC Ethernet card?
    Please help me by sharing your thoughts
    Sairam

    Hi Sairam,
    I put some configuration samples about L2 IB for you:
    interface GigabitEthernet1/33
     description To Trusted
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 998
     switchport trunk allowed vlan 31,40,110
     switchport mode trunk
    interface GigabitEthernet1/34
     description To Untrusted
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 999
     switchport trunk allowed vlan 41,311,400
     switchport mode trunk
    There are some notes you should know:
    1) NAC server -> core sw: trunking (see details on the above configuration)
    2) Auth VLAN: 311, 400 (these should NOT have an SVI (Layer 3) interface anywhere on the network)
    Access Vlan: 31, 40
    You should map 311 -> 31, 400 -> 40 on NAC server.
    3) CAS is going to be the default gateway for users
    Hope this helps!
    NamNT

  • NAC Inband Trunk on Untrusted Interface

    Hi,
    I have a query regarding in-band implementation of the NAC server.
    Is it possible to have multiple VLANs terminate on the untrusted interface of the NAS in real gateway mode?
    If this is the case, how can I add an IP address to each VLAN ID on the untrusted interface?
    The aim is to implement the following deployment.
    The network architecture is a collapsed Core, Distribution/Core on the same 2 switches with SVIs on the distribution switches for all the VLANs. Since the network may not have all Cisco switches, I am forced to use an in-band deployment.
    I wanted to trunk the required VLANs to the NAC untrusted interface, removing the SVIs on the distribution switches and forcing VLAN clients onto the NAC.
    The trusted NAC interface will be connected to a SVI vlan or L3 interface on the distribution switch.
    Since the NAC is in real gateway mode, DHCP pool or DHCP relays need to configure on the NAC server as well.
    As a summary, can you please advise if it is possible to create something like SVIs on the NAC untrusted port and define DHCP relay on those SVIs on the untrusted interface.
    Thanks,
    Ashley

    never mind,
    I didn't add VLAN 111 to the VLAN database.
    now it is working.
    thanks
    Alex

  • NAC layer 3 Virtual Gateway Setup

    I am running the NAC Appliance currently in virtual gateway mode for layer 2 inband and it works great. I wanted to add layer 3 virtual gateway inband to this same NAC server, but I can't seem to find enough documentation on this. I do have layer 3 enabled and a static route to the layer 3 network in place. I don't think I understand how to get the network to go through the NAC. Do I need to run the Agent on the layer 3 network or can it still somehow go through just the web page authentication?
    Thanks.

    Policy route the unauthenticated traffic so it forces the layer 3 network in question through your CAS layer 3 device. Your discovery host address should be on the other side of the Clean Access Server, the trusted side. There's a NAC Chalk Talk pdf that steps you through this.
    Search "NAC Chalktalk"

  • NAC and Multicasting

    We're using NAC configured as IN-BAND, VIRTUAL-GATEWAY. So far the docs I've read haven't been very encouraging in running multicast through this configuration. Has anybody had any experience with this and perhaps some configuration ideas?
    Thanks
    David

    Hi David
    multicast is not supported under the inband real gateway. However, it will work for out-of-band or virtual gateway
    See http://www.cisco.com/en/US/products/ps6128/products_qanda_item09186a00803b7a81.shtml
    Cheers
    Walter

  • NAC ADSSO doesn't work

    Hi there,
    I have 1 CAS and 1 CAM. Everything works fine if I use localDB authentication.
    I tried to complete SSO AD configuration, from CAM installation guide. SSO service started to work successful. I'm trying to login to the domain - It's ok, I see green kerbtray icon, tickets are ok, but anyway I receive CCA Agent login/password screen.
    AD logging looks like: (172.16.13.100 is AD server)
    Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
    INFO: GSSServer - SPN : [cisco/[email protected]]
    Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer buildKDCList
    INFO: buildKDCList - KDC-1: computer-c.zozo.gov/172.16.13.100
    Mar 14, 2008 1:10:10 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
    INFO: GSSServer - KDC(s) : [172.16.13.100]
    Mar 14, 2008 1:14:22 PM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run
    INFO: GSSR - Windows SSO is running
    Mar 14, 2008 1:19:22 PM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run
    INFO: GSSR - Windows SSO is running
    What may be wrong in my configuration? Local time on CAM, CAS and AD is the same, TCP/8910 on the CAS is in listening mode. I opened full IP from * to my AD Server for the Unauthenticated Role.
    Regards,
    Andrey

    Are you running OOB Layer-3 with Real-IP gateway? Are you running 4.1.3? Are you using a Certificate Authority? If the answer is yes to all, you may want to review this: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html#wp74768. Be careful though, you may also need to apply an egress ACL to block the trusted VLAN from sending TCP-8910 to the FQDN of the OOB-CAS's Untrusted IP. Otherwise, the CCA agent may continue to send TCP-8910 to the CAS and process SSO and refresh IP continuously (looping process).

  • NAC AGENT - DISCOVERY HOST IP ADDRESS with AD

    Hi,
    We have deployed a Cisco NAC Agent in our network with GPO update... The deployment model is L3 OOB / Real IP Gateway.
    The issue is that, we need to put the IP address in each host manually to start communicating with Cisco NAC Manager.
    Is there any way to make it automatic?
    Regards,
    Mubasher

    Hi Mubashir,
    I faced the same problem with Cisco ISE and Tiago's response actually helped; see below.
    " You can also distribute the NACAgentCFG.xml file with that value set.
    Please find here detailed info regarding this file:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376. "
    In that link, read the section: Agent Customization Settings
    From a NAC agent that has successfully been deployed with the IP configured, go to the NAC agent installation folder
    C:\Program Files (x86)\Cisco\Cisco NAC Agent, and copy the NACAgentCFG.xml, open with WordPad and edit the line
    IP of PDP node or ISE standalone server
    Then place the edited NACAgent.xml file in the same folder as the one where your GPO will pick the agent from. When the Agent is installed , it automatically picks the configs from the .xml file.
    Regards,
    Henry
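An added example, not from this thread or from Cisco, of doing Henry's edit in a script rather than by hand in WordPad, so the same NACAgentCFG.xml can be regenerated for a GPO share without a typo slipping into the discovery host. The `<cfg>` root and `<DiscoveryHost>` element names are assumptions drawn from the Agent Customization Settings section the reply cites, not copied from a real agent file, and the sample file content is constructed; check the element name against your own exported file before relying on it.

```python
import ipaddress
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample of the agent configuration file. The element names are assumed
# (see lead-in); the real file exported from an installed agent is the authority.
SAMPLE_CFG = """<cfg>
  <DiscoveryHost>placeholder.example</DiscoveryHost>
  <AutoPopup>0</AutoPopup>
</cfg>
"""


def _valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a hostname made of alphanumeric/hyphen labels."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        labels = host.split(".")
        return bool(host) and all(lbl and lbl.replace("-", "").isalnum() for lbl in labels)


def set_discovery_host(xml_text: str, host: str, element: str = "DiscoveryHost") -> str:
    """Return xml_text with the discovery host element set to host.
    Rejects anything that is not an address or plausible hostname so that a bad value
    is caught here rather than pushed to every machine by the GPO."""
    if not _valid_host(host):
        raise ValueError(f"invalid discovery host: {host!r}")
    root = ET.fromstring(xml_text)
    node = root.find(element)
    if node is None:
        node = ET.SubElement(root, element)   # add the element if the template lacks it
    node.text = host
    return ET.tostring(root, encoding="unicode")


def get_discovery_host(xml_text: str, element: str = "DiscoveryHost") -> Optional[str]:
    """Read the current discovery host back, for a post-edit check."""
    node = ET.fromstring(xml_text).find(element)
    return node.text if node is not None else None


if __name__ == "__main__":
    # PLACEHOLDER-CAM-IP stands for your own manager address; replace before use.
    updated = set_discovery_host(SAMPLE_CFG, "192.0.2.20")
    print(updated)
    print("discovery host now:", get_discovery_host(updated))
```

Writing the result with `open(path, "w", encoding="utf-8")` next to the agent installer on the GPO share is the only step left; the read-back function is there so the deployment script can refuse to publish a file whose value does not match what was intended.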

  • NAC VPN and ASA

    Hi
    I have a customer who currently is using an ASA5520 as a firewall between his network and the Internet. He now wants remote VPN access with SecureID tokens for authentication added which is fine but he has also brought up NAC. Can I simply insert a NAC between the ASA and the internal network as in this Cisco document:
    http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a008074d641.shtml
    That looks like it will work fine for VPN access, but what about the outgoing Internet access for the current internal users: will that be OK still, or do I need to use a separate ASA for VPN access with NAC? Oh yes, will I need an ACS as well, or can the NAC talk directly to the SecurID appliance, either using RADIUS or RSA's own protocol? Sorry if these are dumb questions, but he dropped the NAC stuff on me at the last minute and I just need to know the basics quickly and can work out the details later.
    Thanks
    Pat

    You can use a single ASA for internet access and NAC VPN.
    If the Cisco NAC Server is Real IP, you can implement Policy Based Routing to route your VPN traffic through the Cisco NAC Server and normal internet traffic will bypass the Cisco NAC Server.
    If the Cisco NAC Server is VGW or you do not want PBR, you can terminate your VPN traffic on a separate interface (two interfaces into the internal network). Once you have the VPN traffic routing this way, implement the Cisco NAC solution by putting the Cisco NAC Server inline with this interface.
    Cisco NAC VPN SSO uses Radius accounting packets to authenticate VPN users. The ASA will interface with the Token server. Once authenticated, the ASA will send a Radius accounting packet to the Cisco NAC Server.
    VGW Example
    NAC Appliance (Cisco Clean Access) In-Band Virtual Gateway for Remote Access VPN Configuration Example
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    Real IP example
    Integrating with Cisco VPN Concentrators
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAS/s_vpncon.html
    Regards,
    Dan Laden
