NAC L3 OOB VGW possible?

Is it possible to do L3 NAC OOB with VGW?
The documentation does not say that it is not possible, but I see some technical difficulties.
In a VGW deployment, the Auth IP = Access IP and only the VLAN ID changes. But on the other end of an L3 link I cannot see VLAN IDs and therefore cannot distinguish between Auth and Access.
So is it correct that OOB L3 VGW is not possible?

It is my understanding that the IP address of the client must change when it moves from auth to access.
It is still OOB because traffic only goes through the CAS during authentication/remediation. Because there are no VLAN mappings it is not VGW.
Typically the CAS is at a core location, and you use policy routing or ACLs to separate auth traffic from access (though I prefer VRF) to "pipe" auth traffic back to the CAS.
Once auth is successful, the CAM switches the port to the access VLAN.

Similar Messages

  • Configuring Switch for CCA is behind non-Cisco phone, NAC OOB VGW Deployment

    Hi,
    I need to configure the edge switch port to keep serving a non-Cisco IP phone when deploying NAC as OOB VGW.
    I appreciate your advice, but please keep an 802.1x solution as the last option.
    Thanks
    Mike

    Hi,
    Please look at the config guide:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • NAC 4.7.2 (OOB VGW) MAC certificate validation slow

    We have been seeing some odd behavior with certificate validation on Mac OS X devices running the installed agent.
    When a user enters their userid and password they sometimes get an SSL cert error. If the user clicks on login multiple times they will eventually certify and join the trusted network.
    I did a packet capture of a machine that was experiencing the problem.
    The packet capture showed the Mac making a DNS query for the Verisign server's IP address, and the DNS server returns the correct answer. The expected connection to the Verisign server never occurs. (The SSL cert error on the Mac shows up about now.)
    If login is clicked (several times) and you go through the cycle again, eventually the connection to the Verisign server is established, the certificate is validated and the user is placed into the trusted VLAN.
    Has anybody else experienced this? Any ideas?

    Faisal,
    I reviewed my work including where I performed my captures. The capture I did initially was between the CAS and the outside world - our routing core.
    I decided to span a port a Mac was connected to and performed another capture.
    Lo and behold, the Mac was actually trying to connect to the Verisign server based on the IP address of the forward DNS lookup sent originally from the Mac.
    I thought about the process and I believe that NAC has to do a reverse lookup on the IP address so that it can compare the server name against the host filter I built to allow the traffic.
    The filter was based on the forward lookup, so it was something like "ends with crl.verisign.com".
    When I did a reverse lookup I discovered most of the servers returned something like "crl.indv10.verisign.com", which of course did not match the filter I had created. Traffic blocked.
    I changed the filter to just "ends with verisign.com" and it worked 95% of the time.
    Why only 95%?
    One of the servers had an IP address that was outside the 199.x.x.172 pattern most of them use, and it did not return a name when the reverse lookup occurred. I finally ended up adding that IP address as a filter.
    No problems now.
    Later!
    Bob
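The reverse-lookup behaviour Bob works through above, modelled as an added example (this is not code from the thread or from Cisco's CAS): a suffix-style host filter is evaluated against the PTR name of each address the client actually connects to, so addresses whose PTR differs from the forward name, or that have no PTR at all, are blocked until an IP-based entry is added. The DNS tables are constructed sample data using documentation address ranges.

```python
"""Model of a reverse-DNS based host filter, as described in the thread above.

Constructed data only: the DNS tables below are made up (RFC 5737 documentation
addresses), not real Verisign records, and the evaluator is a simplified
stand-in for the CAS host-based traffic policy, not Cisco's implementation.
"""
from typing import Optional

# Constructed forward lookup: the name the client resolves.
FORWARD_DNS = {
    "crl.verisign.com": ["192.0.2.10", "192.0.2.11", "198.51.100.7"],
}

# Constructed reverse (PTR) lookups. 198.51.100.7 deliberately has no PTR
# record, mirroring the one server that "did not return a name".
REVERSE_DNS = {
    "192.0.2.10": "crl.indv10.verisign.com",
    "192.0.2.11": "crl.indv11.verisign.com",
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Return the PTR name for ip, or None when there is no PTR record."""
    return REVERSE_DNS.get(ip)


def name_ends_with(name: str, suffix: str) -> bool:
    """Suffix match on label boundaries: 'verisign.com' matches
    'crl.verisign.com' but not 'notverisign.com'."""
    return name == suffix or name.endswith("." + suffix)


def ip_allowed(ip: str, rules: list) -> bool:
    """Evaluate one destination IP against an ordered list of allow rules.

    Rule kinds: ("ends_with", suffix) compares the PTR name of the IP;
    ("ip", address) matches the address literally and needs no PTR.
    """
    ptr = reverse_lookup(ip)
    for kind, value in rules:
        if kind == "ip" and ip == value:
            return True
        if kind == "ends_with" and ptr is not None and name_ends_with(ptr, value):
            return True
    return False


def evaluate(hostname: str, rules: list) -> dict:
    """Map each address the client may pick for hostname to its filter verdict."""
    return {ip: ip_allowed(ip, rules) for ip in FORWARD_DNS[hostname]}


def blocked_addresses(hostname: str, rules: list) -> list:
    """Addresses that would still be dropped under the given rules."""
    return [ip for ip, ok in evaluate(hostname, rules).items() if not ok]


if __name__ == "__main__":
    original = [("ends_with", "crl.verisign.com")]
    relaxed = [("ends_with", "verisign.com")]
    with_ip = relaxed + [("ip", "198.51.100.7")]
    for label, rules in (("original", original), ("relaxed", relaxed), ("with_ip", with_ip)):
        print(label, evaluate("crl.verisign.com", rules))
```

The intermittent failures in the thread correspond to the client picking a different A record each time; only the rule set that covers every address (including the one without a PTR) removes the retry loop.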

  • NAC OOB VGW Auth/Access VLAN

    Hi,
    Does anyone know if, when you're setting up this topology and configuring VLAN mapping, you need unique Auth VLANs for every Access VLAN? Or can you use one Auth VLAN and map it to multiple Access VLANs? I assume you need unique Auth VLANs.
    Thanks

    Aaron,
    You can have one auth VLAN going to different access VLANs based on conditions. Look at User-Role VLANs closely to accomplish that.
    HTH,
    Faisal

  • NAC - L3 OOB

    Hi all,
    We would like to authenticate users L3 adjacent to the NAC appliance server. The NAC is set up as an OOB virtual gateway.
    Is that possible, and what should the configuration be?


  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a Central Deployment (NAC server at Central Site) for Remote Office (WAN) users, is it possible to work with L3 OOB Virtual Gateway? Or is it only possible to work with L3 OOB Real-IP gateway?
    If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
    I didn't find a response for this in the documentation.
    Thanks in advance.


  • NAC L3 OOB VGM Deployment examples

    Greetings,
    Currently my customer has an L2 OOB VGM deployment for the users inside the campus network.
    The customer is opening new branch offices and wants to use the same NAC server for those offices (NAC centrally deployed).
    I would like to get some examples and guidance on how to configure the NAC in Layer 3 OOB VGM, since I wouldn't like to change my network topology in order to accommodate Real-IP mode.
    I have only found examples for Real-IP Layer 3.

    Yes, I agree with you. I asked because the NAC can be configured that way, and also Cisco's documentation suggests it is possible.
    The only way I thought could accomplish L3 OOB VGM is by having a second interface in the WAN router connected to the unauthenticated VLAN, and redirecting traffic to that interface (PBR).

  • NAC WLC OOB integration

    I am trying to get NAC integration with WLC working for wireless users in OOB and can't get it to work. I followed directions step by step from the Configuration Example on the Cisco web site. Without enabling NAC on the WLC I am able to associate and work fine. With NAC enabled, association works but the client stays on the Quarantine VLAN and never gets switched. I can see the client as a Discovered client on the CAM only when I turn off 802.1x for layer 2 security on the WLAN, but still it does not get switched to the Access VLAN nor do I get a web login screen. The DHCP for wireless clients is provided by the WLC itself, so that traffic does not pass through the CAS. Am I doing anything wrong?

    Faisal
    I haven't tried to browse to the CAS IP. I will try that when I am there next time. The laptop did have a NAC agent with a discovery host of the CAM IP, as it was used as a wired client before. Looking at the routing table, I would think routing should not be an issue, as the Guest subnet correctly points to the untrusted interface with no GW and that should take the VLAN 201 path, which is the quarantine VLAN ID for the WLC Guest WLAN. Just FYI, the 172.16.8.0 subnet, which is the guest subnet, is not being routed internally for security reasons and is just an L2 VLAN on the core switch.
    10.8.21.11/32           -               0 0
    10.8.21.1/32            -               1 0
    10.8.21.0/24            -               2 0
    0.0.0.0/0               10.8.21.1       1 0
    10.8.17.0/24            -               2 8
    10.8.15.0/24            -               2 8
    172.16.8.0/24           -               2 8
    10.8.21.10/32           -               0 2
    10.8.17.169/32          10.8.21.1       1 0
    10.8.17.152/32          10.8.21.1       1 0
    10.8.17.182/32          10.8.21.1       1 0
    10.8.17.128/32          10.8.21.1       1 0
    10.8.17.119/32          10.8.21.1       1 0
    10.8.17.137/32          10.8.21.1       1 0
    10.8.17.188/32          10.8.21.1       1 0
    10.8.17.200/32          10.8.21.1       1 0
    10.8.17.165/32          10.8.21.1       1 0
    10.8.17.124/32          10.8.21.1       1 0
    10.8.17.113/32          10.8.21.1       1 0
    10.8.17.197/32          10.8.21.1       1 0
    10.8.17.206/32          10.8.21.1       1 0
    Thanks
    Shaffeel

  • NAC L3 OOB not working across WAN

    I am setting up a proof of concept lab for a NAC installation.
    I am using Cisco Catalyst 3550 and 2950 switches (the actual environment is using 3750, 2960 and 2950 switches) and have the NAC set up in a central L3 OOB configuration. In this configuration I have a single NAS and NAM at the "MAIN_SITE" and then two branch sites, "BRANCH1" and "BRANCH2".
    At the main site, the OOB works fine and when a user logs on, the port is moved from the unauthenticated VLAN (290) to the role based VLAN (200). However, at the "branches" the switches are not placing the port into the role based VLAN, nor, if a port is in VLAN 200 and a PC is plugged into that port, does the port switch to VLAN 290 (unauthenticated).
    Sniffing the traffic with Wireshark I see the SNMP sets being sent by the NAM to the switch telling it to place the port into VLAN 200, but the switch is not doing it.
    My write strings are set up correctly and the NAM is able to set up the initial commands on the switch for the NAC (the "snmp trap mac-notification added" commands on the ports).
    Can anyone say what is wrong?
    Sachin

    I defaulted the 3550 switch in the WAN and reconfigured it and it works now. I tried the same procedure for the 2950 switch but no dice. I replaced the 2950 switch with a 3550 that worked.
    Can anyone say if there is an issue with the 2950 switch for L3 OOB? I don't have another 2950 switch to test with.
    Sachin

  • NAC L3 OOB VoIP

    I've configured a CAM and CAS as L2 OOB and have enabled L3 support with Real IP. I have a remote site that uses Avaya 4610SW VoIP phones. Both the CAM and CAS reside locally, with no CAS at the remote site.
    I'm able to get full functionality with VoIP phones and clients connected to the phones from a Layer 2 perspective; however, when I try the remote office VoIP phone/client combo, it doesn't work. When I remove the phone and plug the client machine directly into the switchport, it works, so I'm sure the PBR and GRE configs are correct.
    From my readings, I know that you need to exclude the MAC addresses of the phones, and when I have done testing from a Layer 2 perspective, it works without a problem. The problem that I am seeing is that the MAC address of the phone is not being picked up by the NAC. I'm aware that MAC addresses are stripped off for L3, but I have no idea how to get this to work. The profile has been set up to not bounce the port, MAC address notification vs linkup/down, etc.
    Any ideas would be greatly appreciated.
    Thanks
    Jeff

    Jeff,
    In this scenario, the L3 stripping off the MACs doesn't apply. If you are controlling the switch on the remote site with the CAM and sending MAC notifications to the CAM, those notifications would include the MAC of your phone.
    You have to make sure that the MAC addresses of those phones are in the "IGNORE" filter on your CAM and not the ALLOW filter. This essentially tells the CAM that when the switch reports a new MAC on the switchport, and if it's in the IGNORE filter, to ignore that MAC and not switch the port back to the AUTH VLAN.
    HTH,
    Faisal

  • NAC L2 OOB VG ARP, DNS

    I am deploying a NAC 4.7.2 in-house to stage for a customer deployment. The deployment method I used is L2 OOB VG; I configured the switch, managed subnets, and VLAN mapping. However, two problems arose:
    1. ARP replies from the trusted to the untrusted side are not being bridged between the access VLAN and authentication VLAN
    2. DNS replies are also not being forwarded from the trusted (access VLAN) to the untrusted (authentication VLAN)
    What's strange is that DHCP is working fine.
    I have tried to add an ARP entry for the default gateway (the client gets the MAC address of the untrusted interface as the default gateway), which NAC redirects and provides the login process and remaps my port to the access VLAN, but then I have to manually remove the ARP entry for the switch to discover the real MAC address of the default gateway once the client is in the access VLAN.
    Is there anything else besides managed subnets and VLAN mapping needed for L2 OOB VG to work? From my understanding, DHCP, DNS, and ARP should be bridged normally between the trusted <--> untrusted interfaces with no additional configuration.

    Hanny,
    Sorry I couldn't look at your diagram in detail before. So there's something wrong here.
    You claim in the PDF that VLAN 5 and 6 are untrusted, mapping to 15 and 16, for which you have the SVIs defined.
    You also claim that FA0/17 is the untrusted interface and FA0/13 is the trusted interface, yet your interface definitions are the inverse of your network diagram. Is it just as simple as you plugging in the interfaces wrong? Or is the error in the diagram? Or in the interface definitions in the PDF?
    Please clarify. If you can also, please post the Network tab from your CAS, the Advanced tab from your CAS showing the managed subnets and the VLAN Mapping tab from your CAS. Also please post your sanitized show running-config from your switch and verify where each of the interfaces is plugged in.
    Thanks,
    Faisal

  • NAC L3 OOB - Online Users not correct

    I'm testing a NAC 4.1.3 L3 OOB Real IP configuration and have come across an anomaly. Can someone help please?
    I have configured two switches to be managed by NAC and have configured a role for Web Authentication and set all ports to be controlled.
    When I connect a PC to switch 1 and authenticate, all works well and the View Online Users page displays the PC/role/Switch Port correctly.
    I then disconnect the PC and patch it into Switch 2. I then authenticate, but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Looking at switch 1, it has moved the port I was connected to into the VLAN it should be in after authentication. This should have been done to the port I'm now on at Switch 2!
    MAC notifications are used and Linkup/downs are enabled on the switches. They are not stacked. When disconnecting from the switches it correctly removes me from the online users. After authentication on the new switch it puts me back on the original switch where I was!
    This is most infuriating; it means the product is useless if I have users moving from one desk to another, ending up on a different switch where they will no longer be able to work as they cannot get past authentication.
    All help is gratefully received.
    Thanks,
    Paul Kyte

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at Switch Management -> Port Profiles and below "Options: Device Connected to Port" (the second one) "Change to .... if the device is certified" there should be an Access VLAN option - make it active.

  • NAC L2 OOB Auth and Access VLAN

    I'm new to Cisco NAC appliance.
    I wanted to deploy L2 OOB VGM for my wired users.
    I wanted to check whether I can have multiple Authentication to Access VLAN mappings.
    For example :
    Authentication VLAN - 111 Map to Trusted VLAN 311
    and
    Authentication VLAN - 112 Map to Trusted VLAN 312
    Therefore, on the port profile of the switch, I can allocate which ports should be using Authentication VLAN 111 and which VLAN 112.
    The reason I want to do this is that I need the users to obtain IP addresses that are associated with the trusted segment, so that I do not have to bounce the switch port or utilise DHCP release/renew from the CCA or web client.

    Role-based access VLAN mapping for Windows single sign-on (SSO) users can be achieved with this procedure:
    Choose User Management > Auth Servers and set Auth Type to Active Directory SSO.
    Select the Default Role for the role that you want Windows SSO users to be in after they are logged in. For example, in this case it should be vencorp.
    Choose User Management > User Roles, select the role (vencorp) and click Edit.
    Set the Out of Band User Role VLAN to 5 (or any VLAN that you want the users of this role to be in).
    Save the role.
    Choose Switch Management > Profiles > Port > List and click Edit for the control profile.
    Change the Access VLAN to User Role VLAN and click Update.
    Log in through the PC with SSO. You are now logged in to the domain and have role-based VLAN mapping.

  • NAC L2 OOB VG with Nortel Phones

    Hi,
    Will users behind the Nortel IP phones be authenticated by NAC in L2 OOB VG mode?
    thanks
    sathappan

    Yes, assuming that the relevant switch ports are controlled by the CAM. Make sure that the phones are excluded from authentication by their MAC addresses (work out some valid prefix and exclude them from authentication), otherwise you will see authentication loops.
    HTH

  • NAC with OOB and Wireless 802.1x

    Has anybody any experience with integrating NAC OOB and 802.1x?
    I have seen that there are some issues about it.

    Working pretty well.
    Check this out:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
